u2f 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 60022b213b355bdb9a7c8e30d115cd460990d5bb
-  data.tar.gz: c59e0bce1c57789b4fe71f12bfd74576382e78ce
+  metadata.gz: 4181871c3a8f8591e810fca9f378c917d3c1817f
+  data.tar.gz: 537078ef16ddaf5392b56e5e7c072f6d908a8e71
 SHA512:
-  metadata.gz: 02a8053ff4803e1d9f8ebb0c4fd7b9ea36beebcad129d6b4842ca7b4db13a1f4b5611418b41c4571351f470c5641fc1a0200cd40c0d1cd2d9f10c168a50180c4
-  data.tar.gz: 537e239d9577a020d3a796dbf9840aa243b0432274fe29ed40e02b2ece1c75384dadd18ee26417d7153126e40dc903c9f5d7b6e7844696fc0ba40a95a60fc210
+  metadata.gz: 1f7a5df9ff90a60b12d979e3e4b23f708dc846b8962083fcc12528c362223f7d4512b972802b79b065d90f1a6b3d120ed7a2c1a7cb4878e43a75d3b6bd017b2e
+  data.tar.gz: 9bceaa3d4c0ed8529a69d903731fbbcd0fe616d4d976af5c321c56b8b73337437e6c017bc82dfde83f2c4bcb55035ef44be42918f6028365da808b786e97843a

data/README.md

@@ -19,6 +19,8 @@ U2F is an open 2-factor authentication standard that enables keychain devices, m
 
 Check out the [example](https://github.com/castle/ruby-u2f/tree/master/example) directory for a fully working Padrino server demonstrating U2F.
 
+There is another demo application available using the [Cuba](https://github.com/soveran/cuba) framework: [cuba-u2f-demo](https://github.com/badboy/cuba-u2f-demo) and a [blog post explaining the protocol and the implementation](http://fnordig.de/2015/03/06/u2f-demo-application/).
+
 ## Installation
 
 Add the `u2f` gem to your `Gemfile`
@@ -84,8 +86,8 @@ Render a form that will be automatically posted when the U2F device reponds.
 
 ```javascript
 // render requests from server into Javascript format
-var registerRequests = <%= @registration_requests.to_json.html_safe %>;
-var signRequests = <%= @sign_requests.to_json.html_safe %>;
+var registerRequests = <%= @registration_requests.as_json.to_json.html_safe %>;
+var signRequests = <%= @sign_requests.as_json.to_json.html_safe %>;
 
 u2f.register(registerRequests, signRequests, function(registerResponse) {
   var form, reg;
@@ -160,7 +162,7 @@ Render a form that will be automatically posted when the U2F device reponds.
 
 ```javascript
 // render requests from server into Javascript format
-var signRequests = <%= @sign_requests.to_json.html_safe %>;
+var signRequests = <%= @sign_requests.as_json.to_json.html_safe %>;
 
 u2f.sign(signRequests, function(signResponse) {
   var form, reg;

data/lib/u2f.rb

@@ -11,7 +11,9 @@ require 'u2f/register_response'
 require 'u2f/registration'
 require 'u2f/sign_request'
 require 'u2f/sign_response'
+require 'u2f/fake_u2f'
 require 'u2f/u2f'
 
 module U2F
+  DIGEST = OpenSSL::Digest::SHA256
 end

data/lib/u2f/client_data.rb

@@ -3,15 +3,18 @@ module U2F
   # A representation of ClientData, chapter 7
   # http://fidoalliance.org/specs/fido-u2f-raw-message-formats-v1.0-rd-20141008.pdf
   class ClientData
+    REGISTRATION_TYP   = "navigator.id.finishEnrollment".freeze
+    AUTHENTICATION_TYP = "navigator.id.getAssertion".freeze
+
     attr_accessor :typ, :challenge, :origin
     alias_method :type, :typ
 
     def registration?
-      typ == 'navigator.id.finishEnrollment'
+      typ == REGISTRATION_TYP
     end
 
     def authentication?
-      typ == 'navigator.id.getAssertion'
+      typ == AUTHENTICATION_TYP
     end
 
     def self.load_from_json(json)

