UNPKG

@nevis-security/nevis-mobile-authentication-sdk-react

Version:

React Native plugin for Nevis Mobile Authentication SDK. Supports only mobile.

www.nevis.net

353 lines (326 loc) 14.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
/** * Copyright © 2025 Nevis Security AG. All rights reserved. */ import type { CertificateChainValidationResult } from './CertificateChainValidationResult'; import type { SecurityLevel } from './SecurityLevel'; enum FidoUafAttestationInformationType { OnlySurrogateBasicSupported, OnlyDefaultMode, StrictMode, StrictStrongBoxMode, } /** * The interface informing about whether the device supports {@link https://docs.nevis.net/configurationguide/mobile-auth-concept-and-integration-guide/use-cases-and-best-practices/uaf-surrogate-full-basic-comparison | Full Basic Attestations}. * * If full basic is required by the backend during registration, and this device does not support it, * registration will fail. This information can be used to preemptively inform the user that the device * is not supported. * * Note that it is guaranteed that the only type of instances that the {@link AndroidDeviceCapabilities.fidoUafAttestationInformationGetter} * returns are either {@link OnlySurrogateBasicSupported}, {@link OnlyDefaultMode}, {@link StrictMode} or {@link StrictStrongBoxMode}. * * @see * - {@link MobileAuthenticationClient.deviceCapabilities} * - {@link AndroidDeviceCapabilities.fidoUafAttestationInformationGetter} * - {@link FidoUafAttestationInformationGetter} */ export abstract class FidoUafAttestationInformation { /** * The {@link SecurityLevel} of the environment where the FIDO UAF keys are stored. * This provides information about the security of the environment where the keys are stored. */ abstract keymasterSecurityLevel: SecurityLevel; /** * The {@link https://source.android.com/docs/security/features/keystore/attestation#keydescription-fields | keymaster} version. */ abstract keymasterVersion: number; /** * Returns `true` if the {@link https://source.android.com/docs/security/features/keystore/attestation#rootoftrust-fields | device's bootloader} * is locked, and `false` otherwise. */ abstract isDeviceBootloaderLocked: boolean; /** * Returns `true` if the {@link https://source.android.com/docs/security/features/keystore/attestation#verifiedbootstate-values | boot * state} is `Verified`. Compromised devices (such as some root devices) do not have a valid * boot state. */ abstract isVerifiedBootStateValid: boolean; /** * The result of the certificate chain validation. * * In devices supporting full basic attestation ({@link OnlyDefaultMode}, {@link StrictMode} or * {@link StrictStrongBoxMode}), when a new key is created the device must generate an associated * certificate chain (or certification path) that fulfills the following criteria: * <ul> * <li>The root certificate is a known {@link https://developer.android.com/privacy-and-security/security-key-attestation#root_certificate | Google * root certificate}.</li> * <li>The certificate chain is valid: it does not contain a certificate in the CRL, no certificate * is expired, the certificates in the chain are signed with the previous one, etc.</li> * </ul> * So, when a device supports full basic, returns {@link CertificateChainValidationResult.Success}. */ abstract certificateChainValidationResult: CertificateChainValidationResult; /** * Alternate constructor that creates a {@link FidoUafAttestationInformation} from a json. * * @param json contains the source for instance creation. * @returns a {@link FidoUafAttestationInformation} instance. */ static fromJson(json: any): FidoUafAttestationInformation { const subtype = FidoUafAttestationInformationType[ json.type as keyof typeof FidoUafAttestationInformationType ]; switch (subtype) { case FidoUafAttestationInformationType.OnlySurrogateBasicSupported: return OnlySurrogateBasicSupported.fromJson(json.data); case FidoUafAttestationInformationType.OnlyDefaultMode: return OnlyDefaultMode.fromJson(json.data); case FidoUafAttestationInformationType.StrictMode: return StrictMode.fromJson(json.data); case FidoUafAttestationInformationType.StrictStrongBoxMode: return StrictStrongBoxMode.fromJson(json.data); default: throw new Error(`Unknown FIDO UAF attestation information (${json.type}).