webauthn 2.2.0 → 2.2.1

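--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: ab7bf6dcca17e3cfe29921d5eb1b93202864d397c5e3a923b6626e365b2caf39
- data.tar.gz: 5d77612f3ba67243a44a93aab9cf6be9178728f5701fbae52d7a48a0590be356
+ metadata.gz: 1c61ea0ee6982c86b8413c42097b7ab9518c0b49e8067a89d5380ed76f214a0b
+ data.tar.gz: 4fe7e8aa42ff3a3894c5bc162575a7f5145c2d1bff6d844c247b434c4ff86854
  SHA512:
- metadata.gz: cd9e2477f0b3e36f440a3bcd16694329abd4aab1e32df5a96441a54493689f9b2287a7bfbcd510ad6132784e18ad494e797964f6403f084c5fafb91c2bc7dd38
- data.tar.gz: 04eae0faa11df97e39d9e62f848e1dec2cce409829776ed00de928674e841eb0143c82803d2a32d6f01f429ac402dead7120ee9bc3cc46f45333415a478ed6eb
+ metadata.gz: 8ef6c40183c3a7f45ba73e07e96eaa9bac5c05c4a61bb80849cc1ff985b4f139eefe12fcbff0d2988ce22e8c0bc3aa05ba0f41aa5f046b41df1c004ac16b9d8d
+ data.tar.gz: 36563d824c96cccda9281077197a4f0a98475d536f928aad5882e1e9b83c79c7f6b4b97afbd0abce8a58e3953f5fe74fa29a6d9ce644557761e94410e7158318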
@@ -20,6 +20,9 @@ Gemspec:
20
20
  Layout:
21
21
  Enabled: true
22
22
 
23
+ Layout/ClassStructure:
24
+ Enabled: true
25
+
23
26
  Layout/FirstMethodArgumentLineBreak:
24
27
  Enabled: true
25
28
 
@@ -1,26 +1,39 @@
1
1
  dist: bionic
2
2
  language: ruby
3
- cache: bundler
4
3
 
5
- rvm:
6
- - ruby-head
7
- - 2.7.0
8
- - 2.6.5
9
- - 2.5.7
10
- - 2.4.9
4
+ cache:
5
+ bundler: true
6
+ directories:
7
+ - /home/travis/.rvm/
8
+
9
+ env:
10
+ - LIBSSL=1.1 RB=2.7.1
11
+ - LIBSSL=1.1 RB=2.6.6
12
+ - LIBSSL=1.1 RB=2.5.8
13
+ - LIBSSL=1.1 RB=2.4.10
14
+ - LIBSSL=1.1 RB=ruby-head
15
+ - LIBSSL=1.0 RB=2.7.1
16
+ - LIBSSL=1.0 RB=2.6.6
17
+ - LIBSSL=1.0 RB=2.5.8
18
+ - LIBSSL=1.0 RB=2.4.10
19
+ - LIBSSL=1.0 RB=ruby-head
11
20
 
12
21
  gemfile:
13
22
  - gemfiles/cose_head.gemfile
14
23
  - gemfiles/openssl_head.gemfile
24
+ - gemfiles/openssl_2_2.gemfile
15
25
  - gemfiles/openssl_2_1.gemfile
16
26
  - gemfiles/openssl_2_0.gemfile
17
27
 
18
28
  matrix:
19
29
  fast_finish: true
20
30
  allow_failures:
21
- - rvm: ruby-head
31
+ - env: LIBSSL=1.1 RB=ruby-head
32
+ - env: LIBSSL=1.0 RB=ruby-head
22
33
  - gemfile: gemfiles/cose_head.gemfile
23
34
  - gemfile: gemfiles/openssl_head.gemfile
24
35
 
25
36
  before_install:
37
+ - ./script/ci/install-openssl
38
+ - ./script/ci/install-ruby
26
39
  - gem install bundler -v "~> 2.0"
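--- a/data/Appraisals
+++ b/data/Appraisals
@@ -8,6 +8,10 @@ appraise "openssl_head" do
  gem "openssl", git: "https://github.com/ruby/openssl"
  end
 
+ appraise "openssl_2_2" do
+ gem "openssl", "~> 2.2.0"
+ end
+
  appraise "openssl_2_1" do
  gem "openssl", "~> 2.1.0"
  end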
@@ -1,5 +1,11 @@
1
1
  # Changelog
2
2
 
3
+ ## [v2.2.1] - 2020-06-06
4
+
5
+ ### Fixed
6
+
7
+ - Fixed compatibility with OpenSSL-C (libssl) v1.0.2 ([@santiagorodriguez96])
8
+
3
9
  ## [v2.2.0] - 2020-03-14
4
10
 
5
11
  ### Added
@@ -282,6 +288,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
282
288
  - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
283
289
  - Works with ruby 2.5
284
290
 
291
+ [v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
285
292
  [v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
286
293
  [v2.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.0.0...v2.1.0/
287
294
  [v2.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.18.0...v2.0.0/
@@ -314,3 +321,4 @@ Note: Both additions should help making it compatible with Chrome for Android 70
314
321
  [@sorah]: https://github.com/sorah
315
322
  [@ssuttner]: https://github.com/ssuttner
316
323
  [@padulafacundo]: https://github.com/padulafacundo
324
+ [@santiagorodriguez96]: https://github.com/santiagorodriguez96
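--- a/data/README.md
+++ b/data/README.md
@@ -66,11 +66,10 @@ Known conformant pairs are, for example:
  - Mozilla Firefox for Desktop and Yubico's Security Key roaming authenticator via USB
  - Safari in iOS 13.3+ and YubiKey 5 NFC via NFC
 
- For a detailed picture about what is conformant and what not, you can refer to:
-
- - [apowers313/fido2-webauthn-status](https://github.com/apowers313/fido2-webauthn-status)
- - [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products)
+ For a complete list:
 
+ - User Agents (Clients): [Can I Use: Web Authentication API](https://caniuse.com/#search=webauthn)
+ - Authenticators: [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products) (search for Type=Authenticator and Specification=FIDO2)
 
  ## Install
 
@@ -151,7 +150,7 @@ if !user.webauthn_id
  end
 
  options = WebAuthn::Credential.options_for_create(
- user: { id: user.webauthn_id, name: user.name }
+ user: { id: user.webauthn_id, name: user.name },
  exclude: user.credentials.map { |c| c.webauthn_id }
  )
 
@@ -351,9 +350,7 @@ credential_with_assertion.verify(
  | -------- | :--------: |
  | packed (self attestation) | Yes |
  | packed (x5c attestation) | Yes |
- | packed (ECDAA attestation) | No |
  | tpm (x5c attestation) | Yes |
- | tpm (ECDAA attestation) | No |
  | android-key | Yes |
  | android-safetynet | Yes |
  | fido-u2f | Yes |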
@@ -0,0 +1,7 @@
1
+ # This file was generated by Appraisal
2
+
3
+ source "https://rubygems.org"
4
+
5
+ gem "openssl", "~> 2.2.0"
6
+
7
+ gemspec path: "../"
@@ -21,6 +21,10 @@ class RSAPKCS1Algorithm < COSE::Algorithm::SignatureAlgorithm
21
21
  OpenSSL::SignatureAlgorithm::RSAPKCS1
22
22
  end
23
23
 
24
+ def valid_key?(key)
25
+ to_cose_key(key).is_a?(COSE::Key::RSA)
26
+ end
27
+
24
28
  def to_pkey(key)
25
29
  case key
26
30
  when COSE::Key::RSA
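Review bot: The new `valid_key?` carries no comment saying what it guards, and its result depends on how `to_cose_key` treats a key it cannot convert, which this hunk does not show. If `to_cose_key` raises on an unsupported key instead of returning something that fails the `is_a?` test, `valid_key?` will propagate that exception rather than answer false, so a predicate applied to client-supplied credential keys would abort verification; worth confirming, and rescuing the library's own key error there if so. I would add above the method `# True only when key is (or converts to) a COSE::Key::RSA, so this RSA PKCS#1 algorithm is never paired with another key type.` The enclosing class starts before the hunk and `to_pkey` continues past it.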
@@ -8,6 +8,8 @@ require "webauthn/authenticator_data"
8
8
 
9
9
  module WebAuthn
10
10
  class AttestationObject
11
+ extend Forwardable
12
+
11
13
  def self.deserialize(attestation_object)
12
14
  from_map(CBOR.decode(attestation_object))
13
15
  end
@@ -35,8 +37,6 @@ module WebAuthn
35
37
  attestation_statement.valid?(authenticator_data, client_data_hash)
36
38
  end
37
39
 
38
- extend Forwardable
39
-
40
40
  def_delegators :authenticator_data, :credential, :aaguid
41
41
  def_delegators :attestation_statement, :attestation_certificate_key_id
42
42
  end
@@ -10,7 +10,6 @@ module WebAuthn
10
10
  ATTESTATION_TYPE_BASIC = "Basic"
11
11
  ATTESTATION_TYPE_SELF = "Self"
12
12
  ATTESTATION_TYPE_ATTCA = "AttCA"
13
- ATTESTATION_TYPE_ECDAA = "ECDAA"
14
13
  ATTESTATION_TYPE_BASIC_OR_ATTCA = "Basic_or_AttCA"
15
14
 
16
15
  ATTESTATION_TYPES_WITH_ROOT = [
@@ -81,10 +80,6 @@ module WebAuthn
81
80
  statement["x5c"]
82
81
  end
83
82
 
84
- def raw_ecdaa_key_id
85
- statement["ecdaaKeyId"]
86
- end
87
-
88
83
  def signature
89
84
  statement["sig"]
90
85
  end
@@ -6,13 +6,10 @@ require "webauthn/signature_verifier"
6
6
 
7
7
  module WebAuthn
8
8
  # Implements https://www.w3.org/TR/2018/CR-webauthn-20180807/#packed-attestation
9
- # ECDAA attestation is unsupported.
10
9
  module AttestationStatement
11
10
  class Packed < Base
12
11
  # Follows "Verification procedure"
13
12
  def valid?(authenticator_data, client_data_hash)
14
- check_unsupported_feature
15
-
16
13
  valid_format? &&
17
14
  valid_algorithm?(authenticator_data.credential) &&
18
15
  valid_ec_public_keys?(authenticator_data.credential) &&
@@ -30,19 +27,11 @@ module WebAuthn
30
27
  end
31
28
 
32
29
  def self_attestation?
33
- !raw_certificates && !raw_ecdaa_key_id
30
+ !raw_certificates
34
31
  end
35
32
 
36
33
  def valid_format?
37
- algorithm && signature && (
38
- [raw_certificates, raw_ecdaa_key_id].compact.size < 2
39
- )
40
- end
41
-
42
- def check_unsupported_feature
43
- if raw_ecdaa_key_id
44
- raise NotSupportedError, "ecdaaKeyId of the packed attestation format is not implemented yet"
45
- end
34
+ algorithm && signature
46
35
  end
47
36
 
48
37
  def valid_ec_public_keys?(credential)
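Review bot: With `check_unsupported_feature` gone, `ecdaaKeyId` is never inspected, so in `self_attestation?` a packed statement that carries `ecdaaKeyId` and no `x5c` is now classified as self attestation, and `valid_format?` accepts any statement that has `alg` and `sig`. Before this change every statement carrying `ecdaaKeyId` stopped at NotSupportedError before any check ran. Whether the later signature check still rejects such input is outside these hunks, so the stricter option is to keep refusing the field explicitly in `valid_format?`: `algorithm && signature && !statement["ecdaaKeyId"]` (using the same `statement[...]` access the base class shows). Either way the module comment should keep a line such as `# Statements carrying ecdaaKeyId (ECDAA) are not supported.` so the behaviour stays documented. `valid?` continues past the first hunk.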
@@ -19,23 +19,16 @@ module WebAuthn
19
19
  }.freeze
20
20
 
21
21
  def valid?(authenticator_data, client_data_hash)
22
- case attestation_type
23
- when ATTESTATION_TYPE_ATTCA
22
+ attestation_type == ATTESTATION_TYPE_ATTCA &&
24
23
  ver == TPM_V2 &&
25
- valid_key_attestation?(
26
- authenticator_data.data + client_data_hash,
27
- authenticator_data.credential.public_key_object,
28
- authenticator_data.aaguid
29
- ) &&
30
- matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
31
- trustworthy?(aaguid: authenticator_data.aaguid) &&
32
- [attestation_type, attestation_trust_path]
33
- when ATTESTATION_TYPE_ECDAA
34
- raise(
35
- WebAuthn::AttestationStatement::Base::NotSupportedError,
36
- "Attestation type ECDAA is not supported"
37
- )
38
- end
24
+ valid_key_attestation?(
25
+ authenticator_data.data + client_data_hash,
26
+ authenticator_data.credential.public_key_object,
27
+ authenticator_data.aaguid
28
+ ) &&
29
+ matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
30
+ trustworthy?(aaguid: authenticator_data.aaguid) &&
31
+ [attestation_type, attestation_trust_path]
39
32
  end
40
33
 
41
34
  private
@@ -78,10 +71,8 @@ module WebAuthn
78
71
  end
79
72
 
80
73
  def attestation_type
81
- if raw_certificates && !raw_ecdaa_key_id
74
+ if raw_certificates
82
75
  ATTESTATION_TYPE_ATTCA
83
- elsif raw_ecdaa_key_id && !raw_certificates
84
- ATTESTATION_TYPE_ECDAA
85
76
  else
86
77
  raise "Attestation type invalid"
87
78
  end
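Review bot: `valid?` now evaluates `attestation_type` first, and `attestation_type` ends in a bare `raise "Attestation type invalid"` (a RuntimeError) whenever the statement has no `x5c`. That now includes statements carrying only `ecdaaKeyId`, which previously raised the library's `NotSupportedError`; callers that rescue the library's error classes will see an unrelated RuntimeError triggered by client-supplied input. Since the rest of `valid?` is a boolean chain, a statement without `x5c` could simply fail verification, for example by opening the chain with `raw_certificates &&`. If `attestation_type` is used elsewhere and the raise has to stay, raising a library error class with the same message would keep the failure catchable. Both methods sit inside a class whose start and end are outside these hunks.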
@@ -16,6 +16,8 @@ module WebAuthn
16
16
  class AttestedCredentialVerificationError < VerificationError; end
17
17
 
18
18
  class AuthenticatorAttestationResponse < AuthenticatorResponse
19
+ extend Forwardable
20
+
19
21
  def self.from_client(response)
20
22
  encoder = WebAuthn.configuration.encoder
21
23
 
@@ -48,8 +50,6 @@ module WebAuthn
48
50
  @attestation_object ||= WebAuthn::AttestationObject.deserialize(attestation_object_bytes)
49
51
  end
50
52
 
51
- extend Forwardable
52
-
53
53
  def_delegators(
54
54
  :attestation_object,
55
55
  :aaguid,
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module WebAuthn
4
- VERSION = "2.2.0"
4
+ VERSION = "2.2.1"
5
5
  end
@@ -0,0 +1,7 @@
1
+ #!/bin/bash
2
+
3
+ set -e
4
+
5
+ if [[ "$LIBSSL" == "1.0" ]]; then
6
+ sudo apt-get install libssl1.0-dev
7
+ fi
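Review bot: `sudo apt-get install libssl1.0-dev` runs without `-y` and without a preceding `apt-get update`, so the step relies on the CI image pre-answering the confirmation prompt and shipping a fresh package index. `sudo apt-get update && sudo apt-get install -y libssl1.0-dev` makes it self-contained. A comment such as `# libssl 1.0 headers are needed only so Ruby can be built against OpenSSL 1.0.x for the compatibility matrix` would record why the older library is installed here.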
@@ -0,0 +1,13 @@
1
+ #!/bin/bash
2
+
3
+ set -e
4
+
5
+ source "$HOME/.rvm/scripts/rvm"
6
+
7
+ if [[ "$LIBSSL" == "1.0" ]]; then
8
+ rvm use --install $RB --autolibs=read-only --disable-binary
9
+ elif [[ "$LIBSSL" == "1.1" ]]; then
10
+ rvm use --install $RB --binary --fuzzy
11
+ fi
12
+
13
+ [[ "`ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'`" =~ "OpenSSL $LIBSSL" ]] || { echo "Wrong libssl version"; exit 1; }
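Review bot: The `if`/`elif` has no `else`, so when `LIBSSL` is unset or holds anything other than `1.0` or `1.1` no Ruby is installed and the final check degenerates to matching the literal `OpenSSL `, which any OpenSSL-linked Ruby satisfies; the job would then pass against whatever interpreter happens to be active. Add `else echo "Unsupported LIBSSL: $LIBSSL"; exit 1` before `fi`. `$RB` is also expanded unquoted in both `rvm use` lines; `"$RB"` avoids word splitting, and `$(...)` reads better than backticks in the last line.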
@@ -37,11 +37,11 @@ Gem::Specification.new do |spec|
37
37
  spec.add_dependency "awrence", "~> 1.1"
38
38
  spec.add_dependency "bindata", "~> 2.4"
39
39
  spec.add_dependency "cbor", "~> 0.5.9"
40
- spec.add_dependency "cose", "~> 0.11.0"
40
+ spec.add_dependency "cose", "~> 1.0"
41
41
  spec.add_dependency "openssl", "~> 2.0"
42
42
  spec.add_dependency "safety_net_attestation", "~> 0.4.0"
43
43
  spec.add_dependency "securecompare", "~> 1.0"
44
- spec.add_dependency "tpm-key_attestation", "~> 0.7.0"
44
+ spec.add_dependency "tpm-key_attestation", "~> 0.9.0"
45
45
 
46
46
  spec.add_development_dependency "appraisal", "~> 2.2.0"
47
47
  spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
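Review bot: The `cose` requirement widens from `~> 0.11.0` (patch releases only) to `~> 1.0` (any 1.x), and `tpm-key_attestation` moves from `~> 0.7.0` to `~> 0.9.0`, yet the 2.2.1 changelog entry on this page lists only the OpenSSL compatibility fix. Judging by their use in the other hunks, both gems sit on the attestation and signature-verification path, so consumers taking a patch-level upgrade should be told that these will resolve to new versions. I would add to the changelog entry `- Updated cose dependency to ~> 1.0 and tpm-key_attestation to ~> 0.9.0`, and also mention the removal of `ATTESTATION_TYPE_ECDAA` and the ECDAA `NotSupportedError` path. The `Gem::Specification` block starts and ends outside the hunk.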
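--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: webauthn
  version: !ruby/object:Gem::Version
- version: 2.2.0
+ version: 2.2.1
  platform: ruby
  authors:
  - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2020-03-14 00:00:00.000000000 Z
+ date: 2020-06-06 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: android_key_attestation
@@ -73,14 +73,14 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 0.11.0
+ version: '1.0'
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 0.11.0
+ version: '1.0'
  - !ruby/object:Gem::Dependency
  name: openssl
  requirement: !ruby/object:Gem::Requirement
@@ -129,14 +129,14 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 0.7.0
+ version: 0.9.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 0.7.0
+ version: 0.9.0
  - !ruby/object:Gem::Dependency
  name: appraisal
  requirement: !ruby/object:Gem::Requirement
@@ -269,6 +269,7 @@ files:
  - gemfiles/cose_head.gemfile
  - gemfiles/openssl_2_0.gemfile
  - gemfiles/openssl_2_1.gemfile
+ - gemfiles/openssl_2_2.gemfile
  - gemfiles/openssl_head.gemfile
  - lib/cose/rsapkcs1_algorithm.rb
  - lib/webauthn.rb
@@ -316,6 +317,8 @@ files:
  - lib/webauthn/signature_verifier.rb
  - lib/webauthn/u2f_migrator.rb
  - lib/webauthn/version.rb
+ - script/ci/install-openssl
+ - script/ci/install-ruby
  - webauthn.gemspec
  homepage: https://github.com/cedarcode/webauthn-ruby
  licenses:
@@ -339,7 +342,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.1.2
+ rubygems_version: 3.1.4
  signing_key:
  specification_version: 4
  summary: WebAuthn ruby server library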