data/lib/u2f/fake_u2f.rb

@@ -0,0 +1,194 @@
+class U2F::FakeU2F
+  CURVE_NAME   = "prime256v1".freeze
+
+  attr_accessor :app_id, :counter, :key_handle_raw, :cert_subject
+
+  # Initialize a new FakeU2F device for use in tests.
+  #
+  # app_id  - The appId/origin this is being tested against.
+  # options - A Hash of optional parameters (optional).
+  #           :counter      - The initial counter for this device.
+  #           :key_handle   - The raw key-handle this device should use.
+  #           :cert_subject - The subject field for the certificate generated
+  #                           for this device.
+  #
+  # Returns nothing.
+  def initialize(app_id, options = {})
+    @app_id = app_id
+    @counter = options.fetch(:counter, 0)
+    @key_handle_raw = options.fetch(:key_handle, SecureRandom.random_bytes(32))
+    @cert_subject = options.fetch(:cert_subject, "/CN=U2FTest")
+  end
+
+  # A registerResponse hash as returned by the u2f.register JavaScript API.
+  #
+  # challenge - The challenge to sign.
+  # error     - Boolean. Whether to return an error response (optional).
+  #
+  # Returns a JSON encoded Hash String.
+  def register_response(challenge, error = false)
+    if error
+      JSON.dump(:errorCode => 4)
+    else
+      client_data_json = client_data(U2F::ClientData::REGISTRATION_TYP, challenge)
+      JSON.dump(
+        :registrationData => reg_registration_data(client_data_json),
+        :clientData => U2F.urlsafe_encode64(client_data_json)
+      )
+    end
+  end
+
+  # A SignResponse hash as returned by the u2f.sign JavaScript API.
+  #
+  # challenge - The challenge to sign.
+  #
+  # Returns a JSON encoded Hash String.
+  def sign_response(challenge)
+    client_data_json = client_data(U2F::ClientData::AUTHENTICATION_TYP, challenge)
+    JSON.dump(
+      :clientData => U2F.urlsafe_encode64(client_data_json),
+      :keyHandle => U2F.urlsafe_encode64(key_handle_raw),
+      :signatureData => auth_signature_data(client_data_json)
+    )
+  end
+
+  # The appId specific public key as returned in the registrationData field of
+  # a RegisterResponse Hash.
+  #
+  # Returns a binary formatted EC public key String.
+  def origin_public_key_raw
+    [origin_key.public_key.to_bn.to_s(16)].pack('H*')
+  end
+
+  # The raw device attestation certificate as returned in the registrationData
+  # field of a RegisterResponse Hash.
+  #
+  # Returns a DER formatted certificate String.
+  def cert_raw
+    cert.to_der
+  end
+
+  private
+
+  # The registrationData field returns in a RegisterResponse Hash.
+  #
+  # client_data_json - The JSON encoded clientData String.
+  #
+  # Returns a url-safe base64 encoded binary String.
+  def reg_registration_data(client_data_json)
+    U2F.urlsafe_encode64(
+      [
+        5,
+        origin_public_key_raw,
+        key_handle_raw.bytesize,
+        key_handle_raw,
+        cert_raw,
+        reg_signature(client_data_json)
+      ].pack("CA65CA#{key_handle_raw.bytesize}A#{cert_raw.bytesize}A*")
+    )
+  end
+
+  # The signature field of a registrationData field of a RegisterResponse.
+  #
+  # client_data_json - The JSON encoded clientData String.
+  #
+  # Returns an ECDSA signature String.
+  def reg_signature(client_data_json)
+    payload = [
+      "\x00",
+      U2F::DIGEST.digest(app_id),
+      U2F::DIGEST.digest(client_data_json),
+      key_handle_raw,
+      origin_public_key_raw
+    ].join
+    cert_key.sign(U2F::DIGEST.new, payload)
+  end
+
+  # The signatureData field of a SignResponse Hash.
+  #
+  # client_data_json - The JSON encoded clientData String.
+  #
+  # Returns a url-safe base64 encoded binary String.
+  def auth_signature_data(client_data_json)
+    ::U2F.urlsafe_encode64(
+      [
+        1, # User present
+        self.counter += 1,
+        auth_signature(client_data_json)
+      ].pack("CNA*")
+    )
+  end
+
+  # The signature field of a signatureData field of a SignResponse Hash.
+  #
+  # client_data_json - The JSON encoded clientData String.
+  #
+  # Returns an ECDSA signature String.
+  def auth_signature(client_data_json)
+    data = [
+      U2F::DIGEST.digest(app_id),
+      1, # User present
+      counter,
+      U2F::DIGEST.digest(client_data_json)
+    ].pack("A32CNA32")
+
+    origin_key.sign(U2F::DIGEST.new, data)
+  end
+
+  # The clientData hash as returned by registration and authentication
+  # responses.
+  #
+  # typ       - The String value for the 'typ' field.
+  # challenge - The String url-safe base64 encoded challenge parameter.
+  #
+  # Returns a JSON encoded Hash String.
+  def client_data(typ, challenge)
+    JSON.dump(
+      :challenge => challenge,
+      :origin    => app_id,
+      :typ       => typ
+    )
+  end
+
+  # The appId-specific public/private key.
+  #
+  # Returns a OpenSSL::PKey::EC instance.
+  def origin_key
+    @origin_key ||= generate_ec_key
+  end
+
+  # The self-signed device attestation certificate.
+  #
+  # Returns a OpenSSL::X509::Certificate instance.
+  def cert
+    @cert ||= OpenSSL::X509::Certificate.new.tap do |c|
+      c.subject = c.issuer = OpenSSL::X509::Name.parse(cert_subject)
+      c.not_before = Time.now
+      c.not_after = Time.now + 365 * 24 * 60 * 60
+      c.public_key = cert_key
+      c.serial = 0x1
+      c.version = 0x0
+      c.sign cert_key, U2F::DIGEST.new
+    end
+  end
+
+  # The public key used for signing the device certificate.
+  #
+  # Returns a OpenSSL::PKey::EC instance.
+  def cert_key
+    @cert_key ||= generate_ec_key
+  end
+
+  # Generate an eliptic curve public/private key.
+  #
+  # Returns a OpenSSL::PKey::EC instance.
+  def generate_ec_key
+    OpenSSL::PKey::EC.new().tap do |ec|
+      ec.group = OpenSSL::PKey::EC::Group.new(CURVE_NAME)
+      ec.generate_key
+      # https://bugs.ruby-lang.org/issues/8177
+      ec.define_singleton_method(:private?) { private_key? }
+      ec.define_singleton_method(:public?) { public_key? }
+    end
+  end
+end

