fido_metadata 0.1.0

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task default: :test

data/bin/console

@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "fido_metadata"
+
+# Configure in-memory cache
+require_relative "../spec/support/test_cache_store"
+FidoMetadata.configure do |config|
+  config.metadata_token = ENV["MDS_TOKEN"]
+  config.cache_backend = TestCacheStore.new
+end
+
+unless FidoMetadata.configuration.metadata_token
+  puts <<~EOS
+    No MDS token configured via the MDS_TOKEN environment variable.
+    Set one for this session: FidoMetadata.configuration.metadata_token = 'your token'
+  EOS
+end
+puts "Reset the cache via: FidoMetadata.configuration.cache_backend.clear"
+
+# Start REPL
+require "pry-byebug"
+Pry.start

data/bin/rspec

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rspec' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+                                           Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("bundle", __dir__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rspec-core", "rspec")

data/bin/rubocop

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rubocop' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+                                           Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("bundle", __dir__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rubocop", "rubocop")

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/fido_metadata.gemspec

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "fido_metadata/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "fido_metadata"
+  spec.version       = FidoMetadata::VERSION
+  spec.authors       = ["Bart de Water"]
+
+  spec.summary       = "FIDO Alliance Metadata Service client"
+  spec.description   = "Client for looking up metadata about FIDO authenticators, for use by WebAuthn relying parties"
+  spec.homepage      = "https://github.com/bdewater/fido_metadata"
+  spec.license       = "MIT"
+
+  if spec.respond_to?(:metadata)
+    spec.metadata["homepage_uri"] = spec.homepage
+    spec.metadata["source_code_uri"] = spec.homepage
+    spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/master/CHANGELOG.md"
+  end
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = ">= 2.3"
+
+  spec.add_dependency "jwt", "~> 2.0"
+  spec.add_dependency "securecompare", "~> 1.0"
+  spec.add_development_dependency "bundler", "~> 1.17"
+  spec.add_development_dependency "pry-byebug"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.8"
+  spec.add_development_dependency "rubocop", "0.75.0"
+  spec.add_development_dependency "webmock", "~> 3.6"
+end

data/lib/Root.cer

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICQzCCAcigAwIBAgIORqmxkzowRM99NQZJurcwCgYIKoZIzj0EAwMwUzELMAkG
+A1UEBhMCVVMxFjAUBgNVBAoTDUZJRE8gQWxsaWFuY2UxHTAbBgNVBAsTFE1ldGFk
+YXRhIFRPQyBTaWduaW5nMQ0wCwYDVQQDEwRSb290MB4XDTE1MDYxNzAwMDAwMFoX
+DTQ1MDYxNzAwMDAwMFowUzELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUZJRE8gQWxs
+aWFuY2UxHTAbBgNVBAsTFE1ldGFkYXRhIFRPQyBTaWduaW5nMQ0wCwYDVQQDEwRS
+b290MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEFEoo+6jdxg6oUuOloqPjK/nVGyY+
+AXCFz1i5JR4OPeFJs+my143ai0p34EX4R1Xxm9xGi9n8F+RxLjLNPHtlkB3X4ims
+rfIx7QcEImx1cMTgu5zUiwxLX1ookVhIRSoso2MwYTAOBgNVHQ8BAf8EBAMCAQYw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU0qUfC6f2YshA1Ni9udeO0VS7vEYw
+HwYDVR0jBBgwFoAU0qUfC6f2YshA1Ni9udeO0VS7vEYwCgYIKoZIzj0EAwMDaQAw
+ZgIxAKulGbSFkDSZusGjbNkAhAkqTkLWo3GrN5nRBNNk2Q4BlG+AvM5q9wa5WciW
+DcMdeQIxAMOEzOFsxX9Bo0h4LOFE5y5H8bdPFYW+l5gy1tQiJv+5NUyM2IBB55XU
+YjdBz56jSA==
+-----END CERTIFICATE-----

data/lib/fido_metadata.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "fido_metadata/store"
+require "fido_metadata/version"
+
+module FidoMetadata
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configure
+    yield(configuration)
+  end
+
+  class Configuration
+    attr_accessor :metadata_token
+    attr_accessor :cache_backend
+  end
+end

data/lib/fido_metadata/attributes.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module FidoMetadata
+  module Attributes
+    def underscore_name(name)
+      name
+        .gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+        .gsub(/([a-z\d])([A-Z])/, '\1_\2')
+        .downcase
+        .to_sym
+    end
+
+    private :underscore_name
+
+    def json_accessor(name, coercer = nil)
+      underscored_name = underscore_name(name)
+      attr_accessor underscored_name
+
+      if coercer
+        define_method(:"#{underscored_name}=") do |value|
+          coerced_value = coercer.coerce(value)
+          instance_variable_set(:"@#{underscored_name}", coerced_value)
+        end
+      end
+    end
+
+    def from_json(hash = {})
+      instance = new
+      hash.each do |k, v|
+        method_name = :"#{underscore_name(k)}="
+        instance.public_send(method_name, v) if instance.respond_to?(method_name)
+      end
+
+      instance
+    end
+  end
+end

data/lib/fido_metadata/biometric_accuracy_descriptor.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+
+module FidoMetadata
+  class BiometricAccuracyDescriptor
+    extend Attributes
+
+    json_accessor("selfAttestedFRR")
+    json_accessor("selfAttestedFAR")
+    json_accessor("maxTemplates")
+    json_accessor("maxRetries")
+    json_accessor("blockSlowdown")
+  end
+end

