webauthn 2.2.0 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ab7bf6dcca17e3cfe29921d5eb1b93202864d397c5e3a923b6626e365b2caf39
-  data.tar.gz: 5d77612f3ba67243a44a93aab9cf6be9178728f5701fbae52d7a48a0590be356
+  metadata.gz: 1e6487b19f172c0c7e96af23d04e47f91bebd2ef7d20f144f99f85e761a2db86
+  data.tar.gz: 7623405e7cd01708f29897a0d4183fbc8c9b2a3dfb06b9c182646ddaf9c6cb0d
 SHA512:
-  metadata.gz: cd9e2477f0b3e36f440a3bcd16694329abd4aab1e32df5a96441a54493689f9b2287a7bfbcd510ad6132784e18ad494e797964f6403f084c5fafb91c2bc7dd38
-  data.tar.gz: 04eae0faa11df97e39d9e62f848e1dec2cce409829776ed00de928674e841eb0143c82803d2a32d6f01f429ac402dead7120ee9bc3cc46f45333415a478ed6eb
+  metadata.gz: d2f8d2137b2ee140a3258fbbff8d62e49264b2eafa80f0726dacc16a742addf75625b9da51696db6f3862a85e63f44ca5fc2b73320b1c256dd1c57f96121de24
+  data.tar.gz: dcb2ea914a14944b4bf7c4682394df12e00ddd4a4b0cc1076a03a7368bf4d563d08b61fbbe27ece3ddcbc05a9ed542d8236c1bfce833669c9b60c5d3387b35b4

data/.github/workflows/build.yml

@@ -0,0 +1,36 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: build
+
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - '3.0'
+          - '2.7'
+          - '2.6'
+          - '2.5'
+          - '2.4'
+          - truffleruby
+        gemfile:
+          - openssl_2_2
+          - openssl_2_1
+    env:
+      BUNDLE_GEMFILE: gemfiles/${{ matrix.gemfile }}.gemfile
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - run: bundle exec rake

data/.rubocop.yml

@@ -1,5 +1,6 @@
 require:
   - rubocop-rspec
+  - rubocop-rake
 
 inherit_mode:
   merge:
@@ -8,8 +9,10 @@ inherit_mode:
 AllCops:
   TargetRubyVersion: 2.4
   DisabledByDefault: true
+  NewCops: disable
   Exclude:
     - "gemfiles/**/*"
+    - "vendor/**/*"
 
 Bundler:
   Enabled: true
@@ -20,6 +23,15 @@ Gemspec:
 Layout:
   Enabled: true
 
+Layout/ClassStructure:
+  Enabled: true
+
+Layout/EmptyLineBetweenDefs:
+  AllowAdjacentOneLineDefs: true
+
+Layout/EmptyLinesAroundAttributeAccessor:
+  Enabled: true
+
 Layout/FirstMethodArgumentLineBreak:
   Enabled: true
 
@@ -34,12 +46,60 @@ Layout/MultilineAssignmentLayout:
 Layout/MultilineMethodArgumentLineBreaks:
   Enabled: true
 
+Layout/SpaceAroundMethodCallOperator:
+  Enabled: true
+
 Lint:
   Enabled: true
 
+Lint/DeprecatedOpenSSLConstant:
+  Enabled: true
+
+Lint/MixedRegexpCaptureTypes:
+  Enabled: true
+
+Lint/RaiseException:
+  Enabled: true
+
+Lint/StructNewOverride:
+  Enabled: true
+
+Lint/BinaryOperatorWithIdenticalOperands:
+  Enabled: true
+
+Lint/DuplicateElsifCondition:
+  Enabled: true
+
+Lint/DuplicateRescueException:
+  Enabled: true
+
+Lint/EmptyConditionalBody:
+  Enabled: true
+
+Lint/FloatComparison:
+  Enabled: true
+
+Lint/MissingSuper:
+  Enabled: true
+
+Lint/OutOfRangeRegexpRef:
+  Enabled: true
+
+Lint/SelfAssignment:
+  Enabled: true
+
+Lint/TopLevelReturnWithArgument:
+  Enabled: true
+
+Lint/UnreachableLoop:
+  Enabled: true
+
 Naming:
   Enabled: true
 