data/lib/u2f/register_response.rb

@@ -89,13 +89,13 @@ module U2F
       # http://fidoalliance.org/specs/fido-u2f-raw-message-formats-v1.0-rd-20141008.pdf
       data = [
         "\x00",
-        Digest::SHA256.digest(app_id),
-        Digest::SHA256.digest(client_data_json),
+        ::U2F::DIGEST.digest(app_id),
+        ::U2F::DIGEST.digest(client_data_json),
         key_handle_raw,
         public_key_raw
       ].join
 
-      parsed_certificate.public_key.verify(OpenSSL::Digest::SHA256.new, signature, data)
+      parsed_certificate.public_key.verify(::U2F::DIGEST.new, signature, data)
     end
 
     private

data/lib/u2f/request_base.rb

@@ -2,7 +2,7 @@ module U2F
   module RequestBase
     attr_accessor :version, :challenge, :app_id
 
-    def as_json
+    def as_json(options = {})
       {
         version: version,
         challenge: challenge,

data/lib/u2f/sign_request.rb

@@ -9,7 +9,7 @@ module U2F
       @app_id = app_id
     end
 
-    def as_json
+    def as_json(options = {})
       super.merge(keyHandle: key_handle)
     end
   end

data/lib/u2f/sign_response.rb

@@ -40,13 +40,13 @@ module U2F
     # registered device
     def verify(app_id, public_key_pem)
       data = [
-        Digest::SHA256.digest(app_id),
+        ::U2F::DIGEST.digest(app_id),
         signature_data.byteslice(0, 5),
-        Digest::SHA256.digest(client_data_json)
+        ::U2F::DIGEST.digest(client_data_json)
       ].join
 
       public_key = OpenSSL::PKey.read(public_key_pem)
-      public_key.verify(OpenSSL::Digest::SHA256.new, signature, data)
+      public_key.verify(::U2F::DIGEST.new, signature, data)
     end
   end
 end

data/lib/u2f/u2f.rb

@@ -140,7 +140,7 @@ module U2F
     #   - +PublicKeyDecodeError+:: if the +key+ argument is incorrect
     #
     def self.public_key_pem(key)
-      fail PublicKeyDecodeError unless key.length == 65 || key[0] == "\x04"
+      fail PublicKeyDecodeError unless key.length == 65 && key[0] == "\x04"
       # http://tools.ietf.org/html/rfc5480
       der = OpenSSL::ASN1::Sequence([
         OpenSSL::ASN1::Sequence([

data/lib/version.rb

@@ -1,3 +1,3 @@
 module U2F
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/spec/lib/client_data_spec.rb

@@ -2,8 +2,8 @@ require 'spec_helper.rb'
 
 describe U2F::ClientData do
   let(:type) { '' }
-  let(:registration_type) { 'navigator.id.finishEnrollment' }
-  let(:authentication_type) { 'navigator.id.getAssertion' }
+  let(:registration_type) { U2F::ClientData::REGISTRATION_TYP }
+  let(:authentication_type) { U2F::ClientData::AUTHENTICATION_TYP }
 
   let(:client_data) do
     cd = U2F::ClientData.new

data/spec/lib/register_response_spec.rb

@@ -1,32 +1,18 @@
 require 'spec_helper.rb'
 
