webauthn 2.1.0 → 3.4.0

data/lib/webauthn/authenticator_attestation_response.rb

@@ -1,145 +1,84 @@
 # frozen_string_literal: true
 
 require "cbor"
+require "forwardable"
 require "uri"
 require "openssl"
 
-require "webauthn/authenticator_data"
+require "webauthn/attestation_object"
 require "webauthn/authenticator_response"
-require "webauthn/attestation_statement"
 require "webauthn/client_data"
 require "webauthn/encoder"
 
 module WebAuthn
   class AttestationStatementVerificationError < VerificationError; end
-  class AttestationTrustworthinessVerificationError < VerificationError; end
   class AttestedCredentialVerificationError < VerificationError; end
 
   class AuthenticatorAttestationResponse < AuthenticatorResponse
-    def self.from_client(response)
-      encoder = WebAuthn.configuration.encoder
+    extend Forwardable
+
+    def self.from_client(response, relying_party: WebAuthn.configuration.relying_party)
+      encoder = relying_party.encoder
 
       new(
         attestation_object: encoder.decode(response["attestationObject"]),
-        client_data_json: encoder.decode(response["clientDataJSON"])
+        transports: response["transports"],
+        client_data_json: encoder.decode(response["clientDataJSON"]),
+        relying_party: relying_party
       )
     end
 
-    attr_reader :attestation_type, :attestation_trust_path
+    attr_reader :attestation_type, :attestation_trust_path, :transports
 
-    def initialize(attestation_object:, **options)
+    def initialize(attestation_object:, transports: [], **options)
       super(**options)
 
-      @attestation_object = attestation_object
+      @attestation_object_bytes = attestation_object
+      @transports = transports
+      @relying_party = relying_party
     end
 
-    def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
+    def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
       super
 
       verify_item(:attested_credential)
-      if WebAuthn.configuration.verify_attestation_statement
+      if relying_party.verify_attestation_statement
         verify_item(:attestation_statement)
-        verify_item(:attestation_trustworthiness) if WebAuthn.configuration.attestation_root_certificates_finders.any?
       end
 
       true
     end
 
-    def credential
-      authenticator_data.credential
-    end
-
-    def attestation_statement
-      @attestation_statement ||=
-        WebAuthn::AttestationStatement.from(attestation["fmt"], attestation["attStmt"])
+    def attestation_object
+      @attestation_object ||= WebAuthn::AttestationObject.deserialize(attestation_object_bytes, relying_party)
     end
 
-    def authenticator_data
-      @authenticator_data ||= WebAuthn::AuthenticatorData.new(attestation["authData"])
-    end
+    def_delegators(
+      :attestation_object,
+      :aaguid,
+      :attestation_statement,
+      :attestation_certificate_key_id,
+      :authenticator_data,
+      :credential
+    )
 
-    def attestation_format
-      attestation["fmt"]
-    end
-
-    def attestation
-      @attestation ||= CBOR.decode(attestation_object)
-    end
-
-    def aaguid
-      raw_aaguid = authenticator_data.attested_credential_data.raw_aaguid
-      unless raw_aaguid == WebAuthn::AuthenticatorData::AttestedCredentialData::ZEROED_AAGUID
-        authenticator_data.attested_credential_data.aaguid
-      end
-    end
-
-    def attestation_certificate_key
-      raw_subject_key_identifier(attestation_statement.attestation_certificate)&.unpack("H*")&.[](0)
-    end
+    alias_method :attestation_certificate_key, :attestation_certificate_key_id
 
     private
 
-    attr_reader :attestation_object
+    attr_reader :attestation_object_bytes, :relying_party
 
     def type
       WebAuthn::TYPES[:create]
     end
 
     def valid_attested_credential?
-      authenticator_data.attested_credential_data_included? &&
-        authenticator_data.attested_credential_data.valid?
+      attestation_object.valid_attested_credential? &&
+        relying_party.algorithms.include?(authenticator_data.credential.algorithm)
     end
 
