fido_metadata 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7feb05dd5eac0b351f74073c80c16f1c7c7f6701a88be33eac7d6877af2a0478
-  data.tar.gz: bfd36220edd79a54cccea8a1b4ebbfa303a067d86e75cc6c3942a64b090009f4
+  metadata.gz: 2881c4ebdb1827ac7d037d7e4460bd8708451c7a1c5e0501d5144a6119b64a1e
+  data.tar.gz: b01d388d2710097a8e84319963c528c4933ce0ceb4a2fee2ee68ee63d0d6b38c
 SHA512:
-  metadata.gz: 7774a0c247e959267e946d09aeda636690ddf446f2120335133b76ad4c77bed62718ce83182f5cbf161577b2596fda2c31bdb34ca5d5b40aa888c2af61eae3f1
-  data.tar.gz: 365630d2b485aebbb372e47b4d9bcbc8c804e275ecf436af56b3b91de1876bfa5085a7c803881183c1f0704a7c8b1d70e0f0330f45a6d052699f7144533873cc
+  metadata.gz: 01e1e3c685c0b88708067a451f5236607ee6bdc0a3d7f5b20bb5ff50bc053a24e49da71247d72e722cc46b302cf996f576f77acf71a47ad8d131af8f71a4a605
+  data.tar.gz: e28acf6f1afacf9f39a8309a9b0eff3f4222049a0c6ea6fb3e56b367e403753d9ae068fe867862dd2348d43d382d54495b5d523b2929a9a3377233d06562573e

data/CHANGELOG.md

@@ -0,0 +1,24 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.2.0] - 2019-11-16
+### Added
+- This CHANGELOG.md file.
+- Add helper method to build a `OpenSSL::X509::Store` from a metadata statement root certificates
+
+### Changed
+- JWT verification to match implementation [submitted upstream](https://github.com/jwt/ruby-jwt/pull/338) to `ruby-jwt`
+
+### Removed
+- Drop `securecompare` gem for OpenSSL gem 2.2's implementation, with a Ruby fallback for older versions
+
+## [0.1.0] - 2019-11-13
+### Added
+- Extracted from [webauthn-ruby PR 208](https://github.com/cedarcode/webauthn-ruby/pull/208) after discussion with the maintainers. Thanks for the feedback @grzuy and @brauliomartinezlm!
+
+[0.1.0]: https://github.com/bdewater/fido_metadata/releases/tag/v0.1.0

data/Gemfile.lock

@@ -1,9 +1,8 @@
 PATH
   remote: .
   specs:
-    fido_metadata (0.1.0)
+    fido_metadata (0.2.0)
       jwt (~> 2.0)
-      securecompare (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
@@ -54,7 +53,6 @@ GEM
       unicode-display_width (>= 1.4.0, < 1.7)
     ruby-progressbar (1.10.1)
     safe_yaml (1.0.5)
-    securecompare (1.0.0)
     unicode-display_width (1.6.0)
     webmock (3.7.6)
       addressable (>= 2.3.6)

data/README.md

@@ -22,10 +22,12 @@ Or install it yourself as:
 
 ## Usage
 
-First, you need to [register for an access token](https://mds2.fidoalliance.org/tokens/). You can configure the gem as follows:
+First, you need to [register for an access token](https://mds2.fidoalliance.org/tokens/) and configure a cache backend.
+The cache interface is compatible with Rails' [`ActiveSupport::Cache::Store`](https://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html), which means you can configure the gem to use your existing cache or a separate one:
 ```ruby
 FidoMetadata.configure do |config|
   config.metadata_token = "your token"
+  config.cache_backend = Rails.cache # or something like `ActiveSupport::Cache::FileStore.new(...)`
 end
 ```
 
@@ -33,9 +35,8 @@ Then you can query the table of contents (TOC):
 ```ruby
 store = FidoMetadata::Store.new
 toc = store.table_of_contents
-# `toc.entries` returns an array of FidoMetadata::Entry objects, see
+# returns a FidoMetadata::TableOfContents object. `toc.entries` returns an array of FidoMetadata::Entry objects, see
 # https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-metadata-service-v2.0-ps-20170927.html#metadata-toc-payload-entry-dictionary
-  
 ```
 
