webauthn 2.1.0 → 3.4.0

data/lib/webauthn/attestation_statement/base.rb

@@ -1,61 +1,77 @@
 # frozen_string_literal: true
 
+require "cose/algorithm"
+require "cose/error"
+require "cose/rsapkcs1_algorithm"
 require "openssl"
 require "webauthn/authenticator_data/attested_credential_data"
 require "webauthn/error"
 
 module WebAuthn
   module AttestationStatement
+    class UnsupportedAlgorithm < Error; end
+
     ATTESTATION_TYPE_NONE = "None"
     ATTESTATION_TYPE_BASIC = "Basic"
     ATTESTATION_TYPE_SELF = "Self"
     ATTESTATION_TYPE_ATTCA = "AttCA"
-    ATTESTATION_TYPE_ECDAA = "ECDAA"
     ATTESTATION_TYPE_BASIC_OR_ATTCA = "Basic_or_AttCA"
+    ATTESTATION_TYPE_ANONCA = "AnonCA"
 
-    class Base
-      class NotSupportedError < Error; end
+    ATTESTATION_TYPES_WITH_ROOT = [
+      ATTESTATION_TYPE_BASIC,
+      ATTESTATION_TYPE_BASIC_OR_ATTCA,
+      ATTESTATION_TYPE_ATTCA,
+      ATTESTATION_TYPE_ANONCA
+    ].freeze
 
+    class Base
       AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4"
 
-      def initialize(statement)
+      def initialize(statement, relying_party = WebAuthn.configuration.relying_party)
         @statement = statement
+        @relying_party = relying_party
       end
 
       def valid?(_authenticator_data, _client_data_hash)
         raise NotImplementedError
       end
 
+      def format
+        WebAuthn::AttestationStatement::FORMAT_TO_CLASS.key(self.class)
+      end
+
       def attestation_certificate
         certificates&.first
       end
 
-      def certificate_chain
-        if certificates
-          certificates[1..-1]
-        end
+      def attestation_certificate_key_id
+        attestation_certificate.subject_key_identifier&.unpack("H*")&.[](0)
       end
 
       private
 
-      attr_reader :statement
+      attr_reader :statement, :relying_party
 
       def matching_aaguid?(attested_credential_data_aaguid)
-        extension = attestation_certificate&.extensions&.detect { |ext| ext.oid == AAGUID_EXTENSION_OID }
+        extension = attestation_certificate&.find_extension(AAGUID_EXTENSION_OID)
         if extension
-          # `extension.value` mangles data into ASCII, so we must manually compare bytes
-          # see https://github.com/ruby/openssl/pull/234
-          extension.to_der[-WebAuthn::AuthenticatorData::AttestedCredentialData::AAGUID_LENGTH..-1] ==
-            attested_credential_data_aaguid
+          aaguid_value = OpenSSL::ASN1.decode(extension.value_der).value
+          aaguid_value == attested_credential_data_aaguid
         else
           true
         end
       end
 
+      def matching_public_key?(authenticator_data)
+        attestation_certificate.public_key.to_der == authenticator_data.credential.public_key_object.to_der
+      end
+
       def certificates
-        @certificates ||= raw_certificates&.map do |raw_certificate|
-          OpenSSL::X509::Certificate.new(raw_certificate)
-        end
+        @certificates ||=
+          raw_certificates&.map do |raw_certificate|
+            OpenSSL::X509::Certificate.new(raw_certificate)
+          end
       end
 
       def algorithm
@@ -66,10 +82,6 @@ module WebAuthn
         statement["x5c"]
       end
 
