web_authn 0.2.2 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0ff488512635e47137ce3c48273fb327c4a381a4
-  data.tar.gz: '09322b2c65d28acf9e26965b3bc080e47c687d24'
+  metadata.gz: ba07fe60ce73457f0f61ddc7c53dbf2b07886d93
+  data.tar.gz: a9d76ab96805dd91c619551c09e0701a2a7b0795
 SHA512:
-  metadata.gz: a0716efec15f12ff84672def323021fdb43890968551ffc18ffb0ce6b7fbbff949809ae54936cc683802b0ad573995cbc325f59a498fba917860d66036dbb51e
-  data.tar.gz: 9706f9c8c1fe371118d8f703bae4bfefeeade541661575b4c591ae4159ba15b320e3a3c90acafec0c9297b10014b9ae6a8e9fb88d28e7e22c534f5de48c38a37
+  metadata.gz: 4550a5b91a35c2c5e302b58072b2a063b203370a8128d03cc851d7866e8f6bee92eab6d86dda0a41dcc366b47f9c86bfc9a0eef1e6f4a7df24bba18bbf61e32f
+  data.tar.gz: 5aa59a73d18cfd24b6bd86431676c4c570ee6e5ff0e7af5c83fc70767a134ec87a577d1a7ebe0aab187dd92d9e467987b0e0adb085fe244aa57be6d4ac6f9849

data/README.md

@@ -26,6 +26,43 @@ $ gem install web_authn
 
 ## Usage
 
+```ruby
+context = WebAuthn.context_for(
+  client_data_json, # NOTE: URL-safe Base64 encoded
+  origin: request.base_url,
+  challenge: session[:challenge],
+)
+
+if context.registration?
+  context.verify!(
+    attestation_object # URL-safe Base64 encoded
+  )
+  context.credential_id
+  context.public_key # => `OpenSSL::PKey::RSA` or `OpenSSL::PKey::EC`
+  context.public_cose_key # => `COSE::Key::RSA` or `COSE::Key::EC2` ref.) https://github.com/nov/cose-key
+  context.sign_count # => `Integer`
+elsif context.authentication?
+  context.verify!(
+    authenticator_data, # URL-safe Base64 encoded
+
+    # NOTE:
+    #  either 'public_key' or 'public_cose_key' is required.
+    #  if `public_key` is given, you can also specify `digest` (default: `OpenSSL::Digest::SHA256.new`).
+    #  if `public_cose_key` is given, it includes digest size information, so no `digest` is required.
+
+    # public_key: public_key, # `OpenSSL::PKey::RSA` or `OpenSSL::PKey::EC`
+    # digest: OpenSSL::Digest::SHA256.new, # `OpenSSL::Digest::SHA(1|256|384|512)`` (default: `OpenSSL::Digest::SHA256`)
+    public_cose_key: public_cose_key, # `COSE::Key::RSA` or `COSE::Key::EC` ref.) https://github.com/nov/cose-key
+
+    sign_count: previously_stored_sign_count,
+    signature: signature # URL-safe Base64 encoded
+  )
+  context.sign_count # => Integer
+else
+  # should never happen.
+end
+```
+
 See sample code in this repository, or [working sample site](https://web-authn.herokuapp.com/).
 
 Currently, there are several restrictions.

data/VERSION

@@ -1 +1 @@
-0.2.2
+0.3.0

data/lib/web_authn.rb

@@ -3,10 +3,12 @@ require 'active_support'
 require 'active_support/core_ext'
 require 'cbor'
 require 'cose/key'
+require 'json/jwt'
 
 module WebAuthn
   class Exception < StandardError; end
   class InvalidContext < Exception; end
+  class InvalidAttestation < Exception; end
   class InvalidAssertion < Exception; end
   class NotImplementedError < NotImplementedError; end
 
@@ -22,6 +24,7 @@ module WebAuthn
 end
 
 require 'web_authn/attestation_object'
+require 'web_authn/attestation_statement'
 require 'web_authn/attested_credential_data'
 require 'web_authn/authenticator_data'
 require 'web_authn/client_data_json'

data/lib/web_authn/attestation_object.rb

@@ -9,24 +9,35 @@ module WebAuthn
       delegate method, to: :authenticator_data
     end
 
