Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/metadata/mdsTypes.ts61
-rw-r--r--packages/server/src/metadata/verifyAttestationWithMetadata.ts66
2 files changed, 58 insertions, 69 deletions
diff --git a/packages/server/src/metadata/mdsTypes.ts b/packages/server/src/metadata/mdsTypes.ts
index 22ba564..a731018 100644
--- a/packages/server/src/metadata/mdsTypes.ts
+++ b/packages/server/src/metadata/mdsTypes.ts
@@ -176,7 +176,7 @@ export type MetadataStatement = {
/**
* USER_VERIFY
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#user-verification-methods
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#user-verification-methods
*/
export type UserVerify =
| 'presence_internal'
@@ -195,55 +195,60 @@ export type UserVerify =
/**
* ALG_SIGN
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#authentication-algorithms
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authentication-algorithms
+ *
+ * Using this helpful TS pattern here so that we can strongly enforce the existence of COSE info
+ * mappings in `algSignToCOSEInfoMap` in verifyAttestationWithMetadata.ts
*/
-export type AlgSign =
- | 'secp256r1_ecdsa_sha256_raw'
- | 'secp256r1_ecdsa_sha256_der'
- | 'rsassa_pss_sha256_raw'
- | 'rsassa_pss_sha256_der'
- | 'secp256k1_ecdsa_sha256_raw'
- | 'secp256k1_ecdsa_sha256_der'
- | 'sm2_sm3_raw'
- | 'rsa_emsa_pkcs1_sha256_raw'
- | 'rsa_emsa_pkcs1_sha256_der'
- | 'rsassa_pss_sha384_raw'
- | 'rsassa_pss_sha256_raw'
- | 'rsassa_pkcsv15_sha256_raw'
- | 'rsassa_pkcsv15_sha384_raw'
- | 'rsassa_pkcsv15_sha512_raw'
- | 'rsassa_pkcsv15_sha1_raw'
- | 'secp384r1_ecdsa_sha384_raw'
- | 'secp512r1_ecdsa_sha256_raw'
- | 'ed25519_eddsa_sha512_raw';
+export type AlgSign = typeof AlgSign[number];
+const AlgSign = [
+ 'secp256r1_ecdsa_sha256_raw',
+ 'secp256r1_ecdsa_sha256_der',
+ 'rsassa_pss_sha256_raw',
+ 'rsassa_pss_sha256_der',
+ 'secp256k1_ecdsa_sha256_raw',
+ 'secp256k1_ecdsa_sha256_der',
+ 'sm2_sm3_raw',
+ 'rsa_emsa_pkcs1_sha256_raw',
+ 'rsa_emsa_pkcs1_sha256_der',
+ 'rsassa_pss_sha384_raw',
+ 'rsassa_pss_sha256_raw',
+ 'rsassa_pkcsv15_sha256_raw',
+ 'rsassa_pkcsv15_sha384_raw',
+ 'rsassa_pkcsv15_sha512_raw',
+ 'rsassa_pkcsv15_sha1_raw',
+ 'secp384r1_ecdsa_sha384_raw',
+ 'secp512r1_ecdsa_sha256_raw',
+ 'ed25519_eddsa_sha512_raw',
+] as const;
/**
* ALG_KEY
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#public-key-representation-formats
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#public-key-representation-formats
*/
export type AlgKey = 'ecc_x962_raw' | 'ecc_x962_der' | 'rsa_2048_raw' | 'rsa_2048_der' | 'cose';
/**
* ATTESTATION
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#authenticator-attestation-types
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authenticator-attestation-types
*/
-export type Attestation = 'basic_full' | 'basic_surrogate' | 'ecdaa' | 'attca';
+export type Attestation = 'basic_full' | 'basic_surrogate' | 'ecdaa' | 'attca' | 'anonca' | 'none';
/**
* KEY_PROTECTION
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#key-protection-types
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#key-protection-types
*/
export type KeyProtection = 'software' | 'hardware' | 'tee' | 'secure_element' | 'remote_handle';
/**
* MATCHER_PROTECTION
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#matcher-protection-types
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#matcher-protection-types
*/
export type MatcherProtection = 'software' | 'tee' | 'on_chip';
/**
* ATTACHMENT_HINT
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#authenticator-attachment-hints
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authenticator-attachment-hints
*/
export type AttachmentHint =
| 'internal'
@@ -258,7 +263,7 @@ export type AttachmentHint =
/**
* TRANSACTION_CONFIRMATION_DISPLAY
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#transaction-confirmation-display-types
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#transaction-confirmation-display-types
*/
export type TransactionConfirmationDisplay =
| 'any'
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
index 0e7c736..9577a2e 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
@@ -1,6 +1,6 @@
import { Base64URLString } from '@simplewebauthn/typescript-types';
-import { MetadataStatement, AlgSign } from '../metadata/mdsTypes';
+import type { MetadataStatement, AlgSign } from '../metadata/mdsTypes';
import { convertCertBufferToPEM } from '../helpers/convertCertBufferToPEM';
import { validateCertificatePath } from '../helpers/validateCertificatePath';
import { decodeCredentialPublicKey } from '../helpers/decodeCredentialPublicKey';
@@ -18,9 +18,10 @@ export async function verifyAttestationWithMetadata(
// Make sure the alg in the attestation statement matches one of the ones specified in metadata
const keypairCOSEAlgs: Set<COSEInfo> = new Set();
statement.authenticationAlgorithms.forEach(algSign => {
- // Convert algSign string to { kty, alg, crv }
- const algSignCOSEINFO = algSignToCOSEInfo(algSign);
+ // Map algSign string to { kty, alg, crv }
+ const algSignCOSEINFO = algSignToCOSEInfoMap[algSign];
+ // Keeping this statement here just in case MDS returns something unexpected
if (algSignCOSEINFO) {
keypairCOSEAlgs.add(algSignCOSEINFO);
}
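Review bot: `algSignToCOSEInfoMap[algSign]` is a plain object lookup keyed by a string taken from the metadata statement, so a value that is not a declared key still resolves through the prototype chain (`'constructor'`, `'toString'`, …) to a truthy function, which then passes the `if (algSignCOSEINFO)` guard and lands in `keypairCOSEAlgs`. The guard should check key ownership rather than truthiness: `const algSignCOSEINFO = Object.prototype.hasOwnProperty.call(algSignToCOSEInfoMap, algSign)` / `  ? algSignToCOSEInfoMap[algSign]` / `  : undefined;`. Note also that the map's declared type `{ [key in AlgSign]: COSEInfo }` tells the compiler the indexed value can never be `undefined`, so the guard reads as dead code to a type-aware reader; the "just in case" comment is the only thing keeping it alive, and a type that admits `undefined` would make the intent explicit. verifyAttestationWithMetadata's body starts and ends outside this hunk.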
@@ -110,42 +111,25 @@ type COSEInfo = {
*
* Values pulled from `ALG_KEY_COSE` definitions in the FIDO Registry of Predefined Values
*
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#authentication-algorithms
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authentication-algorithms
*/
-function algSignToCOSEInfo(algSign: AlgSign): COSEInfo | undefined {
- switch (algSign) {
- case 'secp256r1_ecdsa_sha256_raw':
- case 'secp256r1_ecdsa_sha256_der':
- return { kty: 2, alg: -7, crv: 1 };
- case 'rsassa_pss_sha256_raw':
- case 'rsassa_pss_sha256_der':
- return { kty: 3, alg: -37 };
- case 'secp256k1_ecdsa_sha256_raw':
- case 'secp256k1_ecdsa_sha256_der':
- return { kty: 2, alg: 7, crv: 8 };
- case 'rsassa_pss_sha384_raw':
- return { kty: 3, alg: -38 };
- case 'rsassa_pkcsv15_sha256_raw':
- return { kty: 3, alg: -257 };
- case 'rsassa_pkcsv15_sha384_raw':
- return { kty: 3, alg: -258 };
- case 'rsassa_pkcsv15_sha512_raw':
- return { kty: 3, alg: -259 };
- case 'rsassa_pkcsv15_sha1_raw':
- return { kty: 3, alg: -65535 };
- case 'secp384r1_ecdsa_sha384_raw':
- return { kty: 2, alg: -35, crv: 2 };
- case 'secp512r1_ecdsa_sha256_raw':
- return { kty: 2, alg: -36, crv: 3 };
- case 'ed25519_eddsa_sha512_raw':
- return { kty: 1, alg: -8, crv: 6 };
- case 'rsa_emsa_pkcs1_sha256_raw':
- case 'rsa_emsa_pkcs1_sha256_der':
- return { kty: 3, alg: -257 };
- // TODO: COSE info wasn't readily available for these, these seem rare...
- // case 'sm2_sm3_raw':
- // return {};
- default:
- return undefined;
- }
-}
+export const algSignToCOSEInfoMap: { [key in AlgSign]: COSEInfo } = {
+ secp256r1_ecdsa_sha256_raw: { kty: 2, alg: -7, crv: 1 },
+ secp256r1_ecdsa_sha256_der: { kty: 2, alg: -7, crv: 1 },
+ rsassa_pss_sha256_raw: { kty: 3, alg: -37 },
+ rsassa_pss_sha256_der: { kty: 3, alg: -37 },
+ secp256k1_ecdsa_sha256_raw: { kty: 2, alg: -47, crv: 8 },
+ secp256k1_ecdsa_sha256_der: { kty: 2, alg: -47, crv: 8 },
+ rsassa_pss_sha384_raw: { kty: 3, alg: -38 },
+ rsassa_pkcsv15_sha256_raw: { kty: 3, alg: -257 },
+ rsassa_pkcsv15_sha384_raw: { kty: 3, alg: -258 },
+ rsassa_pkcsv15_sha512_raw: { kty: 3, alg: -259 },
+ rsassa_pkcsv15_sha1_raw: { kty: 3, alg: -65535 },
+ secp384r1_ecdsa_sha384_raw: { kty: 2, alg: -35, crv: 2 },
+ secp512r1_ecdsa_sha256_raw: { kty: 2, alg: -36, crv: 3 },
+ ed25519_eddsa_sha512_raw: { kty: 1, alg: -8, crv: 6 },
+ rsa_emsa_pkcs1_sha256_raw: { kty: 3, alg: -257 },
+ rsa_emsa_pkcs1_sha256_der: { kty: 3, alg: -257 },
+ // TODO: COSE info wasn't readily available for this, it seems rare...
+ sm2_sm3_raw: { kty: 999, alg: 999, crv: 999 },
+};
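Review bot: The `sm2_sm3_raw` entry is filled with sentinel `{ kty: 999, alg: 999, crv: 999 }` purely to satisfy the mapped type, and that sentinel flows into `keypairCOSEAlgs` as if it were a real COSE identifier; a statement whose only listed algorithm is SM2 will then fail the alg comparison with a misleading "unsupported alg" rather than a clear "no mapping available". The former `switch` returned `undefined` for this case, which is the behaviour to preserve: declare the map as `export const algSignToCOSEInfoMap: Record<AlgSign, COSEInfo | undefined> = {` and write `sm2_sm3_raw: undefined,`, which still forces every `AlgSign` key to be present at compile time while keeping the existing `if (algSignCOSEINFO)` guard meaningful. Whether `COSEInfo` even permits 999 as `kty` cannot be seen here, since its definition lies above this hunk; the doc comment for the exported constant also begins outside the hunk. The `secp256k1` change to `-47` is the commit's own correction and is not in question.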