web_authn 0.2.1 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d1fff7e52035a4866627bc77ac38905ba8f702d1da958073824a48a27f53a9e
-  data.tar.gz: 68c0adc1b2f4a3722a137ac63657868af12c90cd40654ffc9476d757bf02c235
+  metadata.gz: 5a95868432d9b0378f32f89fcb8ebc3c64f30b2c881c52ec1e6cc43a1b94c48b
+  data.tar.gz: ed86036716a75ea287888670cc0d3e2555e2c18dad65aed820d067019aabafe4
 SHA512:
-  metadata.gz: 977f77cf15519cac46231aa2bfe829783a4b773e4709ee550fec8265bfff73ed39e91418143e50b3ec34e37af608b601cc03196eb37a6ac8fbbe51c51f95e318
-  data.tar.gz: 72277d134728c8efa97a950fac7a3c2b8c8d678bfe7f2f7a8424625a3fa54d6fb426da85da4ff68cbf8d0adf7f97fc67e360475d7996e41c9d0d1002eda4dfbe
+  metadata.gz: f47a3020a2a9e54840eedcc38a816ef65503a90798b67cc15c684f02b9f6eeb4b5b7afa8b08ed6f4c629626a4a117cbdff8b8bdaab687c9c3a2d30a8561a98c5
+  data.tar.gz: 8b6fd8bbecfb96b24ab1359011d5868b6d1098645f74389221bd9b9861451a41aa279ca9f6b51e00022284db9b13cd25930a5c064291980872b53ecffe65e359

data/Gemfile.lock

@@ -0,0 +1,71 @@
+PATH
+  remote: .
+  specs:
+    web_authn (0.4.1)
+      activesupport
+      cbor
+      cose-key (>= 0.2.0)
+      json-jwt
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    aes_key_wrap (1.0.1)
+    bindata (2.4.4)
+    cbor (0.5.9.3)
+    concurrent-ruby (1.1.4)
+    cose-key (0.2.0)
+      cbor
+    diff-lcs (1.3)
+    docile (1.3.1)
+    i18n (1.5.1)
+      concurrent-ruby (~> 1.0)
+    json (2.1.0)
+    json-jwt (1.10.0)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
+    minitest (5.11.3)
+    rake (10.5.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    simplecov (0.16.1)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rake (~> 10.0)
+  rspec
+  rspec-its
+  simplecov
+  web_authn!
+
+BUNDLED WITH
+   1.17.1

data/README.md

@@ -26,6 +26,43 @@ $ gem install web_authn
 
 ## Usage
 
+```ruby
+context = WebAuthn.context_for(
+  client_data_json, # NOTE: URL-safe Base64 encoded
+  origin: request.base_url,
+  challenge: session[:challenge],
+)
+
+if context.registration?
+  context.verify!(
+    attestation_object # URL-safe Base64 encoded
+  )
+  context.credential_id
+  context.public_key # => `OpenSSL::PKey::RSA` or `OpenSSL::PKey::EC`
+  context.public_cose_key # => `COSE::Key::RSA` or `COSE::Key::EC2` ref.) https://github.com/nov/cose-key
+  context.sign_count # => `Integer`
+elsif context.authentication?
+  context.verify!(
+    authenticator_data, # URL-safe Base64 encoded
+
+    # NOTE:
+    #  either 'public_key' or 'public_cose_key' is required.
+    #  if `public_key` is given, you can also specify `digest` (default: `OpenSSL::Digest::SHA256.new`).
+    #  if `public_cose_key` is given, it includes digest size information, so no `digest` is required.
+
+    # public_key: public_key, # `OpenSSL::PKey::RSA` or `OpenSSL::PKey::EC`
+    # digest: OpenSSL::Digest::SHA256.new, # `OpenSSL::Digest::SHA(1|256|384|512)`` (default: `OpenSSL::Digest::SHA256`)
+    public_cose_key: public_cose_key, # `COSE::Key::RSA` or `COSE::Key::EC` ref.) https://github.com/nov/cose-key
+
+    sign_count: previously_stored_sign_count,
+    signature: signature # URL-safe Base64 encoded
+  )
+  context.sign_count # => Integer
+else
+  # should never happen.
+end
+```
+
 See sample code in this repository, or [working sample site](https://web-authn.herokuapp.com/).
 
 Currently, there are several restrictions.

data/VERSION

@@ -1 +1 @@
-0.2.1
+0.5.0

data/lib/web_authn.rb

@@ -3,10 +3,12 @@ require 'active_support'
 require 'active_support/core_ext'
 require 'cbor'
 require 'cose/key'
+require 'json/jwt'
 
 module WebAuthn
   class Exception < StandardError; end
   class InvalidContext < Exception; end
+  class InvalidAttestation < Exception; end
   class InvalidAssertion < Exception; end
   class NotImplementedError < NotImplementedError; end
 
@@ -22,6 +24,7 @@ module WebAuthn
 end
 
 require 'web_authn/attestation_object'
+require 'web_authn/attestation_statement'
 require 'web_authn/attested_credential_data'
 require 'web_authn/authenticator_data'
 require 'web_authn/client_data_json'

data/lib/web_authn/attestation_object.rb

@@ -9,24 +9,39 @@ module WebAuthn
       delegate method, to: :authenticator_data
     end
 
