Diffstat (limited to 'packages/server/src')
6 files changed, 28 insertions, 13 deletions
diff --git a/packages/server/src/helpers/convertCOSEtoPKCS.test.ts b/packages/server/src/helpers/convertCOSEtoPKCS.test.ts
index e914cc7..f25ac49 100644
--- a/packages/server/src/helpers/convertCOSEtoPKCS.test.ts
+++ b/packages/server/src/helpers/convertCOSEtoPKCS.test.ts
@@ -1,4 +1,4 @@
-import cbor from 'cbor';
+import * as decodeCbor from './decodeCbor';
 import convertCOSEtoPKCS, { COSEKEYS } from './convertCOSEtoPKCS';
@@ -7,7 +7,7 @@ test('should throw an error curve if, somehow, curve coordinate x is missing', (
 mockCOSEKey.set(COSEKEYS.y, 1);
- jest.spyOn(cbor, 'decodeFirstSync').mockReturnValue(mockCOSEKey);
+ jest.spyOn(decodeCbor, 'decodeCborFirst').mockReturnValue(mockCOSEKey);
 expect(() => {
 convertCOSEtoPKCS(Buffer.from('123', 'ascii'));
@@ -19,7 +19,7 @@ test('should throw an error curve if, somehow, curve coordinate y is missing', (
 mockCOSEKey.set(COSEKEYS.x, 1);
- jest.spyOn(cbor, 'decodeFirstSync').mockReturnValue(mockCOSEKey);
+ jest.spyOn(decodeCbor, 'decodeCborFirst').mockReturnValue(mockCOSEKey);
 expect(() => {
 convertCOSEtoPKCS(Buffer.from('123', 'ascii'));
diff --git a/packages/server/src/helpers/convertCOSEtoPKCS.ts b/packages/server/src/helpers/convertCOSEtoPKCS.ts
index 3119de5..2b51d1d 100644
--- a/packages/server/src/helpers/convertCOSEtoPKCS.ts
+++ b/packages/server/src/helpers/convertCOSEtoPKCS.ts
@@ -1,11 +1,12 @@
 import cbor from 'cbor';
 import type { SigningSchemeHash } from 'node-rsa';
+import { decodeCborFirst } from './decodeCbor';
 /**
 * Takes COSE-encoded public key and converts it to PKCS key
 */
 export default function convertCOSEtoPKCS(cosePublicKey: Buffer): Buffer {
- const struct: COSEPublicKey = cbor.decodeFirstSync(cosePublicKey);
+ const struct: COSEPublicKey = decodeCborFirst(cosePublicKey);
 const tag = Buffer.from([0x04]);
 const x = struct.get(COSEKEYS.x);
diff --git a/packages/server/src/helpers/decodeCbor.ts b/packages/server/src/helpers/decodeCbor.ts
new file mode 100644
index 0000000..aa489e8
--- /dev/null
+++ b/packages/server/src/helpers/decodeCbor.ts
@@ -0,0 +1,14 @@
+import cbor from 'cbor';
+
+export function decodeCborFirst(input: string | Buffer | ArrayBufferView): any {
+ try {
+ // throws if there are extra bytes
+ return cbor.decodeFirstSync(input);
+ } catch (err) {
+ // if the error was due to extra bytes, return the unpacked value
+ if (err.value) {
+ return err.value;
+ }
+ throw err;
+ }
+}
diff --git a/packages/server/src/helpers/decodeCredentialPublicKey.ts b/packages/server/src/helpers/decodeCredentialPublicKey.ts
index a856a72..a3fb45f 100644
--- a/packages/server/src/helpers/decodeCredentialPublicKey.ts
+++ b/packages/server/src/helpers/decodeCredentialPublicKey.ts
@@ -1,7 +1,6 @@
-import cbor from 'cbor';
-
 import { COSEPublicKey } from './convertCOSEtoPKCS';
+import { decodeCborFirst } from './decodeCbor';
 export default function decodeCredentialPublicKey(publicKey: Buffer): COSEPublicKey {
- return cbor.decodeFirstSync(publicKey);
+ return decodeCborFirst(publicKey);
 }
diff --git a/packages/server/src/helpers/isCertRevoked.ts b/packages/server/src/helpers/isCertRevoked.ts
index 4eeacbb..e3113b7 100644
--- a/packages/server/src/helpers/isCertRevoked.ts
+++ b/packages/server/src/helpers/isCertRevoked.ts
@@ -24,15 +24,15 @@ export default async function isCertRevoked(cert: X509): Promise<boolean> {
 const certSerialHex = cert.getSerialNumberHex();
 // Check to see if we've got cached info for the cert's CA
- let certAuthKeyID: { kid: string } | null = null;
+ let certAuthKeyID: { kid: { hex: string } } | null = null;
 try {
- certAuthKeyID = cert.getExtAuthorityKeyIdentifier();
+ certAuthKeyID = cert.getExtAuthorityKeyIdentifier() as { kid: { hex: string } } | null;
 } catch (err) {
 return false;
 }
 if (certAuthKeyID) {
- const cached = cacheRevokedCerts[certAuthKeyID.kid];
+ const cached = cacheRevokedCerts[certAuthKeyID.kid.hex];
 if (cached) {
 const now = new Date();
 // If there's a nextUpdate then make sure we're before it
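Review bot: In `decodeCborFirst` (decodeCbor.ts) the recovery branch `if (err.value)` is a truthiness test, so a first item that decodes to `0`, `false`, `null` or `''` and is followed by extra bytes is rethrown, while any thrown object that carries a truthy `value` is returned as if it were decoded data. A presence check such as `if (err instanceof Error && 'value' in err) { return (err as Error & { value: unknown }).value; }` separates the two cases, assuming the library attaches `value` only to its extra-bytes error, which is worth confirming against the cbor version in use. The helper also relaxes every caller at once: `convertCOSEtoPKCS` and `decodeCredentialPublicKey` now accept trailing bytes after the key, where presumably a single COSE item is expected. A doc comment on the function, e.g. `/** Decodes the first CBOR item in input and deliberately ignores any bytes after it. */`, would make that relaxation visible to callers that need strict decoding, and no test in this diff exercises the extra-bytes path.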
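Review bot: The cast `as { kid: { hex: string } } | null` on the `getExtAuthorityKeyIdentifier()` result in isCertRevoked.ts is not backed by a runtime check, and `certAuthKeyID.kid.hex` is read outside the `try`, so a result without `kid` throws out of `isCertRevoked`, and a `kid` without `hex` indexes `cacheRevokedCerts` under the key `undefined`, which would share one cached revocation list between unrelated CAs. Resolving the key once, e.g. `const akiHex = certAuthKeyID && certAuthKeyID.kid ? certAuthKeyID.kid.hex : undefined;` and then testing `if (akiHex) {`, keeps the cache keyed only by a real identifier; the same applies to the write `cacheRevokedCerts[certAuthKeyID.kid.hex] = newCached;` in the @@ -88 hunk. The context line `catch (err) { return false; }` reports the certificate as not revoked when the extension cannot be read, so a comment stating that this fail-open result is intended would help the next reader. The function body starts and ends outside both hunks.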
@@ -88,7 +88,7 @@ export default async function isCertRevoked(cert: X509): Promise<boolean> {
 // Cache the results
 if (certAuthKeyID) {
- cacheRevokedCerts[certAuthKeyID.kid] = newCached;
+ cacheRevokedCerts[certAuthKeyID.kid.hex] = newCached;
 }
 return newCached.revokedCerts.indexOf(certSerialHex) >= 0;
diff --git a/packages/server/src/helpers/parseAuthenticatorData.ts b/packages/server/src/helpers/parseAuthenticatorData.ts
index 6fea0bd..67f0e1a 100644
--- a/packages/server/src/helpers/parseAuthenticatorData.ts
+++ b/packages/server/src/helpers/parseAuthenticatorData.ts
@@ -1,4 +1,5 @@
 import cbor from 'cbor';
+import { decodeCborFirst } from './decodeCbor';
 /**
 * Make sense of the authData buffer contained in an Attestation
@@ -50,7 +51,7 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
 intBuffer = intBuffer.slice(credIDLen);
 // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
- const firstDecoded = cbor.decodeFirstSync(intBuffer);
+ const firstDecoded = decodeCborFirst(intBuffer);
 const firstEncoded = Buffer.from(cbor.encode(firstDecoded));
 credentialPublicKey = firstEncoded;
 intBuffer = intBuffer.slice(firstEncoded.byteLength);
@@ -58,7 +59,7 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
 let extensionsDataBuffer: Buffer | undefined = undefined;
 if (flags.ed) {
- const firstDecoded = cbor.decodeFirstSync(intBuffer);
+ const firstDecoded = decodeCborFirst(intBuffer);
 const firstEncoded = Buffer.from(cbor.encode(firstDecoded));
 extensionsDataBuffer = firstEncoded;
 intBuffer = intBuffer.slice(firstEncoded.byteLength); |
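Review bot: In parseAuthenticatorData.ts both call sites (the @@ -50 and @@ -58 hunks) still take the number of bytes consumed from `Buffer.from(cbor.encode(firstDecoded)).byteLength`, and now that `decodeCborFirst` accepts trailing data this offset is what positions everything parsed afterwards. It is only correct when the authenticator's encoding is byte-for-byte what `cbor.encode` produces; a different encoding of the same value would shift `intBuffer.slice(firstEncoded.byteLength)` and leave `credentialPublicKey` differing from the bytes actually received. Consider taking the consumed length from the decoder instead of a re-encode, or at least rejecting a mismatch before slicing, e.g. `if (!intBuffer.slice(0, firstEncoded.byteLength).equals(firstEncoded)) { throw new Error('Unexpected CBOR encoding in authenticator data'); }`. The function continues outside both hunks, so any later check for leftover bytes is not visible here.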