webauthn 2.1.0 → 2.4.1

data/lib/webauthn/public_key.rb

@@ -1,11 +1,15 @@
 # frozen_string_literal: true
 
-require "webauthn/attestation_statement/fido_u2f/public_key"
-require "cose/key"
 require "cose/algorithm"
+require "cose/error"
+require "cose/key"
+require "cose/rsapkcs1_algorithm"
+require "webauthn/attestation_statement/fido_u2f/public_key"
 
 module WebAuthn
   class PublicKey
+    class UnsupportedAlgorithm < Error; end
+
     def self.deserialize(public_key)
       cose_key =
         if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(public_key)
@@ -45,5 +49,20 @@ module WebAuthn
     def alg
       @cose_key.alg
     end
+
+    def verify(signature, verification_data)
+      cose_algorithm.verify(pkey, signature, verification_data)
+    rescue COSE::Error
+      false
+    end
+
+    private
+
+    def cose_algorithm
+      @cose_algorithm ||= COSE::Algorithm.find(alg) || raise(
+        UnsupportedAlgorithm,
+        "The public key algorithm #{alg} is not among the available COSE algorithms"
+      )
+    end
   end
 end

data/lib/webauthn/public_key_credential.rb

@@ -4,21 +4,23 @@ require "webauthn/encoder"
 
 module WebAuthn
   class PublicKeyCredential
-    attr_reader :type, :id, :raw_id, :response
+    attr_reader :type, :id, :raw_id, :client_extension_outputs, :response
 
     def self.from_client(credential)
       new(
         type: credential["type"],
         id: credential["id"],
         raw_id: WebAuthn.configuration.encoder.decode(credential["rawId"]),
+        client_extension_outputs: credential["clientExtensionResults"],
         response: response_class.from_client(credential["response"])
       )
     end
 
-    def initialize(type:, id:, raw_id:, response:)
+    def initialize(type:, id:, raw_id:, client_extension_outputs: {}, response:)
       @type = type
       @id = id
       @raw_id = raw_id
+      @client_extension_outputs = client_extension_outputs
       @response = response
     end
 
@@ -30,7 +32,11 @@ module WebAuthn
     end
 
     def sign_count
-      response&.authenticator_data&.sign_count
+      authenticator_data&.sign_count
+    end
+
+    def authenticator_extension_outputs
+      authenticator_data.extension_data if authenticator_data&.extension_data_included?
     end
 
     private
@@ -43,6 +49,10 @@ module WebAuthn
       raw_id && id && raw_id == WebAuthn.standard_encoder.decode(id)
     end
 
+    def authenticator_data
+      response&.authenticator_data
+    end
+
     def encoder
       WebAuthn.configuration.encoder
     end

data/lib/webauthn/u2f_migrator.rb

@@ -28,10 +28,11 @@ module WebAuthn
     end
 
     def credential
-      @credential ||= begin
-        hash = authenticator_data.send(:credential)
-        WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
-      end
+      @credential ||=
+        begin
+          hash = authenticator_data.send(:credential)
+          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
+        end
     end
 
     def attestation_type

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.1.0"
+  VERSION = "2.4.1"
 end

data/script/ci/install-openssl

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+if [[ "$LIBSSL" == "1.0" ]]; then
+  sudo apt-get install libssl1.0-dev
+fi

data/script/ci/install-ruby

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+source "$HOME/.rvm/scripts/rvm"
+
+if [[ "$LIBSSL" == "1.0" ]]; then
+  rvm use --install $RB --autolibs=read-only --disable-binary
+elif [[ "$LIBSSL" == "1.1" ]]; then
+  rvm use --install $RB --binary --fuzzy
+fi
+
+[[ "`ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'`" =~ "OpenSSL $LIBSSL" ]] || { echo "Wrong libssl version"; exit 1; }

data/webauthn.gemspec

@@ -22,28 +22,32 @@ Gem::Specification.new do |spec|
     "source_code_uri" => "https://github.com/cedarcode/webauthn-ruby"
   }
 
