webauthn 2.0.0.beta1 → 2.3.0

data/lib/webauthn/authenticator_data.rb

@@ -1,32 +1,49 @@
 # frozen_string_literal: true
 
+require "bindata"
 require "webauthn/authenticator_data/attested_credential_data"
+require "webauthn/error"
 
 module WebAuthn
-  class AuthenticatorData
-    RP_ID_HASH_POSITION = 0
+  class AuthenticatorDataFormatError < WebAuthn::Error; end
 
+  class AuthenticatorData < BinData::Record
     RP_ID_HASH_LENGTH = 32
     FLAGS_LENGTH = 1
     SIGN_COUNT_LENGTH = 4
 
-    SIGN_COUNT_POSITION = RP_ID_HASH_LENGTH + FLAGS_LENGTH
+    endian :big
 
-    USER_PRESENT_FLAG_POSITION = 0
-    USER_VERIFIED_FLAG_POSITION = 2
-    ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION = 6
-    EXTENSION_DATA_INCLUDED_FLAG_POSITION = 7
+    count_bytes_remaining :data_length
+    string :rp_id_hash, length: RP_ID_HASH_LENGTH
+    struct :flags do
+      bit1 :extension_data_included
+      bit1 :attested_credential_data_included
+      bit1 :reserved_for_future_use_4
+      bit1 :reserved_for_future_use_3
+      bit1 :reserved_for_future_use_2
+      bit1 :user_verified
+      bit1 :reserved_for_future_use_1
+      bit1 :user_present
+    end
+    bit32 :sign_count
+    count_bytes_remaining :trailing_bytes_length
+    string :trailing_bytes, length: :trailing_bytes_length
 
-    def initialize(data)
-      @data = data
+    def self.deserialize(data)
+      read(data)
+    rescue EOFError
+      raise AuthenticatorDataFormatError
     end
 
-    attr_reader :data
+    def data
+      to_binary_s
+    end
 
     def valid?
-      valid_length? &&
-        (!attested_credential_data_included? || attested_credential_data.valid?) &&
-        (!extension_data_included? || extension_data)
+      (!attested_credential_data_included? || attested_credential_data.valid?) &&
+        (!extension_data_included? || extension_data) &&
+        valid_length?
     end
 
     def user_flagged?
@@ -34,26 +51,19 @@ module WebAuthn
     end
 
     def user_present?
-      flags[USER_PRESENT_FLAG_POSITION] == "1"
+      flags.user_present == 1
     end
 
     def user_verified?
-      flags[USER_VERIFIED_FLAG_POSITION] == "1"
+      flags.user_verified == 1
     end
 
     def attested_credential_data_included?
-      flags[ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION] == "1"
+      flags.attested_credential_data_included == 1
     end
 
     def extension_data_included?
-      flags[EXTENSION_DATA_INCLUDED_FLAG_POSITION] == "1"
-    end
-
-    def rp_id_hash
-      @rp_id_hash ||=
-        if valid?
-          data_at(RP_ID_HASH_POSITION, RP_ID_HASH_LENGTH)
-        end
+      flags.extension_data_included == 1
     end
 
     def credential
@@ -62,35 +72,39 @@ module WebAuthn
       end
     end
 
-    def sign_count
-      @sign_count ||= data_at(SIGN_COUNT_POSITION, SIGN_COUNT_LENGTH).unpack('L>')[0]
-    end
-
     def attested_credential_data
       @attested_credential_data ||=
-        AttestedCredentialData.new(data_at(attested_credential_data_position))
+        AttestedCredentialData.deserialize(trailing_bytes)
+    rescue AttestedCredentialDataFormatError
+      raise AuthenticatorDataFormatError
     end
 
     def extension_data
       @extension_data ||= CBOR.decode(raw_extension_data)
     end
 
-    def flags
-      @flags ||= data_at(flags_position, FLAGS_LENGTH).unpack("b*")[0]
+    def aaguid
+      raw_aaguid = attested_credential_data.raw_aaguid
+
+      unless raw_aaguid == WebAuthn::AuthenticatorData::AttestedCredentialData::ZEROED_AAGUID
+        attested_credential_data.aaguid
+      end
     end
 
     private
 
     def valid_length?
-      data.length == base_length + attested_credential_data_length + extension_data_length
+      data_length == base_length + attested_credential_data_length + extension_data_length
     end
 
     def raw_extension_data
-      data_at(extension_data_position)
-    end
-
-    def attested_credential_data_position
-      base_length
+      if extension_data_included?
+        if attested_credential_data_included?
+          trailing_bytes[attested_credential_data.length..-1]
+        else
+          trailing_bytes.snapshot
+        end
+      end
     end
 
     def attested_credential_data_length
@@ -109,22 +123,8 @@ module WebAuthn
       end
     end
 
