Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/attestation/verifications/tpm/verifyTPM.ts6
-rw-r--r--packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts7
-rw-r--r--packages/server/src/attestation/verifications/verifyPacked.ts4
3 files changed, 9 insertions, 8 deletions
diff --git a/packages/server/src/attestation/verifications/tpm/verifyTPM.ts b/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
index fd9ff9d..fc549ff 100644
--- a/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
+++ b/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
@@ -177,8 +177,7 @@ export default async function verifyTPM(options: Options): Promise<boolean> {
}
// Pick a leaf AIK certificate of the x5c array and parse it.
- const leafCertPEM = convertX509CertToPEM(x5c[0]);
- const leafCertInfo = getCertificateInfo(leafCertPEM);
+ const leafCertInfo = getCertificateInfo(x5c[0]);
const { basicConstraintsCA, version, subject, notAfter, notBefore } = leafCertInfo;
if (basicConstraintsCA) {
@@ -186,7 +185,7 @@ export default async function verifyTPM(options: Options): Promise<boolean> {
}
// Check that certificate is of version 3 (value must be set to 2).
- if (version !== 3) {
+ if (version !== 2) {
throw new Error('Certificate version was not `3` (ASN.1 value of 2) (TPM)');
}
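Review bot: The literal `2` in `if (version !== 2)` is the zero-based ASN.1 encoding of X.509 v3, so the check is only correct while `getCertificateInfo` returns that raw integer rather than the human-readable version number. The same literal appears again in the `verifyAttestationPacked` hunk, in the check with the `(Packed|Full)` message. A shared named constant would keep the two checks and their error messages from drifting, e.g. `const X509_VERSION_3 = 2; // ASN.1 INTEGER value for v3` and `if (version !== X509_VERSION_3)`. If the helper's convention changes, every certificate is rejected (fail-closed), so a test feeding one v3 and one non-v3 leaf through each verifier would catch a regression early. The enclosing function starts and ends outside this hunk.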
@@ -275,6 +274,7 @@ export default async function verifyTPM(options: Options): Promise<boolean> {
// Verify signature over certInfo with the public key extracted from AIK certificate.
// In the wise words of Yuriy Ackermann: "Get Martini friend, you are done!"
+ const leafCertPEM = convertX509CertToPEM(x5c[0]);
return verifySignature(sig, certInfo, leafCertPEM, hashAlg);
}
diff --git a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
index 4ce7f36..6c0a5c8 100644
--- a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
+++ b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
@@ -81,8 +81,8 @@ export default async function verifyAttestationAndroidSafetyNet(
/**
* START Verify Header
*/
- const leafCert = convertX509CertToPEM(HEADER.x5c[0]);
- const leafCertInfo = getCertificateInfo(leafCert);
+ const leafCertBuffer = base64url.toBuffer(HEADER.x5c[0]);
+ const leafCertInfo = getCertificateInfo(leafCertBuffer);
const { subject } = leafCertInfo;
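Review bot: `HEADER.x5c[0]` comes from the JWT header, which is attacker-controlled, and no check that `x5c` is a non-empty array is visible before `base64url.toBuffer(HEADER.x5c[0])`. Such a check may exist above this hunk, which begins mid-function. If it does not, a missing or empty `x5c` surfaces as a TypeError or a certificate-parser error rather than a clear attestation failure. A guard ahead of the decode would make the rejection explicit, e.g. `if (!Array.isArray(HEADER.x5c) || HEADER.x5c.length === 0) throw new Error('No certificates in x5c (SafetyNet)');` (the message wording is only a suggestion).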
@@ -121,7 +121,8 @@ export default async function verifyAttestationAndroidSafetyNet(
const signatureBaseBuffer = Buffer.from(`${jwtParts[0]}.${jwtParts[1]}`);
const signatureBuffer = base64url.toBuffer(SIGNATURE);
- const verified = verifySignature(signatureBuffer, signatureBaseBuffer, leafCert);
+ const leafCertPEM = convertX509CertToPEM(leafCertBuffer);
+ const verified = verifySignature(signatureBuffer, signatureBaseBuffer, leafCertPEM);
/**
* END Verify Signature
*/
diff --git a/packages/server/src/attestation/verifications/verifyPacked.ts b/packages/server/src/attestation/verifications/verifyPacked.ts
index f16aa50..3068bbb 100644
--- a/packages/server/src/attestation/verifications/verifyPacked.ts
+++ b/packages/server/src/attestation/verifications/verifyPacked.ts
@@ -50,7 +50,7 @@ export default async function verifyAttestationPacked(options: Options): Promise
if (x5c) {
const leafCert = convertX509CertToPEM(x5c[0]);
const { subject, basicConstraintsCA, version, notBefore, notAfter } = getCertificateInfo(
- leafCert,
+ x5c[0],
);
const { OU, CN, O, C } = subject;
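Review bot: `leafCert` now holds the PEM form while `getCertificateInfo` takes the raw `x5c[0]`, so the name no longer says which representation it is. The other two verifiers in this commit call it `leafCertPEM` and build it next to `verifySignature`. Renaming to `const leafCertPEM = convertX509CertToPEM(x5c[0]);` and moving it beside its use would keep the three files consistent; that use is outside this hunk and is presumably the signature verification. It would also make it obvious that the inspected certificate and the verification key come from the same `x5c[0]` bytes.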
@@ -75,7 +75,7 @@ export default async function verifyAttestationPacked(options: Options): Promise
throw new Error('Certificate basic constraints CA was not `false` (Packed|Full)');
}
- if (version !== 3) {
+ if (version !== 2) {
throw new Error('Certificate version was not `3` (ASN.1 value of 2) (Packed|Full)');
}