web_authn 0.0.0 → 0.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0f760c97d1bf71827f8f5fc1ae2e0da5ada27e221e7ab85ae001f1f97be6210
-  data.tar.gz: 0b4ec0fa7befdccfe91666f0f550318513222aee0600b1263c44743c1211d590
+  metadata.gz: fd0d84bc14a9f6773426c3c509b379268f26b36ee5555fd8c3603a45cc677221
+  data.tar.gz: 124bfe151246e6380a59984f95784f6f39671038ddf98aed99dd8d4b8b59233f
 SHA512:
-  metadata.gz: 6048298d255edac0b1d0bcf5689118c11087bc514ef60a6972dcaf6316fde3c3ec09b58ebda43b49e3d95e6e736cb37dfa8998382419689eeb28c29064ee0c07
-  data.tar.gz: 10ed1a6298c6b8a22f9840c7f967a369501bc7429ac123f2baf7e69f1155efd157eefacbd8de11bf7aff9a29b41f80b7a5b6fe81977cef2810480c789b2e1f7b
+  metadata.gz: 811e1addfca6f94a181bb59dc02fd1bde4ac6c5692e5a1ed5903eb8b7063db5409061ab2880e3425be6f940aac2394d90d1223dea6d4c0a1262560388ba2fa38
+  data.tar.gz: faf55e02e28045d0cd1a767170bf20f606a9329bd6c351f8d81ea974e6c78d0e08d4d02bd2e714431cddc3ff3fd0651106325487e8c257da3fecc2072ebcf356

data/VERSION

@@ -1 +1 @@
-0.0.0
+0.0.1

data/lib/web_authn/attestation_object.rb

@@ -0,0 +1,33 @@
+module WebAuthn
+  class AttestationObject
+    attr_accessor :format, :attestation_statement, :authenticator_data
+    alias_method :fmt,       :format
+    alias_method :att_stmt,  :attestation_statement
+    alias_method :auth_data, :authenticator_data
+
+    %i(credential_id rp_id_hash flags public_key sign_count).each do |method|
+      delegate method, to: :authenticator_data
+    end
+
+    def initialize(attrs)
+      self.format = attrs[:fmt]
+      self.attestation_statement = case format
+      when 'none'
+        nil
+      when 'packed', 'tpm', 'android-key', 'android-safetynet', 'fido-u2f'
+        raise "Unsupported Attestation Format: #{attestation_object[:fmt]}"
+      else
+        raise 'Unknown Attestation Format'
+      end
+      self.authenticator_data = AuthenticatorData.decode attrs[:authData]
+    end
+
+    class << self
+      def decode(encoded_attestation_object)
+        new CBOR.decode(
+          Base64.urlsafe_decode64 encoded_attestation_object
+        ).with_indifferent_access
+      end
+    end
+  end
+end

data/lib/web_authn/attested_credential_data.rb

@@ -0,0 +1,49 @@
+module WebAuthn
+  class AttestedCredentialData
+    attr_accessor :aaguid, :credential_id, :public_key
+
+    def initialize(aaguid:, credential_id:, public_key:)
+      self.aaguid = aaguid
+      self.credential_id = credential_id
+      self.public_key = public_key
+    end
+
+    class << self
+      def decode(attested_credential_data)
+        length = (
+          ((attested_credential_data.getbyte(16) << 8) & 0xFF) +
+          (attested_credential_data.getbyte(17) & 0xFF)
+        )
+        aaguid,
+        credential_id,
+        _encoded_cose_key_ = [
+          attested_credential_data.byteslice(0...16),
+          attested_credential_data.byteslice(18...(18 + length)),
+          attested_credential_data.byteslice((18 + length)..-1),
+        ]
+        cose_key = COSE::Key::EC2.from_cbor(_encoded_cose_key_)
+        crv = case cose_key.curve
+        when 1
+          :'P-256'
+        when 2
+          :'P-384'
+        when 3
+          :'P-521'
+        else
+          raise 'Non-supported EC curve'
+        end
+        jwk = JSON::JWK.new(
+          kty: :EC,
+          crv: crv,
+          x: Base64.urlsafe_encode64(cose_key.x_coordinate, padding: false),
+          y: Base64.urlsafe_encode64(cose_key.y_coordinate, padding: false),
+        )
+        new(
+          aaguid: Base64.urlsafe_encode64(aaguid, padding: false),
+          credential_id: Base64.urlsafe_encode64(credential_id, padding: false),
+          public_key: jwk.to_key
+        )
+      end
+    end
+  end
+end

