fido_metadata 0.3.0

data/lib/fido_metadata/coercer/date.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "time"
+
+module FidoMetadata
+  module Coercer
+    module Date
+      def self.coerce(value)
+        return value if value.is_a?(::Date)
+
+        ::Date.iso8601(value) if value
+      end
+    end
+  end
+end

data/lib/fido_metadata/coercer/escaped_uri.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module FidoMetadata
+  module Coercer
+    module EscapedURI
+      # The character # is a reserved character and not allowed in URLs, it is replaced by its hex value %x23.
+      # https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html#idl-def-MetadataTOCPayloadEntry
+      def self.coerce(value)
+        return value if value.is_a?(URI)
+
+        URI(value.gsub(/%x23/, "#")) if value
+      end
+    end
+  end
+end

data/lib/fido_metadata/coercer/magic_number.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module FidoMetadata
+  module Coercer
+    class MagicNumber
+      def initialize(mapping, array: false)
+        @mapping = mapping
+        @array = array
+      end
+
+      def coerce(values)
+        if @array
+          return values unless values.all? { |value| value.is_a?(Integer) }
+
+          values.map { |value| @mapping[value] }.compact
+        else
+          return values unless values.is_a?(Integer)
+
+          @mapping[values]
+        end
+      end
+    end
+  end
+end

data/lib/fido_metadata/coercer/objects.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module FidoMetadata
+  module Coercer
+    class Objects
+      def initialize(klass)
+        @klass = klass
+      end
+
+      def coerce(values)
+        return unless values.is_a?(Array)
+        return values if values.all? { |value| value.is_a?(@klass) }
+
+        values.map { |value| @klass.from_json(value) }
+      end
+    end
+  end
+end

data/lib/fido_metadata/coercer/user_verification_details.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "fido_metadata/verification_method_descriptor"
+
+module FidoMetadata
+  module Coercer
+    class UserVerificationDetails
+      def self.coerce(values)
+        return unless values.is_a?(Array)
+        return values if values.all? do |array|
+          array.all? do |object|
+            object.is_a?(VerificationMethodDescriptor)
+          end
+        end
+
+        values.map do |array|
+          array.map do |hash|
+            object = FidoMetadata::VerificationMethodDescriptor.from_json(hash)
+
+            if hash["baDesc"]
+              object.ba_desc = FidoMetadata::BiometricAccuracyDescriptor.from_json(hash["baDesc"])
+            end
+            if hash["caDesc"]
+              object.ca_desc = FidoMetadata::CodeAccuracyDescriptor.from_json(hash["caDesc"])
+            end
+            if hash["paDesc"]
+              object.pa_desc = FidoMetadata::PatternAccuracyDescriptor.from_json(hash["paDesc"])
+            end
+
+            object
+          end
+        end
+      end
+    end
+  end
+end