 describe U2F::RegisterResponse do
-  let(:key_handle) do
-    'CTUayZo8hCBeC-sGQJChC0wW-bBg99bmOlGCgw8XGq4dLsxO3yWh9mRYArZxocP5hBB1pEGB3bbJYiM-5acc5w'
-  end
-  let(:public_key) do
-    'BC0SaFZWC9uH7wamOwduP93kUH2I2hEvyY0Srfj4A258pZSlV0iPoFIH+bd4yhncaqdoPLdEDl5Y/yaFORPUe3c='
-  end
-  let(:certificate) do
-    'MIIC4jCBywIBATANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDExJZdWJpY28gVTJGIFRlc3QgQ0EwHhcNMTQwNTE1MTI1ODU0WhcNMTQwNjE0MTI1ODU0WjAdMRswGQYDVQQDExJZdWJpY28gVTJGIFRlc3QgRUUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATbCtv1IcdczmPcpuHoJQYNlOYnVBlPnSSvJhq+rZlEH5WjcZEKOiDnPpFeE+i+OAV61XqjfnaQj6/iipS2MOudMA0GCSqGSIb3DQEBCwUAA4ICAQCVQGtQYX2thKO064gP4zAPLaIKANklBO5y+mffWFEPC0cCnD5BKUqTrCmFiS2keoEyKFdxAe+oQogWljeR1d/gj8k8jbDNiXCC7HnTxnhzKTLlq2y9Vp/VRZHOwd2NZNzpnB9ePNKvUaWCGK/gN+cynnYFdwJ75iSgMVYb/RnFcdPwnsBzBU68hbhTnu/FvJxWo7rZJ2q7qXpA10eLVXJr4/4oSXEk9I/0IIHqOP98Ck/fAoI5gYI7ygndyqoPJ/Wkg1VsmjmbFToWY9xb+axbvPefvg+KojwxE6MySMpYh/h7oKEKamCWk19dJp5jHQmumkHlvQhH/uUJmyD9EuLmQH+6SmEzZg0Oc9uw1aKamhcNNDCFakJGnv80j1+HbDXnqE0168FBqorS2hmqeaJfNSyg/SXT950lGC36tLy7BzQ8jYG99Ok32znp0UVbIEEvLSci3JJ0ipLVg/0J+xOb4zl6a1z65nae4OTj7628/UJFmtSU0X6Np9gF1dNizxXPlH0fW1ggRCCQcb5m6ZqrdDJwUx1p7Ydm9AlPyiUwwmN5ADyxmzk/AOCoiO96UVvnvUlk2kF7JMNxIv3R0SCzP5fTl7KqGByeA3d7W375o6DWIIEsOI+dJd7pyPXdakecZQRaVubC6/ICl+G52OEkdp8jYjkDS8j3NAdJ1udNmg=='
-  end
-  let(:registration_data_json) do
-    '{ "registrationData": "BQQtEmhWVgvbh-8GpjsHbj_d5FB9iNoRL8mNEq34-ANufKWUpVdIj6BSB_m3eMoZ3GqnaDy3RA5eWP8mhTkT1Ht3QAk1GsmaPIQgXgvrBkCQoQtMFvmwYPfW5jpRgoMPFxquHS7MTt8lofZkWAK2caHD-YQQdaRBgd22yWIjPuWnHOcwggLiMIHLAgEBMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMTEll1YmljbyBVMkYgVGVzdCBDQTAeFw0xNDA1MTUxMjU4NTRaFw0xNDA2MTQxMjU4NTRaMB0xGzAZBgNVBAMTEll1YmljbyBVMkYgVGVzdCBFRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNsK2_Uhx1zOY9ym4eglBg2U5idUGU-dJK8mGr6tmUQflaNxkQo6IOc-kV4T6L44BXrVeqN-dpCPr-KKlLYw650wDQYJKoZIhvcNAQELBQADggIBAJVAa1Bhfa2Eo7TriA_jMA8togoA2SUE7nL6Z99YUQ8LRwKcPkEpSpOsKYWJLaR6gTIoV3EB76hCiBaWN5HV3-CPyTyNsM2JcILsedPGeHMpMuWrbL1Wn9VFkc7B3Y1k3OmcH1480q9RpYIYr-A35zKedgV3AnvmJKAxVhv9GcVx0_CewHMFTryFuFOe78W8nFajutknarupekDXR4tVcmvj_ihJcST0j_Qggeo4_3wKT98CgjmBgjvKCd3Kqg8n9aSDVWyaOZsVOhZj3Fv5rFu895--D4qiPDETozJIyliH-HugoQpqYJaTX10mnmMdCa6aQeW9CEf-5QmbIP0S4uZAf7pKYTNmDQ5z27DVopqaFw00MIVqQkae_zSPX4dsNeeoTTXrwUGqitLaGap5ol81LKD9JdP3nSUYLfq0vLsHNDyNgb306TfbOenRRVsgQS8tJyLcknSKktWD_Qn7E5vjOXprXPrmdp7g5OPvrbz9QkWa1JTRfo2n2AXV02LPFc-UfR9bWCBEIJBxvmbpmqt0MnBTHWnth2b0CU_KJTDCY3kAPLGbOT8A4KiI73pRW-e9SWTaQXskw3Ei_dHRILM_l9OXsqoYHJ4Dd3tbfvmjoNYggSw4j50l3unI9d1qR5xlBFpW5sLr8gKX4bnY4SR2nyNiOQNLyPc0B0nW502aMEUCIQDTGOX-i_QrffJDY8XvKbPwMuBVrOSO-ayvTnWs_WSuDQIgZ7fMAvD_Ezyy5jg6fQeuOkoJi8V2naCtzV-HTly8Nww", "clientData": "eyAiY2hhbGxlbmdlIjogInlLQTB4MDc1dGpKLUdFN2ZLVGZuelRPU2FOVU9XUXhSZDlUV3o1YUZPZzgiLCAib3JpZ2luIjogImh0dHA6XC9cL2RlbW8uZXhhbXBsZS5jb20iLCAidHlwIjogIm5hdmlnYXRvci5pZC5maW5pc2hFbnJvbGxtZW50IiB9" }'