-    def extension_data_position
-      base_length + attested_credential_data_length
-    end
-
     def base_length
       RP_ID_HASH_LENGTH + FLAGS_LENGTH + SIGN_COUNT_LENGTH
     end
-
-    def flags_position
-      RP_ID_HASH_LENGTH
-    end
-
-    def data_at(position, length = nil)
-      length ||= data.size - position
-
-      data[position..(position + length - 1)]
-    end
   end
 end

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -1,34 +1,43 @@
 # frozen_string_literal: true
 
+require "bindata"
 require "cose/key"
+require "webauthn/error"
 
 module WebAuthn
-  class AuthenticatorData
-    class AttestedCredentialData
+  class AttestedCredentialDataFormatError < WebAuthn::Error; end
+
+  class AuthenticatorData < BinData::Record
+    class AttestedCredentialData < BinData::Record
       AAGUID_LENGTH = 16
       ZEROED_AAGUID = 0.chr * AAGUID_LENGTH
 
       ID_LENGTH_LENGTH = 2
 
-      UINT16_BIG_ENDIAN_FORMAT = "n*"
+      endian :big
+
+      string :raw_aaguid, length: AAGUID_LENGTH
+      bit16 :id_length
+      string :id, read_length: :id_length
+      count_bytes_remaining :trailing_bytes_length
+      string :trailing_bytes, length: :trailing_bytes_length
 
-      # FIXME: use keyword_init when we dropped Ruby 2.4 support
-      Credential = Struct.new(:id, :public_key) do
-        def public_key_object
-          COSE::Key.deserialize(public_key).to_pkey
+      # TODO: use keyword_init when we dropped Ruby 2.4 support
+      Credential =
+        Struct.new(:id, :public_key) do
+          def public_key_object
+            COSE::Key.deserialize(public_key).to_pkey
+          end
         end
-      end
 
-      def initialize(data)
-        @data = data
+      def self.deserialize(data)
+        read(data)
+      rescue EOFError
+        raise AttestedCredentialDataFormatError
       end
 
       def valid?
-        data.length >= AAGUID_LENGTH + ID_LENGTH_LENGTH && valid_credential_public_key?
-      end
-
-      def raw_aaguid
-        data_at(0, AAGUID_LENGTH)
+        valid_credential_public_key?
       end
 
       def aaguid
@@ -37,62 +46,32 @@ module WebAuthn
 
       def credential
         @credential ||=
-          if id
+          if valid?
             Credential.new(id, public_key)
           end
       end
 
       def length
         if valid?
-          public_key_position + public_key_length
+          AAGUID_LENGTH + ID_LENGTH_LENGTH + id_length + public_key_length
         end
       end
 
       private
 
-      attr_reader :data
-
       def valid_credential_public_key?
         cose_key = COSE::Key.deserialize(public_key)
 
-        !!cose_key.alg
-      end
-
-      def id
-        if valid?
-          data_at(id_position, id_length)
-        end
+        !!cose_key.alg && WebAuthn.configuration.algorithms.include?(COSE::Algorithm.find(cose_key.alg).name)
       end
 
       def public_key
-        @public_key ||= data_at(public_key_position, public_key_length)
-      end
-
-      def id_position
-        id_length_position + ID_LENGTH_LENGTH
-      end
-
-      def id_length
-        @id_length ||= data_at(id_length_position, ID_LENGTH_LENGTH).unpack(UINT16_BIG_ENDIAN_FORMAT)[0]
-      end
-
-      def id_length_position
-        AAGUID_LENGTH
-      end
-
-      def public_key_position
-        id_position + id_length
+        trailing_bytes[0..public_key_length - 1]
       end
 
       def public_key_length
         @public_key_length ||=
-          CBOR.encode(CBOR::Unpacker.new(StringIO.new(data_at(public_key_position))).each.first).length
-      end
-
-      def data_at(position, length = nil)
-        length ||= data.size - position
-
-        data[position..(position + length - 1)]
+          CBOR.encode(CBOR::Unpacker.new(StringIO.new(trailing_bytes)).each.first).length
       end
     end
   end

data/lib/webauthn/authenticator_response.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "webauthn/authenticator_data"
 require "webauthn/client_data"
 require "webauthn/error"
 require "webauthn/security_utils"
@@ -33,14 +34,20 @@ module WebAuthn
       verify_item(:origin, expected_origin)
       verify_item(:authenticator_data)
       verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
-      verify_item(:user_presence)
-      verify_item(:user_verified, user_verification)
+
+      if !WebAuthn.configuration.silent_authentication
+        verify_item(:user_presence)
+      end
+
+      if user_verification
+        verify_item(:user_verified)
+      end
 
