web_authn 0.3.0 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/Gemfile.lock +71 -0
- data/VERSION +1 -1
- data/lib/web_authn/attestation_object.rb +3 -1
- data/lib/web_authn/attestation_statement.rb +1 -0
- data/lib/web_authn/attestation_statement/android_safetynet.rb +0 -1
- data/lib/web_authn/attestation_statement/packed.rb +54 -0
- data/lib/web_authn/attested_credential_data.rb +4 -0
- data/spec/context/registration_spec.rb +45 -0
- data/web_authn.gemspec +1 -1
- metadata +7 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: f684ad0ab8c4f516d4bb9023db18476bb76daa8a262576867b21debbb746ad19
|
|
4
|
+
data.tar.gz: 64f0b2c7251de13671401dca713f8c7b2c09a08874bce8cf66b83f2de7d5e6a6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 426f5241570eb0030fb0a189930b53b5fb74945fd528dce77c1797de3ddfeabf00bcc1282dadbd5ebd87f09fbd4505f5499247ce19a5791ce341ecc9fdc00856
|
|
7
|
+
data.tar.gz: 3498f269f7bb8b654d75d377fde1c5e3d02693783eee78c604df51a5e052dfb680e59c6d0812ff2c88d9db015cd89dca17ab4c9e24235e3073a473e504217faf
|
data/Gemfile.lock
ADDED
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
PATH
|
|
2
|
+
remote: .
|
|
3
|
+
specs:
|
|
4
|
+
web_authn (0.3.0)
|
|
5
|
+
activesupport
|
|
6
|
+
cbor
|
|
7
|
+
cose-key (>= 0.2.0)
|
|
8
|
+
json-jwt
|
|
9
|
+
|
|
10
|
+
GEM
|
|
11
|
+
remote: https://rubygems.org/
|
|
12
|
+
specs:
|
|
13
|
+
activesupport (5.2.1)
|
|
14
|
+
concurrent-ruby (~> 1.0, >= 1.0.2)
|
|
15
|
+
i18n (>= 0.7, < 2)
|
|
16
|
+
minitest (~> 5.1)
|
|
17
|
+
tzinfo (~> 1.1)
|
|
18
|
+
aes_key_wrap (1.0.1)
|
|
19
|
+
bindata (2.4.4)
|
|
20
|
+
cbor (0.5.9.3)
|
|
21
|
+
concurrent-ruby (1.0.5)
|
|
22
|
+
cose-key (0.2.0)
|
|
23
|
+
cbor
|
|
24
|
+
diff-lcs (1.3)
|
|
25
|
+
docile (1.3.1)
|
|
26
|
+
i18n (1.1.1)
|
|
27
|
+
concurrent-ruby (~> 1.0)
|
|
28
|
+
json (2.1.0)
|
|
29
|
+
json-jwt (1.9.4)
|
|
30
|
+
activesupport
|
|
31
|
+
aes_key_wrap
|
|
32
|
+
bindata
|
|
33
|
+
minitest (5.11.3)
|
|
34
|
+
rake (10.5.0)
|
|
35
|
+
rspec (3.8.0)
|
|
36
|
+
rspec-core (~> 3.8.0)
|
|
37
|
+
rspec-expectations (~> 3.8.0)
|
|
38
|
+
rspec-mocks (~> 3.8.0)
|
|
39
|
+
rspec-core (3.8.0)
|
|
40
|
+
rspec-support (~> 3.8.0)
|
|
41
|
+
rspec-expectations (3.8.2)
|
|
42
|
+
diff-lcs (>= 1.2.0, < 2.0)
|
|
43
|
+
rspec-support (~> 3.8.0)
|
|
44
|
+
rspec-its (1.2.0)
|
|
45
|
+
rspec-core (>= 3.0.0)
|
|
46
|
+
rspec-expectations (>= 3.0.0)
|
|
47
|
+
rspec-mocks (3.8.0)
|
|
48
|
+
diff-lcs (>= 1.2.0, < 2.0)
|
|
49
|
+
rspec-support (~> 3.8.0)
|
|
50
|
+
rspec-support (3.8.0)
|
|
51
|
+
simplecov (0.16.1)
|
|
52
|
+
docile (~> 1.1)
|
|
53
|
+
json (>= 1.8, < 3)
|
|
54
|
+
simplecov-html (~> 0.10.0)
|
|
55
|
+
simplecov-html (0.10.2)
|
|
56
|
+
thread_safe (0.3.6)
|
|
57
|
+
tzinfo (1.2.5)
|
|
58
|
+
thread_safe (~> 0.1)
|
|
59
|
+
|
|
60
|
+
PLATFORMS
|
|
61
|
+
ruby
|
|
62
|
+
|
|
63
|
+
DEPENDENCIES
|
|
64
|
+
rake (~> 10.0)
|
|
65
|
+
rspec
|
|
66
|
+
rspec-its
|
|
67
|
+
simplecov
|
|
68
|
+
web_authn!
|
|
69
|
+
|
|
70
|
+
BUNDLED WITH
|
|
71
|
+
1.17.1
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.
