webauthn 2.0.0.beta1 → 2.3.0

data/lib/webauthn/fake_authenticator/attestation_object.rb

@@ -14,7 +14,8 @@ module WebAuthn
         user_present: true,
         user_verified: false,
         attested_credential_data: true,
-        sign_count: 0
+        sign_count: 0,
+        extensions: nil
       )
         @client_data_hash = client_data_hash
         @rp_id_hash = rp_id_hash
@@ -24,6 +25,7 @@ module WebAuthn
         @user_verified = user_verified
         @attested_credential_data = attested_credential_data
         @sign_count = sign_count
+        @extensions = extensions
       end
 
       def serialize
@@ -44,7 +46,8 @@ module WebAuthn
         :user_present,
         :user_verified,
         :attested_credential_data,
-        :sign_count
+        :sign_count,
+        :extensions
       )
 
       def authenticator_data
@@ -60,7 +63,8 @@ module WebAuthn
               credential: credential_data,
               user_present: user_present,
               user_verified: user_verified,
-              sign_count: 0
+              sign_count: 0,
+              extensions: extensions
             )
           end
       end

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -115,8 +115,7 @@ module WebAuthn
         case credential[:public_key]
         when OpenSSL::PKey::RSA
           key = COSE::Key::RSA.from_pkey(credential[:public_key])
-          # FIXME: Remove once writer in cose
-          key.instance_variable_set(:@alg, -257)
+          key.alg = -257
         when OpenSSL::PKey::EC::Point
           alg = {
             COSE::Key::Curve.by_name("P-256").id => -7,
@@ -125,8 +124,7 @@ module WebAuthn
           }
 
           key = COSE::Key::EC2.from_pkey(credential[:public_key])
-          # FIXME: Remove once writer in cose
-          key.instance_variable_set(:@alg, alg[key.crv])
+          key.alg = alg[key.crv]
 
         end
 

data/lib/webauthn/fake_client.rb

@@ -29,7 +29,8 @@ module WebAuthn
       rp_id: nil,
       user_present: true,
       user_verified: false,
-      attested_credential_data: true
+      attested_credential_data: true,
+      extensions: nil
     )
       rp_id ||= URI.parse(origin).host
 
@@ -41,12 +42,16 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
-        attested_credential_data: attested_credential_data
+        attested_credential_data: attested_credential_data,
+        extensions: extensions
       )
 
       id =
         if attested_credential_data
-          WebAuthn::AuthenticatorData.new(CBOR.decode(attestation_object)["authData"]).credential.id
+          WebAuthn::AuthenticatorData
+            .deserialize(CBOR.decode(attestation_object)["authData"])
+            .attested_credential_data
+            .id
         else
           "id-for-pk-without-attested-credential-data"
         end
@@ -55,6 +60,7 @@ module WebAuthn
         "type" => "public-key",
         "id" => internal_encoder.encode(id),
         "rawId" => encoder.encode(id),
+        "clientExtensionResults" => extensions,
         "response" => {
           "attestationObject" => encoder.encode(attestation_object),
           "clientDataJSON" => encoder.encode(client_data_json)
@@ -62,7 +68,12 @@ module WebAuthn
       }
     end
 
-    def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false, sign_count: nil)
+    def get(challenge: fake_challenge,
+            rp_id: nil,
+            user_present: true,
+            user_verified: false,
+            sign_count: nil,
+            extensions: nil)
       rp_id ||= URI.parse(origin).host
 
       client_data_json = data_json_for(:get, encoder.decode(challenge))
@@ -74,12 +85,14 @@ module WebAuthn
         user_present: user_present,
         user_verified: user_verified,
         sign_count: sign_count,
+        extensions: extensions
       )
 
       {
         "type" => "public-key",
         "id" => internal_encoder.encode(assertion[:credential_id]),
         "rawId" => encoder.encode(assertion[:credential_id]),
+        "clientExtensionResults" => extensions,
         "response" => {
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),

