web_authn 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd0d84bc14a9f6773426c3c509b379268f26b36ee5555fd8c3603a45cc677221
-  data.tar.gz: 124bfe151246e6380a59984f95784f6f39671038ddf98aed99dd8d4b8b59233f
+  metadata.gz: 648a6cc93f91835ee94c9c5d7efafd7ba788863d61a2e44efba388c4a45f066c
+  data.tar.gz: a0fa7c5a9848ec784ed62297131022223b6c6c43467532cb2ebb3fa71df706ae
 SHA512:
-  metadata.gz: 811e1addfca6f94a181bb59dc02fd1bde4ac6c5692e5a1ed5903eb8b7063db5409061ab2880e3425be6f940aac2394d90d1223dea6d4c0a1262560388ba2fa38
-  data.tar.gz: faf55e02e28045d0cd1a767170bf20f606a9329bd6c351f8d81ea974e6c78d0e08d4d02bd2e714431cddc3ff3fd0651106325487e8c257da3fecc2072ebcf356
+  metadata.gz: 44f73a5564326062ce9614d3df2e3238fad34c0ce5ea8e4381a0ca81e541fb0a893670527f013c12f9698da077d946b140746972ad8718601fd1562bf7a99399
+  data.tar.gz: 1858d4cb4e878ba8ae0595689f307cb13a4b17e2b21e6baf1569f496d94b01cf0f486bf8758224c114a9c3052e1ac3e46210321718ea4ef9ed5c02db9b923e12

data/README.md

@@ -1,8 +1,8 @@
 # WebAuthn
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/web_authn`. To experiment with that code, run `bin/console` for an interactive prompt.
+W3C WebAuthn (a.k.a. FIDO2) RP library in Ruby
 
-TODO: Delete this and the text above, and describe your gem
+[![Build Status](https://secure.travis-ci.org/nov/web_authn.png)](http://travis-ci.org/nov/web_authn)
 
 ## Installation
 
@@ -22,7 +22,12 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+See samples for usage.
+
+Currently, there are several restrictions.
+* only `none` attestation format is supported.
+* only EC key w/ `P-(256|384|521)` public key is supported.
+* authenticator data w/ extensions aren't supported.
 
 ## Development
 

data/VERSION

@@ -1 +1 @@
-0.0.1
+0.0.2

data/lib/web_authn.rb

@@ -6,6 +6,11 @@ require 'cose/key/ec2'
 require 'json/jwt'
 
 module WebAuthn
+  class Exception < StandardError; end
+  class InvalidContext < Exception; end
+  class InvalidAssertion < Exception; end
+  class NotImplementedError < NotImplementedError; end
+
   module_function
 
   def context_for(encoded_client_data_json, origin:, challenge:)

data/lib/web_authn/attestation_object.rb

@@ -15,9 +15,9 @@ module WebAuthn
       when 'none'
         nil
       when 'packed', 'tpm', 'android-key', 'android-safetynet', 'fido-u2f'
-        raise "Unsupported Attestation Format: #{attestation_object[:fmt]}"
+        raise NotImplementedError, "Unsupported Attestation Format: #{attestation_object[:fmt]}"
       else
-        raise 'Unknown Attestation Format'
+        raise InvalidContext, 'Unknown Attestation Format'
       end
       self.authenticator_data = AuthenticatorData.decode attrs[:authData]
     end

data/lib/web_authn/attested_credential_data.rb

@@ -30,7 +30,7 @@ module WebAuthn
         when 3
           :'P-521'
         else
-          raise 'Non-supported EC curve'
+          raise NotImplementedError, 'Non-supported EC curve'
         end
         jwk = JSON::JWK.new(
           kty: :EC,

data/lib/web_authn/authenticator_data.rb

@@ -25,7 +25,7 @@ module WebAuthn
         flags = Flags.decode(_flags_)
         attested_credential_data = if flags.at?
           if flags.ex?
-            raise 'Extension Data Not Supported Yet'
+            raise NotImplementedError, 'Extension Data Not Supported Yet'
           else
             AttestedCredentialData.decode auth_data.byteslice(37..-1)
           end

