webauthn 2.1.0 → 2.4.1

data/lib/cose/rsassa_algorithm.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-require "cose"
-
-RSASSAAlgorithm = Struct.new(:id, :name, :hash_function, :kty)
-
-COSE::Algorithm.register(RSASSAAlgorithm.new(-257, "RS256", "SHA256", COSE::Key::RSA::KTY_RSA))
-COSE::Algorithm.register(RSASSAAlgorithm.new(-258, "RS384", "SHA384", COSE::Key::RSA::KTY_RSA))
-COSE::Algorithm.register(RSASSAAlgorithm.new(-259, "RS512", "SHA512", COSE::Key::RSA::KTY_RSA))
-COSE::Algorithm.register(RSASSAAlgorithm.new(-65535, "RS1", "SHA1", COSE::Key::RSA::KTY_RSA))

data/lib/tpm/constants.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-module TPM
-  # Section 6 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
-
-  GENERATED_VALUE = 0xFF544347
-
-  ST_ATTEST_CERTIFY = 0x8017
-
-  # Algorithms
-  ALG_RSA = 0x0001
-  ALG_SHA1 = 0x0004
-  ALG_SHA256 = 0x000B
-  ALG_NULL = 0x0010
-  ALG_RSASSA = 0x0014
-  ALG_RSAPSS = 0x0016
-  ALG_ECDSA = 0x0018
-  ALG_ECC = 0x0023
-
-  # ECC curves
-  ECC_NIST_P256 = 0x0003
-
-  # https://trustedcomputinggroup.org/resource/vendor-id-registry/ section 2 "TPM Capabilities Vendor ID (CAP_VID)"
-  VENDOR_IDS = {
-    "id:414D4400" => "AMD",
-    "id:41544D4C" => "Atmel",
-    "id:4252434D" => "Broadcom",
-    "id:49424D00" => "IBM",
-    "id:49465800" => "Infineon",
-    "id:494E5443" => "Intel",
-    "id:4C454E00" => "Lenovo",
-    "id:4E534D20" => "National Semiconductor",
-    "id:4E545A00" => "Nationz",
-    "id:4E544300" => "Nuvoton Technology",
-    "id:51434F4D" => "Qualcomm",
-    "id:534D5343" => "SMSC",
-    "id:53544D20" => "ST Microelectronics",
-    "id:534D534E" => "Samsung",
-    "id:534E5300" => "Sinosun",
-    "id:54584E00" => "Texas Instruments",
-    "id:57454300" => "Winbond",
-    "id:524F4343" => "Fuzhou Rockchip",
-  }.freeze
-end

data/lib/tpm/s_attest.rb

@@ -1,26 +0,0 @@
-# frozen_string_literal: true
-
-require "bindata"
-require "tpm/constants"
-require "tpm/sized_buffer"
-require "tpm/s_attest/s_certify_info"
-
-module TPM
-  # Section 10.12.8 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
-  class SAttest < BinData::Record
-    endian :big
-
-    uint32 :magic
-    uint16 :attested_type
-    sized_buffer :qualified_signer
-    sized_buffer :extra_data
-
-    # s_clock_info :clock_info
-    # uint64 :firmware_version
-    skip length: 25
-
-    choice :attested, selection: :attested_type do
-      s_certify_info TPM::ST_ATTEST_CERTIFY
-    end
-  end
-end

data/lib/tpm/s_attest/s_certify_info.rb

@@ -1,14 +0,0 @@
-# frozen_string_literal: true
-
-require "bindata"
-require "tpm/sized_buffer"
-
-module TPM
-  class SAttest < BinData::Record
-    # Section 10.12.3 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
-    class SCertifyInfo < BinData::Record
-      sized_buffer :name
-      sized_buffer :qualified_name
-    end
-  end
-end

data/lib/tpm/sized_buffer.rb

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-
-require "bindata"
-
-module TPM
-  # Section 10.4 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
-  class SizedBuffer < BinData::Record
-    endian :big
-
-    uint16 :buffer_size, value: lambda { buffer.size }
-    string :buffer, read_length: :buffer_size
-  end
-end

data/lib/tpm/t_public.rb

@@ -1,32 +0,0 @@
-# frozen_string_literal: true
-
-require "bindata"
-require "tpm/constants"
-require "tpm/sized_buffer"
-require "tpm/t_public/s_ecc_parms"
-require "tpm/t_public/s_rsa_parms"
-
-module TPM
-  # Section 12.2.4 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
-  class TPublic < BinData::Record
-    endian :big
-
-    uint16 :alg_type
-    uint16 :name_alg
-
-    # :object_attributes
-    skip length: 4
-
-    sized_buffer :auth_policy
-
-    choice :parameters, selection: :alg_type do
-      s_ecc_parms TPM::ALG_ECC
-      s_rsa_parms TPM::ALG_RSA
-    end
-
-    choice :unique, selection: :alg_type do
-      sized_buffer TPM::ALG_ECC
-      sized_buffer TPM::ALG_RSA
-    end
-  end
-end

