webauthn 2.1.0 → 3.4.0

data/lib/webauthn/credential.rb

@@ -15,12 +15,12 @@ module WebAuthn
       WebAuthn::PublicKeyCredential::RequestOptions.new(**keyword_arguments)
     end
 
-    def self.from_create(credential)
-      WebAuthn::PublicKeyCredentialWithAttestation.from_client(credential)
+    def self.from_create(credential, relying_party: WebAuthn.configuration.relying_party)
+      WebAuthn::PublicKeyCredentialWithAttestation.from_client(credential, relying_party: relying_party)
     end
 
-    def self.from_get(credential)
-      WebAuthn::PublicKeyCredentialWithAssertion.from_client(credential)
+    def self.from_get(credential, relying_party: WebAuthn.configuration.relying_party)
+      WebAuthn::PublicKeyCredentialWithAssertion.from_client(credential, relying_party: relying_party)
     end
   end
 end

data/lib/webauthn/credential_creation_options.rb

@@ -32,6 +32,8 @@ module WebAuthn
       user_display_name: nil,
       rp_name: nil
     )
+      super()
+
       @attestation = attestation
       @authenticator_selection = authenticator_selection
       @exclude_credentials = exclude_credentials

data/lib/webauthn/credential_request_options.rb

@@ -16,6 +16,8 @@ module WebAuthn
     attr_accessor :allow_credentials, :extensions, :user_verification
 
     def initialize(allow_credentials: [], extensions: nil, user_verification: nil)
+      super()
+
       @allow_credentials = allow_credentials
       @extensions = extensions
       @user_verification = user_verification

data/lib/webauthn/encoder.rb

@@ -20,9 +20,12 @@ module WebAuthn
     def encode(data)
       case encoding
       when :base64
-        Base64.strict_encode64(data)
+        [data].pack("m0") # Base64.strict_encode64(data)
       when :base64url
-        Base64.urlsafe_encode64(data, padding: false)
+        data = [data].pack("m0") # Base64.urlsafe_encode64(data, padding: false)
+        data.chomp!("==") or data.chomp!("=")
+        data.tr!("+/", "-_")
+        data
       when nil, false
         data
       else
@@ -33,9 +36,15 @@ module WebAuthn
     def decode(data)
       case encoding
       when :base64
-        Base64.strict_decode64(data)
+        data.unpack1("m0") # Base64.strict_decode64(data)
       when :base64url
-        Base64.urlsafe_decode64(data)
+        if !data.end_with?("=") && data.length % 4 != 0 #  Base64.urlsafe_decode64(data)
+          data = data.ljust((data.length + 3) & ~3, "=")
+          data.tr!("-_", "+/")
+        else
+          data = data.tr("-_", "+/")
+        end
+        data.unpack1("m0")
       when nil, false
         data
       else

data/lib/webauthn/fake_authenticator/attestation_object.rb

@@ -13,8 +13,11 @@ module WebAuthn
         credential_key:,
         user_present: true,
         user_verified: false,
+        backup_eligibility: false,
+        backup_state: false,
         attested_credential_data: true,
-        sign_count: 0
+        sign_count: 0,
+        extensions: nil
       )
         @client_data_hash = client_data_hash
         @rp_id_hash = rp_id_hash
@@ -22,8 +25,11 @@ module WebAuthn
         @credential_key = credential_key
         @user_present = user_present
         @user_verified = user_verified
+        @backup_eligibility = backup_eligibility
+        @backup_state = backup_state
         @attested_credential_data = attested_credential_data
         @sign_count = sign_count
+        @extensions = extensions
       end
 
       def serialize
@@ -43,8 +49,11 @@ module WebAuthn
         :credential_key,
         :user_present,
         :user_verified,
+        :backup_eligibility,
+        :backup_state,
         :attested_credential_data,
-        :sign_count
+        :sign_count,
+        :extensions
       )
 
       def authenticator_data
@@ -52,7 +61,7 @@ module WebAuthn
           begin
             credential_data =
               if attested_credential_data
-                { id: credential_id, public_key: credential_key.public_key }
+                { id: credential_id, public_key: credential_public_key }
               end
 