     def valid_attestation_statement?
-      @attestation_type, @attestation_trust_path = attestation_statement.valid?(authenticator_data, client_data.hash)
-    end
-
-    def valid_attestation_trustworthiness?
-      case @attestation_type
-      when WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE
-        WebAuthn.configuration.acceptable_attestation_types.include?('None')
-      when WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF
-        WebAuthn.configuration.acceptable_attestation_types.include?('Self')
-      else
-        WebAuthn.configuration.acceptable_attestation_types.include?(@attestation_type) &&
-          attestation_root_certificates_store.verify(leaf_certificate, signing_certificates)
-      end
-    end
-
-    def raw_subject_key_identifier(certificate)
-      extension = certificate.extensions.detect { |ext| ext.oid == "subjectKeyIdentifier" }
-      return unless extension
-
-      ext_asn1 = OpenSSL::ASN1.decode(extension.to_der)
-      ext_value = ext_asn1.value.last
-      OpenSSL::ASN1.decode(ext_value.value).value
-    end
-
-    def attestation_root_certificates_store
-      certificates =
-        WebAuthn.configuration.attestation_root_certificates_finders.reduce([]) do |certs, finder|
-          if certs.empty?
-            finder.find(attestation_format: attestation_format,
-                        aaguid: aaguid,
-                        attestation_certificate_key_id: attestation_certificate_key) || []
-          else
-            certs
-          end
-        end
-
-      OpenSSL::X509::Store.new.tap do |store|
-        certificates.each do |cert|
-          store.add_cert(cert)
-        end
-      end
-    end
-
-    def signing_certificates
-      @attestation_trust_path[1..-1]
-    end
-
-    def leaf_certificate
-      @attestation_trust_path.first
+      @attestation_type, @attestation_trust_path = attestation_object.valid_attestation_statement?(client_data.hash)
     end
   end
 end

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -1,34 +1,42 @@
 # frozen_string_literal: true
 
+require "bindata"
 require "cose/key"
+require "webauthn/error"
 
 module WebAuthn
-  class AuthenticatorData
-    class AttestedCredentialData
+  class AttestedCredentialDataFormatError < WebAuthn::Error; end
+
+  class AuthenticatorData < BinData::Record
+    class AttestedCredentialData < BinData::Record
       AAGUID_LENGTH = 16
       ZEROED_AAGUID = 0.chr * AAGUID_LENGTH
 
       ID_LENGTH_LENGTH = 2
 
-      UINT16_BIG_ENDIAN_FORMAT = "n*"
+      endian :big
+
+      string :raw_aaguid, length: AAGUID_LENGTH
+      bit16 :id_length
+      string :id, read_length: :id_length
+      count_bytes_remaining :trailing_bytes_length
+      string :trailing_bytes, length: :trailing_bytes_length
 
-      # FIXME: use keyword_init when we dropped Ruby 2.4 support
-      Credential = Struct.new(:id, :public_key) do
-        def public_key_object
-          COSE::Key.deserialize(public_key).to_pkey
+      Credential =
+        Struct.new(:id, :public_key, :algorithm, keyword_init: true) do
+          def public_key_object
+            COSE::Key.deserialize(public_key).to_pkey
+          end
         end
-      end
 
-      def initialize(data)
-        @data = data
+      def self.deserialize(data)
+        read(data)
+      rescue EOFError
+        raise AttestedCredentialDataFormatError
       end
 
       def valid?
-        data.length >= AAGUID_LENGTH + ID_LENGTH_LENGTH && valid_credential_public_key?
-      end
-
-      def raw_aaguid
-        data_at(0, AAGUID_LENGTH)
+        valid_credential_public_key?
       end
 
       def aaguid
@@ -37,62 +45,38 @@ module WebAuthn
 
       def credential
         @credential ||=
-          if id
-            Credential.new(id, public_key)
+          if valid?
+            Credential.new(id: id, public_key: public_key, algorithm: algorithm)
           end
       end
 
       def length
         if valid?
-          public_key_position + public_key_length
+          AAGUID_LENGTH + ID_LENGTH_LENGTH + id_length + public_key_length
         end
       end
 
       private
 
-      attr_reader :data
+      def algorithm
+        COSE::Algorithm.find(cose_key.alg).name
+      end
 
       def valid_credential_public_key?
-        cose_key = COSE::Key.deserialize(public_key)
-
         !!cose_key.alg
       end
 