data/lib/web_authn/authenticator_data/flags.rb

@@ -0,0 +1,30 @@
+module WebAuthn
+  class AuthenticatorData
+    class Flags
+      _flags_ = [:up, :uv, :at, :ex]
+      attr_accessor *_flags_
+      _flags_.each do |flag|
+        alias_method :"#{flag}?", flag
+      end
+
+      def initialize(up:, uv:, at:, ex:)
+        self.up = up
+        self.uv = uv
+        self.at = at
+        self.ex = ex
+      end
+
+      class << self
+        def decode(input)
+          bit_array = input.getbyte(0)
+          new(
+            up: bit_array[0] == 1,
+            uv: bit_array[2] == 1,
+            at: bit_array[6] == 1,
+            ex: bit_array[7] == 1
+          )
+        end
+      end
+    end
+  end
+end

data/lib/web_authn/authenticator_data.rb

@@ -1,4 +1,47 @@
 module WebAuthn
-  class AuthData
+  class AuthenticatorData
+    attr_accessor :rp_id_hash, :flags, :sign_count, :attested_credential_data
+
+    %i(credential_id public_key).each do |method|
+      delegate method, to: :attested_credential_data, allow_nil: true
+    end
+
+    def initialize(rp_id_hash:, flags:, sign_count:, attested_credential_data: nil)
+      self.rp_id_hash = rp_id_hash
+      self.flags = flags
+      self.sign_count = sign_count
+      self.attested_credential_data = attested_credential_data
+    end
+
+    class << self
+      def decode(auth_data)
+        rp_id_hash,
+        _flags_,
+        sign_count = [
+          auth_data.byteslice(0...32),
+          auth_data.byteslice(32),
+          auth_data.byteslice(33...37)
+        ]
+        flags = Flags.decode(_flags_)
+        attested_credential_data = if flags.at?
+          if flags.ex?
+            raise 'Extension Data Not Supported Yet'
+          else
+            AttestedCredentialData.decode auth_data.byteslice(37..-1)
+          end
+        else
+          nil
+        end
+
+        new(
+          rp_id_hash: Base64.urlsafe_encode64(rp_id_hash, padding: false),
+          flags: flags,
+          sign_count: sign_count.unpack('N1').first,
+          attested_credential_data: attested_credential_data
+        )
+      end
+    end
   end
 end
+
+require 'web_authn/authenticator_data/flags'

data/lib/web_authn/client_data_json.rb

@@ -1,4 +1,23 @@
 module WebAuthn
   class ClientDataJSON
+    attr_accessor :type, :origin, :challenge, :raw
+
+    def initialize(attrs = {})
+      self.type = attrs[:type]
+      self.origin = attrs[:origin]
+      self.challenge = attrs[:challenge]
+      self.raw = attrs[:raw]
+    end
+
+    class << self
+      def decode(encoded_client_data_json)
+        raw_client_data_json = Base64.urlsafe_decode64 encoded_client_data_json
+        new JSON.parse(
+          raw_client_data_json
+        ).merge(
+          raw: raw_client_data_json
+        ).with_indifferent_access
+      end
+    end
   end
 end