-    def initialize(attrs)
-      self.format = attrs[:fmt]
+    def initialize(fmt:, att_stmt:, auth_data:)
+      self.format = fmt
       self.attestation_statement = case format
       when 'none'
         nil
-      when 'packed', 'tpm', 'android-key', 'android-safetynet', 'fido-u2f'
+      when 'android-safetynet'
+        AttestationStatement::AndroidSafetynet.decode att_stmt
+      when 'packed'
+        AttestationStatement::Packed.decode att_stmt
+      when 'apple'
+        AttestationStatement::Apple.decode att_stmt
+      when 'tpm', 'android-key', 'fido-u2f'
         raise NotImplementedError, "Unsupported Attestation Format: #{format}"
       else
         raise InvalidContext, 'Unknown Attestation Format'
       end
-      self.authenticator_data = AuthenticatorData.decode attrs[:authData]
+      self.authenticator_data = AuthenticatorData.decode auth_data
+    end
+
+    def verify_signature!(client_data_json)
+      attestation_statement.try(:verify!, authenticator_data, client_data_json)
     end
 
     class << self
       def decode(encoded_attestation_object)
-        new CBOR.decode(
+        cbor = CBOR.decode(
           Base64.urlsafe_decode64 encoded_attestation_object
         ).with_indifferent_access
+        new(
+          fmt: cbor[:fmt],
+          att_stmt: cbor[:attStmt],
+          auth_data: cbor[:authData]
+        )
       end
     end
   end

data/lib/web_authn/attestation_statement.rb

@@ -0,0 +1,8 @@
+module WebAuthn
+  class AttestationStatement
+  end
+end
+
+require 'web_authn/attestation_statement/android_safetynet'
+require 'web_authn/attestation_statement/apple'
+require 'web_authn/attestation_statement/packed'

data/lib/web_authn/attestation_statement/android_safetynet.rb

@@ -0,0 +1,80 @@
+module WebAuthn
+  class AttestationStatement
+    class AndroidSafetynet < AttestationStatement
+      attr_accessor :ver, :response, :certs
+
+      def initialize(ver:, response:)
+        self.ver = ver
+        self.response = response
+        self.certs = response.x5c.collect do |x5c|
+          OpenSSL::X509::Certificate.new(
+            Base64.decode64 x5c
+          )
+        end
+      end
+
+      def verify!(authenticator_data, client_data_json)
+        verify_nonce! authenticator_data, client_data_json
+        verify_signature!
+        verify_certificate!
+
+        unless response[:ctsProfileMatch]
+          raise InvalidAttestation, 'Invalid Android Safetynet Response: ctsProfileMatch'
+        end
+      end
+
+      private
+
+      def verify_nonce!(authenticator_data, client_data_json)
+        nonce = Base64.encode64(
+          OpenSSL::Digest::SHA256.digest [
+            authenticator_data.raw,
+            OpenSSL::Digest::SHA256.digest(client_data_json.raw)
+          ].join
+        ).strip
+        unless response[:nonce] == nonce
+          raise InvalidAttestation, 'Invalid Android Safetynet Response: nonce'
+        end
+      end
+
+      def verify_signature!
+        response.verify! certs.first.public_key
+      rescue JSON::JWS::VerificationFailed => e
+        raise InvalidAttestation, 'Invalid Android Safetynet Response: signature'
+      end
+
+      def verify_certificate!
+        signing_cert = certs.first
+        remaining_chain = certs[1..-1]
+
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths
+        valid_chain = store.verify(signing_cert, remaining_chain)
+
+        valid_subject = signing_cert.subject.to_a.detect do |key, value, type|
+          key == 'CN'
+        end.second == 'attest.android.com'
+
+        valid_timestamp = (
+          signing_cert.not_after > Time.now &&
+          signing_cert.not_before < Time.now
+        )
+
+        # TODO: do we need CRL check?
+
+        unless valid_chain && valid_subject && valid_timestamp
+           raise InvalidAttestation, 'Invalid Android Safetynet Response: certificate'
+        end
+      end
+
+      class << self
+        def decode(att_stmt)
+          new(
+            ver: att_stmt[:ver],
+            response: JSON::JWT.decode(att_stmt[:response], :skip_verification)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/web_authn/attestation_statement/apple.rb

