Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/helpers/__mocks__/validateCertificateValidityWindow.ts3
-rw-r--r--packages/server/src/helpers/validateCertificatePath.ts4
-rw-r--r--packages/server/src/helpers/validateCertificateValidityWindow.ts7
-rw-r--r--packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts19
4 files changed, 17 insertions, 16 deletions
diff --git a/packages/server/src/helpers/__mocks__/validateCertificateValidityWindow.ts b/packages/server/src/helpers/__mocks__/validateCertificateValidityWindow.ts
deleted file mode 100644
index 64b7ae4..0000000
--- a/packages/server/src/helpers/__mocks__/validateCertificateValidityWindow.ts
+++ /dev/null
@@ -1,3 +0,0 @@
-export function validateCertificateValidityWindow(): boolean {
- return true;
-}
diff --git a/packages/server/src/helpers/validateCertificatePath.ts b/packages/server/src/helpers/validateCertificatePath.ts
index 32c1c6b..8cacb0b 100644
--- a/packages/server/src/helpers/validateCertificatePath.ts
+++ b/packages/server/src/helpers/validateCertificatePath.ts
@@ -4,7 +4,6 @@
import { KJUR, X509, ASN1HEX, zulutodate } from 'jsrsasign';
import isCertRevoked from './isCertRevoked';
-import { validateCertificateValidityWindow } from './validateCertificateValidityWindow';
const { crypto } = KJUR;
@@ -81,7 +80,8 @@ async function _validatePath(certificates: string[]): Promise<boolean> {
const notBefore = zulutodate(issuerCert.getNotBefore());
const notAfter = zulutodate(issuerCert.getNotAfter());
- if (!validateCertificateValidityWindow(notBefore, notAfter)) {
+ const now = new Date(Date.now());
+ if (notBefore > now || notAfter < now) {
throw new Error('Intermediate certificate is not yet valid or expired');
}
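Review bot: The inlined check `notBefore > now || notAfter < now` fails open if either date is an Invalid Date, because every comparison against NaN is false and the throw is skipped. The removed helper's `notBefore < now && now < notAfter` returned false in that case and so rejected the certificate. Whether `zulutodate` can actually return an invalid Date is not visible in this hunk, but a path validator should not depend on that; writing the guard as `if (!(notBefore <= now && now <= notAfter)) {` keeps the new inclusive bounds and rejects unparseable dates. The body of `_validatePath` continues outside the hunk, so I cannot tell whether other certificates in the chain get the same window check.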
diff --git a/packages/server/src/helpers/validateCertificateValidityWindow.ts b/packages/server/src/helpers/validateCertificateValidityWindow.ts
deleted file mode 100644
index e1a0926..0000000
--- a/packages/server/src/helpers/validateCertificateValidityWindow.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-/**
- * Make sure "now" is within a specific time frame
- */
-export function validateCertificateValidityWindow(notBefore: Date, notAfter: Date): boolean {
- const now = new Date();
- return notBefore < now && now < notAfter;
-}
diff --git a/packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts b/packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts
index 5792886..3cbe9f5 100644
--- a/packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts
+++ b/packages/server/src/registration/verifications/verifyAndroidSafetyNet.test.ts
@@ -1,7 +1,3 @@
-// Mock the notBefore and notAfter time window check to always return true due to expiring
-// SafetyNet intermediate certs
-jest.mock('../../helpers/validateCertificateValidityWindow');
-
import base64url from 'base64url';
import verifyAndroidSafetyNet from './verifyAndroidSafetyNet';
@@ -24,6 +20,7 @@ let aaguid: Buffer;
let credentialID: Buffer;
let credentialPublicKey: Buffer;
let rpIdHash: Buffer;
+let spyDate: jest.SpyInstance;
beforeEach(() => {
const { attestationObject, clientDataJSON } = attestationAndroidSafetyNet.response;
@@ -37,6 +34,12 @@ beforeEach(() => {
aaguid = parsedAuthData.aaguid!;
credentialID = parsedAuthData.credentialID!;
credentialPublicKey = parsedAuthData.credentialPublicKey!;
+
+ spyDate = jest.spyOn(global.Date, 'now');
+});
+
+afterEach(() => {
+ spyDate.mockRestore();
});
/**
@@ -44,6 +47,10 @@ beforeEach(() => {
* signature after modifying the payload with a `timestampMs` we can dynamically set
*/
test('should verify Android SafetyNet attestation', async () => {
+ // notBefore: 2017-06-15T00:00:42.000Z
+ // notAfter: 2021-12-15T00:00:42.000Z
+ spyDate.mockReturnValue(new Date('2021-11-15T00:00:42.000Z'));
+
const verified = await verifyAndroidSafetyNet({
attStmt,
authData,
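Review bot: `spyDate.mockReturnValue(new Date('2021-11-15T00:00:42.000Z'))` makes `Date.now()` return a Date object where the real function returns a number. It works with `new Date(Date.now())` in the validator and with numeric coercion, but any code under test that does a strict comparison or a `typeof` check on `Date.now()` would behave differently from production. I would return epoch milliseconds, `spyDate.mockReturnValue(Date.parse('2021-11-15T00:00:42.000Z'));`, and declare the spy as `let spyDate: jest.SpyInstance<number, []>;` so the compiler catches the mismatch. The same call appears in the GlobalSign R1 test in the next hunk. None of the visible hunks pins the clock after `notAfter` to assert that an expired intermediate is rejected; now that the always-true mock is gone, that negative case is worth adding.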
@@ -75,6 +82,10 @@ test('should throw error when timestamp is not within one minute of now', async
});
test('should validate response with cert path completed with GlobalSign R1 root cert', async () => {
+ // notBefore: 2006-12-15T08:00:00.000Z
+ // notAfter: 2021-12-15T08:00:00.000Z
+ spyDate.mockReturnValue(new Date('2021-11-15T00:00:42.000Z'));
+
const { attestationObject, clientDataJSON } = safetyNetUsingGSR1RootCert.response;
const decodedAttestationObject = decodeAttestationObject(base64url.toBuffer(attestationObject));