-  end
-
-  let(:registration_data_without_padding) {
-    "{\"registrationData\":\"BQT2UXxw7PXHmN5nCj1M3Lq_sibfqQehZbuUV1Vxr1l0J1Gdcv7FEvnPofmrSN44_pz8-XAj7pOpqB79rOphJPf2QM8nt8Jtyyj9_XmZWZTQMg2UVHvrin_Jc4tMHY9QmyCNDmSU9_Bhb-Ei4u5GPgLrpF1TaEYQCqUHboqDKt4x524wggIbMIIBBaADAgECAgR1o_Z1MAsGCSqGSIb3DQEBCzAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowKjEoMCYGA1UEAwwfWXViaWNvIFUyRiBFRSBTZXJpYWwgMTk3MzY3OTczMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBmjfkNqa2mXzVh2ZxuES5coCvvENxDMDLmfd-0ACG0Fu7wR4ZTjKd9KAuidySpfona5csGmlM0Te_Zu35h_wwujEjAQMA4GCisGAQQBgsQKAQIEADALBgkqhkiG9w0BAQsDggEBAb0tuI0-CzSxBg4cAlyD6UyT4cKyJZGVhWdtPgj_mWepT3Tu9jXtdgA5F3jfZtTc2eGxuS-PPvqRAkZd40AXgM8A0YaXPwlT4s0RUTY9Y8aAQzQZeAHuZk3lKKd_LUCg5077dzdt90lC5eVTEduj6cOnHEqnOr2Cv75FuiQXX7QkGQxtoD-otgvhZ2Fjk29o7Iy9ik7ewHGXOfoVw_ruGWi0YfXBTuqEJ6H666vvMN4BZWHtzhC0k5ceQslB9Xdntky-GQgDqNkkBf32GKwAFT9JJrkO2BfsB-wfBrTiHr0AABYNTNKTceA5dtR3UVpI492VUWQbY3YmWUUfKTI7fM4wRgIhAIfEKaF0w43L3RJHXp8qeRKw8Ek0CVcZ6pvBsH3Wo3F1AiEA5w89AFOBrjoSsnuGdUgB4AGxc5bRnV-p8jGUNoVSUwI\",\"version\":\"U2F_V2\",\"challenge\":\"oqDO4u_tTvhm1LhFDVYhFwywQF0PzFsXPgjD-5lKGDY\",\"appId\":\"http://localhost:3000\",\"clientData\":\"eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6Im9xRE80dV90VHZobTFMaEZEVlloRnd5d1FGMFB6RnNYUGdqRC01bEtHRFk9Iiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6IiJ9\"}"
-  }
-
-  let(:error_response) {
-    "{\"errorCode\":4}"
-  }
-
   let(:app_id) { 'http://demo.example.com' }
-  let(:challenge) { 'yKA0x075tjJ-GE7fKTfnzTOSaNUOWQxRd9TWz5aFOg8' }
-
+  let(:challenge) { U2F.urlsafe_encode64(SecureRandom.random_bytes(32)) }
+  let(:device) { U2F::FakeU2F.new(app_id) }
+  let(:key_handle) { U2F.urlsafe_encode64(device.key_handle_raw) }
+  let(:public_key) { Base64.strict_encode64(device.origin_public_key_raw) }
+  let(:certificate) { Base64.strict_encode64(device.cert_raw) }
+  let(:registration_data_json) { device.register_response(challenge) }
+  let(:registration_data_json_without_padding) do
+    device.register_response(challenge).gsub(" ", "")
+  end
+  let(:error_response) { device.register_response(challenge, error = true) }
   let(:registration_request) { U2F::RegisterRequest.new(challenge, app_id) }
-
   let(:register_response) do
     U2F::RegisterResponse.load_from_json(registration_data_json)
   end
@@ -43,7 +29,7 @@ describe U2F::RegisterResponse do
   end
 