data/lib/fido_metadata/biometric_status_report.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+require "fido_metadata/coercer/date"
+
+module FidoMetadata
+  class BiometricStatusReport
+    extend Attributes
+
+    json_accessor("certLevel")
+    json_accessor("modality")
+    json_accessor("effectiveDate", Coercer::Date)
+    json_accessor("certificationDescriptor")
+    json_accessor("certificateNumber")
+    json_accessor("certificationPolicyVersion")
+    json_accessor("certificationRequirementsVersion")
+  end
+end

data/lib/fido_metadata/client.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require "jwt"
+require "net/http"
+require "openssl"
+require "securecompare"
+
+module FidoMetadata
+  class Client
+    class DataIntegrityError < StandardError; end
+    class InvalidHashError < DataIntegrityError; end
+    class UnverifiedSigningKeyError < DataIntegrityError; end
+
+    DEFAULT_HEADERS = {
+      "Content-Type" => "application/json",
+      "User-Agent" => "fido_metadata/#{FidoMetadata::VERSION} (Ruby)"
+    }.freeze
+
+    def self.fido_trust_store
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      file = File.read(File.join(__dir__, "..", "Root.cer"))
+      store.add_cert(OpenSSL::X509::Certificate.new(file))
+    end
+
+    def initialize(token)
+      @token = token
+    end
+
+    def download_toc(uri, trust_store: self.class.fido_trust_store)
+      response = get_with_token(uri)
+      payload, _ = JWT.decode(response, nil, true, algorithms: ["ES256"]) do |headers|
+        verified_public_key(headers["x5c"], trust_store)
+      end
+      payload
+    end
+
+    def download_entry(uri, expected_hash:)
+      response = get_with_token(uri)
+      unless SecureCompare.compare(OpenSSL::Digest::SHA256.digest(response), Base64.urlsafe_decode64(expected_hash))
+        raise(InvalidHashError)
+      end
+
+      decoded_body = Base64.urlsafe_decode64(response)
+      JSON.parse(decoded_body)
+    end
+
+    private
+
+    def get_with_token(uri)
+      if @token && !@token.empty?
+        uri.path += "/" unless uri.path.end_with?("/")
+        uri.query = "token=#{@token}"
+      end
+      get(uri)
+    end
+
+    def get(uri)
+      get = Net::HTTP::Get.new(uri, DEFAULT_HEADERS)
+      response = http(uri).request(get)
+      response.value
+      response.body
+    end
+
+    def http(uri)
+      @http ||= begin
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = uri.port == 443
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        http.open_timeout = 5
+        http.read_timeout = 5
+        http
+      end
+    end
+
+    def verified_public_key(x5c, trust_store)
+      certificates = x5c.map do |encoded|
+        OpenSSL::X509::Certificate.new(Base64.strict_decode64(encoded))
+      end
+      leaf_certificate = certificates[0]
+      chain_certificates = certificates[1..-1]
+
+      crls = download_crls(certificates)
+      crls.each do |crl|
+        trust_store.add_crl(crl)
+      end
+
+      if trust_store.verify(leaf_certificate, chain_certificates)
+        leaf_certificate.public_key
+      else
+        raise(UnverifiedSigningKeyError, "OpenSSL error #{trust_store.error} (#{trust_store.error_string})")
+      end
+    end
+
+    def download_crls(certificates)
+      uris = extract_crl_distribution_points(certificates)
+
+      crls = uris.compact.uniq.map do |uri|
+        begin
+          get(uri)
+        rescue Net::ProtoServerError
+          # TODO: figure out why test endpoint specifies a missing and unused CRL in the cert chain, and see if this
+          # rescue can be removed. If the CRL is used, OpenSSL error 3 (unable to get certificate CRL) will raise.
+          nil
+        end
+      end
+      crls.compact.map { |crl| OpenSSL::X509::CRL.new(crl) }
+    end
+
+    def extract_crl_distribution_points(certificates)
+      certificates.map do |certificate|
+        extension = certificate.extensions.detect { |ext| ext.oid == "crlDistributionPoints" }
+        # TODO: replace this with proper parsing of deeply nested ASN1 structures
+        match = extension&.value&.match(/URI:(?<uri>\S*)/)
+        URI(match[:uri]) if match
+      end
+    end
+  end
+end

data/lib/fido_metadata/code_accuracy_descriptor.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+
+module FidoMetadata
+  class CodeAccuracyDescriptor
+    extend Attributes
+
+    json_accessor("base")
+    json_accessor("minLength")
+    json_accessor("maxRetries")
+    json_accessor("blockSlowdown")
+  end
+end

data/lib/fido_metadata/coercer/assumed_value.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module FidoMetadata
+  module Coercer
+    class AssumedValue
+      def initialize(assume)
+        @assume = assume
+      end
+
+      def coerce(value)
+        if value.nil?
+          @assume
+        else
+          value
+        end
+      end
+    end
+  end
+end

data/lib/fido_metadata/coercer/bit_field.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module FidoMetadata
+  module Coercer
+    class BitField
+      def initialize(mapping, single_value: false)
+        @mapping = mapping
+        @single_value = single_value
+      end
+
+      def coerce(value)
+        results = @mapping.reject { |flag, _constant| flag & value == 0 }.values
+
+        if @single_value
+          results.first
+        else
+          results
+        end
+      end
+    end
+  end
+end