author | Matthew Miller <matthew@millerti.me> | 2022-08-14 22:52:39 -0700 |
committer | Matthew Miller <matthew@millerti.me> | 2022-08-14 22:52:39 -0700 |
commit | 6d6e1a0d0d1434cbb489d9552dff97d9df1251a9 (patch) | |
tree | 14118c1b7a06870f70f8815e3dd0865312f2955a | |
parent | 86c26befad0f308a94c5a7d1c324c8122a09d702 (diff) |
Revert to optional attestation statement alg
6 files changed, 48 insertions, 23 deletions
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.test.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.test.ts
index 9ba01fd..b48ef2e 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.test.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.test.ts
@@ -47,11 +47,11 @@ test('should verify attestation with metadata (android-safetynet)', async () =>
 const credentialPublicKey = 'pQECAyYgASFYIAKH2NrGZT-lUEA3tbBXR9owjW_7OnA1UqoL1UuKY_VCIlggpjeOH0xyBCpGDya55JLXXKrzyOieQN3dvG1pV-Qs-Gs';
- const verified = await verifyAttestationWithMetadata(
- metadataStatementJSONSafetyNet,
- base64url.toBuffer(credentialPublicKey),
+ const verified = await verifyAttestationWithMetadata({
+ statement: metadataStatementJSONSafetyNet,
+ credentialPublicKey: base64url.toBuffer(credentialPublicKey),
 x5c,
- );
+ });
 expect(verified).toEqual(true);
 });
@@ -97,11 +97,11 @@ test('should verify attestation with rsa_emsa_pkcs1_sha256_raw authenticator alg
 ];
 const credentialPublicKey = 'pAEDAzkBACBZAQC3X5SKwYUkxFxxyvCnz_37Z57eSdsgQuiBLDaBOd1R6VEZReAV3nVr_7jiRgmWfu1C-S3Aro65eSG5shcDCgIvY3KdEI8K5ENEPlmucjnFILBAE_MZtPmZlkEDmVCDcVspHX2iKqiVWYV6IFzVX1QUf0SAlWijV9NEfKDbij34ddV0qfG2nEMA0_xVpN2OK2BVXonFg6tS3T00XlFh4MdzIauIHTDT63eAdHlkFrMqU53T5IqDvL3VurBmBjYRJ3VDT9mA2sm7fSrJNXhSVLPst-ZsiOioVKrpzFE9sJmyCQvq2nGZ2RhDo8FfAKiw0kvJRkCSSe1ddxryk9_VSCprIUMBAAE';
- const verified = await verifyAttestationWithMetadata(
- metadataStatement,
- base64url.toBuffer(credentialPublicKey),
+ const verified = await verifyAttestationWithMetadata({
+ statement: metadataStatement,
+ credentialPublicKey: base64url.toBuffer(credentialPublicKey),
 x5c,
- );
+ });
 expect(verified).toEqual(true);
 });
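Review bot: None of the updated tests in this file passes `attestationStatementAlg`, so the `authenticatorGetInfo.algorithms` check that this commit now gates on that argument (second hunk of verifyAttestationWithMetadata.ts) is no longer exercised by this file at all; the same gap is in the third hunk at `@@ -154,11`. Since every production caller touched by the commit (TPM, AndroidKey, SafetyNet, Packed) passes `attestationStatementAlg: alg`, the tests should cover that path: one case passing an alg listed in the statement's `authenticatorGetInfo.algorithms` and expecting `true`, and one passing an alg that is not listed and expecting the call to reject. Without such a case a regression in the gate condition would pass this suite unnoticed.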
@@ -154,11 +154,11 @@ test('should not validate certificate path when authenticator is self-referencin
 ];
 const credentialPublicKey = 'pQECAyYgASFYIBdmUVOxrn-OOtkVwGP_vAspH3VkgzcGXVlu3-acb7EZIlggKgDTs0fr2d51sLR6uL3KP2cqR3iIUkKMCjyMJhYOkf4';
- const verified = await verifyAttestationWithMetadata(
- metadataStatement,
- base64url.toBuffer(credentialPublicKey),
+ const verified = await verifyAttestationWithMetadata({
+ statement: metadataStatement,
+ credentialPublicKey: base64url.toBuffer(credentialPublicKey),
 x5c,
- );
+ });
 expect(verified).toEqual(true);
 });
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
index 8b832ca..5193135 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
@@ -10,12 +10,17 @@ import { COSEKEYS, COSEKTY } from '../helpers/convertCOSEtoPKCS';
 * Match properties of the authenticator's attestation statement against expected values as
 * registered with the FIDO Alliance Metadata Service
 */
-export async function verifyAttestationWithMetadata(
- statement: MetadataStatement,
- credentialPublicKey: Buffer,
- x5c: Buffer[] | Base64URLString[],
- attestationStatementAlg: number,
-): Promise<boolean> {
+export async function verifyAttestationWithMetadata({
+ statement,
+ credentialPublicKey,
+ x5c,
+ attestationStatementAlg,
+}: {
+ statement: MetadataStatement;
+ credentialPublicKey: Buffer;
+ x5c: Buffer[] | Base64URLString[];
+ attestationStatementAlg?: number;
+}): Promise<boolean> {
 const {
 authenticationAlgorithms,
 authenticatorGetInfo,
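Review bot: The TSDoc above the new signature does not say that `attestationStatementAlg` is optional, nor that omitting it disables the algorithm check in the following hunk (`if (attestationStatementAlg !== undefined && authenticatorGetInfo?.algorithms !== undefined)`), so a caller reading only the type sees an optional field and gets silently weaker verification when it is left out. Add to the doc comment a line such as ` * @param attestationStatementAlg COSE alg from the attestation statement; when omitted, the check against authenticatorGetInfo.algorithms is skipped`, and ideally note which callers are expected to pass it. The body of verifyAttestationWithMetadata continues beyond this hunk.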
@@ -102,7 +107,7 @@ export async function verifyAttestationWithMetadata(
 /**
 * Confirm the attestation statement's algorithm is one supported according to metadata
 */
- if (authenticatorGetInfo?.algorithms !== undefined) {
+ if (attestationStatementAlg !== undefined && authenticatorGetInfo?.algorithms !== undefined) {
 const getInfoAlgs = authenticatorGetInfo.algorithms.map(_alg => _alg.alg);
 if (getInfoAlgs.indexOf(attestationStatementAlg) < 0) {
 throw new Error(
diff --git a/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts b/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts
index edacfc7..c74a7fe 100644
--- a/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts
+++ b/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts
@@ -257,7 +257,12 @@ export async function verifyAttestationTPM(options: AttestationFormatVerifierOpt
 const statement = await MetadataService.getStatement(aaguid);
 if (statement) {
 try {
- await verifyAttestationWithMetadata(statement, credentialPublicKey, x5c, alg);
+ await verifyAttestationWithMetadata({
+ statement,
+ credentialPublicKey,
+ x5c,
+ attestationStatementAlg: alg,
+ });
 } catch (err) {
 const _err = err as Error;
 throw new Error(`${_err.message} (TPM)`);
diff --git a/packages/server/src/registration/verifications/verifyAttestationAndroidKey.ts b/packages/server/src/registration/verifications/verifyAttestationAndroidKey.ts
index 0eb9f85..0930eb8 100644
--- a/packages/server/src/registration/verifications/verifyAttestationAndroidKey.ts
+++ b/packages/server/src/registration/verifications/verifyAttestationAndroidKey.ts
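Review bot: With the gate now narrowing `attestationStatementAlg` to `number`, the membership test two lines below still spells `getInfoAlgs.indexOf(attestationStatementAlg) < 0`; `if (!getInfoAlgs.includes(attestationStatementAlg)) {` states the intent directly and behaves the same. The comment block above the `if` ("Confirm the attestation statement's algorithm is one supported according to metadata") would also be the natural place to record that the whole check is skipped when no alg was supplied, since that is the only visible signal of the weaker path. The enclosing function starts and ends outside this hunk.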
@@ -78,7 +78,12 @@ export async function verifyAttestationAndroidKey(
 const statement = await MetadataService.getStatement(aaguid);
 if (statement) {
 try {
- await verifyAttestationWithMetadata(statement, credentialPublicKey, x5c, alg);
+ await verifyAttestationWithMetadata({
+ statement,
+ credentialPublicKey,
+ x5c,
+ attestationStatementAlg: alg,
+ });
 } catch (err) {
 const _err = err as Error;
 throw new Error(`${_err.message} (AndroidKey)`);
diff --git a/packages/server/src/registration/verifications/verifyAttestationAndroidSafetyNet.ts b/packages/server/src/registration/verifications/verifyAttestationAndroidSafetyNet.ts
index cf1063e..4b8c31f 100644
--- a/packages/server/src/registration/verifications/verifyAttestationAndroidSafetyNet.ts
+++ b/packages/server/src/registration/verifications/verifyAttestationAndroidSafetyNet.ts
@@ -95,7 +95,12 @@ export async function verifyAttestationAndroidSafetyNet(
 const statement = await MetadataService.getStatement(aaguid);
 if (statement) {
 try {
- await verifyAttestationWithMetadata(statement, credentialPublicKey, HEADER.x5c, alg);
+ await verifyAttestationWithMetadata({
+ statement,
+ credentialPublicKey,
+ x5c: HEADER.x5c,
+ attestationStatementAlg: alg,
+ });
 } catch (err) {
 const _err = err as Error;
 throw new Error(`${_err.message} (SafetyNet)`);
diff --git a/packages/server/src/registration/verifications/verifyAttestationPacked.ts b/packages/server/src/registration/verifications/verifyAttestationPacked.ts
index ee132cf..415c814 100644
--- a/packages/server/src/registration/verifications/verifyAttestationPacked.ts
+++ b/packages/server/src/registration/verifications/verifyAttestationPacked.ts
@@ -99,7 +99,12 @@ export async function verifyAttestationPacked(
 }
 try {
- await verifyAttestationWithMetadata(statement, credentialPublicKey, x5c, alg);
+ await verifyAttestationWithMetadata({
+ statement,
+ credentialPublicKey,
+ x5c,
+ attestationStatementAlg: alg,
+ });
 } catch (err) {
 const _err = err as Error;
 throw new Error(`${_err.message} (Packed|Full)`);
|