webauthn 1.18.0 → 2.0.0.beta1

data/lib/webauthn/attestation_statement/fido_u2f.rb

@@ -10,7 +10,6 @@ module WebAuthn
     class FidoU2f < Base
       VALID_ATTESTATION_CERTIFICATE_COUNT = 1
       VALID_ATTESTATION_CERTIFICATE_ALGORITHM = COSE::Algorithm.by_name("ES256")
-      VALID_ATTESTED_AAGUID = 0.chr * WebAuthn::AuthenticatorData::AttestedCredentialData::AAGUID_LENGTH
 
       def valid?(authenticator_data, client_data_hash)
         valid_format? &&
@@ -43,7 +42,7 @@ module WebAuthn
       end
 
       def valid_aaguid?(attested_credential_data_aaguid)
-        attested_credential_data_aaguid == VALID_ATTESTED_AAGUID
+        attested_credential_data_aaguid == WebAuthn::AuthenticatorData::AttestedCredentialData::ZEROED_AAGUID
       end
 
       def valid_signature?(authenticator_data, client_data_hash)

data/lib/webauthn/authenticator_assertion_response.rb

@@ -5,32 +5,45 @@ require "cose/key"
 require "webauthn/attestation_statement/fido_u2f/public_key"
 require "webauthn/authenticator_data"
 require "webauthn/authenticator_response"
+require "webauthn/encoder"
 require "webauthn/signature_verifier"
 
 module WebAuthn
-  class CredentialVerificationError < VerificationError; end
   class SignatureVerificationError < VerificationError; end
   class SignCountVerificationError < VerificationError; end
 
   class AuthenticatorAssertionResponse < AuthenticatorResponse
+    def self.from_client(response)
+      encoder = WebAuthn.configuration.encoder
+
+      user_handle =
+        if response["userHandle"]
+          encoder.decode(response["userHandle"])
+        end
+
+      new(
+        authenticator_data: encoder.decode(response["authenticatorData"]),
+        client_data_json: encoder.decode(response["clientDataJSON"]),
+        signature: encoder.decode(response["signature"]),
+        user_handle: user_handle
+      )
+    end
+
     attr_reader :user_handle
 
-    # FIXME: credential_id doesn't belong inside AuthenticatorAssertionResponse
-    def initialize(credential_id:, authenticator_data:, signature:, user_handle: nil, **options)
+    def initialize(authenticator_data:, signature:, user_handle: nil, **options)
       super(options)
 
-      @credential_id = credential_id
       @authenticator_data_bytes = authenticator_data
       @signature = signature
       @user_handle = user_handle
     end
 
-    def verify(expected_challenge, expected_origin = nil, allowed_credentials:, user_verification: nil, rp_id: nil)
+    def verify(expected_challenge, expected_origin = nil, public_key:, sign_count:, user_verification: nil,
+               rp_id: nil)
       super(expected_challenge, expected_origin, user_verification: user_verification, rp_id: rp_id)
-
-      verify_item(:credential, allowed_credentials)
-      verify_item(:signature, credential_cose_key(allowed_credentials))
-      verify_item(:sign_count, allowed_credentials)
+      verify_item(:signature, credential_cose_key(public_key))
+      verify_item(:sign_count, sign_count)
 
       true
     end
@@ -41,7 +54,7 @@ module WebAuthn
 
     private
 
-    attr_reader :credential_id, :authenticator_data_bytes, :signature
+    attr_reader :authenticator_data_bytes, :signature
 
     def valid_signature?(credential_cose_key)
       WebAuthn::SignatureVerifier
@@ -49,32 +62,17 @@ module WebAuthn
         .verify(signature, authenticator_data_bytes + client_data.hash)
     end
 
-    def valid_sign_count?(allowed_credentials)
-      matched_credential = allowed_credentials.find do |credential|
-        credential[:id] == credential_id
-      end
-      # TODO: make passing sign count mandatory in next major version
-      stored_sign_count = matched_credential.fetch(:sign_count, 0)
-
-      if authenticator_data.sign_count.nonzero? || stored_sign_count.nonzero?
-        authenticator_data.sign_count > stored_sign_count
+    def valid_sign_count?(stored_sign_count)
+      normalized_sign_count = stored_sign_count || 0
+      if authenticator_data.sign_count.nonzero? || normalized_sign_count.nonzero?
+        authenticator_data.sign_count > normalized_sign_count
       else
         true
       end
     end
 
