From a7c042e931b189d58be31b5ccb2bf8b10d71ad70 Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Sat, 4 Jul 2020 17:25:02 -0700
Subject: Error on full attestation if only self is valid
---
 packages/server/src/attestation/verifications/verifyPacked.ts | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'packages/server/src')
diff --git a/packages/server/src/attestation/verifications/verifyPacked.ts b/packages/server/src/attestation/verifications/verifyPacked.ts
index 53d5fa3..884badd 100644
--- a/packages/server/src/attestation/verifications/verifyPacked.ts
+++ b/packages/server/src/attestation/verifications/verifyPacked.ts
@@ -94,6 +94,13 @@ export default async function verifyAttestationPacked(options: Options): Promise
 // If available, validate attestation alg and x5c with info in the metadata statement
 const statement = await MetadataService.getStatement(aaguid);
 if (statement) {
+ // The presence of x5c means this is a full attestation. Check to see if attestationTypes
+ // includes packed attestations.
+ // See constants > FIDO_METADATA_ATTESTATION_TYPES for what this number means
+ if (statement.attestationTypes.indexOf(15879) < 0) {
+ throw new Error('Metadata does not indicate support for full attestations (Packed|Full)');
+ }
+
 try {
 verifyAttestationWithMetadata(statement, alg, x5c);
 } catch (err) {
-- 
cgit v1.2.3
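Review bot: The new guard `statement.attestationTypes.indexOf(15879) < 0` makes an accept/reject decision on a bare literal, so a reader cannot check it without leaving the file and a mistyped digit would go unnoticed. 15879 is 0x3E07, ATTESTATION_BASIC_FULL in the FIDO registry, so a local name such as `const ATTESTATION_BASIC_FULL = 0x3e07;` (or the matching entry from the constants module the comment points to, if it exposes one) would be safer. The comment says the list should include "packed attestations", but the value is an attestation type rather than a format; I would reword it to `// x5c present => full attestation; the metadata statement must list ATTESTATION_BASIC_FULL`. Packed attestations carrying x5c can also be AttCA under WebAuthn, so metadata listing only ATTESTATION_ATTCA (0x3E0A) would be rejected here, which is worth confirming as intended. The diffstat shows only this file changed, so the new rejection path appears to land without a test; the function body continues outside the hunk.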