data/lib/web_authn/context/authentication.rb

@@ -0,0 +1,54 @@
+module WebAuthn
+  class Context
+    class Authentication < Context
+      attr_accessor :authenticator_data
+
+      # TODO: will need more methods, or let developers access deep methods by themselves.
+      %i(rp_id_hash flags sign_count).each do |method|
+        delegate method, to: :authenticator_data
+      end
+
+      def authentication?
+        true
+      end
+
+      def verify!(encoded_authenticator_data, public_key:, sign_count:, signature:)
+        raw_authenticator_data = Base64.urlsafe_decode64 encoded_authenticator_data
+        self.authenticator_data = AuthenticatorData.decode(
+          raw_authenticator_data
+        )
+        verify_sign_count!(sign_count, authenticator_data.sign_count)
+        verify_signature!(raw_authenticator_data, client_data_json.raw, public_key, signature)
+        self
+      end
+
+      private
+
+      def verify_sign_count!(before, current)
+        if before == 0 && current == 0
+          self # NOTE: no counter supported on the authenticator
+        elsif before < current
+          self
+        else
+          raise 'Invalid Sign Count'
+        end
+      end
+
+      def verify_signature!(raw_authenticator_data, raw_client_data_json, public_key, signature)
+        signature_base_string = [
+          raw_authenticator_data,
+          OpenSSL::Digest::SHA256.digest(raw_client_data_json)
+        ].join
+        result = public_key.dsa_verify_asn1(
+          OpenSSL::Digest::SHA256.digest(signature_base_string),
+          Base64.urlsafe_decode64(signature)
+        )
+        if result
+          self
+        else
+          raise 'Invalid Signature'
+        end
+      end
+    end
+  end
+end

data/lib/web_authn/context/registration.rb

@@ -0,0 +1,23 @@
+module WebAuthn
+  class Context
+    class Registration < Context
+      attr_accessor :attestation_object
+
+      # TODO: will need more methods, or let developers access deep methods by themselves.
+      %i(credential_id rp_id_hash flags public_key sign_count).each do |method|
+        delegate method, to: :attestation_object
+      end
+
+      def registration?
+        true
+      end
+
+      def verify!(encoded_attestation_object)
+        self.attestation_object = AttestationObject.decode(
+          encoded_attestation_object
+        )
+        self
+      end
+    end
+  end
+end

data/lib/web_authn/context.rb

@@ -0,0 +1,43 @@
+module WebAuthn
+  class Context
+    attr_accessor :client_data_json
+
+    def initialize(client_data_json)
+      self.client_data_json = client_data_json
+    end
+
+    def verify_session!(origin:, challenge:)
+      raise 'Invalid Client Data JSON Origin' unless client_data_json.origin == origin
+      raise 'Invalid Client Data JSON Session' unless client_data_json.challenge == challenge
+      self
+    end
+
+    def registration?
+      false
+    end
+
+    def authentication?
+      false
+    end
+
+    class << self
+      def for(encoded_client_data_json, origin:, challenge:)
+        client_data_json = ClientDataJSON.decode encoded_client_data_json
+
+        context = case client_data_json.type
+        when 'webauthn.create'
+          Registration.new(client_data_json)
+        when 'webauthn.get'
+          Authentication.new(client_data_json)
+        else
+          raise 'Unknown Client Data JSON Type'
+        end
+
+        context.verify_session!(origin: origin, challenge: challenge)
+      end
+    end
+  end
+end
+
+require 'web_authn/context/authentication'
+require 'web_authn/context/registration'

data/lib/web_authn.rb

@@ -1,7 +1,24 @@
+require 'active_support'
+require 'active_support/core_ext'
+require 'cbor'
+require 'cose'
+require 'cose/key/ec2'
+require 'json/jwt'
+
 module WebAuthn
-  # TODO:
+  module_function
+
+  def context_for(encoded_client_data_json, origin:, challenge:)
+    Context.for(
+      encoded_client_data_json,
+      origin: origin,
+      challenge: challenge
+    )
+  end
 end
 
 require 'web_authn/attestation_object'
+require 'web_authn/attested_credential_data'
 require 'web_authn/authenticator_data'
 require 'web_authn/client_data_json'
+require 'web_authn/context'

