fido_metadata 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '08330439dce6050e6e099e11620382b947e17777a40744f72283a1be18a07c3e'
-  data.tar.gz: 2377b8900e5593832e965d53c41cac920d23bc846eb0be698b42f8d499f0d976
+  metadata.gz: 1899edc776f8d77121b90f9487e5c4ed915aad1407899e32f28c6a209efcb287
+  data.tar.gz: ad903aaa648ad7591d69883cd1cf61dba63228c07f9256b02d29a6e9e0642b9d
 SHA512:
-  metadata.gz: 1122f49d0fe46db1464763d37db667c09e7794b2acdac868effc6a5bac03c1ec9f38a6b2a4beb87b419f2f9028cd84021aaab6b858a8e645ff452c4c4b53f595
-  data.tar.gz: c60c889a0e9c3088d27530be2fa9f3a97ead8dbbdf638d18909ed66d78431fc969548282b4b6a41e030b5160abd42f171860c455aabbf993ed4fa0faeaabe189
+  metadata.gz: 19da5080beafc9fefb641f15419f1753123254aaa947a2b70682e56d4a865e50f18eb42ab3df7f0b4c219355b142ef6d58d42d472399c833942679823e76472d
+  data.tar.gz: 3ca8419fb3cf241c63ec0e100e46559940b82efb54cbfa61369727e396b1bbf1d483193412fa2cb90ca97aa9c53fc98983efa6efa24d2f8d356c5510b4a0f8be

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/ci.yml

@@ -0,0 +1,33 @@
+name: CI
+
+on: push
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2", "3.3", "3.4"]
+        gemfile:
+          - jwt_2
+          - jwt_3
+
+    env:
+      BUNDLE_GEMFILE: gemfiles/${{ matrix.gemfile }}.gemfile
+
+    steps:
+    - uses: actions/checkout@v5
+
+    - run: rm Gemfile.lock
+
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true # 'bundle install' and cache gems
+        ruby-version: ${{ matrix.ruby }}
+
+    - name: Run tests
+      run: bundle exec rspec

data/.github/workflows/lint.yml

@@ -0,0 +1,18 @@
+name: Lint
+
+on: push
+
+jobs:
+  lint:
+
+    runs-on: ubuntu-latest
+    name: Rubocop
+
+    steps:
+    - uses: actions/checkout@v5
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true # 'bundle install' and cache gems
+    - name: Run Rubocop
+      run: bundle exec rubocop

data/.gitignore

@@ -6,3 +6,4 @@
 /pkg/
 /spec/reports/
 /tmp/
+/gemfiles/*.gemfile.lock

data/.rubocop.yml

@@ -7,6 +7,7 @@ AllCops:
   DisabledByDefault: true
   Exclude:
     - "gemfiles/**/*"
+    - "vendor/**/*"
 
 Bundler:
   Enabled: true
@@ -20,7 +21,7 @@ Layout:
 Lint:
   Enabled: true
 
-Metrics/LineLength:
+Layout/LineLength:
   Max: 120
 
 Naming:
@@ -32,9 +33,6 @@ Security:
 Style/BlockComments:
   Enabled: true
 
-Style/BracesAroundHashParameters:
-  Enabled: true
-
 Style/CaseEquality:
   Enabled: true
 
@@ -180,10 +178,10 @@ Style/TrailingMethodEndStatement:
 Style/TrivialAccessors:
   Enabled: true
 
-Style/UnneededInterpolation:
+Style/RedundantInterpolation:
   Enabled: true
 
-Style/UnneededPercentQ:
+Style/RedundantPercentQ:
   Enabled: true
 
 Style/UnpackFirst:

data/.ruby-version

@@ -0,0 +1 @@
+3.4.5

data/Appraisals

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+appraise "jwt_2" do
+  gem "jwt", "~> 2"
+end
+
+appraise "jwt_3" do
+  gem "jwt", "~> 3"
+end

