webauthn 2.1.0 → 2.4.1

data/lib/webauthn/authenticator_data.rb

@@ -1,32 +1,49 @@
 # frozen_string_literal: true
 
+require "bindata"
 require "webauthn/authenticator_data/attested_credential_data"
+require "webauthn/error"
 
 module WebAuthn
-  class AuthenticatorData
-    RP_ID_HASH_POSITION = 0
+  class AuthenticatorDataFormatError < WebAuthn::Error; end
 
+  class AuthenticatorData < BinData::Record
     RP_ID_HASH_LENGTH = 32
     FLAGS_LENGTH = 1
     SIGN_COUNT_LENGTH = 4
 
-    SIGN_COUNT_POSITION = RP_ID_HASH_LENGTH + FLAGS_LENGTH
+    endian :big
 
-    USER_PRESENT_FLAG_POSITION = 0
-    USER_VERIFIED_FLAG_POSITION = 2
-    ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION = 6
-    EXTENSION_DATA_INCLUDED_FLAG_POSITION = 7
+    count_bytes_remaining :data_length
+    string :rp_id_hash, length: RP_ID_HASH_LENGTH
+    struct :flags do
+      bit1 :extension_data_included
+      bit1 :attested_credential_data_included
+      bit1 :reserved_for_future_use_4
+      bit1 :reserved_for_future_use_3
+      bit1 :reserved_for_future_use_2
+      bit1 :user_verified
+      bit1 :reserved_for_future_use_1
+      bit1 :user_present
+    end
+    bit32 :sign_count
+    count_bytes_remaining :trailing_bytes_length
+    string :trailing_bytes, length: :trailing_bytes_length
 
-    def initialize(data)
-      @data = data
+    def self.deserialize(data)
+      read(data)
+    rescue EOFError
+      raise AuthenticatorDataFormatError
     end
 
-    attr_reader :data
+    def data
+      to_binary_s
+    end
 
     def valid?
-      valid_length? &&
-        (!attested_credential_data_included? || attested_credential_data.valid?) &&
-        (!extension_data_included? || extension_data)
+      (!attested_credential_data_included? || attested_credential_data.valid?) &&
+        (!extension_data_included? || extension_data) &&
+        valid_length?
     end
 
     def user_flagged?
@@ -34,26 +51,19 @@ module WebAuthn
     end
 
     def user_present?
-      flags[USER_PRESENT_FLAG_POSITION] == "1"
+      flags.user_present == 1
     end
 
     def user_verified?
-      flags[USER_VERIFIED_FLAG_POSITION] == "1"
+      flags.user_verified == 1
     end
 
     def attested_credential_data_included?
-      flags[ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION] == "1"
+      flags.attested_credential_data_included == 1
     end
 
     def extension_data_included?
-      flags[EXTENSION_DATA_INCLUDED_FLAG_POSITION] == "1"
-    end
-
-    def rp_id_hash
-      @rp_id_hash ||=
-        if valid?
-          data_at(RP_ID_HASH_POSITION, RP_ID_HASH_LENGTH)
-        end
+      flags.extension_data_included == 1
     end
 
     def credential
@@ -62,35 +72,39 @@ module WebAuthn
       end
     end
 
-    def sign_count
-      @sign_count ||= data_at(SIGN_COUNT_POSITION, SIGN_COUNT_LENGTH).unpack('L>')[0]
-    end
-
     def attested_credential_data
       @attested_credential_data ||=
-        AttestedCredentialData.new(data_at(attested_credential_data_position))
+        AttestedCredentialData.deserialize(trailing_bytes)
+    rescue AttestedCredentialDataFormatError
+      raise AuthenticatorDataFormatError
     end
 
     def extension_data
       @extension_data ||= CBOR.decode(raw_extension_data)
     end
 
-    def flags
-      @flags ||= data_at(flags_position, FLAGS_LENGTH).unpack("b*")[0]
+    def aaguid
+      raw_aaguid = attested_credential_data.raw_aaguid
+
+      unless raw_aaguid == WebAuthn::AuthenticatorData::AttestedCredentialData::ZEROED_AAGUID
+        attested_credential_data.aaguid
+      end
     end
 
     private
 
     def valid_length?
-      data.length == base_length + attested_credential_data_length + extension_data_length
+      data_length == base_length + attested_credential_data_length + extension_data_length
     end
 
     def raw_extension_data
-      data_at(extension_data_position)
-    end
-
-    def attested_credential_data_position
-      base_length
+      if extension_data_included?
+        if attested_credential_data_included?
+          trailing_bytes[attested_credential_data.length..-1]
+        else
+          trailing_bytes.snapshot
+        end
+      end
     end
 
     def attested_credential_data_length
@@ -109,22 +123,8 @@ module WebAuthn
       end
     end
 
-    def extension_data_position
-      base_length + attested_credential_data_length
-    end
-
     def base_length
       RP_ID_HASH_LENGTH + FLAGS_LENGTH + SIGN_COUNT_LENGTH
     end
-
-    def flags_position
-      RP_ID_HASH_LENGTH
-    end
-
-    def data_at(position, length = nil)
-      length ||= data.size - position
-
-      data[position..(position + length - 1)]
-    end
   end
 end