-      def raw_ecdaa_key_id
-        statement["ecdaaKeyId"]
-      end
-
       def signature
         statement["sig"]
       end
@@ -79,6 +91,87 @@ module WebAuthn
           certificates
         end
       end
+
+      def trustworthy?(aaguid: nil, attestation_certificate_key_id: nil)
+        if ATTESTATION_TYPES_WITH_ROOT.include?(attestation_type)
+          relying_party.acceptable_attestation_types.include?(attestation_type) &&
+            valid_certificate_chain?(aaguid: aaguid, attestation_certificate_key_id: attestation_certificate_key_id)
+        else
+          relying_party.acceptable_attestation_types.include?(attestation_type)
+        end
+      end
+
+      def valid_certificate_chain?(aaguid: nil, attestation_certificate_key_id: nil)
+        root_certificates = root_certificates(
+          aaguid: aaguid,
+          attestation_certificate_key_id: attestation_certificate_key_id
+        )
+
+        if certificates&.one? && root_certificates.include?(attestation_certificate)
+          return true
+        end
+
+        attestation_root_certificates_store(
+          aaguid: aaguid,
+          attestation_certificate_key_id: attestation_certificate_key_id
+        ).verify(attestation_certificate, attestation_trust_path)
+      end
+
+      def attestation_root_certificates_store(aaguid: nil, attestation_certificate_key_id: nil)
+        OpenSSL::X509::Store.new.tap do |store|
+          root_certificates(
+            aaguid: aaguid,
+            attestation_certificate_key_id: attestation_certificate_key_id
+          ).each do |cert|
+            store.add_cert(cert)
+          end
+        end
+      end
+
+      def root_certificates(aaguid: nil, attestation_certificate_key_id: nil)
+        root_certificates =
+          relying_party.attestation_root_certificates_finders.reduce([]) do |certs, finder|
+            if certs.empty?
+              finder.find(
+                attestation_format: format,
+                aaguid: aaguid,
+                attestation_certificate_key_id: attestation_certificate_key_id
+              ) || []
+            else
+              certs
+            end
+          end
+
+        if root_certificates.empty? && respond_to?(:default_root_certificates, true)
+          default_root_certificates
+        else
+          root_certificates
+        end
+      end
+
+      def valid_signature?(authenticator_data, client_data_hash, public_key = attestation_certificate.public_key)
+        raise("Incompatible algorithm and key") unless cose_algorithm.compatible_key?(public_key)
+
+        cose_algorithm.verify(
+          public_key,
+          signature,
+          verification_data(authenticator_data, client_data_hash)
+        )
+      rescue COSE::Error
+        false
+      end
+
+      def verification_data(authenticator_data, client_data_hash)
+        authenticator_data.data + client_data_hash
+      end
+
+      def cose_algorithm
+        @cose_algorithm ||=
+          COSE::Algorithm.find(algorithm).tap do |alg|
+            alg && relying_party.algorithms.include?(alg.name) ||
+              raise(UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}")
+          end
+      end
     end
   end
 end

data/lib/webauthn/attestation_statement/fido_u2f.rb

@@ -4,7 +4,6 @@ require "cose"
 require "openssl"
 require "webauthn/attestation_statement/base"
 require "webauthn/attestation_statement/fido_u2f/public_key"
-require "webauthn/signature_verifier"
 
 module WebAuthn
   module AttestationStatement
@@ -19,7 +18,8 @@ module WebAuthn
           valid_credential_public_key?(authenticator_data.credential.public_key) &&
           valid_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
           valid_signature?(authenticator_data, client_data_hash) &&
-          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_trust_path]
+          trustworthy?(attestation_certificate_key_id: attestation_certificate_key_id) &&
+          [attestation_type, attestation_trust_path]
       end
 
       private
@@ -47,10 +47,8 @@ module WebAuthn
         attested_credential_data_aaguid == WebAuthn::AuthenticatorData::AttestedCredentialData::ZEROED_AAGUID
       end
 
-      def valid_signature?(authenticator_data, client_data_hash)
-        WebAuthn::SignatureVerifier
-          .new(VALID_ATTESTATION_CERTIFICATE_ALGORITHM, certificate_public_key)
-          .verify(signature, verification_data(authenticator_data, client_data_hash))
+      def algorithm
+        VALID_ATTESTATION_CERTIFICATE_ALGORITHM.id
       end
 
       def verification_data(authenticator_data, client_data_hash)
@@ -64,6 +62,10 @@ module WebAuthn
       def public_key_u2f(cose_key_data)
         PublicKey.new(cose_key_data)
       end
+
+      def attestation_type
+        WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA
+      end
     end
   end
 end