-  spec.files = `git ls-files -z`.split("\x0").reject do |f|
-    f.match(%r{^(test|spec|features|assets)/})
-  end
+  spec.files =
+    `git ls-files -z`.split("\x0").reject do |f|
+      f.match(%r{^(test|spec|features|assets)/})
+    end
+
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.3"
+  spec.required_ruby_version = ">= 2.4"
 
+  spec.add_dependency "android_key_attestation", "~> 0.3.0"
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
-  spec.add_dependency "cose", "~> 0.10.0"
-  spec.add_dependency "jwt", [">= 1.5", "< 3.0"]
+  spec.add_dependency "cose", "~> 1.1"
   spec.add_dependency "openssl", "~> 2.0"
+  spec.add_dependency "safety_net_attestation", "~> 0.4.0"
   spec.add_dependency "securecompare", "~> 1.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.10.0"
 
-  spec.add_development_dependency "appraisal", "~> 2.2.0"
+  spec.add_development_dependency "appraisal", "~> 2.3.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.75.0"
-  spec.add_development_dependency "timecop", "~> 0.9.1"
+  spec.add_development_dependency "rubocop", "0.89"
+  spec.add_development_dependency "rubocop-rspec", "~> 1.38.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.4.1
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,8 +9,22 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-12-30 00:00:00.000000000 Z
+date: 2021-02-15 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: android_key_attestation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0
 - !ruby/object:Gem::Dependency
   name: awrence
   requirement: !ruby/object:Gem::Requirement
@@ -59,48 +73,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: '1.1'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: openssl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.5'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.5'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: openssl
+  name: safety_net_attestation
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 0.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 0.4.0
 - !ruby/object:Gem::Dependency
   name: securecompare
   requirement: !ruby/object:Gem::Requirement
@@ -115,20 +123,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: tpm-key_attestation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.0
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -197,28 +219,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.75.0
+        version: '0.89'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.75.0
+        version: '0.89'
 - !ruby/object:Gem::Dependency
-  name: timecop
+  name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: 1.38.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: 1.38.1
 description: |-
   WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
       Relying Party and allow your users to authenticate with U2F and FIDO2 authenticators.
@@ -247,21 +269,13 @@ files:
 - gemfiles/cose_head.gemfile
 - gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_head.gemfile
-- lib/android_safetynet/attestation_response.rb
-- lib/cose/rsassa_algorithm.rb
-- lib/tpm/constants.rb
-- lib/tpm/s_attest.rb
-- lib/tpm/s_attest/s_certify_info.rb
-- lib/tpm/sized_buffer.rb
-- lib/tpm/t_public.rb
-- lib/tpm/t_public/s_ecc_parms.rb
-- lib/tpm/t_public/s_rsa_parms.rb
+- lib/cose/rsapkcs1_algorithm.rb
 - lib/webauthn.rb
+- lib/webauthn/attestation_object.rb
 - lib/webauthn/attestation_statement.rb
 - lib/webauthn/attestation_statement/android_key.rb
-- lib/webauthn/attestation_statement/android_key/authorization_list.rb
-- lib/webauthn/attestation_statement/android_key/key_description.rb
 - lib/webauthn/attestation_statement/android_safetynet.rb
 - lib/webauthn/attestation_statement/base.rb
 - lib/webauthn/attestation_statement/fido_u2f.rb
@@ -269,8 +283,6 @@ files:
 - lib/webauthn/attestation_statement/none.rb
 - lib/webauthn/attestation_statement/packed.rb
 - lib/webauthn/attestation_statement/tpm.rb
-- lib/webauthn/attestation_statement/tpm/cert_info.rb
-- lib/webauthn/attestation_statement/tpm/pub_area.rb
 - lib/webauthn/authenticator_assertion_response.rb
 - lib/webauthn/authenticator_attestation_response.rb
 - lib/webauthn/authenticator_data.rb
@@ -302,9 +314,10 @@ files:
 - lib/webauthn/public_key_credential_with_assertion.rb
 - lib/webauthn/public_key_credential_with_attestation.rb
 - lib/webauthn/security_utils.rb
-- lib/webauthn/signature_verifier.rb
 - lib/webauthn/u2f_migrator.rb
 - lib/webauthn/version.rb
+- script/ci/install-openssl
+- script/ci/install-ruby
 - webauthn.gemspec
 homepage: https://github.com/cedarcode/webauthn-ruby
 licenses:
@@ -321,14 +334,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.8
 signing_key: 
 specification_version: 4
 summary: WebAuthn ruby server library

