From 2e31764344df57ec2a9176a74279a459f82729b4 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Mon, 1 Jun 2020 16:14:34 -0700 Subject: Update types to reflect original response shape --- packages/typescript-types/src/index.ts | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) (limited to 'packages/typescript-types/src') diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index dcd88a9..235fcfb 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts @@ -49,6 +49,12 @@ export interface AttestationCredential extends PublicKeyCredential { response: AuthenticatorAttestationResponse; } +export interface AttestationCredentialJSON + extends Omit { + rawId: string; + response: AuthenticatorAttestationResponseJSON; +} + /** * The value returned from navigator.credentials.get() */ @@ -56,14 +62,19 @@ export interface AssertionCredential extends PublicKeyCredential { response: AuthenticatorAssertionResponse; } +export interface AssertionCredentialJSON extends Omit { + rawId: string; + response: AuthenticatorAssertionResponseJSON; +} + /** * A slightly-modified AuthenticatorAttestationResponse to simplify working with ArrayBuffers that * are base64-encoded in the browser so that they can be sent as JSON to the server. */ export interface AuthenticatorAttestationResponseJSON extends Omit { - base64ClientDataJSON: string; - base64AttestationObject: string; + clientDataJSON: string; + attestationObject: string; } /** 
@@ -73,13 +84,12 @@ export interface AuthenticatorAttestationResponseJSON export interface AuthenticatorAssertionResponseJSON extends Omit< AuthenticatorAssertionResponse, - 'clientDataJSON' | 'authenticatorData' | 'signature' | 'userHandle' + 'authenticatorData' | 'clientDataJSON' | 'signature' | 'userHandle' > { - base64CredentialID: string; - base64AuthenticatorData: string; - base64ClientDataJSON: string; - base64Signature: string; - base64UserHandle?: string; + authenticatorData: string; + clientDataJSON: string; + signature: string; + userHandle?: string; } export enum ATTESTATION_FORMATS { -- cgit v1.2.3 From 16e2e87226a7274dda30a850c72363783036c79e Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Mon, 1 Jun 2020 16:27:11 -0700 Subject: Try to communicate the expected string encoding --- packages/typescript-types/src/index.ts | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'packages/typescript-types/src') diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index 235fcfb..a54a493 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts @@ -12,7 +12,7 @@ PublicKeyCredentialCreationOptions, 'challenge' | 'user' | 'excludeCredentials' > { // Will be converted to a Uint8Array in the browser user: PublicKeyCredentialUserEntityJSON; - challenge: string; + challenge: Base64String; excludeCredentials: PublicKeyCredentialDescriptorJSON[]; } @@ -24,7 +24,7 @@ export interface PublicKeyCredentialRequestOptionsJSON extends Omit< PublicKeyCredentialRequestOptions, 'challenge' |'allowCredentials' > { // Will be converted to a Uint8Array in the browser - challenge: string; + challenge: Base64String; allowCredentials: PublicKeyCredentialDescriptorJSON[]; } 
@@ -32,14 +32,14 @@ export interface PublicKeyCredentialDescriptorJSON extends Omit< PublicKeyCredentialDescriptor, 'id' > { // Should be a Base64-encoded credential ID. Will be converted to a Uint8Array in the browser - id: string; + id: Base64String; } export interface PublicKeyCredentialUserEntityJSON extends Omit < PublicKeyCredentialUserEntity, 'id' > { // Should be a Base64-encoded credential ID. Will be converted to a Uint8Array in the browser - id: string; + id: Base64String; } /** @@ -51,7 +51,7 @@ export interface AttestationCredential extends PublicKeyCredential { export interface AttestationCredentialJSON extends Omit { - rawId: string; + rawId: Base64String; response: AuthenticatorAttestationResponseJSON; } @@ -63,7 +63,7 @@ export interface AssertionCredential extends PublicKeyCredential { } export interface AssertionCredentialJSON extends Omit { - rawId: string; + rawId: Base64String; response: AuthenticatorAssertionResponseJSON; } @@ -73,8 +73,8 @@ export interface AssertionCredentialJSON extends Omit { - clientDataJSON: string; - attestationObject: string; + clientDataJSON: Base64String; + attestationObject: Base64String; } /** @@ -86,10 +86,10 @@ export interface AuthenticatorAssertionResponseJSON AuthenticatorAssertionResponse, 'authenticatorData' | 'clientDataJSON' | 'signature' | 'userHandle' > { - authenticatorData: string; - clientDataJSON: string; - signature: string; - userHandle?: string; + authenticatorData: Base64String; + clientDataJSON: Base64String; + signature: Base64String; + userHandle?: Base64String; } export enum ATTESTATION_FORMATS { @@ -219,3 +219,8 @@ export type AuthenticatorDevice = { // Number of times this device is expected to have been used counter: number; }; + +/** + * An attempt to communicate that this isn't just any string, but a base64-encoded string + */ +export type Base64String = string; -- cgit v1.2.3 From 16b9d3339312bcccb0f31122b697feceea7a1a18 Mon Sep 17 00:00:00 2001 
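Review bot: The comment on `PublicKeyCredentialUserEntityJSON.id` in hunk @@ -32,14 +32,14 describes the field as a "Base64-encoded credential ID", but this is the user entity's id (the user handle), so the line was evidently copy-pasted from `PublicKeyCredentialDescriptorJSON` just above it; suggest `// Should be a Base64-encoded user ID (user handle). Will be converted to a Uint8Array in the browser`. The same stale line is carried unchanged into hunk @@ -30,14 +30,14 of the later "Rename Base64String to Base64URLString" commit, where both comments additionally still say "Base64-encoded" although the field type has become `Base64URLString`, so both should say base64url there. A reader trusting the comment could persist the user handle under the wrong key or re-encode it with the wrong alphabet, and base64 and base64url renderings of the same bytes are different strings.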
From: Matthew Miller Date: Mon, 1 Jun 2020 16:27:36 -0700 Subject: Move some type comments around --- packages/typescript-types/src/index.ts | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'packages/typescript-types/src') diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index a54a493..886d8f1 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts @@ -49,6 +49,10 @@ export interface AttestationCredential extends PublicKeyCredential { response: AuthenticatorAttestationResponse; } +/** + * A slightly-modified AttestationCredential to simplify working with ArrayBuffers that + * are base64-encoded in the browser so that they can be sent as JSON to the server. + */ export interface AttestationCredentialJSON extends Omit { rawId: Base64String; @@ -62,25 +66,21 @@ export interface AssertionCredential extends PublicKeyCredential { response: AuthenticatorAssertionResponse; } +/** + * A slightly-modified AssertionCredential to simplify working with ArrayBuffers that + * are base64-encoded in the browser so that they can be sent as JSON to the server. + */ export interface AssertionCredentialJSON extends Omit { rawId: Base64String; response: AuthenticatorAssertionResponseJSON; } -/** - * A slightly-modified AuthenticatorAttestationResponse to simplify working with ArrayBuffers that - * are base64-encoded in the browser so that they can be sent as JSON to the server. - */ export interface AuthenticatorAttestationResponseJSON extends Omit { clientDataJSON: Base64String; attestationObject: Base64String; } -/** - * A slightly-modified AuthenticatorAttestationResponse to simplify working with ArrayBuffers that - * are base64-encoded in the browser so that they can be sent as JSON to the server. - */ export interface AuthenticatorAssertionResponseJSON extends Omit< AuthenticatorAssertionResponse, -- cgit v1.2.3 
From 9776fc1d95558c598895f247dd3780f4dfdde0f2 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Mon, 1 Jun 2020 16:27:54 -0700 Subject: Stop exporting two now-internal types --- packages/typescript-types/src/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'packages/typescript-types/src') diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index 886d8f1..a1d93e0 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts @@ -75,13 +75,13 @@ export interface AssertionCredentialJSON extends Omit { clientDataJSON: Base64String; attestationObject: Base64String; } -export interface AuthenticatorAssertionResponseJSON +interface AuthenticatorAssertionResponseJSON extends Omit< AuthenticatorAssertionResponse, 'authenticatorData' | 'clientDataJSON' | 'signature' | 'userHandle' -- cgit v1.2.3 From 344ba5cec132724bf558b0a0c3b8e78e74624c7a Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Mon, 1 Jun 2020 17:10:58 -0700 Subject: Move some enums and types out of types package --- .../src/assertion/verifyAssertionResponse.ts | 19 +++- .../verifications/verifyAndroidSafetyNet.ts | 27 +++-- .../src/attestation/verifications/verifyFIDOU2F.ts | 4 +- .../src/attestation/verifications/verifyNone.ts | 4 +- .../src/attestation/verifications/verifyPacked.ts | 14 +-- .../src/attestation/verifyAttestationResponse.ts | 32 +++++- .../server/src/helpers/convertCOSEtoPKCS.test.ts | 3 +- packages/server/src/helpers/convertCOSEtoPKCS.ts | 13 ++- .../server/src/helpers/decodeAttestationObject.ts | 18 +++- .../server/src/helpers/decodeClientDataJSON.ts | 8 +- packages/server/src/helpers/getCertificateInfo.ts | 7 +- .../server/src/helpers/parseAuthenticatorData.ts | 19 +++- packages/typescript-types/src/index.ts | 118 --------------------- 13 files changed, 138 insertions(+), 148 deletions(-) (limited to 'packages/typescript-types/src') 
diff --git a/packages/server/src/assertion/verifyAssertionResponse.ts b/packages/server/src/assertion/verifyAssertionResponse.ts index 97bd94b..c780b06 100644 --- a/packages/server/src/assertion/verifyAssertionResponse.ts +++ b/packages/server/src/assertion/verifyAssertionResponse.ts @@ -2,7 +2,6 @@ import base64url from 'base64url'; import { AssertionCredentialJSON, AuthenticatorDevice, - VerifiedAssertion, } from '@simplewebauthn/typescript-types'; import decodeClientDataJSON from '../helpers/decodeClientDataJSON'; @@ -86,3 +85,21 @@ export default function verifyAssertionResponse( return toReturn; } + +/** + * Result of assertion verification + * + * @param verified If the assertion response could be verified + * @param authenticatorInfo.base64CredentialID The ID of the authenticator used during assertion. + * Should be used to identify which DB authenticator entry needs its `counter` updated to the value + * below + * @param authenticatorInfo.counter The number of times the authenticator identified above reported + * it has been used. **Should be kept in a DB for later reference to help prevent replay attacks!** + */ +export type VerifiedAssertion = { + verified: boolean; + authenticatorInfo: { + counter: number; + base64CredentialID: string; + }; +}; diff --git a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts index 0f604d0..a5dc89a 100644 --- a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts +++ b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts 
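Review bot: The `authenticatorInfo.counter` doc in the new `VerifiedAssertion` type (hunk @@ -86,3 +85,21) tells readers the counter helps "prevent replay attacks", but replaying an assertion is what the per-request challenge prevents; the WebAuthn signature counter exists so the relying party can notice a counter that did not increase, which indicates a cloned authenticator. Suggest `**Should be kept in a DB and compared with the value from the next assertion; a counter that does not increase indicates a cloned authenticator.**` so the consumer knows which comparison to make rather than only that the value should be stored. The docs also do not say whether `authenticatorInfo` is meaningful when `verified` is false; `VerifiedAttestation` in the same series makes its `authenticatorInfo` optional while this one is required, so one sentence on that contract would help.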
@@ -1,11 +1,7 @@ import base64url from 'base64url'; -import { - AttestationObject, - VerifiedAttestation, - SafetyNetJWTHeader, - SafetyNetJWTPayload, - SafetyNetJWTSignature, -} from '@simplewebauthn/typescript-types'; + +import type { AttestationObject } from '../../helpers/decodeAttestationObject'; +import type { VerifiedAttestation } from '../verifyAttestationResponse'; import toHash from '../../helpers/toHash'; import verifySignature from '../../helpers/verifySignature'; @@ -151,3 +147,20 @@ const GlobalSignRootCAR2 = '7mpM0sYmsL4h4hO291xNBrBVNpGP-DTKqttVCL1OmLNIG-6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavSot-3i9DAgBkcRcA' + 'tjOj4LaR0VknFBbVPFd5uRHg5h6h-u_N5GJG79G-dwfCMNYxdAfvDbbnvRG15RjF-Cv6pgsH_76tuIMRQyV-dTZsXjAzlA' + 'cmgQWpzU_qlULRuJQ_7TBj0_VLZjmmx6BEP3ojY-x1J96relc8geMJgEtslQIxq_H5COEBkEveegeGTLg'; + +type SafetyNetJWTHeader = { + alg: 'string'; + x5c: string[]; +}; + +type SafetyNetJWTPayload = { + nonce: string; + timestampMs: number; + apkPackageName: string; + apkDigestSha256: string; + ctsProfileMatch: boolean; + apkCertificateDigestSha256: string[]; + basicIntegrity: boolean; +}; + +type SafetyNetJWTSignature = string; diff --git a/packages/server/src/attestation/verifications/verifyFIDOU2F.ts b/packages/server/src/attestation/verifications/verifyFIDOU2F.ts index e518dc8..5842a3c 100644 --- a/packages/server/src/attestation/verifications/verifyFIDOU2F.ts +++ b/packages/server/src/attestation/verifications/verifyFIDOU2F.ts @@ -1,5 +1,7 @@ import base64url from 'base64url'; -import { AttestationObject, VerifiedAttestation } from '@simplewebauthn/typescript-types'; + +import type { AttestationObject } from '../../helpers/decodeAttestationObject'; +import type { VerifiedAttestation } from '../verifyAttestationResponse'; import toHash from '../../helpers/toHash'; import convertCOSEtoPKCS from '../../helpers/convertCOSEtoPKCS'; 
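Review bot: `SafetyNetJWTHeader.alg` in hunk @@ -151,3 +147,20 is typed as the string literal `'string'`, not `string`, so the only value assignable to it is the literal text "string"; this is almost certainly a typo (the type was moved verbatim from the types package, so it predates this commit) and should read `alg: string;`. As written, assigning a parsed header to this type forces a cast, which hides the real type from the checker. Since the JWT header is supplied by the party being verified, the verifier should compare `alg` against the algorithm it expects rather than let the header choose the check; whether verifyAndroidSafetyNet already does so is outside this hunk.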
diff --git a/packages/server/src/attestation/verifications/verifyNone.ts b/packages/server/src/attestation/verifications/verifyNone.ts index 423f4fd..66fd7da 100644 --- a/packages/server/src/attestation/verifications/verifyNone.ts +++ b/packages/server/src/attestation/verifications/verifyNone.ts @@ -1,5 +1,7 @@ import base64url from 'base64url'; -import { AttestationObject, VerifiedAttestation } from '@simplewebauthn/typescript-types'; + +import type { AttestationObject } from '../../helpers/decodeAttestationObject'; +import type { VerifiedAttestation } from '../verifyAttestationResponse'; import convertCOSEtoPKCS from '../../helpers/convertCOSEtoPKCS'; import parseAuthenticatorData from '../../helpers/parseAuthenticatorData'; diff --git a/packages/server/src/attestation/verifications/verifyPacked.ts b/packages/server/src/attestation/verifications/verifyPacked.ts index f7b9932..16acdfd 100644 --- a/packages/server/src/attestation/verifications/verifyPacked.ts +++ b/packages/server/src/attestation/verifications/verifyPacked.ts @@ -2,14 +2,14 @@ import base64url from 'base64url'; import cbor from 'cbor'; import elliptic from 'elliptic'; import NodeRSA, { SigningSchemeHash } from 'node-rsa'; -import { - AttestationObject, - VerifiedAttestation, - COSEKEYS, - COSEPublicKey as COSEPublicKeyType, -} from '@simplewebauthn/typescript-types'; -import convertCOSEtoPKCS from '../../helpers/convertCOSEtoPKCS'; +import type { AttestationObject } from '../../helpers/decodeAttestationObject'; +import type { VerifiedAttestation } from '../verifyAttestationResponse'; + +import convertCOSEtoPKCS, { + COSEKEYS, + COSEPublicKey as COSEPublicKeyType +} from '../../helpers/convertCOSEtoPKCS'; import toHash from '../../helpers/toHash'; import convertASN1toPEM from '../../helpers/convertASN1toPEM'; import getCertificateInfo from '../../helpers/getCertificateInfo'; 
diff --git a/packages/server/src/attestation/verifyAttestationResponse.ts b/packages/server/src/attestation/verifyAttestationResponse.ts index 1d43304..2f81fdc 100644 --- a/packages/server/src/attestation/verifyAttestationResponse.ts +++ b/packages/server/src/attestation/verifyAttestationResponse.ts @@ -1,11 +1,10 @@ -import decodeAttestationObject from '../helpers/decodeAttestationObject'; -import decodeClientDataJSON from '../helpers/decodeClientDataJSON'; import { - ATTESTATION_FORMATS, AttestationCredentialJSON, - VerifiedAttestation, } from '@simplewebauthn/typescript-types'; +import decodeAttestationObject, { ATTESTATION_FORMATS } from '../helpers/decodeAttestationObject'; +import decodeClientDataJSON from '../helpers/decodeClientDataJSON'; + import verifyFIDOU2F from './verifications/verifyFIDOU2F'; import verifyPacked from './verifications/verifyPacked'; import verifyNone from './verifications/verifyNone'; 
@@ -69,3 +68,28 @@ export default function verifyAttestationResponse( throw new Error(`Unsupported Attestation Format: ${fmt}`); } + +/** + * Result of attestation verification + * + * @param verified If the assertion response could be verified + * @param userVerified Whether the user was uniquely identified during attestation + * @param authenticatorInfo.fmt Type of attestation + * @param authenticatorInfo.counter The number of times the authenticator reported it has been used. + * Should be kept in a DB for later reference to help prevent replay attacks + * @param authenticatorInfo.base64PublicKey Base64-encoded ArrayBuffer containing the + * authenticator's public key. **Should be kept in a DB for later reference!** + * @param authenticatorInfo.base64CredentialID Base64-encoded ArrayBuffer containing the + * authenticator's credential ID for the public key above. **Should be kept in a DB for later + * reference!** + */ +export type VerifiedAttestation = { + verified: boolean; + userVerified: boolean; + authenticatorInfo?: { + fmt: ATTESTATION_FORMATS; + counter: number; + base64PublicKey: string; + base64CredentialID: string; + }; +}; diff --git a/packages/server/src/helpers/convertCOSEtoPKCS.test.ts b/packages/server/src/helpers/convertCOSEtoPKCS.test.ts index d17d4bd..e914cc7 100644 --- a/packages/server/src/helpers/convertCOSEtoPKCS.test.ts +++ b/packages/server/src/helpers/convertCOSEtoPKCS.test.ts @@ -1,7 +1,6 @@ import cbor from 'cbor'; -import { COSEKEYS } from '@simplewebauthn/typescript-types'; -import convertCOSEtoPKCS from './convertCOSEtoPKCS'; +import convertCOSEtoPKCS, { COSEKEYS } from './convertCOSEtoPKCS'; test('should throw an error curve if, somehow, curve coordinate x is missing', () => { const mockCOSEKey = new Map(); diff --git a/packages/server/src/helpers/convertCOSEtoPKCS.ts b/packages/server/src/helpers/convertCOSEtoPKCS.ts index 5b03b1a..3039415 100644 --- a/packages/server/src/helpers/convertCOSEtoPKCS.ts 
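Review bot: The TSDoc for the new `VerifiedAttestation` type (hunk @@ -69,3 +68,28) documents `verified` as "If the assertion response could be verified"; this is the attestation result, so the line was copied from `VerifiedAssertion` and should read `@param verified If the attestation response could be verified`. The `userVerified` line says the user was "uniquely identified", which reads as identification; if the flag mirrors the authenticator data UV bit it means the authenticator verified the user (PIN or biometric), so `@param userVerified Whether the authenticator reported that it verified the user (e.g. PIN or biometric) during attestation` is closer. A consumer deciding whether to accept a passwordless registration on the strength of this field needs that distinction.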
+++ b/packages/server/src/helpers/convertCOSEtoPKCS.ts @@ -1,5 +1,4 @@ import cbor from 'cbor'; -import { COSEKEYS, COSEPublicKey } from '@simplewebauthn/typescript-types'; /** * Takes COSE-encoded public key and converts it to PKCS key @@ -40,3 +39,15 @@ export default function convertCOSEtoPKCS(cosePublicKey: Buffer): Buffer { return Buffer.concat([tag, x as Buffer, y as Buffer]); } + +export type COSEPublicKey = Map; + +export enum COSEKEYS { + kty = 1, + alg = 3, + crv = -1, + x = -2, + y = -3, + n = -1, + e = -2, +} diff --git a/packages/server/src/helpers/decodeAttestationObject.ts b/packages/server/src/helpers/decodeAttestationObject.ts index 3e66e67..374dbf4 100644 --- a/packages/server/src/helpers/decodeAttestationObject.ts +++ b/packages/server/src/helpers/decodeAttestationObject.ts @@ -1,6 +1,5 @@ import base64url from 'base64url'; import cbor from 'cbor'; -import { AttestationObject } from '@simplewebauthn/typescript-types'; /** * Convert an AttestationObject from base64 string to a proper object @@ -14,3 +13,20 @@ export default function decodeAttestationObject( const toCBOR: AttestationObject = cbor.decodeAllSync(toBuffer)[0]; return toCBOR; } + +export enum ATTESTATION_FORMATS { + FIDO_U2F = 'fido-u2f', + PACKED = 'packed', + ANDROID_SAFETYNET = 'android-safetynet', + NONE = 'none', +} + +export type AttestationObject = { + fmt: ATTESTATION_FORMATS; + attStmt: { + sig?: Buffer; + x5c?: Buffer[]; + response?: Buffer; + }; + authData: Buffer; +}; diff --git a/packages/server/src/helpers/decodeClientDataJSON.ts b/packages/server/src/helpers/decodeClientDataJSON.ts index fb909cf..c0ebb2b 100644 --- a/packages/server/src/helpers/decodeClientDataJSON.ts +++ b/packages/server/src/helpers/decodeClientDataJSON.ts @@ -1,5 +1,3 @@ -import { ClientDataJSON } from '@simplewebauthn/typescript-types'; - import asciiToBinary from './asciiToBinary'; /** 
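Review bot: The `COSEKEYS` enum moved into convertCOSEtoPKCS.ts (hunk @@ -40,3 +39,15) maps two members to -1 (`crv`, `n`) and two to -2 (`x`, `e`); in a numeric enum the compiler cannot tell `COSEKEYS.crv` from `COSEKEYS.n`, and the reverse mapping `COSEKEYS[-1]` resolves to the last member written, `'n'`. The overlap is inherent to COSE (labels -1/-2 mean different things for EC2 and RSA keys), so it is worth stating next to the enum: `// COSE labels -1/-2 are crv/x for EC2 keys but n/e for RSA keys: read kty before interpreting them; the duplicate values also make reverse lookup (COSEKEYS[-1]) ambiguous.` Whether convertCOSEtoPKCS checks `kty` before reading these labels is outside the hunk.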
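Review bot: The annotation `const toCBOR: AttestationObject = cbor.decodeAllSync(toBuffer)[0];` in hunk @@ -14,3 +13,20 of decodeAttestationObject.ts is a compile-time claim, not a check: if `decodeAllSync` is typed as `any` (the bare assignment suggests it is), nothing verifies that `fmt` is one of `ATTESTATION_FORMATS` or that `attStmt` and `authData` are present, and co-locating the enum here may read as though it does. The visible guard is downstream, where verifyAttestationResponse throws "Unsupported Attestation Format" for unknown `fmt` values, but the `attStmt` fields remain unvalidated until each format verifier reads them. A comment on the annotation such as `// Type annotation only: the decoded CBOR is not validated here; fmt is checked by verifyAttestationResponse and attStmt by each format verifier` would keep callers from trusting the type. decodeAttestationObject's body begins outside the hunk.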
@@ -15,3 +13,9 @@ export default function decodeClientDataJSON(data: string): ClientDataJSON { return clientData; } + +type ClientDataJSON = { + type: string; + challenge: string; + origin: string; +}; diff --git a/packages/server/src/helpers/getCertificateInfo.ts b/packages/server/src/helpers/getCertificateInfo.ts index b6d8e26..3741fac 100644 --- a/packages/server/src/helpers/getCertificateInfo.ts +++ b/packages/server/src/helpers/getCertificateInfo.ts @@ -1,5 +1,10 @@ import jsrsasign from 'jsrsasign'; -import { CertificateInfo } from '@simplewebauthn/typescript-types'; + +export type CertificateInfo = { + subject: { [key: string]: string }; + version: number; + basicConstraintsCA: boolean; +}; type ExtInfo = { critical: boolean; diff --git a/packages/server/src/helpers/parseAuthenticatorData.ts b/packages/server/src/helpers/parseAuthenticatorData.ts index 62c1cb1..3177dd5 100644 --- a/packages/server/src/helpers/parseAuthenticatorData.ts +++ b/packages/server/src/helpers/parseAuthenticatorData.ts @@ -1,5 +1,3 @@ -import { ParsedAuthenticatorData } from '@simplewebauthn/typescript-types'; - /** * Make sense of the authData buffer contained in an Attestation */ @@ -57,3 +55,20 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti COSEPublicKey, }; } + +type ParsedAuthenticatorData = { + rpIdHash: Buffer; + flagsBuf: Buffer; + flags: { + up: boolean; + uv: boolean; + at: boolean; + ed: boolean; + flagsInt: number; + }; + counter: number; + counterBuf: Buffer; + aaguid?: Buffer; + credentialID?: Buffer; + COSEPublicKey?: Buffer; +}; diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index a1d93e0..40dd4dd 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts 
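Review bot: `ClientDataJSON` (hunk @@ -15,3 +13,9 of decodeClientDataJSON.ts) and `ParsedAuthenticatorData` (hunk @@ -57,3 +55,20 of parseAuthenticatorData.ts) are left module-private although they are the return types of the exported default functions, while `CertificateInfo`, `VerifiedAttestation` and `VerifiedAssertion` moved in the same commit are exported; a caller that wants to annotate the parsed client data can only write `ReturnType<typeof decodeClientDataJSON>`. Exporting the two (`export type ClientDataJSON = {` and `export type ParsedAuthenticatorData = {`) would make the commit consistent. `ClientDataJSON` also describes only the expected shape; the visible `return clientData;` shows no check that `type`, `challenge` and `origin` are present, so a comment noting that these are unvalidated fields from the client would help whoever compares `challenge` and `origin` later. The bodies of both functions start outside their hunks.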
@@ -92,124 +92,6 @@ interface AuthenticatorAssertionResponseJSON userHandle?: Base64String; } -export enum ATTESTATION_FORMATS { - FIDO_U2F = 'fido-u2f', - PACKED = 'packed', - ANDROID_SAFETYNET = 'android-safetynet', - NONE = 'none', -} - -export type AttestationObject = { - fmt: ATTESTATION_FORMATS; - attStmt: { - sig?: Buffer; - x5c?: Buffer[]; - response?: Buffer; - }; - authData: Buffer; -}; - -export type ParsedAuthenticatorData = { - rpIdHash: Buffer; - flagsBuf: Buffer; - flags: { - up: boolean; - uv: boolean; - at: boolean; - ed: boolean; - flagsInt: number; - }; - counter: number; - counterBuf: Buffer; - aaguid?: Buffer; - credentialID?: Buffer; - COSEPublicKey?: Buffer; -}; - -export type ClientDataJSON = { - type: string; - challenge: string; - origin: string; -}; - -/** - * Result of attestation verification - * - * @param verified If the assertion response could be verified - * @param userVerified Whether the user was uniquely identified during attestation - * @param authenticatorInfo.fmt Type of attestation - * @param authenticatorInfo.counter The number of times the authenticator reported it has been used. - * Should be kept in a DB for later reference to help prevent replay attacks - * @param authenticatorInfo.base64PublicKey Base64-encoded ArrayBuffer containing the - * authenticator's public key. **Should be kept in a DB for later reference!** - * @param authenticatorInfo.base64CredentialID Base64-encoded ArrayBuffer containing the - * authenticator's credential ID for the public key above. 
**Should be kept in a DB for later - * reference!** - */ -export type VerifiedAttestation = { - verified: boolean; - userVerified: boolean; - authenticatorInfo?: { - fmt: ATTESTATION_FORMATS; - counter: number; - base64PublicKey: string; - base64CredentialID: string; - }; -}; - -/** - * Result of assertion verification - * - * @param verified If the assertion response could be verified - * @param authenticatorInfo.base64CredentialID The ID of the authenticator used during assertion. - * Should be used to identify which DB authenticator entry needs its `counter` updated to the value - * below - * @param authenticatorInfo.counter The number of times the authenticator identified above reported - * it has been used. **Should be kept in a DB for later reference to help prevent replay attacks!** - */ -export type VerifiedAssertion = { - verified: boolean; - authenticatorInfo: { - counter: number; - base64CredentialID: string; - }; -}; - -export type CertificateInfo = { - subject: { [key: string]: string }; - version: number; - basicConstraintsCA: boolean; -}; - -export enum COSEKEYS { - kty = 1, - alg = 3, - crv = -1, - x = -2, - y = -3, - n = -1, - e = -2, -} - -export type COSEPublicKey = Map; - -export type SafetyNetJWTHeader = { - alg: 'string'; - x5c: string[]; -}; - -export type SafetyNetJWTPayload = { - nonce: string; - timestampMs: number; - apkPackageName: string; - apkDigestSha256: string; - ctsProfileMatch: boolean; - apkCertificateDigestSha256: string[]; - basicIntegrity: boolean; -}; - -export type SafetyNetJWTSignature = string; - /** * A WebAuthn-compatible device and the information needed to verify assertions by it */ -- cgit v1.2.3 From 063282c49fc31570565348a0f1123b3d18a1e4b2 Mon Sep 17 00:00:00 2001 
From: Matthew Miller Date: Mon, 1 Jun 2020 17:14:08 -0700 Subject: Update AuthenticatorDevice type def --- packages/server/src/assertion/verifyAssertionResponse.ts | 2 +- packages/typescript-types/src/index.ts | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'packages/typescript-types/src') diff --git a/packages/server/src/assertion/verifyAssertionResponse.ts b/packages/server/src/assertion/verifyAssertionResponse.ts index c780b06..f19c548 100644 --- a/packages/server/src/assertion/verifyAssertionResponse.ts +++ b/packages/server/src/assertion/verifyAssertionResponse.ts @@ -72,7 +72,7 @@ export default function verifyAssertionResponse( const clientDataHash = toHash(base64url.toBuffer(response.clientDataJSON)); const signatureBase = Buffer.concat([rpIdHash, flagsBuf, counterBuf, clientDataHash]); - const publicKey = convertASN1toPEM(base64url.toBuffer(authenticator.base64PublicKey)); + const publicKey = convertASN1toPEM(base64url.toBuffer(authenticator.publicKey)); const signature = base64url.toBuffer(response.signature); const toReturn = { diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index 40dd4dd..d4a398d 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts @@ -96,8 +96,8 @@ interface AuthenticatorAssertionResponseJSON * A WebAuthn-compatible device and the information needed to verify assertions by it */ export type AuthenticatorDevice = { - base64PublicKey: string; - base64CredentialID: string; + publicKey: Base64String; + credentialID: Base64String; // Number of times this device is expected to have been used counter: number; }; -- cgit v1.2.3 From 870e83e66c05dfdcc4bd571f922282693164cb30 Mon Sep 17 00:00:00 2001 
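Review bot: `AuthenticatorDevice` (hunk @@ -96,8 +96,8 of index.ts) now uses `publicKey` and `credentialID`, but `VerifiedAttestation.authenticatorInfo` and `VerifiedAssertion.authenticatorInfo` introduced two commits earlier keep `base64PublicKey` and `base64CredentialID`, so the object a consumer stores after attestation cannot be handed back as an `AuthenticatorDevice` without renaming fields; aligning the result types, or a note on `AuthenticatorDevice` saying how to build one from a `VerifiedAttestation`, would avoid that. In verifyAssertionResponse.ts (hunk @@ -72,7 +72,7) only the `publicKey` read is updated; if `authenticator.base64CredentialID` is read elsewhere in that function, which is outside the hunk, it needs the same rename. Renaming the fields of a type that consumers persist is also a breaking change for existing stored records.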
From: Matthew Miller Date: Tue, 2 Jun 2020 14:54:22 -0700 Subject: Exclude methods from credential JSON output --- packages/typescript-types/src/index.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'packages/typescript-types/src') diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index d4a398d..034363d 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts @@ -54,7 +54,7 @@ export interface AttestationCredential extends PublicKeyCredential { * are base64-encoded in the browser so that they can be sent as JSON to the server. */ export interface AttestationCredentialJSON - extends Omit { + extends Omit { rawId: Base64String; response: AuthenticatorAttestationResponseJSON; } @@ -70,7 +70,8 @@ export interface AssertionCredential extends PublicKeyCredential { * A slightly-modified AssertionCredential to simplify working with ArrayBuffers that * are base64-encoded in the browser so that they can be sent as JSON to the server. */ -export interface AssertionCredentialJSON extends Omit { +export interface AssertionCredentialJSON + extends Omit { rawId: Base64String; response: AuthenticatorAssertionResponseJSON; } -- cgit v1.2.3 From 555e69498f7c0a779a13393d534266070f1ba52f Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 2 Jun 2020 14:54:33 -0700 Subject: Remove some old comments --- packages/typescript-types/src/index.ts | 2 -- 1 file changed, 2 deletions(-) (limited to 'packages/typescript-types/src') diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index 034363d..c383330 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts 
@@ -10,7 +10,6 @@ export interface PublicKeyCredentialCreationOptionsJSON extends Omit< PublicKeyCredentialCreationOptions, 'challenge' | 'user' | 'excludeCredentials' > { - // Will be converted to a Uint8Array in the browser user: PublicKeyCredentialUserEntityJSON; challenge: Base64String; excludeCredentials: PublicKeyCredentialDescriptorJSON[]; @@ -23,7 +22,6 @@ PublicKeyCredentialCreationOptions, 'challenge' | 'user' | 'excludeCredentials' export interface PublicKeyCredentialRequestOptionsJSON extends Omit< PublicKeyCredentialRequestOptions, 'challenge' |'allowCredentials' > { - // Will be converted to a Uint8Array in the browser challenge: Base64String; allowCredentials: PublicKeyCredentialDescriptorJSON[]; } -- cgit v1.2.3 From 1bb9d9f802f37cff132794959ee0f6e32e7a6259 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 2 Jun 2020 15:07:18 -0700 Subject: Rename “Base64String” to “Base64URLString” MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/typescript-types/src/index.ts | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) (limited to 'packages/typescript-types/src') diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index c383330..0f84c6a 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts @@ -11,7 +11,7 @@ export interface PublicKeyCredentialCreationOptionsJSON extends Omit< PublicKeyCredentialCreationOptions, 'challenge' | 'user' | 'excludeCredentials' > { user: PublicKeyCredentialUserEntityJSON; - challenge: Base64String; + challenge: Base64URLString; excludeCredentials: PublicKeyCredentialDescriptorJSON[]; } 
@@ -22,7 +22,7 @@ PublicKeyCredentialCreationOptions, 'challenge' | 'user' | 'excludeCredentials' export interface PublicKeyCredentialRequestOptionsJSON extends Omit< PublicKeyCredentialRequestOptions, 'challenge' |'allowCredentials' > { - challenge: Base64String; + challenge: Base64URLString; allowCredentials: PublicKeyCredentialDescriptorJSON[]; } @@ -30,14 +30,14 @@ export interface PublicKeyCredentialDescriptorJSON extends Omit< PublicKeyCredentialDescriptor, 'id' > { // Should be a Base64-encoded credential ID. Will be converted to a Uint8Array in the browser - id: Base64String; + id: Base64URLString; } export interface PublicKeyCredentialUserEntityJSON extends Omit < PublicKeyCredentialUserEntity, 'id' > { // Should be a Base64-encoded credential ID. Will be converted to a Uint8Array in the browser - id: Base64String; + id: Base64URLString; } /** @@ -53,7 +53,7 @@ export interface AttestationCredential extends PublicKeyCredential { */ export interface AttestationCredentialJSON extends Omit { - rawId: Base64String; + rawId: Base64URLString; response: AuthenticatorAttestationResponseJSON; } @@ -70,14 +70,14 @@ export interface AssertionCredential extends PublicKeyCredential { */ export interface AssertionCredentialJSON extends Omit { - rawId: Base64String; + rawId: Base64URLString; response: AuthenticatorAssertionResponseJSON; } interface AuthenticatorAttestationResponseJSON extends Omit { - clientDataJSON: Base64String; - attestationObject: Base64String; + clientDataJSON: Base64URLString; + attestationObject: Base64URLString; } interface AuthenticatorAssertionResponseJSON 
@@ -85,23 +85,23 @@ interface AuthenticatorAssertionResponseJSON AuthenticatorAssertionResponse, 'authenticatorData' | 'clientDataJSON' | 'signature' | 'userHandle' > { - authenticatorData: Base64String; - clientDataJSON: Base64String; - signature: Base64String; - userHandle?: Base64String; + authenticatorData: Base64URLString; + clientDataJSON: Base64URLString; + signature: Base64URLString; + userHandle?: Base64URLString; } /** * A WebAuthn-compatible device and the information needed to verify assertions by it */ export type AuthenticatorDevice = { - publicKey: Base64String; - credentialID: Base64String; + publicKey: Base64URLString; + credentialID: Base64URLString; // Number of times this device is expected to have been used counter: number; }; /** - * An attempt to communicate that this isn't just any string, but a base64-encoded string + * An attempt to communicate that this isn't just any string, but a base64url-encoded string */ -export type Base64String = string; +export type Base64URLString = string; -- cgit v1.2.3 From e82c9e9f813897015c9054aa6d279e8ca4279f07 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 2 Jun 2020 15:14:31 -0700 Subject: Standardize on use of “base64url” where applicable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/browser/src/methods/startAttestation.test.ts | 2 +- packages/server/src/assertion/generateAssertionOptions.ts | 2 +- packages/server/src/assertion/verifyAssertionResponse.ts | 2 +- packages/server/src/attestation/generateAttestationOptions.ts | 2 +- packages/server/src/attestation/verifyAttestationResponse.ts | 6 +++--- packages/server/src/helpers/decodeAttestationObject.ts | 4 ++-- packages/typescript-types/src/index.ts | 6 ++---- 7 files changed, 11 insertions(+), 13 deletions(-) (limited to 'packages/typescript-types/src') 
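Review bot: `export type Base64URLString = string;` at the end of the hunk is a transparent alias, so every `Base64URLString` field in this hunk (`authenticatorData`, `signature`, `userHandle`, `publicKey`, `credentialID`) still accepts any string, including standard base64 with `+`, `/` or `=` padding, and the rename changes only what the reader sees. If the comment above it ("isn't just any string") is meant to be enforced, a branded alias does it at zero runtime cost: `export type Base64URLString = string & { readonly __brand: 'Base64URLString' };`, with whichever helper produces base64url output being the single place that asserts into the brand. That would turn a plain string stored elsewhere being passed as a `credentialID` into a compile error rather than a runtime decode problem. If the alias is deliberately kept structural, the doc comment could say so: `// Documentary only: structurally identical to string; the encoding is not enforced by the compiler.`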
diff --git a/packages/browser/src/methods/startAttestation.test.ts b/packages/browser/src/methods/startAttestation.test.ts index 926db40..bf6ab9b 100644 --- a/packages/browser/src/methods/startAttestation.test.ts +++ b/packages/browser/src/methods/startAttestation.test.ts @@ -77,7 +77,7 @@ test('should convert options before passing to navigator.credentials.create(...) done(); }); -test('should return base64-encoded response values', async done => { +test('should return base64url-encoded response values', async done => { mockSupportsWebauthn.mockReturnValue(true); mockNavigatorCreate.mockImplementation( diff --git a/packages/server/src/assertion/generateAssertionOptions.ts b/packages/server/src/assertion/generateAssertionOptions.ts index 9444a54..ca699c6 100644 --- a/packages/server/src/assertion/generateAssertionOptions.ts +++ b/packages/server/src/assertion/generateAssertionOptions.ts @@ -15,7 +15,7 @@ type Options = { * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login" * * @param challenge Random string the authenticator needs to sign and pass back - * @param allowedBase64CredentialIDs Array of base64-encoded authenticator IDs registered by the + * @param allowedBase64CredentialIDs Array of base64url-encoded authenticator IDs registered by the * user for assertion * @param timeout How long (in ms) the user can take to complete assertion * @param suggestedTransports Suggested types of authenticators for assertion diff --git a/packages/server/src/assertion/verifyAssertionResponse.ts b/packages/server/src/assertion/verifyAssertionResponse.ts index f19c548..7d13271 100644 --- a/packages/server/src/assertion/verifyAssertionResponse.ts +++ b/packages/server/src/assertion/verifyAssertionResponse.ts 
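Review bot: The doc for `allowedBase64CredentialIDs` now says base64url-encoded while the parameter name keeps the shorter `base64` prefix, so identifier and documentation disagree about the encoding on the same line; the same mismatch is in the generateAttestationOptions hunk (`excludedBase64CredentialIDs`), the verifyAttestationResponse hunk (`authenticatorInfo.base64PublicKey`, `authenticatorInfo.base64CredentialID`) and the decodeAttestationObject hunk, where the signature `base64AttestationObject: string,` is visible and still accepts any string. These are option-object keys and exported parameters, so renaming them would be a breaking change; a non-breaking way to carry the encoding is the type, e.g. `allowedBase64CredentialIDs: Base64URLString[]` and `base64AttestationObject: Base64URLString`, assuming the server package can import the alias from the types package. Failing that, a one-line note in each doc block, `Values named base64* are base64url (RFC 4648 §5), not standard base64.`, makes the expectation explicit where the name does not. The Options type and function bodies these parameters belong to lie outside the hunks.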
@@ -13,7 +13,7 @@ import parseAuthenticatorData from '../helpers/parseAuthenticatorData'; /** * Verify that the user has legitimately completed the login process * - * @param response Authenticator assertion response with base64-encoded values + * @param response Authenticator assertion response with base64url-encoded values * @param expectedChallenge The random value provided to generateAssertionOptions for the * authenticator to sign * @param expectedOrigin Expected URL of website assertion should have occurred on diff --git a/packages/server/src/attestation/generateAttestationOptions.ts b/packages/server/src/attestation/generateAttestationOptions.ts index 89ac86a..25008c0 100644 --- a/packages/server/src/attestation/generateAttestationOptions.ts +++ b/packages/server/src/attestation/generateAttestationOptions.ts @@ -30,7 +30,7 @@ type Options = { * @param userDisplayName User's actual name * @param timeout How long (in ms) the user can take to complete attestation * @param attestationType Specific attestation statement - * @param excludedBase64CredentialIDs Array of base64-encoded authenticator IDs registered by the + * @param excludedBase64CredentialIDs Array of base64url-encoded authenticator IDs registered by the * user so the user can't register the same credential multiple times * @param suggestedTransports Suggested types of authenticators for attestation * @param authenticatorSelection Advanced criteria for restricting the types of authenticators that diff --git a/packages/server/src/attestation/verifyAttestationResponse.ts b/packages/server/src/attestation/verifyAttestationResponse.ts index 2f81fdc..ed4ac5c 100644 --- a/packages/server/src/attestation/verifyAttestationResponse.ts +++ b/packages/server/src/attestation/verifyAttestationResponse.ts 
@@ -13,7 +13,7 @@ import verifyAndroidSafetynet from './verifications/verifyAndroidSafetyNet'; /** * Verify that the user has legitimately completed the registration process * - * @param response Authenticator attestation response with base64-encoded values + * @param response Authenticator attestation response with base64url-encoded values * @param expectedChallenge The random value provided to generateAttestationOptions for the * authenticator to sign * @param expectedOrigin Expected URL of website attestation should have occurred on @@ -77,9 +77,9 @@ export default function verifyAttestationResponse( * @param authenticatorInfo.fmt Type of attestation * @param authenticatorInfo.counter The number of times the authenticator reported it has been used. * Should be kept in a DB for later reference to help prevent replay attacks - * @param authenticatorInfo.base64PublicKey Base64-encoded ArrayBuffer containing the + * @param authenticatorInfo.base64PublicKey Base64URL-encoded ArrayBuffer containing the * authenticator's public key. **Should be kept in a DB for later reference!** - * @param authenticatorInfo.base64CredentialID Base64-encoded ArrayBuffer containing the + * @param authenticatorInfo.base64CredentialID Base64URL-encoded ArrayBuffer containing the * authenticator's credential ID for the public key above. **Should be kept in a DB for later * reference!** */ diff --git a/packages/server/src/helpers/decodeAttestationObject.ts b/packages/server/src/helpers/decodeAttestationObject.ts index 374dbf4..2eb9997 100644 --- a/packages/server/src/helpers/decodeAttestationObject.ts +++ b/packages/server/src/helpers/decodeAttestationObject.ts 
@@ -2,9 +2,9 @@ import base64url from 'base64url'; import cbor from 'cbor'; /** - * Convert an AttestationObject from base64 string to a proper object + * Convert an AttestationObject from base64url string to a proper object * - * @param base64AttestationObject Base64-encoded Attestation Object + * @param base64AttestationObject Base64URL-encoded Attestation Object */ export default function decodeAttestationObject( base64AttestationObject: string, diff --git a/packages/typescript-types/src/index.ts b/packages/typescript-types/src/index.ts index 0f84c6a..da063a5 100644 --- a/packages/typescript-types/src/index.ts +++ b/packages/typescript-types/src/index.ts @@ -29,14 +29,12 @@ PublicKeyCredentialRequestOptions, 'challenge' |'allowCredentials' export interface PublicKeyCredentialDescriptorJSON extends Omit< PublicKeyCredentialDescriptor, 'id' > { - // Should be a Base64-encoded credential ID. Will be converted to a Uint8Array in the browser id: Base64URLString; } export interface PublicKeyCredentialUserEntityJSON extends Omit < PublicKeyCredentialUserEntity, 'id' > { - // Should be a Base64-encoded credential ID. Will be converted to a Uint8Array in the browser id: Base64URLString; } @@ -49,7 +47,7 @@ export interface AttestationCredential extends PublicKeyCredential { /** * A slightly-modified AttestationCredential to simplify working with ArrayBuffers that - * are base64-encoded in the browser so that they can be sent as JSON to the server. + * are base64url-encoded in the browser so that they can be sent as JSON to the server. */ export interface AttestationCredentialJSON extends Omit { 
@@ -66,7 +64,7 @@ export interface AssertionCredential extends PublicKeyCredential { /** * A slightly-modified AssertionCredential to simplify working with ArrayBuffers that - * are base64-encoded in the browser so that they can be sent as JSON to the server. + * are base64url-encoded in the browser so that they can be sent as JSON to the server. */ export interface AssertionCredentialJSON extends Omit { -- cgit v1.2.3