diff options
Diffstat (limited to 'packages/server/src')
| -rw-r--r-- | packages/server/src/registration/verifications/verifyAttestationPacked.ts | 94 |
1 files changed, 12 insertions, 82 deletions
diff --git a/packages/server/src/registration/verifications/verifyAttestationPacked.ts b/packages/server/src/registration/verifications/verifyAttestationPacked.ts index 415c814..02beebc 100644 --- a/packages/server/src/registration/verifications/verifyAttestationPacked.ts +++ b/packages/server/src/registration/verifications/verifyAttestationPacked.ts @@ -1,22 +1,10 @@ -import elliptic from 'elliptic'; -import NodeRSA from 'node-rsa'; - import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse'; -import { - COSEKEYS, - COSEALGHASH, - COSECRV, - COSEKTY, - COSERSASCHEME, - convertCOSEtoPKCS, -} from '../../helpers/convertCOSEtoPKCS'; -import { toHash } from '../../helpers/toHash'; +import { COSEALGHASH } from '../../helpers/convertCOSEtoPKCS'; import { convertCertBufferToPEM } from '../../helpers/convertCertBufferToPEM'; import { validateCertificatePath } from '../../helpers/validateCertificatePath'; import { getCertificateInfo } from '../../helpers/getCertificateInfo'; import { verifySignature } from '../../helpers/verifySignature'; -import { decodeCredentialPublicKey } from '../../helpers/decodeCredentialPublicKey'; import { MetadataService } from '../../services/metadataService'; import { verifyAttestationWithMetadata } from '../../metadata/verifyAttestationWithMetadata'; @@ -42,10 +30,8 @@ export async function verifyAttestationPacked( const signatureBase = Buffer.concat([authData, clientDataHash]); let verified = false; - const pkcsPublicKey = convertCOSEtoPKCS(credentialPublicKey); if (x5c) { - const leafCert = convertCertBufferToPEM(x5c[0]); const { subject, basicConstraintsCA, version, notBefore, notAfter } = getCertificateInfo( x5c[0], ); @@ -119,76 +105,20 @@ export async function verifyAttestationPacked( } } - verified = verifySignature(sig, signatureBase, leafCert); + verified = await verifySignature({ + signature: sig, + signatureBase, + leafCert: x5c[0], + }); } else { - const cosePublicKey = decodeCredentialPublicKey(credentialPublicKey); - - const kty = cosePublicKey.get(COSEKEYS.kty); - - if (!kty) { - throw new Error('COSE public key was missing kty (Packed|Self)'); - } - const hashAlg: string = COSEALGHASH[alg as number]; - if (kty === COSEKTY.EC2) { - const crv = cosePublicKey.get(COSEKEYS.crv); - - if (!crv) { - throw new Error('COSE public key was missing kty crv (Packed|EC2)'); - } - - const signatureBaseHash = toHash(signatureBase, hashAlg); - - /** - * Instantiating the curve here is _very_ computationally heavy - a bit of profiling - * (in compiled JS, not TS) reported an average of ~125ms to execute this line. The elliptic - * README states, "better do it once and reuse it", so maybe there's a better way to handle - * this in a server context, when we can re-use an existing instance. - * - * For now, it's worth noting that this line is probably the reason why it can take - * 5-6 seconds to run tests. - */ - const ec = new elliptic.ec(COSECRV[crv as number]); - const key = ec.keyFromPublic(pkcsPublicKey); - - verified = key.verify(signatureBaseHash, sig); - } else if (kty === COSEKTY.RSA) { - const n = cosePublicKey.get(COSEKEYS.n); - - if (!n) { - throw new Error('COSE public key was missing n (Packed|RSA)'); - } - - const signingScheme = COSERSASCHEME[alg as number]; - - // TODO: Verify this works - const key = new NodeRSA(); - key.setOptions({ signingScheme }); - key.importKey( - { - n: n as Buffer, - e: 65537, - }, - 'components-public', - ); - - verified = key.verify(signatureBase, sig); - } else if (kty === COSEKTY.OKP) { - const x = cosePublicKey.get(COSEKEYS.x); - - if (!x) { - throw new Error('COSE public key was missing x (Packed|OKP)'); - } - - const signatureBaseHash = toHash(signatureBase, hashAlg); - - const key = new elliptic.eddsa('ed25519'); - key.keyFromPublic(x as Buffer); - - // TODO: is `publicKey` right here? - verified = key.verify(signatureBaseHash, sig, pkcsPublicKey); - } + verified = await verifySignature({ + signature: sig, + signatureBase, + credentialPublicKey, + hashAlgorithm: hashAlg + }); } return verified; |