@@ -0,0 +1,90 @@
+module WebAuthn
+  class AttestationStatement
+    class Apple < AttestationStatement
+      CERTIFICATE_EXTENSION_OID = '1.2.840.113635.100.8.2'
+      ROOT_CERTIFICATE = <<~PEM
+        -----BEGIN CERTIFICATE-----
+        MIICEjCCAZmgAwIBAgIQaB0BbHo84wIlpQGUKEdXcTAKBggqhkjOPQQDAzBLMR8w
+        HQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJ
+        bmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MjEzMloXDTQ1MDMx
+        NTAwMDAwMFowSzEfMB0GA1UEAwwWQXBwbGUgV2ViQXV0aG4gUm9vdCBDQTETMBEG
+        A1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTB2MBAGByqGSM49
+        AgEGBSuBBAAiA2IABCJCQ2pTVhzjl4Wo6IhHtMSAzO2cv+H9DQKev3//fG59G11k
+        xu9eI0/7o6V5uShBpe1u6l6mS19S1FEh6yGljnZAJ+2GNP1mi/YK2kSXIuTHjxA/
+        pcoRf7XkOtO4o1qlcaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJtdk
+        2cV4wlpn0afeaxLQG2PxxtcwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA
+        MGQCMFrZ+9DsJ1PW9hfNdBywZDsWDbWFp28it1d/5w2RPkRX3Bbn/UbDTNLx7Jr3
+        jAGGiQIwHFj+dJZYUJR786osByBelJYsVZd2GbHQu209b5RCmGQ21gpSAk9QZW4B
+        1bWeT0vT
+        -----END CERTIFICATE-----
+      PEM
+
+      attr_accessor :alg, :x5c, :certs
+
+      def initialize(alg:, x5c:)
+        self.alg = alg
+        self.x5c = Array(x5c)
+        self.certs = self.x5c.collect do |x5c|
+          OpenSSL::X509::Certificate.new x5c
+        end
+      end
+
+      def verify!(authenticator_data, client_data_json)
+        verify_nonce! authenticator_data, client_data_json
+        verify_certificate! authenticator_data.attested_credential_data
+      end
+
+      private
+
+      def verify_nonce!(authenticator_data, client_data_json)
+        nonce = OpenSSL::Digest::SHA256.digest [
+          authenticator_data.raw,
+          OpenSSL::Digest::SHA256.digest(client_data_json.raw)
+        ].join
+
+        extension = certs.first.extensions.detect { |ext| ext.oid == CERTIFICATE_EXTENSION_OID }
+        expected_nonce = OpenSSL::ASN1.decode(
+          OpenSSL::ASN1.decode(extension.to_der).value.last.value
+        ).value.last.value.last.value
+
+        unless expected_nonce == nonce
+          raise InvalidAttestation, 'Invalid Apple Response: nonce'
+        end
+      end
+
+      def verify_certificate!(attested_credential_data)
+        attested_cert = certs.first
+        remaining_chain = certs[1..-1]
+
+        store = OpenSSL::X509::Store.new
+        store.add_cert OpenSSL::X509::Certificate.new ROOT_CERTIFICATE
+        valid_chain = store.verify(attested_cert, remaining_chain)
+
+        valid_timestamp = (
+          attested_cert.not_after > Time.now &&
+          attested_cert.not_before < Time.now
+        )
+
+        valid_attested_public_key = (
+          attested_credential_data.public_key.to_pem ==
+          attested_cert.public_key.to_pem
+        )
+
+        # TODO: do we need CRL check?
+
+        unless valid_chain && valid_attested_public_key && valid_timestamp
+           raise InvalidAttestation, 'Invalid Apple Response: certificate'
+        end
+      end
+
+      class << self
+        def decode(att_stmt)
+          new(
+            alg: att_stmt[:alg],
+            x5c: att_stmt[:x5c]
+          )
+        end
+      end
+    end
+  end
+end

data/lib/web_authn/attestation_statement/packed.rb

@@ -0,0 +1,71 @@
+module WebAuthn
+  class AttestationStatement
+    class Packed < AttestationStatement
+      attr_accessor :alg, :sig, :x5c, :ecdaa_key_id
+
+      def initialize(alg:, sig:, x5c:, ecdaa_key_id:)
+        self.alg = alg
+        self.sig = sig
+        self.x5c = Array(x5c)
+        self.ecdaa_key_id = ecdaa_key_id
+      end
+
+      def verify!(authenticator_data, client_data_json)
+        verify_signature! authenticator_data, client_data_json
+        verify_certificate! unless self_issued?
+      end
+
+      private
+
+      def self_issued?
+        [x5c, ecdaa_key_id].all?(&:blank?)
+      end
+
+      def verify_signature!(authenticator_data, client_data_json)
+        signature_base_string = [
+          authenticator_data.raw,
+          OpenSSL::Digest::SHA256.digest(client_data_json.raw)
+        ].join
+
+        if self_issued? && authenticator_data.attested_credential_data.anonymous?
+          public_cose_key = authenticator_data.attested_credential_data.public_cose_key
+          unless alg == public_cose_key.alg
+            raise InvalidAttestation, 'Invalid Packed Self Attestation: alg'
+          end
+          unless public_cose_key.verify sig, signature_base_string
+            raise InvalidAttestation, 'Invalid Packed Self Attestation: signature'
+          end
+        else
+          attestation_certificate = OpenSSL::X509::Certificate.new x5c.first
+          public_key = attestation_certificate.public_key
+          digest = case public_key
+          when OpenSSL::PKey::EC
+            COSE::Key::EC2
+          when OpenSSL::PKey::RSA
+            COSE::Key::RSA
+          end.new.tap do |k|
+            k.alg = alg
+          end.digest
+          unless public_key.verify digest, sig, signature_base_string
+            raise InvalidAttestation, 'Invalid Packed Attestation: signature'
+          end
+        end
+      end
+
+      def verify_certificate!
+        raise NotImplementedError, 'Certificate Chain Verification Not Implemented Yet: packed'
+      end
+
+      class << self
+        def decode(att_stmt)
+          new(
+            alg: att_stmt[:alg],
+            sig: att_stmt[:sig],
+            x5c: att_stmt[:x5c],
+            ecdaa_key_id: att_stmt[:ecdaaKeyId]
+          )
+        end
+      end
+    end
+  end
+end

data/lib/web_authn/attested_credential_data.rb

@@ -9,6 +9,10 @@ module WebAuthn
       self.public_cose_key = public_cose_key
     end
 
+    def anonymous?
+      aaguid == 'AAAAAAAAAAAAAAAAAAAAAA' # NOTE: equals to `Base64.urlsafe_encode64("\0" * 16, padding: false)``
+    end
+
     class << self
       def decode(attested_credential_data)
         length = (

data/lib/web_authn/client_data_json.rb

@@ -2,23 +2,23 @@ module WebAuthn
   class ClientDataJSON
     attr_accessor :type, :origin, :challenge, :raw
 