+Naming/VariableNumber:
+  Enabled: false
+
 RSpec/Be:
   Enabled: true
 

data/Appraisals

@@ -1,17 +1,9 @@
 # frozen_string_literal: true
 
-appraise "cose_head" do
-  gem "cose", git: "https://github.com/cedarcode/cose-ruby"
-end
-
-appraise "openssl_head" do
-  gem "openssl", git: "https://github.com/ruby/openssl"
+appraise "openssl_2_2" do
+  gem "openssl", "~> 2.2.0"
 end
 
 appraise "openssl_2_1" do
   gem "openssl", "~> 2.1.0"
 end
-
-appraise "openssl_2_0" do
-  gem "openssl", "~> 2.0.0"
-end

data/CHANGELOG.md

@@ -1,5 +1,47 @@
 # Changelog
 
+## [v3.0.0.alpha1] - 2020-06-27
+
+### Added
+
+- Ability to define multiple relying parties with the introduction of the `WebAuthn::RelyingParty` class ([@padulafacundo], [@brauliomartinezlm])
+
+## [v2.5.0] - 2021-03-14
+
+### Added
+
+- Support 'apple' attestation statement format ([#343](https://github.com/cedarcode/webauthn-ruby/pull/343) / [@juanarias93], [@santiagorodriguez96])
+- Allow specifying an array of ids as `allow_credentials:` for `FakeClient#get` method ([#335](https://github.com/cedarcode/webauthn-ruby/pull/335) / [@kingjan1999])
+
+### Removed
+
+- No longer accept "removed from the WebAuthn spec" options `rp: { icon: }` and `user: { icon: }` for `WebAuthn::Credential.options_for_create` method ([#326](https://github.com/cedarcode/webauthn-ruby/pull/326) / [@santiagorodriguez96])
+
+## [v2.4.1] - 2021-02-15
+
+### Fixed
+
+- Fix verification of new credential if no attestation provided and 'None' type is not among configured `acceptable_attestation_types`. I.e. reject it instead of letting it go through.
+
+## [v2.4.0] - 2020-09-03
+
+### Added
+
+- Support for ES256K credentials
+- `FakeClient#get` accepts `user_handle:` keyword argument ([@lgarron])
+
+## [v2.3.0] - 2020-06-27
+
+### Added
+
+- Ability to access extension outputs with `PublicKeyCredential#client_extension_outputs` and `PublicKeyCredential#authenticator_extension_outputs` ([@santiagorodriguez96])
+
+## [v2.2.1] - 2020-06-06
+
+### Fixed
+
+- Fixed compatibility with OpenSSL-C (libssl) v1.0.2 ([@santiagorodriguez96])
+
 ## [v2.2.0] - 2020-03-14
 
 ### Added
@@ -282,6 +324,12 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha1/
+[v2.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.1...v2.5.0/
+[v2.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.0...v2.4.1/
+[v2.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v2.4.0/
+[v2.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.1...v2.3.0/
+[v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
 [v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
 [v2.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.0.0...v2.1.0/
 [v2.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.18.0...v2.0.0/
@@ -307,6 +355,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [v0.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.0.0...v0.1.0/
 
+[@brauliomartinezlm]: https://github.com/brauliomartinezlm
 [@bdewater]: https://github.com/bdewater
 [@jdongelmans]: https://github.com/jdongelmans
 [@kalebtesfay]: https://github.com/kalebtesfay
@@ -314,3 +363,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [@sorah]: https://github.com/sorah
 [@ssuttner]: https://github.com/ssuttner
 [@padulafacundo]: https://github.com/padulafacundo
+[@santiagorodriguez96]: https://github.com/santiagorodriguez96
+[@lgarron]: https://github.com/lgarron
+[@juanarias93]: https://github.com/juanarias93
+[@kingjan1999]: https://github.com/@kingjan1999

data/README.md

@@ -6,7 +6,7 @@ For the current release version see https://github.com/cedarcode/webauthn-ruby/b
 ![banner](assets/webauthn-ruby.png)
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.org/cedarcode/webauthn-ruby)
+[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.com/cedarcode/webauthn-ruby)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 [![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
@@ -66,11 +66,10 @@ Known conformant pairs are, for example:
 - Mozilla Firefox for Desktop and Yubico's Security Key roaming authenticator via USB
 - Safari in iOS 13.3+ and YubiKey 5 NFC via NFC
 
