Apache-2.0 verifier for W3C WebAuthn packed-attestation hardware-attestation credentials — offline chain verification against pinned FIDO vendor roots (Apple, Yubico, Microsoft). Plugs into @motebit/crypto's HardwareAttestationVerifiers dispatcher to validate browser-attested motebit identities.

Package Exports

  • @motebit/crypto-webauthn

Readme

@motebit/crypto-webauthn

Offline Apache-2.0 verifier for W3C WebAuthn packed-attestation hardware-attestation credentials.

npm i @motebit/crypto-webauthn

Plugs into @motebit/crypto's HardwareAttestationVerifiers dispatcher as the webauthn verifier — called when a credential declares platform: "webauthn" (any browser platform authenticator).

Usage

import { verify } from "@motebit/crypto";
import { webauthnVerifier } from "@motebit/crypto-webauthn";

const result = await verify(credential, {
  hardwareAttestation: { webauthn: webauthnVerifier({ expectedRpId: "motebit.com" }) },
});

What it verifies

  1. The CBOR attestation object the browser emits — { fmt, attStmt, authData }.
  2. Full attestation (fmt: "packed" with x5c): chain-verify the leaf against the pinned FIDO root set (Apple Anonymous Attestation, Yubico, Microsoft). Every non-leaf certificate must carry basicConstraints.cA === true, and the terminal certificate must be DER byte-equal to one of the pinned roots. Then attStmt.sig must verify over authData || clientDataHash using the leaf's public key and the algorithm named by attStmt.alg.
  3. Self attestation (fmt: "packed" without x5c): attStmt.sig verifies over authData || clientDataHash using the credential's own public key carried in authData. Scores as hardware-exported-equivalent — proves only that the credential's key signed the challenge, not that any specific vendor minted it.
  4. Identity binding. The transmitted clientDataHash must equal SHA-256(canonicalJson({ attested_at, device_id, identity_public_key, motebit_id, platform: "webauthn", version: "1" })) — the same body the web mint path composes. A malicious page that substitutes any other body fails here.
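As an added example (not code from @motebit/crypto-webauthn or @motebit/crypto), the following Node.js snippet shows the two cheap bindings a relying party checks before doing any certificate-chain work: parsing the fixed-layout prefix of authData and comparing its rpIdHash with SHA-256 of the expected RP ID (the expectedRpId option from the usage snippet), and recomputing the step-4 clientDataHash binding over the canonical identity body. The canonicalJson here is assumed to mean sorted-key JSON; the sample authData bytes, body values, and every function name below are constructed for this illustration.

```javascript
// Added example: authData parsing, rpIdHash binding and clientDataHash binding.
// Not the package's own code; canonicalJson is assumed to be sorted-key JSON.
import { createHash, timingSafeEqual } from "node:crypto";

const sha256 = (data) => createHash("sha256").update(data).digest();

// Deterministic JSON serialisation: object keys sorted recursively (assumption).
function canonicalJson(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalJson).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalJson(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Parse WebAuthn authenticator data:
// rpIdHash[32] || flags[1] || signCount[4] || attestedCredentialData (only when the AT flag is set)
// attestedCredentialData = aaguid[16] || credentialIdLength[2] || credentialId || COSE public key (CBOR)
export function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authData too short");
  const flags = authData[32];
  const parsed = {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    attestedCredentialData: (flags & 0x40) !== 0,
    signCount: authData.readUInt32BE(33),
  };
  if (parsed.attestedCredentialData) {
    if (authData.length < 55) throw new Error("attested credential data truncated");
    const credIdLen = authData.readUInt16BE(53);
    if (authData.length < 55 + credIdLen) throw new Error("credentialId truncated");
    parsed.aaguid = authData.subarray(37, 53);
    parsed.credentialId = authData.subarray(55, 55 + credIdLen);
    parsed.credentialPublicKeyCbor = authData.subarray(55 + credIdLen); // COSE_Key, still CBOR-encoded
  }
  return parsed;
}

// rpIdHash must be SHA-256 of the RP ID the verifier was configured with.
export function checkRpIdBinding(parsed, expectedRpId) {
  return timingSafeEqual(parsed.rpIdHash, sha256(expectedRpId));
}

// Hash of the canonical identity body the mint path composes (platform and version are fixed).
export function hashIdentityBody(body) {
  return sha256(canonicalJson({ ...body, platform: "webauthn", version: "1" }));
}

// Step 4: the transmitted clientDataHash must equal the hash of the expected body.
// A substituted body, or a hash of the wrong length, fails here.
export function checkIdentityBinding(clientDataHash, body) {
  const expected = hashIdentityBody(body);
  return clientDataHash.length === expected.length && timingSafeEqual(clientDataHash, expected);
}

// Constructed sample authData for rpId "motebit.com" with UP, UV and AT flags set.
// The trailing 0xa0 byte (an empty CBOR map) stands in for a real COSE key.
export function buildSampleAuthData(rpId = "motebit.com") {
  const credentialId = Buffer.from("constructed-cred-id");
  const fixed = Buffer.alloc(37);
  sha256(rpId).copy(fixed, 0);
  fixed[32] = 0x45; // UP (0x01) | UV (0x04) | AT (0x40)
  fixed.writeUInt32BE(7, 33); // signCount
  const credLen = Buffer.alloc(2);
  credLen.writeUInt16BE(credentialId.length, 0);
  return Buffer.concat([fixed, Buffer.alloc(16, 0xab), credLen, credentialId, Buffer.from([0xa0])]);
}
```

Both comparisons use timingSafeEqual after an explicit length check, since timingSafeEqual throws on mismatched lengths; the rpIdHash check is what stops an attestation minted for another origin from being accepted, and the identity-binding check is what ties the challenge to exactly the body the mint path composed.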

Scope

v1 accepts fmt: "packed" only. Other formats (tpm, android-key, android-safetynet, fido-u2f, apple, none) return a structured fmt-not-supported error rather than being silently accepted. Additional formats will land as additive dispatch arms with their own test fixtures.

Why pinned

A verifier that dynamically fetches the FIDO Metadata Service has no sovereign story. The pinned root set is the self-attesting contract — third parties audit DEFAULT_FIDO_ROOTS and know which vendor roots this library accepts. Rotations land as additive constants.

Lower-level primitives

Beyond webauthnVerifier, the package exports the parser + pinned-root constants for advanced consumers:

  • verifyWebAuthnAttestation(...) — lowest-level entry point: takes the parsed attestation object plus caller-supplied roots and returns the structured verification result. webauthnVerifier is a thin curry over this that binds the options (such as expectedRpId) and the default root set.
  • parseWebAuthnAttestationObjectCbor(bytes) — parse the raw CBOR object the browser emits into a typed { fmt, attStmt, authData } structure.
  • WEBAUTHN_FMT_PACKED — the canonical fmt-string constant ("packed") used to dispatch by attestation format.
  • APPLE_WEBAUTHN_ROOT_PEM, YUBICO_FIDO_ROOT_PEM, MICROSOFT_TPM_ROOT_PEM — the pinned vendor roots, exported for audit and for HardwareVerifierBundleConfig.webauthnRootPems overrides in @motebit/verify.

License

Apache-2.0 — see LICENSE and NOTICE.

"Motebit" is a trademark. The Apache License grants rights to this software, not to any Motebit trademarks, logos, or branding. You may not use Motebit branding in a way that suggests endorsement or affiliation without written permission.