data/lib/webauthn/attestation_statement/none.rb

@@ -6,12 +6,18 @@ module WebAuthn
   module AttestationStatement
     class None < Base
       def valid?(*_args)
-        if statement == {}
+        if statement == {} && trustworthy?
           [WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE, nil]
         else
           false
         end
       end
+
+      private
+
+      def attestation_type
+        WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE
+      end
     end
   end
 end

data/lib/webauthn/attestation_statement/packed.rb

@@ -2,25 +2,21 @@
 
 require "openssl"
 require "webauthn/attestation_statement/base"
-require "webauthn/signature_verifier"
 
 module WebAuthn
   # Implements https://www.w3.org/TR/2018/CR-webauthn-20180807/#packed-attestation
-  # ECDAA attestation is unsupported.
   module AttestationStatement
     class Packed < Base
       # Follows "Verification procedure"
       def valid?(authenticator_data, client_data_hash)
-        check_unsupported_feature
-
         valid_format? &&
           valid_algorithm?(authenticator_data.credential) &&
-          valid_certificate_chain? &&
           valid_ec_public_keys?(authenticator_data.credential) &&
           meet_certificate_requirement? &&
           matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
           valid_signature?(authenticator_data, client_data_hash) &&
-          attestation_type_and_trust_path
+          trustworthy?(aaguid: authenticator_data.aaguid) &&
+          [attestation_type, attestation_trust_path]
       end
 
       private
@@ -30,27 +26,11 @@ module WebAuthn
       end
 
       def self_attestation?
-        !raw_certificates && !raw_ecdaa_key_id
+        !raw_certificates
       end
 
       def valid_format?
-        algorithm && signature && (
-          [raw_certificates, raw_ecdaa_key_id].compact.size < 2
-        )
-      end
-
-      def check_unsupported_feature
-        if raw_ecdaa_key_id
-          raise NotSupportedError, "ecdaaKeyId of the packed attestation format is not implemented yet"
-        end
-      end
-
-      def valid_certificate_chain?
-        if certificate_chain
-          certificate_chain.all? { |c| certificate_in_use?(c) }
-        else
-          true
-        end
+        algorithm && signature
       end
 
       def valid_ec_public_keys?(credential)
@@ -65,35 +45,27 @@ module WebAuthn
           subject = attestation_certificate.subject.to_a
 
           attestation_certificate.version == 2 &&
-            certificate_in_use?(attestation_certificate) &&
             subject.assoc('OU')&.at(1) == "Authenticator Attestation" &&
-            attestation_certificate.extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == 'CA:FALSE'
+            attestation_certificate.find_extension('basicConstraints')&.value == 'CA:FALSE'
         else
           true
         end
       end
 
-      def certificate_in_use?(certificate)
-        now = Time.now
-
-        certificate.not_before < now && now < certificate.not_after
+      def attestation_type
+        if attestation_trust_path
+          WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA # FIXME: use metadata if available
+        else
+          WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF
+        end
       end
 
       def valid_signature?(authenticator_data, client_data_hash)
-        signature_verifier = WebAuthn::SignatureVerifier.new(
-          algorithm,
+        super(
+          authenticator_data,
+          client_data_hash,
           attestation_certificate&.public_key || authenticator_data.credential.public_key_object
         )
-
-        signature_verifier.verify(signature, authenticator_data.data + client_data_hash)
-      end
-
-      def attestation_type_and_trust_path
-        if attestation_trust_path
-          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_trust_path]
-        else
-          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF, nil]
-        end
       end
     end
   end

data/lib/webauthn/attestation_statement/tpm.rb

@@ -2,98 +2,63 @@
 
 require "cose/algorithm"
 require "openssl"
-require "tpm/constants"
+require "tpm/key_attestation"
 require "webauthn/attestation_statement/base"
-require "webauthn/attestation_statement/tpm/cert_info"
-require "webauthn/attestation_statement/tpm/pub_area"
-require "webauthn/signature_verifier"
 
