authorMatthew Miller <matthew@millerti.me>2022-02-08 21:34:37 -0800
committerGitHub <noreply@github.com>2022-02-08 21:34:37 -0800
commita8b97311fdec49734d2476c8654202b567d89ffb (patch)
treef1083c3d7a603c59090bd7720a790d2bdf37bb3e
parenta57a1078f5438c9d9b1a095bd797e927b1a625c9 (diff)
parent87ad08ff5db7bc7d80e1f4f29d96fb1108adc714 (diff)
Merge pull request #177 from MasterKale/fix/remove-expired-safetynet-root-cert
fix/remove-expired-safetynet-root-cert
-rw-r--r--packages/server/src/helpers/validateCertificatePath.ts13
-rw-r--r--packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts36
-rw-r--r--packages/server/src/services/defaultRootCerts/android-safetynet.ts34
-rw-r--r--packages/server/src/services/settingsService.ts4
4 files changed, 48 insertions, 39 deletions
diff --git a/packages/server/src/helpers/validateCertificatePath.ts b/packages/server/src/helpers/validateCertificatePath.ts
index 8cacb0b..77d7f77 100644
--- a/packages/server/src/helpers/validateCertificatePath.ts
+++ b/packages/server/src/helpers/validateCertificatePath.ts
@@ -59,8 +59,11 @@ async function _validatePath(certificates: string[]): Promise<boolean> {
const subjectCert = new X509();
subjectCert.readCertPEM(subjectPem);
+ const isLeafCert = i === 0;
+ const isRootCert = i + 1 >= certificates.length;
+
let issuerPem = '';
- if (i + 1 >= certificates.length) {
+ if (isRootCert) {
issuerPem = subjectPem;
} else {
issuerPem = certificates[i + 1];
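Review bot: The two new flags encode an ordering contract — `certificates` is leaf-first and the last entry is the trust anchor — that nothing in the hunk states; a reader only recovers it from the self-issued fallback `issuerPem = subjectPem` below. A comment above the declarations would pin it down, e.g. `// certificates is ordered leaf-first; the last entry is treated as a self-signed trust anchor`. Note also that for a path of length one both flags are true at the same time. The signature of `_validatePath` and the loop header that defines `i` are outside the hunk.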
@@ -82,7 +85,13 @@ async function _validatePath(certificates: string[]): Promise<boolean> {
const now = new Date(Date.now());
if (notBefore > now || notAfter < now) {
- throw new Error('Intermediate certificate is not yet valid or expired');
+ if (isLeafCert) {
+ throw new Error('Leaf certificate is not yet valid or expired');
+ } else if (isRootCert) {
+ throw new Error('Root certificate is not yet valid or expired');
+ } else {
+ throw new Error('Intermediate certificate is not yet valid or expired');
+ }
}
if (subjectCert.getIssuerString() !== issuerCert.getSubjectString()) {
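Review bot: With a single-certificate path both `isLeafCert` and `isRootCert` are true, so the new validity branch reports `Leaf certificate is not yet valid or expired` for an entry that is being checked as its own issuer; when an operator is debugging an expired trust anchor — the situation this PR responds to — that text points them at the wrong end of the chain. Testing `isRootCert` before `isLeafCert`, or giving the single-entry case its own message, would make the error unambiguous. `notBefore`/`notAfter` and the remainder of the loop body, including the issuer/subject comparison, lie outside the hunk.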
diff --git a/packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts b/packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts
index 3cbe9f5..cef374f 100644
--- a/packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts
+++ b/packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts
@@ -57,7 +57,7 @@ test('should verify Android SafetyNet attestation', async () => {
clientDataHash,
verifyTimestampMS: false,
aaguid,
- rootCertificates,
+ rootCertificates: [...rootCertificates, GlobalSign_R2],
credentialID,
credentialPublicKey,
rpIdHash,
@@ -352,3 +352,37 @@ const safetyNetUsingGSR1RootCert = {
clientExtensionResults: {},
transports: [],
};
+
+/**
+ * GlobalSign R2
+ *
+ * Downloaded from https://pki.goog/repo/certs/gsr2.pem
+ *
+ * EXPIRED ON 2021-12-15 @ 00:00 PST, ONLY HERE FOR TESTS
+ *
+ * SHA256 Fingerprint
+ * 69:E2:D0:6C:30:F3:66:16:61:65:E9:1D:68:D1:CE:E5:CC:47:58:4A:80:22:7E:76:66:60:86:C0:10:72:41:EB
+ */
+const GlobalSign_R2 = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
+`;
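Review bot: The fixture header states the root expired on 2021-12-15, yet the earlier hunk (`rootCertificates: [...rootCertificates, GlobalSign_R2]`) still expects verification to succeed, so the test's outcome now depends on something not visible in this diff — presumably either the trust anchor's own validity window is not part of the path check or the suite controls the clock. Whichever it is, recording it in the fixture's doc comment (one sentence after `ONLY HERE FOR TESTS` explaining why an expired anchor does not fail this test) would save the next person who sees this test break when root validity starts being enforced. The fingerprint in the comment is useful; consider asserting it against the parsed certificate in the test so the fixture cannot drift silently.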
diff --git a/packages/server/src/services/defaultRootCerts/android-safetynet.ts b/packages/server/src/services/defaultRootCerts/android-safetynet.ts
index 5e42817..f4fb133 100644
--- a/packages/server/src/services/defaultRootCerts/android-safetynet.ts
+++ b/packages/server/src/services/defaultRootCerts/android-safetynet.ts
@@ -30,37 +30,3 @@ DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
`;
-
-/**
- * GlobalSign R2
- *
- * Downloaded from https://pki.goog/repo/certs/gsr2.pem
- *
- * Valid until 2021-12-15 @ 00:00 PST
- *
- * SHA256 Fingerprint
- * 69:E2:D0:6C:30:F3:66:16:61:65:E9:1D:68:D1:CE:E5:CC:47:58:4A:80:22:7E:76:66:60:86:C0:10:72:41:EB
- */
-export const GlobalSign_R2 = `-----BEGIN CERTIFICATE-----
-MIIDvDCCAqSgAwIBAgINAgPk9GHsmdnVeWbKejANBgkqhkiG9w0BAQUFADBMMSAw
-HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
-U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0wNjEyMTUwODAwMDBaFw0yMTEy
-MTUwODAwMDBaMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMw
-EQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAps8kDr4ubyiZRULEqz4hVJsL03+EcPoS
-s8u/h1/Gf4bTsjBc1v2t8Xvc5fhglgmSEPXQU977e35ziKxSiHtKpspJpl6op4xa
-Ebx6guu+jOmzrJYlB5dKmSoHL7Qed7+KD7UCfBuWuMW5Oiy81hK561l94tAGhl9e
-SWq1OV6INOy8eAwImIRsqM1LtKB9DHlN8LgtyyHK1WxbfeGgKYSh+dOUScskYpEg
-vN0L1dnM+eonCitzkcadG6zIy+jgoPQvkItN+7A2G/YZeoXgbfJhE4hcn+CTClGX
-ilrOr6vV96oJqmC93Nlf33KpYBNeAAHJSvo/pOoHAyECjoLKA8KbjwIDAQABo4Gc
-MIGZMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSb
-4gdXZxwewGoG3lm0mi3f3BmGLjAfBgNVHSMEGDAWgBSb4gdXZxwewGoG3lm0mi3f
-3BmGLjA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLmdsb2JhbHNpZ24ubmV0
-L3Jvb3QtcjIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQANeX81Z1YqDIs4EaLjG0qP
-OxIzaJI/y4kiRj3a+y3KOx74clIkLuMgi/9/5iv/n+1LyhGU9g7174slbzJOPbSp
-p1eT19ST2mYbdgTLx/hm3tTLoHIY/w4ZbnQYwfnPwAG4RefnEFYPQJmpD+Wh8BJw
-Bgtm2drTale/T6NBwmwnEFunfaMfMX3g6IBrx7VKnxIkJh/3p190WveLKgl9n7i5
-SWce/4woPimEn9WfEQWRvp6wKhaCKFjuCMuulEZusoOUJ4LfJnXxcuQTgIrSnwI7
-KfSSjsd42w3lX1fbgJp7vPmLM6OBRvAXuYRKTFqMAWbb7OaGIEE+cbxY6PDepnva
------END CERTIFICATE-----
-`;
diff --git a/packages/server/src/services/settingsService.ts b/packages/server/src/services/settingsService.ts
index a88b628..499e4a6 100644
--- a/packages/server/src/services/settingsService.ts
+++ b/packages/server/src/services/settingsService.ts
@@ -1,7 +1,7 @@
import { AttestationFormat } from '../helpers/decodeAttestationObject';
import convertCertBufferToPEM from '../helpers/convertCertBufferToPEM';
-import { GlobalSign_Root_CA, GlobalSign_R2 } from './defaultRootCerts/android-safetynet';
+import { GlobalSign_Root_CA } from './defaultRootCerts/android-safetynet';
import {
Google_Hardware_Attestation_Root_1,
Google_Hardware_Attestation_Root_2,
@@ -63,7 +63,7 @@ settingsService.setRootCertificates({
settingsService.setRootCertificates({
identifier: 'android-safetynet',
- certificates: [GlobalSign_R2, GlobalSign_Root_CA],
+ certificates: [GlobalSign_Root_CA],
});
settingsService.setRootCertificates({