data/lib/android_safetynet/attestation_response.rb

@@ -1,116 +0,0 @@
-# frozen_string_literal: true
-
-require "base64"
-require "jwt"
-require "webauthn/security_utils"
-
-module AndroidSafetynet
-  # Decoupled from WebAuthn, candidate for extraction
-  # Reference: https://developer.android.com/training/safetynet/attestation.html
-  class AttestationResponse
-    class VerificationError < StandardError; end
-    class LeafCertificateSubjectError < VerificationError; end
-    class NonceMismatchError < VerificationError; end
-    class SignatureError < VerificationError; end
-    class ResponseMissingError < VerificationError; end
-    class TimestampError < VerificationError; end
-    class TrustworthinessError < VerificationError; end
-
-    CERTIRICATE_CHAIN_HEADER = "x5c"
-    VALID_SUBJECT_HOSTNAME = "attest.android.com"
-    HEADERS_POSITION = 1
-    PAYLOAD_POSITION = 0
-    LEEWAY = 60
-
-    # FIXME: Should probably be limited to only roots published by Google
-    # See https://github.com/cedarcode/webauthn-ruby/issues/160#issuecomment-487941201
-    @trust_store = OpenSSL::X509::Store.new.tap { |trust_store| trust_store.set_default_paths }
-
-    class << self
-      attr_accessor :trust_store
-    end
-
-    attr_reader :response
-
-    def initialize(response)
-      @response = response
-    end
-
-    def verify(nonce, trustworthiness: true)
-      if response
-        valid_nonce?(nonce) || raise(NonceMismatchError)
-        valid_attestation_domain? || raise(LeafCertificateSubjectError)
-        valid_signature? || raise(SignatureError)
-        valid_timestamp? || raise(TimestampError)
-        trustworthy? || raise(TrustworthinessError) if trustworthiness
-
-        true
-      else
-        raise(ResponseMissingError)
-      end
-    end
-
-    def cts_profile_match?
-      payload["ctsProfileMatch"]
-    end
-
-    def leaf_certificate
-      certificate_chain[0]
-    end
-
-    def certificate_chain
-      @certificate_chain ||= headers[CERTIRICATE_CHAIN_HEADER].map do |cert|
-        OpenSSL::X509::Certificate.new(Base64.strict_decode64(cert))
-      end
-    end
-
-    def valid_timestamp?
-      now = Time.now
-      Time.at((payload["timestampMs"] / 1000.0).round).between?(now - LEEWAY, now)
-    end
-
-    private
-
-    def valid_nonce?(nonce)
-      WebAuthn::SecurityUtils.secure_compare(payload["nonce"], nonce)
-    end
-
-    def valid_attestation_domain?
-      common_name = leaf_certificate&.subject&.to_a&.assoc('CN')
-
-      if common_name
-        common_name[1] == VALID_SUBJECT_HOSTNAME
-      end
-    end
-
-    def valid_signature?
-      JWT.decode(response, leaf_certificate.public_key, true, algorithms: ["ES256", "RS256"])
-    rescue JWT::VerificationError
-      false
-    end
-
-    def trustworthy?
-      !trust_store || trust_store.verify(leaf_certificate, signing_certificates)
-    end
-
-    def trust_store
-      self.class.trust_store
-    end
-
-    def signing_certificates
-      certificate_chain[1..-1]
-    end
-
-    def headers
-      jws_parts[HEADERS_POSITION]
-    end
-
-    def payload
-      jws_parts[PAYLOAD_POSITION]
-    end
-
-    def jws_parts
-      @jws_parts ||= JWT.decode(response, nil, false)
-    end
-  end
-end