authorMatthew Miller <matthew@millerti.me>2020-07-07 14:57:02 -0700
committerMatthew Miller <matthew@millerti.me>2020-07-07 14:57:02 -0700
commit9d98f8b62535afbf5e1c1f5b73ecd03ee7e9d76d (patch)
treebabbe91c2f8e79410ae6bb9f7d2aa95fc4dc47f7
parent1b4e82cabf59ad2710a1097ef7825db2b2de1953 (diff)
Make validateCertificatePath async
-rw-r--r--packages/server/src/attestation/verifications/tpm/verifyTPM.ts2
-rw-r--r--packages/server/src/attestation/verifications/verifyAndroidKey.ts2
-rw-r--r--packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts4
-rw-r--r--packages/server/src/attestation/verifications/verifyPacked.ts2
-rw-r--r--packages/server/src/helpers/validateCertificatePath.ts2
-rw-r--r--packages/server/src/metadata/metadataService.ts2
-rw-r--r--packages/server/src/metadata/verifyAttestationWithMetadata.ts6
7 files changed, 10 insertions, 10 deletions
diff --git a/packages/server/src/attestation/verifications/tpm/verifyTPM.ts b/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
index 1671ef1..b9351ea 100644
--- a/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
+++ b/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
@@ -236,7 +236,7 @@ export default async function verifyTPM(options: Options): Promise<boolean> {
const statement = await MetadataService.getStatement(aaguid);
if (statement) {
try {
- verifyAttestationWithMetadata(statement, alg, x5c);
+ await verifyAttestationWithMetadata(statement, alg, x5c);
} catch (err) {
throw new Error(`${err.message} (TPM)`);
}
diff --git a/packages/server/src/attestation/verifications/verifyAndroidKey.ts b/packages/server/src/attestation/verifications/verifyAndroidKey.ts
index e5f68ba..1b494e0 100644
--- a/packages/server/src/attestation/verifications/verifyAndroidKey.ts
+++ b/packages/server/src/attestation/verifications/verifyAndroidKey.ts
@@ -91,7 +91,7 @@ export default async function verifyAttestationAndroidKey(options: Options): Pro
const statement = await MetadataService.getStatement(aaguid);
if (statement) {
try {
- verifyAttestationWithMetadata(statement, alg, x5c);
+ await verifyAttestationWithMetadata(statement, alg, x5c);
} catch (err) {
throw new Error(`${err.message} (AndroidKey)`);
}
diff --git a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
index 2c4e6f3..5b09724 100644
--- a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
+++ b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
@@ -97,7 +97,7 @@ export default async function verifyAttestationAndroidSafetyNet(
try {
// Convert from alg in JWT header to a number in the metadata
const alg = HEADER.alg === 'RS256' ? -257 : -99999;
- verifyAttestationWithMetadata(statement, alg, HEADER.x5c);
+ await verifyAttestationWithMetadata(statement, alg, HEADER.x5c);
} catch (err) {
throw new Error(`${err.message} (SafetyNet)`);
}
@@ -106,7 +106,7 @@ export default async function verifyAttestationAndroidSafetyNet(
const path = HEADER.x5c.concat([GlobalSignRootCAR2]).map(convertASN1toPEM);
try {
- validateCertificatePath(path);
+ await validateCertificatePath(path);
} catch (err) {
throw new Error(`${err.message} (SafetyNet)`);
}
diff --git a/packages/server/src/attestation/verifications/verifyPacked.ts b/packages/server/src/attestation/verifications/verifyPacked.ts
index aae4a32..7bc12df 100644
--- a/packages/server/src/attestation/verifications/verifyPacked.ts
+++ b/packages/server/src/attestation/verifications/verifyPacked.ts
@@ -102,7 +102,7 @@ export default async function verifyAttestationPacked(options: Options): Promise
}
try {
- verifyAttestationWithMetadata(statement, alg, x5c);
+ await verifyAttestationWithMetadata(statement, alg, x5c);
} catch (err) {
throw new Error(`${err.message} (Packed|Full)`);
}
diff --git a/packages/server/src/helpers/validateCertificatePath.ts b/packages/server/src/helpers/validateCertificatePath.ts
index 39b1009..c2b18a4 100644
--- a/packages/server/src/helpers/validateCertificatePath.ts
+++ b/packages/server/src/helpers/validateCertificatePath.ts
@@ -12,7 +12,7 @@ const { crypto } = KJUR;
* Traverse an array of PEM certificates and ensure they form a proper chain
* @param certificates Typically the result of `x5c.map(convertASN1toPEM)`
*/
-export default function validateCertificatePath(certificates: string[]): boolean {
+export default async function validateCertificatePath(certificates: string[]): Promise<boolean> {
if (new Set(certificates).size !== certificates.length) {
throw new Error('Invalid certificate path: found duplicate certificates');
}
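Review bot: The new `async` signature on validateCertificatePath changes the failure mode for any caller that drops the `await`: the call then evaluates to a pending Promise, which is truthy, and a rejected chain becomes an unhandled rejection instead of a thrown error, so a boolean-style use of the result would read as a pass. Every call site in this commit is updated, but nothing in the code enforces that for future callers; enabling `@typescript-eslint/no-floating-promises` for this package would catch a missing `await` at compile time. The JSDoc above the signature should also state the new contract, e.g. add `@returns Resolves to true when the chain verifies` and `@throws Rejects with an Error on duplicate certificates or a broken link`. As far as this hunk shows the body is still synchronous (the duplicate check is plain code), so the `async` keyword is presumably there to let the call sites share one awaited code path; the rest of the function lies outside the hunk.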
diff --git a/packages/server/src/metadata/metadataService.ts b/packages/server/src/metadata/metadataService.ts
index 7ef627e..e586a72 100644
--- a/packages/server/src/metadata/metadataService.ts
+++ b/packages/server/src/metadata/metadataService.ts
@@ -140,7 +140,7 @@ class MetadataService {
try {
// Validate the certificate chain
// TODO: Check for certificate revocation
- validateCertificatePath(fullCertPath);
+ await validateCertificatePath(fullCertPath);
} catch (err) {
// From FIDO MDS docs: "ignore the file if the chain cannot be verified or if one of the
// chain certificates is revoked"
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
index 815b7a7..6b4d2f6 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
@@ -5,11 +5,11 @@ import { FIDO_METADATA_AUTH_ALG_TO_COSE } from '../helpers/constants';
import convertASN1toPEM from '../helpers/convertASN1toPEM';
import validateCertificatePath from '../helpers/validateCertificatePath';
-export default function verifyAttestationWithMetadata(
+export default async function verifyAttestationWithMetadata(
statement: MetadataStatement,
alg: number,
x5c: Buffer[] | Base64URLString[],
-): boolean {
+): Promise<boolean> {
// Make sure the alg in the attestation statement matches the one specified in the metadata
const metaCOSE = FIDO_METADATA_AUTH_ALG_TO_COSE[statement.authenticationAlgorithm];
if (metaCOSE.alg !== alg) {
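Review bot: `metaCOSE` is an unchecked lookup, so a metadata statement whose `authenticationAlgorithm` is not a key of `FIDO_METADATA_AUTH_ALG_TO_COSE` makes `metaCOSE.alg` throw a TypeError, and with the new `Promise<boolean>` signature that surfaces to callers as a rejection whose message says nothing about the metadata. Guard the lookup before the comparison: `if (!metaCOSE) { throw new Error(\`Unexpected authentication algorithm "${statement.authenticationAlgorithm}" in metadata\`); }`. This keeps the failure closed (the attestation is still rejected) while giving the (TPM)/(Packed|Full) wrappers a meaningful message to append to. The function body continues past the end of this hunk.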
@@ -21,7 +21,7 @@ export default function verifyAttestationWithMetadata(
for (const rootCert of statement.attestationRootCertificates) {
try {
const path = [...x5c, rootCert].map(convertASN1toPEM);
- foundValidPath = validateCertificatePath(path);
+ foundValidPath = await validateCertificatePath(path);
} catch (err) {
// Swallow the error for now
foundValidPath = false;
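Review bot: The `catch` here discards the reason validateCertificatePath rejected, so when no root in `statement.attestationRootCertificates` produces a valid path the caller cannot tell a duplicate-certificate error from a signature mismatch. Keep the most recent failure, `lastError = err;` in place of the "Swallow the error for now" comment, with `let lastError: unknown;` declared before the loop, and include it in whatever is thrown once the loop finishes; that throw is outside this hunk. The swallowing itself is fine as a loop strategy (one root failing must not abort the search), it is only the loss of the diagnostic that is worth fixing.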