data/lib/web_authn/authenticator_data/flags.rb

@@ -14,6 +14,13 @@ module WebAuthn
         self.ex = ex
       end
 
+      def ==(target)
+        up == target.up &&
+        uv == target.uv &&
+        at == target.at &&
+        ex == target.ex
+      end
+
       class << self
         def decode(input)
           bit_array = input.getbyte(0)

data/lib/web_authn/context.rb

@@ -7,8 +7,12 @@ module WebAuthn
     end
 
     def verify_session!(origin:, challenge:)
-      raise 'Invalid Client Data JSON Origin' unless client_data_json.origin == origin
-      raise 'Invalid Client Data JSON Session' unless client_data_json.challenge == challenge
+      if client_data_json.origin != origin
+        raise InvalidContext, 'Invalid Origin'
+      end
+      if client_data_json.challenge != challenge
+        raise InvalidContext, 'Invalid Challenge'
+      end
       self
     end
 
@@ -30,7 +34,7 @@ module WebAuthn
         when 'webauthn.get'
           Authentication.new(client_data_json)
         else
-          raise 'Unknown Client Data JSON Type'
+          raise InvalidContext, 'Unknown Client Data JSON Type'
         end
 
         context.verify_session!(origin: origin, challenge: challenge)

data/lib/web_authn/context/authentication.rb

@@ -30,7 +30,7 @@ module WebAuthn
         elsif before < current
           self
         else
-          raise 'Invalid Sign Count'
+          raise InvalidAssertion, 'Invalid Sign Count'
         end
       end
 
@@ -39,14 +39,15 @@ module WebAuthn
           raw_authenticator_data,
           OpenSSL::Digest::SHA256.digest(raw_client_data_json)
         ].join
-        result = public_key.dsa_verify_asn1(
-          OpenSSL::Digest::SHA256.digest(signature_base_string),
-          Base64.urlsafe_decode64(signature)
+        result = public_key.verify(
+          OpenSSL::Digest::SHA256.new,
+          Base64.urlsafe_decode64(signature),
+          signature_base_string
         )
         if result
           self
         else
-          raise 'Invalid Signature'
+          raise InvalidAssertion, 'Invalid Signature'
         end
       end
     end

data/samples/authentication_response.rb

@@ -1,9 +1,9 @@
 require 'web_authn'
 
-authenticator_data = 'MsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJUBAAAAOw'
+authenticator_data = 'MsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJUBAAAASg'
 
-signature = 'MEUCIQDXp8Wqzz3ZYV7avKvH3R3XQhW7xPYb5Cq2nx3gpflDGwIgPN0tSy2mmgpI06IIKmjrIUxCvL4Rfc53mFXfVd_yL58'
-sign_count = 0
+signature = 'MEYCIQDmAVQcoMNRJiQZe9o5jJMnYvzza3nkDpnWdmdgKYBfwAIhAINDcFyIpIB8fql4QkllVXrQOkICfi595Gkn313gYG2r'
+sign_count = 73
 
 client_data_json = 'eyJjaGFsbGVuZ2UiOiJjbUZ1Wkc5dExYTjBjbWx1WnkxblpXNWxjbUYwWldRdFlua3RjbkF0YzJWeWRtVnkiLCJvcmlnaW4iOiJodHRwczovL3dlYi1hdXRobi5zZWxmLWlzc3VlZC5hcHAiLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0'
 

data/samples/registration_response.rb

@@ -1,8 +1,8 @@
 require 'web_authn'
 
-attestation_object = 'o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjEMsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJVBAAAAMAAAAAAAAAAAAAAAAAAAAAAAQM1zXqvmYeVH9o2q1YcBZDSlkhvVs_2RjnKESVUktkQwQnYcU8jdo-duNLKrIOZNg0g4RCm0UMDZxtdXhR2bCu2lAQIDJiABIVggDMGhDLXoZit2uSMLyL-_emlFrGzlH7b2KpKpgYNzPRYiWCAl795OxcS2QimEnC9Jl_pNG3Gy_9O6m3_GbZdGsk90aw'
+attestation_object = 'o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjEMsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJVBAAAASQAAAAAAAAAAAAAAAAAAAAAAQA3sNJGmV3TJ2Y5pYDZP-DpZIku6rXhmhUZJ5kNNlaI3-4wwfhl296tAl52zStVDUsLVIm4_e4apQWUwl6eGnXalAQIDJiABIVggmQvMomjF0F3asbDWda13XeA1UbXdcS5j3Wg3G1LtgaMiWCBlNRc_WstNxVl56t6fVIJuVjMZqon1GpDp_UDDTXO7_g'
 
