webauthn 2.0.0.beta1 → 2.3.0
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.rubocop.yml +65 -13
- data/.travis.yml +22 -18
- data/Appraisals +4 -0
- data/CHANGELOG.md +72 -25
- data/CONTRIBUTING.md +0 -5
- data/README.md +172 -15
- data/SECURITY.md +4 -4
- data/gemfiles/openssl_2_2.gemfile +7 -0
- data/lib/cose/rsapkcs1_algorithm.rb +43 -0
- data/lib/webauthn/attestation_object.rb +43 -0
- data/lib/webauthn/attestation_statement.rb +20 -20
- data/lib/webauthn/attestation_statement/android_key.rb +28 -30
- data/lib/webauthn/attestation_statement/android_safetynet.rb +30 -20
- data/lib/webauthn/attestation_statement/base.rb +124 -14
- data/lib/webauthn/attestation_statement/fido_u2f.rb +13 -9
- data/lib/webauthn/attestation_statement/packed.rb +14 -42
- data/lib/webauthn/attestation_statement/tpm.rb +38 -54
- data/lib/webauthn/authenticator_assertion_response.rb +7 -36
- data/lib/webauthn/authenticator_attestation_response.rb +24 -46
- data/lib/webauthn/authenticator_data.rb +51 -51
- data/lib/webauthn/authenticator_data/attested_credential_data.rb +29 -50
- data/lib/webauthn/authenticator_response.rb +15 -10
- data/lib/webauthn/configuration.rb +23 -0
- data/lib/webauthn/credential.rb +4 -4
- data/lib/webauthn/credential_creation_options.rb +1 -1
- data/lib/webauthn/fake_authenticator.rb +7 -3
- data/lib/webauthn/fake_authenticator/attestation_object.rb +7 -3
- data/lib/webauthn/fake_authenticator/authenticator_data.rb +2 -4
- data/lib/webauthn/fake_client.rb +17 -4
- data/lib/webauthn/public_key.rb +68 -0
- data/lib/webauthn/public_key_credential.rb +13 -3
- data/lib/webauthn/public_key_credential/creation_options.rb +2 -2
- data/lib/webauthn/u2f_migrator.rb +5 -4
- data/lib/webauthn/version.rb +1 -1
- data/script/ci/install-openssl +7 -0
- data/script/ci/install-ruby +13 -0
- data/webauthn.gemspec +14 -9
- metadata +70 -42
- data/lib/android_safetynet/attestation_response.rb +0 -84
- data/lib/cose/algorithm.rb +0 -38
- data/lib/tpm/constants.rb +0 -22
- data/lib/tpm/s_attest.rb +0 -26
- data/lib/tpm/s_attest/s_certify_info.rb +0 -14
- data/lib/tpm/sized_buffer.rb +0 -13
- data/lib/tpm/t_public.rb +0 -32
- data/lib/tpm/t_public/s_ecc_parms.rb +0 -17
- data/lib/tpm/t_public/s_rsa_parms.rb +0 -17
- data/lib/webauthn/attestation_statement/android_key/authorization_list.rb +0 -39
- data/lib/webauthn/attestation_statement/android_key/key_description.rb +0 -37
- data/lib/webauthn/attestation_statement/tpm/cert_info.rb +0 -44
- data/lib/webauthn/attestation_statement/tpm/pub_area.rb +0 -85
- data/lib/webauthn/signature_verifier.rb +0 -65
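--- a/data/lib/webauthn/signature_verifier.rb
+++ b/data/lib/webauthn/signature_verifier.rb
@@ -1,65 +0,0 @@
-# frozen_string_literal: true
-
-require "cose/algorithm"
-require "cose/key"
-require "openssl"
-require "webauthn/error"
-
-module WebAuthn
-class SignatureVerifier
-class UnsupportedAlgorithm < Error; end
-
-# This logic contained in this map constant is a candidate to be moved to cose gem domain
-KTY_MAP = {
-COSE::Key::EC2::KTY_EC2 => [OpenSSL::PKey::EC, OpenSSL::PKey::EC::Point],
-COSE::Key::RSA::KTY_RSA => [OpenSSL::PKey::RSA]
-}.freeze
-
-def initialize(algorithm, public_key)
-@algorithm = algorithm
-@public_key = public_key
-
-validate
-end
-
-def verify(signature, verification_data, rsa_pss_salt_length: :digest)
-if rsa_pss?
-public_key.verify_pss(cose_algorithm.hash, signature, verification_data,
-salt_length: rsa_pss_salt_length, mgf1_hash: cose_algorithm.hash)
-else
-public_key.verify(cose_algorithm.hash, signature, verification_data)
-end
-end
-
-private
-
-attr_reader :algorithm, :public_key
-
-def cose_algorithm
-case algorithm
-when COSE::Algorithm
-algorithm
-else
-COSE::Algorithm.find(algorithm)
-end
-end
-
-def rsa_pss?
-cose_algorithm.name.start_with?("PS")
-end
-
-def validate
-if !cose_algorithm
-raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
-elsif !supported_algorithms.include?(cose_algorithm.name)
-raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
-elsif !KTY_MAP[cose_algorithm.kty].include?(public_key.class)
-raise("Incompatible algorithm and key")
-end
-end
-
-def supported_algorithms
-WebAuthn.configuration.algorithms
-end
-end
-end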