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -1,34 +1,43 @@
 # frozen_string_literal: true
 
+require "bindata"
 require "cose/key"
+require "webauthn/error"
 
 module WebAuthn
-  class AuthenticatorData
-    class AttestedCredentialData
+  class AttestedCredentialDataFormatError < WebAuthn::Error; end
+
+  class AuthenticatorData < BinData::Record
+    class AttestedCredentialData < BinData::Record
       AAGUID_LENGTH = 16
       ZEROED_AAGUID = 0.chr * AAGUID_LENGTH
 
       ID_LENGTH_LENGTH = 2
 
-      UINT16_BIG_ENDIAN_FORMAT = "n*"
+      endian :big
+
+      string :raw_aaguid, length: AAGUID_LENGTH
+      bit16 :id_length
+      string :id, read_length: :id_length
+      count_bytes_remaining :trailing_bytes_length
+      string :trailing_bytes, length: :trailing_bytes_length
 
-      # FIXME: use keyword_init when we dropped Ruby 2.4 support
-      Credential = Struct.new(:id, :public_key) do
-        def public_key_object
-          COSE::Key.deserialize(public_key).to_pkey
+      # TODO: use keyword_init when we dropped Ruby 2.4 support
+      Credential =
+        Struct.new(:id, :public_key) do
+          def public_key_object
+            COSE::Key.deserialize(public_key).to_pkey
+          end
         end
-      end
 
-      def initialize(data)
-        @data = data
+      def self.deserialize(data)
+        read(data)
+      rescue EOFError
+        raise AttestedCredentialDataFormatError
       end
 
       def valid?
-        data.length >= AAGUID_LENGTH + ID_LENGTH_LENGTH && valid_credential_public_key?
-      end
-
-      def raw_aaguid
-        data_at(0, AAGUID_LENGTH)
+        valid_credential_public_key?
       end
 
       def aaguid
@@ -37,62 +46,32 @@ module WebAuthn
 
       def credential
         @credential ||=
-          if id
+          if valid?
             Credential.new(id, public_key)
           end
       end
 
       def length
         if valid?
-          public_key_position + public_key_length
+          AAGUID_LENGTH + ID_LENGTH_LENGTH + id_length + public_key_length
         end
       end
 
       private
 
-      attr_reader :data
-
       def valid_credential_public_key?
         cose_key = COSE::Key.deserialize(public_key)
 
-        !!cose_key.alg
-      end
-
-      def id
-        if valid?
-          data_at(id_position, id_length)
-        end
+        !!cose_key.alg && WebAuthn.configuration.algorithms.include?(COSE::Algorithm.find(cose_key.alg).name)
       end
 
       def public_key
-        @public_key ||= data_at(public_key_position, public_key_length)
-      end
-
-      def id_position
-        id_length_position + ID_LENGTH_LENGTH
-      end
-
-      def id_length
-        @id_length ||= data_at(id_length_position, ID_LENGTH_LENGTH).unpack(UINT16_BIG_ENDIAN_FORMAT)[0]
-      end
-
-      def id_length_position
-        AAGUID_LENGTH
-      end
-
-      def public_key_position
-        id_position + id_length
+        trailing_bytes[0..public_key_length - 1]
       end
 
       def public_key_length
         @public_key_length ||=
-          CBOR.encode(CBOR::Unpacker.new(StringIO.new(data_at(public_key_position))).each.first).length
-      end
-
-      def data_at(position, length = nil)
-        length ||= data.size - position
-
-        data[position..(position + length - 1)]
+          CBOR.encode(CBOR::Unpacker.new(StringIO.new(trailing_bytes)).each.first).length
       end
     end
   end

data/lib/webauthn/authenticator_response.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "webauthn/authenticator_data"
 require "webauthn/client_data"
 require "webauthn/error"
 require "webauthn/security_utils"
@@ -91,6 +92,8 @@ module WebAuthn
 
     def valid_authenticator_data?
       authenticator_data.valid?
+    rescue WebAuthn::AuthenticatorDataFormatError
+      false
     end
 
     def valid_user_presence?

data/lib/webauthn/credential_creation_options.rb

@@ -32,6 +32,8 @@ module WebAuthn
       user_display_name: nil,
       rp_name: nil
     )
+      super()
+
       @attestation = attestation
       @authenticator_selection = authenticator_selection
       @exclude_credentials = exclude_credentials

data/lib/webauthn/credential_request_options.rb

@@ -16,6 +16,8 @@ module WebAuthn
     attr_accessor :allow_credentials, :extensions, :user_verification
 
     def initialize(allow_credentials: [], extensions: nil, user_verification: nil)
+      super()
+
       @allow_credentials = allow_credentials
       @extensions = extensions
       @user_verification = user_verification

data/lib/webauthn/fake_authenticator.rb

@@ -18,7 +18,8 @@ module WebAuthn
       user_present: true,
       user_verified: false,
       attested_credential_data: true,
-      sign_count: nil
+      sign_count: nil,
+      extensions: nil
     )
       credential_id, credential_key, credential_sign_count = new_credential
       sign_count ||= credential_sign_count
@@ -37,7 +38,8 @@ module WebAuthn
         user_present: user_present,
         user_verified: user_verified,
         attested_credential_data: attested_credential_data,
-        sign_count: sign_count
+        sign_count: sign_count,
+        extensions: extensions
       ).serialize
     end
 