`); } } } /** * Only the surrogate basic attestation is supported. * * So, neither the `default`, the `strict` nor the `strict-strongbox` modes of full basic attestation * are supported (see the {@link https://docs.nevis.net/configurationguide/patterns-reference#basic-full-attestation | nevisFIDO documentation} * for details regarding the different modes). * * Supporting only surrogate basic attestation implies that the certificate chain of the device could * not be successfully validated (see {@link certificateChainValidationResult}). This occurs typically * in old devices, and devices that do not contain a Google root certificate (like some Huawei models). */ export abstract class OnlySurrogateBasicSupported extends FidoUafAttestationInformation { /** * The error that occurred while checking if the full basic attestation is supported. * * Its message provides information about why the device does not support full basic attestation. */ abstract cause?: string; /** * Alternate constructor that creates an {@link OnlySurrogateBasicSupported} from a json. * * @param json contains the source for instance creation. * @returns the created {@link OnlySurrogateBasicSupported} instance. */ static fromJson(json: any): OnlySurrogateBasicSupported { return OnlySurrogateBasicSupportedImpl.fromJson(json); } } export class OnlySurrogateBasicSupportedImpl extends OnlySurrogateBasicSupported { keymasterSecurityLevel: SecurityLevel; keymasterVersion: number; isDeviceBootloaderLocked: boolean; isVerifiedBootStateValid: boolean; certificateChainValidationResult: CertificateChainValidationResult; cause: string | undefined; constructor( keymasterSecurityLevel: SecurityLevel, keymasterVersion: number, isDeviceBootloaderLocked: boolean, isVerifiedBootStateValid: boolean, certificateChainValidationResult: CertificateChainValidationResult, cause: string | undefined ) { super(); this.keymasterSecurityLevel = keymasterSecurityLevel; this.keymasterVersion = keymasterVersion; this.isDeviceBootloaderLocked = isDeviceBootloaderLocked; this.isVerifiedBootStateValid = isVerifiedBootStateValid; this.certificateChainValidationResult = certificateChainValidationResult; this.cause = cause; } static fromJson(json: any): OnlySurrogateBasicSupportedImpl { return new OnlySurrogateBasicSupportedImpl( json.keymasterSecurityLevel, json.keymasterVersion, json.isDeviceBootloaderLocked, json.isVerifiedBootStateValid, json.certificateChainValidationResult, json.cause ); } } /** * The device supports the `default` full basic attestation mode as described in the {@link https://docs.nevis.net/configurationguide/patterns-reference#basic-full-attestation | nevisFIDO documentation}. * * It supports surrogate basic attestation, but it does not support neither the `strict` nor the * `strict-strongbox` modes. * * This means that the certificate chain was successfully validated, and thus {@link certificateChainValidationResult} * returns {@link CertificateChainValidationResult.Success}. The device contains hardware using a known * Google root certificate, but does not fulfill at least one of the other criteria required to be * compatible with {@link StrictMode} or {@link StrictStrongBoxMode}. */ export abstract class OnlyDefaultMode extends FidoUafAttestationInformation { /** * The error that occurred while checking if the strict mode of the full basic attestation is * supported. * * Its message provides information about why the device does not support the full basic attestation * strict mode. */ abstract cause?: string; /** * Alternate constructor that creates an {@link OnlyDefaultMode} from a json. * * @param json contains the source for instance creation. * @returns the created {@link OnlyDefaultMode} instance. */ static fromJson(json: any): OnlyDefaultMode { return OnlyDefaultModeImpl.fromJson(json); } } export class OnlyDefaultModeImpl extends OnlyDefaultMode { keymasterSecurityLevel: SecurityLevel; keymasterVersion: number; isDeviceBootloaderLocked: boolean; isVerifiedBootStateValid: boolean; certificateChainValidationResult: CertificateChainValidationResult; cause: string | undefined; constructor( keymasterSecurityLevel: SecurityLevel, keymasterVersion: number, isDeviceBootloaderLocked: boolean, isVerifiedBootStateValid: boolean, certificateChainValidationResult: CertificateChainValidationResult, cause: string | undefined ) { super(); this.keymasterSecurityLevel = keymasterSecurityLevel; this.keymasterVersion = keymasterVersion; this.isDeviceBootloaderLocked = isDeviceBootloaderLocked; this.isVerifiedBootStateValid = isVerifiedBootStateValid; this.certificateChainValidationResult = certificateChainValidationResult; this.cause = cause; } static fromJson(json: any): OnlyDefaultModeImpl { return new OnlyDefaultModeImpl( json.keymasterSecurityLevel, json.keymasterVersion, json.isDeviceBootloaderLocked, json.isVerifiedBootStateValid, json.certificateChainValidationResult, json.cause ); } } /** * The device supports the `default` and `strict` full basic attestation modes as