-For a detailed picture about what is conformant and what not, you can refer to:
-
-- [apowers313/fido2-webauthn-status](https://github.com/apowers313/fido2-webauthn-status)
-- [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products)
+For a complete list:
 
+- User Agents (Clients): [Can I Use: Web Authentication API](https://caniuse.com/#search=webauthn)
+- Authenticators: [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products) (search for Type=Authenticator and Specification=FIDO2)
 
 ## Install
 
@@ -151,7 +150,7 @@ if !user.webauthn_id
 end
 
 options = WebAuthn::Credential.options_for_create(
-  user: { id: user.webauthn_id, name: user.name }
+  user: { id: user.webauthn_id, name: user.name },
   exclude: user.credentials.map { |c| c.webauthn_id }
 )
 
@@ -253,6 +252,54 @@ rescue WebAuthn::Error => e
 end
 ```
 
+### Extensions
+
+> The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, as defined in Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or an authentication extension.
+
+> When creating a public key credential or requesting an authentication assertion, a WebAuthn Relying Party can request the use of a set of extensions. These extensions will be invoked during the requested ceremony if they are supported by the WebAuthn Client and/or the WebAuthn Authenticator. The Relying Party sends the client extension input for each extension in the get() call (for authentication extensions) or create() call (for registration extensions) to the WebAuthn client. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]
+
+Extensions can be requested in the initiation phase in both Credential Registration and Authentication ceremonies by adding the extension parameter when generating the options for create/get:
+
+```ruby
+# Credential Registration
+creation_options = WebAuthn::Credential.options_for_create(
+  user: { id: user.webauthn_id, name: user.name },
+  exclude: user.credentials.map { |c| c.webauthn_id },
+  extensions: { appidExclude: domain.to_s }
+)
+
+# OR
+
+# Credential Authentication
+options = WebAuthn::Credential.options_for_get(
+  allow: user.credentials.map { |c| c.webauthn_id },
+  extensions: { appid: domain.to_s }
+)
+```
+
+Consequently, after these `options` are sent to the WebAuthn client:
+
+> The WebAuthn client performs client extension processing for each extension that the client supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.
+
+> For authenticator extensions, as part of the client extension processing, the client also creates the CBOR authenticator extension input value for each extension (often based on the corresponding client extension input value), and passes them to the authenticator in the create() call (for registration extensions) or the get() call (for authentication extensions).
+
+> The authenticator, in turn, performs additional processing for the extensions that it supports, and returns the CBOR authenticator extension output for each as specified by the extension. Part of the client extension processing for authenticator extensions is to use the authenticator extension output as an input to creating the client extension output. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]
+
+Finally, you can check the values returned for each extension by calling `client_extension_outputs` and `authenticator_extension_outputs` respectively.
+For example, following the initialization phase for the Credential Authentication ceremony specified in the above example:
+
+```ruby
+webauthn_credential = WebAuthn::Credential.from_get(credential_get_result_hash)
+
+webauthn_credential.client_extension_outputs #=> { "appid" => true }
+webauthn_credential.authenticator_extension_outputs #=> nil
+```
+
+A list of all currently defined extensions:
+
+  - [Last published version](https://www.w3.org/TR/webauthn-2/#sctn-defined-extensions)
+  - [Next version (in draft)](https://w3c.github.io/webauthn/#sctn-defined-extensions)
+
 ## API
 
 #### `WebAuthn.generate_user_id`
@@ -343,19 +390,34 @@ credential_with_assertion.verify(
 )
 ```
 
+#### `PublicKeyCredential#client_extension_outputs`
+
+```ruby
+credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])
+
+credential.client_extension_outputs
+```
+
+#### `PublicKeyCredential#authenticator_extension_outputs`
+
+```ruby
+credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])
+
+credential.authenticator_extension_outputs
+```
+
 ## Attestation
 
