RubyGems - webauthn - Versions diffs - 1.7.0 → 1.8.0 - Mend

webauthn 1.7.0 → 1.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/.travis.yml +7 -2
data/CHANGELOG.md +12 -0
data/README.md +4 -0
data/lib/webauthn.rb +1 -0
data/lib/webauthn/attestation_statement.rb +3 -1
data/lib/webauthn/attestation_statement/base.rb +3 -1
data/lib/webauthn/authenticator_data/attested_credential_data.rb +1 -5
data/lib/webauthn/authenticator_response.rb +1 -1
data/lib/webauthn/client_data.rb +4 -1
data/lib/webauthn/error.rb +5 -0
data/lib/webauthn/security_utils.rb +35 -0
data/lib/webauthn/version.rb +1 -1
data/webauthn.gemspec +4 -4
metadata +21 -14

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 861ba8a05d52230a89d8ba009d93e656c42c7f9add389767f0cd3cf6bf97c8c2
-  data.tar.gz: a3c7d357340f381c4ea06e3ed8aa5711549573eb9f59e591a332f7224a55a2dd
+  metadata.gz: 0e9c0949f662e12a84d1810c564633cd6feec64b1f4ed9352a19260a1840d6fc
+  data.tar.gz: 30725d9ebd21ce4b77b548807a9c57014983e245183bc2c1179e7eb1580d0583
 SHA512:
-  metadata.gz: dcad6286a076eea7af7d3bfde6c708cb291a2d8102c8722db8a6372baedf6541df470d54717ed2c347a2f0e703a7bcf190cffbef9c8f90cbe6475064ee00f542
-  data.tar.gz: 8b28576e8ce15e632ca54e78fd4cf94ac2c34a506c84b085baa19623787e50d60eb0ed7253edbd87523639353a4cdb448c7bfc94dedf1563ae764e9ff1e4cd28
+  metadata.gz: f0499fa6c77cc863dfd325ad84e7bf746377b18e6260cbad692add3ac3a1e1508b5652e1536ef9f72a2614026c95ab71a026a73b96212bd54ab4e088e3ad9dd5
+  data.tar.gz: 122fd1cd5689b051a9c39744ee3d02dce099ff9f226d4b2278ae3baf2fe2aff0d1e6dc218bed9e19f3703eafb7a0e0d142055c01c5219449ac5f118a21b94813

data/.travis.yml CHANGED

@@ -1,12 +1,17 @@
+dist: xenial
 sudo: false
 language: ruby
 cache: bundler
 rvm:
-  - 2.6.0-preview3
+  - ruby-head
+  - 2.6.0
   - 2.5.3
   - 2.4.5
   - 2.3.8
 matrix:
   fast_finish: true
   allow_failures:
-    - rvm: 2.6.0-preview3
+    - rvm: ruby-head
+before_install:
+  - gem install bundler -v "~> 2.0"

data/CHANGELOG.md CHANGED

@@ -1,5 +1,16 @@
 # Changelog
+## [v1.8.0] - 2019-01-17
+### Added
+- Make challenge validation inside `#valid?` method resistant to timing attacks. Thank you @tomek-bt!
+- Support for ruby 2.6
+### Changed
+- Make current raised exception errors a bit more meaningful to aid debugging
 ## [v1.7.0] - 2018-11-08
 ### Added
@@ -104,6 +115,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
+[v1.8.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.7.0...v1.8.0/
 [v1.7.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.6.0...v1.7.0/
 [v1.6.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.5.0...v1.6.0/
 [v1.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.4.0...v1.5.0/

data/README.md CHANGED

@@ -198,6 +198,10 @@ Inspired in a subset of [Angular's Commit Message Guidelines](https://github.com
 Bug reports and pull requests are welcome on GitHub at https://github.com/cedarcode/webauthn-ruby.
+### Security
+If you have discovered a security bug, please send an email to security@cedarcode.com instead of posting to the GitHub issue tracker.
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/lib/webauthn.rb CHANGED

@@ -3,6 +3,7 @@
 require "cose/ecdsa"
 require "webauthn/authenticator_attestation_response"
 require "webauthn/authenticator_assertion_response"
+require "webauthn/security_utils"
 require "webauthn/version"
 require "base64"

data/lib/webauthn/attestation_statement.rb CHANGED

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
+require "webauthn/error"
 module WebAuthn
   module AttestationStatement
-    class FormatNotSupportedError < StandardError; end
+    class FormatNotSupportedError < Error; end
     ATTESTATION_FORMAT_NONE = "none"
     ATTESTATION_FORMAT_FIDO_U2F = "fido-u2f"

data/lib/webauthn/attestation_statement/base.rb CHANGED

@@ -1,9 +1,11 @@
 # frozen_string_literal: true
+require "webauthn/error"
 module WebAuthn
   module AttestationStatement
     class Base
-      class NotSupportedError < StandardError; end
+      class NotSupportedError < Error; end
       def initialize(statement)
         @statement = statement