-client_data_json = 'eyJjaGFsbGVuZ2UiOiJjbUZ1Wkc5dExYTjBjbWx1WnkxblpXNWxjbUYwWldRdFlua3RjbkF0YzJWeWRtVnkiLCJuZXdfa2V5c19tYXlfYmVfYWRkZWRfaGVyZSI6ImRvIG5vdCBjb21wYXJlIGNsaWVudERhdGFKU09OIGFnYWluc3QgYSB0ZW1wbGF0ZS4gU2VlIGh0dHBzOi8vZ29vLmdsL3lhYlBleCIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViLWF1dGhuLnNlbGYtaXNzdWVkLmFwcCIsInR5cGUiOiJ3ZWJhdXRobi5jcmVhdGUifQ'
+client_data_json = 'eyJjaGFsbGVuZ2UiOiJjbUZ1Wkc5dExYTjBjbWx1WnkxblpXNWxjbUYwWldRdFlua3RjbkF0YzJWeWRtVnkiLCJvcmlnaW4iOiJodHRwczovL3dlYi1hdXRobi5zZWxmLWlzc3VlZC5hcHAiLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0'
 
 origin = 'https://web-authn.self-issued.app'
 challenge = 'cmFuZG9tLXN0cmluZy1nZW5lcmF0ZWQtYnktcnAtc2VydmVy'

data/spec/authenticator_data/flags_spec.rb

@@ -0,0 +1,45 @@
+RSpec.describe WebAuthn::AuthenticatorData::Flags do
+  describe '.decode' do
+    subject { described_class.decode [bits].pack('b*') }
+
+    describe 'when all false' do
+      let(:bits) { '00000000' }
+      its(:up?) { should == false }
+      its(:uv?) { should == false }
+      its(:at?) { should == false }
+      its(:ex?) { should == false }
+    end
+
+    describe 'when up is on' do
+      let(:bits) { '10000000' }
+      its(:up?) { should == true }
+      its(:uv?) { should == false }
+      its(:at?) { should == false }
+      its(:ex?) { should == false }
+    end
+
+    describe 'when uv is on' do
+      let(:bits) { '00100000' }
+      its(:up?) { should == false }
+      its(:uv?) { should == true }
+      its(:at?) { should == false }
+      its(:ex?) { should == false }
+    end
+
+    describe 'when at is on' do
+      let(:bits) { '00000010' }
+      its(:up?) { should == false }
+      its(:uv?) { should == false }
+      its(:at?) { should == true }
+      its(:ex?) { should == false }
+    end
+
+    describe 'when ex is on' do
+      let(:bits) { '00000001' }
+      its(:up?) { should == false }
+      its(:uv?) { should == false }
+      its(:at?) { should == false }
+      its(:ex?) { should == true }
+    end
+  end
+end