 Retrieve metadata statement via the authenticator `aaguid` (FIDO2) or `attestation_certificate_key_id` (U2F):
@@ -45,23 +46,16 @@ store.fetch_statement(aaguid: "0132d110-bf4e-4208-a403-ab4f5f12efe5")
 # https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-metadata-statement-v2.0-ps-20170927.html#types
 ```
 
-### Integrating the cache backend
-    
-The cache interface is compatible with Rails' [`ActiveSupport::Cache::Store`](https://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html), which means you can configure the gem to use your existing cache or a separate one: 
+### Custom cache backend
 
-```ruby
-FidoMetadata.configure do |config|
-  config.cache_backend = Rails.cache # or something like `ActiveSupport::Cache::FileStore.new(...)`
-end
-``` 
-
-It is also possible to implement your own backend for using any datastore you'd like, such as your database. The interface you need to implement is as follows:
+It is possible to implement your own backend for using any datastore you'd like, such as your database. The interface you need to implement is as follows:
 
 ```ruby
 class CustomMetadataCacheStore
   def read(name, _options = nil)
     # deserialize and return `value`
   end
+
   def write(name, value, _options = nil)
     # serialize and store `value` so it can be looked up using `name`
   end

data/bin/console

@@ -12,10 +12,10 @@ FidoMetadata.configure do |config|
 end
 
 unless FidoMetadata.configuration.metadata_token
-  puts <<~EOS
+  puts <<~TOKEN_HINT
     No MDS token configured via the MDS_TOKEN environment variable.
     Set one for this session: FidoMetadata.configuration.metadata_token = 'your token'
-  EOS
+  TOKEN_HINT
 end
 puts "Reset the cache via: FidoMetadata.configuration.cache_backend.clear"
 

data/fido_metadata.gemspec

@@ -32,7 +32,6 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ">= 2.3"
 
   spec.add_dependency "jwt", "~> 2.0"
-  spec.add_dependency "securecompare", "~> 1.0"
   spec.add_development_dependency "bundler", "~> 1.17"
   spec.add_development_dependency "pry-byebug"
   spec.add_development_dependency "rake", "~> 10.0"

data/lib/fido_metadata/client.rb

@@ -3,7 +3,8 @@
 require "jwt"
 require "net/http"
 require "openssl"
-require "securecompare"
+require "fido_metadata/refinement/fixed_length_secure_compare"
+require "fido_metadata/x5c_key_finder"
 
 module FidoMetadata
   class Client
@@ -11,34 +12,41 @@ module FidoMetadata
     class InvalidHashError < DataIntegrityError; end
     class UnverifiedSigningKeyError < DataIntegrityError; end
 
+    using Refinement::FixedLengthSecureCompare
+
     DEFAULT_HEADERS = {
       "Content-Type" => "application/json",
       "User-Agent" => "fido_metadata/#{FidoMetadata::VERSION} (Ruby)"
     }.freeze
-
-    def self.fido_trust_store
-      store = OpenSSL::X509::Store.new
-      store.purpose = OpenSSL::X509::PURPOSE_ANY
-      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
-      file = File.read(File.join(__dir__, "..", "Root.cer"))
-      store.add_cert(OpenSSL::X509::Certificate.new(file))
-    end
+    FIDO_ROOT_CERTIFICATES = [OpenSSL::X509::Certificate.new(
+      File.read(File.join(__dir__, "..", "Root.cer"))
+    )].freeze
 
     def initialize(token)
       @token = token
     end
 
-    def download_toc(uri, trust_store: self.class.fido_trust_store)
+    def download_toc(uri, trusted_certs: FIDO_ROOT_CERTIFICATES)
       response = get_with_token(uri)
       payload, _ = JWT.decode(response, nil, true, algorithms: ["ES256"]) do |headers|
-        verified_public_key(headers["x5c"], trust_store)
+        jwt_certificates = headers["x5c"].map do |encoded|
+          OpenSSL::X509::Certificate.new(Base64.strict_decode64(encoded))
+        end
+        crls = download_crls(jwt_certificates)
+
+        begin
+          X5cKeyFinder.from(jwt_certificates, trusted_certs, crls)
+        rescue JWT::VerificationError => e
+          raise(UnverifiedSigningKeyError, e.message)
+        end
       end
       payload
     end
 
     def download_entry(uri, expected_hash:)
       response = get_with_token(uri)
-      unless SecureCompare.compare(OpenSSL::Digest::SHA256.digest(response), Base64.urlsafe_decode64(expected_hash))
+      decoded_hash = Base64.urlsafe_decode64(expected_hash)
+      unless OpenSSL.fixed_length_secure_compare(OpenSSL::Digest::SHA256.digest(response), decoded_hash)
         raise(InvalidHashError)
       end
 
