webauthn 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2bd2d85eb0ce4769f5c4fe9529dedb4cd8bb25c4322bfb95bd4d9d623ab58b00
-  data.tar.gz: 6b0a3a7c524d7bd4db88d6c94968a165801374708ceac00f24e981c8599cbfe4
+  metadata.gz: 78367d9a528b780d4e53a29667fe47cf95d03698c976714fc7d71d46b253f4fa
+  data.tar.gz: ab4e9b0ef6a0bfcb9bd2c33d8220e0f3241f2ba949c57053d52968b6e34a5a61
 SHA512:
-  metadata.gz: ebf401f24d784c4beb0adbcb98203de34612eb47bd6af002dc5cb02709bc258078ca92439d5917fef28f8ff869de6e02c41bbe3301f16f2472d76b0cf93662ec
-  data.tar.gz: 8e1d8f03cad6d75658c4116d7b6117539ba828cbfea07dbb9a584a29387f55519c9a8eed332b4602a75ed0d7691a9bd412e7f9241b9993b0dff123b69cec086c
+  metadata.gz: f9a3514276b45c34c5509e7d55a6238d8a705ab19534a5ca3a802be4a00f42784b81c3dbc02f3c991918bb61da55b6f20c268a0573b8099224d9467d13932a60
+  data.tar.gz: e337a703e30a984b881d589f5c31a653e312a9ae4395cf2c411408e0f162871622c7f3d212412ea01de4db121a1ddf2431000ae55968358062f513b5feef812c

data/.gitignore

@@ -13,3 +13,4 @@
 /Gemfile.lock
 /gemfiles/*.gemfile.lock
 .byebug_history
+/spec/conformance/metadata.zip

data/.travis.yml

@@ -4,6 +4,7 @@ cache: bundler
 
 rvm:
   - ruby-head
+  - 2.7.0
   - 2.6.5
   - 2.5.7
   - 2.4.9
@@ -22,12 +23,14 @@ matrix:
     - gemfile: gemfiles/cose_head.gemfile
     - gemfile: gemfiles/openssl_head.gemfile
 
+addons:
+  apt:
+    packages:
+      - libfaketime
+
 before_install:
-  - wget http://archive.ubuntu.com/ubuntu/pool/universe/f/faketime/libfaketime_0.9.7-3_amd64.deb
-  - sudo dpkg -i libfaketime_0.9.7-3_amd64.deb
   - gem install bundler -v "~> 2.0"
 
 before_script:
   - export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
-  - export DONT_FAKE_MONOTONIC=1
   - export FAKETIME_NO_CACHE=1

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [v2.1.0] - 2019-12-30
+
+### Added
+
+- Ability to convert stored credential public key back to a ruby object with `WebAuthn::PublicKey.deserialize(stored_public_key)`, included the validation during de-serialization ([@ssuttner], [@padulafacundo])
+- Improved TPM attestation validation by checking "Subject Alternative Name" ([@bdewater])
+- Improved SafetyNet attestation validation by checking timestamp ([@padulafacundo])
+- [EXPERIMENTAL] Ability to optionally "Assess the attestation trustworthiness" during registration by setting `acceptable_attestation_types` and `attestation_root_certificates_finders` configuration values ([@padulafacundo])
+- Ruby 2.7 support without warnings
+
+Note: Expect possible breaking changes for "EXPERIMENTAL" features.
+
 ## [v2.0.0] - 2019-10-03
 
 ### Added
@@ -13,7 +25,7 @@
   - All the above automatically handle encoding/decoding for necessary values. The specific encoding scheme can
     be set (or even turned off) in `WebAutnn.configuration.encoding=`. Defaults to `:base64url`.
 - `WebAuthn::FakeClient#get` better fakes a real client by including `userHandle` in the returned hash.
-- Expose AAGUID and attestationCertificateKey for MDS lookup during attestation (@bdwater)
+- Expose AAGUID and attestationCertificateKey for MDS lookup during attestation ([@bdewater])
 
 ### Changed
 
@@ -56,23 +68,23 @@ returned base64url-encoded `id` value.
 
 ### Added
 
-- Ability to migrate U2F credentials to WebAuthn ([#211](https://github.com/cedarcode/webauthn-ruby/pull/211)) (@bdewater + @jdongelmans)
-- Ability to skip attestation statement verification ([#219](https://github.com/cedarcode/webauthn-ruby/pull/219)) (@MaximeNdutiye)
-- Ability to configure default credential options timeout ([#243](https://github.com/cedarcode/webauthn-ruby/pull/243)) (@MaximeNdutiye)
+- Ability to migrate U2F credentials to WebAuthn ([#211](https://github.com/cedarcode/webauthn-ruby/pull/211)) ([@bdewater] + [@jdongelmans])
+- Ability to skip attestation statement verification ([#219](https://github.com/cedarcode/webauthn-ruby/pull/219)) ([@MaximeNdutiye])
+- Ability to configure default credential options timeout ([#243](https://github.com/cedarcode/webauthn-ruby/pull/243)) ([@MaximeNdutiye])
 - AttestedCredentialData presence verification ([#237](https://github.com/cedarcode/webauthn-ruby/pull/237))
 - FakeClient learns how to increment sign count ([#225](https://github.com/cedarcode/webauthn-ruby/pull/225))
 
 ### Fixed
 
-- Properly verify SafetyNet certificates from input ([#233](https://github.com/cedarcode/webauthn-ruby/pull/233)) (@bdewater)
-- FakeClient default origin URL ([#242](https://github.com/cedarcode/webauthn-ruby/pull/242)) (@kalebtesfay)
+- Properly verify SafetyNet certificates from input ([#233](https://github.com/cedarcode/webauthn-ruby/pull/233)) ([@bdewater])
+- FakeClient default origin URL ([#242](https://github.com/cedarcode/webauthn-ruby/pull/242)) ([@kalebtesfay])
 
 ## [v1.17.0] - 2019-06-18
 
 ### Added
 
-- Support ES384, ES512, PS384, PS512, RS384 and RS512 credentials. Off by default. Enable by adding any of them to `WebAuthn.configuration.algorithms` array. Thank you @bdewater.
-- Support [Signature Counter](https://www.w3.org/TR/webauthn/#signature-counter) verification. Thank you @bdewater.
+- Support ES384, ES512, PS384, PS512, RS384 and RS512 credentials. Off by default. Enable by adding any of them to `WebAuthn.configuration.algorithms` array ([@bdewater])
+- Support [Signature Counter](https://www.w3.org/TR/webauthn/#signature-counter) verification ([@bdewater])
 
 ## [v1.16.0] - 2019-06-13
 
@@ -80,7 +92,7 @@ returned base64url-encoded `id` value.
 