 module WebAuthn
   module AttestationStatement
     class TPM < Base
-      CERTIFICATE_V3 = 2
-      CERTIFICATE_EMPTY_NAME = OpenSSL::X509::Name.new([]).freeze
-      CERTIFICATE_SAN_DIRECTORY_NAME = 4
-      OID_TCG_AT_TPM_MANUFACTURER = "2.23.133.2.1"
-      OID_TCG_AT_TPM_MODEL = "2.23.133.2.2"
-      OID_TCG_AT_TPM_VERSION = "2.23.133.2.3"
-      OID_TCG_KP_AIK_CERTIFICATE = "2.23.133.8.3"
       TPM_V2 = "2.0"
 
-      def valid?(authenticator_data, client_data_hash)
-        case attestation_type
-        when ATTESTATION_TYPE_ATTCA
-          att_to_be_signed = authenticator_data.data + client_data_hash
+      COSE_ALG_TO_TPM = {
+        "RS1" => { signature: ::TPM::ALG_RSASSA, hash: ::TPM::ALG_SHA1 },
+        "RS256" => { signature: ::TPM::ALG_RSASSA, hash: ::TPM::ALG_SHA256 },
+        "PS256" => { signature: ::TPM::ALG_RSAPSS, hash: ::TPM::ALG_SHA256 },
+        "ES256" => { signature: ::TPM::ALG_ECDSA, hash: ::TPM::ALG_SHA256 },
+      }.freeze
 
+      def valid?(authenticator_data, client_data_hash)
+        attestation_type == ATTESTATION_TYPE_ATTCA &&
           ver == TPM_V2 &&
-            valid_signature? &&
-            valid_attestation_certificate? &&
-            pub_area.valid?(authenticator_data.credential.public_key) &&
-            cert_info.valid?(statement["pubArea"],
-                             OpenSSL::Digest.digest(cose_algorithm.hash_function, att_to_be_signed)) &&
-            matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
-            [attestation_type, attestation_trust_path]
-        when ATTESTATION_TYPE_ECDAA
-          raise(
-            WebAuthn::AttestationStatement::Base::NotSupportedError,
-            "Attestation type ECDAA is not supported"
-          )
-        end
+          valid_key_attestation?(
+            authenticator_data.data + client_data_hash,
+            authenticator_data.credential.public_key_object,
+            authenticator_data.aaguid
+          ) &&
+          matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
+          trustworthy?(aaguid: authenticator_data.aaguid) &&
+          [attestation_type, attestation_trust_path]
       end
 
       private
 
-      def valid_signature?
-        WebAuthn::SignatureVerifier
-          .new(algorithm, attestation_certificate.public_key)
-          .verify(signature, verification_data, rsa_pss_salt_length: :auto)
-      end
-
-      def valid_attestation_certificate?
-        extensions = attestation_certificate.extensions
-
-        attestation_certificate.version == CERTIFICATE_V3 &&
-          attestation_certificate.subject.eql?(CERTIFICATE_EMPTY_NAME) &&
-          valid_subject_alternative_name? &&
-          certificate_in_use?(attestation_certificate) &&
-          extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == "CA:FALSE" &&
-          extensions.find { |ext| ext.oid == "extendedKeyUsage" }&.value == OID_TCG_KP_AIK_CERTIFICATE
-      end
-
-      def valid_subject_alternative_name?
-        extension = attestation_certificate.extensions.detect { |ext| ext.oid == "subjectAltName" }
-        return unless extension&.critical?
-
-        san_asn1 = OpenSSL::ASN1.decode(extension).find do |val|
-          val.tag_class == :UNIVERSAL && val.tag == OpenSSL::ASN1::OCTET_STRING
-        end
-        directory_name = OpenSSL::ASN1.decode(san_asn1.value).find do |val|
-          val.tag_class == :CONTEXT_SPECIFIC && val.tag == CERTIFICATE_SAN_DIRECTORY_NAME
-        end
-        name = OpenSSL::X509::Name.new(directory_name.value.first).to_a
-        manufacturer = name.assoc(OID_TCG_AT_TPM_MANUFACTURER).at(1)
-        model = name.assoc(OID_TCG_AT_TPM_MODEL).at(1)
-        version = name.assoc(OID_TCG_AT_TPM_VERSION).at(1)
-
-        ::TPM::VENDOR_IDS[manufacturer] && !model.empty? && !version.empty?
-      end
-
-      def certificate_in_use?(certificate)
-        now = Time.now
+      def valid_key_attestation?(certified_extra_data, key, aaguid)
+        key_attestation =
+          ::TPM::KeyAttestation.new(
+            statement["certInfo"],
+            signature,
+            statement["pubArea"],
+            certificates,
+            OpenSSL::Digest.digest(cose_algorithm.hash_function, certified_extra_data),
+            signature_algorithm: tpm_algorithm[:signature],
+            hash_algorithm: tpm_algorithm[:hash],
+            trusted_certificates: root_certificates(aaguid: aaguid)
+          )
 
