authorMatthew Miller <matthew@millerti.me>2022-12-15 23:19:28 -0800
committerMatthew Miller <matthew@millerti.me>2022-12-15 23:19:28 -0800
commite556406da4dbb48c50bef47df828c95d9fa110e5 (patch)
tree3ad2e11a191f8be5e62c91c3dbcc9638b5b98ef9 /packages/server/src
parent4594c295dc647b117813ca74792d46cdcc2f7c11 (diff)
Return more certificate info
Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/helpers/getCertificateInfo.ts43
-rw-r--r--packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts3
2 files changed, 40 insertions, 6 deletions
diff --git a/packages/server/src/helpers/getCertificateInfo.ts b/packages/server/src/helpers/getCertificateInfo.ts
index e503f70..7ec6eba 100644
--- a/packages/server/src/helpers/getCertificateInfo.ts
+++ b/packages/server/src/helpers/getCertificateInfo.ts
@@ -8,6 +8,7 @@ export type CertificateInfo = {
basicConstraintsCA: boolean;
notBefore: Date;
notAfter: Date;
+ parsedCertificate: Certificate;
};
type Issuer = {
@@ -15,6 +16,7 @@ type Issuer = {
O?: string;
OU?: string;
CN?: string;
+ combined: string;
};
type Subject = {
@@ -22,6 +24,7 @@ type Subject = {
O?: string;
OU?: string;
CN?: string;
+ combined: string;
};
const issuerSubjectIDKey: { [key: string]: 'C' | 'O' | 'OU' | 'CN' } = {
@@ -37,26 +40,28 @@ const issuerSubjectIDKey: { [key: string]: 'C' | 'O' | 'OU' | 'CN' } = {
* @param pemCertificate Result from call to `convertASN1toPEM(x5c[0])`
*/
export function getCertificateInfo(leafCertBuffer: Uint8Array): CertificateInfo {
- const asnx509 = AsnParser.parse(leafCertBuffer, Certificate);
- const parsedCert = asnx509.tbsCertificate;
+ const x509 = AsnParser.parse(leafCertBuffer, Certificate);
+ const parsedCert = x509.tbsCertificate;
// Issuer
- const issuer: Issuer = {};
+ const issuer: Issuer = { combined: '' };
parsedCert.issuer.forEach(([iss]) => {
const key = issuerSubjectIDKey[iss.type];
if (key) {
issuer[key] = iss.value.toString();
}
});
+ issuer.combined = issuerSubjectToString(issuer);
// Subject
- const subject: Subject = {};
+ const subject: Subject = { combined: '' };
parsedCert.subject.forEach(([iss]) => {
const key = issuerSubjectIDKey[iss.type];
if (key) {
subject[key] = iss.value.toString();
}
});
+ subject.combined = issuerSubjectToString(subject);
let basicConstraintsCA = false;
if (parsedCert.extensions) {
@@ -76,5 +81,35 @@ export function getCertificateInfo(leafCertBuffer: Uint8Array): CertificateInfo
basicConstraintsCA,
notBefore: parsedCert.validity.notBefore.getTime(),
notAfter: parsedCert.validity.notAfter.getTime(),
+ parsedCertificate: x509,
};
}
+
+/**
+ * Stringify the parts of Issuer or Subject info for easier comparison of subject issuers with
+ * issuer subjects.
+ *
+ * The order might seem arbitrary, because it is. It should be enough that the two are stringified
+ * in the same order.
+ */
+function issuerSubjectToString(input: Issuer | Subject): string {
+ const parts: string[] = [];
+
+ if (input.C) {
+ parts.push(input.C);
+ }
+
+ if (input.O) {
+ parts.push(input.O);
+ }
+
+ if (input.OU) {
+ parts.push(input.OU);
+ }
+
+ if (input.CN) {
+ parts.push(input.CN);
+ }
+
+ return parts.join(' : ');
+}
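Review bot: `issuerSubjectToString` in the last hunk builds a comparison key that is lossy: the attribute type is dropped and the values are joined with ` : `, so `{ C: 'x' }` and `{ O: 'x' }` both stringify to `x`, and a single value that itself contains ` : ` collides with a two-attribute name. The doc comment says `combined` exists precisely to compare subject and issuer names, and attestation certificate chains are supplied by the authenticator, so the key should carry the attribute type with each value in an encoding no value can imitate. The rewrite below keeps `''` for a name with none of the four attributes so the `combined.length > 0` test in verifyAttestationTPM.ts still works; it also still ignores attribute types other than C/O/OU/CN, which the doc comment should say explicitly.
```typescript
function issuerSubjectToString(input: Issuer | Subject): string {
  const parts: [string, string][] = [];
  for (const key of ['C', 'O', 'OU', 'CN'] as const) {
    const value = input[key];
    if (value) {
      parts.push([key, value]);
    }
  }
  // Stay '' for an empty name so callers can keep testing `combined.length > 0`; otherwise
  // JSON-encode the typed pairs so no attribute value can masquerade as a separator or as
  // a different attribute.
  return parts.length === 0 ? '' : JSON.stringify(parts);
}
```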
diff --git a/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts b/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts
index 5d9b136..95c7952 100644
--- a/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts
+++ b/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.ts
@@ -14,7 +14,6 @@ import { decodeCredentialPublicKey } from '../../../helpers/decodeCredentialPubl
import {
COSEKEYS,
isCOSEAlg,
- COSEKTY,
isCOSEPublicKeyRSA,
isCOSEPublicKeyEC2,
COSEALG,
@@ -215,7 +214,7 @@ export async function verifyAttestationTPM(
}
// Check that Subject sequence is empty.
- if (Object.keys(subject).length > 0) {
+ if (subject.combined.length > 0) {
throw new Error('Certificate subject was not empty (TPM)');
}
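Review bot: The replaced check `if (subject.combined.length > 0)` still tests only whether any of the four attributes C/O/OU/CN that `combined` is built from is present, not whether the certificate's subject sequence is empty, so a subject consisting solely of other attribute types (serialNumber, L, ST, …) passes as "empty"; the old `Object.keys(subject)` form had the same gap. Now that `getCertificateInfo` returns `parsedCertificate`, the check can look at the raw name, e.g. `if (parsedCertificate.tbsCertificate.subject.length > 0) {`, presumably with `parsedCertificate` destructured alongside `subject` from the `getCertificateInfo` result. That destructuring and the rest of verifyAttestationTPM lie outside the hunk, so confirm the variable is in scope there.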