 - Ability to enforce [user verification](https://www.w3.org/TR/webauthn/#user-verification) with extra argument in the `#verify` method.
 - Support RS1 (RSA w/ SHA-1) credentials. Off by default. Enable by adding `"RS1"` to `WebAuthn.configuration.algorithms` array.
-- Support PS256 (RSA Probabilistic Signature Scheme w/ SHA-256) credentials. On by default. Thank you @bdewater.
+- Support PS256 (RSA Probabilistic Signature Scheme w/ SHA-256) credentials. On by default ([@bdewater])
 
 ## [v1.15.0] - 2019-05-16
 
@@ -102,11 +114,11 @@ returned base64url-encoded `id` value.
 - Verify 'none' attestation statement is really empty.
 - Verify 'packed' attestation statement certificates start/end dates.
 - Verify 'packed' attestation statement signature algorithm.
-- Verify 'fiod-u2f attestation statement AAGUID is zeroed out. Thank you @bdewater.
+- Verify 'fiod-u2f attestation statement AAGUID is zeroed out ([@bdewater])
 - Verify 'android-key' attestation statement signature algorithm.
 - Verify assertion response signature algorithm.
 - Verify collectedClientData.tokenBinding format.
-- `WebAuthn.credential_creation_options` now accept `rp_name`, `user_id`, `user_name` and `display_name` as keyword arguments. Thank you @bdewater.
+- `WebAuthn.credential_creation_options` now accept `rp_name`, `user_id`, `user_name` and `display_name` as keyword arguments ([@bdewater])
 
 ## [v1.12.0] - 2019-04-03
 
@@ -128,11 +140,11 @@ Note #2: You don't need to do any convesion before passing the public key in `Au
 
 ### Added
 
-- `WebAuthn::AuthenticatorAttestationResponse#verify` supports `android-key` attestation statements. Thank you @bdewater!
+- `WebAuthn::AuthenticatorAttestationResponse#verify` supports `android-key` attestation statements ([@bdewater])
 
 ### Fixed
 
-- Verify matching AAGUID if needed when verifying `packed` attestation statements. Thank you @bdewater!
+- Verify matching AAGUID if needed when verifying `packed` attestation statements ([@bdewater])
 
 ## [v1.10.0] - 2019-03-05
 
@@ -150,7 +162,7 @@ Note #2: You don't need to do any convesion before passing the public key in `Au
 
 ### Added
 
-- Make challenge validation inside `#valid?` method resistant to timing attacks. Thank you @tomek-bt!
+- Make challenge validation inside `#valid?` method resistant to timing attacks (@tomek-bt)
 - Support for ruby 2.6
 
 ### Changed
@@ -162,7 +174,7 @@ Note #2: You don't need to do any convesion before passing the public key in `Au
 ### Added
 
 - _Registration_ ceremony
-  - `WebAuthn::AuthenticatorAttestationResponse` exposes attestation type and trust path via `#attestation_type` and `#attestation_trust_path` methods. Thank you @bdewater!
+  - `WebAuthn::AuthenticatorAttestationResponse` exposes attestation type and trust path via `#attestation_type` and `#attestation_trust_path` methods ([@bdewater])
 
 ## [v1.6.0] - 2018-11-01
 
@@ -174,21 +186,21 @@ Note #2: You don't need to do any convesion before passing the public key in `Au
 
 ### Added
 
-- Works with ruby 2.3. Thank you @bdewater!
+- Works with ruby 2.3 ([@bdewater])
 
 ## [v1.4.0] - 2018-10-11
 
 ### Added
 
 - _Registration_ ceremony
-  - `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `android-safetynet` attestation statements. Thank you @bdewater!
+  - `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `android-safetynet` attestation statements ([@bdewater])
 
 ## [v1.3.0] - 2018-10-11
 
 ### Added
 
 - _Registration_ ceremony
-  - `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `packed` attestation statements. Thank you @sorah!
+  - `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `packed` attestation statements ([@sorah])
 
 ## [v1.2.0] - 2018-10-08
 
@@ -206,7 +218,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 ### Added
 
 - _Registration_ ceremony
-  - `WebAuthn::AuthenticatorAttestationResponse.valid?` optionally accepts rp_id. Thank you @sorah!
+  - `WebAuthn::AuthenticatorAttestationResponse.valid?` optionally accepts rp_id ([@sorah])
 - _Authentication_ ceremony
   - `WebAuthn::AuthenticatorAssertionResponse.valid?` optionally accepts rp_id.
 