-    def valid_credential?(allowed_credentials)
-      allowed_credential_ids = allowed_credentials.map { |credential| credential[:id] }
-
-      allowed_credential_ids.include?(credential_id)
-    end
-
-    def credential_cose_key(allowed_credentials)
-      matched_credential = allowed_credentials.find do |credential|
-        credential[:id] == credential_id
-      end
-
-      if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(matched_credential[:public_key])
+    def credential_cose_key(public_key)
+      if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(public_key)
         # Gem version v1.11.0 and lower, used to behave so that Credential#public_key
         # returned an EC P-256 uncompressed point.
         #
@@ -83,16 +81,16 @@ module WebAuthn
         # credentialPublicKey (as in https://www.w3.org/TR/webauthn/#credentialpublickey).
         #
         # Given that the credential public key is expected to be stored long-term by the gem
-        # user and later be passed as one of the allowed_credentials arguments in the
+        # user and later be passed as the public_key argument in the
         # AuthenticatorAssertionResponse.verify call, we then need to support the two formats.
         COSE::Key::EC2.new(
           alg: COSE::Algorithm.by_name("ES256").id,
           crv: 1,
-          x: matched_credential[:public_key][1..32],
-          y: matched_credential[:public_key][33..-1]
+          x: public_key[1..32],
+          y: public_key[33..-1]
         )
       else
-        COSE::Key.deserialize(matched_credential[:public_key])
+        COSE::Key.deserialize(public_key)
       end
     end
 

data/lib/webauthn/authenticator_attestation_response.rb

@@ -8,12 +8,22 @@ require "webauthn/authenticator_data"
 require "webauthn/authenticator_response"
 require "webauthn/attestation_statement"
 require "webauthn/client_data"
+require "webauthn/encoder"
 
 module WebAuthn
   class AttestationStatementVerificationError < VerificationError; end
   class AttestedCredentialVerificationError < VerificationError; end
 
   class AuthenticatorAttestationResponse < AuthenticatorResponse
+    def self.from_client(response)
+      encoder = WebAuthn.configuration.encoder
+
+      new(
+        attestation_object: encoder.decode(response["attestationObject"]),
+        client_data_json: encoder.decode(response["clientDataJSON"])
+      )
+    end
+
     attr_reader :attestation_type, :attestation_trust_path
 
     def initialize(attestation_object:, **options)
@@ -52,6 +62,17 @@ module WebAuthn
       @attestation ||= CBOR.decode(attestation_object)
     end
 
+    def aaguid
+      raw_aaguid = authenticator_data.attested_credential_data.raw_aaguid
+      unless raw_aaguid == WebAuthn::AuthenticatorData::AttestedCredentialData::ZEROED_AAGUID
+        authenticator_data.attested_credential_data.aaguid
+      end
+    end
+
+    def attestation_certificate_key
+      raw_subject_key_identifier(attestation_statement.attestation_certificate)&.unpack("H*")&.[](0)
+    end
+
     private
 
     attr_reader :attestation_object
@@ -68,5 +89,14 @@ module WebAuthn
     def valid_attestation_statement?
       @attestation_type, @attestation_trust_path = attestation_statement.valid?(authenticator_data, client_data.hash)
     end
+
+    def raw_subject_key_identifier(certificate)
+      extension = certificate.extensions.detect { |ext| ext.oid == "subjectKeyIdentifier" }
+      return unless extension
+
+      ext_asn1 = OpenSSL::ASN1.decode(extension.to_der)
+      ext_value = ext_asn1.value.last
+      OpenSSL::ASN1.decode(ext_value.value).value
+    end
   end
 end

data/lib/webauthn/authenticator_data.rb

@@ -57,7 +57,9 @@ module WebAuthn
     end
 
     def credential
-      attested_credential_data.credential
+      if attested_credential_data_included?
+        attested_credential_data.credential
+      end
     end
 
     def sign_count

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -6,6 +6,7 @@ module WebAuthn
   class AuthenticatorData
     class AttestedCredentialData
       AAGUID_LENGTH = 16
+      ZEROED_AAGUID = 0.chr * AAGUID_LENGTH
 
