webauthn 2.0.0 → 3.0.0.alpha1

data/lib/webauthn/u2f_migrator.rb

@@ -28,10 +28,11 @@ module WebAuthn
     end
 
     def credential
-      @credential ||= begin
-        hash = authenticator_data.send(:credential)
-        WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
-      end
+      @credential ||=
+        begin
+          hash = authenticator_data.send(:credential)
+          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
+        end
     end
 
     def attestation_type

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.0.0"
+  VERSION = "3.0.0.alpha1"
 end

data/script/ci/install-openssl

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+if [[ "$LIBSSL" == "1.0" ]]; then
+  sudo apt-get install libssl1.0-dev
+fi

data/script/ci/install-ruby

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+source "$HOME/.rvm/scripts/rvm"
+
+if [[ "$LIBSSL" == "1.0" ]]; then
+  rvm use --install $RB --autolibs=read-only --disable-binary
+elif [[ "$LIBSSL" == "1.1" ]]; then
+  rvm use --install $RB --binary --fuzzy
+fi
+
+[[ "`ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'`" =~ "OpenSSL $LIBSSL" ]] || { echo "Wrong libssl version"; exit 1; }

data/webauthn.gemspec

@@ -22,27 +22,32 @@ Gem::Specification.new do |spec|
     "source_code_uri" => "https://github.com/cedarcode/webauthn-ruby"
   }
 
-  spec.files = `git ls-files -z`.split("\x0").reject do |f|
-    f.match(%r{^(test|spec|features|assets)/})
-  end
+  spec.files =
+    `git ls-files -z`.split("\x0").reject do |f|
+      f.match(%r{^(test|spec|features|assets)/})
+    end
+
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.3"
+  spec.required_ruby_version = ">= 2.4"
 
+  spec.add_dependency "android_key_attestation", "~> 0.3.0"
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
-  spec.add_dependency "cose", "~> 0.8.0"
-  spec.add_dependency "jwt", [">= 1.5", "< 3.0"]
+  spec.add_dependency "cose", "~> 1.0"
   spec.add_dependency "openssl", "~> 2.0"
+  spec.add_dependency "safety_net_attestation", "~> 0.4.0"
   spec.add_dependency "securecompare", "~> 1.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.9.0"
 
-  spec.add_development_dependency "appraisal", "~> 2.2.0"
+  spec.add_development_dependency "appraisal", "~> 2.3.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.75.0"
+  spec.add_development_dependency "rubocop", "0.80.1"
+  spec.add_development_dependency "rubocop-rspec", "~> 1.38.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.0.alpha1
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,8 +9,22 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-10-03 00:00:00.000000000 Z
+date: 2020-06-27 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: android_key_attestation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0
 - !ruby/object:Gem::Dependency
   name: awrence
   requirement: !ruby/object:Gem::Requirement
@@ -59,48 +73,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: openssl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.5'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.5'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: openssl
+  name: safety_net_attestation
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 0.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 0.4.0
 - !ruby/object:Gem::Dependency
   name: securecompare
   requirement: !ruby/object:Gem::Requirement
@@ -115,20 +123,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: tpm-key_attestation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -197,14 +219,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.75.0
+        version: 0.80.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.75.0
+        version: 0.80.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.38.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.38.1
 description: |-
   WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
       Relying Party and allow your users to authenticate with U2F and FIDO2 authenticators.
@@ -233,21 +269,13 @@ files:
 - gemfiles/cose_head.gemfile
 - gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_head.gemfile
-- lib/android_safetynet/attestation_response.rb
-- lib/cose/algorithm.rb
-- lib/tpm/constants.rb
-- lib/tpm/s_attest.rb
-- lib/tpm/s_attest/s_certify_info.rb
-- lib/tpm/sized_buffer.rb
-- lib/tpm/t_public.rb
-- lib/tpm/t_public/s_ecc_parms.rb
-- lib/tpm/t_public/s_rsa_parms.rb
+- lib/cose/rsapkcs1_algorithm.rb
 - lib/webauthn.rb
+- lib/webauthn/attestation_object.rb
 - lib/webauthn/attestation_statement.rb
 - lib/webauthn/attestation_statement/android_key.rb
-- lib/webauthn/attestation_statement/android_key/authorization_list.rb
-- lib/webauthn/attestation_statement/android_key/key_description.rb
 - lib/webauthn/attestation_statement/android_safetynet.rb
 - lib/webauthn/attestation_statement/base.rb
 - lib/webauthn/attestation_statement/fido_u2f.rb
@@ -255,8 +283,6 @@ files:
 - lib/webauthn/attestation_statement/none.rb
 - lib/webauthn/attestation_statement/packed.rb
 - lib/webauthn/attestation_statement/tpm.rb
-- lib/webauthn/attestation_statement/tpm/cert_info.rb
-- lib/webauthn/attestation_statement/tpm/pub_area.rb
 - lib/webauthn/authenticator_assertion_response.rb
 - lib/webauthn/authenticator_attestation_response.rb
 - lib/webauthn/authenticator_data.rb
@@ -277,6 +303,7 @@ files:
 - lib/webauthn/fake_authenticator/attestation_object.rb
 - lib/webauthn/fake_authenticator/authenticator_data.rb
 - lib/webauthn/fake_client.rb
+- lib/webauthn/public_key.rb
 - lib/webauthn/public_key_credential.rb
 - lib/webauthn/public_key_credential/creation_options.rb
 - lib/webauthn/public_key_credential/entity.rb
@@ -286,10 +313,12 @@ files:
 - lib/webauthn/public_key_credential/user_entity.rb
 - lib/webauthn/public_key_credential_with_assertion.rb
 - lib/webauthn/public_key_credential_with_attestation.rb
+- lib/webauthn/relying_party.rb
 - lib/webauthn/security_utils.rb
-- lib/webauthn/signature_verifier.rb
 - lib/webauthn/u2f_migrator.rb
 - lib/webauthn/version.rb
+- script/ci/install-openssl
+- script/ci/install-ruby
 - webauthn.gemspec
 homepage: https://github.com/cedarcode/webauthn-ruby
 licenses:
@@ -306,14 +335,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: WebAuthn ruby server library