@@ -261,6 +273,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v2.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.0.0...v2.1.0/
 [v2.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.18.0...v2.0.0/
 [v1.18.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.17.0...v1.18.0/
 [v1.17.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.16.0...v1.17.0/
@@ -283,3 +296,11 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [v1.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.2.0...v1.0.0/
 [v0.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.0.0...v0.1.0/
+
+[@bdewater]: https://github.com/bdewater
+[@jdongelmans]: https://github.com/jdongelmans
+[@kalebtesfay]: https://github.com/kalebtesfay
+[@MaximeNdutiye]: https://github.com/MaximeNdutiye
+[@sorah]: https://github.com/sorah
+[@ssuttner]: https://github.com/ssuttner
+[@padulafacundo]: https://github.com/padulafacundo

data/CONTRIBUTING.md

@@ -14,9 +14,9 @@
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake` to run the tests and code-style checks. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
-Some tests require stubbing time with [libfaketime](https://github.com/wolfcw/libfaketime) in order to pass, otherwise they're skipped. You can install this library with your package manager. Follow libfaketime's instructions for your OS to preload the library before running the tests, and use the `DONT_FAKE_MONOTONIC=1 FAKETIME_NO_CACHE=1` options. E.g. when installed via homebrew on macOS:
+Some tests require stubbing time with [libfaketime](https://github.com/wolfcw/libfaketime) in order to pass, otherwise they're skipped. You can install this library with your package manager. Follow libfaketime's instructions for your OS to preload the library before running the tests, and use the `FAKETIME_NO_CACHE=1` option. E.g. when installed via homebrew on macOS:
 ```shell
-DYLD_INSERT_LIBRARIES=/usr/local/Cellar/libfaketime/2.9.7_1/lib/faketime/libfaketime.1.dylib DYLD_FORCE_FLAT_NAMESPACE=1 DONT_FAKE_MONOTONIC=1 FAKETIME_NO_CACHE=1 bundle exec rspec
+DYLD_INSERT_LIBRARIES=/usr/local/Cellar/libfaketime/2.9.7_1/lib/faketime/libfaketime.1.dylib DYLD_FORCE_FLAT_NAMESPACE=1 FAKETIME_NO_CACHE=1 bundle exec rspec
 ```
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).

data/README.md

@@ -1,5 +1,5 @@
 __Note__: You are viewing the README for the development version of webauthn-ruby.
-For the current release version see https://github.com/cedarcode/webauthn-ruby/blob/1-stable/README.md.
+For the current release version see https://github.com/cedarcode/webauthn-ruby/blob/2-stable/README.md.
 