-        certificate.not_before < now && now < certificate.not_after
+        key_attestation.valid? && key_attestation.key && key_attestation.key.to_pem == key.to_pem
       end
 
-      def verification_data
-        statement["certInfo"]
+      def valid_certificate_chain?(**_)
+        # Already performed as part of #valid_key_attestation?
+        true
       end
 
-      def cert_info
-        @cert_info ||= CertInfo.new(statement["certInfo"])
+      def default_root_certificates
+        ::TPM::KeyAttestation::TRUSTED_CERTIFICATES
       end
 
-      def pub_area
-        @pub_area ||= PubArea.new(statement["pubArea"])
+      def tpm_algorithm
+        COSE_ALG_TO_TPM[cose_algorithm.name] || raise("Unsupported algorithm #{cose_algorithm.name}")
       end
 
       def ver
@@ -105,10 +70,8 @@ module WebAuthn
       end
 
       def attestation_type
-        if raw_certificates && !raw_ecdaa_key_id
+        if raw_certificates
           ATTESTATION_TYPE_ATTCA
-        elsif raw_ecdaa_key_id && !raw_certificates
-          ATTESTATION_TYPE_ECDAA
         else
           raise "Attestation type invalid"
         end

data/lib/webauthn/attestation_statement.rb

@@ -1,5 +1,12 @@
 # frozen_string_literal: true
 
+require "webauthn/attestation_statement/android_key"
+require "webauthn/attestation_statement/android_safetynet"
+require "webauthn/attestation_statement/apple"
+require "webauthn/attestation_statement/fido_u2f"
+require "webauthn/attestation_statement/none"
+require "webauthn/attestation_statement/packed"
+require "webauthn/attestation_statement/tpm"
 require "webauthn/error"
 
 module WebAuthn
@@ -12,29 +19,25 @@ module WebAuthn
     ATTESTATION_FORMAT_ANDROID_SAFETYNET = "android-safetynet"
     ATTESTATION_FORMAT_ANDROID_KEY = "android-key"
     ATTESTATION_FORMAT_TPM = "tpm"
+    ATTESTATION_FORMAT_APPLE = "apple"
 