             AuthenticatorData.new(
@@ -60,10 +69,22 @@ module WebAuthn
               credential: credential_data,
               user_present: user_present,
               user_verified: user_verified,
-              sign_count: 0
+              backup_eligibility: backup_eligibility,
+              backup_state: backup_state,
+              sign_count: 0,
+              extensions: extensions
             )
           end
       end
+
+      def credential_public_key
+        case credential_key
+        when OpenSSL::PKey::RSA, OpenSSL::PKey::EC
+          credential_key.public_key
+        when OpenSSL::PKey::PKey
+          OpenSSL::PKey.read(credential_key.public_to_der)
+        end
+      end
     end
   end
 end

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -15,11 +15,13 @@ module WebAuthn
         rp_id_hash:,
         credential: {
           id: SecureRandom.random_bytes(16),
-          public_key: OpenSSL::PKey::EC.new("prime256v1").generate_key.public_key
+          public_key: OpenSSL::PKey::EC.generate("prime256v1").public_key
         },
         sign_count: 0,
         user_present: true,
         user_verified: !user_present,
+        backup_eligibility: false,
+        backup_state: false,
         aaguid: AAGUID,
         extensions: { "fakeExtension" => "fakeExtensionValue" }
       )
@@ -28,6 +30,8 @@ module WebAuthn
         @sign_count = sign_count
         @user_present = user_present
         @user_verified = user_verified
+        @backup_eligibility = backup_eligibility
+        @backup_state = backup_state
         @aaguid = aaguid
         @extensions = extensions
       end
@@ -38,7 +42,13 @@ module WebAuthn
 
       private
 
-      attr_reader :rp_id_hash, :credential, :user_present, :user_verified, :extensions
+      attr_reader :rp_id_hash,
+                  :credential,
+                  :user_present,
+                  :user_verified,
+                  :extensions,
+                  :backup_eligibility,
+                  :backup_state
 
       def flags
         [
@@ -46,8 +56,8 @@ module WebAuthn
             bit(:user_present),
             reserved_for_future_use_bit,
             bit(:user_verified),
-            reserved_for_future_use_bit,
-            reserved_for_future_use_bit,
+            bit(:backup_eligibility),
+            bit(:backup_state),
             reserved_for_future_use_bit,
             attested_credential_data_included_bit,
             extension_data_included_bit
@@ -108,15 +118,19 @@ module WebAuthn
       end
 
       def context
-        { user_present: user_present, user_verified: user_verified }
+        {
+          user_present: user_present,
+          user_verified: user_verified,
+          backup_eligibility: backup_eligibility,
+          backup_state: backup_state
+        }
       end
 
       def cose_credential_public_key
         case credential[:public_key]
         when OpenSSL::PKey::RSA
           key = COSE::Key::RSA.from_pkey(credential[:public_key])
-          # FIXME: Remove once writer in cose
-          key.instance_variable_set(:@alg, -257)
+          key.alg = -257
         when OpenSSL::PKey::EC::Point
           alg = {
             COSE::Key::Curve.by_name("P-256").id => -7,
@@ -125,9 +139,10 @@ module WebAuthn
           }
 
           key = COSE::Key::EC2.from_pkey(credential[:public_key])
-          # FIXME: Remove once writer in cose
-          key.instance_variable_set(:@alg, alg[key.crv])
-
+          key.alg = alg[key.crv]
+        when OpenSSL::PKey::PKey
+          key = COSE::Key::OKP.from_pkey(credential[:public_key])
+          key.alg = -8
         end
 
         key.serialize

data/lib/webauthn/fake_authenticator.rb

@@ -17,10 +17,14 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       attested_credential_data: true,
-      sign_count: nil
+      algorithm: nil,
+      sign_count: nil,
+      extensions: nil
     )
-      credential_id, credential_key, credential_sign_count = new_credential
+      credential_id, credential_key, credential_sign_count = new_credential(algorithm)
       sign_count ||= credential_sign_count
 
       credentials[rp_id] ||= {}
@@ -36,8 +40,11 @@ module WebAuthn
         credential_key: credential_key,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         attested_credential_data: attested_credential_data,
-        sign_count: sign_count
+        sign_count: sign_count,
+        extensions: extensions
       ).serialize
     end
 
