RubyGems - android_key_attestation - Versions diffs - 0.2.0 → 0.3.0 - Mend

android_key_attestation 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -2
data/Gemfile.lock +1 -1
data/lib/android_key_attestation.rb +3 -0
data/lib/android_key_attestation/google_hardware_attestation_root.pem +31 -0
data/lib/android_key_attestation/statement.rb +13 -0
data/lib/android_key_attestation/version.rb +1 -1
metadata +4 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e3bb936ba3e6e271423c4a56a8e07450a097161d3ad4c9f7a38615d9206814c
-  data.tar.gz: 3e64a79f6258523de7b6a6c4cc357c16904425dfc95d74a2e4269e8655395d60
+  metadata.gz: 80a822b17938c94650c9a22a6aa11f984774ceb095fa2f21907dffe635471f9d
+  data.tar.gz: 00b086c968d927e5e1c71639922255bd3e664120e8246a2be7998a28b72b17ed
 SHA512:
-  metadata.gz: 561e7a64bcd9d164368ca967214fc3d777bc3ebce59e53f650d6e44b9b68c3ae5707aecc99e1c2b03b425e0c0ad669f8ccf8f5321d3472b0b6966b6b3ee3559e
-  data.tar.gz: da3cff8a1cfdfa7ff3a4331e6261cb460dba73271f31fbd0295e3599e24572ea4b1887b8d0f6dd8c255f0b0d9731adf6f97009bcf1adbba4107be3b15d2d38bd
+  metadata.gz: fb59d0fcba2c3c65b73a9e3500e812e7229acb9dc56a75bc981258b70c62c215215f21a6382ac31452bf5c8fdf0cabdf9aa17204ba0015280466638245d40423
+  data.tar.gz: 7c588c47e006d3270de6c5ebca545b9bb8468ed4974d88d4c45cc5ddd756752655c6017118ef9feebf76358fff0733ce784b431629f861466a3df6471c57907b

data/CHANGELOG.md CHANGED

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [Unreleased]
+## [0.3.0] - 2020-02-16
+### Added
+- `Statement#verify_certificate_chain` to verify if the attestation certificate is trustworthy
 ## [0.2.0] - 2019-12-31
 ### Changed
 - Raise `ChallengeMismatchError` if the challenge lengths are different, not `ArgumentError`
@@ -12,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Extracted from [webauthn-ruby](https://github.com/cedarcode/webauthn-ruby) after discussion with the maintainers. Thanks for the feedback @grzuy and @brauliomartinezlm!
-[Unreleased]: https://github.com/bdewater/android_key_attestation/compare/v0.1.0...HEAD
-[0.1.0]: https://github.com/bdewater/android_key_attestation/releases/tag/v0.1.0...0.2.0
+[Unreleased]: https://github.com/bdewater/android_key_attestation/compare/v0.3.0...HEAD
+[0.3.0]: https://github.com/bdewater/android_key_attestation/compare/v0.2.0...v0.3.0
+[0.2.0]: https://github.com/bdewater/android_key_attestation/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/bdewater/android_key_attestation/releases/tag/v0.1.0

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    android_key_attestation (0.2.0)
+    android_key_attestation (0.3.0)
 GEM
   remote: https://rubygems.org/

data/lib/android_key_attestation.rb CHANGED

@@ -4,6 +4,9 @@ module AndroidKeyAttestation
   class Error < StandardError; end
   class ExtensionMissingError < Error; end
   class ChallengeMismatchError < Error; end
+  class CertificateVerificationError < Error; end
+  GEM_ROOT = File.expand_path(__dir__)
 end
 require_relative "android_key_attestation/statement"

data/lib/android_key_attestation/google_hardware_attestation_root.pem ADDED

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYy
+ODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYD
+VR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lk
+Lmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQAD
+ggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfB
+Pb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00m
+qC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rY
+DBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPm
+QUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4u
+JU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyD
+CdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79Iy
+ZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxD
+qwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23Uaic
+MDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1
+wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk
+-----END CERTIFICATE-----

data/lib/android_key_attestation/statement.rb CHANGED

@@ -8,6 +8,10 @@ require_relative "fixed_length_secure_compare"
 module AndroidKeyAttestation
   class Statement
     EXTENSION_DATA_OID = "1.3.6.1.4.1.11129.2.1.17"
+    GOOGLE_ROOT_CERTIFICATES = begin
+      file = File.read(File.join(GEM_ROOT, "android_key_attestation", "google_hardware_attestation_root.pem"))
+      [OpenSSL::X509::Certificate.new(file)]
+    end.freeze
     extend Forwardable
     def_delegators :key_description, :attestation_version, :attestation_security_level, :keymaster_version,
@@ -30,6 +34,15 @@ module AndroidKeyAttestation
         raise(ChallengeMismatchError)
     end
+    def verify_certificate_chain(root_certificates: GOOGLE_ROOT_CERTIFICATES, time: Time.now)
+      store = OpenSSL::X509::Store.new
+      root_certificates.each { |cert| store.add_cert(cert) }
+      store.time = time
+      store.verify(attestation_certificate, @certificates[1..-1]) ||
+        raise(CertificateVerificationError, store.error_string)
+    end
     def key_description
       @key_description ||= begin
         extension_data = attestation_certificate.extensions.detect { |ext| ext.oid == EXTENSION_DATA_OID }

data/lib/android_key_attestation/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module AndroidKeyAttestation
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: android_key_attestation
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Bart de Water
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-12-31 00:00:00.000000000 Z
+date: 2020-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -90,6 +90,7 @@ files:
 - lib/android_key_attestation.rb
 - lib/android_key_attestation/authorization_list.rb
 - lib/android_key_attestation/fixed_length_secure_compare.rb
+- lib/android_key_attestation/google_hardware_attestation_root.pem
 - lib/android_key_attestation/key_description.rb
 - lib/android_key_attestation/statement.rb
 - lib/android_key_attestation/version.rb
@@ -115,7 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Android key attestation verification