data/lib/fido_metadata/constants.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module FidoMetadata
+  module Constants
+    # https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-registry-v2.0-rd-20180702.html
+
+    ATTACHMENT_HINTS = {
+      0x0001 => "INTERNAL",
+      0x0002 => "EXTERNAL",
+      0x0004 => "WIRED",
+      0x0008 => "WIRELESS",
+      0x0010 => "NFC",
+      0x0020 => "BLUETOOTH",
+      0x0040 => "NETWORK",
+      0x0080 => "READY",
+      0x0100 => "WIFI_DIRECT",
+    }.freeze
+
+    ATTESTATION_TYPES = {
+      0x3E07 => "BASIC_FULL", # 'Basic' in WebAuthn
+      0x3E08 => "BASIC_SURROGATE", # 'Self' in WebAuthn
+      0x3E09 => "ECDAA",
+      0x3E0A => "ATTCA",
+    }.freeze
+
+    AUTHENTICATION_ALGORITHMS = {
+      0x0001 => "SECP256R1_ECDSA_SHA256_RAW",
+      0x0002 => "SECP256R1_ECDSA_SHA256_DER",
+      0x0003 => "RSASSA_PSS_SHA256_RAW",
+      0x0004 => "RSASSA_PSS_SHA256_DER",
+      0x0005 => "SECP256K1_ECDSA_SHA256_RAW",
+      0x0006 => "SECP256K1_ECDSA_SHA256_DER",
+      0x0007 => "SM2_SM3_RAW",
+      0x0008 => "RSA_EMSA_PKCS1_SHA256_RAW",
+      0x0009 => "RSA_EMSA_PKCS1_SHA256_DER",
+      0x000A => "RSASSA_PSS_SHA384_RAW",
+      0x000B => "RSASSA_PSS_SHA512_RAW",
+      0x000C => "RSASSA_PKCSV15_SHA256_RAW",
+      0x000D => "RSASSA_PKCSV15_SHA384_RAW",
+      0x000E => "RSASSA_PKCSV15_SHA512_RAW",
+      0x000F => "RSASSA_PKCSV15_SHA1_RAW",
+      0x0010 => "SECP384R1_ECDSA_SHA384_RAW",
+      0x0011 => "SECP521R1_ECDSA_SHA512_RAW",
+      0x0012 => "ED25519_EDDSA_SHA256_RAW",
+    }.freeze
+
+    KEY_PROTECTION_TYPES = {
+      0x0001 => "SOFTWARE",
+      0x0002 => "HARDWARE",
+      0x0004 => "TEE",
+      0x0008 => "SECURE_ELEMENT",
+      0x0010 => "REMOTE_HANDLE",
+    }.freeze
+
+    MATCHER_PROTECTION_TYPES = {
+      0x0001 => "SOFTWARE",
+      0x0002 => "TEE",
+      0x0004 => "ON_CHIP",
+    }.freeze
+
+    PUBLIC_KEY_FORMATS = {
+      0x0100 => "ECC_X962_RAW",
+      0x0101 => "ECC_X962_DER",
+      0x0102 => "RSA_2048_RAW",
+      0x0103 => "RSA_2048_DER",
+      0x0104 => "COSE",
+    }.freeze
+
+    TRANSACTION_CONFIRMATION_DISPLAY_TYPES = {
+      0x0001 => "ANY",
+      0x0002 => "PRIVILEGED_SOFTWARE",
+      0x0004 => "TEE",
+      0x0008 => "HARDWARE",
+      0x0010 => "REMOTE",
+    }.freeze
+
+    USER_VERIFICATION_METHODS = {
+      0x00000001 => "PRESENCE",
+      0x00000002 => "FINGERPRINT",
+      0x00000004 => "PASSCODE",
+      0x00000008 => "VOICEPRINT",
+      0x00000010 => "FACEPRINT",
+      0x00000020 => "LOCATION",
+      0x00000040 => "EYEPRINT",
+      0x00000080 => "PATTERN",
+      0x00000100 => "HANDPRINT",
+      0x00000200 => "NONE",
+      0x00000400 => "ALL",
+    }.freeze
+  end
+end

data/lib/fido_metadata/entry.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+require "fido_metadata/biometric_status_report"
+require "fido_metadata/status_report"
+require "fido_metadata/coercer/date"
+require "fido_metadata/coercer/escaped_uri"
+require "fido_metadata/coercer/objects"
+
+module FidoMetadata
+  class Entry
+    extend Attributes
+
+    json_accessor("aaid")
+    json_accessor("aaguid")
+    json_accessor("attestationCertificateKeyIdentifiers")
+    json_accessor("hash")
+    json_accessor("url", Coercer::EscapedURI)
+    json_accessor("biometricStatusReports", Coercer::Objects.new(BiometricStatusReport))
+    json_accessor("statusReports", Coercer::Objects.new(StatusReport))
+    json_accessor("timeOfLastStatusChange", Coercer::Date)
+    json_accessor("rogueListURL", Coercer::EscapedURI)
+    json_accessor("rogueListHash")
+  end
+end

data/lib/fido_metadata/pattern_accuracy_descriptor.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+
+module FidoMetadata
+  class PatternAccuracyDescriptor
+    extend Attributes
+
+    json_accessor("minComplexity")
+    json_accessor("maxRetries")
+    json_accessor("blockSlowdown")
+  end
+end