 # webauthn-ruby
 
@@ -342,7 +342,9 @@ credential_with_assertion.verify(
 )
 ```
 
-## Attestation Statement Formats
+## Attestation
+
+### Attestation Statement Format
 
 | Attestation Statement Format | Supported? |
 | -------- | :--------: |
@@ -356,7 +358,9 @@ credential_with_assertion.verify(
 | fido-u2f | Yes |
 | none | Yes |
 
-NOTE: Be aware that it is up to you to do "trust path validation" (steps 15 and 16 in [Registering a new credential](https://www.w3.org/TR/webauthn/#registering-a-new-credential)) if that's a requirement of your Relying Party policy. The gem doesn't perform that validation for you right now.
+### Attestation Types
+
+You can define what trust policy to enforce by setting `acceptable_attestation_types` config to a subset of `['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']` and `attestation_root_certificates_finders` to an object that responds to `#find` and returns the corresponding root certificate for each registration. The `#find` method will be called passing keyword arguments `attesation_format`, `aaguid` and `attestation_certificate_key_id`.
 
 ## Testing Your Integration
 

data/SECURITY.md

@@ -4,11 +4,11 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
+| 2.1.z    | :white_check_mark: |
+| 2.0.z    | :white_check_mark: |
 | 1.18.z   | :white_check_mark: |
 | 1.17.z   | :white_check_mark: |
-| 1.16.z   | :white_check_mark: |
-| 1.15.z   | :white_check_mark: |
-| < 1.15   | :x:                |
+| < 1.17   | :x:                |
 
 ## Reporting a Vulnerability
 

data/lib/android_safetynet/attestation_response.rb

@@ -13,11 +13,22 @@ module AndroidSafetynet
     class NonceMismatchError < VerificationError; end
     class SignatureError < VerificationError; end
     class ResponseMissingError < VerificationError; end
+    class TimestampError < VerificationError; end
+    class TrustworthinessError < VerificationError; end
 
     CERTIRICATE_CHAIN_HEADER = "x5c"
     VALID_SUBJECT_HOSTNAME = "attest.android.com"
     HEADERS_POSITION = 1
     PAYLOAD_POSITION = 0
+    LEEWAY = 60
+
+    # FIXME: Should probably be limited to only roots published by Google
+    # See https://github.com/cedarcode/webauthn-ruby/issues/160#issuecomment-487941201
+    @trust_store = OpenSSL::X509::Store.new.tap { |trust_store| trust_store.set_default_paths }
+
+    class << self
+      attr_accessor :trust_store
+    end
 
     attr_reader :response
 
@@ -25,11 +36,15 @@ module AndroidSafetynet
       @response = response
     end
 
-    def verify(nonce)
+    def verify(nonce, trustworthiness: true)
       if response
         valid_nonce?(nonce) || raise(NonceMismatchError)
         valid_attestation_domain? || raise(LeafCertificateSubjectError)
         valid_signature? || raise(SignatureError)
+        valid_timestamp? || raise(TimestampError)
+        trustworthy? || raise(TrustworthinessError) if trustworthiness
+
+        true
       else
         raise(ResponseMissingError)
       end
@@ -39,12 +54,21 @@ module AndroidSafetynet
       payload["ctsProfileMatch"]
     end
 
+    def leaf_certificate
+      certificate_chain[0]
+    end
+
     def certificate_chain
       @certificate_chain ||= headers[CERTIRICATE_CHAIN_HEADER].map do |cert|
         OpenSSL::X509::Certificate.new(Base64.strict_decode64(cert))
       end
     end
 
+    def valid_timestamp?
+      now = Time.now
+      Time.at((payload["timestampMs"] / 1000.0).round).between?(now - LEEWAY, now)
+    end
+
     private
 
     def valid_nonce?(nonce)
@@ -65,8 +89,16 @@ module AndroidSafetynet
       false
     end
 
-    def leaf_certificate
-      certificate_chain[0]
+    def trustworthy?
+      !trust_store || trust_store.verify(leaf_certificate, signing_certificates)
+    end
+
+    def trust_store
+      self.class.trust_store
+    end
+
+    def signing_certificates
+      certificate_chain[1..-1]
     end
 
     def headers

data/lib/cose/rsassa_algorithm.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "cose"
+
+RSASSAAlgorithm = Struct.new(:id, :name, :hash_function, :kty)
+
+COSE::Algorithm.register(RSASSAAlgorithm.new(-257, "RS256", "SHA256", COSE::Key::RSA::KTY_RSA))
+COSE::Algorithm.register(RSASSAAlgorithm.new(-258, "RS384", "SHA384", COSE::Key::RSA::KTY_RSA))
+COSE::Algorithm.register(RSASSAAlgorithm.new(-259, "RS512", "SHA512", COSE::Key::RSA::KTY_RSA))
+COSE::Algorithm.register(RSASSAAlgorithm.new(-65535, "RS1", "SHA1", COSE::Key::RSA::KTY_RSA))

data/lib/tpm/constants.rb

@@ -19,4 +19,26 @@ module TPM
 
   # ECC curves
   ECC_NIST_P256 = 0x0003
+
+  # https://trustedcomputinggroup.org/resource/vendor-id-registry/ section 2 "TPM Capabilities Vendor ID (CAP_VID)"
+  VENDOR_IDS = {
+    "id:414D4400" => "AMD",
+    "id:41544D4C" => "Atmel",
+    "id:4252434D" => "Broadcom",
+    "id:49424D00" => "IBM",
+    "id:49465800" => "Infineon",
+    "id:494E5443" => "Intel",
+    "id:4C454E00" => "Lenovo",
+    "id:4E534D20" => "National Semiconductor",
+    "id:4E545A00" => "Nationz",
+    "id:4E544300" => "Nuvoton Technology",
+    "id:51434F4D" => "Qualcomm",
+    "id:534D5343" => "SMSC",
+    "id:53544D20" => "ST Microelectronics",
+    "id:534D534E" => "Samsung",
+    "id:534E5300" => "Sinosun",
+    "id:54584E00" => "Texas Instruments",
+    "id:57454300" => "Winbond",
+    "id:524F4343" => "Fuzhou Rockchip",
+  }.freeze
 end

data/lib/webauthn/attestation_statement/android_key.rb

@@ -22,7 +22,7 @@ module WebAuthn
           all_applications_field_not_present? &&
           valid_authorization_list_origin? &&
           valid_authorization_list_purpose? &&
-          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_certificate_chain]
+          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_trust_path]
       end
 
       private

data/lib/webauthn/attestation_statement/android_safetynet.rb

@@ -8,34 +8,24 @@ module WebAuthn
   module AttestationStatement
     # Implements https://www.w3.org/TR/webauthn-1/#sctn-android-safetynet-attestation
     class AndroidSafetynet < Base
-      def self.default_trust_store
-        OpenSSL::X509::Store.new.tap { |trust_store| trust_store.set_default_paths }
-      end
-
-      def valid?(authenticator_data, client_data_hash, trust_store: self.class.default_trust_store)
-        trusted_attestation_certificate?(trust_store) &&
-          valid_response?(authenticator_data, client_data_hash) &&
+      def valid?(authenticator_data, client_data_hash)
+        valid_response?(authenticator_data, client_data_hash) &&
           valid_version? &&
           cts_profile_match? &&
-          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_certificate]