-      def id
-        if valid?
-          data_at(id_position, id_length)
-        end
+      def cose_key
+        @cose_key ||= COSE::Key.deserialize(public_key)
       end
 
       def public_key
-        @public_key ||= data_at(public_key_position, public_key_length)
-      end
-
-      def id_position
-        id_length_position + ID_LENGTH_LENGTH
-      end
-
-      def id_length
-        @id_length ||= data_at(id_length_position, ID_LENGTH_LENGTH).unpack(UINT16_BIG_ENDIAN_FORMAT)[0]
-      end
-
-      def id_length_position
-        AAGUID_LENGTH
-      end
-
-      def public_key_position
-        id_position + id_length
+        trailing_bytes[0..public_key_length - 1]
       end
 
       def public_key_length
         @public_key_length ||=
-          CBOR.encode(CBOR::Unpacker.new(StringIO.new(data_at(public_key_position))).each.first).length
-      end
-
-      def data_at(position, length = nil)
-        length ||= data.size - position
-
-        data[position..(position + length - 1)]
+          CBOR.encode(CBOR::Unpacker.new(StringIO.new(trailing_bytes)).each.first).length
       end
     end
   end

data/lib/webauthn/authenticator_data.rb

@@ -1,32 +1,49 @@
 # frozen_string_literal: true
 
+require "bindata"
 require "webauthn/authenticator_data/attested_credential_data"
+require "webauthn/error"
 
 module WebAuthn
-  class AuthenticatorData
-    RP_ID_HASH_POSITION = 0
+  class AuthenticatorDataFormatError < WebAuthn::Error; end
 
+  class AuthenticatorData < BinData::Record
     RP_ID_HASH_LENGTH = 32
     FLAGS_LENGTH = 1
     SIGN_COUNT_LENGTH = 4
 
-    SIGN_COUNT_POSITION = RP_ID_HASH_LENGTH + FLAGS_LENGTH
+    endian :big
 
-    USER_PRESENT_FLAG_POSITION = 0
-    USER_VERIFIED_FLAG_POSITION = 2
-    ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION = 6
-    EXTENSION_DATA_INCLUDED_FLAG_POSITION = 7
+    count_bytes_remaining :data_length
+    string :rp_id_hash, length: RP_ID_HASH_LENGTH
+    struct :flags do
+      bit1 :extension_data_included
+      bit1 :attested_credential_data_included
+      bit1 :reserved_for_future_use_2
+      bit1 :backup_state
+      bit1 :backup_eligibility
+      bit1 :user_verified
+      bit1 :reserved_for_future_use_1
+      bit1 :user_present
+    end
+    bit32 :sign_count
+    count_bytes_remaining :trailing_bytes_length
+    string :trailing_bytes, length: :trailing_bytes_length
 
-    def initialize(data)
-      @data = data
+    def self.deserialize(data)
+      read(data)
+    rescue EOFError
+      raise AuthenticatorDataFormatError
     end
 
-    attr_reader :data
+    def data
+      to_binary_s
+    end
 
     def valid?
-      valid_length? &&
-        (!attested_credential_data_included? || attested_credential_data.valid?) &&
-        (!extension_data_included? || extension_data)
+      (!attested_credential_data_included? || attested_credential_data.valid?) &&
+        (!extension_data_included? || extension_data) &&
+        valid_length?
     end
 
     def user_flagged?
@@ -34,26 +51,27 @@ module WebAuthn
     end
 
     def user_present?
-      flags[USER_PRESENT_FLAG_POSITION] == "1"
+      flags.user_present == 1
     end
 
     def user_verified?
-      flags[USER_VERIFIED_FLAG_POSITION] == "1"
+      flags.user_verified == 1
     end
 
-    def attested_credential_data_included?
-      flags[ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION] == "1"
+    def credential_backup_eligible?
+      flags.backup_eligibility == 1
     end
 
-    def extension_data_included?
-      flags[EXTENSION_DATA_INCLUDED_FLAG_POSITION] == "1"
+    def credential_backed_up?
+      flags.backup_state == 1
     end
 
