author | Matthew Miller <matthew@millerti.me> | 2020-07-24 10:13:20 -0700 |
committer | Matthew Miller <matthew@millerti.me> | 2020-07-24 10:13:20 -0700 |
commit | bc58cae331b93092b4fd769baebe81a812d9efb8 (patch) | |
tree | 8785ec2d0480fe15ac94ccb1195e9a26c9fd7e7a | |
parent | 1c017c98a7e183833db3d5212e3fa26d5ecb3dfc (diff) |
Enable setting custom alg IDs for verification
Step 16 of the WebAuthn attestation verification spec says: “Verify that the "alg" parameter in the credential public key in authData matches the alg attribute of one of the items in options.pubKeyCredParams.”, which means we need to support custom alg IDs here too
https://w3c.github.io/webauthn/#sctn-registering-a-new-credential
-rw-r--r-- | packages/server/src/attestation/verifyAttestationResponse.ts | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/packages/server/src/attestation/verifyAttestationResponse.ts b/packages/server/src/attestation/verifyAttestationResponse.ts
index df1dcd5..cf0e68a 100644
--- a/packages/server/src/attestation/verifyAttestationResponse.ts
+++ b/packages/server/src/attestation/verifyAttestationResponse.ts
@@ -21,6 +21,7 @@ type Options = {
   expectedOrigin: string;
   expectedRPID?: string;
   requireUserVerification?: boolean;
+  supportedAlgorithmIDs?: COSEAlgorithmIdentifier[];
 };
 
 /**
@@ -35,6 +36,8 @@ type Options = {
  * @param expectedRPID RP ID that was specified in the attestation options
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)
+ * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
+ * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
  */
 export default async function verifyAttestationResponse(
   options: Options,
@@ -45,6 +48,7 @@ export default async function verifyAttestationResponse(
     expectedOrigin,
     expectedRPID,
     requireUserVerification = false,
+    supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers,
   } = options;
 
   const { id, rawId, type: credentialType, response } = credential;
@@ -139,8 +143,8 @@ export default async function verifyAttestationResponse(
   }
 
   // Make sure the key algorithm is one we specified within the attestation options
-  if (!supportedCOSEAlgorithmIdentifiers.includes(alg as number)) {
-    const supported = supportedCOSEAlgorithmIdentifiers.join(', ');
+  if (!supportedAlgorithmIDs.includes(alg as number)) {
+    const supported = supportedAlgorithmIDs.join(', ');
     throw new Error(`Unexpected public key alg "${alg}", expected one of "${supported}"`);
   }
 
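Review bot: The new `supportedAlgorithmIDs` option is taken as-is in the `= options` destructuring and then used directly in the `includes` check of the last hunk, but nothing in the hunks documents or checks that the RP-supplied IDs are limited to algorithms this library can actually verify, so an entry outside the library's default list would pass this step and presumably only fail later at signature verification, with a less specific error. The default only applies when the property is absent, so an explicit empty array makes the check reject every credential; that is fail-closed and acceptable, but the contract is worth stating in the @param doc added in the second hunk, e.g. `* Should be the same list sent to the client when the attestation options were generated; an empty array rejects every credential.` and, if the library cannot verify every COSE algorithm, `* Values outside the library's default list are not verifiable and will fail later.` The kept `alg as number` cast assumes the decoded COSE `alg` is numeric; if the decoder can yield a string identifier the cast hides that and a `typeof alg === 'number'` guard before the `includes` would be more honest. The enclosing `verifyAttestationResponse` body continues outside the hunks, so the later signature-verification behaviour is inferred, not visible here.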