safety_net_attestation 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c755feae396958cb6524bbfa08481ee56eeb51c882a517f5c460996d49b5623
-  data.tar.gz: 61185703482ff164ec66d09717b842e68284f7593f65b6130e11383b79134950
+  metadata.gz: 6ccbadd15213737c97c7380d54fbf0b742f33aec05897ae6e7c2f51fe114f487
+  data.tar.gz: e0fe5abd1f16f7b084b53431108defbc1d534d8061ec7d0363674b0ad207fd08
 SHA512:
-  metadata.gz: 5244cb19acd724bdd9f769ba608a7554b3bdef8df761d8d56715bb1fc8556510c39d465a895d54a0fae5603e2ca20f26e454ac194555a893c021ede762e49f63
-  data.tar.gz: afd1d3e03b7faedce4f68b9450e182fc4beb54ca7737773b313c6146b55d401387e7d8064e838fe657b30995b3e0c586b7681ecb96f55c5f1ee7c858ffa6b2fb
+  metadata.gz: d2f0413cb1b611f2bb0319da23002edb5f695119badb401fdef6af4e225e9a5cd778af31e0cf4af4ab228fca8c322763eb806d35ef21fa29cd7080edddbc318c
+  data.tar.gz: 6327628183000d2110361284af325cc210f7d45da9af7da755cde2b108e9ac4858e40b6028b71f46c864be58b3bb72736dab8a5cf0bdc1f1a6235745f44b187b

data/.travis.yml

@@ -6,6 +6,8 @@ rvm:
   - 2.5.7
   - 2.4.9
   - 2.3.8
+before_install:
+  - gem install bundler
 script:
   - bin/rspec
 jobs:

data/CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.0] - 2019-12-29
+### Added
+- `Statement#certificates` exposes the certificate chain used during verification
+- `Statement#verify` takes an optional `time` argument, defaulting to the current time. This can be used for testing
+  captured statements from real devices without needing stubbing.
+
 ## [0.2.0] - 2019-12-28
 ### Fixed
 - Fixed loading bundled root certificates
@@ -14,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Extracted from [webauthn-ruby](https://github.com/cedarcode/webauthn-ruby) after discussion with the maintainers. Thanks for the feedback @grzuy and @brauliomartinezlm!
 
-[Unreleased]: https://github.com/bdewater/fido_metadata/compare/v0.1.0...HEAD
-[0.2.0]: https://github.com/bdewater/fido_metadata/compare/v0.1.0...v0.2.0
-[0.1.0]: https://github.com/bdewater/fido_metadata/releases/tag/v0.1.0
+[Unreleased]: https://github.com/bdewater/safety_net_attestation/compare/v0.1.0...HEAD
+[0.3.0]: https://github.com/bdewater/safety_net_attestation/compare/v0.2.0...v0.3.0
+[0.2.0]: https://github.com/bdewater/safety_net_attestation/compare/v0.1.0...v0.2.0
+[0.1.0]: https://github.com/bdewater/safety_net_attestation/releases/tag/v0.1.0

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    safety_net_attestation (0.2.0)
+    safety_net_attestation (0.3.0)
       jwt (~> 2.0)
 
 GEM

data/lib/safety_net_attestation/statement.rb

@@ -24,21 +24,23 @@ module SafetyNetAttestation
       @jws_result = jws_result
     end
 
-    def verify(nonce, timestamp_leeway: 60, trusted_certificates: GOOGLE_ROOT_CERTIFICATES)
+    def verify(nonce, timestamp_leeway: 60, trusted_certificates: GOOGLE_ROOT_CERTIFICATES, time: Time.now)
       certificates = nil
       response, _ = JWT.decode(@jws_result, nil, true, algorithms: ["ES256", "RS256"]) do |headers|
-        certificates = headers["x5c"].map do |encoded|
+        x5c_certificates = headers["x5c"].map do |encoded|
           OpenSSL::X509::Certificate.new(Base64.strict_decode64(encoded))
         end
 
-        X5cKeyFinder.from(certificates, trusted_certificates)
+        certificates = X5cKeyFinder.from(x5c_certificates, trusted_certificates, time: time)
+        certificates.first.public_key
       end
 
       verify_certificate_subject(certificates.first)
       verify_nonce(response, nonce)
-      verify_timestamp(response, timestamp_leeway)
+      verify_timestamp(response, timestamp_leeway, time)
 
       @json = response
+      @certificates = certificates
       self
     end
 
@@ -78,6 +80,12 @@ module SafetyNetAttestation
       json["advice"]&.split(",")
     end
 
+    def certificates
+      raise NotVerifiedError unless json
+
+      @certificates
+    end
+
     private
 
     def verify_certificate_subject(certificate)
@@ -94,8 +102,8 @@ module SafetyNetAttestation
       end
     end
 
-    def verify_timestamp(response, leeway)
-      now = Time.now.to_f
+    def verify_timestamp(response, leeway, time)
+      now = time.to_f
       response_time = response["timestampMs"] / 1000.0
       unless response_time.between?(now - leeway, now + leeway)
         raise TimestampError, "not within #{leeway}s leeway"

data/lib/safety_net_attestation/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SafetyNetAttestation
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

data/lib/safety_net_attestation/x5c_key_finder.rb

@@ -7,15 +7,16 @@ module SafetyNetAttestation
   class SignatureError < Error; end
 
   class X5cKeyFinder
-    def self.from(x5c_certificates, trusted_certificates)
+    def self.from(x5c_certificates, trusted_certificates, time: Time.now)
       store = OpenSSL::X509::Store.new
       trusted_certificates.each { |certificate| store.add_cert(certificate) }
 
       signing_certificate, *certificate_chain = x5c_certificates
       store_context = OpenSSL::X509::StoreContext.new(store, signing_certificate, certificate_chain)
+      store_context.time = time
 
       if store_context.verify
-        signing_certificate.public_key
+        store_context.chain
       else
         error = "Certificate verification failed: #{store_context.error_string}."
         error = "#{error} Certificate subject: #{store_context.current_cert.subject}." if store_context.current_cert

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safety_net_attestation
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Bart de Water