data/spec/context/authentication_spec.rb

@@ -0,0 +1,72 @@
+RSpec.describe WebAuthn::Context::Authentication do
+  let(:context_instance) do
+    WebAuthn.context_for(
+      client_data_json,
+      origin: origin,
+      challenge: challenge
+    )
+  end
+
+  describe '#verify!' do
+    let(:client_data_json) do
+      'eyJjaGFsbGVuZ2UiOiJjbUZ1Wkc5dExYTjBjbWx1WnkxblpXNWxjbUYwWldRdFlua3RjbkF0YzJWeWRtVnkiLCJvcmlnaW4iOiJodHRwczovL3dlYi1hdXRobi5zZWxmLWlzc3VlZC5hcHAiLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0'
+    end
+    let(:origin) { 'https://web-authn.self-issued.app' }
+    let(:challenge) { 'cmFuZG9tLXN0cmluZy1nZW5lcmF0ZWQtYnktcnAtc2VydmVy' }
+    let(:rp_id_hash) do
+      'MsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJU'
+    end
+    let(:flags) do
+      WebAuthn::AuthenticatorData::Flags.new(
+        up: true, uv: false, at: false, ex: false
+      )
+    end
+    let(:public_key) do
+      OpenSSL::PKey::EC.new <<~PEM
+      -----BEGIN PUBLIC KEY-----
+      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMpNU/8TjYoyN8FlhZ+YsOMAvyfQ4
+      i6/JN0/DPXuZMoxLvdb1vjh7vPUt2Osw3Bq+0NZsx3U/8kmpFuwsZhTi9A==
+      -----END PUBLIC KEY-----
+      PEM
+    end
+    let(:sign_count) { 74 }
+    let(:signature) do
+      'MEYCIQDmAVQcoMNRJiQZe9o5jJMnYvzza3nkDpnWdmdgKYBfwAIhAINDcFyIpIB8fql4QkllVXrQOkICfi595Gkn313gYG2r'
+    end
+    let(:authenticator_data) do
+      'MsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJUBAAAASg'
+    end
+    subject do
+      context_instance.verify!(
+        authenticator_data,
+        public_key: public_key,
+        sign_count: sign_count - 1,
+        signature: signature
+      )
+    end
+
+    its(:rp_id_hash) { should == rp_id_hash }
+    its(:flags) { should == flags }
+    its(:sign_count) { should == sign_count }
+
+    context 'when sign count is invalid' do
+      let(:sign_count) { 75 }
+      it do
+        expect do
+          subject
+        end.to raise_error WebAuthn::InvalidAssertion, 'Invalid Sign Count'
+      end
+    end
+
+    context 'when signature is invalid' do
+      let(:signature) do
+        'MEQCIB09d1yFCLxDUJdYIW3HwrZPsNqA1jwLqv_EqyN-xFpYAiAZ5h3RvpxCKvcbwQhqFdw2Chw5rmVD6aAZBNC9tJNmZw'
+      end
+      it do
+        expect do
+          subject
+        end.to raise_error WebAuthn::InvalidAssertion, 'Invalid Signature'
+      end
+    end
+  end
+end

data/spec/context/registration_spec.rb

@@ -0,0 +1,46 @@
+RSpec.describe WebAuthn::Context::Registration do
+  let(:context) { registration_context }
+  let(:context_instance) do
+    WebAuthn.context_for(
+      client_data_json,
+      origin: context[:origin],
+      challenge: context[:challenge]
+    )
+  end
+
+  describe '#verify!' do
+    let(:credential_id) do
+      'Dew0kaZXdMnZjmlgNk_4OlkiS7qteGaFRknmQ02Vojf7jDB-GXb3q0CXnbNK1UNSwtUibj97hqlBZTCXp4addg'
+    end
+    let(:rp_id_hash) do
+      'MsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJU'
+    end
+    let(:flags) do
+      WebAuthn::AuthenticatorData::Flags.new(
+        up: true, uv: false, at: true, ex: false
+      )
+    end
+    let(:public_key_pem) do
+      <<~PEM
+      -----BEGIN PUBLIC KEY-----
+      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmQvMomjF0F3asbDWda13XeA1UbXd
+      cS5j3Wg3G1LtgaNlNRc/WstNxVl56t6fVIJuVjMZqon1GpDp/UDDTXO7/g==
+      -----END PUBLIC KEY-----
+      PEM
+    end
+    let(:sign_count) { 73 }
+    let(:attestation_object) do
+      'o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjEMsuA3KzDw1JGLLAfO_4wLebzcS8w_SDs0Zw7pbhYlJVBAAAASQAAAAAAAAAAAAAAAAAAAAAAQA3sNJGmV3TJ2Y5pYDZP-DpZIku6rXhmhUZJ5kNNlaI3-4wwfhl296tAl52zStVDUsLVIm4_e4apQWUwl6eGnXalAQIDJiABIVggmQvMomjF0F3asbDWda13XeA1UbXdcS5j3Wg3G1LtgaMiWCBlNRc_WstNxVl56t6fVIJuVjMZqon1GpDp_UDDTXO7_g'
+    end
+    subject { context_instance.verify! attestation_object }
+
+    its(:credential_id) { should == credential_id }
+    its(:rp_id_hash) { should == rp_id_hash }
+    its(:flags) { should == flags }
+    its(:public_key) { should be_instance_of OpenSSL::PKey::EC }
+    its(:public_key_pem) do
+      subject.public_key.to_pem.should == public_key_pem
+    end
+    its(:sign_count) { should == sign_count }
+  end
+end