data/CHANGELOG.md

@@ -6,6 +6,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.0] - 2025-09-12
+### Added
+- Add support for FIDO MDS v3. ([#10](https://github.com/cedarcode/fido_metadata/pull/10))
+- Follow HTTP 302 redirects when downloading CRLs. ([#14](https://github.com/cedarcode/fido_metadata/pull/14))
+
+### Changed
+- Update `jwt` dependency to support both v2 and v3. ([#23](https://github.com/cedarcode/fido_metadata/pull/23))
+
+## [0.4.0] - 2019-12-28
+### Added
+- Set `expires_in` and `race_condition_ttl` options during caching.
+
 ## [0.3.0] - 2019-11-24
 ### Changed
 - Made `FidoMetada::TestCacheStore` available for gem users. It is not required by default.
@@ -25,7 +37,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Extracted from [webauthn-ruby PR 208](https://github.com/cedarcode/webauthn-ruby/pull/208) after discussion with the maintainers. Thanks for the feedback @grzuy and @brauliomartinezlm!
 
-[Unreleased]: https://github.com/bdewater/fido_metadata/compare/v0.2.0...HEAD
-[0.3.0]: https://github.com/bdewater/fido_metadata/compare/v0.2.0...v0.3.0
-[0.2.0]: https://github.com/bdewater/fido_metadata/compare/v0.1.0...v0.2.0
-[0.1.0]: https://github.com/bdewater/fido_metadata/releases/tag/v0.1.0
+[Unreleased]: https://github.com/cedarcode/fido_metadata/compare/v0.5.0...HEAD
+[0.5.0]: https://github.com/cedarcode/fido_metadata/compare/v0.4.0...v0.5.0
+[0.4.0]: https://github.com/cedarcode/fido_metadata/compare/v0.3.0...v0.4.0
+[0.3.0]: https://github.com/cedarcode/fido_metadata/compare/v0.2.0...v0.3.0
+[0.2.0]: https://github.com/cedarcode/fido_metadata/compare/v0.1.0...v0.2.0
+[0.1.0]: https://github.com/cedarcode/fido_metadata/releases/tag/v0.1.0

data/Gemfile

@@ -6,3 +6,9 @@ git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in fido_metadata.gemspec
 gemspec
+
+if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0")
+  gem "rubocop", "~> 1.80", require: false
+end
+
+gem "appraisal", "~> 2.5"

data/Gemfile.lock

@@ -1,61 +1,77 @@
 PATH
   remote: .
   specs:
-    fido_metadata (0.3.0)
-      jwt (~> 2.0)
+    fido_metadata (0.5.0)
+      base64 (>= 0.1.0)
+      jwt (>= 2.0, < 4)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    ast (2.4.0)
-    byebug (11.0.1)
-    coderay (1.1.2)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
-    diff-lcs (1.3)
-    hashdiff (1.0.0)
-    jaro_winkler (1.5.4)
-    jwt (2.2.1)
-    method_source (0.9.2)
-    parallel (1.18.0)
-    parser (2.6.5.0)
-      ast (~> 2.4.0)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    pry-byebug (3.7.0)
-      byebug (~> 11.0)
-      pry (~> 0.10)
-    public_suffix (4.0.1)
-    rainbow (3.0.0)
-    rake (10.5.0)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
-    rspec-expectations (3.9.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    appraisal (2.5.0)
+      bundler
+      rake
+      thor (>= 0.14.0)
+    ast (2.4.3)
+    base64 (0.3.0)
+    bigdecimal (3.2.2)
+    crack (1.0.0)
+      bigdecimal
+      rexml
+    diff-lcs (1.6.2)
+    hashdiff (1.2.0)
+    json (2.13.2)
+    jwt (3.1.2)
+      base64
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    parallel (1.27.0)
+    parser (3.3.9.0)
+      ast (~> 2.4.1)
+      racc
+    prism (1.4.0)
+    public_suffix (6.0.2)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.3.0)
+    regexp_parser (2.11.2)
+    rexml (3.4.2)
+    rspec (3.13.1)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.5)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.0)
-    rubocop (0.75.0)
-      jaro_winkler (~> 1.5.1)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.5)
+    rubocop (1.80.1)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
-      parser (>= 2.6)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.46.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.7)
-    ruby-progressbar (1.10.1)
-    safe_yaml (1.0.5)
-    unicode-display_width (1.6.0)
-    webmock (3.7.6)
-      addressable (>= 2.3.6)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.46.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    ruby-progressbar (1.13.0)
+    thor (1.4.0)
+    unicode-display_width (3.1.5)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
+    webmock (3.25.1)
+      addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
 