-    def initialize(attrs = {})
-      self.type = attrs[:type]
-      self.origin = attrs[:origin]
-      self.challenge = attrs[:challenge]
-      self.raw = attrs[:raw]
+    def initialize(type:, origin:, challenge:, raw: nil)
+      self.type = type
+      self.origin = origin
+      self.challenge = challenge
+      self.raw = raw
     end
 
     class << self
       def decode(encoded_client_data_json)
-        raw_client_data_json = Base64.urlsafe_decode64 encoded_client_data_json
-        attrs = JSON.parse(
-          raw_client_data_json
-        ).merge(
-          raw: raw_client_data_json
-        ).with_indifferent_access
-        attrs[:challenge] = Base64.urlsafe_decode64 attrs[:challenge]
-        new attrs
+        raw = Base64.urlsafe_decode64 encoded_client_data_json
+        json = JSON.parse(raw).with_indifferent_access
+        new(
+          type: json[:type],
+          origin: json[:origin],
+          challenge: Base64.urlsafe_decode64(json[:challenge]),
+          raw: raw
+        )
       end
     end
   end

data/lib/web_authn/context/registration.rb

@@ -4,7 +4,8 @@ module WebAuthn
       attr_accessor :attestation_object
 
       # TODO: will need more methods, or let developers access deep methods by themselves.
-      %i(credential_id rp_id_hash flags public_key public_cose_key sign_count).each do |method|
+      %i(credential_id rp_id_hash flags public_key public_cose_key sign_count
+         attestation_statement).each do |method|
         delegate method, to: :attestation_object
       end
 
@@ -17,6 +18,7 @@ module WebAuthn
           encoded_attestation_object
         )
         verify_flags!
+        verify_signature!
         self
       end
 
@@ -26,6 +28,10 @@ module WebAuthn
         super
         raise InvalidAssertion, 'Missing Flag: "at"' unless flags.at?
       end
+
+      def verify_signature!
+        attestation_object.verify_signature! client_data_json
+      end
     end
   end
 end