data/spec/spec_helper.rb

@@ -13,3 +13,5 @@ RSpec.configure do |config|
     c.syntax = [:should, :expect]
   end
 end
+
+require 'support/context_factory'

data/spec/support/context_factory.rb

@@ -0,0 +1,26 @@
+module ContextFactory
+  extend RSpec::Core::SharedContext
+
+  let(:base_context) do
+    {
+      challenge: SecureRandom.hex(8),
+      origin: 'https://rp.example.com'
+    }
+  end
+  let(:registration_context) do
+    base_context.merge(type: 'webauthn.create')
+  end
+  let(:authentication_context) do
+    base_context.merge(type: 'webauthn.get')
+  end
+  let(:unknown_context) do
+    base_context
+  end
+  let(:client_data_json) do
+    Base64.urlsafe_encode64(context.to_json, padding: false)
+  end
+end
+
+RSpec.configure do |config|
+  config.include ContextFactory
+end

data/spec/web_authn_spec.rb

@@ -1,5 +1,54 @@
 RSpec.describe WebAuthn do
-  it "does something useful" do
-    expect(true).to eq(true)
+  shared_examples_for :invalid_context do
+    it do
+      expect do
+        subject
+      end.to raise_error WebAuthn::InvalidContext
+    end
+  end
+
+  shared_examples_for :context_validator do
+    context 'when invalid origin' do
+      let(:origin) { 'https://other-rp.example.com' }
+      it_behaves_like :invalid_context
+    end
+
+    context 'when invalid challenge' do
+      let(:challenge) { SecureRandom.hex(8) }
+      it_behaves_like :invalid_context
+    end
+  end
+
+  describe '#context_for' do
+    let(:origin) { context[:origin] }
+    let(:challenge) { context[:challenge] }
+    subject do
+      described_class.context_for(
+        client_data_json,
+        origin: origin,
+        challenge: challenge,
+      )
+    end
+
+    context 'when registration context' do
+      let(:context) { registration_context }
+      it_behaves_like :context_validator
+      it { should be_instance_of WebAuthn::Context::Registration }
+      it { should be_registration }
+      it { should_not be_authentication }
+    end
+
+    context 'when authentication context' do
+      let(:context) { authentication_context }
+      it_behaves_like :context_validator
+      it { should be_instance_of WebAuthn::Context::Authentication }
+      it { should_not be_registration }
+      it { should be_authentication }
+    end
+
+    context 'when unknown context' do
+      let(:context) { unknown_context }
+      it_behaves_like :invalid_context
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: web_authn
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - nov matake
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-03 00:00:00.000000000 Z
+date: 2018-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -149,7 +149,11 @@ files:
 - samples/authentication_response.rb
 - samples/concept.rb
 - samples/registration_response.rb
+- spec/authenticator_data/flags_spec.rb
+- spec/context/authentication_spec.rb
+- spec/context/registration_spec.rb
 - spec/spec_helper.rb
+- spec/support/context_factory.rb
 - spec/web_authn_spec.rb
 - web_authn.gemspec
 homepage: https://github.com/nov/web_authn
@@ -177,5 +181,9 @@ signing_key:
 specification_version: 4
 summary: W3C WebAuthn (a.k.a. FIDO2) RP library in Ruby
 test_files:
+- spec/authenticator_data/flags_spec.rb
+- spec/context/authentication_spec.rb
+- spec/context/registration_spec.rb
 - spec/spec_helper.rb
+- spec/support/context_factory.rb
 - spec/web_authn_spec.rb