author | Matthew Miller <matthew@millerti.me> | 2020-06-05 20:20:48 -0700 |
---|---|---|
committer | Matthew Miller <matthew@millerti.me> | 2020-06-05 20:20:48 -0700 |
commit | 553bd0d9f680942cef668e6a57d9c4a8fcab269b (patch) | |
tree | eac4f14849de2bfa9c157d283d9f27de20d3b36f /packages/server/src | |
parent | 20daeb22d277f8c3b5a19f3e9cb0db88ae11b8f6 (diff) |
Update authData parser to map returns to spec
Diffstat (limited to 'packages/server/src')
6 files changed, 23 insertions, 27 deletions
diff --git a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
index 9ef6bf8..31aa53d 100644
--- a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
+++ b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
@@ -16,7 +16,7 @@ export default function verifyAttestationAndroidSafetyNet(
   attestationObject: AttestationObject,
   base64ClientDataJSON: string,
   parsedAuthData: ParsedAuthenticatorData,
-  COSEPublicKey: Buffer,
+  credentialPublicKey: Buffer,
 ): VerifiedAttestation {
   const { attStmt, authData, fmt } = attestationObject;
   const { counter, credentialID, flags } = parsedAuthData;
@@ -24,9 +24,6 @@ export default function verifyAttestationAndroidSafetyNet(
   if (!credentialID) {
     throw new Error('No credential ID was provided by authenticator (SafetyNet)');
   }
-  if (!COSEPublicKey) {
-    throw new Error('No public key was provided by authenticator (SafetyNet)');
-  }
   if (!attStmt.response) {
     throw new Error('No response was included in attStmt by authenticator (SafetyNet)');
@@ -109,7 +106,7 @@ export default function verifyAttestationAndroidSafetyNet(
   if (toReturn.verified) {
     toReturn.userVerified = flags.uv;
-    const publicKey = convertCOSEtoPKCS(COSEPublicKey);
+    const publicKey = convertCOSEtoPKCS(credentialPublicKey);
     toReturn.authenticatorInfo = {
       fmt,
diff --git a/packages/server/src/attestation/verifications/verifyFIDOU2F.ts b/packages/server/src/attestation/verifications/verifyFIDOU2F.ts
index 335c239..508f167 100644
--- a/packages/server/src/attestation/verifications/verifyFIDOU2F.ts
+++ b/packages/server/src/attestation/verifications/verifyFIDOU2F.ts
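Review bot: verifyAttestationAndroidSafetyNet still receives `credentialPublicKey: Buffer` as a separate fourth positional parameter even though the same value is a field of the `parsedAuthData` argument right before it, and the other three verifiers touched by this commit read it from `parsedAuthData` instead; the call site in verifyAttestationResponse therefore passes the same bytes twice. Reading it the way the siblings do, `const { counter, credentialID, credentialPublicKey, flags } = parsedAuthData;`, would line this verifier up with them and make the extra parameter unnecessary. The `if (!COSEPublicKey)` guard removed in the following hunk (`-24,9 +24,6`) is now covered only by the check in verifyAttestationResponse and by the non-optional parameter type; if the value is taken from `parsedAuthData`, where it is optional, that guard has to come back. The function body continues outside these hunks.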
@@ -18,9 +18,9 @@ export default function verifyAttestationFIDOU2F(
   parsedAuthData: ParsedAuthenticatorData,
 ): VerifiedAttestation {
   const { fmt, attStmt } = attestationObject;
-  const { flags, COSEPublicKey, rpIdHash, credentialID, counter } = parsedAuthData;
+  const { flags, credentialPublicKey, rpIdHash, credentialID, counter } = parsedAuthData;
-  if (!COSEPublicKey) {
+  if (!credentialPublicKey) {
     throw new Error('No public key was provided by authenticator (FIDOU2F)');
   }
@@ -30,7 +30,7 @@ export default function verifyAttestationFIDOU2F(
   const clientDataHash = toHash(base64url.toBuffer(base64ClientDataJSON));
   const reservedByte = Buffer.from([0x00]);
-  const publicKey = convertCOSEtoPKCS(COSEPublicKey);
+  const publicKey = convertCOSEtoPKCS(credentialPublicKey);
   const signatureBase = Buffer.concat([
     reservedByte,
diff --git a/packages/server/src/attestation/verifications/verifyNone.ts b/packages/server/src/attestation/verifications/verifyNone.ts
index 4ac1988..f276a83 100644
--- a/packages/server/src/attestation/verifications/verifyNone.ts
+++ b/packages/server/src/attestation/verifications/verifyNone.ts
@@ -15,10 +15,10 @@ export default function verifyAttestationNone(
   attestationObject: AttestationObject,
   parsedAuthData: ParsedAuthenticatorData,
 ): VerifiedAttestation {
-  const { fmt, authData } = attestationObject;
-  const { credentialID, COSEPublicKey, counter, flags } = parsedAuthData;
+  const { fmt } = attestationObject;
+  const { credentialID, credentialPublicKey, counter, flags } = parsedAuthData;
-  if (!COSEPublicKey) {
+  if (!credentialPublicKey) {
     throw new Error('No public key was provided by authenticator (None)');
   }
@@ -26,7 +26,7 @@ export default function verifyAttestationNone(
     throw new Error('No credential ID was provided by authenticator (None)');
   }
-  const publicKey = convertCOSEtoPKCS(COSEPublicKey);
+  const publicKey = convertCOSEtoPKCS(credentialPublicKey);
   const toReturn: VerifiedAttestation = {
     verified: true,
diff --git a/packages/server/src/attestation/verifications/verifyPacked.ts b/packages/server/src/attestation/verifications/verifyPacked.ts
index 48764aa..c5f8ec1 100644
--- a/packages/server/src/attestation/verifications/verifyPacked.ts
+++ b/packages/server/src/attestation/verifications/verifyPacked.ts
@@ -1,5 +1,4 @@
 import base64url from 'base64url';
-import cbor from 'cbor';
 import elliptic from 'elliptic';
 import NodeRSA, { SigningSchemeHash } from 'node-rsa';
@@ -9,12 +8,12 @@ import type { VerifiedAttestation } from '../verifyAttestationResponse';
 import convertCOSEtoPKCS, {
   COSEKEYS,
-  COSEPublicKey as COSEPublicKeyType
 } from '../../helpers/convertCOSEtoPKCS';
 import toHash from '../../helpers/toHash';
 import convertASN1toPEM from '../../helpers/convertASN1toPEM';
 import getCertificateInfo from '../../helpers/getCertificateInfo';
 import verifySignature from '../../helpers/verifySignature';
+import decodeCredentialPublicKey from '../../helpers/decodeCredentialPublicKey';
 /**
  * Verify an attestation response with fmt 'packed'
@@ -26,9 +25,9 @@ export default function verifyAttestationPacked(
 ): VerifiedAttestation {
   const { fmt, authData, attStmt } = attestationObject;
   const { sig, x5c } = attStmt;
-  const { COSEPublicKey, counter, credentialID, flags } = parsedAuthData;
+  const { credentialPublicKey, counter, credentialID, flags } = parsedAuthData;
-  if (!COSEPublicKey) {
+  if (!credentialPublicKey) {
     throw new Error('No public key was provided by authenticator (Packed)');
   }
@@ -48,7 +47,7 @@ export default function verifyAttestationPacked(
     verified: false,
     userVerified: flags.uv,
   };
-  const publicKey = convertCOSEtoPKCS(COSEPublicKey);
+  const publicKey = convertCOSEtoPKCS(credentialPublicKey);
   if (x5c) {
     const leafCert = convertASN1toPEM(x5c[0]);
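Review bot: `const { fmt, authData, attStmt } = attestationObject;` in the `-26,9 +25,9` hunk keeps `authData` in the destructuring even though the same commit removes the unused `authData` binding from verifyAttestationNone. If verifyAttestationPacked does not use it further down — its body continues outside this hunk — dropping it here as well, `const { fmt, attStmt } = attestationObject;`, keeps the verifiers consistent and avoids an unused-variable warning. If it is used below, this is fine as is.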
@@ -83,7 +82,7 @@ export default function verifyAttestationPacked(
     toReturn.verified = verifySignature(sig, signatureBase, leafCert);
   } else {
-    const cosePublicKey: COSEPublicKeyType = cbor.decodeAllSync(COSEPublicKey)[0];
+    const cosePublicKey = decodeCredentialPublicKey(credentialPublicKey);
     const kty = cosePublicKey.get(COSEKEYS.kty);
     const alg = cosePublicKey.get(COSEKEYS.alg);
@@ -105,7 +104,7 @@ export default function verifyAttestationPacked(
       throw new Error('COSE public key was missing kty crv (Packed|EC2)');
     }
-    const pkcsPublicKey = convertCOSEtoPKCS(COSEPublicKey);
+    const pkcsPublicKey = convertCOSEtoPKCS(credentialPublicKey);
     const signatureBaseHash = toHash(signatureBase, hashAlg);
     /**
diff --git a/packages/server/src/attestation/verifyAttestationResponse.ts b/packages/server/src/attestation/verifyAttestationResponse.ts
index 6b54d8a..96f659a 100644
--- a/packages/server/src/attestation/verifyAttestationResponse.ts
+++ b/packages/server/src/attestation/verifyAttestationResponse.ts
@@ -55,7 +55,7 @@ export default function verifyAttestationResponse(
   const { fmt, authData } = attestationObject;
   const parsedAuthData = parseAuthenticatorData(authData);
-  const { rpIdHash, flags, COSEPublicKey } = parsedAuthData;
+  const { rpIdHash, flags, credentialPublicKey } = parsedAuthData;
   // Make sure the response's RP ID is ours
   const expectedRPIDHash = toHash(Buffer.from(expectedRPID, 'ascii'));
@@ -68,11 +68,11 @@ export default function verifyAttestationResponse(
     throw new Error('User not present during assertion');
   }
-  if (!COSEPublicKey) {
+  if (!credentialPublicKey) {
     throw new Error('No public key was provided by authenticator');
   }
-  const decodedPublicKey = decodeCredentialPublicKey(COSEPublicKey);
+  const decodedPublicKey = decodeCredentialPublicKey(credentialPublicKey);
   const alg = decodedPublicKey.get(COSEKEYS.alg);
   if (!alg) {
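Review bot: `const cosePublicKey = decodeCredentialPublicKey(credentialPublicKey);` in the `-83,7 +82,7` hunk decodes the same bytes that verifyAttestationResponse already decodes into `decodedPublicKey` in its `-68,11 +68,11` hunk, and `const pkcsPublicKey = convertCOSEtoPKCS(credentialPublicKey);` in the `-105,7 +104,7` hunk repeats the `convertCOSEtoPKCS` call whose result verifyAttestationPacked already holds in `publicKey` from the `-48,7 +47,7` hunk. The second conversion can simply reuse the existing value, `const pkcsPublicKey = publicKey;`, or `publicKey` can be used directly wherever `pkcsPublicKey` is read below. Passing the decoded COSE map from verifyAttestationResponse alongside `parsedAuthData` would remove the duplicate CBOR decode too, though that is a wider interface change than this rename. Both function bodies extend outside these hunks.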
@@ -109,7 +109,7 @@ export default function verifyAttestationResponse(
       attestationObject,
       response.clientDataJSON,
       parsedAuthData,
-      COSEPublicKey,
+      credentialPublicKey,
     );
   }
diff --git a/packages/server/src/helpers/parseAuthenticatorData.ts b/packages/server/src/helpers/parseAuthenticatorData.ts
index 510c228..e177002 100644
--- a/packages/server/src/helpers/parseAuthenticatorData.ts
+++ b/packages/server/src/helpers/parseAuthenticatorData.ts
@@ -27,7 +27,7 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
   let aaguid: Buffer | undefined = undefined;
   let credentialID: Buffer | undefined = undefined;
-  let COSEPublicKey: Buffer | undefined = undefined;
+  let credentialPublicKey: Buffer | undefined = undefined;
   if (flags.at) {
     aaguid = intBuffer.slice(0, 16);
@@ -41,7 +41,7 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
     credentialID = intBuffer.slice(0, credIDLen);
     intBuffer = intBuffer.slice(credIDLen);
-    COSEPublicKey = intBuffer;
+    credentialPublicKey = intBuffer;
   }
   return {
@@ -52,7 +52,7 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
     counterBuf,
     aaguid,
     credentialID,
-    COSEPublicKey,
+    credentialPublicKey,
   };
 }
@@ -70,5 +70,5 @@ export type ParsedAuthenticatorData = {
   counterBuf: Buffer;
   aaguid?: Buffer;
   credentialID?: Buffer;
-  COSEPublicKey?: Buffer;
+  credentialPublicKey?: Buffer;
 };
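Review bot: `credentialPublicKey = intBuffer;` in the `-41,7 +41,7` hunk takes everything left in authData after the credential ID as the public key, with no length derived from the key itself. The WebAuthn authenticator-data layout allows extension data to follow the attested credential data, so when an authenticator sets the extensions flag those trailing CBOR bytes end up inside this Buffer; whether that is harmless depends on the decoder stopping after the first CBOR item (the `cbor.decodeAllSync(...)[0]` that verifyPacked used before this commit did, the new decodeCredentialPublicKey helper is not shown here). If the parser does not handle the extensions flag, state the assumption at this line, `// assumes nothing follows the credential public key (extension data is not parsed)`, or decode the key here and slice exactly its encoded length so the returned Buffer is just the key. parseAuthenticatorData's body starts before this hunk.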
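Review bot: The renamed `credentialPublicKey?: Buffer;` field of ParsedAuthenticatorData in the `-70,5 +70,5` hunk carries no documentation, and the rename drops the one hint the old name gave about its encoding, while the value is still fed unchanged to convertCOSEtoPKCS and decodeCredentialPublicKey. A TSDoc comment would preserve that: `/** Raw COSE_Key (CBOR) bytes of the attested credential's public key; only populated when flags.at is set */`. The same applies to `credentialID?: Buffer;` and `aaguid?: Buffer;` directly above it, which the parser only assigns inside its `if (flags.at)` branch.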