data/lib/tpm/t_public/s_ecc_parms.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-require "bindata"
-
-module TPM
-  class TPublic < BinData::Record
-    # Section 12.2.3.6 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
-    class SEccParms < BinData::Record
-      endian :big
-
-      uint16 :symmetric
-      uint16 :scheme
-      uint16 :curve_id
-      uint16 :kdf
-    end
-  end
-end

data/lib/tpm/t_public/s_rsa_parms.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-require "bindata"
-
-module TPM
-  class TPublic < BinData::Record
-    # Section 12.2.3.5 in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
-    class SRsaParms < BinData::Record
-      endian :big
-
-      uint16 :symmetric
-      uint16 :scheme
-      uint16 :key_bits
-      uint32 :exponent
-    end
-  end
-end

data/lib/webauthn/attestation_statement/android_key/authorization_list.rb

@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-
-require "webauthn/attestation_statement/base"
-
-module WebAuthn
-  module AttestationStatement
-    class AndroidKey < Base
-      class AuthorizationList
-        PURPOSE_TAG = 1
-        ALL_APPLICATIONS_TAG = 600
-        ORIGIN_TAG = 702
-
-        def initialize(sequence)
-          @sequence = sequence
-        end
-
-        def purpose
-          find_by_tag(PURPOSE_TAG)&.value&.at(0)&.value&.at(0)&.value
-        end
-
-        def all_applications
-          find_by_tag(ALL_APPLICATIONS_TAG)&.value
-        end
-
-        def origin
-          find_by_tag(ORIGIN_TAG)&.value&.at(0)&.value
-        end
-
-        private
-
-        attr_reader :sequence
-
-        def find_by_tag(tag)
-          sequence.detect { |data| data.tag == tag }
-        end
-      end
-    end
-  end
-end

data/lib/webauthn/attestation_statement/android_key/key_description.rb

@@ -1,37 +0,0 @@
-# frozen_string_literal: true
-
-require "webauthn/attestation_statement/android_key/authorization_list"
-require "webauthn/attestation_statement/base"
-
-module WebAuthn
-  module AttestationStatement
-    class AndroidKey < Base
-      class KeyDescription
-        # https://developer.android.com/training/articles/security-key-attestation#certificate_schema
-        ATTESTATION_CHALLENGE_INDEX = 4
-        SOFTWARE_ENFORCED_INDEX = 6
-        TEE_ENFORCED_INDEX = 7
-
-        def initialize(sequence)
-          @sequence = sequence
-        end
-
-        def attestation_challenge
-          sequence[ATTESTATION_CHALLENGE_INDEX].value
-        end
-
-        def tee_enforced
-          @tee_enforced ||= AuthorizationList.new(sequence[TEE_ENFORCED_INDEX].value)
-        end
-
-        def software_enforced
-          @software_enforced ||= AuthorizationList.new(sequence[SOFTWARE_ENFORCED_INDEX].value)
-        end
-
-        private
-
-        attr_reader :sequence
-      end
-    end
-  end
-end

data/lib/webauthn/attestation_statement/tpm/cert_info.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-require "openssl"
-require "tpm/constants"
-require "tpm/s_attest"
-require "webauthn/attestation_statement/base"
-
-module WebAuthn
-  module AttestationStatement
-    class TPM < Base
-      class CertInfo
-        TPM_TO_OPENSSL_HASH_ALG = {
-          ::TPM::ALG_SHA1 => "SHA1",
-          ::TPM::ALG_SHA256 => "SHA256"
-        }.freeze
-
-        def initialize(data)
-          @data = data
-        end
-
-        def valid?(attested_data, extra_data)
-          s_attest.magic == ::TPM::GENERATED_VALUE &&
-            valid_name?(attested_data) &&
-            s_attest.extra_data.buffer == extra_data
-        end
-
-        private
-
-        attr_reader :data
-
-        def valid_name?(attested_data)
-          name_hash_alg = s_attest.attested.name.buffer[0..1].unpack("n")[0]
-          name = s_attest.attested.name.buffer[2..-1]
-
-          name == OpenSSL::Digest.digest(TPM_TO_OPENSSL_HASH_ALG[name_hash_alg], attested_data)
-        end
-
-        def s_attest
-          @s_attest ||= ::TPM::SAttest.read(data)
-        end
-      end
-    end
-  end
-end