|
|
1
|
+
0.4.0
|
|
@@ -16,7 +16,9 @@ module WebAuthn
|
|
|
16
16
|
nil
|
|
17
17
|
when 'android-safetynet'
|
|
18
18
|
AttestationStatement::AndroidSafetynet.decode att_stmt
|
|
19
|
-
when 'packed'
|
|
19
|
+
when 'packed'
|
|
20
|
+
AttestationStatement::Packed.decode att_stmt
|
|
21
|
+
when 'tpm', 'android-key', 'fido-u2f'
|
|
20
22
|
raise NotImplementedError, "Unsupported Attestation Format: #{format}"
|
|
21
23
|
else
|
|
22
24
|
raise InvalidContext, 'Unknown Attestation Format'
|
|
@@ -18,7 +18,6 @@ module WebAuthn
|
|
|
18
18
|
verify_signature!
|
|
19
19
|
verify_certificate!
|
|
20
20
|
|
|
21
|
-
# TODO: put more ref.) https://www.w3.org/TR/webauthn/#android-safetynet-attestation
|
|
22
21
|
unless response[:ctsProfileMatch]
|
|
23
22
|
raise InvalidAttestation, 'Invalid Android Safetynet Response: ctsProfileMatch'
|
|
24
23
|
end
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
module WebAuthn
|
|
2
|
+
class AttestationStatement
|
|
3
|
+
class Packed < AttestationStatement
|
|
4
|
+
attr_accessor :alg, :sig, :x5c, :ecdaa_key_id
|
|
5
|
+
|
|
6
|
+
def initialize(alg:, sig:, x5c:, ecdaa_key_id:)
|
|
7
|
+
self.alg = alg
|
|
8
|
+
self.sig = sig
|
|
9
|
+
self.x5c = Array(x5c)
|
|
10
|
+
self.ecdaa_key_id = ecdaa_key_id
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def verify!(authenticator_data, client_data_json)
|
|
14
|
+
verify_signature! authenticator_data, client_data_json
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
private
|
|
18
|
+
|
|
19
|
+
def self_issued?
|
|
20
|
+
[x5c, ecdaa_key_id].all?(&:blank?)
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def verify_signature!(authenticator_data, client_data_json)
|
|
24
|
+
signature_base_string = [
|
|
25
|
+
authenticator_data.raw,
|
|
26
|
+
OpenSSL::Digest::SHA256.digest(client_data_json.raw)
|
|
27
|
+
].join
|
|
28
|
+
|
|
29
|
+
if self_issued? && authenticator_data.attested_credential_data.anonymous?
|
|
30
|
+
public_cose_key = authenticator_data.attested_credential_data.public_cose_key
|
|
31
|
+
unless alg == public_cose_key.alg
|
|
32
|
+
raise InvalidAttestation, 'Invalid Packed Self Attestation: alg'
|
|
33
|
+
end
|
|
34
|
+
unless public_cose_key.verify sig, signature_base_string
|
|
35
|
+
raise InvalidAttestation, 'Invalid Packed Self Attestation: signature'
|
|
36
|
+
end
|
|
37
|
+
else
|
|
38
|
+
raise NotImplementedError, "Unsupported Attestation Format: packed"
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
class << self
|
|
43
|
+
def decode(att_stmt)
|
|
44
|
+
new(
|
|
45
|
+
alg: att_stmt[:alg],
|
|
46
|
+
sig: att_stmt[:sig],
|
|
47
|
+
x5c: att_stmt[:x5c],
|
|
48
|
+
ecdaa_key_id: att_stmt[:ecdaaKeyId]
|
|
49
|
+
)
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
@@ -9,6 +9,10 @@ module WebAuthn
|
|
|
9
9
|
self.public_cose_key = public_cose_key
|
|
10
10
|
end
|
|
11
11
|
|
|
12
|
+
def anonymous?