data/spec/context/registration_spec.rb

@@ -43,5 +43,97 @@ RSpec.describe WebAuthn::Context::Registration do
       subject.public_key.to_pem.should == public_key_pem
     end
     its(:sign_count) { should == sign_count }
+
+    context 'when packed attestation given' do
+      let(:context) do
+        {
+          origin: 'https://web-authn.self-issued.app',
+          challenge: 'random-string-generated-by-rp-server'
+        }
+      end
+      let(:client_data_json) do
+        'eyJjaGFsbGVuZ2UiOiJjbUZ1Wkc5dExYTjBjbWx1WnkxblpXNWxjbUYwWldRdFlua3RjbkF0YzJWeWRtVnkiLCJvcmlnaW4iOiJodHRwczovL3dlYi1hdXRobi5zZWxmLWlzc3VlZC5hcHAiLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0'
+      end
+
+      context 'when self-attestation' do
+        let(:attestation_object) do
+          'o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEYwRAIgOprGUE_GZMIbRBAPLPw6IiNdSk4dxFb4cRbqDgVfFXQCIHnRdm64FfnShyIhq1Z2qfn3ygp0auT32gy-eL35Uo6YaGF1dGhEYXRhWMQyy4DcrMPDUkYssB87_jAt5vNxLzD9IOzRnDuluFiUlUVb2_sTAAAAAAAAAAAAAAAAAAAAAABAAKUVEhUfjXl7S9MbcWXRfXltc39Spl6yuLxOuUtQJ-y-5DkR61Ge8riwY7dRXZFNSaWhsw9LfsknL57eZEB1gKUBAgMmIAEhWCCfkZcOMoafdVwFi4cNNPQlJS1JNUkq34sJ5fKhDODsfyJYIKD89fXxjNhcX6gDxsTwH3VL_TG7HAHdKFgUjAFumfmr'
+        end
+
+        it do
+          expect do
+            subject
+          end.not_to raise_error
+        end
+
+        context 'when client_data_json is invalid' do
+          let(:client_data_json) do
+            Base64.urlsafe_encode64({
+              type: "webauthn.create",
+              challenge: "cmFuZG9tLXN0cmluZy1nZW5lcmF0ZWQtYnktcnAtc2VydmVy",
+              origin: "https://web-authn.self-issued.app",
+              malformed: 'malformed'
+            }.to_json, padding: false)
+          end
+
+          it do
+            expect do
+              subject
+            end.to raise_error WebAuthn::InvalidAttestation, 'Invalid Packed Self Attestation: signature'
+          end
+        end
+      end
+
+      context 'otherwise' do
+        let(:attestation_object) do
+          'o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEgwRgIhANsy4jAv4_BLPmM1pua45Pqo1gfIMA3KDgG-22P0eSH1AiEA3vRxM21j1nKLYyWTdgigzjZHG81IU3JXt2hh0Hr-P_tjeDVjgVkCwjCCAr4wggGmoAMCAQICBHSG_cIwDQYJKoZIhvcNAQELBQAwLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMG8xCzAJBgNVBAYTAlNFMRIwEAYDVQQKDAlZdWJpY28gQUIxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24xKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NTUwMDM4NDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVXfOt9yR9MXXv_ZzE8xpOh4664YEJVmFQ-ziLLl9lJ79XQJqlgaUNCsUvGERcChNUihNTyKTlmnBOUjvATevto2wwajAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuMTATBgsrBgEEAYLlHAIBAQQEAwIFIDAhBgsrBgEEAYLlHAEBBAQSBBD4oBHzjApNFYAGFxEfntx9MAwGA1UdEwEB_wQCMAAwDQYJKoZIhvcNAQELBQADggEBADFcSIDmmlJ-OGaJvWn9CqhvSeueToVFQVVvqtALOgCKHdwB-Wx29mg2GpHiMsgQp5xjB0ybbnpG6x212FxESJ-GinZD0ipchi7APwPlhIvjgH16zVX44a4e4hOsc6tLIOP71SaMsHuHgCcdH0vg5d2sc006WJe9TXO6fzV-ogjJnYpNKQLmCXoAXE3JBNwKGBIOCvfQDPyWmiiG5bGxYfPty8Z3pnjX-1MDnM2hhr40ulMxlSNDnX_ZSnDyMGIbk8TOQmjTF02UO8auP8k3wt5D1rROIRU9-FCSX5WQYi68RuDrGMZB8P5-byoJqbKQdxn2LmE1oZAyohPAmLcoPO5oYXV0aERhdGFYxDLLgNysw8NSRiywHzv-MC3m83EvMP0g7NGcO6W4WJSVQQAAAAv4oBHzjApNFYAGFxEfntx9AEA02xXaLwowZrcHlY4sjukQfJOcMH6ulShKwJM5F4ScjEZHw5pzBzgX2Us_FsAqBP4D3f7rnJ3khIHK7bwY6vtYpQECAyYgASFYIJCdNP17MO609HucLCpQWeeCqIDtipNu2yK0PZHMPh1KIlggRfqxNbCUPKGPZn_NLUdXP2Jsf2ErcCoLEq9O7yEpZvQ'
+        end
+
+        it do
+          expect do
+            subject
+          end.to raise_error WebAuthn::NotImplementedError, 'Certificate Chain Verification Not Implemented Yet: packed'
+        end
+      end
+    end
+
+    context 'when android-safetynet attestation given' do
+      let(:context) do
+        {
+          origin: 'https://web-authn.self-issued.app',
+          challenge: 'random-string-generated-by-rp-server'
+        }
+      end
+      let(:client_data_json) do