-    def self.from(format, statement)
-      case format
-      when ATTESTATION_FORMAT_NONE
-        require "webauthn/attestation_statement/none"
-        WebAuthn::AttestationStatement::None.new(statement)
-      when ATTESTATION_FORMAT_FIDO_U2F
-        require "webauthn/attestation_statement/fido_u2f"
-        WebAuthn::AttestationStatement::FidoU2f.new(statement)
-      when ATTESTATION_FORMAT_PACKED
-        require "webauthn/attestation_statement/packed"
-        WebAuthn::AttestationStatement::Packed.new(statement)
-      when ATTESTATION_FORMAT_ANDROID_SAFETYNET
-        require "webauthn/attestation_statement/android_safetynet"
-        WebAuthn::AttestationStatement::AndroidSafetynet.new(statement)
-      when ATTESTATION_FORMAT_ANDROID_KEY
-        require "webauthn/attestation_statement/android_key"
-        WebAuthn::AttestationStatement::AndroidKey.new(statement)
-      when ATTESTATION_FORMAT_TPM
-        require "webauthn/attestation_statement/tpm"
-        WebAuthn::AttestationStatement::TPM.new(statement)
+    FORMAT_TO_CLASS = {
+      ATTESTATION_FORMAT_NONE => WebAuthn::AttestationStatement::None,
+      ATTESTATION_FORMAT_FIDO_U2F => WebAuthn::AttestationStatement::FidoU2f,
+      ATTESTATION_FORMAT_PACKED => WebAuthn::AttestationStatement::Packed,
+      ATTESTATION_FORMAT_ANDROID_SAFETYNET => WebAuthn::AttestationStatement::AndroidSafetynet,
+      ATTESTATION_FORMAT_ANDROID_KEY => WebAuthn::AttestationStatement::AndroidKey,
+      ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM,
+      ATTESTATION_FORMAT_APPLE => WebAuthn::AttestationStatement::Apple
+    }.freeze
+
+    def self.from(format, statement, relying_party: WebAuthn.configuration.relying_party)
+      klass = FORMAT_TO_CLASS[format]
+
+      if klass
+        klass.new(statement, relying_party)
       else
-        raise FormatNotSupportedError, "Unsupported attestation format '#{format}'"
+        raise(FormatNotSupportedError, "Unsupported attestation format '#{format}'")
       end
     end
   end

data/lib/webauthn/authenticator_assertion_response.rb

@@ -3,7 +3,6 @@
 require "webauthn/authenticator_data"
 require "webauthn/authenticator_response"
 require "webauthn/encoder"
-require "webauthn/signature_verifier"
 require "webauthn/public_key"
 
 module WebAuthn
@@ -11,8 +10,8 @@ module WebAuthn
   class SignCountVerificationError < VerificationError; end
 
   class AuthenticatorAssertionResponse < AuthenticatorResponse
-    def self.from_client(response)
-      encoder = WebAuthn.configuration.encoder
+    def self.from_client(response, relying_party: WebAuthn.configuration.relying_party)
+      encoder = relying_party.encoder
 
       user_handle =
         if response["userHandle"]
@@ -23,7 +22,8 @@ module WebAuthn
         authenticator_data: encoder.decode(response["authenticatorData"]),
         client_data_json: encoder.decode(response["clientDataJSON"]),
         signature: encoder.decode(response["signature"]),
-        user_handle: user_handle
+        user_handle: user_handle,
+        relying_party: relying_party
       )
     end
 
@@ -37,9 +37,22 @@ module WebAuthn
       @user_handle = user_handle
     end
 
-    def verify(expected_challenge, expected_origin = nil, public_key:, sign_count:, user_verification: nil,
-               rp_id: nil)
-      super(expected_challenge, expected_origin, user_verification: user_verification, rp_id: rp_id)
+    def verify(
+      expected_challenge,
+      expected_origin = nil,
+      public_key:,
+      sign_count:,
+      user_presence: nil,
+      user_verification: nil,
+      rp_id: nil
+    )
+      super(
+        expected_challenge,
+        expected_origin,
+        user_presence: user_presence,
+        user_verification: user_verification,
+        rp_id: rp_id
+      )
       verify_item(:signature, WebAuthn::PublicKey.deserialize(public_key))
       verify_item(:sign_count, sign_count)
 
@@ -47,7 +60,7 @@ module WebAuthn
     end
 
     def authenticator_data
-      @authenticator_data ||= WebAuthn::AuthenticatorData.new(authenticator_data_bytes)
+      @authenticator_data ||= WebAuthn::AuthenticatorData.deserialize(authenticator_data_bytes)
     end
 
     private
@@ -55,9 +68,7 @@ module WebAuthn
     attr_reader :authenticator_data_bytes, :signature
 
     def valid_signature?(webauthn_public_key)
-      WebAuthn::SignatureVerifier
-        .new(webauthn_public_key.alg, webauthn_public_key.pkey)
-        .verify(signature, authenticator_data_bytes + client_data.hash)
+      webauthn_public_key.verify(signature, authenticator_data_bytes + client_data.hash)
     end
 
     def valid_sign_count?(stored_sign_count)