data/lib/webauthn/authenticator_data/attested_credential_data.rb CHANGED

@@ -51,7 +51,7 @@ module WebAuthn
       end
       def public_key
-        @public_key ||= PublicKeyU2f.new(data_at(public_key_position, public_key_length))
+        @public_key ||= PublicKeyU2f.new(data_at(public_key_position))
       end
       def id_position
@@ -70,10 +70,6 @@ module WebAuthn
         id_position + id_length
       end
-      def public_key_length
-        data.size - (AAGUID_LENGTH + ID_LENGTH_LENGTH + id_length)
-      end
       def data_at(position, length = nil)
         length ||= data.size - position

data/lib/webauthn/authenticator_response.rb CHANGED

@@ -28,7 +28,7 @@ module WebAuthn
     end
     def valid_challenge?(original_challenge)
-      Base64.urlsafe_decode64(client_data.challenge) == original_challenge
+      WebAuthn::SecurityUtils.secure_compare(Base64.urlsafe_decode64(client_data.challenge), original_challenge)
     end
     def valid_origin?(original_origin)

data/lib/webauthn/client_data.rb CHANGED

@@ -1,8 +1,11 @@
 # frozen_string_literal: true
 require "openssl"
+require "webauthn/error"
 module WebAuthn
+  class ClientDataMissingError < Error; end
   class ClientData
     def initialize(client_data_json)
       @client_data_json = client_data_json
@@ -34,7 +37,7 @@ module WebAuthn
           if client_data_json
             JSON.parse(client_data_json)
           else
-            raise "Missing client_data_json"
+            raise ClientDataMissingError, "Client Data JSON is missing"
           end
         end
     end

data/lib/webauthn/error.rb ADDED

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module WebAuthn
+  class Error < StandardError; end
+end

data/lib/webauthn/security_utils.rb ADDED

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module WebAuthn
+  module SecurityUtils
+    # Constant time string comparison, for variable length strings.
+    # This code was adapted from Rails ActiveSupport::SecurityUtils
+    #
+    # The values are first processed by SHA256, so that we don't leak length info
+    # via timing attacks.
+    def secure_compare(first_string, second_string)
+      first_string_sha256 = ::Digest::SHA256.hexdigest(first_string)
+      second_string_sha256 = ::Digest::SHA256.hexdigest(second_string)
+      fixed_length_secure_compare(first_string_sha256, second_string_sha256) && first_string == second_string
+    end
+    module_function :secure_compare
+    private
+    # Constant time string comparison, for fixed length strings.
+    # This code was adapted from Rails ActiveSupport::SecurityUtils
+    #
+    # The values compared should be of fixed length, such as strings
+    # that have already been processed by HMAC. Raises in case of length mismatch.
+    def fixed_length_secure_compare(first_string, second_string)
+      raise ArgumentError, "string length mismatch." unless first_string.bytesize == second_string.bytesize
+      l = first_string.unpack "C#{first_string.bytesize}"
+      res = 0
+      second_string.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+    module_function :fixed_length_secure_compare
+  end
+end

data/lib/webauthn/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module WebAuthn
-  VERSION = "1.7.0"
+  VERSION = "1.8.0"
 end

data/webauthn.gemspec CHANGED

@@ -34,9 +34,9 @@ Gem::Specification.new do |spec|
   spec.add_dependency "jwt", [">= 1.5", "< 3.0"]
   spec.add_dependency "openssl", "~> 2.0"
-  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 10.0"
-  spec.add_development_dependency "rake", "~> 12.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency "rubocop", "0.60.0"
+  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "rspec", "~> 3.8"
+  spec.add_development_dependency "rubocop", "0.61.1"
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-11-08 00:00:00.000000000 Z
+date: 2019-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cbor
@@ -77,16 +77,22 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.17'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.17'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -107,42 +113,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.8'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.60.0
+        version: 0.61.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.60.0
+        version: 0.61.1
 description:
 email:
 - gonzalo@cedarcode.com
@@ -177,7 +183,9 @@ files:
 - lib/webauthn/authenticator_data/attested_credential_data/public_key_u2f.rb
 - lib/webauthn/authenticator_response.rb
 - lib/webauthn/client_data.rb
+- lib/webauthn/error.rb
 - lib/webauthn/fake_authenticator.rb
+- lib/webauthn/security_utils.rb
 - lib/webauthn/version.rb
 - webauthn.gemspec
 homepage: https://github.com/cedarcode/webauthn-ruby
@@ -202,8 +210,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.7
+rubygems_version: 3.0.2
 signing_key:
 specification_version: 4
 summary: WebAuthn in ruby ― Ruby implementation of a WebAuthn Relying Party