author | Matthew Miller <matthew@millerti.me> | 2022-08-10 23:13:32 -0700 |
committer | GitHub <noreply@github.com> | 2022-08-10 23:13:32 -0700 |
commit | 026c31e3060cee8aef3b777f858f7a27d10be42d (patch) | |
tree | 6c256ead03a1a4daafec4ff0256160594ad7052c /packages/server/src | |
parent | b485b82cb592969cf78442afc98749ac5f5f5c0d (diff) | |
parent | 02db42d71a0dcf80e1ad5bda211abb37be72db63 (diff) |
Merge pull request #245 from MasterKale/fix/fido-mds-alg-removal-emsa-sm2
fix/fido-mds-alg-removal-emsa-sm2
Diffstat (limited to 'packages/server/src')
3 files changed, 41 insertions, 22 deletions
diff --git a/packages/server/src/metadata/mdsTypes.ts b/packages/server/src/metadata/mdsTypes.ts
index a731018..0421383 100644
--- a/packages/server/src/metadata/mdsTypes.ts
+++ b/packages/server/src/metadata/mdsTypes.ts
@@ -208,11 +208,7 @@ const AlgSign = [
   'rsassa_pss_sha256_der',
   'secp256k1_ecdsa_sha256_raw',
   'secp256k1_ecdsa_sha256_der',
-  'sm2_sm3_raw',
-  'rsa_emsa_pkcs1_sha256_raw',
-  'rsa_emsa_pkcs1_sha256_der',
   'rsassa_pss_sha384_raw',
-  'rsassa_pss_sha256_raw',
   'rsassa_pkcsv15_sha256_raw',
   'rsassa_pkcsv15_sha384_raw',
   'rsassa_pkcsv15_sha512_raw',
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.test.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.test.ts
index 24165d2..128e26a 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.test.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.test.ts
@@ -65,7 +65,7 @@ test('should verify attestation with rsa_emsa_pkcs1_sha256_raw authenticator alg
       'protocolFamily': 'fido2',
       'schema': 3,
       'upv': [{ 'major': 1, 'minor': 0 }],
-      'authenticationAlgorithms': ['rsa_emsa_pkcs1_sha256_raw'],
+      'authenticationAlgorithms': ['rsassa_pkcsv15_sha256_raw'],
       'publicKeyAlgAndEncodings': ['cose'],
       'attestationTypes': ['attca'],
       'userVerificationDetails': [
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
index 9577a2e..940b174 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
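Review bot: The four identifiers leave the `AlgSign` array with nothing in the file recording why, and this list is the project's copy of an external registry, so a later reader has to dig through the PR to learn that the entries were retired (the PR title suggests that; the hunk itself cannot confirm it). A one-line comment above the array, `// Mirrors the FIDO metadata algorithm identifier registry; entries are removed here when the registry retires them`, would carry that context in place. Dropping `'rsassa_pss_sha256_raw'` while `'rsassa_pss_sha256_der'` stays in context reads like the removal of a duplicate entry rather than a retirement; if it is not a duplicate, the example in the new comment in verifyAttestationWithMetadata.ts, which still lists `'rsassa_pss_sha256_raw'`, is stale. The `const AlgSign = [` array begins before the hunk.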
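Review bot: The fixture now advertises `'rsassa_pkcsv15_sha256_raw'`, but the test's name shown in the hunk header still says it verifies an `rsa_emsa_pkcs1_sha256_raw` authenticator, so the description no longer matches what the test asserts. Renaming it, `test('should verify attestation with rsassa_pkcsv15_sha256_raw authenticator alg', ...)`, keeps the test report readable. The `test(...)` call begins before the hunk.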
@@ -66,22 +66,29 @@ export async function verifyAttestationWithMetadata(
   // Make sure the public key is one of the allowed algorithms
   if (!foundMatch) {
-    const debugMDSAlgs = Array.from(keypairCOSEAlgs);
-    // Construct some useful error output about the public key
-    const debugPubKeyAlgInfo: COSEInfo = {
-      kty: publicKeyCOSEInfo.kty,
-      alg: publicKeyCOSEInfo.alg,
-    };
-    // Don't output a bunch of bytes for `crv` when the public key is an RSA key
-    if (publicKeyCOSEInfo.kty !== COSEKTY.RSA) {
-      debugPubKeyAlgInfo.crv = publicKeyCOSEInfo.crv;
-    }
+    /**
+     * Craft some useful error output from the MDS algorithms
+     *
+     * Example:
+     *
+     * ```
+     * [
+     *   'rsassa_pss_sha256_raw' (COSE info: { kty: 3, alg: -37 }),
+     *   'secp256k1_ecdsa_sha256_raw' (COSE info: { kty: 2, alg: -47, crv: 8 })
+     * ]
+     * ```
+     */
+    const debugMDSAlgs = statement.authenticationAlgorithms
+      .map((algSign) => `'${algSign}' (COSE info: ${stringifyCOSEInfo(algSignToCOSEInfoMap[algSign])})`);
+    const strMDSAlgs = JSON.stringify(debugMDSAlgs, null, 2).replace(/"/g, '');
-    const strPubKeyAlg = JSON.stringify(debugPubKeyAlgInfo);
-    const strMDSAlgs = JSON.stringify(debugMDSAlgs);
+    /**
+     * Construct useful error output about the public key
+     */
+    const strPubKeyAlg = stringifyCOSEInfo(publicKeyCOSEInfo);
     throw new Error(
-      `Public key algorithm ${strPubKeyAlg} did not match any metadata algorithms ${strMDSAlgs}`,
+      `Public key parameters ${strPubKeyAlg} did not match any of the following metadata algorithms:\n${strMDSAlgs}`,
     );
   }
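Review bot: `algSignToCOSEInfoMap[algSign]` is handed straight to `stringifyCOSEInfo` in the new `.map` callback, so a metadata statement that still advertises an identifier no longer present in the map yields `undefined`, and the destructuring inside `stringifyCOSEInfo` throws a TypeError in place of the diagnostic this block is trying to produce. The map is typed by the narrowed `AlgSign` union, but `statement` appears to be data parsed from a metadata payload at runtime and so is not constrained by that type; the same retirement in mdsTypes.ts makes this more likely, not less. A local guard keeps the error path useful: `.map((algSign) => {` / `const info = algSignToCOSEInfoMap[algSign];` / `return \`'${algSign}' (COSE info: ${info ? stringifyCOSEInfo(info) : 'unknown'})\`; })`. The enclosing `verifyAttestationWithMetadata` begins and ends outside the hunk, so whatever computes `foundMatch` may need the same care.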
@@ -128,8 +135,24 @@ export const algSignToCOSEInfoMap: { [key in AlgSign]: COSEInfo } = {
   secp384r1_ecdsa_sha384_raw: { kty: 2, alg: -35, crv: 2 },
   secp512r1_ecdsa_sha256_raw: { kty: 2, alg: -36, crv: 3 },
   ed25519_eddsa_sha512_raw: { kty: 1, alg: -8, crv: 6 },
-  rsa_emsa_pkcs1_sha256_raw: { kty: 3, alg: -257 },
-  rsa_emsa_pkcs1_sha256_der: { kty: 3, alg: -257 },
-  // TODO: COSE info wasn't readily available for this, it seems rare...
-  sm2_sm3_raw: { kty: 999, alg: 999, crv: 999 },
 };
+
+/**
+ * A helper to format COSEInfo a little nicer than we can achieve with JSON.stringify()
+ *
+ * Input: `{ "kty": 3, "alg": -257 }`
+ *
+ * Output: `"{ kty: 3, alg: -257 }"`
+ */
+function stringifyCOSEInfo(info: COSEInfo): string {
+  const { kty, alg, crv } = info;
+
+  let toReturn = '';
+  if (kty !== COSEKTY.RSA) {
+    toReturn = `{ kty: ${kty}, alg: ${alg}, crv: ${crv} }`;
+  } else {
+    toReturn = `{ kty: ${kty}, alg: ${alg} }`;
+  }
+
+  return toReturn;
+}
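Review bot: `toReturn` in `stringifyCOSEInfo` is declared with `let` and an empty-string placeholder only to be overwritten on both branches; returning directly from each branch reads cleaner and removes the mutable local: `if (kty !== COSEKTY.RSA) {` / `return \`{ kty: ${kty}, alg: ${alg}, crv: ${crv} }\`;` / `} return \`{ kty: ${kty}, alg: ${alg} }\`;`. Separately, the non-RSA branch prints `crv: undefined` whenever `info.crv` is absent; the `COSEInfo` definition is outside the hunk, so whether that can happen for kty 1 or 2 inputs is not visible here, but the removed code only copied `crv` when it was present. The doc comment's Output example shows the result wrapped in quotes, which the function does not emit.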