authorMatthew Miller <matthew@millerti.me>2020-07-04 17:25:02 -0700
committerMatthew Miller <matthew@millerti.me>2020-07-04 17:25:02 -0700
commita7c042e931b189d58be31b5ccb2bf8b10d71ad70 (patch)
tree081c61a9ba8ccf29d3913a7a1f0ebabc01771c35 /packages/server/src
parent580e944f6377aa4d199ed0c177eff8774c3fb8ac (diff)
Error on full attestation if only self is valid
Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/attestation/verifications/verifyPacked.ts7
1 files changed, 7 insertions, 0 deletions
diff --git a/packages/server/src/attestation/verifications/verifyPacked.ts b/packages/server/src/attestation/verifications/verifyPacked.ts
index 53d5fa3..884badd 100644
--- a/packages/server/src/attestation/verifications/verifyPacked.ts
+++ b/packages/server/src/attestation/verifications/verifyPacked.ts
@@ -94,6 +94,13 @@ export default async function verifyAttestationPacked(options: Options): Promise
// If available, validate attestation alg and x5c with info in the metadata statement
const statement = await MetadataService.getStatement(aaguid);
if (statement) {
+ // The presence of x5c means this is a full attestation. Check to see if attestationTypes
+ // includes packed attestations.
+ // See constants > FIDO_METADATA_ATTESTATION_TYPES for what this number means
+ if (statement.attestationTypes.indexOf(15879) < 0) {
+ throw new Error('Metadata does not indicate support for full attestations (Packed|Full)');
+ }
+
try {
verifyAttestationWithMetadata(statement, alg, x5c);
} catch (err) {
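Review bot: The new guard tests the bare literal `15879` and leaves it to a comment to point at `FIDO_METADATA_ATTESTATION_TYPES`. Importing the named value from constants and testing that instead would keep this trust decision tied to the table it depends on, with `includes(...)` reading more clearly than `indexOf(...) < 0`. The comment says "packed attestations" while the error text and commit title talk about full attestation, so I would reword it to `// x5c present => full attestation; the metadata statement must list that type`. The packed format also allows x5c with attestation-CA certificates, so if `15879` denotes only the basic-full type, an authenticator whose statement lists only the attestation-CA type would be rejected here. That fails closed, but it is worth confirming as intended. The enclosing function and the `try` block both continue outside this hunk.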