   context 'with unpadded response' do
-    let(:registration_data_json) { registration_data_without_padding }
+    let(:registration_data_json) { registration_data_json_without_padding }
     it 'does not raise "invalid base64" exception' do
       expect {
         register_response

data/spec/lib/sign_response_spec.rb

@@ -1,16 +1,15 @@
 require 'spec_helper.rb'
 
 describe U2F::SignResponse do
-  let(:json_response) do
-    '{ "signatureData": "AQAAAAQwRQIhAI6FSrMD3KUUtkpiP0jpIEakql-HNhwWFngyw553pS1CAiAKLjACPOhxzZXuZsVO8im-HStEcYGC50PKhsGp_SUAng==", "clientData": "eyAiY2hhbGxlbmdlIjogImZFbmM5b1Y3OUVhQmdLNUJvTkVSVTVnUEtNMlhHWVdyejRmVWpnYzBRN2ciLCAib3JpZ2luIjogImh0dHA6XC9cL2RlbW8uZXhhbXBsZS5jb20iLCAidHlwIjogIm5hdmlnYXRvci5pZC5nZXRBc3NlcnRpb24iIH0=", "keyHandle": "CTUayZo8hCBeC-sGQJChC0wW-bBg99bmOlGCgw8XGq4dLsxO3yWh9mRYArZxocP5hBB1pEGB3bbJYiM-5acc5w==" }'
-  end
-  let(:sign_response) do
-    U2F::SignResponse.load_from_json json_response
-  end
+  let(:app_id) { 'http://demo.example.com' }
+  let(:challenge) { U2F.urlsafe_encode64(SecureRandom.random_bytes(32)) }
+  let(:device) { U2F::FakeU2F.new(app_id) }
+  let(:json_response) { device.sign_response(challenge) }
+  let(:sign_response) { U2F::SignResponse.load_from_json json_response }
 
   describe '#counter' do
     subject { sign_response.counter }
-    it { is_expected.to be 4 }
+    it { is_expected.to be device.counter }
   end
 
   describe '#user_present?' do

data/spec/lib/u2f_spec.rb

@@ -1,35 +1,27 @@
-require 'spec_helper'
+ require 'spec_helper'
 