-    def initialize(attrs)
-      self.format = attrs[:fmt]
+    def initialize(fmt:, att_stmt:, auth_data:)
+      self.format = fmt
       self.attestation_statement = case format
       when 'none'
         nil
-      when 'packed', 'tpm', 'android-key', 'android-safetynet', 'fido-u2f'
+      when 'android-safetynet'
+        AttestationStatement::AndroidSafetynet.decode att_stmt
+      when 'packed', 'tpm', 'android-key', 'fido-u2f'
         raise NotImplementedError, "Unsupported Attestation Format: #{format}"
       else
         raise InvalidContext, 'Unknown Attestation Format'
       end
-      self.authenticator_data = AuthenticatorData.decode attrs[:authData]
+      self.authenticator_data = AuthenticatorData.decode auth_data
+    end
+
+    def verify_signature!(client_data_json)
+      attestation_statement.try(:verify!, authenticator_data, client_data_json)
     end
 
     class << self
       def decode(encoded_attestation_object)
-        new CBOR.decode(
+        cbor = CBOR.decode(
           Base64.urlsafe_decode64 encoded_attestation_object
         ).with_indifferent_access
+        new(
+          fmt: cbor[:fmt],
+          att_stmt: cbor[:attStmt],
+          auth_data: cbor[:authData]
+        )
       end
     end
   end

data/lib/web_authn/attestation_statement.rb

@@ -0,0 +1,6 @@
+module WebAuthn
+  class AttestationStatement
+  end
+end
+
+require 'web_authn/attestation_statement/android_safetynet'

data/lib/web_authn/attestation_statement/android_safetynet.rb

@@ -0,0 +1,81 @@
+module WebAuthn
+  class AttestationStatement
+    class AndroidSafetynet < AttestationStatement
+      attr_accessor :ver, :response, :certs
+
+      def initialize(ver:, response:)
+        self.ver = ver
+        self.response = response
+        self.certs = response.x5c.collect do |x5c|
+          OpenSSL::X509::Certificate.new(
+            Base64.decode64 x5c
+          )
+        end
+      end
+
+      def verify!(authenticator_data, client_data_json)
+        verify_nonce! authenticator_data, client_data_json
+        verify_signature!
+        verify_certificate!
+
+        # TODO: put more ref.) https://www.w3.org/TR/webauthn/#android-safetynet-attestation
+        unless response[:ctsProfileMatch]
+          raise InvalidAttestation, 'Invalid Android Safetynet Response: ctsProfileMatch'
+        end
+      end
+
+      private
+
+      def verify_nonce!(authenticator_data, client_data_json)
+        nonce = Base64.encode64(
+          OpenSSL::Digest::SHA256.digest [
+            authenticator_data.raw,
+            OpenSSL::Digest::SHA256.digest(client_data_json.raw)
+          ].join
+        ).strip
+        unless response[:nonce] == nonce
+          raise InvalidAttestation, 'Invalid Android Safetynet Response: nonce'
+        end
+      end
+
+      def verify_signature!
+        response.verify! certs.first.public_key
+      rescue JSON::JWS::VerificationFailed => e
+        raise InvalidAttestation, 'Invalid Android Safetynet Response: signature'
+      end
+
+      def verify_certificate!
+        signing_cert = certs.first
+        remaining_chain = certs[1..-1]
+
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths
+        valid_chain = store.verify(signing_cert, remaining_chain)
+
+        valid_subject = signing_cert.subject.to_a.detect do |key, value, type|
+          key == 'CN'
+        end.second == 'attest.android.com'
+
+        valid_timestamp = (
+          signing_cert.not_after > Time.now &&
+          signing_cert.not_before < Time.now
+        )
+
+        # TODO: do we need CRL check?
+
+        unless valid_chain && valid_subject && valid_timestamp
+           raise InvalidAttestation, 'Invalid Android Safetynet Response: certificate'
+        end
+      end
+
+      class << self
+        def decode(att_stmt)
+          new(
+            ver: att_stmt[:ver],
+            response: JSON::JWT.decode(att_stmt[:response], :skip_verification)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/web_authn/client_data_json.rb

@@ -2,23 +2,23 @@ module WebAuthn
   class ClientDataJSON
     attr_accessor :type, :origin, :challenge, :raw
 