@@ -46,13 +53,24 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       aaguid: AuthenticatorData::AAGUID,
-      sign_count: nil
+      sign_count: nil,
+      extensions: nil,
+      allow_credentials: nil
     )
       credential_options = credentials[rp_id]
 
       if credential_options
-        credential_id, credential = credential_options.first
+        allow_credentials ||= credential_options.keys
+        credential_id = (credential_options.keys & allow_credentials).first
+        unless credential_id
+          raise "No matching credentials (allowed=#{allow_credentials}) " \
+                "found for RP #{rp_id} among credentials=#{credential_options}"
+        end
+
+        credential = credential_options[credential_id]
         credential_key = credential[:credential_key]
         credential_sign_count = credential[:sign_count]
 
@@ -60,12 +78,22 @@ module WebAuthn
           rp_id_hash: hashed(rp_id),
           user_present: user_present,
           user_verified: user_verified,
+          backup_eligibility: backup_eligibility,
+          backup_state: backup_state,
           aaguid: aaguid,
           credential: nil,
           sign_count: sign_count || credential_sign_count,
+          extensions: extensions
         ).serialize
 
-        signature = credential_key.sign("SHA256", authenticator_data + client_data_hash)
+        signature_digest_algorithm =
+          case credential_key
+          when OpenSSL::PKey::RSA, OpenSSL::PKey::EC
+            'SHA256'
+          when OpenSSL::PKey::PKey
+            nil
+          end
+        signature = credential_key.sign(signature_digest_algorithm, authenticator_data + client_data_hash)
         credential[:sign_count] += 1
 
         {
@@ -82,8 +110,21 @@ module WebAuthn
 
     attr_reader :credentials
 
-    def new_credential
-      [SecureRandom.random_bytes(16), OpenSSL::PKey::EC.new("prime256v1").generate_key, 0]
+    def new_credential(algorithm)
+      algorithm ||= 'ES256'
+      credential_key =
+        case algorithm
+        when 'ES256'
+          OpenSSL::PKey::EC.generate('prime256v1')
+        when 'RS256'
+          OpenSSL::PKey::RSA.new(2048)
+        when 'EdDSA'
+          OpenSSL::PKey.generate_key("ED25519")
+        else
+          raise "Unsupported algorithm #{algorithm}"
+        end
+
+      [SecureRandom.random_bytes(16), credential_key, 0]
     end
 
     def hashed(target)

data/lib/webauthn/fake_client.rb

@@ -10,7 +10,7 @@ module WebAuthn
   class FakeClient
     TYPES = { create: "webauthn.create", get: "webauthn.get" }.freeze
 
-    attr_reader :origin, :token_binding
+    attr_reader :origin, :token_binding, :encoding
 
     def initialize(
       origin = fake_origin,
@@ -29,7 +29,11 @@ module WebAuthn
       rp_id: nil,
       user_present: true,
       user_verified: false,
-      attested_credential_data: true
+      backup_eligibility: false,
+      backup_state: false,
+      attested_credential_data: true,
+      credential_algorithm: nil,
+      extensions: nil
     )
       rp_id ||= URI.parse(origin).host
 