+          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_trust_path]
       end
 
       def attestation_certificate
-        attestation_response.certificate_chain[0]
+        attestation_response.leaf_certificate
       end
 
       private
 
-      # FIXME: This should be a responsibility of AndroidSafetynet::AttestationResponse#verify
-      def trusted_attestation_certificate?(trust_store)
-        trust_store.verify(attestation_certificate, signing_certificates)
-      end
-
       def valid_response?(authenticator_data, client_data_hash)
         nonce = Digest::SHA256.base64digest(authenticator_data.data + client_data_hash)
 
         begin
-          attestation_response.verify(nonce)
+          attestation_response.verify(nonce, trustworthiness: false)
         rescue ::AndroidSafetynet::AttestationResponse::VerificationError
           false
         end
@@ -50,8 +40,8 @@ module WebAuthn
         attestation_response.cts_profile_match?
       end
 
-      def signing_certificates
-        attestation_response.certificate_chain[1..-1]
+      def attestation_trust_path
+        attestation_response.certificate_chain
       end
 
       def attestation_response

data/lib/webauthn/attestation_statement/base.rb

@@ -27,7 +27,13 @@ module WebAuthn
       end
 
       def attestation_certificate
-        attestation_certificate_chain&.first
+        certificates&.first
+      end
+
+      def certificate_chain
+        if certificates
+          certificates[1..-1]
+        end
       end
 
       private
@@ -46,8 +52,8 @@ module WebAuthn
         end
       end
 
-      def attestation_certificate_chain
-        @attestation_certificate_chain ||= raw_attestation_certificates&.map do |raw_certificate|
+      def certificates
+        @certificates ||= raw_certificates&.map do |raw_certificate|
           OpenSSL::X509::Certificate.new(raw_certificate)
         end
       end
@@ -56,7 +62,7 @@ module WebAuthn
         statement["alg"]
       end
 
-      def raw_attestation_certificates
+      def raw_certificates
         statement["x5c"]
       end
 
@@ -67,6 +73,12 @@ module WebAuthn
       def signature
         statement["sig"]
       end
+
+      def attestation_trust_path
+        if certificates&.any?
+          certificates
+        end
+      end
     end
   end
 end

data/lib/webauthn/attestation_statement/fido_u2f.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "cose"
 require "openssl"
 require "webauthn/attestation_statement/base"
 require "webauthn/attestation_statement/fido_u2f/public_key"
@@ -10,6 +11,7 @@ module WebAuthn
     class FidoU2f < Base
       VALID_ATTESTATION_CERTIFICATE_COUNT = 1
       VALID_ATTESTATION_CERTIFICATE_ALGORITHM = COSE::Algorithm.by_name("ES256")
+      VALID_ATTESTATION_CERTIFICATE_KEY_CURVE = COSE::Key::Curve.by_name("P-256")
 
       def valid?(authenticator_data, client_data_hash)
         valid_format? &&
@@ -17,19 +19,19 @@ module WebAuthn
           valid_credential_public_key?(authenticator_data.credential.public_key) &&
           valid_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
           valid_signature?(authenticator_data, client_data_hash) &&
-          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, [attestation_certificate]]
+          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_trust_path]
       end
 
       private
 
       def valid_format?
-        !!(raw_attestation_certificates && signature) &&
-          raw_attestation_certificates.length == VALID_ATTESTATION_CERTIFICATE_COUNT
+        !!(raw_certificates && signature) &&
+          raw_certificates.length == VALID_ATTESTATION_CERTIFICATE_COUNT
       end
 
       def valid_certificate_public_key?
         certificate_public_key.is_a?(OpenSSL::PKey::EC) &&
-          certificate_public_key.group.curve_name == VALID_ATTESTATION_CERTIFICATE_ALGORITHM.key_curve &&
+          certificate_public_key.group.curve_name == VALID_ATTESTATION_CERTIFICATE_KEY_CURVE.pkey_name &&
           certificate_public_key.check_key
       end
 

data/lib/webauthn/attestation_statement/packed.rb

@@ -30,12 +30,12 @@ module WebAuthn
       end
 
       def self_attestation?
-        !raw_attestation_certificates && !raw_ecdaa_key_id
+        !raw_certificates && !raw_ecdaa_key_id
       end
 
       def valid_format?
         algorithm && signature && (
-          [raw_attestation_certificates, raw_ecdaa_key_id].compact.size < 2
+          [raw_certificates, raw_ecdaa_key_id].compact.size < 2
         )
       end
 
@@ -46,15 +46,15 @@ module WebAuthn
       end
 
       def valid_certificate_chain?
-        if attestation_certificate_chain
-          attestation_certificate_chain[1..-1].all? { |c| certificate_in_use?(c) }
+        if certificate_chain
+          certificate_chain.all? { |c| certificate_in_use?(c) }
         else
           true
         end
       end
 
       def valid_ec_public_keys?(credential)
-        (attestation_certificate_chain&.map(&:public_key) || [credential.public_key_object])
+        (certificates&.map(&:public_key) || [credential.public_key_object])
           .select { |pkey| pkey.is_a?(OpenSSL::PKey::EC) }
           .all? { |pkey| pkey.check_key }
       end
@@ -89,8 +89,8 @@ module WebAuthn
       end
 
       def attestation_type_and_trust_path
-        if raw_attestation_certificates&.any?
-          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_certificate_chain]
+        if attestation_trust_path
+          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_trust_path]
         else
           [WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF, nil]
         end

data/lib/webauthn/attestation_statement/tpm.rb

@@ -2,6 +2,7 @@
 
 require "cose/algorithm"
 require "openssl"
+require "tpm/constants"
 require "webauthn/attestation_statement/base"
 require "webauthn/attestation_statement/tpm/cert_info"
 require "webauthn/attestation_statement/tpm/pub_area"
@@ -12,6 +13,10 @@ module WebAuthn
     class TPM < Base
       CERTIFICATE_V3 = 2
       CERTIFICATE_EMPTY_NAME = OpenSSL::X509::Name.new([]).freeze
+      CERTIFICATE_SAN_DIRECTORY_NAME = 4
+      OID_TCG_AT_TPM_MANUFACTURER = "2.23.133.2.1"
+      OID_TCG_AT_TPM_MODEL = "2.23.133.2.2"
+      OID_TCG_AT_TPM_VERSION = "2.23.133.2.3"
       OID_TCG_KP_AIK_CERTIFICATE = "2.23.133.8.3"
       TPM_V2 = "2.0"
 
@@ -24,7 +29,8 @@ module WebAuthn
             valid_signature? &&
             valid_attestation_certificate? &&
             pub_area.valid?(authenticator_data.credential.public_key) &&