@@ -74,25 +82,6 @@ module FidoMetadata
       end
     end
 
-    def verified_public_key(x5c, trust_store)
-      certificates = x5c.map do |encoded|
-        OpenSSL::X509::Certificate.new(Base64.strict_decode64(encoded))
-      end
-      leaf_certificate = certificates[0]
-      chain_certificates = certificates[1..-1]
-
-      crls = download_crls(certificates)
-      crls.each do |crl|
-        trust_store.add_crl(crl)
-      end
-
-      if trust_store.verify(leaf_certificate, chain_certificates)
-        leaf_certificate.public_key
-      else
-        raise(UnverifiedSigningKeyError, "OpenSSL error #{trust_store.error} (#{trust_store.error_string})")
-      end
-    end
-
     def download_crls(certificates)
       uris = extract_crl_distribution_points(certificates)
 

data/lib/fido_metadata/refinement/fixed_length_secure_compare.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module FidoMetadata
+  module Refinement
+    module FixedLengthSecureCompare
+      unless OpenSSL.singleton_class.method_defined?(:fixed_length_secure_compare)
+        refine OpenSSL.singleton_class do
+          def fixed_length_secure_compare(a, b) # rubocop:disable Naming/UncommunicativeMethodParamName
+            raise ArgumentError, "inputs must be of equal length" unless a.bytesize == b.bytesize
+
+            # borrowed from Rack::Utils
+            l = a.unpack("C*")
+            r, i = 0, -1
+            b.each_byte { |v| r |= v ^ l[i += 1] }
+            r == 0
+          end
+        end
+      end
+    end
+  end
+end

data/lib/fido_metadata/statement.rb

@@ -53,5 +53,13 @@ module FidoMetadata
     def attestation_root_certificates
       Coercer::Certificates.coerce(@attestation_root_certificates)
     end
+
+    def trust_store
+      trust_store = OpenSSL::X509::Store.new
+      attestation_root_certificates.each do |certificate|
+        trust_store.add_cert(certificate)
+      end
+      trust_store
+    end
   end
 end

data/lib/fido_metadata/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module FidoMetadata
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/fido_metadata/x5c_key_finder.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "base64"
+require "jwt/error"
+
+module FidoMetadata
+  class VerificationError < StandardError; end
+
+  # If the x5c header certificate chain can be validated by trusted root
+  # certificates, and none of the certificates are revoked, returns the public
+  # key from the first certificate.
+  # See https://tools.ietf.org/html/rfc7515#section-4.1.6
+  class X5cKeyFinder
+    def self.from(x5c_header_or_certificates, trusted_certificates, crls)
+      store = build_store(trusted_certificates, crls)
+      signing_certificate, *certificate_chain = parse_certificates(x5c_header_or_certificates)
+      store_context = OpenSSL::X509::StoreContext.new(store, signing_certificate, certificate_chain)
+
+      if store_context.verify
+        signing_certificate.public_key
+      else
+        error = "Certificate verification failed: #{store_context.error_string}."
+        error = "#{error} Certificate subject: #{store_context.current_cert.subject}." if store_context.current_cert
+
+        raise JWT::VerificationError, error
+      end
+    end
+
+    def self.parse_certificates(x5c_header_or_certificates)
+      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+        x5c_header_or_certificates
+      else
+        x5c_header_or_certificates.map do |encoded|
+          OpenSSL::X509::Certificate.new(::Base64.strict_decode64(encoded))
+        end
+      end
+    end
+    private_class_method :parse_certificates
+
+    def self.build_store(trusted_certificates, crls)
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      trusted_certificates.each { |certificate| store.add_cert(certificate) }
+      crls && crls.each { |crl| store.add_crl(crl) }
+      store
+    end
+    private_class_method :build_store
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fido_metadata
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Bart de Water
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-11-13 00:00:00.000000000 Z
+date: 2019-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -24,20 +24,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: securecompare
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -132,6 +118,7 @@ files:
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
@@ -161,12 +148,14 @@ files:
 - lib/fido_metadata/constants.rb
 - lib/fido_metadata/entry.rb
 - lib/fido_metadata/pattern_accuracy_descriptor.rb
+- lib/fido_metadata/refinement/fixed_length_secure_compare.rb
 - lib/fido_metadata/statement.rb
 - lib/fido_metadata/status_report.rb
 - lib/fido_metadata/store.rb
 - lib/fido_metadata/table_of_contents.rb
 - lib/fido_metadata/verification_method_descriptor.rb
 - lib/fido_metadata/version.rb
+- lib/fido_metadata/x5c_key_finder.rb
 homepage: https://github.com/bdewater/fido_metadata
 licenses:
 - MIT