@@ -63,13 +79,12 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.17)
+  appraisal (~> 2.5)
   fido_metadata!
-  pry-byebug
-  rake (~> 10.0)
+  rake (~> 13.0)
   rspec (~> 3.8)
-  rubocop (= 0.75.0)
+  rubocop (~> 1.80)
   webmock (~> 3.6)
 
 BUNDLED WITH
-   1.17.3
+   2.7.1

data/README.md

@@ -26,7 +26,6 @@ First, you need to [register for an access token](https://mds2.fidoalliance.org/
 The cache interface is compatible with Rails' [`ActiveSupport::Cache::Store`](https://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html), which means you can configure the gem to use your existing cache or a separate one:
 ```ruby
 FidoMetadata.configure do |config|
-  config.metadata_token = "your token"
   config.cache_backend = Rails.cache # or something like `ActiveSupport::Cache::FileStore.new(...)`
 end
 ```

data/Rakefile

@@ -1,12 +1,8 @@
 # frozen_string_literal: true
 
 require "bundler/gem_tasks"
-require "rake/testtask"
+require "rspec/core/rake_task"
 
-Rake::TestTask.new(:test) do |t|
-  t.libs << "test"
-  t.libs << "lib"
-  t.test_files = FileList["test/**/*_test.rb"]
-end
+RSpec::Core::RakeTask.new(:spec)
 
-task default: :test
+task default: :spec

data/bin/console

@@ -7,18 +7,10 @@ require "fido_metadata"
 # Configure in-memory cache
 require "fido_metadata/test_cache_store"
 FidoMetadata.configure do |config|
-  config.metadata_token = ENV["MDS_TOKEN"]
   config.cache_backend = FidoMetadata::TestCacheStore.new
 end
 
-unless FidoMetadata.configuration.metadata_token
-  puts <<~TOKEN_HINT
-    No MDS token configured via the MDS_TOKEN environment variable.
-    Set one for this session: FidoMetadata.configuration.metadata_token = 'your token'
-  TOKEN_HINT
-end
 puts "Reset the cache via: FidoMetadata.configuration.cache_backend.clear"
 
 # Start REPL
-require "pry-byebug"
 Pry.start

data/fido_metadata.gemspec

@@ -31,11 +31,9 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = ">= 2.3"
 
-  spec.add_dependency "jwt", "~> 2.0"
-  spec.add_development_dependency "bundler", "~> 1.17"
-  spec.add_development_dependency "pry-byebug"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_dependency "base64", ">= 0.1.0"
+  spec.add_dependency "jwt", ">= 2.0", "< 4"
+  spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.75.0"
   spec.add_development_dependency "webmock", "~> 3.6"
 end

data/gemfiles/jwt_2.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", "~> 2.5"
+gem "jwt", "~> 2"
+
+gemspec path: "../"

data/gemfiles/jwt_3.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", "~> 2.5"
+gem "jwt", "~> 3"
+
+gemspec path: "../"

data/lib/Root.cer

@@ -1,15 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIICQzCCAcigAwIBAgIORqmxkzowRM99NQZJurcwCgYIKoZIzj0EAwMwUzELMAkG
-A1UEBhMCVVMxFjAUBgNVBAoTDUZJRE8gQWxsaWFuY2UxHTAbBgNVBAsTFE1ldGFk
-YXRhIFRPQyBTaWduaW5nMQ0wCwYDVQQDEwRSb290MB4XDTE1MDYxNzAwMDAwMFoX
-DTQ1MDYxNzAwMDAwMFowUzELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUZJRE8gQWxs
-aWFuY2UxHTAbBgNVBAsTFE1ldGFkYXRhIFRPQyBTaWduaW5nMQ0wCwYDVQQDEwRS
-b290MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEFEoo+6jdxg6oUuOloqPjK/nVGyY+
-AXCFz1i5JR4OPeFJs+my143ai0p34EX4R1Xxm9xGi9n8F+RxLjLNPHtlkB3X4ims
-rfIx7QcEImx1cMTgu5zUiwxLX1ookVhIRSoso2MwYTAOBgNVHQ8BAf8EBAMCAQYw
-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU0qUfC6f2YshA1Ni9udeO0VS7vEYw
-HwYDVR0jBBgwFoAU0qUfC6f2YshA1Ni9udeO0VS7vEYwCgYIKoZIzj0EAwMDaQAw
-ZgIxAKulGbSFkDSZusGjbNkAhAkqTkLWo3GrN5nRBNNk2Q4BlG+AvM5q9wa5WciW
-DcMdeQIxAMOEzOFsxX9Bo0h4LOFE5y5H8bdPFYW+l5gy1tQiJv+5NUyM2IBB55XU
-YjdBz56jSA==
+MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
+MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
+RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
+gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
+KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
+QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
+XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
+LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
+RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
+jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
+6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
+mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
+Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
+WD9f
 -----END CERTIFICATE-----