data/samples/authentication_response.rb

@@ -0,0 +1,46 @@
+require 'web_authn'
+
+authenticator_data = 'MsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJUBAAAAOw'
+
+signature = 'MEUCIQDXp8Wqzz3ZYV7avKvH3R3XQhW7xPYb5Cq2nx3gpflDGwIgPN0tSy2mmgpI06IIKmjrIUxCvL4Rfc53mFXfVd_yL58'
+sign_count = 0
+
+client_data_json = 'eyJjaGFsbGVuZ2UiOiJjbUZ1Wkc5dExYTjBjbWx1WnkxblpXNWxjbUYwWldRdFlua3RjbkF0YzJWeWRtVnkiLCJvcmlnaW4iOiJodHRwczovL3dlYi1hdXRobi5zZWxmLWlzc3VlZC5hcHAiLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0'
+
+origin = 'https://web-authn.self-issued.app'
+challenge = 'cmFuZG9tLXN0cmluZy1nZW5lcmF0ZWQtYnktcnAtc2VydmVy'
+
+public_key = OpenSSL::PKey::EC.new <<-PEM
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMpNU/8TjYoyN8FlhZ+YsOMAvyfQ4
+i6/JN0/DPXuZMoxLvdb1vjh7vPUt2Osw3Bq+0NZsx3U/8kmpFuwsZhTi9A==
+-----END PUBLIC KEY-----
+PEM
+
+context = WebAuthn.context_for(
+  client_data_json,
+  origin: origin,
+  challenge: challenge,
+)
+raise unless context.authentication?
+
+context.verify!(
+  authenticator_data,
+  public_key: public_key,
+  sign_count: sign_count,
+  signature: signature
+)
+
+puts <<-OUT
+# RP ID Hash
+#{context.rp_id_hash}
+
+# Flags
+up: #{context.flags.up}
+uv: #{context.flags.uv}
+at: #{context.flags.at}
+ex: #{context.flags.ex}
+
+# Sign Count
+#{context.sign_count}
+OUT

data/samples/concept.rb

@@ -0,0 +1,34 @@
+# Common
+context = WebAuthn.context_for(
+  client_data_json,
+  origin: request.base_url,
+  challenge: session[:challenge],
+)
+
+# Registration
+raise unless context.registration?
+
+context.verify!(params[:attestation_object])
+current_account.fido_authenticators.create(
+  credential_id: context.credential_id,
+  public_key: context.public_key.to_pem,
+  sign_count: context.sign_count
+)
+
+# Authentication
+raise unless context.authentication?
+
+fido_authentiator = FIDO::Authenticatior.find_by(credential_id: params[:credential_id])
+raise unless fido_authentiator.present?
+
+context.verify!(
+  authenticator_data,
+  public_key: fido_authentiator.public_key,
+  sign_count: fido_authentiator.sign_count,
+  signature: params[:signature]
+)
+
+fido_authentiator.update!(
+  sign_count: context.sign_count
+)
+authenticate authenticator.user