described in the * {@link https://docs.nevis.net/configurationguide/component-installation-guides/nevisFido/fido-uaf-configuration#full-basic-attestation | nevisFIDO documentation}. * It also supports surrogate basic. * * However, since it does not have a StrongBox that the SDK can use to store the FIDO UAF credentials, * the `strict-strongbox` mode is not supported. * * If the device supports this mode, then: * - The FIDO UAF keys will be stored in a Trusted Execution Environment (TEE), and thus {@link keymasterSecurityLevel} * will be {@link SecurityLevel.TrustedEnvironment}. * - The certificate chain was successfully validated, and thus {@link certificateChainValidationResult} * returns {@link CertificateChainValidationResult.Success}. * - The value of {@link keymasterVersion} is 2 or higher. * - The verified boot state is valid ({@link isVerifiedBootStateValid} returns `true`). * - The device bootloader is locked ({@link isDeviceBootloaderLocked} returns `true`). */ export abstract class StrictMode extends FidoUafAttestationInformation { /** * Alternate constructor that creates a {@link StrictMode} from a json. * * @param json contains the source for instance creation. * @returns the created {@link StrictMode} instance. */ static fromJson(json: any): StrictMode { return StrictModeImpl.fromJson(json); } } export class StrictModeImpl extends StrictMode { keymasterSecurityLevel: SecurityLevel; keymasterVersion: number; isDeviceBootloaderLocked: boolean; isVerifiedBootStateValid: boolean; certificateChainValidationResult: CertificateChainValidationResult; constructor( keymasterSecurityLevel: SecurityLevel, keymasterVersion: number, isDeviceBootloaderLocked: boolean, isVerifiedBootStateValid: boolean, certificateChainValidationResult: CertificateChainValidationResult ) { super(); this.keymasterSecurityLevel = keymasterSecurityLevel; this.keymasterVersion = keymasterVersion; this.isDeviceBootloaderLocked = isDeviceBootloaderLocked; this.isVerifiedBootStateValid = isVerifiedBootStateValid; this.certificateChainValidationResult = certificateChainValidationResult; } static fromJson(json: any): StrictModeImpl { return new StrictModeImpl( json.keymasterSecurityLevel, json.keymasterVersion, json.isDeviceBootloaderLocked, json.isVerifiedBootStateValid, json.certificateChainValidationResult ); } } /** * The device supports the `default`, `strict` and `strict-strongbox` full basic attestation modes as * described in the {@link https://docs.nevis.net/configurationguide/component-installation-guides/nevisFido/fido-uaf-configuration#full-basic-attestation | nevisFIDO documentation}. * It also supports surrogate basic. * * If the device supports this mode, then: * - The FIDO UAF keys will be stored in the StrongBox, and thus {@link keymasterSecurityLevel} will * be {@link SecurityLevel.StrongBox}. * - The certificate chain was successfully validated, and thus {@link certificateChainValidationResult} * returns {@link CertificateChainValidationResult.Success}. * - The value of {@link keymasterVersion} is 2 or higher. * - The verified boot state is valid ({@link isVerifiedBootStateValid} returns `true`). * - The device bootloader is locked ({@link isDeviceBootloaderLocked} returns `true`). */ export abstract class StrictStrongBoxMode extends FidoUafAttestationInformation { /** * Alternate constructor that creates a {@link StrictStrongBoxMode} from a json. * * @param json contains the source for instance creation. * @returns the created {@link StrictStrongBoxMode} instance. */ static fromJson(json: any): StrictStrongBoxMode { return StrictStrongBoxModeImpl.fromJson(json); } } export class StrictStrongBoxModeImpl extends StrictStrongBoxMode { keymasterSecurityLevel: SecurityLevel; keymasterVersion: number; isDeviceBootloaderLocked: boolean; isVerifiedBootStateValid: boolean; certificateChainValidationResult: CertificateChainValidationResult; constructor( keymasterSecurityLevel: SecurityLevel, keymasterVersion: number, isDeviceBootloaderLocked: boolean, isVerifiedBootStateValid: boolean, certificateChainValidationResult: CertificateChainValidationResult ) { super(); this.keymasterSecurityLevel = keymasterSecurityLevel; this.keymasterVersion = keymasterVersion; this.isDeviceBootloaderLocked = isDeviceBootloaderLocked; this.isVerifiedBootStateValid = isVerifiedBootStateValid; this.certificateChainValidationResult = certificateChainValidationResult; } static fromJson(json: any): StrictStrongBoxModeImpl { return new StrictStrongBoxModeImpl( json.keymasterSecurityLevel, json.keymasterVersion, json.isDeviceBootloaderLocked, json.isVerifiedBootStateValid, json.certificateChainValidationResult ); } }