u2f 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4181871c3a8f8591e810fca9f378c917d3c1817f
-  data.tar.gz: 537078ef16ddaf5392b56e5e7c072f6d908a8e71
+  metadata.gz: e589a4313b54ef4f09bd93ee9d3ae3dc796a55d8
+  data.tar.gz: 6af61bb8549b978fc2e0de34eb1096aa7391df97
 SHA512:
-  metadata.gz: 1f7a5df9ff90a60b12d979e3e4b23f708dc846b8962083fcc12528c362223f7d4512b972802b79b065d90f1a6b3d120ed7a2c1a7cb4878e43a75d3b6bd017b2e
-  data.tar.gz: 9bceaa3d4c0ed8529a69d903731fbbcd0fe616d4d976af5c321c56b8b73337437e6c017bc82dfde83f2c4bcb55035ef44be42918f6028365da808b786e97843a
+  metadata.gz: 2b719b5857602edb742ce3d4e9ef90ae448a286e23abdd58696e52bf5f7d92a9afb88c8666a571f8af62ca6981db3313f7c0d7fb0fab016e2b71adfed68274f1
+  data.tar.gz: c9efc1c6157f3c6e846b237e545fdda917d9871098f0686ceb1ec21f7ddb73a75bdd6571bca92083f9ce35ecaeec519c4a6ff33f0b6c26a96cb415c2840a34eb

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2014 by Johan Brissmyr and Sebastian Wallin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -21,6 +21,8 @@ Check out the [example](https://github.com/castle/ruby-u2f/tree/master/example)
 
 There is another demo application available using the [Cuba](https://github.com/soveran/cuba) framework: [cuba-u2f-demo](https://github.com/badboy/cuba-u2f-demo) and a [blog post explaining the protocol and the implementation](http://fnordig.de/2015/03/06/u2f-demo-application/).
 
+You'll need Google Chrome 41 or later to use U2F.
+
 ## Installation
 
 Add the `u2f` gem to your `Gemfile`
@@ -29,12 +31,6 @@ Add the `u2f` gem to your `Gemfile`
 gem 'u2f'
 ```
 
-Currently, you need Google Chrome and the [FIDO U2F extension](https://chrome.google.com/webstore/detail/fido-u2f-universal-2nd-fa/pfboblefjcgdjicmnffhdgionmgcdmne) to enable U2F. To access the extension’s JavaScript API, add the script to the `<head>` section.
-
-```html
-<script src="chrome-extension://pfboblefjcgdjicmnffhdgionmgcdmne/u2f-api.js"></script>
-```
-
 ## Usage
 
 The U2F library has two major tasks:

data/lib/u2f/register_response.rb

@@ -95,7 +95,11 @@ module U2F
         public_key_raw
       ].join
 
-      parsed_certificate.public_key.verify(::U2F::DIGEST.new, signature, data)
+      begin
+        parsed_certificate.public_key.verify(::U2F::DIGEST.new, signature, data)
+      rescue OpenSSL::PKey::PKeyError
+        false
+      end
     end
 
     private

data/lib/u2f/sign_response.rb

@@ -19,7 +19,7 @@ module U2F
     # Counter value that the U2F token increments every time it performs an
     # authentication operation
     def counter
-      signature_data[1..4].unpack('N').first
+      signature_data.byteslice(1, 4).unpack('N').first
     end
 
     ##
@@ -32,7 +32,7 @@ module U2F
     ##
     # If user presence was verified
     def user_present?
-      signature_data[0].unpack('C').first == 1
+      signature_data.byteslice(0).unpack('C').first == 1
     end
 
     ##
@@ -46,7 +46,12 @@ module U2F
       ].join
 
       public_key = OpenSSL::PKey.read(public_key_pem)
-      public_key.verify(::U2F::DIGEST.new, signature, data)
+
+      begin
+        public_key.verify(::U2F::DIGEST.new, signature, data)
+      rescue OpenSSL::PKey::PKeyError
+        false
+      end
     end
   end
 end

data/lib/u2f/u2f.rb

@@ -60,7 +60,9 @@ module U2F
       fail UserNotPresentError unless response.user_present?
 
       unless response.counter > registration_counter
-        fail CounterTooLowError
+        unless response.counter == 0 && registration_counter == 0
+          fail CounterTooLowError
+        end
       end
     end
 
@@ -140,7 +142,7 @@ module U2F
     #   - +PublicKeyDecodeError+:: if the +key+ argument is incorrect
     #
     def self.public_key_pem(key)
-      fail PublicKeyDecodeError unless key.length == 65 && key[0] == "\x04"
+      fail PublicKeyDecodeError unless key.bytesize == 65 && key.byteslice(0) == "\x04"
       # http://tools.ietf.org/html/rfc5480
       der = OpenSSL::ASN1::Sequence([
         OpenSSL::ASN1::Sequence([

data/lib/version.rb

@@ -1,3 +1,3 @@
 module U2F
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

data/spec/lib/register_response_spec.rb

@@ -68,4 +68,17 @@ describe U2F::RegisterResponse do
     subject { register_response.verify(app_id) }
     it { is_expected.to be_truthy }
   end
+
+  describe '#verify with wrong app_id' do
+    subject { register_response.verify("other app") }
+    it { is_expected.to be_falsey }
+  end
+
+  describe '#verify with corrupted signature' do
+    subject { register_response }
+    it "returns falsey" do
+      allow(subject).to receive(:signature).and_return("bad signature")
+      expect(subject.verify(app_id)).to be_falsey
+    end
+  end
 end

data/spec/lib/sign_response_spec.rb

@@ -6,6 +6,7 @@ describe U2F::SignResponse do
   let(:device) { U2F::FakeU2F.new(app_id) }
   let(:json_response) { device.sign_response(challenge) }
   let(:sign_response) { U2F::SignResponse.load_from_json json_response }
+  let(:public_key_pem) { U2F::U2F.public_key_pem(device.origin_public_key_raw) }
 
   describe '#counter' do
     subject { sign_response.counter }
@@ -16,4 +17,22 @@ describe U2F::SignResponse do
     subject { sign_response.user_present? }
     it { is_expected.to be true }
   end
+
+  describe '#verify with correct app id' do
+    subject { sign_response.verify(app_id, public_key_pem) }
+    it { is_expected.to be_truthy}
+  end
+
+  describe '#verify with wrong app id' do
+    subject { sign_response.verify("other app", public_key_pem) }
+    it { is_expected.to be_falsey }
+  end
+
+  describe '#verify with corrupted signature' do
+    subject { sign_response }
+    it "returns falsey" do
+      allow(subject).to receive(:signature).and_return("bad signature")
+      expect(subject.verify(app_id, public_key_pem)).to be_falsey
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: u2f
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Johan Brissmyr
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-20 00:00:00.000000000 Z
+date: 2015-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -103,6 +103,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- LICENSE
 - README.md
 - lib/u2f.rb
 - lib/u2f/client_data.rb
@@ -143,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: U2F library