       true
     end
 
-    def valid?(*args)
-      verify(*args)
+    def valid?(*args, **keyword_arguments)
+      verify(*args, **keyword_arguments)
     rescue WebAuthn::VerificationError
       false
     end
@@ -85,18 +92,16 @@ module WebAuthn
 
     def valid_authenticator_data?
       authenticator_data.valid?
+    rescue WebAuthn::AuthenticatorDataFormatError
+      false
     end
 
     def valid_user_presence?
       authenticator_data.user_flagged?
     end
 
-    def valid_user_verified?(user_verification)
-      if user_verification
-        authenticator_data.user_verified?
-      else
-        true
-      end
+    def valid_user_verified?
+      authenticator_data.user_verified?
     end
 
     def rp_id_from_origin(expected_origin)

data/lib/webauthn/configuration.rb

@@ -2,6 +2,7 @@
 
 require "openssl"
 require "webauthn/encoder"
+require "webauthn/error"
 
 module WebAuthn
   def self.configuration
@@ -12,6 +13,8 @@ module WebAuthn
     yield(configuration)
   end
 
+  class RootCertificateFinderNotSupportedError < Error; end
+
   class Configuration
     def self.if_pss_supported(algorithm)
       OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
@@ -26,12 +29,18 @@ module WebAuthn
     attr_accessor :rp_name
     attr_accessor :verify_attestation_statement
     attr_accessor :credential_options_timeout
+    attr_accessor :silent_authentication
+    attr_accessor :acceptable_attestation_types
+    attr_reader :attestation_root_certificates_finders
 
     def initialize
       @algorithms = DEFAULT_ALGORITHMS.dup
       @encoding = WebAuthn::Encoder::STANDARD_ENCODING
       @verify_attestation_statement = true
       @credential_options_timeout = 120000
+      @silent_authentication = false
+      @acceptable_attestation_types = ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']
+      @attestation_root_certificates_finders = []
     end
 
     # This is the user-data encoder.
@@ -39,5 +48,19 @@ module WebAuthn
     def encoder
       @encoder ||= WebAuthn::Encoder.new(encoding)
     end
+
+    def attestation_root_certificates_finders=(finders)
+      if !finders.respond_to?(:each)
+        finders = [finders]
+      end
+
+      finders.each do |finder|
+        unless finder.respond_to?(:find)
+          raise RootCertificateFinderNotSupportedError, "Finder must implement `find` method"
+        end
+      end
+
+      @attestation_root_certificates_finders = finders
+    end
   end
 end

data/lib/webauthn/credential.rb

@@ -7,12 +7,12 @@ require "webauthn/public_key_credential_with_attestation"
 
 module WebAuthn
   module Credential
-    def self.options_for_create(*args)
-      WebAuthn::PublicKeyCredential::CreationOptions.new(*args)
+    def self.options_for_create(**keyword_arguments)
+      WebAuthn::PublicKeyCredential::CreationOptions.new(**keyword_arguments)
     end
 
-    def self.options_for_get(*args)
-      WebAuthn::PublicKeyCredential::RequestOptions.new(*args)
+    def self.options_for_get(**keyword_arguments)
+      WebAuthn::PublicKeyCredential::RequestOptions.new(**keyword_arguments)
     end
 
     def self.from_create(credential)

data/lib/webauthn/credential_creation_options.rb

@@ -71,7 +71,7 @@ module WebAuthn
     end
 
     def pub_key_cred_params
-      WebAuthn.configuration.algorithms.map do |alg_name|
+      configuration.algorithms.map do |alg_name|
         { type: "public-key", alg: COSE::Algorithm.by_name(alg_name).id }
       end
     end

data/lib/webauthn/fake_authenticator.rb

@@ -18,7 +18,8 @@ module WebAuthn
       user_present: true,
       user_verified: false,
       attested_credential_data: true,
-      sign_count: nil
+      sign_count: nil,
+      extensions: nil
     )
       credential_id, credential_key, credential_sign_count = new_credential
       sign_count ||= credential_sign_count
@@ -37,7 +38,8 @@ module WebAuthn
         user_present: user_present,
         user_verified: user_verified,
         attested_credential_data: attested_credential_data,
-        sign_count: sign_count
+        sign_count: sign_count,
+        extensions: extensions
       ).serialize
     end
 
@@ -47,7 +49,8 @@ module WebAuthn
       user_present: true,
       user_verified: false,
       aaguid: AuthenticatorData::AAGUID,
-      sign_count: nil
+      sign_count: nil,
+      extensions: nil
     )
       credential_options = credentials[rp_id]
 
@@ -63,6 +66,7 @@ module WebAuthn
           aaguid: aaguid,
           credential: nil,
           sign_count: sign_count || credential_sign_count,
+          extensions: extensions
         ).serialize
 
         signature = credential_key.sign("SHA256", authenticator_data + client_data_hash)