data/samples/registration_response.rb

@@ -0,0 +1,37 @@
+require 'web_authn'
+
+attestation_object = 'o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjEMsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJVBAAAAMAAAAAAAAAAAAAAAAAAAAAAAQM1zXqvmYeVH9o2q1YcBZDSlkhvVs_2RjnKESVUktkQwQnYcU8jdo-duNLKrIOZNg0g4RCm0UMDZxtdXhR2bCu2lAQIDJiABIVggDMGhDLXoZit2uSMLyL-_emlFrGzlH7b2KpKpgYNzPRYiWCAl795OxcS2QimEnC9Jl_pNG3Gy_9O6m3_GbZdGsk90aw'
+
+client_data_json = 'eyJjaGFsbGVuZ2UiOiJjbUZ1Wkc5dExYTjBjbWx1WnkxblpXNWxjbUYwWldRdFlua3RjbkF0YzJWeWRtVnkiLCJuZXdfa2V5c19tYXlfYmVfYWRkZWRfaGVyZSI6ImRvIG5vdCBjb21wYXJlIGNsaWVudERhdGFKU09OIGFnYWluc3QgYSB0ZW1wbGF0ZS4gU2VlIGh0dHBzOi8vZ29vLmdsL3lhYlBleCIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViLWF1dGhuLnNlbGYtaXNzdWVkLmFwcCIsInR5cGUiOiJ3ZWJhdXRobi5jcmVhdGUifQ'
+
+origin = 'https://web-authn.self-issued.app'
+challenge = 'cmFuZG9tLXN0cmluZy1nZW5lcmF0ZWQtYnktcnAtc2VydmVy'
+
+context = WebAuthn.context_for(
+  client_data_json,
+  origin: origin,
+  challenge: challenge
+)
+raise unless context.registration?
+
+context.verify! attestation_object
+
+puts <<-OUT
+# RP ID Hash
+#{context.rp_id_hash}
+
+# Flags
+up: #{context.flags.up}
+uv: #{context.flags.uv}
+at: #{context.flags.at}
+ex: #{context.flags.ex}
+
+# Credential ID
+#{context.credential_id}
+
+# Public Key
+#{context.public_key.to_pem}
+
+# Sign Count
+#{context.sign_count}
+OUT

data/web_authn.gemspec

@@ -12,8 +12,10 @@ Gem::Specification.new do |gem|
   gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   gem.require_paths = ['lib']
   gem.required_ruby_version = '>= 2.3'
-  gem.add_runtime_dependency 'json-jwt', '>= 1.9.4'
-  gem.add_runtime_dependency 'cbor', '>= 0.5.9.3'
+  gem.add_runtime_dependency 'activesupport'
+  gem.add_runtime_dependency 'cbor'
+  gem.add_runtime_dependency 'cose'
+  gem.add_runtime_dependency 'json-jwt'
   gem.add_development_dependency 'rake', '~> 10.0'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'rspec'

metadata

@@ -1,43 +1,71 @@
 --- !ruby/object:Gem::Specification
 name: web_authn
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.0.1
 platform: ruby
 authors:
 - nov matake
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-29 00:00:00.000000000 Z
+date: 2018-09-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: json-jwt
+  name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.4
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.4
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: cbor
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.5.9.3
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cose
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.5.9.3
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -97,9 +125,7 @@ dependencies:
 description: W3C WebAuthn (a.k.a. FIDO2) RP library in Ruby
 email:
 - nov@matake.jp
-executables:
-- console
-- setup
+executables: []
 extensions: []
 extra_rdoc_files: []
 files:
@@ -111,12 +137,18 @@ files:
 - README.md
 - Rakefile
 - VERSION
-- bin/console
-- bin/setup
 - lib/web_authn.rb
 - lib/web_authn/attestation_object.rb
+- lib/web_authn/attested_credential_data.rb
 - lib/web_authn/authenticator_data.rb
+- lib/web_authn/authenticator_data/flags.rb
 - lib/web_authn/client_data_json.rb
+- lib/web_authn/context.rb
+- lib/web_authn/context/authentication.rb
+- lib/web_authn/context/registration.rb
+- samples/authentication_response.rb
+- samples/concept.rb
+- samples/registration_response.rb
 - spec/spec_helper.rb
 - spec/web_authn_spec.rb
 - web_authn.gemspec

data/bin/console

@@ -1,14 +0,0 @@
-#!/usr/bin/env ruby
-
-require "bundler/setup"
-require "web_authn"
-
-# You can add fixtures and/or initialization code here to make experimenting
-# with your gem easier. You can also use a different console, if you like.
-
-# (If you use this, don't forget to add pry to your Gemfile!)
-# require "pry"
-# Pry.start
-
-require "irb"
-IRB.start(__FILE__)

data/bin/setup

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here