data/lib/webauthn/public_key.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "cose/algorithm"
+require "cose/error"
+require "cose/key"
+require "cose/rsapkcs1_algorithm"
+require "webauthn/attestation_statement/fido_u2f/public_key"
+
+module WebAuthn
+  class PublicKey
+    class UnsupportedAlgorithm < Error; end
+
+    def self.deserialize(public_key)
+      cose_key =
+        if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(public_key)
+          # Gem version v1.11.0 and lower, used to behave so that Credential#public_key
+          # returned an EC P-256 uncompressed point.
+          #
+          # Because of https://github.com/cedarcode/webauthn-ruby/issues/137 this was changed
+          # and Credential#public_key started returning the unchanged COSE_Key formatted
+          # credentialPublicKey (as in https://www.w3.org/TR/webauthn/#credentialpublickey).
+          #
+          # Given that the credential public key is expected to be stored long-term by the gem
+          # user and later be passed as the public_key argument in the
+          # AuthenticatorAssertionResponse.verify call, we then need to support the two formats.
+          COSE::Key::EC2.new(
+            alg: COSE::Algorithm.by_name("ES256").id,
+            crv: 1,
+            x: public_key[1..32],
+            y: public_key[33..-1]
+          )
+        else
+          COSE::Key.deserialize(public_key)
+        end
+
+      new(cose_key: cose_key)
+    end
+
+    attr_reader :cose_key
+
+    def initialize(cose_key:)
+      @cose_key = cose_key
+    end
+
+    def pkey
+      @cose_key.to_pkey
+    end
+
+    def alg
+      @cose_key.alg
+    end
+
+    def verify(signature, verification_data)
+      cose_algorithm.verify(pkey, signature, verification_data)
+    rescue COSE::Error
+      false
+    end
+
+    private
+
+    def cose_algorithm
+      @cose_algorithm ||= COSE::Algorithm.find(alg) || raise(
+        UnsupportedAlgorithm,
+        "The public key algorithm #{alg} is not among the available COSE algorithms"
+      )
+    end
+  end
+end

data/lib/webauthn/public_key_credential.rb

@@ -4,21 +4,23 @@ require "webauthn/encoder"
 
 module WebAuthn
   class PublicKeyCredential
-    attr_reader :type, :id, :raw_id, :response
+    attr_reader :type, :id, :raw_id, :client_extension_outputs, :response
 
     def self.from_client(credential)
       new(
         type: credential["type"],
         id: credential["id"],
         raw_id: WebAuthn.configuration.encoder.decode(credential["rawId"]),
+        client_extension_outputs: credential["clientExtensionResults"],
         response: response_class.from_client(credential["response"])
       )
     end
 
-    def initialize(type:, id:, raw_id:, response:)
+    def initialize(type:, id:, raw_id:, client_extension_outputs: {}, response:)
       @type = type
       @id = id
       @raw_id = raw_id
+      @client_extension_outputs = client_extension_outputs
       @response = response
     end
 
@@ -30,7 +32,11 @@ module WebAuthn
     end
 
     def sign_count
-      response&.authenticator_data&.sign_count
+      authenticator_data&.sign_count
+    end
+
+    def authenticator_extension_outputs
+      authenticator_data.extension_data if authenticator_data&.extension_data_included?
     end
 
     private
@@ -43,6 +49,10 @@ module WebAuthn
       raw_id && id && raw_id == WebAuthn.standard_encoder.decode(id)
     end
 
+    def authenticator_data
+      response&.authenticator_data
+    end
+
     def encoder
       WebAuthn.configuration.encoder
     end

data/lib/webauthn/public_key_credential/creation_options.rb

@@ -42,14 +42,14 @@ module WebAuthn
             rp[:name] ||= configuration.rp_name
             rp[:id] ||= configuration.rp_id
 
-            RPEntity.new(rp)
+            RPEntity.new(**rp)
           else
             rp
           end
 
         @user =
           if user.is_a?(Hash)
-            UserEntity.new(user)
+            UserEntity.new(**user)
           else
             user
           end

data/lib/webauthn/u2f_migrator.rb

@@ -28,10 +28,11 @@ module WebAuthn
     end
 
     def credential
-      @credential ||= begin
-        hash = authenticator_data.send(:credential)
-        WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
-      end
+      @credential ||=
+        begin
+          hash = authenticator_data.send(:credential)
+          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
+        end
     end
 
     def attestation_type

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.0.0.beta1"
+  VERSION = "2.3.0"
 end

data/script/ci/install-openssl

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+if [[ "$LIBSSL" == "1.0" ]]; then
+  sudo apt-get install libssl1.0-dev
+fi

data/script/ci/install-ruby

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+source "$HOME/.rvm/scripts/rvm"
+
+if [[ "$LIBSSL" == "1.0" ]]; then
+  rvm use --install $RB --autolibs=read-only --disable-binary
+elif [[ "$LIBSSL" == "1.1" ]]; then
+  rvm use --install $RB --binary --fuzzy
+fi
+
+[[ "`ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'`" =~ "OpenSSL $LIBSSL" ]] || { echo "Wrong libssl version"; exit 1; }

data/webauthn.gemspec

@@ -22,27 +22,32 @@ Gem::Specification.new do |spec|
     "source_code_uri" => "https://github.com/cedarcode/webauthn-ruby"
   }
 