-            cert_info.valid?(statement["pubArea"], OpenSSL::Digest.digest(cose_algorithm.hash, att_to_be_signed)) &&
+            cert_info.valid?(statement["pubArea"],
+                             OpenSSL::Digest.digest(cose_algorithm.hash_function, att_to_be_signed)) &&
             matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
             [attestation_type, attestation_trust_path]
         when ATTESTATION_TYPE_ECDAA
@@ -48,11 +54,30 @@ module WebAuthn
 
         attestation_certificate.version == CERTIFICATE_V3 &&
           attestation_certificate.subject.eql?(CERTIFICATE_EMPTY_NAME) &&
+          valid_subject_alternative_name? &&
           certificate_in_use?(attestation_certificate) &&
           extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == "CA:FALSE" &&
           extensions.find { |ext| ext.oid == "extendedKeyUsage" }&.value == OID_TCG_KP_AIK_CERTIFICATE
       end
 
+      def valid_subject_alternative_name?
+        extension = attestation_certificate.extensions.detect { |ext| ext.oid == "subjectAltName" }
+        return unless extension&.critical?
+
+        san_asn1 = OpenSSL::ASN1.decode(extension).find do |val|
+          val.tag_class == :UNIVERSAL && val.tag == OpenSSL::ASN1::OCTET_STRING
+        end
+        directory_name = OpenSSL::ASN1.decode(san_asn1.value).find do |val|
+          val.tag_class == :CONTEXT_SPECIFIC && val.tag == CERTIFICATE_SAN_DIRECTORY_NAME
+        end
+        name = OpenSSL::X509::Name.new(directory_name.value.first).to_a
+        manufacturer = name.assoc(OID_TCG_AT_TPM_MANUFACTURER).at(1)
+        model = name.assoc(OID_TCG_AT_TPM_MODEL).at(1)
+        version = name.assoc(OID_TCG_AT_TPM_VERSION).at(1)
+
+        ::TPM::VENDOR_IDS[manufacturer] && !model.empty? && !version.empty?
+      end
+
       def certificate_in_use?(certificate)
         now = Time.now
 
@@ -80,18 +105,14 @@ module WebAuthn
       end
 
       def attestation_type
-        if raw_attestation_certificates && !raw_ecdaa_key_id
+        if raw_certificates && !raw_ecdaa_key_id
           ATTESTATION_TYPE_ATTCA
-        elsif raw_ecdaa_key_id && !raw_attestation_certificates
+        elsif raw_ecdaa_key_id && !raw_certificates
           ATTESTATION_TYPE_ECDAA
         else
           raise "Attestation type invalid"
         end
       end
-
-      def attestation_trust_path
-        attestation_certificate_chain
-      end
     end
   end
 end

data/lib/webauthn/attestation_statement/tpm/pub_area.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require "cose/algorithm"
-require "cose/key"
+require "cose"
+require "cose/rsassa_algorithm"
 require "tpm/constants"
 require "tpm/t_public"
 require "webauthn/attestation_statement/base"

data/lib/webauthn/authenticator_assertion_response.rb

@@ -1,12 +1,10 @@
 # frozen_string_literal: true
 
-require "cose/algorithm"
-require "cose/key"
-require "webauthn/attestation_statement/fido_u2f/public_key"
 require "webauthn/authenticator_data"
 require "webauthn/authenticator_response"
 require "webauthn/encoder"
 require "webauthn/signature_verifier"
+require "webauthn/public_key"
 
 module WebAuthn
   class SignatureVerificationError < VerificationError; end
@@ -32,7 +30,7 @@ module WebAuthn
     attr_reader :user_handle
 
     def initialize(authenticator_data:, signature:, user_handle: nil, **options)
-      super(options)
+      super(**options)
 
       @authenticator_data_bytes = authenticator_data
       @signature = signature
@@ -42,7 +40,7 @@ module WebAuthn
     def verify(expected_challenge, expected_origin = nil, public_key:, sign_count:, user_verification: nil,
                rp_id: nil)
       super(expected_challenge, expected_origin, user_verification: user_verification, rp_id: rp_id)
-      verify_item(:signature, credential_cose_key(public_key))
+      verify_item(:signature, WebAuthn::PublicKey.deserialize(public_key))
       verify_item(:sign_count, sign_count)
 
       true
@@ -56,9 +54,9 @@ module WebAuthn
 
     attr_reader :authenticator_data_bytes, :signature
 
-    def valid_signature?(credential_cose_key)
+    def valid_signature?(webauthn_public_key)
       WebAuthn::SignatureVerifier
-        .new(credential_cose_key.alg, credential_cose_key.to_pkey)
+        .new(webauthn_public_key.alg, webauthn_public_key.pkey)
         .verify(signature, authenticator_data_bytes + client_data.hash)
     end
 
@@ -71,29 +69,6 @@ module WebAuthn
       end
     end
 
-    def credential_cose_key(public_key)
-      if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(public_key)
-        # Gem version v1.11.0 and lower, used to behave so that Credential#public_key
-        # returned an EC P-256 uncompressed point.
-        #
-        # Because of https://github.com/cedarcode/webauthn-ruby/issues/137 this was changed
-        # and Credential#public_key started returning the unchanged COSE_Key formatted
-        # credentialPublicKey (as in https://www.w3.org/TR/webauthn/#credentialpublickey).
-        #
-        # Given that the credential public key is expected to be stored long-term by the gem
-        # user and later be passed as the public_key argument in the
-        # AuthenticatorAssertionResponse.verify call, we then need to support the two formats.
-        COSE::Key::EC2.new(
-          alg: COSE::Algorithm.by_name("ES256").id,
-          crv: 1,
-          x: public_key[1..32],
-          y: public_key[33..-1]
-        )
-      else
-        COSE::Key.deserialize(public_key)
-      end
-    end
-
     def type
       WebAuthn::TYPES[:get]
     end

data/lib/webauthn/authenticator_attestation_response.rb

@@ -12,6 +12,7 @@ require "webauthn/encoder"
 
 module WebAuthn
   class AttestationStatementVerificationError < VerificationError; end
+  class AttestationTrustworthinessVerificationError < VerificationError; end
   class AttestedCredentialVerificationError < VerificationError; end
 
   class AuthenticatorAttestationResponse < AuthenticatorResponse
@@ -27,7 +28,7 @@ module WebAuthn
     attr_reader :attestation_type, :attestation_trust_path
 
     def initialize(attestation_object:, **options)
-      super(options)
+      super(**options)
 
       @attestation_object = attestation_object
     end
@@ -36,7 +37,10 @@ module WebAuthn
       super
 
       verify_item(:attested_credential)
-      verify_item(:attestation_statement) if WebAuthn.configuration.verify_attestation_statement
+      if WebAuthn.configuration.verify_attestation_statement
+        verify_item(:attestation_statement)
+        verify_item(:attestation_trustworthiness) if WebAuthn.configuration.attestation_root_certificates_finders.any?