-    def initialize(attrs = {})
-      self.type = attrs[:type]
-      self.origin = attrs[:origin]
-      self.challenge = attrs[:challenge]
-      self.raw = attrs[:raw]
+    def initialize(type:, origin:, challenge:, raw: nil)
+      self.type = type
+      self.origin = origin
+      self.challenge = challenge
+      self.raw = raw
     end
 
     class << self
       def decode(encoded_client_data_json)
-        raw_client_data_json = Base64.urlsafe_decode64 encoded_client_data_json
-        attrs = JSON.parse(
-          raw_client_data_json
-        ).merge(
-          raw: raw_client_data_json
-        ).with_indifferent_access
-        attrs[:challenge] = Base64.urlsafe_decode64 attrs[:challenge]
-        new attrs
+        raw = Base64.urlsafe_decode64 encoded_client_data_json
+        json = JSON.parse(raw).with_indifferent_access
+        new(
+          type: json[:type],
+          origin: json[:origin],
+          challenge: Base64.urlsafe_decode64(json[:challenge]),
+          raw: raw
+        )
       end
     end
   end

data/lib/web_authn/context/registration.rb

@@ -4,7 +4,8 @@ module WebAuthn
       attr_accessor :attestation_object
 
       # TODO: will need more methods, or let developers access deep methods by themselves.
-      %i(credential_id rp_id_hash flags public_key public_cose_key sign_count).each do |method|
+      %i(credential_id rp_id_hash flags public_key public_cose_key sign_count
+         attestation_statement).each do |method|
         delegate method, to: :attestation_object
       end
 
@@ -17,6 +18,7 @@ module WebAuthn
           encoded_attestation_object
         )
         verify_flags!
+        verify_signature!
         self
       end
 
@@ -26,6 +28,10 @@ module WebAuthn
         super
         raise InvalidAssertion, 'Missing Flag: "at"' unless flags.at?
       end
+
+      def verify_signature!
+        attestation_object.verify_signature! client_data_json
+      end
     end
   end
 end