@@ -47,7 +49,8 @@ module WebAuthn
       user_present: true,
       user_verified: false,
       aaguid: AuthenticatorData::AAGUID,
-      sign_count: nil
+      sign_count: nil,
+      extensions: nil
     )
       credential_options = credentials[rp_id]
 
@@ -63,6 +66,7 @@ module WebAuthn
           aaguid: aaguid,
           credential: nil,
           sign_count: sign_count || credential_sign_count,
+          extensions: extensions
         ).serialize
 
         signature = credential_key.sign("SHA256", authenticator_data + client_data_hash)

data/lib/webauthn/fake_authenticator/attestation_object.rb

@@ -14,7 +14,8 @@ module WebAuthn
         user_present: true,
         user_verified: false,
         attested_credential_data: true,
-        sign_count: 0
+        sign_count: 0,
+        extensions: nil
       )
         @client_data_hash = client_data_hash
         @rp_id_hash = rp_id_hash
@@ -24,6 +25,7 @@ module WebAuthn
         @user_verified = user_verified
         @attested_credential_data = attested_credential_data
         @sign_count = sign_count
+        @extensions = extensions
       end
 
       def serialize
@@ -44,7 +46,8 @@ module WebAuthn
         :user_present,
         :user_verified,
         :attested_credential_data,
-        :sign_count
+        :sign_count,
+        :extensions
       )
 
       def authenticator_data
@@ -60,7 +63,8 @@ module WebAuthn
               credential: credential_data,
               user_present: user_present,
               user_verified: user_verified,
-              sign_count: 0
+              sign_count: 0,
+              extensions: extensions
             )
           end
       end

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -115,8 +115,7 @@ module WebAuthn
         case credential[:public_key]
         when OpenSSL::PKey::RSA
           key = COSE::Key::RSA.from_pkey(credential[:public_key])
-          # FIXME: Remove once writer in cose
-          key.instance_variable_set(:@alg, -257)
+          key.alg = -257
         when OpenSSL::PKey::EC::Point
           alg = {
             COSE::Key::Curve.by_name("P-256").id => -7,
@@ -125,8 +124,7 @@ module WebAuthn
           }
 
           key = COSE::Key::EC2.from_pkey(credential[:public_key])
-          # FIXME: Remove once writer in cose
-          key.instance_variable_set(:@alg, alg[key.crv])
+          key.alg = alg[key.crv]
 
         end
 

data/lib/webauthn/fake_client.rb

@@ -29,7 +29,8 @@ module WebAuthn
       rp_id: nil,
       user_present: true,
       user_verified: false,
-      attested_credential_data: true
+      attested_credential_data: true,
+      extensions: nil
     )
       rp_id ||= URI.parse(origin).host
 
@@ -41,12 +42,16 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
-        attested_credential_data: attested_credential_data
+        attested_credential_data: attested_credential_data,
+        extensions: extensions
       )
 
       id =
         if attested_credential_data
-          WebAuthn::AuthenticatorData.new(CBOR.decode(attestation_object)["authData"]).credential.id
+          WebAuthn::AuthenticatorData
+            .deserialize(CBOR.decode(attestation_object)["authData"])
+            .attested_credential_data
+            .id
         else
           "id-for-pk-without-attested-credential-data"
         end
@@ -55,6 +60,7 @@ module WebAuthn
         "type" => "public-key",
         "id" => internal_encoder.encode(id),
         "rawId" => encoder.encode(id),
+        "clientExtensionResults" => extensions,
         "response" => {
           "attestationObject" => encoder.encode(attestation_object),
           "clientDataJSON" => encoder.encode(client_data_json)
@@ -62,7 +68,13 @@ module WebAuthn
       }
     end
 
-    def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false, sign_count: nil)
+    def get(challenge: fake_challenge,
+            rp_id: nil,
+            user_present: true,
+            user_verified: false,
+            sign_count: nil,
+            extensions: nil,
+            user_handle: nil)
       rp_id ||= URI.parse(origin).host
 
       client_data_json = data_json_for(:get, encoder.decode(challenge))
@@ -74,17 +86,19 @@ module WebAuthn
         user_present: user_present,
         user_verified: user_verified,
         sign_count: sign_count,
+        extensions: extensions
       )
 
       {
         "type" => "public-key",
         "id" => internal_encoder.encode(assertion[:credential_id]),
         "rawId" => encoder.encode(assertion[:credential_id]),
+        "clientExtensionResults" => extensions,
         "response" => {
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),
           "signature" => encoder.encode(assertion[:signature]),
-          "userHandle" => nil
+          "userHandle" => user_handle ? encoder.encode(user_handle) : nil
         }
       }
     end