+      end
 
       true
     end
@@ -90,6 +94,18 @@ module WebAuthn
       @attestation_type, @attestation_trust_path = attestation_statement.valid?(authenticator_data, client_data.hash)
     end
 
+    def valid_attestation_trustworthiness?
+      case @attestation_type
+      when WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE
+        WebAuthn.configuration.acceptable_attestation_types.include?('None')
+      when WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF
+        WebAuthn.configuration.acceptable_attestation_types.include?('Self')
+      else
+        WebAuthn.configuration.acceptable_attestation_types.include?(@attestation_type) &&
+          attestation_root_certificates_store.verify(leaf_certificate, signing_certificates)
+      end
+    end
+
     def raw_subject_key_identifier(certificate)
       extension = certificate.extensions.detect { |ext| ext.oid == "subjectKeyIdentifier" }
       return unless extension
@@ -98,5 +114,32 @@ module WebAuthn
       ext_value = ext_asn1.value.last
       OpenSSL::ASN1.decode(ext_value.value).value
     end
+
+    def attestation_root_certificates_store
+      certificates =
+        WebAuthn.configuration.attestation_root_certificates_finders.reduce([]) do |certs, finder|
+          if certs.empty?
+            finder.find(attestation_format: attestation_format,
+                        aaguid: aaguid,
+                        attestation_certificate_key_id: attestation_certificate_key) || []
+          else
+            certs
+          end
+        end
+
+      OpenSSL::X509::Store.new.tap do |store|
+        certificates.each do |cert|
+          store.add_cert(cert)
+        end
+      end
+    end
+
+    def signing_certificates
+      @attestation_trust_path[1..-1]
+    end
+
+    def leaf_certificate
+      @attestation_trust_path.first
+    end
   end
 end

data/lib/webauthn/authenticator_response.rb

@@ -33,14 +33,20 @@ module WebAuthn
       verify_item(:origin, expected_origin)
       verify_item(:authenticator_data)
       verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
-      verify_item(:user_presence)
-      verify_item(:user_verified, user_verification)
+
+      if !WebAuthn.configuration.silent_authentication
+        verify_item(:user_presence)
+      end
+
+      if user_verification
+        verify_item(:user_verified)
+      end
 
       true
     end
 
-    def valid?(*args)
-      verify(*args)
+    def valid?(*args, **keyword_arguments)
+      verify(*args, **keyword_arguments)
     rescue WebAuthn::VerificationError
       false
     end
@@ -91,12 +97,8 @@ module WebAuthn
       authenticator_data.user_flagged?
     end
 
-    def valid_user_verified?(user_verification)
-      if user_verification
-        authenticator_data.user_verified?
-      else
-        true
-      end
+    def valid_user_verified?
+      authenticator_data.user_verified?
     end
 
     def rp_id_from_origin(expected_origin)

data/lib/webauthn/configuration.rb

@@ -2,6 +2,7 @@
 
 require "openssl"
 require "webauthn/encoder"
+require "webauthn/error"
 
 module WebAuthn
   def self.configuration
@@ -12,6 +13,8 @@ module WebAuthn
     yield(configuration)
   end
 
+  class RootCertificateFinderNotSupportedError < Error; end
+
   class Configuration
     def self.if_pss_supported(algorithm)
       OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
@@ -26,12 +29,18 @@ module WebAuthn
     attr_accessor :rp_name
     attr_accessor :verify_attestation_statement
     attr_accessor :credential_options_timeout
+    attr_accessor :silent_authentication
+    attr_accessor :acceptable_attestation_types
+    attr_reader :attestation_root_certificates_finders
 
     def initialize
       @algorithms = DEFAULT_ALGORITHMS.dup
       @encoding = WebAuthn::Encoder::STANDARD_ENCODING
       @verify_attestation_statement = true
       @credential_options_timeout = 120000
+      @silent_authentication = false
+      @acceptable_attestation_types = ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']
+      @attestation_root_certificates_finders = []
     end
 
     # This is the user-data encoder.
@@ -39,5 +48,19 @@ module WebAuthn
     def encoder
       @encoder ||= WebAuthn::Encoder.new(encoding)
     end
+
+    def attestation_root_certificates_finders=(finders)
+      if !finders.respond_to?(:each)
+        finders = [finders]
+      end
+
+      finders.each do |finder|
+        unless finder.respond_to?(:find)
+          raise RootCertificateFinderNotSupportedError, "Finder must implement `find` method"
+        end
+      end
+
+      @attestation_root_certificates_finders = finders
+    end
   end
 end

data/lib/webauthn/credential.rb

@@ -7,12 +7,12 @@ require "webauthn/public_key_credential_with_attestation"
 
 module WebAuthn
   module Credential
-    def self.options_for_create(*args)
-      WebAuthn::PublicKeyCredential::CreationOptions.new(*args)
+    def self.options_for_create(**keyword_arguments)
+      WebAuthn::PublicKeyCredential::CreationOptions.new(**keyword_arguments)
     end
 
-    def self.options_for_get(*args)
-      WebAuthn::PublicKeyCredential::RequestOptions.new(*args)
+    def self.options_for_get(**keyword_arguments)
+      WebAuthn::PublicKeyCredential::RequestOptions.new(**keyword_arguments)
     end
 
     def self.from_create(credential)

data/lib/webauthn/credential_creation_options.rb

@@ -71,7 +71,7 @@ module WebAuthn
     end
 
     def pub_key_cred_params
-      WebAuthn.configuration.algorithms.map do |alg_name|
+      configuration.algorithms.map do |alg_name|
         { type: "public-key", alg: COSE::Algorithm.by_name(alg_name).id }
       end
     end

data/lib/webauthn/public_key.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "webauthn/attestation_statement/fido_u2f/public_key"
+require "cose/key"
+require "cose/algorithm"
+
+module WebAuthn
+  class PublicKey
+    def self.deserialize(public_key)
+      cose_key =
+        if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(public_key)
+          # Gem version v1.11.0 and lower, used to behave so that Credential#public_key
+          # returned an EC P-256 uncompressed point.
+          #
+          # Because of https://github.com/cedarcode/webauthn-ruby/issues/137 this was changed
+          # and Credential#public_key started returning the unchanged COSE_Key formatted
+          # credentialPublicKey (as in https://www.w3.org/TR/webauthn/#credentialpublickey).
+          #
+          # Given that the credential public key is expected to be stored long-term by the gem