-  spec.files = `git ls-files -z`.split("\x0").reject do |f|
-    f.match(%r{^(test|spec|features|assets)/})
-  end
+  spec.files =
+    `git ls-files -z`.split("\x0").reject do |f|
+      f.match(%r{^(test|spec|features|assets)/})
+    end
+
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.3"
+  spec.required_ruby_version = ">= 2.4"
 
+  spec.add_dependency "android_key_attestation", "~> 0.3.0"
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
-  spec.add_dependency "cose", "~> 0.8.0"
-  spec.add_dependency "jwt", [">= 1.5", "< 3.0"]
+  spec.add_dependency "cose", "~> 1.0"
   spec.add_dependency "openssl", "~> 2.0"
+  spec.add_dependency "safety_net_attestation", "~> 0.4.0"
   spec.add_dependency "securecompare", "~> 1.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.9.0"
 
-  spec.add_development_dependency "appraisal", "~> 2.2.0"
+  spec.add_development_dependency "appraisal", "~> 2.3.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
-  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.73.0"
+  spec.add_development_dependency "rubocop", "0.80.1"
+  spec.add_development_dependency "rubocop-rspec", "~> 1.38.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 2.0.0.beta1
+  version: 2.3.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,8 +9,22 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-09-16 00:00:00.000000000 Z
+date: 2020-06-27 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: android_key_attestation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0
 - !ruby/object:Gem::Dependency
   name: awrence
   requirement: !ruby/object:Gem::Requirement
@@ -59,48 +73,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: openssl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.5'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.5'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: openssl
+  name: safety_net_attestation
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 0.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 0.4.0
 - !ruby/object:Gem::Dependency
   name: securecompare
   requirement: !ruby/object:Gem::Requirement
@@ -115,20 +123,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: tpm-key_attestation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -169,14 +191,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -197,14 +219,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.73.0
+        version: 0.80.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.73.0
+        version: 0.80.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.38.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.38.1
 description: |-
   WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
       Relying Party and allow your users to authenticate with U2F and FIDO2 authenticators.
@@ -233,21 +269,13 @@ files:
 - gemfiles/cose_head.gemfile
 - gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_head.gemfile
-- lib/android_safetynet/attestation_response.rb
-- lib/cose/algorithm.rb
-- lib/tpm/constants.rb
-- lib/tpm/s_attest.rb
-- lib/tpm/s_attest/s_certify_info.rb
-- lib/tpm/sized_buffer.rb
-- lib/tpm/t_public.rb
-- lib/tpm/t_public/s_ecc_parms.rb
-- lib/tpm/t_public/s_rsa_parms.rb
+- lib/cose/rsapkcs1_algorithm.rb
 - lib/webauthn.rb
+- lib/webauthn/attestation_object.rb
 - lib/webauthn/attestation_statement.rb
 - lib/webauthn/attestation_statement/android_key.rb
-- lib/webauthn/attestation_statement/android_key/authorization_list.rb
-- lib/webauthn/attestation_statement/android_key/key_description.rb
 - lib/webauthn/attestation_statement/android_safetynet.rb
 - lib/webauthn/attestation_statement/base.rb
 - lib/webauthn/attestation_statement/fido_u2f.rb
@@ -255,8 +283,6 @@ files:
 - lib/webauthn/attestation_statement/none.rb
 - lib/webauthn/attestation_statement/packed.rb
 - lib/webauthn/attestation_statement/tpm.rb
-- lib/webauthn/attestation_statement/tpm/cert_info.rb
-- lib/webauthn/attestation_statement/tpm/pub_area.rb
 - lib/webauthn/authenticator_assertion_response.rb
 - lib/webauthn/authenticator_attestation_response.rb
 - lib/webauthn/authenticator_data.rb
@@ -277,6 +303,7 @@ files:
 - lib/webauthn/fake_authenticator/attestation_object.rb
 - lib/webauthn/fake_authenticator/authenticator_data.rb
 - lib/webauthn/fake_client.rb
+- lib/webauthn/public_key.rb
 - lib/webauthn/public_key_credential.rb
 - lib/webauthn/public_key_credential/creation_options.rb
 - lib/webauthn/public_key_credential/entity.rb
@@ -287,9 +314,10 @@ files:
 - lib/webauthn/public_key_credential_with_assertion.rb
 - lib/webauthn/public_key_credential_with_attestation.rb
 - lib/webauthn/security_utils.rb
-- lib/webauthn/signature_verifier.rb
 - lib/webauthn/u2f_migrator.rb
 - lib/webauthn/version.rb
+- script/ci/install-openssl
+- script/ci/install-ruby
 - webauthn.gemspec
 homepage: https://github.com/cedarcode/webauthn-ruby
 licenses:
@@ -306,14 +334,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: WebAuthn ruby server library