data/lib/webauthn/attestation_statement/tpm/pub_area.rb

@@ -1,85 +0,0 @@
-# frozen_string_literal: true
-
-require "cose"
-require "cose/rsassa_algorithm"
-require "tpm/constants"
-require "tpm/t_public"
-require "webauthn/attestation_statement/base"
-
-module WebAuthn
-  module AttestationStatement
-    class TPM < Base
-      class PubArea
-        BYTE_LENGTH = 8
-
-        COSE_ECC_TO_TPM_ALG = {
-          COSE::Algorithm.by_name("ES256").id => ::TPM::ALG_ECDSA,
-        }.freeze
-
-        COSE_RSA_TO_TPM_ALG = {
-          COSE::Algorithm.by_name("RS256").id => ::TPM::ALG_RSASSA,
-          COSE::Algorithm.by_name("PS256").id => ::TPM::ALG_RSAPSS,
-        }.freeze
-
-        COSE_TO_TPM_CURVE = {
-          COSE::Key::Curve.by_name("P-256").id => ::TPM::ECC_NIST_P256
-        }.freeze
-
-        def initialize(data)
-          @data = data
-        end
-
-        def valid?(public_key)
-          cose_key = COSE::Key.deserialize(public_key)
-
-          case cose_key
-          when COSE::Key::EC2
-            valid_ecc_key?(cose_key)
-          when COSE::Key::RSA
-            valid_rsa_key?(cose_key)
-          else
-            raise "Unsupported or unknown TPM key type"
-          end
-        end
-
-        private
-
-        attr_reader :data
-
-        def valid_ecc_key?(cose_key)
-          valid_symmetric? &&
-            valid_scheme?(COSE_ECC_TO_TPM_ALG[cose_key.alg]) &&
-            parameters.curve_id == COSE_TO_TPM_CURVE[cose_key.crv] &&
-            unique == cose_key.x + cose_key.y
-        end
-
-        def valid_rsa_key?(cose_key)
-          valid_symmetric? &&
-            valid_scheme?(COSE_RSA_TO_TPM_ALG[cose_key.alg]) &&
-            parameters.key_bits == cose_key.n.size * BYTE_LENGTH &&
-            unique == cose_key.n
-        end
-
-        def valid_symmetric?
-          parameters.symmetric == ::TPM::ALG_NULL
-        end
-
-        def valid_scheme?(scheme)
-          parameters.scheme == ::TPM::ALG_NULL || parameters.scheme == scheme
-        end
-
-        def unique
-          t_public.unique.buffer
-        end
-
-        def parameters
-          t_public.parameters
-        end
-
-        def t_public
-          @t_public = ::TPM::TPublic.read(data)
-        end
-      end
-    end
-  end
-end

data/lib/webauthn/signature_verifier.rb

@@ -1,77 +0,0 @@
-# frozen_string_literal: true
-
-require "cose"
-require "cose/rsassa_algorithm"
-require "openssl"
-require "webauthn/error"
-
-module WebAuthn
-  class SignatureVerifier
-    class UnsupportedAlgorithm < Error; end
-
-    # This logic contained in this map constant is a candidate to be moved to cose gem domain
-    KTY_MAP = {
-      COSE::Key::EC2::KTY_EC2 => [OpenSSL::PKey::EC, OpenSSL::PKey::EC::Point],
-      COSE::Key::RSA::KTY_RSA => [OpenSSL::PKey::RSA]
-    }.freeze
-
-    def initialize(algorithm, public_key)
-      @algorithm = algorithm
-      @public_key = public_key
-
-      validate
-    end
-
-    def verify(signature, verification_data, rsa_pss_salt_length: :digest)
-      if rsa_pss?
-        public_key.verify_pss(cose_algorithm.hash_function, signature, verification_data,
-                              salt_length: rsa_pss_salt_length, mgf1_hash: cose_algorithm.hash_function)
-      else
-        public_key.verify(cose_algorithm.hash_function, signature, verification_data)
-      end
-    end
-
-    private
-
-    attr_reader :algorithm, :public_key
-
-    def cose_algorithm
-      case algorithm
-      when COSE::Algorithm::Base
-        algorithm
-      else
-        COSE::Algorithm.find(algorithm)
-      end
-    end
-
-    # This logic is a candidate to be moved to cose gem domain
-    def cose_key_type
-      case cose_algorithm
-      when COSE::Algorithm::ECDSA
-        COSE::Key::EC2::KTY_EC2
-      when COSE::Algorithm::RSAPSS, RSASSAAlgorithm
-        COSE::Key::RSA::KTY_RSA
-      else
-        raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
-      end
-    end
-
-    def rsa_pss?
-      cose_algorithm.name.start_with?("PS")
-    end
-
-    def validate
-      if !cose_algorithm
-        raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
-      elsif !supported_algorithms.include?(cose_algorithm.name)
-        raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
-      elsif !KTY_MAP[cose_key_type].include?(public_key.class)
-        raise("Incompatible algorithm and key")
-      end
-    end
-
-    def supported_algorithms
-      WebAuthn.configuration.algorithms
-    end
-  end
-end