+          # user and later be passed as the public_key argument in the
+          # AuthenticatorAssertionResponse.verify call, we then need to support the two formats.
+          COSE::Key::EC2.new(
+            alg: COSE::Algorithm.by_name("ES256").id,
+            crv: 1,
+            x: public_key[1..32],
+            y: public_key[33..-1]
+          )
+        else
+          COSE::Key.deserialize(public_key)
+        end
+
+      new(cose_key: cose_key)
+    end
+
+    attr_reader :cose_key
+
+    def initialize(cose_key:)
+      @cose_key = cose_key
+    end
+
+    def pkey
+      @cose_key.to_pkey
+    end
+
+    def alg
+      @cose_key.alg
+    end
+  end
+end

data/lib/webauthn/public_key_credential/creation_options.rb

@@ -42,14 +42,14 @@ module WebAuthn
             rp[:name] ||= configuration.rp_name
             rp[:id] ||= configuration.rp_id
 
-            RPEntity.new(rp)
+            RPEntity.new(**rp)
           else
             rp
           end
 
         @user =
           if user.is_a?(Hash)
-            UserEntity.new(user)
+            UserEntity.new(**user)
           else
             user
           end

data/lib/webauthn/signature_verifier.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require "cose/algorithm"
-require "cose/key"
+require "cose"
+require "cose/rsassa_algorithm"
 require "openssl"
 require "webauthn/error"
 
@@ -24,10 +24,10 @@ module WebAuthn
 
     def verify(signature, verification_data, rsa_pss_salt_length: :digest)
       if rsa_pss?
-        public_key.verify_pss(cose_algorithm.hash, signature, verification_data,
-                              salt_length: rsa_pss_salt_length, mgf1_hash: cose_algorithm.hash)
+        public_key.verify_pss(cose_algorithm.hash_function, signature, verification_data,
+                              salt_length: rsa_pss_salt_length, mgf1_hash: cose_algorithm.hash_function)
       else
-        public_key.verify(cose_algorithm.hash, signature, verification_data)
+        public_key.verify(cose_algorithm.hash_function, signature, verification_data)
       end
     end
 
@@ -37,13 +37,25 @@ module WebAuthn
 
     def cose_algorithm
       case algorithm
-      when COSE::Algorithm
+      when COSE::Algorithm::Base
         algorithm
       else
         COSE::Algorithm.find(algorithm)
       end
     end
 
+    # This logic is a candidate to be moved to cose gem domain
+    def cose_key_type
+      case cose_algorithm
+      when COSE::Algorithm::ECDSA
+        COSE::Key::EC2::KTY_EC2
+      when COSE::Algorithm::RSAPSS, RSASSAAlgorithm
+        COSE::Key::RSA::KTY_RSA
+      else
+        raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
+      end
+    end
+
     def rsa_pss?
       cose_algorithm.name.start_with?("PS")
     end
@@ -53,7 +65,7 @@ module WebAuthn
         raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
       elsif !supported_algorithms.include?(cose_algorithm.name)
         raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
-      elsif !KTY_MAP[cose_algorithm.kty].include?(public_key.class)
+      elsif !KTY_MAP[cose_key_type].include?(public_key.class)
         raise("Incompatible algorithm and key")
       end
     end

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.0.0"
+  VERSION = "2.1.0"
 end

data/webauthn.gemspec

@@ -34,7 +34,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
-  spec.add_dependency "cose", "~> 0.8.0"
+  spec.add_dependency "cose", "~> 0.10.0"
   spec.add_dependency "jwt", [">= 1.5", "< 3.0"]
   spec.add_dependency "openssl", "~> 2.0"
   spec.add_dependency "securecompare", "~> 1.0"
@@ -45,4 +45,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
   spec.add_development_dependency "rubocop", "0.75.0"
+  spec.add_development_dependency "timecop", "~> 0.9.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-10-03 00:00:00.000000000 Z
+date: 2019-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: awrence
@@ -59,14 +59,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.10.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.10.0
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -205,6 +205,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.75.0
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
 description: |-
   WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
       Relying Party and allow your users to authenticate with U2F and FIDO2 authenticators.
@@ -235,7 +249,7 @@ files:
 - gemfiles/openssl_2_1.gemfile
 - gemfiles/openssl_head.gemfile
 - lib/android_safetynet/attestation_response.rb
-- lib/cose/algorithm.rb
+- lib/cose/rsassa_algorithm.rb
 - lib/tpm/constants.rb
 - lib/tpm/s_attest.rb
 - lib/tpm/s_attest/s_certify_info.rb
@@ -277,6 +291,7 @@ files:
 - lib/webauthn/fake_authenticator/attestation_object.rb
 - lib/webauthn/fake_authenticator/authenticator_data.rb
 - lib/webauthn/fake_client.rb
+- lib/webauthn/public_key.rb
 - lib/webauthn/public_key_credential.rb
 - lib/webauthn/public_key_credential/creation_options.rb
 - lib/webauthn/public_key_credential/entity.rb
@@ -313,7 +328,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: WebAuthn ruby server library

data/lib/cose/algorithm.rb

@@ -1,38 +0,0 @@
-# frozen_string_literal: true
-
-require "cose/key"
-
-# TODO: Move this to cose gem
-module COSE
-  # https://tools.ietf.org/html/rfc8152#section-8.1
-  Algorithm = Struct.new(:id, :name, :hash, :kty, :key_curve) do
-    @registered = {}
-
-    def self.register(id, name, hash, kty, key_curve = nil)
-      @registered[id] = COSE::Algorithm.new(id, name, hash, kty, key_curve)
-    end
-
-    def self.find(id)
-      @registered[id]
-    end
-
-    def self.by_name(name)
-      @registered.values.detect { |algorithm| algorithm.name == name }
-    end
-
-    def value
-      id
-    end
-  end
-end
-
-COSE::Algorithm.register(-7, "ES256", "SHA256", COSE::Key::EC2::KTY_EC2, "prime256v1")
-COSE::Algorithm.register(-35, "ES384", "SHA384", COSE::Key::EC2::KTY_EC2, "prime256v1")
-COSE::Algorithm.register(-36, "ES512", "SHA512", COSE::Key::EC2::KTY_EC2, "prime256v1")
-COSE::Algorithm.register(-37, "PS256", "SHA256", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-38, "PS384", "SHA384", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-39, "PS512", "SHA512", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-257, "RS256", "SHA256", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-258, "RS384", "SHA384", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-259, "RS512", "SHA512", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-65535, "RS1", "SHA1", COSE::Key::RSA::KTY_RSA)