data/lib/fido_metadata/authenticator_get_info.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require "fido_metadata/attributes"
+
+module FidoMetadata
+  class AuthenticatorGetInfo
+    extend Attributes
+
+    json_accessor("versions")
+    json_accessor("extensions")
+    json_accessor("aaguid")
+    json_accessor("options")
+    json_accessor("maxMsgSize")
+    json_accessor("pinUvAuthProtocols")
+    json_accessor("maxCredentialCountInList")
+    json_accessor("maxCredentialIdLength")
+    json_accessor("transports")
+    json_accessor("algorithms")
+    json_accessor("maxSerializedLargeBlobArray")
+    json_accessor("forcePINChange")
+    json_accessor("minPINLength")
+    json_accessor("firmwareVersion")
+    json_accessor("maxCredBlobLength")
+    json_accessor("maxRPIDsForSetMinPINLength")
+    json_accessor("preferredPlatformUvAttempts")
+    json_accessor("uvModality")
+    json_accessor("certifications")
+    json_accessor("remainingDiscoverableCredentials")
+    json_accessor("vendorPrototypeConfigCommands")
+  end
+end

data/lib/fido_metadata/client.rb

@@ -23,13 +23,9 @@ module FidoMetadata
       File.read(File.join(__dir__, "..", "Root.cer"))
     )].freeze
 
-    def initialize(token)
-      @token = token
-    end
-
-    def download_toc(uri, trusted_certs: FIDO_ROOT_CERTIFICATES)
-      response = get_with_token(uri)
-      payload, _ = JWT.decode(response, nil, true, algorithms: ["ES256"]) do |headers|
+    def download_toc(uri, algorithms: ["RS256"], trusted_certs: FIDO_ROOT_CERTIFICATES)
+      response = get(uri)
+      payload, _ = JWT.decode(response, nil, true, algorithms: algorithms) do |headers|
         jwt_certificates = headers["x5c"].map do |encoded|
           OpenSSL::X509::Certificate.new(Base64.strict_decode64(encoded))
         end
@@ -44,43 +40,26 @@ module FidoMetadata
       payload
     end
 
-    def download_entry(uri, expected_hash:)
-      response = get_with_token(uri)
-      decoded_hash = Base64.urlsafe_decode64(expected_hash)
-      unless OpenSSL.fixed_length_secure_compare(OpenSSL::Digest::SHA256.digest(response), decoded_hash)
-        raise(InvalidHashError)
-      end
-
-      decoded_body = Base64.urlsafe_decode64(response)
-      JSON.parse(decoded_body)
-    end
-
     private
 
-    def get_with_token(uri)
-      if @token && !@token.empty?
-        uri.path += "/" unless uri.path.end_with?("/")
-        uri.query = "token=#{@token}"
-      end
-      get(uri)
-    end
-
     def get(uri)
       get = Net::HTTP::Get.new(uri, DEFAULT_HEADERS)
       response = http(uri).request(get)
       response.value
       response.body
+    rescue Net::HTTPRetriableError => e
+      if e.response.is_a? Net::HTTPResponse
+        get(URI(e.response["location"]))
+      end
     end
 
     def http(uri)
-      @http ||= begin
-        http = Net::HTTP.new(uri.host, uri.port)
-        http.use_ssl = uri.port == 443
-        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-        http.open_timeout = 5
-        http.read_timeout = 5
-        http
-      end
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = uri.port == 443
+      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      http.open_timeout = 5
+      http.read_timeout = 5
+      http
     end
 