-    def rp_id_hash
-      @rp_id_hash ||=
-        if valid?
-          data_at(RP_ID_HASH_POSITION, RP_ID_HASH_LENGTH)
-        end
+    def attested_credential_data_included?
+      flags.attested_credential_data_included == 1
+    end
+
+    def extension_data_included?
+      flags.extension_data_included == 1
     end
 
     def credential
@@ -62,35 +80,39 @@ module WebAuthn
       end
     end
 
-    def sign_count
-      @sign_count ||= data_at(SIGN_COUNT_POSITION, SIGN_COUNT_LENGTH).unpack('L>')[0]
-    end
-
     def attested_credential_data
       @attested_credential_data ||=
-        AttestedCredentialData.new(data_at(attested_credential_data_position))
+        AttestedCredentialData.deserialize(trailing_bytes)
+    rescue AttestedCredentialDataFormatError
+      raise AuthenticatorDataFormatError
     end
 
     def extension_data
       @extension_data ||= CBOR.decode(raw_extension_data)
     end
 
-    def flags
-      @flags ||= data_at(flags_position, FLAGS_LENGTH).unpack("b*")[0]
+    def aaguid
+      raw_aaguid = attested_credential_data.raw_aaguid
+
+      unless raw_aaguid == WebAuthn::AuthenticatorData::AttestedCredentialData::ZEROED_AAGUID
+        attested_credential_data.aaguid
+      end
     end
 
     private
 
     def valid_length?
-      data.length == base_length + attested_credential_data_length + extension_data_length
+      data_length == base_length + attested_credential_data_length + extension_data_length
     end
 
     def raw_extension_data
-      data_at(extension_data_position)
-    end
-
-    def attested_credential_data_position
-      base_length
+      if extension_data_included?
+        if attested_credential_data_included?
+          trailing_bytes[attested_credential_data.length..-1]
+        else
+          trailing_bytes.snapshot
+        end
+      end
     end
 
     def attested_credential_data_length
@@ -109,22 +131,8 @@ module WebAuthn
       end
     end
 
-    def extension_data_position
-      base_length + attested_credential_data_length
-    end
-
     def base_length
       RP_ID_HASH_LENGTH + FLAGS_LENGTH + SIGN_COUNT_LENGTH
     end
-
-    def flags_position
-      RP_ID_HASH_LENGTH
-    end
-
-    def data_at(position, length = nil)
-      length ||= data.size - position
-
-      data[position..(position + length - 1)]
-    end
   end
 end

data/lib/webauthn/authenticator_response.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
+require "webauthn/authenticator_data"
 require "webauthn/client_data"
 require "webauthn/error"
-require "webauthn/security_utils"
 
 module WebAuthn
   TYPES = { create: "webauthn.create", get: "webauthn.get" }.freeze
@@ -19,22 +19,29 @@ module WebAuthn
   class UserVerifiedVerificationError < VerificationError; end
 
   class AuthenticatorResponse
-    def initialize(client_data_json:)
+    def initialize(client_data_json:, relying_party: WebAuthn.configuration.relying_party)
       @client_data_json = client_data_json
+      @relying_party = relying_party
     end
 
-    def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
-      expected_origin ||= WebAuthn.configuration.origin || raise("Unspecified expected origin")
-      rp_id ||= WebAuthn.configuration.rp_id
+    def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
+      expected_origin ||= relying_party.allowed_origins || raise("Unspecified expected origin")
+
+      rp_id ||= relying_party.id
 
       verify_item(:type)
       verify_item(:token_binding)
       verify_item(:challenge, expected_challenge)
       verify_item(:origin, expected_origin)
       verify_item(:authenticator_data)
-      verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
 
-      if !WebAuthn.configuration.silent_authentication
+      verify_item(
+        :rp_id,
+        rp_id || rp_id_from_origin(expected_origin)
+      )
+
+      # Fallback to RP configuration unless user_presence is passed in explicitely
+      if user_presence.nil? && !relying_party.silent_authentication || user_presence
         verify_item(:user_presence)
       end
 
