author | Matthew Miller <matthew@millerti.me> | 2020-06-08 17:37:23 -0700 |
---|---|---|
committer | Matthew Miller <matthew@millerti.me> | 2020-06-08 17:37:23 -0700 |
commit | 98ceb56ebd82dd688ff335cbb99539ad7effba3c (patch) | |
tree | 7cf8612d6e53b9d8da38b2039e7e14a74279fb16 | |
parent | bc2144c476d09d603485d6392d9c6f17af58dc86 (diff) |
Check attStmt alg in Packed verification
-rw-r--r-- | packages/server/src/attestation/verifications/verifyPacked.ts | 11 | ||||
-rw-r--r-- | packages/server/src/helpers/decodeAttestationObject.ts | 1 |
2 files changed, 6 insertions, 6 deletions
diff --git a/packages/server/src/attestation/verifications/verifyPacked.ts b/packages/server/src/attestation/verifications/verifyPacked.ts index 8055cf4..55d43e1 100644 --- a/packages/server/src/attestation/verifications/verifyPacked.ts +++ b/packages/server/src/attestation/verifications/verifyPacked.ts @@ -23,12 +23,16 @@ type Options = { export default function verifyAttestationPacked(options: Options): boolean { const { attStmt, clientDataHash, authData, credentialPublicKey } = options; - const { sig, x5c } = attStmt; + const { sig, x5c, alg } = attStmt; if (!sig) { throw new Error('No attestation signature provided in attestation statement (Packed)'); } + if (Number.isNaN(Number(alg))) { + throw new Error(`Attestation Statement alg "${alg}" is not a number (Packed)`); + } + const signatureBase = Buffer.concat([authData, clientDataHash]); let verified = false; @@ -70,11 +74,6 @@ export default function verifyAttestationPacked(options: Options): boolean { const cosePublicKey = decodeCredentialPublicKey(credentialPublicKey); const kty = cosePublicKey.get(COSEKEYS.kty); - const alg = cosePublicKey.get(COSEKEYS.alg); - - if (!alg) { - throw new Error('COSE public key was missing alg (Packed|Self)'); - } if (!kty) { throw new Error('COSE public key was missing kty (Packed|Self)'); diff --git a/packages/server/src/helpers/decodeAttestationObject.ts b/packages/server/src/helpers/decodeAttestationObject.ts index e5accdd..4e53ccf 100644 --- a/packages/server/src/helpers/decodeAttestationObject.ts +++ b/packages/server/src/helpers/decodeAttestationObject.ts @@ -31,4 +31,5 @@ export type AttestationStatement = { sig?: Buffer; x5c?: Buffer[]; response?: Buffer; + alg?: number; }; |
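Review bot: The new guard `Number.isNaN(Number(alg))` in the first verifyPacked.ts hunk lets non-numeric values through, because `Number()` coerces before the test: `null`, `''`, `[]` and `false` all become 0, and numeric strings pass as well. attStmt is taken from the decoded attestation object supplied by the client, so the `alg?: number` declaration added to AttestationStatement in decodeAttestationObject.ts is not a runtime guarantee. A strict check rejects those cases and also narrows the type for the code below: `if (typeof alg !== 'number' || !Number.isInteger(alg)) {`. The function body continues outside the hunk, so how `alg` is consumed afterwards is not visible here.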
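Review bot: After the second verifyPacked.ts hunk drops the `cosePublicKey.get(COSEKEYS.alg)` lookup, nothing visible in the self-attestation path compares the statement's `alg` with the algorithm of the credential public key. The WebAuthn packed format asks for exactly that comparison when self attestation is used, and without it the algorithm is presumably chosen from the attestation statement alone. Keeping the lookup and rejecting a mismatch would cover it, for example `if (cosePublicKey.get(COSEKEYS.alg) !== alg) { throw new Error('attStmt alg does not match credential public key alg (Packed|Self)'); }`. The rest of the branch lies outside the hunk, so this should be confirmed against the full function.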