     def download_crls(certificates)
@@ -89,7 +68,7 @@ module FidoMetadata
       crls = uris.compact.uniq.map do |uri|
         begin
           get(uri)
-        rescue Net::ProtoServerError
+        rescue Net::ProtocolError
           # TODO: figure out why test endpoint specifies a missing and unused CRL in the cert chain, and see if this
           # rescue can be removed. If the CRL is used, OpenSSL error 3 (unable to get certificate CRL) will raise.
           nil

data/lib/fido_metadata/coercer/authenticator_get_info.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "fido_metadata/authenticator_get_info"
+
+module FidoMetadata
+  module Coercer
+    module AuthenticatorGetInfo
+      def self.coerce(value)
+        return value if value.is_a?(FidoMetadata::AuthenticatorGetInfo)
+
+        FidoMetadata::AuthenticatorGetInfo.from_json(value) if value
+      end
+    end
+  end
+end

data/lib/fido_metadata/coercer/statement.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "fido_metadata/statement"
+
+module FidoMetadata
+  module Coercer
+    module Statement
+      def self.coerce(value)
+        return value if value.is_a?(FidoMetadata::Statement)
+
+        FidoMetadata::Statement.from_json(value) if value
+      end
+    end
+  end
+end

data/lib/fido_metadata/entry.rb

@@ -6,6 +6,7 @@ require "fido_metadata/status_report"
 require "fido_metadata/coercer/date"
 require "fido_metadata/coercer/escaped_uri"
 require "fido_metadata/coercer/objects"
+require "fido_metadata/coercer/statement"
 
 module FidoMetadata
   class Entry
@@ -21,5 +22,6 @@ module FidoMetadata
     json_accessor("timeOfLastStatusChange", Coercer::Date)
     json_accessor("rogueListURL", Coercer::EscapedURI)
     json_accessor("rogueListHash")
+    json_accessor("metadataStatement", Coercer::Statement)
   end
 end

data/lib/fido_metadata/refinement/fixed_length_secure_compare.rb

@@ -7,7 +7,7 @@ module FidoMetadata
     module FixedLengthSecureCompare
       unless OpenSSL.singleton_class.method_defined?(:fixed_length_secure_compare)
         refine OpenSSL.singleton_class do
-          def fixed_length_secure_compare(a, b) # rubocop:disable Naming/UncommunicativeMethodParamName
+          def fixed_length_secure_compare(a, b) # rubocop:disable Naming/MethodParameterName
             raise ArgumentError, "inputs must be of equal length" unless a.bytesize == b.bytesize
 
             # borrowed from Rack::Utils

data/lib/fido_metadata/statement.rb

@@ -1,13 +1,13 @@
 # frozen_string_literal: true
 
 require "fido_metadata/attributes"
-require "fido_metadata/constants"
 require "fido_metadata/verification_method_descriptor"
 require "fido_metadata/coercer/assumed_value"
 require "fido_metadata/coercer/bit_field"
 require "fido_metadata/coercer/certificates"
 require "fido_metadata/coercer/magic_number"
 require "fido_metadata/coercer/user_verification_details"
+require "fido_metadata/coercer/authenticator_get_info"
 