       ID_LENGTH_LENGTH = 2
 

data/lib/webauthn/authenticator_response.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "base64"
 require "webauthn/client_data"
 require "webauthn/error"
 require "webauthn/security_utils"
@@ -73,7 +72,7 @@ module WebAuthn
     end
 
     def valid_challenge?(expected_challenge)
-      WebAuthn::SecurityUtils.secure_compare(Base64.urlsafe_decode64(client_data.challenge), expected_challenge)
+      WebAuthn::SecurityUtils.secure_compare(client_data.challenge, expected_challenge)
     end
 
     def valid_origin?(expected_origin)

data/lib/webauthn/client_data.rb

@@ -2,6 +2,7 @@
 
 require "json"
 require "openssl"
+require "webauthn/encoder"
 require "webauthn/error"
 
 module WebAuthn
@@ -19,7 +20,7 @@ module WebAuthn
     end
 
     def challenge
-      data["challenge"]
+      WebAuthn.standard_encoder.decode(data["challenge"])
     end
 
     def origin

data/lib/webauthn/configuration.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "openssl"
+require "webauthn/encoder"
 
 module WebAuthn
   def self.configuration
@@ -19,6 +20,7 @@ module WebAuthn
     DEFAULT_ALGORITHMS = ["ES256", if_pss_supported("PS256"), "RS256"].compact.freeze
 
     attr_accessor :algorithms
+    attr_accessor :encoding
     attr_accessor :origin
     attr_accessor :rp_id
     attr_accessor :rp_name
@@ -27,8 +29,15 @@ module WebAuthn
 
     def initialize
       @algorithms = DEFAULT_ALGORITHMS.dup
+      @encoding = WebAuthn::Encoder::STANDARD_ENCODING
       @verify_attestation_statement = true
       @credential_options_timeout = 120000
     end
+
+    # This is the user-data encoder.
+    # Used to decode user input and to encode data provided to the user.
+    def encoder
+      @encoder ||= WebAuthn::Encoder.new(encoding)
+    end
   end
 end

data/lib/webauthn/credential.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require "webauthn/public_key_credential/creation_options"
+require "webauthn/public_key_credential/request_options"
+require "webauthn/public_key_credential_with_assertion"
+require "webauthn/public_key_credential_with_attestation"
+
+module WebAuthn
+  module Credential
+    def self.options_for_create(*args)
+      WebAuthn::PublicKeyCredential::CreationOptions.new(*args)
+    end
+
+    def self.options_for_get(*args)
+      WebAuthn::PublicKeyCredential::RequestOptions.new(*args)
+    end
+
+    def self.from_create(credential)
+      WebAuthn::PublicKeyCredentialWithAttestation.from_client(credential)
+    end
+
+    def self.from_get(credential)
+      WebAuthn::PublicKeyCredentialWithAssertion.from_client(credential)
+    end
+  end
+end

data/lib/webauthn/credential_creation_options.rb

@@ -6,8 +6,12 @@ require "webauthn/credential_rp_entity"
 require "webauthn/credential_user_entity"
 
 module WebAuthn
-  # TODO: make keyword arguments mandatory in next major version
   def self.credential_creation_options(rp_name: nil, user_name: "web-user", display_name: "web-user", user_id: "1")
+    warn(
+      "DEPRECATION WARNING: `WebAuthn.credential_creation_options` is deprecated."\
+      " Please use `WebAuthn::Credential.options_for_create` instead."
+    )
+
     CredentialCreationOptions.new(
       rp_name: rp_name, user_id: user_id, user_name: user_name, user_display_name: display_name
     ).to_h

data/lib/webauthn/credential_request_options.rb

@@ -4,6 +4,11 @@ require "webauthn/credential_options"
 
 module WebAuthn
   def self.credential_request_options
+    warn(
+      "DEPRECATION WARNING: `WebAuthn.credential_request_options` is deprecated."\
+      " Please use `WebAuthn::Credential.options_for_get` instead."
+    )
+
     CredentialRequestOptions.new.to_h
   end
 

data/lib/webauthn/encoder.rb

@@ -3,10 +3,17 @@
 require "base64"
 
 module WebAuthn
+  def self.standard_encoder
+    @standard_encoder ||= Encoder.new
+  end
+
   class Encoder
+    # https://www.w3.org/TR/webauthn-2/#base64url-encoding
+    STANDARD_ENCODING = :base64url
+
     attr_reader :encoding
 