@@ -57,7 +64,7 @@ module WebAuthn
 
     private
 
-    attr_reader :client_data_json
+    attr_reader :client_data_json, :relying_party
 
     def verify_item(item, *args)
       if send("valid_#{item}?", *args)
@@ -78,19 +85,25 @@ module WebAuthn
     end
 
     def valid_challenge?(expected_challenge)
-      WebAuthn::SecurityUtils.secure_compare(client_data.challenge, expected_challenge)
+      OpenSSL.secure_compare(client_data.challenge, expected_challenge)
     end
 
     def valid_origin?(expected_origin)
-      expected_origin && (client_data.origin == expected_origin)
+      return false unless expected_origin
+
+      expected_origin.include?(client_data.origin)
     end
 
     def valid_rp_id?(rp_id)
+      return false unless rp_id
+
       OpenSSL::Digest::SHA256.digest(rp_id) == authenticator_data.rp_id_hash
     end
 
     def valid_authenticator_data?
       authenticator_data.valid?
+    rescue WebAuthn::AuthenticatorDataFormatError
+      false
     end
 
     def valid_user_presence?
@@ -102,7 +115,7 @@ module WebAuthn
     end
 
     def rp_id_from_origin(expected_origin)
-      URI.parse(expected_origin).host
+      URI.parse(expected_origin.first).host if expected_origin.size == 1
     end
 
     def type

data/lib/webauthn/client_data.rb

@@ -49,12 +49,10 @@ module WebAuthn
 
     def data
       @data ||=
-        begin
-          if client_data_json
-            JSON.parse(client_data_json)
-          else
-            raise ClientDataMissingError, "Client Data JSON is missing"
-          end
+        if client_data_json
+          JSON.parse(client_data_json)
+        else
+          raise ClientDataMissingError, "Client Data JSON is missing"
         end
     end
   end

data/lib/webauthn/configuration.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
-require "openssl"
-require "webauthn/encoder"
-require "webauthn/error"
+require 'forwardable'
+require 'webauthn/relying_party'
 
 module WebAuthn
   def self.configuration
@@ -13,54 +12,53 @@ module WebAuthn
     yield(configuration)
   end
 
-  class RootCertificateFinderNotSupportedError < Error; end
-
   class Configuration
-    def self.if_pss_supported(algorithm)
-      OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
-    end
+    extend Forwardable
 
-    DEFAULT_ALGORITHMS = ["ES256", if_pss_supported("PS256"), "RS256"].compact.freeze
+    def_delegators :@relying_party,
+                   :algorithms,
+                   :algorithms=,
+                   :encoding,
+                   :encoding=,
+                   :origin,
+                   :origin=,
+                   :allowed_origins,
+                   :allowed_origins=,
+                   :verify_attestation_statement,
+                   :verify_attestation_statement=,
+                   :credential_options_timeout,
+                   :credential_options_timeout=,
+                   :silent_authentication,
+                   :silent_authentication=,
+                   :acceptable_attestation_types,
+                   :acceptable_attestation_types=,
+                   :attestation_root_certificates_finders,
+                   :attestation_root_certificates_finders=,
+                   :encoder,
+                   :encoder=,
+                   :legacy_u2f_appid,
+                   :legacy_u2f_appid=
 
-    attr_accessor :algorithms
-    attr_accessor :encoding
-    attr_accessor :origin
-    attr_accessor :rp_id
-    attr_accessor :rp_name
-    attr_accessor :verify_attestation_statement
-    attr_accessor :credential_options_timeout
-    attr_accessor :silent_authentication
-    attr_accessor :acceptable_attestation_types
-    attr_reader :attestation_root_certificates_finders
+    attr_reader :relying_party
 
     def initialize
-      @algorithms = DEFAULT_ALGORITHMS.dup
-      @encoding = WebAuthn::Encoder::STANDARD_ENCODING
-      @verify_attestation_statement = true
-      @credential_options_timeout = 120000
-      @silent_authentication = false
-      @acceptable_attestation_types = ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']
-      @attestation_root_certificates_finders = []
+      @relying_party = RelyingParty.new
     end
 
-    # This is the user-data encoder.
-    # Used to decode user input and to encode data provided to the user.
-    def encoder
-      @encoder ||= WebAuthn::Encoder.new(encoding)
+    def rp_name
+      relying_party.name
     end
 
-    def attestation_root_certificates_finders=(finders)
-      if !finders.respond_to?(:each)
-        finders = [finders]
-      end
+    def rp_name=(name)
+      relying_party.name = name
+    end
 
-      finders.each do |finder|
-        unless finder.respond_to?(:find)
-          raise RootCertificateFinderNotSupportedError, "Finder must implement `find` method"
-        end
-      end
+    def rp_id
+      relying_party.id
+    end
 
-      @attestation_root_certificates_finders = finders
+    def rp_id=(id)
+      relying_party.id = id
     end
   end
 end