 module FidoMetadata
   class Statement
@@ -22,31 +22,25 @@ module FidoMetadata
     json_accessor("authenticatorVersion")
     json_accessor("protocolFamily", Coercer::AssumedValue.new("uaf"))
     json_accessor("upv")
-    json_accessor("assertionScheme")
-    json_accessor("authenticationAlgorithm", Coercer::MagicNumber.new(Constants::AUTHENTICATION_ALGORITHMS))
-    json_accessor("authenticationAlgorithms",
-                  Coercer::MagicNumber.new(Constants::AUTHENTICATION_ALGORITHMS, array: true))
-    json_accessor("publicKeyAlgAndEncoding", Coercer::MagicNumber.new(Constants::PUBLIC_KEY_FORMATS))
-    json_accessor("publicKeyAlgAndEncodings",
-                  Coercer::MagicNumber.new(Constants::PUBLIC_KEY_FORMATS, array: true))
-    json_accessor("attestationTypes", Coercer::MagicNumber.new(Constants::ATTESTATION_TYPES, array: true))
+    json_accessor("authenticationAlgorithms")
+    json_accessor("publicKeyAlgAndEncodings")
+    json_accessor("attestationTypes")
     json_accessor("userVerificationDetails", Coercer::UserVerificationDetails)
-    json_accessor("keyProtection", Coercer::BitField.new(Constants::KEY_PROTECTION_TYPES))
+    json_accessor("keyProtection")
     json_accessor("isKeyRestricted", Coercer::AssumedValue.new(true))
     json_accessor("isFreshUserVerificationRequired", Coercer::AssumedValue.new(true))
-    json_accessor("matcherProtection",
-                  Coercer::BitField.new(Constants::MATCHER_PROTECTION_TYPES, single_value: true))
+    json_accessor("matcherProtection")
     json_accessor("cryptoStrength")
-    json_accessor("operatingEnv")
-    json_accessor("attachmentHint", Coercer::BitField.new(Constants::ATTACHMENT_HINTS))
-    json_accessor("isSecondFactorOnly")
-    json_accessor("tcDisplay", Coercer::BitField.new(Constants::TRANSACTION_CONFIRMATION_DISPLAY_TYPES))
+    json_accessor("attachmentHint")
+    json_accessor("tcDisplay")
     json_accessor("tcDisplayContentType")
     json_accessor("tcDisplayPNGCharacteristics")
     json_accessor("attestationRootCertificates")
     json_accessor("ecdaaTrustAnchors")
     json_accessor("icon")
     json_accessor("supportedExtensions")
+    json_accessor("schema")
+    json_accessor("authenticatorGetInfo", Coercer::AuthenticatorGetInfo)
 
     # Lazy load certificates for compatibility ActiveSupport::Cache. Can be removed once we require a version of
     # OpenSSL which includes https://github.com/ruby/openssl/pull/281

data/lib/fido_metadata/store.rb

@@ -6,17 +6,19 @@ require "fido_metadata/statement"
 
 module FidoMetadata
   class Store
-    METADATA_ENDPOINT = URI("https://mds2.fidoalliance.org/")
+    METADATA_ENDPOINT = URI("https://mds.fidoalliance.org/")
+    TOC_CACHE_KEY = "metadata_toc"
+    STATEMENT_CACHE_KEY = "statement_%s"
 
     def table_of_contents
       @table_of_contents ||= begin
-        key = "metadata_toc"
+        key = TOC_CACHE_KEY
         toc = cache_backend.read(key)
         return toc if toc
 
         json = client.download_toc(METADATA_ENDPOINT)
         toc = FidoMetadata::TableOfContents.from_json(json)
-        cache_backend.write(key, toc)
+        cache_backend.write(key, toc, expires_in: toc.expires_in, race_condition_ttl: race_condition_ttl)
         toc
       end
     end
@@ -38,7 +40,7 @@ module FidoMetadata
     def fetch_statement(aaguid: nil, attestation_certificate_key_id: nil)
       verify_arguments(aaguid: aaguid, attestation_certificate_key_id: attestation_certificate_key_id)
 
-      key = "statement_#{aaguid || attestation_certificate_key_id}"
+      key = STATEMENT_CACHE_KEY % (aaguid || attestation_certificate_key_id)
       statement = cache_backend.read(key)
       return statement if statement
 
@@ -49,9 +51,13 @@ module FidoMetadata
               end
       return unless entry
 
-      json = client.download_entry(entry.url, expected_hash: entry.hash)
-      statement = FidoMetadata::Statement.from_json(json)
-      cache_backend.write(key, statement)
+      statement = entry.metadata_statement
+      cache_backend.write(
+        key,
+        statement,
+        expires_in: table_of_contents.expires_in,
+        race_condition_ttl: race_condition_ttl
+      )
       statement
     end
 
@@ -71,12 +77,12 @@ module FidoMetadata
       FidoMetadata.configuration.cache_backend || raise("no cache_backend configured")
     end
 
-    def metadata_token
-      FidoMetadata.configuration.metadata_token || raise("no metadata_token configured")
+    def race_condition_ttl
+      FidoMetadata.configuration.race_condition_ttl
     end
 
     def client
-      @client ||= FidoMetadata::Client.new(metadata_token)
+      @client ||= FidoMetadata::Client.new
     end
   end
 end

data/lib/fido_metadata/table_of_contents.rb

@@ -13,5 +13,9 @@ module FidoMetadata
     json_accessor("nextUpdate", Coercer::Date)
     json_accessor("entries", Coercer::Objects.new(Entry))
     json_accessor("no")
+
+    def expires_in
+      next_update.to_time.to_i - Time.now.to_i
+    end
   end
 end

data/lib/fido_metadata/verification_method_descriptor.rb

@@ -2,7 +2,6 @@
 
 require "fido_metadata/attributes"
 require "fido_metadata/biometric_accuracy_descriptor"
-require "fido_metadata/constants"
 require "fido_metadata/code_accuracy_descriptor"
 require "fido_metadata/pattern_accuracy_descriptor"
 require "fido_metadata/coercer/magic_number"
@@ -12,7 +11,7 @@ module FidoMetadata
   class VerificationMethodDescriptor
     extend Attributes
 
