webauthn 2.0.0 → 3.0.0.alpha1
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.rubocop.yml +65 -13
- data/.travis.yml +21 -15
- data/Appraisals +4 -0
- data/CHANGELOG.md +73 -19
- data/CONTRIBUTING.md +0 -5
- data/README.md +76 -10
- data/SECURITY.md +4 -4
- data/gemfiles/openssl_2_2.gemfile +7 -0
- data/lib/cose/rsapkcs1_algorithm.rb +43 -0
- data/lib/webauthn/attestation_object.rb +47 -0
- data/lib/webauthn/attestation_statement.rb +21 -21
- data/lib/webauthn/attestation_statement/android_key.rb +28 -30
- data/lib/webauthn/attestation_statement/android_safetynet.rb +30 -20
- data/lib/webauthn/attestation_statement/base.rb +122 -15
- data/lib/webauthn/attestation_statement/fido_u2f.rb +13 -9
- data/lib/webauthn/attestation_statement/packed.rb +14 -42
- data/lib/webauthn/attestation_statement/tpm.rb +38 -54
- data/lib/webauthn/authenticator_assertion_response.rb +11 -39
- data/lib/webauthn/authenticator_attestation_response.rb +30 -49
- data/lib/webauthn/authenticator_data.rb +51 -51
- data/lib/webauthn/authenticator_data/attested_credential_data.rb +34 -49
- data/lib/webauthn/authenticator_response.rb +20 -14
- data/lib/webauthn/configuration.rb +38 -21
- data/lib/webauthn/credential.rb +9 -8
- data/lib/webauthn/credential_creation_options.rb +1 -1
- data/lib/webauthn/fake_authenticator.rb +7 -3
- data/lib/webauthn/fake_authenticator/attestation_object.rb +7 -3
- data/lib/webauthn/fake_authenticator/authenticator_data.rb +2 -4
- data/lib/webauthn/fake_client.rb +19 -6
- data/lib/webauthn/public_key.rb +68 -0
- data/lib/webauthn/public_key_credential.rb +25 -8
- data/lib/webauthn/public_key_credential/creation_options.rb +5 -5
- data/lib/webauthn/public_key_credential/options.rb +6 -9
- data/lib/webauthn/public_key_credential/request_options.rb +1 -1
- data/lib/webauthn/relying_party.rb +117 -0
- data/lib/webauthn/u2f_migrator.rb +5 -4
- data/lib/webauthn/version.rb +1 -1
- data/script/ci/install-openssl +7 -0
- data/script/ci/install-ruby +13 -0
- data/webauthn.gemspec +13 -8
- metadata +69 -40
- data/lib/android_safetynet/attestation_response.rb +0 -84
- data/lib/cose/algorithm.rb +0 -38
- data/lib/tpm/constants.rb +0 -22
- data/lib/tpm/s_attest.rb +0 -26
- data/lib/tpm/s_attest/s_certify_info.rb +0 -14
- data/lib/tpm/sized_buffer.rb +0 -13
- data/lib/tpm/t_public.rb +0 -32
- data/lib/tpm/t_public/s_ecc_parms.rb +0 -17
- data/lib/tpm/t_public/s_rsa_parms.rb +0 -17
- data/lib/webauthn/attestation_statement/android_key/authorization_list.rb +0 -39
- data/lib/webauthn/attestation_statement/android_key/key_description.rb +0 -37
- data/lib/webauthn/attestation_statement/tpm/cert_info.rb +0 -44
- data/lib/webauthn/attestation_statement/tpm/pub_area.rb +0 -85
- data/lib/webauthn/signature_verifier.rb +0 -65
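--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1f418eb52a085d8e7c03bd1c3d11b88ed8fe467f4ec01d3178836689d470f436
+data.tar.gz: 4ab67e8804cbd7d785e29b94760af6db9d6b1e52de1a58bafc74aed19b5b7e21
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ccdcd22e494079eb67c122c03e3061166f91de50dd0c2bf8662748c976483a9d472fa9f8d6b67db9abf484e8eac182195b5f1e1cca8aaaf88146d831919f1c93
+data.tar.gz: b2506b530c796ee57e5d037e7dd3692b1e359408fd9757141b6c4f042c43d57344baa09dc63d17ace549927eeea50abaa8c0771a0ab6da0ece5d880362d890db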
data/.gitignore
CHANGED
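--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -1,12 +1,16 @@
+require:
+- rubocop-rspec
+
 inherit_mode:
 merge:
 - AllowedNames
 
 AllCops:
-TargetRubyVersion: 2.
+TargetRubyVersion: 2.4
 DisabledByDefault: true
 Exclude:
 - "gemfiles/**/*"
+- "vendor/**/*"
 
 Bundler:
 Enabled: true
@@ -17,18 +21,69 @@ Gemspec:
 Layout:
 Enabled: true
 
-
+Layout/ClassStructure:
+Enabled: true
+
+Layout/FirstMethodArgumentLineBreak:
 Enabled: true
 
-
+Layout/LineLength:
 Max: 120
 Exclude:
 - spec/support/seeds.rb
 
+Layout/MultilineAssignmentLayout:
+Enabled: true
+
+Layout/MultilineMethodArgumentLineBreaks:
+Enabled: true
+
+Lint:
+Enabled: true
+
 Naming:
 Enabled: true
 
-
+RSpec/Be:
+Enabled: true
+
+RSpec/BeforeAfterAll:
+Enabled: true
+
+RSpec/EmptyExampleGroup:
+Enabled: true
+
+RSpec/EmptyLineAfterExample:
+Enabled: true
+
+RSpec/EmptyLineAfterExampleGroup:
+Enabled: true
+
+RSpec/EmptyLineAfterFinalLet:
+Enabled: true
+
+RSpec/EmptyLineAfterHook:
+Enabled: true
+
+RSpec/EmptyLineAfterSubject:
+Enabled: true
+
+RSpec/HookArgument:
+Enabled: true
+
+RSpec/LeadingSubject:
+Enabled: true
+
+RSpec/NamedSubject:
+Enabled: true
+
+RSpec/ScatteredLet:
+Enabled: true
+
+RSpec/ScatteredSetup:
+Enabled: true
+
+Naming/MethodParameterName:
 AllowedNames:
 - rp
 
@@ -38,9 +93,6 @@ Security:
 Style/BlockComments:
 Enabled: true
 
-Style/BracesAroundHashParameters:
-Enabled: true
-
 Style/CaseEquality:
 Enabled: true
 
@@ -146,9 +198,15 @@ Style/RedundantException:
 Style/RedundantFreeze:
 Enabled: true
 
+Style/RedundantInterpolation:
+Enabled: true
+
 Style/RedundantParentheses:
 Enabled: true
 
+Style/RedundantPercentQ:
+Enabled: true
+
 Style/RedundantReturn:
 Enabled: true
 
@@ -182,12 +240,6 @@ Style/TrailingMethodEndStatement:
 Style/TrivialAccessors:
 Enabled: true
 
-Style/UnneededInterpolation:
-Enabled: true
-
-Style/UnneededPercentQ:
-Enabled: true
-
 Style/UnpackFirst:
 Enabled: true
 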
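--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -1,33 +1,39 @@
 dist: bionic
 language: ruby
-cache: bundler
 
-
-
-
-
-
-
+cache:
+bundler: true
+directories:
+- /home/travis/.rvm/
+
+env:
+- LIBSSL=1.1 RB=2.7.1
+- LIBSSL=1.1 RB=2.6.6
+- LIBSSL=1.1 RB=2.5.8
+- LIBSSL=1.1 RB=2.4.10
+- LIBSSL=1.1 RB=ruby-head
+- LIBSSL=1.0 RB=2.7.1
+- LIBSSL=1.0 RB=2.6.6
+- LIBSSL=1.0 RB=2.5.8
+- LIBSSL=1.0 RB=2.4.10
+- LIBSSL=1.0 RB=ruby-head
 
 gemfile:
 - gemfiles/cose_head.gemfile
 - gemfiles/openssl_head.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_2_1.gemfile
 - gemfiles/openssl_2_0.gemfile
 
 matrix:
 fast_finish: true
 allow_failures:
--
+- env: LIBSSL=1.1 RB=ruby-head
+- env: LIBSSL=1.0 RB=ruby-head
 - gemfile: gemfiles/cose_head.gemfile
 - gemfile: gemfiles/openssl_head.gemfile
 
 before_install:
--
--
+- ./script/ci/install-openssl
+- ./script/ci/install-ruby
 - gem install bundler -v "~> 2.0"
-
-before_script:
-- export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
-- export DONT_FAKE_MONOTONIC=1
-- export FAKETIME_NO_CACHE=1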
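Review bot: The new `before_install` entries `./script/ci/install-openssl` and `./script/ci/install-ruby` move the toolchain build into repo-local scripts whose contents are outside this section, so it is not visible here whether the OpenSSL and Ruby sources they obtain are pinned to a version and verified against a checksum or signature before being compiled; every job in the `env` matrix then runs on that output, so an unverified download would undermine the whole build. Worth confirming in those scripts, and a comment above `before_install:` such as `# install-openssl/install-ruby build the LIBSSL/RB pair selected by the env matrix (see script/ci/)` would make the coupling between the matrix variables and the scripts explicit. The cached `/home/travis/.rvm/` directory presumably persists those builds across runs, so a change to the install scripts may not take effect until the cache is cleared.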
data/Appraisals
CHANGED
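--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,44 @@
 # Changelog
 
+## [v3.0.0.alpha1] - 2020-06-27
+
+### Added
+
+- Ability to define multiple relying parties with the introduction of the `WebAuthn::RelyingParty` class ([@padulafacundo], [@brauliomartinezlm])
+
+## [v2.3.0] - 2020-06-27
+
+### Added
+
+- Ability to access extension outputs with `PublicKeyCredential#client_extension_outputs` and `PublicKeyCredential#authenticator_extension_outputs` ([@santiagorodriguez96])
+
+## [v2.2.1] - 2020-06-06
+
+### Fixed
+
+- Fixed compatibility with OpenSSL-C (libssl) v1.0.2 ([@santiagorodriguez96])
+
+## [v2.2.0] - 2020-03-14
+
+### Added
+
+- Verification step that checks the received credential public key algorithm during registration matches one of the configured algorithms
+- [EXPERIMENTAL] Attestation trustworthiness verification default steps for "tpm", "android-key" and "android-safetynet" ([@bdewater], [@padulafacundo]). Still manual configuration needed for "packed" and "fido-u2f".
+
+Note: Expect possible breaking changes for "EXPERIMENTAL" features.
+
+## [v2.1.0] - 2019-12-30
+
+### Added
+
+- Ability to convert stored credential public key back to a ruby object with `WebAuthn::PublicKey.deserialize(stored_public_key)`, included the validation during de-serialization ([@ssuttner], [@padulafacundo])
+- Improved TPM attestation validation by checking "Subject Alternative Name" ([@bdewater])
+- Improved SafetyNet attestation validation by checking timestamp ([@padulafacundo])
+- [EXPERIMENTAL] Ability to optionally "Assess the attestation trustworthiness" during registration by setting `acceptable_attestation_types` and `attestation_root_certificates_finders` configuration values ([@padulafacundo])
+- Ruby 2.7 support without warnings
+
+Note: Expect possible breaking changes for "EXPERIMENTAL" features.
+
 ## [v2.0.0] - 2019-10-03
 
 ### Added
@@ -13,7 +52,7 @@
 - All the above automatically handle encoding/decoding for necessary values. The specific encoding scheme can
 be set (or even turned off) in `WebAutnn.configuration.encoding=`. Defaults to `:base64url`.
 - `WebAuthn::FakeClient#get` better fakes a real client by including `userHandle` in the returned hash.
-- Expose AAGUID and attestationCertificateKey for MDS lookup during attestation (@
+- Expose AAGUID and attestationCertificateKey for MDS lookup during attestation ([@bdewater])
 
 ### Changed
 
@@ -56,23 +95,23 @@ returned base64url-encoded `id` value.
 
 ### Added
 
-- Ability to migrate U2F credentials to WebAuthn ([#211](https://github.com/cedarcode/webauthn-ruby/pull/211)) (@bdewater + @jdongelmans)
-- Ability to skip attestation statement verification ([#219](https://github.com/cedarcode/webauthn-ruby/pull/219)) (@MaximeNdutiye)
-- Ability to configure default credential options timeout ([#243](https://github.com/cedarcode/webauthn-ruby/pull/243)) (@MaximeNdutiye)
+- Ability to migrate U2F credentials to WebAuthn ([#211](https://github.com/cedarcode/webauthn-ruby/pull/211)) ([@bdewater] + [@jdongelmans])
+- Ability to skip attestation statement verification ([#219](https://github.com/cedarcode/webauthn-ruby/pull/219)) ([@MaximeNdutiye])
+- Ability to configure default credential options timeout ([#243](https://github.com/cedarcode/webauthn-ruby/pull/243)) ([@MaximeNdutiye])
 - AttestedCredentialData presence verification ([#237](https://github.com/cedarcode/webauthn-ruby/pull/237))
 - FakeClient learns how to increment sign count ([#225](https://github.com/cedarcode/webauthn-ruby/pull/225))
 
 ### Fixed
 
-- Properly verify SafetyNet certificates from input ([#233](https://github.com/cedarcode/webauthn-ruby/pull/233)) (@bdewater)
-- FakeClient default origin URL ([#242](https://github.com/cedarcode/webauthn-ruby/pull/242)) (@kalebtesfay)
+- Properly verify SafetyNet certificates from input ([#233](https://github.com/cedarcode/webauthn-ruby/pull/233)) ([@bdewater])
+- FakeClient default origin URL ([#242](https://github.com/cedarcode/webauthn-ruby/pull/242)) ([@kalebtesfay])
 
 ## [v1.17.0] - 2019-06-18
 
 ### Added
 
-- Support ES384, ES512, PS384, PS512, RS384 and RS512 credentials. Off by default. Enable by adding any of them to `WebAuthn.configuration.algorithms` array
-- Support [Signature Counter](https://www.w3.org/TR/webauthn/#signature-counter) verification
+- Support ES384, ES512, PS384, PS512, RS384 and RS512 credentials. Off by default. Enable by adding any of them to `WebAuthn.configuration.algorithms` array ([@bdewater])
+- Support [Signature Counter](https://www.w3.org/TR/webauthn/#signature-counter) verification ([@bdewater])
 
 ## [v1.16.0] - 2019-06-13
 
@@ -80,7 +119,7 @@ returned base64url-encoded `id` value.
 
 - Ability to enforce [user verification](https://www.w3.org/TR/webauthn/#user-verification) with extra argument in the `#verify` method.
 - Support RS1 (RSA w/ SHA-1) credentials. Off by default. Enable by adding `"RS1"` to `WebAuthn.configuration.algorithms` array.
-- Support PS256 (RSA Probabilistic Signature Scheme w/ SHA-256) credentials. On by default
+- Support PS256 (RSA Probabilistic Signature Scheme w/ SHA-256) credentials. On by default ([@bdewater])
 
 ## [v1.15.0] - 2019-05-16
 
@@ -102,11 +141,11 @@ returned base64url-encoded `id` value.
 - Verify 'none' attestation statement is really empty.
 - Verify 'packed' attestation statement certificates start/end dates.
 - Verify 'packed' attestation statement signature algorithm.
-- Verify 'fiod-u2f attestation statement AAGUID is zeroed out
+- Verify 'fiod-u2f attestation statement AAGUID is zeroed out ([@bdewater])
 - Verify 'android-key' attestation statement signature algorithm.
 - Verify assertion response signature algorithm.
 - Verify collectedClientData.tokenBinding format.
-- `WebAuthn.credential_creation_options` now accept `rp_name`, `user_id`, `user_name` and `display_name` as keyword arguments
+- `WebAuthn.credential_creation_options` now accept `rp_name`, `user_id`, `user_name` and `display_name` as keyword arguments ([@bdewater])
 
 ## [v1.12.0] - 2019-04-03
 
@@ -128,11 +167,11 @@ Note #2: You don't need to do any convesion before passing the public key in `Au
 
 ### Added
 
-- `WebAuthn::AuthenticatorAttestationResponse#verify` supports `android-key` attestation statements
+- `WebAuthn::AuthenticatorAttestationResponse#verify` supports `android-key` attestation statements ([@bdewater])
 
 ### Fixed
 
-- Verify matching AAGUID if needed when verifying `packed` attestation statements
+- Verify matching AAGUID if needed when verifying `packed` attestation statements ([@bdewater])
 
 ## [v1.10.0] - 2019-03-05
 
@@ -150,7 +189,7 @@ Note #2: You don't need to do any convesion before passing the public key in `Au
 
 ### Added
 
-- Make challenge validation inside `#valid?` method resistant to timing attacks
+- Make challenge validation inside `#valid?` method resistant to timing attacks (@tomek-bt)
 - Support for ruby 2.6
 
 ### Changed
@@ -162,7 +201,7 @@ Note #2: You don't need to do any convesion before passing the public key in `Au
 ### Added
 
 - _Registration_ ceremony
-- `WebAuthn::AuthenticatorAttestationResponse` exposes attestation type and trust path via `#attestation_type` and `#attestation_trust_path` methods
+- `WebAuthn::AuthenticatorAttestationResponse` exposes attestation type and trust path via `#attestation_type` and `#attestation_trust_path` methods ([@bdewater])
 
 ## [v1.6.0] - 2018-11-01
 
@@ -174,21 +213,21 @@ Note #2: You don't need to do any convesion before passing the public key in `Au
 
 ### Added
 
-- Works with ruby 2.3
+- Works with ruby 2.3 ([@bdewater])
 
 ## [v1.4.0] - 2018-10-11
 
 ### Added
 
 - _Registration_ ceremony
-- `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `android-safetynet` attestation statements
+- `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `android-safetynet` attestation statements ([@bdewater])
 
 ## [v1.3.0] - 2018-10-11
 
 ### Added
 
 - _Registration_ ceremony
-- `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `packed` attestation statements
+- `WebAuthn::AuthenticatorAttestationResponse.valid?` supports `packed` attestation statements ([@sorah])
 
 ## [v1.2.0] - 2018-10-08
 
@@ -206,7 +245,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 ### Added
 
 - _Registration_ ceremony
-- `WebAuthn::AuthenticatorAttestationResponse.valid?` optionally accepts rp_id
+- `WebAuthn::AuthenticatorAttestationResponse.valid?` optionally accepts rp_id ([@sorah])
 - _Authentication_ ceremony
 - `WebAuthn::AuthenticatorAssertionResponse.valid?` optionally accepts rp_id.
 
@@ -261,6 +300,11 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha1/
+[v2.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.1...v2.3.0/
+[v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
+[v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
+[v2.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.0.0...v2.1.0/
 [v2.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.18.0...v2.0.0/
 [v1.18.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.17.0...v1.18.0/
 [v1.17.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.16.0...v1.17.0/
@@ -283,3 +327,13 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [v1.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.2.0...v1.0.0/
 [v0.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.0.0...v0.1.0/
+
+[@brauliomartinezlm]: https://github.com/brauliomartinezlm
+[@bdewater]: https://github.com/bdewater
+[@jdongelmans]: https://github.com/jdongelmans
+[@kalebtesfay]: https://github.com/kalebtesfay
+[@MaximeNdutiye]: https://github.com/MaximeNdutiye
+[@sorah]: https://github.com/sorah
+[@ssuttner]: https://github.com/ssuttner
+[@padulafacundo]: https://github.com/padulafacundo
+[@santiagorodriguez96]: https://github.com/santiagorodriguez96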
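--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -14,11 +14,6 @@
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake` to run the tests and code-style checks. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
-Some tests require stubbing time with [libfaketime](https://github.com/wolfcw/libfaketime) in order to pass, otherwise they're skipped. You can install this library with your package manager. Follow libfaketime's instructions for your OS to preload the library before running the tests, and use the `DONT_FAKE_MONOTONIC=1 FAKETIME_NO_CACHE=1` options. E.g. when installed via homebrew on macOS:
-```shell
-DYLD_INSERT_LIBRARIES=/usr/local/Cellar/libfaketime/2.9.7_1/lib/faketime/libfaketime.1.dylib DYLD_FORCE_FLAT_NAMESPACE=1 DONT_FAKE_MONOTONIC=1 FAKETIME_NO_CACHE=1 bundle exec rspec
-```
-
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ### Styleguide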
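--- a/data/README.md
+++ b/data/README.md
@@ -1,5 +1,5 @@
 __Note__: You are viewing the README for the development version of webauthn-ruby.
-For the current release version see https://github.com/cedarcode/webauthn-ruby/blob/
+For the current release version see https://github.com/cedarcode/webauthn-ruby/blob/2-stable/README.md.
 
 # webauthn-ruby
 
@@ -64,12 +64,12 @@ Known conformant pairs are, for example:
 - Google Chrome for Android 70+ and Android's Fingerprint-based platform authenticator
 - Microsoft Edge and Windows 10 platform authenticator
 - Mozilla Firefox for Desktop and Yubico's Security Key roaming authenticator via USB
+- Safari in iOS 13.3+ and YubiKey 5 NFC via NFC
 
-For a
-
-- [apowers313/fido2-webauthn-status](https://github.com/apowers313/fido2-webauthn-status)
-- [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products)
+For a complete list:
 
+- User Agents (Clients): [Can I Use: Web Authentication API](https://caniuse.com/#search=webauthn)
+- Authenticators: [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products) (search for Type=Authenticator and Specification=FIDO2)
 
 ## Install
 
@@ -150,7 +150,7 @@ if !user.webauthn_id
 end
 
 options = WebAuthn::Credential.options_for_create(
-user: { id: user.webauthn_id, name: user.name }
+user: { id: user.webauthn_id, name: user.name },
 exclude: user.credentials.map { |c| c.webauthn_id }
 )
 
@@ -252,6 +252,54 @@ rescue WebAuthn::Error => e
 end
 ```
 
+### Extensions
+
+> The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, as defined in Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or an authentication extension.
+
+> When creating a public key credential or requesting an authentication assertion, a WebAuthn Relying Party can request the use of a set of extensions. These extensions will be invoked during the requested ceremony if they are supported by the WebAuthn Client and/or the WebAuthn Authenticator. The Relying Party sends the client extension input for each extension in the get() call (for authentication extensions) or create() call (for registration extensions) to the WebAuthn client. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]
+
+Extensions can be requested in the initiation phase in both Credential Registration and Authentication ceremonies by adding the extension parameter when generating the options for create/get:
+
+```ruby
+# Credential Registration
+creation_options = WebAuthn::Credential.options_for_create(
+user: { id: user.webauthn_id, name: user.name },
+exclude: user.credentials.map { |c| c.webauthn_id },
+extensions: { appidExclude: domain.to_s }
+)
+
+# OR
+
+# Credential Authentication
+options = WebAuthn::Credential.options_for_get(
+allow: user.credentials.map { |c| c.webauthn_id },
+extensions: { appid: domain.to_s }
+)
+```
+
+Consequently, after these `options` are sent to the WebAuthn client:
+
+> The WebAuthn client performs client extension processing for each extension that the client supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.
+
+> For authenticator extensions, as part of the client extension processing, the client also creates the CBOR authenticator extension input value for each extension (often based on the corresponding client extension input value), and passes them to the authenticator in the create() call (for registration extensions) or the get() call (for authentication extensions).
+
+> The authenticator, in turn, performs additional processing for the extensions that it supports, and returns the CBOR authenticator extension output for each as specified by the extension. Part of the client extension processing for authenticator extensions is to use the authenticator extension output as an input to creating the client extension output. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]
+
+Finally, you can check the values returned for each extension by calling `client_extension_outputs` and `authenticator_extension_outputs` respectively.
+For example, following the initialization phase for the Credential Authentication ceremony specified in the above example:
+
+```ruby
+webauthn_credential = WebAuthn::Credential.from_get(credential_get_result_hash)
+
+webauthn_credential.client_extension_outputs #=> { "appid" => true }
+webauthn_credential.authenticator_extension_outputs #=> nil
+```
+
+A list of all currently defined extensions:
+
+- [Last published version](https://www.w3.org/TR/webauthn-2/#sctn-defined-extensions)
+- [Next version (in draft)](https://w3c.github.io/webauthn/#sctn-defined-extensions)
+
 ## API
 
 #### `WebAuthn.generate_user_id`
@@ -342,21 +390,39 @@ credential_with_assertion.verify(
 )
 ```
 
-
+#### `PublicKeyCredential#client_extension_outputs`
+
+```ruby
+credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])
+
+credential.client_extension_outputs
+```
+
+#### `PublicKeyCredential#authenticator_extension_outputs`
+
+```ruby
+credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])
+
+credential.authenticator_extension_outputs
+```
+
+## Attestation
+
+### Attestation Statement Format
 
 | Attestation Statement Format | Supported? |
 | -------- | :--------: |
 | packed (self attestation) | Yes |
 | packed (x5c attestation) | Yes |
-| packed (ECDAA attestation) | No |
 | tpm (x5c attestation) | Yes |
-| tpm (ECDAA attestation) | No |
 | android-key | Yes |
 | android-safetynet | Yes |
 | fido-u2f | Yes |
 | none | Yes |
 
-
+### Attestation Types
+
+You can define what trust policy to enforce by setting `acceptable_attestation_types` config to a subset of `['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']` and `attestation_root_certificates_finders` to an object that responds to `#find` and returns the corresponding root certificate for each registration. The `#find` method will be called passing keyword arguments `attestation_format`, `aaguid` and `attestation_certificate_key_id`.
 
 ## Testing Your Integration
 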