|
|
13
|
+
aaguid == 'AAAAAAAAAAAAAAAAAAAAAA' # NOTE: equals to `Base64.urlsafe_encode64("\0" * 16, padding: false)``
|
|
14
|
+
end
|
|
15
|
+
|
|
12
16
|
class << self
|
|
13
17
|
def decode(attested_credential_data)
|
|
14
18
|
length = (
|
|
@@ -44,6 +44,51 @@ RSpec.describe WebAuthn::Context::Registration do
|
|
|
44
44
|
end
|
|
45
45
|
its(:sign_count) { should == sign_count }
|
|
46
46
|
|
|
47
|
+
context 'when packed attestation given' do
|
|
48
|
+
let(:context) do
|
|
49
|
+
{
|
|
50
|
+
origin: 'https://web-authn.self-issued.app',
|
|
51
|
+
challenge: 'random-string-generated-by-rp-server'
|
|
52
|
+
}
|
|
53
|
+
end
|
|
54
|
+
let(:client_data_json) do
|
|
55
|
+
'eyJjaGFsbGVuZ2UiOiJjbUZ1Wkc5dExYTjBjbWx1WnkxblpXNWxjbUYwWldRdFlua3RjbkF0YzJWeWRtVnkiLCJvcmlnaW4iOiJodHRwczovL3dlYi1hdXRobi5zZWxmLWlzc3VlZC5hcHAiLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0'
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
context 'when self-attestation' do
|
|
59
|
+
let(:attestation_object) do
|
|
60
|
+
'o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEYwRAIgOprGUE_GZMIbRBAPLPw6IiNdSk4dxFb4cRbqDgVfFXQCIHnRdm64FfnShyIhq1Z2qfn3ygp0auT32gy-eL35Uo6YaGF1dGhEYXRhWMQyy4DcrMPDUkYssB87_jAt5vNxLzD9IOzRnDuluFiUlUVb2_sTAAAAAAAAAAAAAAAAAAAAAABAAKUVEhUfjXl7S9MbcWXRfXltc39Spl6yuLxOuUtQJ-y-5DkR61Ge8riwY7dRXZFNSaWhsw9LfsknL57eZEB1gKUBAgMmIAEhWCCfkZcOMoafdVwFi4cNNPQlJS1JNUkq34sJ5fKhDODsfyJYIKD89fXxjNhcX6gDxsTwH3VL_TG7HAHdKFgUjAFumfmr'
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
it do
|
|
64
|
+
expect do
|
|
65
|
+
subject
|
|
66
|
+
end.not_to raise_error
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
context 'when client_data_json is invalid' do
|
|
70
|
+
let(:client_data_json) do
|
|
71
|
+
Base64.urlsafe_encode64({
|
|
72
|
+
type: "webauthn.create",
|
|
73
|
+
challenge: "cmFuZG9tLXN0cmluZy1nZW5lcmF0ZWQtYnktcnAtc2VydmVy",
|
|
74
|
+
origin: "https://web-authn.self-issued.app",
|
|
75
|
+
malformed: 'malformed'
|
|
76
|
+
}.to_json, padding: false)
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
it do
|
|
80
|
+
expect do
|
|
81
|
+
subject
|
|
82
|
+
end.to raise_error WebAuthn::InvalidAttestation, 'Invalid Packed Self Attestation: signature'
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
context 'otherwise' do
|
|
88
|
+
it :TODO
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
|
|
47
92
|
context 'when android-safetynet attestation given' do
|
|
48
93
|
let(:context) do
|
|
49
94
|
{
|
data/web_authn.gemspec
CHANGED
|
@@ -14,7 +14,7 @@ Gem::Specification.new do |gem|
|
|
|
14
14
|
gem.required_ruby_version = '>= 2.3'
|
|
15
15
|
gem.add_runtime_dependency 'activesupport'
|
|
16
16
|
gem.add_runtime_dependency 'cbor'
|
|
17
|
-
gem.add_runtime_dependency 'cose-key'
|
|
17
|
+
gem.add_runtime_dependency 'cose-key', '>= 0.2.0'
|
|
18
18
|
gem.add_runtime_dependency 'json-jwt'
|
|
19
19
|
gem.add_development_dependency 'rake', '~> 10.0'
|
|
20
20
|
gem.add_development_dependency 'simplecov'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: web_authn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- nov matake
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-11-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -44,14 +44,14 @@ dependencies:
|
|
|
44
44
|
requirements:
|
|
45
45
|
- - ">="
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
|
-
version:
|
|
47
|
+
version: 0.2.0
|
|
48
48
|
type: :runtime
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
52
|
- - ">="
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
|
-
version:
|
|
54
|
+
version: 0.2.0
|
|
55
55
|
- !ruby/object:Gem::Dependency
|
|
56
56
|
name: json-jwt
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -134,6 +134,7 @@ files:
|
|
|
134
134
|
- ".rspec"
|
|
135
135
|
- ".travis.yml"
|
|
136
136
|
- Gemfile
|
|
137
|
+
- Gemfile.lock
|
|
137
138
|
- LICENSE.txt
|
|
138
139
|
- README.md
|
|
139
140
|
- Rakefile
|
|
@@ -144,6 +145,7 @@ files:
|
|
|
144
145
|
- lib/web_authn/attestation_object.rb
|
|
145
146
|
- lib/web_authn/attestation_statement.rb
|
|
146
147
|
- lib/web_authn/attestation_statement/android_safetynet.rb
|
|
148
|
+
- lib/web_authn/attestation_statement/packed.rb
|
|
147
149
|
- lib/web_authn/attested_credential_data.rb
|
|
148
150
|
- lib/web_authn/authenticator_data.rb
|
|
149
151
|
- lib/web_authn/authenticator_data/flags.rb
|
|
@@ -181,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
181
183
|
version: '0'
|
|
182
184
|
requirements: []
|
|
183
185
|
rubyforge_project:
|
|
184
|
-
rubygems_version: 2.
|
|
186
|
+
rubygems_version: 2.7.3
|
|
185
187
|
signing_key:
|
|
186
188
|
specification_version: 4
|
|
187
189
|
summary: WebAuthn RP library
|