-### Attestation Statement Format
+### Attestation Statement Formats
 
 | Attestation Statement Format | Supported? |
 | -------- | :--------: |
 | packed (self attestation) | Yes |
 | packed (x5c attestation) | Yes |
-| packed (ECDAA attestation) | No |
 | tpm (x5c attestation) | Yes |
-| tpm (ECDAA attestation) | No |
 | android-key | Yes |
 | android-safetynet | Yes |
+| apple | Yes |
 | fido-u2f | Yes |
 | none | Yes |
 

data/SECURITY.md

@@ -4,9 +4,12 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.2.z    | :white_check_mark: |
-| 2.1.z    | :white_check_mark: |
-| 2.0.z    | :white_check_mark: |
+| 2.5.z    | :white_check_mark: |
+| 2.4.z    | :white_check_mark: |
+| 2.3.z    | :white_check_mark: |
+| 2.2.z    | :x: |
+| 2.1.z    | :x: |
+| 2.0.z    | :x: |
 | 1.18.z   | :white_check_mark: |
 | < 1.18   | :x:                |
 

data/gemfiles/{openssl_2_0.gemfile → openssl_2_2.gemfile}

@@ -2,6 +2,6 @@
 
 source "https://rubygems.org"
 
-gem "openssl", "~> 2.0.0"
+gem "openssl", "~> 2.2.0"
 
 gemspec path: "../"

data/lib/cose/rsapkcs1_algorithm.rb

@@ -21,6 +21,10 @@ class RSAPKCS1Algorithm < COSE::Algorithm::SignatureAlgorithm
     OpenSSL::SignatureAlgorithm::RSAPKCS1
   end
 
+  def valid_key?(key)
+    to_cose_key(key).is_a?(COSE::Key::RSA)
+  end
+
   def to_pkey(key)
     case key
     when COSE::Key::RSA
@@ -36,4 +40,11 @@ end
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-257, "RS256", hash_function: "SHA256"))
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-258, "RS384", hash_function: "SHA384"))
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-259, "RS512", hash_function: "SHA512"))
+
+# Patch openssl-signature_algorithm gem to support discouraged/deprecated RSA-PKCS#1 with SHA-1
+# (RS1 in JOSE/COSE terminology) algorithm needed for WebAuthn.
+OpenSSL::SignatureAlgorithm::RSAPKCS1.const_set(
+  :ACCEPTED_HASH_FUNCTIONS,
+  OpenSSL::SignatureAlgorithm::RSAPKCS1::ACCEPTED_HASH_FUNCTIONS + ["SHA1"]
+)
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-65535, "RS1", hash_function: "SHA1"))

data/lib/webauthn/attestation_object.rb

@@ -8,6 +8,8 @@ require "webauthn/authenticator_data"
 
 module WebAuthn
   class AttestationObject
+    extend Forwardable
+
     def self.deserialize(attestation_object)
       from_map(CBOR.decode(attestation_object))
     end
@@ -35,8 +37,6 @@ module WebAuthn
       attestation_statement.valid?(authenticator_data, client_data_hash)
     end
 
-    extend Forwardable
-
     def_delegators :authenticator_data, :credential, :aaguid
     def_delegators :attestation_statement, :attestation_certificate_key_id
   end

data/lib/webauthn/attestation_statement.rb

@@ -2,6 +2,7 @@
 
 require "webauthn/attestation_statement/android_key"
 require "webauthn/attestation_statement/android_safetynet"
+require "webauthn/attestation_statement/apple"
 require "webauthn/attestation_statement/fido_u2f"
 require "webauthn/attestation_statement/none"
 require "webauthn/attestation_statement/packed"
@@ -18,6 +19,7 @@ module WebAuthn
     ATTESTATION_FORMAT_ANDROID_SAFETYNET = "android-safetynet"
     ATTESTATION_FORMAT_ANDROID_KEY = "android-key"
     ATTESTATION_FORMAT_TPM = "tpm"
+    ATTESTATION_FORMAT_APPLE = "apple"
 
     FORMAT_TO_CLASS = {
       ATTESTATION_FORMAT_NONE => WebAuthn::AttestationStatement::None,
@@ -25,7 +27,8 @@ module WebAuthn
       ATTESTATION_FORMAT_PACKED => WebAuthn::AttestationStatement::Packed,
       ATTESTATION_FORMAT_ANDROID_SAFETYNET => WebAuthn::AttestationStatement::AndroidSafetynet,
       ATTESTATION_FORMAT_ANDROID_KEY => WebAuthn::AttestationStatement::AndroidKey,
-      ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM
+      ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM,
+      ATTESTATION_FORMAT_APPLE => WebAuthn::AttestationStatement::Apple
     }.freeze
 
     def self.from(format, statement)