data/spec/context/registration_spec.rb

@@ -43,5 +43,43 @@ RSpec.describe WebAuthn::Context::Registration do
       subject.public_key.to_pem.should == public_key_pem
     end
     its(:sign_count) { should == sign_count }
+
+    context 'when android-safetynet attestation given' do
+      let(:context) do
+        {
+          origin: 'https://web-authn.self-issued.app',
+          challenge: 'random-string-generated-by-rp-server'
+        }
+      end
+      let(:client_data_json) do
+        'eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY21GdVpHOXRMWE4wY21sdVp5MW5aVzVsY21GMFpXUXRZbmt0Y25BdGMyVnlkbVZ5Iiwib3JpZ2luIjoiaHR0cHM6XC9cL3dlYi1hdXRobi5zZWxmLWlzc3VlZC5hcHAiLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJjb20uY2hyb21lLmNhbmFyeSJ9'
+      end
+      let(:attestation_object) do
+        'o2NmbXRxYW5kcm9pZC1zYWZldHluZXRnYXR0U3RtdKJjdmVyaDEyODc0MDQxaHJlc3BvbnNlWRMHZXlKaGJHY2lPaUpTVXpJMU5pSXNJbmcxWXlJNld5Sk5TVWxGYVdwRFEwRXpTMmRCZDBsQ1FXZEpTVmxyV1c4MVJqQm5PRFpyZDBSUldVcExiMXBKYUhaalRrRlJSVXhDVVVGM1ZrUkZURTFCYTBkQk1WVkZRbWhOUTFaV1RYaElha0ZqUW1kT1ZrSkJiMVJHVldSMllqSmtjMXBUUWxWamJsWjZaRU5DVkZwWVNqSmhWMDVzWTNwRmJFMURUVWRCTVZWRlFYaE5ZMUl5T1haYU1uaHNTVVZzZFdSSFZubGliVll3U1VWR01XUkhhSFpqYld3d1pWTkNTRTE2UVdWR2R6QjRUbnBGZVUxRVVYaE5la1UwVGtST1lVWjNNSGhQUkVWNVRVUk5kMDFFUVhkTlJFSmhUVWQzZUVONlFVcENaMDVXUWtGWlZFRnNWbFJOVWsxM1JWRlpSRlpSVVVsRVFYQkVXVmQ0Y0ZwdE9YbGliV3hvVFZKWmQwWkJXVVJXVVZGSVJFRXhUbUl6Vm5Wa1IwWndZbWxDVjJGWFZqTk5VazEzUlZGWlJGWlJVVXRFUVhCSVlqSTVibUpIVldkVFZ6VnFUVkp6ZDBkUldVUldVVkZFUkVKS2FHUklVbXhqTTFGMVdWYzFhMk50T1hCYVF6VnFZakl3ZDJkblJXbE5RVEJIUTFOeFIxTkpZak5FVVVWQ1FWRlZRVUUwU1VKRWQwRjNaMmRGUzBGdlNVSkJVVU5WYWpoM1dXOVFhWGhMWW1KV09ITm5XV2QyVFZSbVdDdGtTWE5HVkU5clowdFBiR2hVTUdrd1ltTkVSbHBMTW5KUGVFcGFNblZUVEZOV2FGbDJhWEJhVGtVelNFcFJXWFYxV1hkR2FtbDVLM2xyWm1GMFFVZFRhbEo2UmpGaU16RjFORE12TjI5SE5XcE5hRE5UTXpkaGJIZHFWV0k0UTFkcFZIaHZhWEJXVDFsM1MwdDZkVlY1YTNGRlEzUnFiR2hLTkVGclYyRkVVeXRhZUV0RmNVOWhaVGwwYmtOblpVaHNiRnBGTDA5U1oyVk5ZWGd5V0U1RGIwZzJjM0pVUlZKamEzTnFlbHBhY2tGWGVFdHpaR1oyVm5KWVRucERVamxFZUZaQlUzVkpOa3g2ZDJnNFJGTnNNa1ZQYjJ0aWMyRnVXaXNyTDBweFRXVkJRa1ptVUhkcWVYZHlZakJ3Y2tWVmVUQndZV1ZXYzNWa0t6QndaV1Y0U3k4MUswVTJhM0JaUjBzMFdrc3libXR2Vmt4MVowVTFkR0ZJY2tGcU9ETlJLMUJQWW1KMlQzcFhZMFpyY0c1V1MzbHFielpMVVVGdFdEWlhTa0ZuVFVKQlFVZHFaMmRHUjAxSlNVSlJha0ZVUW1kT1ZraFRWVVZFUkVGTFFtZG5ja0puUlVaQ1VXTkVRVlJCWkVKblRsWklVa1ZGUm1wQlZXZG9TbWhrU0ZKc1l6TlJkVmxYTld0amJUbHdXa00xYW1JeU1IZGhRVmxKUzNkWlFrSlJWVWhCVVVWRldFUkNZVTFETUVkRFEzTkhRVkZWUmtKNlFVTm9hVVp2WkVoU2QwOXBPSFpqUjNSd1RHMWtkbUl5WTNaYU0wNTVUV2s1U0ZaR1RraFRWVVpJVFhrMWFtTnVVWGRMVVZsSlMzZFpRa0pSVlVoTlFVZEhTRmRvTUdSSVFUWk1lVGwyV1ROT2QweHVRbkpoVXpWdVlqSTVia3d3WkZWVk1HUktVVlZqZWsxQ01FZEJNVlZrUkdkUlYwSkNVVWM0U1hKUmRFWlNOa05WVTJ0cGEySXpZV2x0YzIweU5tTkNWRUZOUW1kT1ZraFNUVUpCWmpoRlFXcEJRVTFDT0VkQk1WVmtTWGRSV1UxQ1lVRkdTR1pEZFVaRFlWb3pXakp6VXpORGFIUkRSRzlJTm0xbWNuQk1UVU5GUjBFeFZXUkpRVkZoVFVKbmQwUkJXVXRMZDFsQ1FrRklWMlZSU1VaQmVrRkpRbWRhYm1kUmQwSkJaMGwzVFZGWlJGWlNNR1pDUTI5M1MwUkJiVzlEVTJkSmIxbG5ZVWhTTUdORWIzWk1NazU1WWtNMWQyRXlhM1ZhTWpsMlduazVTRlpHVGtoVFZVWklUWGsxYW1OdGQzZEVVVmxLUzI5YVNXaDJZMDVCVVVWTVFsRkJSR2RuUlVKQlJpOVNlazV1UXpWRWVrSlZRblJ1YURKdWRFcE1WMFZSYURsNlJXVkdXbVpRVERsUmIydHliRUZ2V0dkcVYyZE9PSEJUVWxVeGJGWkhTWEIwZWsxNFIyaDVNeTlQVWxKYVZHRTJSREpFZVRob2RrTkVja1pKTXl0c1Exa3dNVTFNTlZFMldFNUZOVkp6TW1ReFVtbGFjRTF6ZWtRMFMxRmFUa2N6YUZvd1FrWk9VUzlqYW5KRGJVeENUMGRMYTBWVk1XUnRRVmh6UmtwWVNtbFBjakpEVGxSQ1QxUjFPVVZpVEZkb1VXWmtRMFl4WW5kNmVYVXJWelppVVZOMk9GRkVialZQWkUxVEwxQnhSVEZrUldkbGRDODJSVWxTUWpjMk1VdG1XbEVyTDBSRk5reHdNMVJ5V2xSd1QwWkVSR2RZYUN0TVowZFBjM2RvUld4cU9XTXpkbHBJUjBwdWFHcHdkRGh5YTJKcGNpOHlkVXhIWm5oc1ZsbzBTekY0TlVSU1RqQlFWVXhrT1hsUVUyMXFaeXRoYWpFcmRFaDNTVEZ0VVcxYVZsazNjWFpQTlVSbmFFOTRhRXBOUjJ4Nk5teE1hVnB0ZW05blBTSXNJazFKU1VWWVJFTkRRVEJUWjBGM1NVSkJaMGxPUVdWUGNFMUNlamhqWjFrMFVEVndWRWhVUVU1Q1oydHhhR3RwUnpsM01FSkJVWE5HUVVSQ1RVMVRRWGRJWjFsRVZsRlJURVY0WkVoaVJ6bHBXVmQ0VkdGWFpIVkpSa3AyWWpOUloxRXdSV2RNVTBKVFRXcEZWRTFDUlVkQk1WVkZRMmhOUzFJeWVIWlpiVVp6VlRKc2JtSnFSVlJOUWtWSFFURlZSVUY0VFV0U01uaDJXVzFHYzFVeWJHNWlha0ZsUm5jd2VFNTZRVEpOVkZWM1RVUkJkMDVFU21GR2R6QjVUVlJGZVUxVVZYZE5SRUYzVGtSS1lVMUdVWGhEZWtGS1FtZE9Wa0pCV1ZSQmJGWlVUVkkwZDBoQldVUldVVkZMUlhoV1NHSXlPVzVpUjFWblZraEtNV016VVdkVk1sWjVaRzFzYWxwWVRYaEtWRUZxUW1kT1ZrSkJUVlJJUldSMllqSmtjMXBUUWtwaWJsSnNZMjAxYkdSRFFrSmtXRkp2WWpOS2NHUklhMmRTZWsxM1oyZEZhVTFCTUVkRFUzRkhVMGxpTTBSUlJVSkJVVlZCUVRSSlFrUjNRWGRuWjBWTFFXOUpRa0ZSUkV0VmEzWnhTSFl2VDBwSGRXOHlia2xaWVU1V1YxaFJOVWxYYVRBeFExaGFZWG8yVkVsSVRFZHdMMnhQU2lzMk1EQXZOR2hpYmpkMmJqWkJRVUl6UkZaNlpGRlBkSE0zUnpWd1NEQnlTbTV1VDBaVlFVczNNVWMwYm5wTFRXWklRMGRWYTNOWEwyMXZibUVyV1RKbGJVcFJNazRyWVdsamQwcExaWFJRUzFKVFNXZEJkVkJQUWpaQllXaG9PRWhpTWxoUE0yZzVVbFZyTWxRd1NFNXZkVUl5Vm5wNGIwMVliR3Q1VnpkWVZWSTFiWGMyU210TVNHNUJOVEpZUkZadlVsUlhhMDUwZVRWdlEwbE9USFpIYlc1U2Mwb3hlbTkxUVhGWlIxWlJUV012TjNONUt5OUZXV2hCVEhKV1NrVkJPRXRpZEhsWUszSTRjMjUzVlRWRE1XaFZjbmRoVnpaTlYwOUJVbUU0Y1VKd1RsRmpWMVJyWVVsbGIxbDJlUzl6UjBsS1JXMXFVakIyUmtWM1NHUndNV05UWVZkSmNqWXZOR2MzTW00M1QzRllkMlpwYm5VM1dsbFhPVGRGWm05UFUxRktaVUY2UVdkTlFrRkJSMnBuWjBWNlRVbEpRa3g2UVU5Q1owNVdTRkU0UWtGbU9FVkNRVTFEUVZsWmQwaFJXVVJXVWpCc1FrSlpkMFpCV1VsTGQxbENRbEZWU0VGM1JVZERRM05IUVZGVlJrSjNUVU5OUWtsSFFURlZaRVYzUlVJdmQxRkpUVUZaUWtGbU9FTkJVVUYzU0ZGWlJGWlNNRTlDUWxsRlJraG1RM1ZHUTJGYU0xb3ljMU16UTJoMFEwUnZTRFp0Wm5Kd1RFMUNPRWRCTVZWa1NYZFJXVTFDWVVGR1NuWnBRakZrYmtoQ04wRmhaMkpsVjJKVFlVeGtMMk5IV1ZsMVRVUlZSME5EYzBkQlVWVkdRbmRGUWtKRGEzZEtla0ZzUW1kbmNrSm5SVVpDVVdOM1FWbFpXbUZJVWpCalJHOTJUREk1YW1NelFYVmpSM1J3VEcxa2RtSXlZM1phTTA1NVRXcEJlVUpuVGxaSVVqaEZTM3BCY0UxRFpXZEtZVUZxYUdsR2IyUklVbmRQYVRoMldUTktjMHh1UW5KaFV6VnVZakk1Ymt3eVpIcGpha2wyV2pOT2VVMXBOV3BqYlhkM1VIZFpSRlpTTUdkQ1JHZDNUbXBCTUVKbldtNW5VWGRDUVdkSmQwdHFRVzlDWjJkeVFtZEZSa0pSWTBOQlVsbGpZVWhTTUdOSVRUWk1lVGwzWVRKcmRWb3lPWFphZVRsNVdsaENkbU15YkRCaU0wbzFUSHBCVGtKbmEzRm9hMmxIT1hjd1FrRlJjMFpCUVU5RFFWRkZRVWhNWlVwc2RWSlVOMkoyY3pJMlozbEJXamh6YnpneGRISlZTVk5rTjA4ME5YTnJSRlZ0UVdkbE1XTnVlR2hITVZBeVkwNXRVM2hpVjNOdmFVTjBNbVYxZURsTVUwUXJVRUZxTWt4SldWSkdTRmN6TVM4MmVHOXBZekZyTkhSaVYxaHJSRU5xYVhJek4zaFVWRTV4VWtGTlVGVjVSbEpYVTJSMmRDdHViRkJ4ZDI1aU9FOWhNa2t2YldGVFNuVnJZM2hFYWs1VFpuQkVhQzlDWkRGc1drNW5aR1F2T0dOTVpITkZNeXQzZVhCMVprbzVkVmhQTVdsUmNHNW9PWHBpZFVaSmQzTkpUMDVIYkRGd00wRTRRMmQ0YTNGSkwxVkJhV2d6U21GSFQzRmpjR05rWVVOSmVtdENZVkk1ZFZsUk1WZzBhekpXWnpWQlVGSk1iM1Y2Vm5rM1lUaEpWbXMyZDNWNU5uQnRLMVEzU0ZRMFRGazRhV0pUTlVaRldteG1RVVpNVTFjNFRuZHpWbm81VTBKTE1sWnhiakZPTUZCSlRXNDFlRUUyVGxwV1l6ZHZPRE0xUkV4QlJuTm9SVmRtUXpkVVNXVXpaejA5SWwxOS5leUp1YjI1alpTSTZJaTlYVG1SVFZXOHpiRUl4ZWt0Mk5UVlpNV1EyY2psR1pXdFJkbE5rZERjNWNHaDRjMmhuTjNsMVIxazlJaXdpZEdsdFpYTjBZVzF3VFhNaU9qRTFNelUyT1Rjd056TTFOVEFzSW1Gd2ExQmhZMnRoWjJWT1lXMWxJam9pWTI5dExtZHZiMmRzWlM1aGJtUnliMmxrTG1kdGN5SXNJbUZ3YTBScFoyVnpkRk5vWVRJMU5pSTZJako1TXpBNFJ6Y3hMM2RaUmtZMk9XRnVSVzlKT1VGYWNrTmFPREZFV0dSMk1YaEhNMjg0UVZkUlNITTlJaXdpWTNSelVISnZabWxzWlUxaGRHTm9JanAwY25WbExDSmhjR3REWlhKMGFXWnBZMkYwWlVScFoyVnpkRk5vWVRJMU5pSTZXeUk0VURGelZ6QkZVRXBqYzJ4M04xVjZVbk5wV0V3Mk5IY3JUelV3UldRclVrSkpRM1JoZVRGbk1qUk5QU0pkTENKaVlYTnBZMGx1ZEdWbmNtbDBlU0k2ZEhKMVpYMC5QVW9fT0h0dW96SWUxZGZFNlctSUVlYkZtN0R0Qll6M2NmZ0UzRlB5X3dVQlFCMjUwUE1WWjNVbk1NVjYwb0Q2U3d0ajZtQ0lQYnNYZnBULXFuY184eHlTUURndXZQUmp1b191b1JtUWF4aV9FSEZVaTZrZFV0akhaNkY1bWpYcVF4LWRiaFlONU00dG01WlM2bUxaMkdlbGlVcE1UVG9nU2FQUVZiVnl1Y3g0aGpfT1VDLWVPM1lCRmRldmw0d0pmSy15QVJxaGtmOHN6NEgwa1E5TU9IT2U0N0x2a0h3RnI2MElQSjNaQ3QwSklKYnJWVDZnMHJJal9iSlo3aXFrTDFOWUhrbURvNUhnSkgyTXA3QnYtZlJfMHcydzJyWkIzZk5zVGhxRm9UbUI4RU5XUmJjQ3lWQXBncVdIbFU5bUh5SlJGWVVsbnVDcGRGSEwwUjFaX1FoYXV0aERhdGFYxTLLgNysw8NSRiywHzv-MC3m83EvMP0g7NGcO6W4WJSVRAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEBKg96NvDCk5gmyyLqM0zXE0ZZnSkTarHzUfYU2PHWwdQhjjWLXayf0-jYLazWjpSr-N8DM1Zhls4jfmQCqa50X6UBAgMmIAEhWCAGD72C5VXE3mwMjzc_X0_7wUgIOA6kt2KoDIn1-1PHdSJYIAoZmBXyEJkjvlu251BDb8VoOtIketAD1VvYc3WUJJrZ'
+      end
+
+      it do
+        expect do
+          subject
+        end.not_to raise_error
+      end
+
+      context 'when client_data_json is invalid' do
+        let(:client_data_json) do
+          Base64.urlsafe_encode64({
+            type: "webauthn.create",
+            challenge: "cmFuZG9tLXN0cmluZy1nZW5lcmF0ZWQtYnktcnAtc2VydmVy",
+            origin: "https://web-authn.self-issued.app",
+            androidPackageName: "com.chrome.canary.malformed"
+          }.to_json, padding: false)
+        end
+
+        it do
+          expect do
+            subject
+          end.to raise_error WebAuthn::InvalidAttestation, 'Invalid Android Safetynet Response: nonce'
+        end
+      end
+    end
   end
 end

data/web_authn.gemspec

@@ -15,6 +15,7 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency 'activesupport'
   gem.add_runtime_dependency 'cbor'
   gem.add_runtime_dependency 'cose-key'
+  gem.add_runtime_dependency 'json-jwt'
   gem.add_development_dependency 'rake', '~> 10.0'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'rspec'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: web_authn
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0
 platform: ruby
 authors:
 - nov matake
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-09 00:00:00.000000000 Z
+date: 2018-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -128,6 +142,8 @@ files:
 - bin/setup
 - lib/web_authn.rb
 - lib/web_authn/attestation_object.rb
+- lib/web_authn/attestation_statement.rb
+- lib/web_authn/attestation_statement/android_safetynet.rb
 - lib/web_authn/attested_credential_data.rb
 - lib/web_authn/authenticator_data.rb
 - lib/web_authn/authenticator_data/flags.rb
@@ -165,7 +181,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: WebAuthn RP library