 describe U2F do
   let(:app_id) { 'http://demo.example.com' }
+  let(:device_challenge) { U2F.urlsafe_encode64(SecureRandom.random_bytes(32)) }
+  let(:auth_challenge) { device_challenge }
   let(:u2f) { U2F::U2F.new(app_id) }
-  let(:challenge) { 'fEnc9oV79EaBgK5BoNERU5gPKM2XGYWrz4fUjgc0Q7g' }
-  let(:key_handle) do
-    'CTUayZo8hCBeC-sGQJChC0wW-bBg99bmOlGCgw8XGq4dLsxO3yWh9mRYArZxocP5hBB1pEGB3bbJYiM-5acc5w'
-  end
-  let(:certificate) do
-    "MIIC4jCBywIBATANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDExJZdWJpY28gVTJGIFRlc3QgQ0EwHhcNMTQwNTE1MTI1ODU0WhcNMTQwNjE0MTI1ODU0WjAdMRswGQYDVQQDExJZdWJpY28gVTJGIFRlc3QgRUUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATbCtv1IcdczmPcpuHoJQYNlOYnVBlPnSSvJhq+rZlEH5WjcZEKOiDnPpFeE+i+OAV61XqjfnaQj6\/iipS2MOudMA0GCSqGSIb3DQEBCwUAA4ICAQCVQGtQYX2thKO064gP4zAPLaIKANklBO5y+mffWFEPC0cCnD5BKUqTrCmFiS2keoEyKFdxAe+oQogWljeR1d\/gj8k8jbDNiXCC7HnTxnhzKTLlq2y9Vp\/VRZHOwd2NZNzpnB9ePNKvUaWCGK\/gN+cynnYFdwJ75iSgMVYb\/RnFcdPwnsBzBU68hbhTnu\/FvJxWo7rZJ2q7qXpA10eLVXJr4\/4oSXEk9I\/0IIHqOP98Ck\/fAoI5gYI7ygndyqoPJ\/Wkg1VsmjmbFToWY9xb+axbvPefvg+KojwxE6MySMpYh\/h7oKEKamCWk19dJp5jHQmumkHlvQhH\/uUJmyD9EuLmQH+6SmEzZg0Oc9uw1aKamhcNNDCFakJGnv80j1+HbDXnqE0168FBqorS2hmqeaJfNSyg\/SXT950lGC36tLy7BzQ8jYG99Ok32znp0UVbIEEvLSci3JJ0ipLVg\/0J+xOb4zl6a1z65nae4OTj7628\/UJFmtSU0X6Np9gF1dNizxXPlH0fW1ggRCCQcb5m6ZqrdDJwUx1p7Ydm9AlPyiUwwmN5ADyxmzk\/AOCoiO96UVvnvUlk2kF7JMNxIv3R0SCzP5fTl7KqGByeA3d7W375o6DWIIEsOI+dJd7pyPXdakecZQRaVubC6\/ICl+G52OEkdp8jYjkDS8j3NAdJ1udNmg"
-  end
-  let(:registration_data_json) do
-    '{ "registrationData": "BQQtEmhWVgvbh-8GpjsHbj_d5FB9iNoRL8mNEq34-ANufKWUpVdIj6BSB_m3eMoZ3GqnaDy3RA5eWP8mhTkT1Ht3QAk1GsmaPIQgXgvrBkCQoQtMFvmwYPfW5jpRgoMPFxquHS7MTt8lofZkWAK2caHD-YQQdaRBgd22yWIjPuWnHOcwggLiMIHLAgEBMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMTEll1YmljbyBVMkYgVGVzdCBDQTAeFw0xNDA1MTUxMjU4NTRaFw0xNDA2MTQxMjU4NTRaMB0xGzAZBgNVBAMTEll1YmljbyBVMkYgVGVzdCBFRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNsK2_Uhx1zOY9ym4eglBg2U5idUGU-dJK8mGr6tmUQflaNxkQo6IOc-kV4T6L44BXrVeqN-dpCPr-KKlLYw650wDQYJKoZIhvcNAQELBQADggIBAJVAa1Bhfa2Eo7TriA_jMA8togoA2SUE7nL6Z99YUQ8LRwKcPkEpSpOsKYWJLaR6gTIoV3EB76hCiBaWN5HV3-CPyTyNsM2JcILsedPGeHMpMuWrbL1Wn9VFkc7B3Y1k3OmcH1480q9RpYIYr-A35zKedgV3AnvmJKAxVhv9GcVx0_CewHMFTryFuFOe78W8nFajutknarupekDXR4tVcmvj_ihJcST0j_Qggeo4_3wKT98CgjmBgjvKCd3Kqg8n9aSDVWyaOZsVOhZj3Fv5rFu895--D4qiPDETozJIyliH-HugoQpqYJaTX10mnmMdCa6aQeW9CEf-5QmbIP0S4uZAf7pKYTNmDQ5z27DVopqaFw00MIVqQkae_zSPX4dsNeeoTTXrwUGqitLaGap5ol81LKD9JdP3nSUYLfq0vLsHNDyNgb306TfbOenRRVsgQS8tJyLcknSKktWD_Qn7E5vjOXprXPrmdp7g5OPvrbz9QkWa1JTRfo2n2AXV02LPFc-UfR9bWCBEIJBxvmbpmqt0MnBTHWnth2b0CU_KJTDCY3kAPLGbOT8A4KiI73pRW-e9SWTaQXskw3Ei_dHRILM_l9OXsqoYHJ4Dd3tbfvmjoNYggSw4j50l3unI9d1qR5xlBFpW5sLr8gKX4bnY4SR2nyNiOQNLyPc0B0nW502aMEUCIQDTGOX-i_QrffJDY8XvKbPwMuBVrOSO-ayvTnWs_WSuDQIgZ7fMAvD_Ezyy5jg6fQeuOkoJi8V2naCtzV-HTly8Nww=", "clientData": "eyAiY2hhbGxlbmdlIjogInlLQTB4MDc1dGpKLUdFN2ZLVGZuelRPU2FOVU9XUXhSZDlUV3o1YUZPZzgiLCAib3JpZ2luIjogImh0dHA6XC9cL2RlbW8uZXhhbXBsZS5jb20iLCAidHlwIjogIm5hdmlnYXRvci5pZC5maW5pc2hFbnJvbGxtZW50IiB9" }'
-  end
-  let(:public_key) do
-    U2F.urlsafe_decode64("BC0SaFZWC9uH7wamOwduP93kUH2I2hEvyY0Srfj4A258pZSlV0iPoFIH+bd4yhncaqdoPLdEDl5Y\/yaFORPUe3c")
-  end
-  let(:json_response) do
-    '{ "signatureData": "AQAAAAQwRQIhAI6FSrMD3KUUtkpiP0jpIEakql-HNhwWFngyw553pS1CAiAKLjACPOhxzZXuZsVO8im-HStEcYGC50PKhsGp_SUAng", "clientData": "eyAiY2hhbGxlbmdlIjogImZFbmM5b1Y3OUVhQmdLNUJvTkVSVTVnUEtNMlhHWVdyejRmVWpnYzBRN2ciLCAib3JpZ2luIjogImh0dHA6XC9cL2RlbW8uZXhhbXBsZS5jb20iLCAidHlwIjogIm5hdmlnYXRvci5pZC5nZXRBc3NlcnRpb24iIH0=", "keyHandle": "CTUayZo8hCBeC-sGQJChC0wW-bBg99bmOlGCgw8XGq4dLsxO3yWh9mRYArZxocP5hBB1pEGB3bbJYiM-5acc5w" }'
-  end
+  let(:device) { U2F::FakeU2F.new(app_id) }
+  let(:key_handle) { U2F.urlsafe_encode64(device.key_handle_raw) }
+  let(:certificate) { Base64.strict_encode64(device.cert_raw) }
+  let(:public_key) { device.origin_public_key_raw }
+  let(:register_response_json) { device.register_response(device_challenge) }
+  let(:sign_response_json) { device.sign_response(device_challenge) }
   let(:registration) do
     U2F::Registration.new(key_handle, public_key, certificate)
   end
   let(:register_response) do
-    U2F::RegisterResponse.load_from_json(registration_data_json)
+    U2F::RegisterResponse.load_from_json(register_response_json)
   end
-  let(:response) do
-    U2F::SignResponse.load_from_json json_response
+  let(:sign_response) do
+    U2F::SignResponse.load_from_json sign_response_json
   end
   let(:sign_request) do
-    U2F::SignRequest.new(key_handle, challenge, app_id)
+    U2F::SignRequest.new(key_handle, auth_challenge, app_id)
   end
 
