UNPKG

@simplewebauthn/server

Version:

SimpleWebAuthn for Servers

github.com/MasterKale/SimpleWebAuthn/tree/master/packages/server

MasterKale/SimpleWebAuthn

63 lines (62 loc) 2.82 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.verifyMDSBlob = verifyMDSBlob; const parseJWT_js_1 = require("./parseJWT.js"); const verifyJWT_js_1 = require("./verifyJWT.js"); const validateCertificatePath_js_1 = require("../helpers/validateCertificatePath.js"); const convertCertBufferToPEM_js_1 = require("../helpers/convertCertBufferToPEM.js"); const convertPEMToBytes_js_1 = require("../helpers/convertPEMToBytes.js"); const settingsService_js_1 = require("../services/settingsService.js"); /** * Perform authenticity and integrity verification of a * [FIDO Metadata Service (MDS)](https://fidoalliance.org/metadata/)-compatible blob, and then * extract the FIDO2 metadata statements included within. This method will make network requests * for things like CRL checks. * * @param blob - A JWT downloaded from an MDS server (e.g. https://mds3.fidoalliance.org) */ async function verifyMDSBlob(blob) { // Parse the JWT const parsedJWT = (0, parseJWT_js_1.parseJWT)(blob); const header = parsedJWT[0]; const payload = parsedJWT[1]; const headerCertsPEM = header.x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM); try { // Validate the certificate chain const rootCerts = settingsService_js_1.SettingsService.getRootCertificates({ identifier: 'mds', }); await (0, validateCertificatePath_js_1.validateCertificatePath)(headerCertsPEM, rootCerts); } catch (error) { const _error = error; // From FIDO MDS docs: "ignore the file if the chain cannot be verified or if one of the // chain certificates is revoked" throw new Error('BLOB certificate path could not be validated', { cause: _error }); } // Verify the BLOB JWT signature const leafCert = headerCertsPEM[0]; const verified = await (0, verifyJWT_js_1.verifyJWT)(blob, (0, convertPEMToBytes_js_1.convertPEMToBytes)(leafCert)); if (!verified) { // From FIDO MDS docs: "The FIDO Server SHOULD ignore the file if the signature is invalid." throw new Error('BLOB signature could not be verified'); } // Cache statements for FIDO2 devices const statements = []; for (const entry of payload.entries) { // Only cache entries with an `aaguid` if (entry.aaguid && entry.metadataStatement) { statements.push(entry.metadataStatement); } } // Convert the nextUpdate property into a Date so we can determine when to re-download const [year, month, day] = payload.nextUpdate.split('-'); const parsedNextUpdate = new Date(parseInt(year, 10), // Months need to be zero-indexed parseInt(month, 10) - 1, parseInt(day, 10)); return { statements, parsedNextUpdate, payload, }; }