+        'eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY21GdVpHOXRMWE4wY21sdVp5MW5aVzVsY21GMFpXUXRZbmt0Y25BdGMyVnlkbVZ5Iiwib3JpZ2luIjoiaHR0cHM6XC9cL3dlYi1hdXRobi5zZWxmLWlzc3VlZC5hcHAiLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJjb20uY2hyb21lLmNhbmFyeSJ9'
+      end
+      let(:attestation_object) do
+        'o2NmbXRxYW5kcm9pZC1zYWZldHluZXRnYXR0U3RtdKJjdmVyaDEyODc0MDQxaHJlc3BvbnNlWRMHZXlKaGJHY2lPaUpTVXpJMU5pSXNJbmcxWXlJNld5Sk5TVWxGYVdwRFEwRXpTMmRCZDBsQ1FXZEpTVmxyV1c4MVJqQm5PRFpyZDBSUldVcExiMXBKYUhaalRrRlJSVXhDVVVGM1ZrUkZURTFCYTBkQk1WVkZRbWhOUTFaV1RYaElha0ZqUW1kT1ZrSkJiMVJHVldSMllqSmtjMXBUUWxWamJsWjZaRU5DVkZwWVNqSmhWMDVzWTNwRmJFMURUVWRCTVZWRlFYaE5ZMUl5T1haYU1uaHNTVVZzZFdSSFZubGliVll3U1VWR01XUkhhSFpqYld3d1pWTkNTRTE2UVdWR2R6QjRUbnBGZVUxRVVYaE5la1UwVGtST1lVWjNNSGhQUkVWNVRVUk5kMDFFUVhkTlJFSmhUVWQzZUVONlFVcENaMDVXUWtGWlZFRnNWbFJOVWsxM1JWRlpSRlpSVVVsRVFYQkVXVmQ0Y0ZwdE9YbGliV3hvVFZKWmQwWkJXVVJXVVZGSVJFRXhUbUl6Vm5Wa1IwWndZbWxDVjJGWFZqTk5VazEzUlZGWlJGWlJVVXRFUVhCSVlqSTVibUpIVldkVFZ6VnFUVkp6ZDBkUldVUldVVkZFUkVKS2FHUklVbXhqTTFGMVdWYzFhMk50T1hCYVF6VnFZakl3ZDJkblJXbE5RVEJIUTFOeFIxTkpZak5FVVVWQ1FWRlZRVUUwU1VKRWQwRjNaMmRGUzBGdlNVSkJVVU5WYWpoM1dXOVFhWGhMWW1KV09ITm5XV2QyVFZSbVdDdGtTWE5HVkU5clowdFBiR2hVTUdrd1ltTkVSbHBMTW5KUGVFcGFNblZUVEZOV2FGbDJhWEJhVGtVelNFcFJXWFYxV1hkR2FtbDVLM2xyWm1GMFFVZFRhbEo2UmpGaU16RjFORE12TjI5SE5XcE5hRE5UTXpkaGJIZHFWV0k0UTFkcFZIaHZhWEJXVDFsM1MwdDZkVlY1YTNGRlEzUnFiR2hLTkVGclYyRkVVeXRhZUV0RmNVOWhaVGwwYmtOblpVaHNiRnBGTDA5U1oyVk5ZWGd5V0U1RGIwZzJjM0pVUlZKamEzTnFlbHBhY2tGWGVFdHpaR1oyVm5KWVRucERVamxFZUZaQlUzVkpOa3g2ZDJnNFJGTnNNa1ZQYjJ0aWMyRnVXaXNyTDBweFRXVkJRa1ptVUhkcWVYZHlZakJ3Y2tWVmVUQndZV1ZXYzNWa0t6QndaV1Y0U3k4MUswVTJhM0JaUjBzMFdrc3libXR2Vmt4MVowVTFkR0ZJY2tGcU9ETlJLMUJQWW1KMlQzcFhZMFpyY0c1V1MzbHFielpMVVVGdFdEWlhTa0ZuVFVKQlFVZHFaMmRHUjAxSlNVSlJha0ZVUW1kT1ZraFRWVVZFUkVGTFFtZG5ja0puUlVaQ1VXTkVRVlJCWkVKblRsWklVa1ZGUm1wQlZXZG9TbWhrU0ZKc1l6TlJkVmxYTld0amJUbHdXa00xYW1JeU1IZGhRVmxKUzNkWlFrSlJWVWhCVVVWRldFUkNZVTFETUVkRFEzTkhRVkZWUmtKNlFVTm9hVVp2WkVoU2QwOXBPSFpqUjNSd1RHMWtkbUl5WTNaYU0wNTVUV2s1U0ZaR1RraFRWVVpJVFhrMWFtTnVVWGRMVVZsSlMzZFpRa0pSVlVoTlFVZEhTRmRvTUdSSVFUWk1lVGwyV1ROT2QweHVRbkpoVXpWdVlqSTVia3d3WkZWVk1HUktVVlZqZWsxQ01FZEJNVlZrUkdkUlYwSkNVVWM0U1hKUmRFWlNOa05WVTJ0cGEySXpZV2x0YzIweU5tTkNWRUZOUW1kT1ZraFNUVUpCWmpoRlFXcEJRVTFDT0VkQk1WVmtTWGRSV1UxQ1lVRkdTR1pEZFVaRFlWb3pXakp6VXpORGFIUkRSRzlJTm0xbWNuQk1UVU5GUjBFeFZXUkpRVkZoVFVKbmQwUkJXVXRMZDFsQ1FrRklWMlZSU1VaQmVrRkpRbWRhYm1kUmQwSkJaMGwzVFZGWlJGWlNNR1pDUTI5M1MwUkJiVzlEVTJkSmIxbG5ZVWhTTUdORWIzWk1NazU1WWtNMWQyRXlhM1ZhTWpsMlduazVTRlpHVGtoVFZVWklUWGsxYW1OdGQzZEVVVmxLUzI5YVNXaDJZMDVCVVVWTVFsRkJSR2RuUlVKQlJpOVNlazV1UXpWRWVrSlZRblJ1YURKdWRFcE1WMFZSYURsNlJXVkdXbVpRVERsUmIydHliRUZ2V0dkcVYyZE9PSEJUVWxVeGJGWkhTWEIwZWsxNFIyaDVNeTlQVWxKYVZHRTJSREpFZVRob2RrTkVja1pKTXl0c1Exa3dNVTFNTlZFMldFNUZOVkp6TW1ReFVtbGFjRTF6ZWtRMFMxRmFUa2N6YUZvd1FrWk9VUzlqYW5KRGJVeENUMGRMYTBWVk1XUnRRVmh6UmtwWVNtbFBjakpEVGxSQ1QxUjFPVVZpVEZkb1VXWmtRMFl4WW5kNmVYVXJWelppVVZOMk9GRkVialZQWkUxVEwxQnhSVEZrUldkbGRDODJSVWxTUWpjMk1VdG1XbEVyTDBSRk5reHdNMVJ5V2xSd1QwWkVSR2RZYUN0TVowZFBjM2RvUld4cU9XTXpkbHBJUjBwdWFHcHdkRGh5YTJKcGNpOHlkVXhIWm5oc1ZsbzBTekY0TlVSU1RqQlFWVXhrT1hsUVUyMXFaeXRoYWpFcmRFaDNTVEZ0VVcxYVZsazNjWFpQTlVSbmFFOTRhRXBOUjJ4Nk5teE1hVnB0ZW05blBTSXNJazFKU1VWWVJFTkRRVEJUWjBGM1NVSkJaMGxPUVdWUGNFMUNlamhqWjFrMFVEVndWRWhVUVU1Q1oydHhhR3RwUnpsM01FSkJVWE5HUVVSQ1RVMVRRWGRJWjFsRVZsRlJURVY0WkVoaVJ6bHBXVmQ0VkdGWFpIVkpSa3AyWWpOUloxRXdSV2RNVTBKVFRXcEZWRTFDUlVkQk1WVkZRMmhOUzFJeWVIWlpiVVp6VlRKc2JtSnFSVlJOUWtWSFFURlZSVUY0VFV0U01uaDJXVzFHYzFVeWJHNWlha0ZsUm5jd2VFNTZRVEpOVkZWM1RVUkJkMDVFU21GR2R6QjVUVlJGZVUxVVZYZE5SRUYzVGtSS1lVMUdVWGhEZWtGS1FtZE9Wa0pCV1ZSQmJGWlVUVkkwZDBoQldVUldVVkZMUlhoV1NHSXlPVzVpUjFWblZraEtNV016VVdkVk1sWjVaRzFzYWxwWVRYaEtWRUZxUW1kT1ZrSkJUVlJJUldSMllqSmtjMXBUUWtwaWJsSnNZMjAxYkdSRFFrSmtXRkp2WWpOS2NHUklhMmRTZWsxM1oyZEZhVTFCTUVkRFUzRkhVMGxpTTBSUlJVSkJVVlZCUVRSSlFrUjNRWGRuWjBWTFFXOUpRa0ZSUkV0VmEzWnhTSFl2VDBwSGRXOHlia2xaWVU1V1YxaFJOVWxYYVRBeFExaGFZWG8yVkVsSVRFZHdMMnhQU2lzMk1EQXZOR2hpYmpkMmJqWkJRVUl6UkZaNlpGRlBkSE0zUnpWd1NEQnlTbTV1VDBaVlFVczNNVWMwYm5wTFRXWklRMGRWYTNOWEwyMXZibUVyV1RKbGJVcFJNazRyWVdsamQwcExaWFJRUzFKVFNXZEJkVkJQUWpaQllXaG9PRWhpTWxoUE0yZzVVbFZyTWxRd1NFNXZkVUl5Vm5wNGIwMVliR3Q1VnpkWVZWSTFiWGMyU210TVNHNUJOVEpZUkZadlVsUlhhMDUwZVRWdlEwbE9USFpIYlc1U2Mwb3hlbTkxUVhGWlIxWlJUV012TjNONUt5OUZXV2hCVEhKV1NrVkJPRXRpZEhsWUszSTRjMjUzVlRWRE1XaFZjbmRoVnpaTlYwOUJVbUU0Y1VKd1RsRmpWMVJyWVVsbGIxbDJlUzl6UjBsS1JXMXFVakIyUmtWM1NHUndNV05UWVZkSmNqWXZOR2MzTW00M1QzRllkMlpwYm5VM1dsbFhPVGRGWm05UFUxRktaVUY2UVdkTlFrRkJSMnBuWjBWNlRVbEpRa3g2UVU5Q1owNVdTRkU0UWtGbU9FVkNRVTFEUVZsWmQwaFJXVVJXVWpCc1FrSlpkMFpCV1VsTGQxbENRbEZWU0VGM1JVZERRM05IUVZGVlJrSjNUVU5OUWtsSFFURlZaRVYzUlVJdmQxRkpUVUZaUWtGbU9FTkJVVUYzU0ZGWlJGWlNNRTlDUWxsRlJraG1RM1ZHUTJGYU0xb3ljMU16UTJoMFEwUnZTRFp0Wm5Kd1RFMUNPRWRCTVZWa1NYZFJXVTFDWVVGR1NuWnBRakZrYmtoQ04wRmhaMkpsVjJKVFlVeGtMMk5IV1ZsMVRVUlZSME5EYzBkQlVWVkdRbmRGUWtKRGEzZEtla0ZzUW1kbmNrSm5SVVpDVVdOM1FWbFpXbUZJVWpCalJHOTJUREk1YW1NelFYVmpSM1J3VEcxa2RtSXlZM1phTTA1NVRXcEJlVUpuVGxaSVVqaEZTM3BCY0UxRFpXZEtZVUZxYUdsR2IyUklVbmRQYVRoMldUTktjMHh1UW5KaFV6VnVZakk1Ymt3eVpIcGpha2wyV2pOT2VVMXBOV3BqYlhkM1VIZFpSRlpTTUdkQ1JHZDNUbXBCTUVKbldtNW5VWGRDUVdkSmQwdHFRVzlDWjJkeVFtZEZSa0pSWTBOQlVsbGpZVWhTTUdOSVRUWk1lVGwzWVRKcmRWb3lPWFphZVRsNVdsaENkbU15YkRCaU0wbzFUSHBCVGtKbmEzRm9hMmxIT1hjd1FrRlJjMFpCUVU5RFFWRkZRVWhNWlVwc2RWSlVOMkoyY3pJMlozbEJXamh6YnpneGRISlZTVk5rTjA4ME5YTnJSRlZ0UVdkbE1XTnVlR2hITVZBeVkwNXRVM2hpVjNOdmFVTjBNbVYxZURsTVUwUXJVRUZxTWt4SldWSkdTRmN6TVM4MmVHOXBZekZyTkhSaVYxaHJSRU5xYVhJek4zaFVWRTV4VWtGTlVGVjVSbEpYVTJSMmRDdHViRkJ4ZDI1aU9FOWhNa2t2YldGVFNuVnJZM2hFYWs1VFpuQkVhQzlDWkRGc1drNW5aR1F2T0dOTVpITkZNeXQzZVhCMVprbzVkVmhQTVdsUmNHNW9PWHBpZFVaSmQzTkpUMDVIYkRGd00wRTRRMmQ0YTNGSkwxVkJhV2d6U21GSFQzRmpjR05rWVVOSmVtdENZVkk1ZFZsUk1WZzBhekpXWnpWQlVGSk1iM1Y2Vm5rM1lUaEpWbXMyZDNWNU5uQnRLMVEzU0ZRMFRGazRhV0pUTlVaRldteG1RVVpNVTFjNFRuZHpWbm81VTBKTE1sWnhiakZPTUZCSlRXNDFlRUUyVGxwV1l6ZHZPRE0xUkV4QlJuTm9SVmRtUXpkVVNXVXpaejA5SWwxOS5leUp1YjI1alpTSTZJaTlYVG1SVFZXOHpiRUl4ZWt0Mk5UVlpNV1EyY2psR1pXdFJkbE5rZERjNWNHaDRjMmhuTjNsMVIxazlJaXdpZEdsdFpYTjBZVzF3VFhNaU9qRTFNelUyT1Rjd056TTFOVEFzSW1Gd2ExQmhZMnRoWjJWT1lXMWxJam9pWTI5dExtZHZiMmRzWlM1aGJtUnliMmxrTG1kdGN5SXNJbUZ3YTBScFoyVnpkRk5vWVRJMU5pSTZJako1TXpBNFJ6Y3hMM2RaUmtZMk9XRnVSVzlKT1VGYWNrTmFPREZFV0dSMk1YaEhNMjg0UVZkUlNITTlJaXdpWTNSelVISnZabWxzWlUxaGRHTm9JanAwY25WbExDSmhjR3REWlhKMGFXWnBZMkYwWlVScFoyVnpkRk5vWVRJMU5pSTZXeUk0VURGelZ6QkZVRXBqYzJ4M04xVjZVbk5wV0V3Mk5IY3JUelV3UldRclVrSkpRM1JoZVRGbk1qUk5QU0pkTENKaVlYTnBZMGx1ZEdWbmNtbDBlU0k2ZEhKMVpYMC5QVW9fT0h0dW96SWUxZGZFNlctSUVlYkZtN0R0Qll6M2NmZ0UzRlB5X3dVQlFCMjUwUE1WWjNVbk1NVjYwb0Q2U3d0ajZtQ0lQYnNYZnBULXFuY184eHlTUURndXZQUmp1b191b1JtUWF4aV9FSEZVaTZrZFV0akhaNkY1bWpYcVF4LWRiaFlONU00dG01WlM2bUxaMkdlbGlVcE1UVG9nU2FQUVZiVnl1Y3g0aGpfT1VDLWVPM1lCRmRldmw0d0pmSy15QVJxaGtmOHN6NEgwa1E5TU9IT2U0N0x2a0h3RnI2MElQSjNaQ3QwSklKYnJWVDZnMHJJal9iSlo3aXFrTDFOWUhrbURvNUhnSkgyTXA3QnYtZlJfMHcydzJyWkIzZk5zVGhxRm9UbUI4RU5XUmJjQ3lWQXBncVdIbFU5bUh5SlJGWVVsbnVDcGRGSEwwUjFaX1FoYXV0aERhdGFYxTLLgNysw8NSRiywHzv-MC3m83EvMP0g7NGcO6W4WJSVRAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEBKg96NvDCk5gmyyLqM0zXE0ZZnSkTarHzUfYU2PHWwdQhjjWLXayf0-jYLazWjpSr-N8DM1Zhls4jfmQCqa50X6UBAgMmIAEhWCAGD72C5VXE3mwMjzc_X0_7wUgIOA6kt2KoDIn1-1PHdSJYIAoZmBXyEJkjvlu251BDb8VoOtIketAD1VvYc3WUJJrZ'
+      end
+
+      # it do
+      #   expect do
+      #     subject
+      #   end.not_to raise_error
+      # end
+      it 'TODO: handle time-dependent certificate verification error (timecop can\'t modify time in openssl world)'
+
+      context 'when client_data_json is invalid' do
+        let(:client_data_json) do
+          Base64.urlsafe_encode64({
+            type: "webauthn.create",
+            challenge: "cmFuZG9tLXN0cmluZy1nZW5lcmF0ZWQtYnktcnAtc2VydmVy",
+            origin: "https://web-authn.self-issued.app",
+            androidPackageName: "com.chrome.canary.malformed"
+          }.to_json, padding: false)
+        end
+
+        it do
+          expect do
+            subject
+          end.to raise_error WebAuthn::InvalidAttestation, 'Invalid Android Safetynet Response: nonce'
+        end
+      end
+    end
   end
 end