-    def initialize(encoding = :base64)
+    def initialize(encoding = STANDARD_ENCODING)
       @encoding = encoding
     end
 

data/lib/webauthn/fake_authenticator.rb

@@ -61,6 +61,7 @@ module WebAuthn
           user_present: user_present,
           user_verified: user_verified,
           aaguid: aaguid,
+          credential: nil,
           sign_count: sign_count || credential_sign_count,
         ).serialize
 

data/lib/webauthn/fake_client.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require "base64"
 require "openssl"
+require "securerandom"
 require "webauthn/authenticator_data"
 require "webauthn/encoder"
 require "webauthn/fake_authenticator"
@@ -16,7 +16,7 @@ module WebAuthn
       origin = fake_origin,
       token_binding: nil,
       authenticator: WebAuthn::FakeAuthenticator.new,
-      encoding: nil
+      encoding: WebAuthn.configuration.encoding
     )
       @origin = origin
       @token_binding = token_binding
@@ -26,13 +26,14 @@ module WebAuthn
 
     def create(
       challenge: fake_challenge,
-      rp_id: nil, user_present: true,
+      rp_id: nil,
+      user_present: true,
       user_verified: false,
       attested_credential_data: true
     )
       rp_id ||= URI.parse(origin).host
 
-      client_data_json = data_json_for(:create, challenge)
+      client_data_json = data_json_for(:create, encoder.decode(challenge))
       client_data_hash = hashed(client_data_json)
 
       attestation_object = authenticator.make_credential(
@@ -50,14 +51,13 @@ module WebAuthn
           "id-for-pk-without-attested-credential-data"
         end
 
-      # TODO: return camelCase string keys instead of snakecase symbols
       {
-        type: "public-key",
-        id: Base64.urlsafe_encode64(id),
-        raw_id: encoder.encode(id),
-        response: {
-          attestation_object: encoder.encode(attestation_object),
-          client_data_json: encoder.encode(client_data_json)
+        "type" => "public-key",
+        "id" => internal_encoder.encode(id),
+        "rawId" => encoder.encode(id),
+        "response" => {
+          "attestationObject" => encoder.encode(attestation_object),
+          "clientDataJSON" => encoder.encode(client_data_json)
         }
       }
     end
@@ -65,7 +65,7 @@ module WebAuthn
     def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false, sign_count: nil)
       rp_id ||= URI.parse(origin).host
 
-      client_data_json = data_json_for(:get, challenge)
+      client_data_json = data_json_for(:get, encoder.decode(challenge))
       client_data_hash = hashed(client_data_json)
 
       assertion = authenticator.get_assertion(
@@ -76,15 +76,15 @@ module WebAuthn
         sign_count: sign_count,
       )
 
-      # TODO: return camelCase string keys instead of snakecase symbols
       {
-        type: "public-key",
-        id: Base64.urlsafe_encode64(assertion[:credential_id]),
-        raw_id: encoder.encode(assertion[:credential_id]),
-        response: {
-          client_data_json: encoder.encode(client_data_json),
-          authenticator_data: encoder.encode(assertion[:authenticator_data]),
-          signature: encoder.encode(assertion[:signature])
+        "type" => "public-key",
+        "id" => internal_encoder.encode(assertion[:credential_id]),
+        "rawId" => encoder.encode(assertion[:credential_id]),
+        "response" => {
+          "clientDataJSON" => encoder.encode(client_data_json),
+          "authenticatorData" => encoder.encode(assertion[:authenticator_data]),
+          "signature" => encoder.encode(assertion[:signature]),
+          "userHandle" => nil
         }
       }
     end
@@ -96,7 +96,7 @@ module WebAuthn
     def data_json_for(method, challenge)
       data = {
         type: type_for(method),
-        challenge: Base64.urlsafe_encode64(challenge, padding: false),
+        challenge: internal_encoder.encode(challenge),
         origin: origin
       }
 
@@ -111,12 +111,16 @@ module WebAuthn
       @encoder ||= WebAuthn::Encoder.new(encoding)
     end
 
+    def internal_encoder
+      WebAuthn.standard_encoder
+    end
+
     def hashed(data)
       OpenSSL::Digest::SHA256.digest(data)
     end
 
     def fake_challenge
-      SecureRandom.random_bytes(32)
+      encoder.encode(SecureRandom.random_bytes(32))
     end
 
     def fake_origin