data/lib/android_safetynet/attestation_response.rb

@@ -1,84 +0,0 @@
-# frozen_string_literal: true
-
-require "base64"
-require "jwt"
-require "webauthn/security_utils"
-
-module AndroidSafetynet
-  # Decoupled from WebAuthn, candidate for extraction
-  # Reference: https://developer.android.com/training/safetynet/attestation.html
-  class AttestationResponse
-    class VerificationError < StandardError; end
-    class LeafCertificateSubjectError < VerificationError; end
-    class NonceMismatchError < VerificationError; end
-    class SignatureError < VerificationError; end
-    class ResponseMissingError < VerificationError; end
-
-    CERTIRICATE_CHAIN_HEADER = "x5c"
-    VALID_SUBJECT_HOSTNAME = "attest.android.com"
-    HEADERS_POSITION = 1
-    PAYLOAD_POSITION = 0
-
-    attr_reader :response
-
-    def initialize(response)
-      @response = response
-    end
-
-    def verify(nonce)
-      if response
-        valid_nonce?(nonce) || raise(NonceMismatchError)
-        valid_attestation_domain? || raise(LeafCertificateSubjectError)
-        valid_signature? || raise(SignatureError)
-      else
-        raise(ResponseMissingError)
-      end
-    end
-
-    def cts_profile_match?
-      payload["ctsProfileMatch"]
-    end
-
-    def certificate_chain
-      @certificate_chain ||= headers[CERTIRICATE_CHAIN_HEADER].map do |cert|
-        OpenSSL::X509::Certificate.new(Base64.strict_decode64(cert))
-      end
-    end
-
-    private
-
-    def valid_nonce?(nonce)
-      WebAuthn::SecurityUtils.secure_compare(payload["nonce"], nonce)
-    end
-
-    def valid_attestation_domain?
-      common_name = leaf_certificate&.subject&.to_a&.assoc('CN')
-
-      if common_name
-        common_name[1] == VALID_SUBJECT_HOSTNAME
-      end
-    end
-
-    def valid_signature?
-      JWT.decode(response, leaf_certificate.public_key, true, algorithms: ["ES256", "RS256"])
-    rescue JWT::VerificationError
-      false
-    end
-
-    def leaf_certificate
-      certificate_chain[0]
-    end
-
-    def headers
-      jws_parts[HEADERS_POSITION]
-    end
-
-    def payload
-      jws_parts[PAYLOAD_POSITION]
-    end
-
-    def jws_parts
-      @jws_parts ||= JWT.decode(response, nil, false)
-    end
-  end
-end

data/lib/cose/algorithm.rb

@@ -1,38 +0,0 @@
-# frozen_string_literal: true
-
-require "cose/key"
-
-# TODO: Move this to cose gem
-module COSE
-  # https://tools.ietf.org/html/rfc8152#section-8.1
-  Algorithm = Struct.new(:id, :name, :hash, :kty, :key_curve) do
-    @registered = {}
-
-    def self.register(id, name, hash, kty, key_curve = nil)
-      @registered[id] = COSE::Algorithm.new(id, name, hash, kty, key_curve)
-    end
-
-    def self.find(id)
-      @registered[id]
-    end
-
-    def self.by_name(name)
-      @registered.values.detect { |algorithm| algorithm.name == name }
-    end
-
-    def value
-      id
-    end
-  end
-end
-
-COSE::Algorithm.register(-7, "ES256", "SHA256", COSE::Key::EC2::KTY_EC2, "prime256v1")
-COSE::Algorithm.register(-35, "ES384", "SHA384", COSE::Key::EC2::KTY_EC2, "prime256v1")
-COSE::Algorithm.register(-36, "ES512", "SHA512", COSE::Key::EC2::KTY_EC2, "prime256v1")
-COSE::Algorithm.register(-37, "PS256", "SHA256", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-38, "PS384", "SHA384", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-39, "PS512", "SHA512", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-257, "RS256", "SHA256", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-258, "RS384", "SHA384", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-259, "RS512", "SHA512", COSE::Key::RSA::KTY_RSA)
-COSE::Algorithm.register(-65535, "RS1", "SHA1", COSE::Key::RSA::KTY_RSA)

data/lib/tpm/constants.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module TPM
-  # Section 6 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
-
-  GENERATED_VALUE = 0xFF544347
-
-  ST_ATTEST_CERTIFY = 0x8017
-
-  # Algorithms
-  ALG_RSA = 0x0001
-  ALG_SHA1 = 0x0004
-  ALG_SHA256 = 0x000B
-  ALG_NULL = 0x0010
-  ALG_RSASSA = 0x0014
-  ALG_RSAPSS = 0x0016
-  ALG_ECDSA = 0x0018
-  ALG_ECC = 0x0023
-
-  # ECC curves
-  ECC_NIST_P256 = 0x0003
-end