-    json_accessor("userVerification", Coercer::MagicNumber.new(Constants::USER_VERIFICATION_METHODS))
+    json_accessor("userVerificationMethod")
     json_accessor("caDesc")
     json_accessor("baDesc")
     json_accessor("paDesc")

data/lib/fido_metadata/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module FidoMetadata
-  VERSION = "0.3.0"
+  VERSION = "0.5.0"
 end

data/lib/fido_metadata.rb

@@ -5,7 +5,11 @@ require "fido_metadata/version"
 
 module FidoMetadata
   def self.configuration
-    @configuration ||= Configuration.new
+    @configuration ||= begin
+      c = Configuration.new
+      c.race_condition_ttl = 1
+      c
+    end
   end
 
   def self.configure
@@ -13,7 +17,7 @@ module FidoMetadata
   end
 
   class Configuration
-    attr_accessor :metadata_token
     attr_accessor :cache_backend
+    attr_accessor :race_condition_ttl
   end
 end

metadata

@@ -1,71 +1,63 @@
 --- !ruby/object:Gem::Specification
 name: fido_metadata
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Bart de Water
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-11-24 00:00:00.000000000 Z
+date: 2025-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: base64
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 0.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.17'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
-  name: pry-byebug
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -80,20 +72,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.8'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.75.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.75.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -110,14 +88,18 @@ dependencies:
         version: '3.6'
 description: Client for looking up metadata about FIDO authenticators, for use by
   WebAuthn relying parties
-email: 
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
+- ".github/workflows/ci.yml"
+- ".github/workflows/lint.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
+- ".ruby-version"
+- Appraisals
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -130,22 +112,26 @@ files:
 - bin/rubocop
 - bin/setup
 - fido_metadata.gemspec
+- gemfiles/jwt_2.gemfile
+- gemfiles/jwt_3.gemfile
 - lib/Root.cer
 - lib/fido_metadata.rb
 - lib/fido_metadata/attributes.rb
+- lib/fido_metadata/authenticator_get_info.rb
 - lib/fido_metadata/biometric_accuracy_descriptor.rb
 - lib/fido_metadata/biometric_status_report.rb
 - lib/fido_metadata/client.rb
 - lib/fido_metadata/code_accuracy_descriptor.rb
 - lib/fido_metadata/coercer/assumed_value.rb
+- lib/fido_metadata/coercer/authenticator_get_info.rb
 - lib/fido_metadata/coercer/bit_field.rb
 - lib/fido_metadata/coercer/certificates.rb
 - lib/fido_metadata/coercer/date.rb
 - lib/fido_metadata/coercer/escaped_uri.rb
 - lib/fido_metadata/coercer/magic_number.rb
 - lib/fido_metadata/coercer/objects.rb
+- lib/fido_metadata/coercer/statement.rb
 - lib/fido_metadata/coercer/user_verification_details.rb
-- lib/fido_metadata/constants.rb
 - lib/fido_metadata/entry.rb
 - lib/fido_metadata/pattern_accuracy_descriptor.rb
 - lib/fido_metadata/refinement/fixed_length_secure_compare.rb
@@ -164,7 +150,7 @@ metadata:
   homepage_uri: https://github.com/bdewater/fido_metadata
   source_code_uri: https://github.com/bdewater/fido_metadata
   changelog_uri: https://github.com/bdewater/fido_metadata/blob/master/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -179,8 +165,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.2.1
+signing_key:
 specification_version: 4
 summary: FIDO Alliance Metadata Service client
 test_files: []

data/.travis.yml

@@ -1,7 +0,0 @@
----
-sudo: false
-language: ruby
-cache: bundler
-rvm:
-  - 2.6.5
-before_install: gem install bundler -v 1.17.3