data/lib/fido_metadata/refinement/fixed_length_secure_compare.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module FidoMetadata
+  module Refinement
+    module FixedLengthSecureCompare
+      unless OpenSSL.singleton_class.method_defined?(:fixed_length_secure_compare)
+        refine OpenSSL.singleton_class do
+          def fixed_length_secure_compare(a, b) # rubocop:disable Naming/UncommunicativeMethodParamName
+            raise ArgumentError, "inputs must be of equal length" unless a.bytesize == b.bytesize
+
+            # borrowed from Rack::Utils
+            l = a.unpack("C*")
+            r, i = 0, -1
+            b.each_byte { |v| r |= v ^ l[i += 1] }
+            r == 0
+          end
+        end
+      end
+    end
+  end
+end

data/lib/fido_metadata/statement.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+require "fido_metadata/constants"
+require "fido_metadata/verification_method_descriptor"
+require "fido_metadata/coercer/assumed_value"
+require "fido_metadata/coercer/bit_field"
+require "fido_metadata/coercer/certificates"
+require "fido_metadata/coercer/magic_number"
+require "fido_metadata/coercer/user_verification_details"
+
+module FidoMetadata
+  class Statement
+    extend Attributes
+
+    json_accessor("legalHeader")
+    json_accessor("aaid")
+    json_accessor("aaguid")
+    json_accessor("attestationCertificateKeyIdentifiers")
+    json_accessor("description")
+    json_accessor("alternativeDescriptions")
+    json_accessor("authenticatorVersion")
+    json_accessor("protocolFamily", Coercer::AssumedValue.new("uaf"))
+    json_accessor("upv")
+    json_accessor("assertionScheme")
+    json_accessor("authenticationAlgorithm", Coercer::MagicNumber.new(Constants::AUTHENTICATION_ALGORITHMS))
+    json_accessor("authenticationAlgorithms",
+                  Coercer::MagicNumber.new(Constants::AUTHENTICATION_ALGORITHMS, array: true))
+    json_accessor("publicKeyAlgAndEncoding", Coercer::MagicNumber.new(Constants::PUBLIC_KEY_FORMATS))
+    json_accessor("publicKeyAlgAndEncodings",
+                  Coercer::MagicNumber.new(Constants::PUBLIC_KEY_FORMATS, array: true))
+    json_accessor("attestationTypes", Coercer::MagicNumber.new(Constants::ATTESTATION_TYPES, array: true))
+    json_accessor("userVerificationDetails", Coercer::UserVerificationDetails)
+    json_accessor("keyProtection", Coercer::BitField.new(Constants::KEY_PROTECTION_TYPES))
+    json_accessor("isKeyRestricted", Coercer::AssumedValue.new(true))
+    json_accessor("isFreshUserVerificationRequired", Coercer::AssumedValue.new(true))
+    json_accessor("matcherProtection",
+                  Coercer::BitField.new(Constants::MATCHER_PROTECTION_TYPES, single_value: true))
+    json_accessor("cryptoStrength")
+    json_accessor("operatingEnv")
+    json_accessor("attachmentHint", Coercer::BitField.new(Constants::ATTACHMENT_HINTS))
+    json_accessor("isSecondFactorOnly")
+    json_accessor("tcDisplay", Coercer::BitField.new(Constants::TRANSACTION_CONFIRMATION_DISPLAY_TYPES))
+    json_accessor("tcDisplayContentType")
+    json_accessor("tcDisplayPNGCharacteristics")
+    json_accessor("attestationRootCertificates")
+    json_accessor("ecdaaTrustAnchors")
+    json_accessor("icon")
+    json_accessor("supportedExtensions")
+
+    # Lazy load certificates for compatibility ActiveSupport::Cache. Can be removed once we require a version of
+    # OpenSSL which includes https://github.com/ruby/openssl/pull/281
+    def attestation_root_certificates
+      Coercer::Certificates.coerce(@attestation_root_certificates)
+    end
+
+    def trust_store
+      trust_store = OpenSSL::X509::Store.new
+      attestation_root_certificates.each do |certificate|
+        trust_store.add_cert(certificate)
+      end
+      trust_store
+    end
+  end
+end