data/web_authn.gemspec

@@ -9,12 +9,13 @@ Gem::Specification.new do |gem|
   gem.license       = 'MIT'
   gem.files         = `git ls-files`.split("\n")
   gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.executables   = `git ls-files -- exe/*`.split("\n").map{ |f| File.basename(f) }
   gem.require_paths = ['lib']
   gem.required_ruby_version = '>= 2.3'
   gem.add_runtime_dependency 'activesupport'
   gem.add_runtime_dependency 'cbor'
-  gem.add_runtime_dependency 'cose-key'
+  gem.add_runtime_dependency 'cose-key', '>= 0.2.0'
+  gem.add_runtime_dependency 'json-jwt'
   gem.add_development_dependency 'rake', '~> 10.0'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'rspec'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: web_authn
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.5.0
 platform: ruby
 authors:
 - nov matake
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-09 00:00:00.000000000 Z
+date: 2020-08-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -40,6 +40,20 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: cose-key
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+- !ruby/object:Gem::Dependency
+  name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -112,9 +126,7 @@ description: W3C Web Authentication API (a.k.a. WebAuthN / FIDO 2.0) RP library
   Ruby
 email:
 - nov@matake.jp
-executables:
-- console
-- setup
+executables: []
 extensions: []
 extra_rdoc_files: []
 files:
@@ -122,6 +134,7 @@ files:
 - ".rspec"
 - ".travis.yml"
 - Gemfile
+- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -130,6 +143,10 @@ files:
 - bin/setup
 - lib/web_authn.rb
 - lib/web_authn/attestation_object.rb
+- lib/web_authn/attestation_statement.rb
+- lib/web_authn/attestation_statement/android_safetynet.rb
+- lib/web_authn/attestation_statement/apple.rb
+- lib/web_authn/attestation_statement/packed.rb
 - lib/web_authn/attested_credential_data.rb
 - lib/web_authn/authenticator_data.rb
 - lib/web_authn/authenticator_data/flags.rb
@@ -166,8 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: WebAuthn RP library