data/lib/fido_metadata/constants.rb

@@ -1,91 +0,0 @@
-# frozen_string_literal: true
-
-module FidoMetadata
-  module Constants
-    # https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-registry-v2.0-rd-20180702.html
-
-    ATTACHMENT_HINTS = {
-      0x0001 => "INTERNAL",
-      0x0002 => "EXTERNAL",
-      0x0004 => "WIRED",
-      0x0008 => "WIRELESS",
-      0x0010 => "NFC",
-      0x0020 => "BLUETOOTH",
-      0x0040 => "NETWORK",
-      0x0080 => "READY",
-      0x0100 => "WIFI_DIRECT",
-    }.freeze
-
-    ATTESTATION_TYPES = {
-      0x3E07 => "BASIC_FULL", # 'Basic' in WebAuthn
-      0x3E08 => "BASIC_SURROGATE", # 'Self' in WebAuthn
-      0x3E09 => "ECDAA",
-      0x3E0A => "ATTCA",
-    }.freeze
-
-    AUTHENTICATION_ALGORITHMS = {
-      0x0001 => "SECP256R1_ECDSA_SHA256_RAW",
-      0x0002 => "SECP256R1_ECDSA_SHA256_DER",
-      0x0003 => "RSASSA_PSS_SHA256_RAW",
-      0x0004 => "RSASSA_PSS_SHA256_DER",
-      0x0005 => "SECP256K1_ECDSA_SHA256_RAW",
-      0x0006 => "SECP256K1_ECDSA_SHA256_DER",
-      0x0007 => "SM2_SM3_RAW",
-      0x0008 => "RSA_EMSA_PKCS1_SHA256_RAW",
-      0x0009 => "RSA_EMSA_PKCS1_SHA256_DER",
-      0x000A => "RSASSA_PSS_SHA384_RAW",
-      0x000B => "RSASSA_PSS_SHA512_RAW",
-      0x000C => "RSASSA_PKCSV15_SHA256_RAW",
-      0x000D => "RSASSA_PKCSV15_SHA384_RAW",
-      0x000E => "RSASSA_PKCSV15_SHA512_RAW",
-      0x000F => "RSASSA_PKCSV15_SHA1_RAW",
-      0x0010 => "SECP384R1_ECDSA_SHA384_RAW",
-      0x0011 => "SECP521R1_ECDSA_SHA512_RAW",
-      0x0012 => "ED25519_EDDSA_SHA256_RAW",
-    }.freeze
-
-    KEY_PROTECTION_TYPES = {
-      0x0001 => "SOFTWARE",
-      0x0002 => "HARDWARE",
-      0x0004 => "TEE",
-      0x0008 => "SECURE_ELEMENT",
-      0x0010 => "REMOTE_HANDLE",
-    }.freeze
-
-    MATCHER_PROTECTION_TYPES = {
-      0x0001 => "SOFTWARE",
-      0x0002 => "TEE",
-      0x0004 => "ON_CHIP",
-    }.freeze
-
-    PUBLIC_KEY_FORMATS = {
-      0x0100 => "ECC_X962_RAW",
-      0x0101 => "ECC_X962_DER",
-      0x0102 => "RSA_2048_RAW",
-      0x0103 => "RSA_2048_DER",
-      0x0104 => "COSE",
-    }.freeze
-
-    TRANSACTION_CONFIRMATION_DISPLAY_TYPES = {
-      0x0001 => "ANY",
-      0x0002 => "PRIVILEGED_SOFTWARE",
-      0x0004 => "TEE",
-      0x0008 => "HARDWARE",
-      0x0010 => "REMOTE",
-    }.freeze
-
-    USER_VERIFICATION_METHODS = {
-      0x00000001 => "PRESENCE",
-      0x00000002 => "FINGERPRINT",
-      0x00000004 => "PASSCODE",
-      0x00000008 => "VOICEPRINT",
-      0x00000010 => "FACEPRINT",
-      0x00000020 => "LOCATION",
-      0x00000040 => "EYEPRINT",
-      0x00000080 => "PATTERN",
-      0x00000100 => "HANDPRINT",
-      0x00000200 => "NONE",
-      0x00000400 => "ALL",
-    }.freeze
-  end
-end