Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/attestation/verifications/tpm/parseCertInfo.ts38
-rw-r--r--packages/server/src/attestation/verifications/tpm/parsePubArea.ts29
-rw-r--r--packages/server/src/helpers/parseAuthenticatorData.ts33
3 files changed, 35 insertions, 65 deletions
diff --git a/packages/server/src/attestation/verifications/tpm/parseCertInfo.ts b/packages/server/src/attestation/verifications/tpm/parseCertInfo.ts
index e7c9225..1ac391e 100644
--- a/packages/server/src/attestation/verifications/tpm/parseCertInfo.ts
+++ b/packages/server/src/attestation/verifications/tpm/parseCertInfo.ts
@@ -4,32 +4,25 @@ import { TPM_ST, TPM_ALG } from './constants';
* Cut up a TPM attestation's certInfo into intelligible chunks
*/
export default function parseCertInfo(certInfo: Buffer): ParsedCertInfo {
- let certBuffer = certInfo;
+ let pointer = 0;
// Get a magic constant
- const magic = certBuffer.slice(0, 4).readUInt32BE(0);
- certBuffer = certBuffer.slice(4);
+ const magic = certInfo.slice(pointer, (pointer += 4)).readUInt32BE(0);
// Determine the algorithm used for attestation
- const typeBuffer = certBuffer.slice(0, 2);
- certBuffer = certBuffer.slice(2);
+ const typeBuffer = certInfo.slice(pointer, (pointer += 2));
const type = TPM_ST[typeBuffer.readUInt16BE(0)];
// The name of a parent entity, can be ignored
- const qualifiedSignerLength = certBuffer.slice(0, 2).readUInt16BE(0);
- certBuffer = certBuffer.slice(2);
- const qualifiedSigner = certBuffer.slice(0, qualifiedSignerLength);
- certBuffer = certBuffer.slice(qualifiedSignerLength);
+ const qualifiedSignerLength = certInfo.slice(pointer, (pointer += 2)).readUInt16BE(0);
+ const qualifiedSigner = certInfo.slice(pointer, (pointer += qualifiedSignerLength));
// Get the expected hash of `attsToBeSigned`
- const extraDataLength = certBuffer.slice(0, 2).readUInt16BE(0);
- certBuffer = certBuffer.slice(2);
- const extraData = certBuffer.slice(0, extraDataLength);
- certBuffer = certBuffer.slice(extraDataLength);
+ const extraDataLength = certInfo.slice(pointer, (pointer += 2)).readUInt16BE(0);
+ const extraData = certInfo.slice(pointer, (pointer += extraDataLength));
// Information about the TPM device's internal clock, can be ignored
- const clockInfoBuffer = certBuffer.slice(0, 17);
- certBuffer = certBuffer.slice(17);
+ const clockInfoBuffer = certInfo.slice(pointer, (pointer += 17));
const clockInfo = {
clock: clockInfoBuffer.slice(0, 8),
resetCount: clockInfoBuffer.slice(8, 12).readUInt32BE(0),
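Review bot: Every length consumed in this hunk (`qualifiedSignerLength` on L36, `extraDataLength` on L43) is read from the attacker-supplied `certInfo` and used without a bounds check, so a truncated or malformed attestation either makes `readUInt16BE(0)` throw an undescriptive Node `RangeError` on an empty slice, or silently yields a short `qualifiedSigner`/`extraData` while `pointer` runs past the end of the buffer. Since the comment on L38 says `extraData` is the expected hash of the attested data, a silently short value should be rejected up front rather than left for a later comparison to fail. I would wrap the advance in a small bounded `take()` helper next to `let pointer = 0` and route every read in the function through it, as sketched below. Separately, `magic` on L25 is read but not compared here against TPM_GENERATED_VALUE (0xff544347); if the caller does not already do that, it should be checked. parseCertInfo's body continues into the next hunk.

```typescript
export default function parseCertInfo(certInfo: Buffer): ParsedCertInfo {
  let pointer = 0;
  // Read `length` bytes at the cursor and advance it; refuse to run past the end of
  // the untrusted buffer instead of returning a silently short slice.
  const take = (length: number): Buffer => {
    if (length < 0 || pointer + length > certInfo.byteLength) {
      throw new Error(`certInfo truncated: need ${length} bytes at offset ${pointer}`);
    }
    return certInfo.slice(pointer, (pointer += length));
  };
  const magic = take(4).readUInt32BE(0);
  const typeBuffer = take(2);
  // … unchanged: TPM_ST lookup …
  const qualifiedSignerLength = take(2).readUInt16BE(0);
  const qualifiedSigner = take(qualifiedSignerLength);
  // … unchanged: remaining fields read through take() in the same way …
```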
@@ -38,20 +31,15 @@ export default function parseCertInfo(certInfo: Buffer): ParsedCertInfo {
};
// TPM device firmware version
- const firmwareVersion = certBuffer.slice(0, 8);
- certBuffer = certBuffer.slice(8);
+ const firmwareVersion = certInfo.slice(pointer, (pointer += 8));
// Attested Name
- const attestedNameLength = certBuffer.slice(0, 2).readUInt16BE(0);
- certBuffer = certBuffer.slice(2);
- const attestedName = certBuffer.slice(0, attestedNameLength);
- certBuffer = certBuffer.slice(attestedNameLength);
+ const attestedNameLength = certInfo.slice(pointer, (pointer += 2)).readUInt16BE(0);
+ const attestedName = certInfo.slice(pointer, (pointer += attestedNameLength));
// Attested qualified name, can be ignored
- const qualifiedNameLength = certBuffer.slice(0, 2).readUInt16BE(0);
- certBuffer = certBuffer.slice(2);
- const qualifiedName = certBuffer.slice(0, qualifiedNameLength);
- certBuffer = certBuffer.slice(qualifiedNameLength);
+ const qualifiedNameLength = certInfo.slice(pointer, (pointer += 2)).readUInt16BE(0);
+ const qualifiedName = certInfo.slice(pointer, (pointer += qualifiedNameLength));
const attested = {
nameAlg: TPM_ALG[attestedName.slice(0, 2).readUInt16BE(0)],
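Review bot: `attestedName.slice(0, 2).readUInt16BE(0)` on L73 assumes `attestedName` holds at least two bytes, but `attestedNameLength` on L63 comes straight from the untrusted buffer, so a zero- or one-byte name throws a bare Node `RangeError` rather than a parse error the caller can report. A guard right after L64, `if (attestedNameLength < 2) throw new Error('attestedName too short to hold a nameAlg');`, makes the rejection explicit. Likewise `TPM_ALG[...]` yields `undefined` for an unknown algorithm id; presumably that surfaces when the name is later checked against the pubArea hash, but it is worth confirming rather than relying on it. The `attested` object literal continues past the end of this hunk.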
diff --git a/packages/server/src/attestation/verifications/tpm/parsePubArea.ts b/packages/server/src/attestation/verifications/tpm/parsePubArea.ts
index a9ee374..5f0d63b 100644
--- a/packages/server/src/attestation/verifications/tpm/parsePubArea.ts
+++ b/packages/server/src/attestation/verifications/tpm/parsePubArea.ts
@@ -4,19 +4,16 @@ import { TPM_ALG, TPM_ECC_CURVE } from './constants';
* Break apart a TPM attestation's pubArea buffer
*/
export default function parsePubArea(pubArea: Buffer): ParsedPubArea {
- let pubBuffer: Buffer = pubArea;
+ let pointer = 0;
- const typeBuffer = pubBuffer.slice(0, 2);
- pubBuffer = pubBuffer.slice(2);
+ const typeBuffer = pubArea.slice(pointer, (pointer += 2));
const type = TPM_ALG[typeBuffer.readUInt16BE(0)];
- const nameAlgBuffer = pubBuffer.slice(0, 2);
- pubBuffer = pubBuffer.slice(2);
+ const nameAlgBuffer = pubArea.slice(pointer, (pointer += 2));
const nameAlg = TPM_ALG[nameAlgBuffer.readUInt16BE(0)];
// Get some authenticator attributes(?)
- const objectAttributesInt = pubBuffer.slice(0, 4).readUInt32BE(0);
- pubBuffer = pubBuffer.slice(4);
+ const objectAttributesInt = pubArea.slice(pointer, (pointer += 4)).readUInt32BE(0);
const objectAttributes = {
fixedTPM: !!(objectAttributesInt & 1),
stClear: !!(objectAttributesInt & 2),
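Review bot: The reads on L86, L90 and L95 index `pubArea` through `pointer` with no check that the bytes exist, and the variable-length fields later in the function (`authPolicy`, `unique`) take their lengths from the same untrusted buffer, so a short or malformed pubArea fails with a Node `RangeError` on an empty slice, or with a silently truncated `unique`, instead of a descriptive parse error. A bounded helper beside `let pointer = 0` keeps every advance honest and the error message useful; sketch below. parsePubArea's body continues into the following hunks.

```typescript
export default function parsePubArea(pubArea: Buffer): ParsedPubArea {
  let pointer = 0;
  // Read `length` bytes at the cursor and advance it, rejecting reads past the end of
  // the untrusted buffer rather than returning a short slice.
  const take = (length: number): Buffer => {
    if (length < 0 || pointer + length > pubArea.byteLength) {
      throw new Error(`pubArea truncated: need ${length} bytes at offset ${pointer}`);
    }
    return pubArea.slice(pointer, (pointer += length));
  };
  const typeBuffer = take(2);
  const type = TPM_ALG[typeBuffer.readUInt16BE(0)];
  const nameAlgBuffer = take(2);
  // … unchanged: nameAlg lookup, objectAttributes bit decoding, remaining reads via take() …
```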
@@ -32,16 +29,13 @@ export default function parsePubArea(pubArea: Buffer): ParsedPubArea {
};
// Slice out the authPolicy of dynamic length
- const authPolicyLength = pubBuffer.slice(0, 2).readUInt16BE(0);
- pubBuffer = pubBuffer.slice(2);
- const authPolicy = pubBuffer.slice(0, authPolicyLength);
- pubBuffer = pubBuffer.slice(authPolicyLength);
+ const authPolicyLength = pubArea.slice(pointer, (pointer += 2)).readUInt16BE(0);
+ const authPolicy = pubArea.slice(pointer, (pointer += authPolicyLength));
// Extract additional curve params according to type
const parameters: { rsa?: RSAParameters; ecc?: ECCParameters } = {};
if (type === 'TPM_ALG_RSA') {
- const rsaBuffer = pubBuffer.slice(0, 10);
- pubBuffer = pubBuffer.slice(10);
+ const rsaBuffer = pubArea.slice(pointer, (pointer += 10));
parameters.rsa = {
symmetric: TPM_ALG[rsaBuffer.slice(0, 2).readUInt16BE(0)],
@@ -50,8 +44,7 @@ export default function parsePubArea(pubArea: Buffer): ParsedPubArea {
exponent: rsaBuffer.slice(6, 10).readUInt32BE(0),
};
} else if (type === 'TPM_ALG_ECC') {
- const eccBuffer = pubBuffer.slice(0, 8);
- pubBuffer = pubBuffer.slice(8);
+ const eccBuffer = pubArea.slice(pointer, (pointer += 8));
parameters.ecc = {
symmetric: TPM_ALG[eccBuffer.slice(0, 2).readUInt16BE(0)],
@@ -64,10 +57,8 @@ export default function parsePubArea(pubArea: Buffer): ParsedPubArea {
}
// Slice out unique of dynamic length
- const uniqueLength = pubBuffer.slice(0, 2).readUInt16BE(0);
- pubBuffer = pubBuffer.slice(2);
- const unique = pubBuffer.slice(0, uniqueLength);
- pubBuffer = pubBuffer.slice(uniqueLength);
+ const uniqueLength = pubArea.slice(pointer, (pointer += 2)).readUInt16BE(0);
+ const unique = pubArea.slice(pointer, (pointer += uniqueLength));
return {
type,
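Review bot: The `if`/`else if` on `type` that closes at L126 has no final `else`, so a pubArea whose type is neither `TPM_ALG_RSA` nor `TPM_ALG_ECC` (including an id missing from `TPM_ALG`, which leaves `type` undefined) skips the parameters block and then reads `uniqueLength` on L132 from an offset that assumed those bytes had been consumed, returning a misaligned `unique` with empty `parameters` instead of failing. Adding `} else { throw new Error('Unsupported TPM pubArea key type'); }` at L126 turns that into an explicit rejection before any further parsing. The `return` statement begun on L134 continues beyond this hunk.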
diff --git a/packages/server/src/helpers/parseAuthenticatorData.ts b/packages/server/src/helpers/parseAuthenticatorData.ts
index cce6756..9b13195 100644
--- a/packages/server/src/helpers/parseAuthenticatorData.ts
+++ b/packages/server/src/helpers/parseAuthenticatorData.ts
@@ -11,14 +11,11 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
);
}
- let intBuffer = authData;
+ let pointer = 0;
- const rpIdHash = intBuffer.slice(0, 32);
- intBuffer = intBuffer.slice(32);
-
- const flagsBuf = intBuffer.slice(0, 1);
- intBuffer = intBuffer.slice(1);
+ const rpIdHash = authData.slice(pointer, (pointer += 32));
+ const flagsBuf = authData.slice(pointer, (pointer += 1));
const flagsInt = flagsBuf[0];
const flags = {
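Review bot: `pointer` introduced on L144 is an absolute offset into `authData`, and every read in this hunk (L150, L151) depends on `authData` staying the original buffer, so I would state that invariant on L144, `let pointer = 0; // absolute offset into authData — never re-slice authData itself`. The reason it matters is visible further down the same function (L183 and L192, outside this hunk), where `authData` is reassigned to a slice while `pointer` keeps growing, so an assertion with `ed` set but `at` clear decodes extensions from offset 0, and the leftover-bytes check compares a shortened buffer against an absolute index. The fix there is to advance only the cursor, `pointer += firstEncoded.byteLength;`, and decode with `decodeCborFirst(authData.slice(pointer))` in both branches. The length check whose tail appears on L141–L142 begins before this hunk.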
@@ -29,9 +26,7 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
flagsInt,
};
- const counterBuf = intBuffer.slice(0, 4);
- intBuffer = intBuffer.slice(4);
-
+ const counterBuf = authData.slice(pointer, (pointer += 4));
const counter = counterBuf.readUInt32BE(0);
let aaguid: Buffer | undefined = undefined;
@@ -39,33 +34,29 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
let credentialPublicKey: Buffer | undefined = undefined;
if (flags.at) {
- aaguid = intBuffer.slice(0, 16);
- intBuffer = intBuffer.slice(16);
-
- const credIDLenBuf = intBuffer.slice(0, 2);
- intBuffer = intBuffer.slice(2);
+ aaguid = authData.slice(pointer, (pointer += 16));
+ const credIDLenBuf = authData.slice(pointer, (pointer += 2));
const credIDLen = credIDLenBuf.readUInt16BE(0);
- credentialID = intBuffer.slice(0, credIDLen);
- intBuffer = intBuffer.slice(credIDLen);
+ credentialID = authData.slice(pointer, (pointer += credIDLen));
// Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
- const firstDecoded = decodeCborFirst(intBuffer);
+ const firstDecoded = decodeCborFirst(authData.slice(pointer));
const firstEncoded = Buffer.from(cbor.encode(firstDecoded) as ArrayBuffer);
credentialPublicKey = firstEncoded;
- intBuffer = intBuffer.slice(firstEncoded.byteLength);
+ authData = authData.slice((pointer += firstEncoded.byteLength));
}
let extensionsDataBuffer: Buffer | undefined = undefined;
if (flags.ed) {
- const firstDecoded = decodeCborFirst(intBuffer);
+ const firstDecoded = decodeCborFirst(authData);
const firstEncoded = Buffer.from(cbor.encode(firstDecoded) as ArrayBuffer);
extensionsDataBuffer = firstEncoded;
- intBuffer = intBuffer.slice(firstEncoded.byteLength);
+ authData = authData.slice((pointer += firstEncoded.byteLength));
}
- if (intBuffer.byteLength > 0) {
+ if (authData.byteLength > pointer) {
throw new Error('Leftover bytes detected while parsing authenticator data');
}