   describe '#authentication_requests' do
@@ -44,7 +36,7 @@ describe U2F do
     let(:counter) { registration.counter }
     let(:reg_public_key) { registration.public_key }
     let (:u2f_authenticate) do
-      u2f.authenticate!(challenge, response, reg_public_key, counter)
+      u2f.authenticate!(auth_challenge, sign_response, reg_public_key, counter)
     end
     context 'with correct parameters' do
       it 'does not raise an error' do
@@ -53,7 +45,7 @@ describe U2F do
     end
 
     context 'with incorrect challenge' do
-      let(:challenge) { 'incorrect' }
+      let(:auth_challenge) { 'incorrect' }
       it 'raises NoMatchingRequestError' do
         expect { u2f_authenticate }.to raise_error(U2F::NoMatchingRequestError)
       end
@@ -82,27 +74,26 @@ describe U2F do
   end
 
   describe '#register!' do
-    let(:challenge) { 'yKA0x075tjJ-GE7fKTfnzTOSaNUOWQxRd9TWz5aFOg8' }
     context 'with correct registration data' do
       it 'returns a registration' do
         reg = nil
         expect {
-          reg = u2f.register!(challenge, register_response)
+          reg = u2f.register!(auth_challenge, register_response)
         }.to_not raise_error
         expect(reg.key_handle).to eq key_handle
       end
 
       it 'accepts an array of challenges' do
-        reg = u2f.register!(['another-challenge', challenge], register_response)
+        reg = u2f.register!(['another-challenge', auth_challenge], register_response)
         expect(reg).to be_a U2F::Registration
       end
     end
 
     context 'with unknown challenge' do
-      let(:challenge) { 'non-matching' }
+      let(:auth_challenge) { 'non-matching' }
       it 'raises an UnmatchedChallengeError' do
         expect {
-          u2f.register!(challenge, register_response)
+          u2f.register!(auth_challenge, register_response)
         }.to raise_error(U2F::UnmatchedChallengeError)
       end
     end
@@ -117,8 +108,17 @@ describe U2F do
       end
     end
 
-    context 'with incorrect key' do
-      let(:public_key) { U2F.urlsafe_decode64('NW5jdzdnODV3dm9nNzU4d2duNTd3') }
+    context 'with invalid key' do
+      let(:public_key) { U2F.urlsafe_decode64('YV6FVSmH0ObY1cBRCsYJZ/CXF1gKsL+DW46rMfpeymtDZted2Ut2BraszUK1wg1+YJ4Bxt6r24WHNUYqKgeaSq8=') }
+      it 'fails when first byte of the key is not 0x04' do
+        expect {
+          U2F::U2F.public_key_pem public_key
+        }.to raise_error(U2F::PublicKeyDecodeError)
+      end
+    end
+
+    context 'with truncated key' do
+      let(:public_key) { U2F.urlsafe_decode64('BJhSPkR3Rmgl') }
       it 'fails when key is to short' do
         expect {
           U2F::U2F.public_key_pem public_key

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: u2f
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Johan Brissmyr
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-20 00:00:00.000000000 Z
+date: 2015-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -107,6 +107,7 @@ files:
 - lib/u2f.rb
 - lib/u2f/client_data.rb
 - lib/u2f/errors.rb
+- lib/u2f/fake_u2f.rb
 - lib/u2f/register_request.rb
 - lib/u2f/register_response.rb
 - lib/u2f/registration.rb