diff options
Diffstat (limited to 'packages/server/src')
| -rw-r--r-- | packages/server/src/helpers/constants.ts | 16 | ||||
| -rw-r--r-- | packages/server/src/metadata/metadataService.ts | 25 |
2 files changed, 36 insertions, 5 deletions
diff --git a/packages/server/src/helpers/constants.ts b/packages/server/src/helpers/constants.ts index ac12bee..161348b 100644 --- a/packages/server/src/helpers/constants.ts +++ b/packages/server/src/helpers/constants.ts @@ -74,3 +74,19 @@ export const FIDO_METADATA_ATTESTATION_TYPES: { [type: string]: string } = { 15881: 'ATTESTATION_ECDAA', 15882: 'ATTESTATION_ATTCA', }; + +export type FIDO_AUTHENTICATOR_STATUS = + | 'NOT_FIDO_CERTIFIED' + | 'FIDO_CERTIFIED' + | 'USER_VERIFICATION_BYPASS' + | 'ATTESTATION_KEY_COMPROMISE' + | 'USER_KEY_REMOTE_COMPROMISE' + | 'USER_KEY_PHYSICAL_COMPROMISE' + | 'UPDATE_AVAILABLE' + | 'REVOKED' + | 'SELF_ASSERTION_SUBMITTED' + | 'FIDO_CERTIFIED_L1' + | 'FIDO_CERTIFIED_L2' + | 'FIDO_CERTIFIED_L3' + | 'FIDO_CERTIFIED_L4' + | 'FIDO_CERTIFIED_L5'; diff --git a/packages/server/src/metadata/metadataService.ts b/packages/server/src/metadata/metadataService.ts index b3a5bf6..8f63e3c 100644 --- a/packages/server/src/metadata/metadataService.ts +++ b/packages/server/src/metadata/metadataService.ts @@ -3,7 +3,7 @@ import fetch from 'node-fetch'; import { KJUR } from 'jsrsasign'; import base64url from 'base64url'; -import { ENV_VARS } from '../helpers/constants'; +import { ENV_VARS, FIDO_AUTHENTICATOR_STATUS } from '../helpers/constants'; import toHash from '../helpers/toHash'; import validateCertificatePath from '../helpers/validateCertificatePath'; import convertASN1toPEM from '../helpers/convertASN1toPEM'; @@ -14,8 +14,9 @@ import parseJWT from './parseJWT'; const { ENABLE_MDS, MDS_TOC_URL, MDS_API_TOKEN, MDS_ROOT_CERT_URL } = ENV_VARS; type CachedAAGUID = { - url: string; - hash: string; + url: TOCEntry['url']; + hash: TOCEntry['hash']; + statusReports: TOCEntry['statusReports']; statement?: MetadataStatement; }; @@ -49,7 +50,7 @@ class MetadataService { } else { if (statements?.length) { statements.forEach(statement => { - this.cache[statement.aaguid] = { url: '', hash: '', statement }; + this.cache[statement.aaguid] = { url: '', hash: '', statement, statusReports: [] }; }); } this.state = SERVICE_STATE.READY; @@ -87,6 +88,19 @@ class MetadataService { return; } + // Check to see if the this aaguid has a status report with a "compromised" status + for (const report of cached.statusReports) { + const { status } = report; + if ( + status === 'USER_VERIFICATION_BYPASS' || + status === 'ATTESTATION_KEY_COMPROMISE' || + status === 'USER_KEY_REMOTE_COMPROMISE' || + status === 'USER_KEY_PHYSICAL_COMPROMISE' + ) { + throw new Error(`Detected compromised aaguid "${aaguid}"`); + } + } + if (!cached.statement && ENABLE_MDS) { // Download the metadata statement if it's not been cached const resp = await fetch(`${cached.url}?token=${MDS_API_TOKEN}`); @@ -188,6 +202,7 @@ class MetadataService { const cached: CachedAAGUID = { url: entry.url, hash: entry.hash, + statusReports: entry.statusReports, }; this.cache[_entry.aaguid] = cached; @@ -278,7 +293,7 @@ type TOCEntry = { aaguid?: string; attestationCertificateKeyIdentifiers: string[]; statusReports: { - status: string; + status: FIDO_AUTHENTICATOR_STATUS; certificateNumber: string; certificate: string; certificationDescriptor: string; |