data/lib/fido_metadata/status_report.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+require "fido_metadata/coercer/date"
+require "fido_metadata/coercer/escaped_uri"
+
+module FidoMetadata
+  class StatusReport
+    extend Attributes
+
+    json_accessor("status")
+    json_accessor("effectiveDate", Coercer::Date)
+    json_accessor("certificate")
+    json_accessor("url", Coercer::EscapedURI)
+    json_accessor("certificationDescriptor")
+    json_accessor("certificateNumber")
+    json_accessor("certificationPolicyVersion")
+    json_accessor("certificationRequirementsVersion")
+  end
+end

data/lib/fido_metadata/store.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require "fido_metadata/client"
+require "fido_metadata/table_of_contents"
+require "fido_metadata/statement"
+
+module FidoMetadata
+  class Store
+    METADATA_ENDPOINT = URI("https://mds2.fidoalliance.org/")
+
+    def table_of_contents
+      @table_of_contents ||= begin
+        key = "metadata_toc"
+        toc = cache_backend.read(key)
+        return toc if toc
+
+        json = client.download_toc(METADATA_ENDPOINT)
+        toc = FidoMetadata::TableOfContents.from_json(json)
+        cache_backend.write(key, toc)
+        toc
+      end
+    end
+
+    def fetch_entry(aaguid: nil, attestation_certificate_key_id: nil)
+      verify_arguments(aaguid: aaguid, attestation_certificate_key_id: attestation_certificate_key_id)
+
+      if aaguid
+        table_of_contents.entries.detect { |entry| entry.aaguid == aaguid }
+      elsif attestation_certificate_key_id
+        table_of_contents.entries.detect do |entry|
+          entry.attestation_certificate_key_identifiers&.detect do |id|
+            id == attestation_certificate_key_id
+          end
+        end
+      end
+    end
+
+    def fetch_statement(aaguid: nil, attestation_certificate_key_id: nil)
+      verify_arguments(aaguid: aaguid, attestation_certificate_key_id: attestation_certificate_key_id)
+
+      key = "statement_#{aaguid || attestation_certificate_key_id}"
+      statement = cache_backend.read(key)
+      return statement if statement
+
+      entry = if aaguid
+                fetch_entry(aaguid: aaguid)
+              elsif attestation_certificate_key_id
+                fetch_entry(attestation_certificate_key_id: attestation_certificate_key_id)
+              end
+      return unless entry
+
+      json = client.download_entry(entry.url, expected_hash: entry.hash)
+      statement = FidoMetadata::Statement.from_json(json)
+      cache_backend.write(key, statement)
+      statement
+    end
+
+    private
+
+    def verify_arguments(aaguid: nil, attestation_certificate_key_id: nil)
+      unless aaguid || attestation_certificate_key_id
+        raise ArgumentError, "must pass either aaguid or attestation_certificate_key"
+      end
+
+      if aaguid && attestation_certificate_key_id
+        raise ArgumentError, "cannot pass both aaguid and attestation_certificate_key"
+      end
+    end
+
+    def cache_backend
+      FidoMetadata.configuration.cache_backend || raise("no cache_backend configured")
+    end
+
+    def metadata_token
+      FidoMetadata.configuration.metadata_token || raise("no metadata_token configured")
+    end
+
+    def client
+      @client ||= FidoMetadata::Client.new(metadata_token)
+    end
+  end
+end

data/lib/fido_metadata/table_of_contents.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+require "fido_metadata/entry"
+require "fido_metadata/coercer/date"
+require "fido_metadata/coercer/objects"
+
+module FidoMetadata
+  class TableOfContents
+    extend Attributes
+
+    json_accessor("legalHeader")
+    json_accessor("nextUpdate", Coercer::Date)
+    json_accessor("entries", Coercer::Objects.new(Entry))
+    json_accessor("no")
+  end
+end