@@ -41,12 +45,19 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
-        attested_credential_data: attested_credential_data
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
+        attested_credential_data: attested_credential_data,
+        algorithm: credential_algorithm,
+        extensions: extensions
       )
 
       id =
         if attested_credential_data
-          WebAuthn::AuthenticatorData.new(CBOR.decode(attestation_object)["authData"]).credential.id
+          WebAuthn::AuthenticatorData
+            .deserialize(CBOR.decode(attestation_object)["authData"])
+            .attested_credential_data
+            .id
         else
           "id-for-pk-without-attested-credential-data"
         end
@@ -55,43 +66,65 @@ module WebAuthn
         "type" => "public-key",
         "id" => internal_encoder.encode(id),
         "rawId" => encoder.encode(id),
+        "authenticatorAttachment" => 'platform',
+        "clientExtensionResults" => extensions,
         "response" => {
           "attestationObject" => encoder.encode(attestation_object),
-          "clientDataJSON" => encoder.encode(client_data_json)
+          "clientDataJSON" => encoder.encode(client_data_json),
+          "transports" => ["internal"],
         }
       }
     end
 
-    def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false, sign_count: nil)
+    def get(challenge: fake_challenge,
+            rp_id: nil,
+            user_present: true,
+            user_verified: false,
+            backup_eligibility: false,
+            backup_state: true,
+            sign_count: nil,
+            extensions: nil,
+            user_handle: nil,
+            allow_credentials: nil)
       rp_id ||= URI.parse(origin).host
 
       client_data_json = data_json_for(:get, encoder.decode(challenge))
       client_data_hash = hashed(client_data_json)
 
+      if allow_credentials
+        allow_credentials = allow_credentials.map { |credential| encoder.decode(credential) }
+      end
+
       assertion = authenticator.get_assertion(
         rp_id: rp_id,
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         sign_count: sign_count,
+        extensions: extensions,
+        allow_credentials: allow_credentials
       )
 
       {
         "type" => "public-key",
         "id" => internal_encoder.encode(assertion[:credential_id]),
         "rawId" => encoder.encode(assertion[:credential_id]),
+        "clientExtensionResults" => extensions,
+        "authenticatorAttachment" => 'platform',
         "response" => {
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),
           "signature" => encoder.encode(assertion[:signature]),
-          "userHandle" => nil
+          "userHandle" => user_handle ? encoder.encode(user_handle) : nil
         }
       }
     end
 
     private
 
-    attr_reader :authenticator, :encoding
+    attr_reader :authenticator
 
     def data_json_for(method, challenge)
       data = {

data/lib/webauthn/json_serializer.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module WebAuthn
+  module JSONSerializer
+    # Argument wildcard for Ruby on Rails controller automatic object JSON serialization
+    def as_json(*)
+      deep_camelize_keys(to_hash)
+    end
+
+    private
+
+    def to_hash
+      attributes.each_with_object({}) do |attribute_name, hash|
+        value = send(attribute_name)
+
+        if value.respond_to?(:as_json)
+          value = value.as_json
+        end
+
+        if value
+          hash[attribute_name] = value
+        end
+      end
+    end
+
+    def deep_camelize_keys(object)
+      case object
+      when Hash
+        object.each_with_object({}) do |(key, value), result|
+          result[camelize(key)] = deep_camelize_keys(value)
+        end
+      when Array
+        object.map { |element| deep_camelize_keys(element) }
+      else
+        object
+      end
+    end
+
+    def camelize(term)
+      first_term, *rest = term.to_s.split('_')
+
+      [first_term, *rest.map(&:capitalize)].join.to_sym
+    end
+  end
+end

data/lib/webauthn/public_key.rb

@@ -1,11 +1,15 @@
 # frozen_string_literal: true
 
-require "webauthn/attestation_statement/fido_u2f/public_key"
-require "cose/key"
 require "cose/algorithm"
+require "cose/error"
+require "cose/key"
+require "cose/rsapkcs1_algorithm"
+require "webauthn/attestation_statement/fido_u2f/public_key"
 
 module WebAuthn
   class PublicKey
+    class UnsupportedAlgorithm < Error; end
+
     def self.deserialize(public_key)
       cose_key =
         if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(public_key)
@@ -45,5 +49,20 @@ module WebAuthn
     def alg
       @cose_key.alg
     end
+
+    def verify(signature, verification_data)
+      cose_algorithm.verify(pkey, signature, verification_data)
+    rescue COSE::Error
+      false
+    end
+
+    private
+
+    def cose_algorithm
+      @cose_algorithm ||= COSE::Algorithm.find(alg) || raise(
+        UnsupportedAlgorithm,
+        "The public key algorithm #{alg} is not among the available COSE algorithms"
+      )
+    end
   end
 end

