apottere · February 9, 2022 21:51
diff --git a/index.ts b/index.ts
 import cbor from 'cbor';
 import jsrsasign from 'jsrsasign';
 import { parseAuthenticatorData } from '@simplewebauthn/server/helpers';
 import { ParsedAuthenticatorData } from '@simplewebauthn/server/dist/helpers';


 // ...
 // const inputKeyId = get keyId from the app - this is a base64 of the sha256sum of the public key in uncompressed point format
 // const attestation = get attestation from the app
 const validateAttestation = async (inputKeyId: string, challenge: string, attestation: string): Promise<boolean> => {
    const keyId = Buffer.from(inputKeyId, 'base64').toString('hex');
    const attestationObject = (await cbor.decodeAll(Buffer.from(attestation, 'base64')))[0];
    const authData = parseAuthenticatorData(attestationObject.authData) as ParsedAuthenticatorData;

    const credCertBuffer: Buffer | undefined = attestationObject.attStmt.x5c[0];
    if (credCertBuffer === undefined) {
        console.error(`Invalid attestation credential cert: ${credCertBuffer}`);
        return false;
    }
    
    const credCert = new jsrsasign.X509();
    credCert.readCertHex(credCertBuffer.toString('hex'));
    
    const credCertPubKeyPoints = (credCert.getPublicKey() as jsrsasign.KJUR.crypto.ECDSA).getPublicKeyXYHex();
    const credCertPubKey = Buffer.concat([
        Buffer.from([0x04]),
        Buffer.from(credCertPubKeyPoints.x, 'hex'),
        Buffer.from(credCertPubKeyPoints.y, 'hex'),
    ]).toString('hex');
    const credCertPubKeyHash = sha256(credCertPubKey, 'hex').toString('hex');
    if (credCertPubKeyHash !== keyId) {
        console.error(`Invalid attestation credential cert public key hash: ${credCertPubKeyHash} !== ${keyId}`);
        return false;
    }
    
    // ...
    
    return true;
 }
	import cbor from 'cbor';
	import jsrsasign from 'jsrsasign';
	import { parseAuthenticatorData } from '@simplewebauthn/server/helpers';
	import { ParsedAuthenticatorData } from '@simplewebauthn/server/dist/helpers';


	// ...
	// const inputKeyId = get keyId from the app - this is a base64 of the sha256sum of the public key in uncompressed point format
	// const attestation = get attestation from the app
	const validateAttestation = async (inputKeyId: string, challenge: string, attestation: string): Promise<boolean> => {
	const keyId = Buffer.from(inputKeyId, 'base64').toString('hex');
	const attestationObject = (await cbor.decodeAll(Buffer.from(attestation, 'base64')))[0];
	const authData = parseAuthenticatorData(attestationObject.authData) as ParsedAuthenticatorData;

	const credCertBuffer: Buffer \| undefined = attestationObject.attStmt.x5c[0];
	if (credCertBuffer === undefined) {
	console.error(`Invalid attestation credential cert: ${credCertBuffer}`);
	return false;
	}

	const credCert = new jsrsasign.X509();
	credCert.readCertHex(credCertBuffer.toString('hex'));

	const credCertPubKeyPoints = (credCert.getPublicKey() as jsrsasign.KJUR.crypto.ECDSA).getPublicKeyXYHex();
	const credCertPubKey = Buffer.concat([
	Buffer.from([0x04]),
	Buffer.from(credCertPubKeyPoints.x, 'hex'),
	Buffer.from(credCertPubKeyPoints.y, 'hex'),
	]).toString('hex');
	const credCertPubKeyHash = sha256(credCertPubKey, 'hex').toString('hex');
	if (credCertPubKeyHash !== keyId) {
	console.error(`Invalid attestation credential cert public key hash: ${credCertPubKeyHash} !== ${keyId}`);
	return false;
	}

	// ...

	return true;
	}