data/lib/webauthn/public_key_credential/creation_options.rb

@@ -39,8 +39,8 @@ module WebAuthn
 
         @rp =
           if rp.is_a?(Hash)
-            rp[:name] ||= configuration.rp_name
-            rp[:id] ||= configuration.rp_id
+            rp[:name] ||= relying_party.name
+            rp[:id] ||= relying_party.id
 
             RPEntity.new(**rp)
           else
@@ -76,7 +76,7 @@ module WebAuthn
       end
 
       def pub_key_cred_params_from_algs
-        Array(algs || configuration.algorithms).map do |alg|
+        Array(algs || relying_party.algorithms).map do |alg|
           alg_id =
             if alg.is_a?(String) || alg.is_a?(Symbol)
               COSE::Algorithm.by_name(alg.to_s).id

data/lib/webauthn/public_key_credential/entity.rb

@@ -1,43 +1,20 @@
 # frozen_string_literal: true
 
-require "awrence"
-
 module WebAuthn
   class PublicKeyCredential
     class Entity
-      attr_reader :name, :icon
+      include JSONSerializer
 
-      def initialize(name:, icon: nil)
-        @name = name
-        @icon = icon
-      end
+      attr_reader :name
 
-      def as_json
-        to_hash.to_camelback_keys
+      def initialize(name:)
+        @name = name
       end
 
       private
 
-      def to_hash
-        hash = {}
-
-        attributes.each do |attribute_name|
-          value = send(attribute_name)
-
-          if value.respond_to?(:as_json)
-            value = value.as_json
-          end
-
-          if value
-            hash[attribute_name] = value
-          end
-        end
-
-        hash
-      end
-
       def attributes
-        [:name, :icon]
+        [:name]
       end
     end
   end

data/lib/webauthn/public_key_credential/options.rb

@@ -1,55 +1,34 @@
 # frozen_string_literal: true
 
-require "awrence"
 require "securerandom"
 
 module WebAuthn
   class PublicKeyCredential
     class Options
+      include JSONSerializer
+
       CHALLENGE_LENGTH = 32
 
-      attr_reader :timeout, :extensions
+      attr_reader :timeout, :extensions, :relying_party
 
-      def initialize(timeout: default_timeout, extensions: nil)
-        @timeout = timeout
-        @extensions = extensions
+      def initialize(timeout: nil, extensions: nil, relying_party: WebAuthn.configuration.relying_party)
+        @relying_party = relying_party
+        @timeout = timeout || default_timeout
+        @extensions = default_extensions.merge(extensions || {})
       end
 
       def challenge
         encoder.encode(raw_challenge)
       end
 
-      # Argument wildcard for Ruby on Rails controller automatic object JSON serialization
-      def as_json(*)
-        to_hash.to_camelback_keys
-      end
-
       private
 
-      def to_hash
-        hash = {}
-
-        attributes.each do |attribute_name|
-          value = send(attribute_name)
-
-          if value.respond_to?(:as_json)
-            value = value.as_json
-          end
-
-          if value
-            hash[attribute_name] = value
-          end
-        end
-
-        hash
-      end
-
       def attributes
         [:challenge, :timeout, :extensions]
       end
 
       def encoder
-        WebAuthn.configuration.encoder
+        relying_party.encoder
       end
 
       def raw_challenge
@@ -57,11 +36,11 @@ module WebAuthn
       end
 
       def default_timeout
-        configuration.credential_options_timeout
+        relying_party.credential_options_timeout
       end
 
-      def configuration
-        WebAuthn.configuration
+      def default_extensions
+        {}
       end
 
       def as_public_key_descriptors(ids)