webauthn 2.3.0 → 3.0.0

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -15,11 +15,13 @@ module WebAuthn
         rp_id_hash:,
         credential: {
           id: SecureRandom.random_bytes(16),
-          public_key: OpenSSL::PKey::EC.new("prime256v1").generate_key.public_key
+          public_key: OpenSSL::PKey::EC.generate("prime256v1").public_key
         },
         sign_count: 0,
         user_present: true,
         user_verified: !user_present,
+        backup_eligibility: false,
+        backup_state: false,
         aaguid: AAGUID,
         extensions: { "fakeExtension" => "fakeExtensionValue" }
       )
@@ -28,6 +30,8 @@ module WebAuthn
         @sign_count = sign_count
         @user_present = user_present
         @user_verified = user_verified
+        @backup_eligibility = backup_eligibility
+        @backup_state = backup_state
         @aaguid = aaguid
         @extensions = extensions
       end
@@ -38,7 +42,13 @@ module WebAuthn
 
       private
 
-      attr_reader :rp_id_hash, :credential, :user_present, :user_verified, :extensions
+      attr_reader :rp_id_hash,
+                  :credential,
+                  :user_present,
+                  :user_verified,
+                  :extensions,
+                  :backup_eligibility,
+                  :backup_state
 
       def flags
         [
@@ -46,8 +56,8 @@ module WebAuthn
             bit(:user_present),
             reserved_for_future_use_bit,
             bit(:user_verified),
-            reserved_for_future_use_bit,
-            reserved_for_future_use_bit,
+            bit(:backup_eligibility),
+            bit(:backup_state),
             reserved_for_future_use_bit,
             attested_credential_data_included_bit,
             extension_data_included_bit
@@ -108,7 +118,12 @@ module WebAuthn
       end
 
       def context
-        { user_present: user_present, user_verified: user_verified }
+        {
+          user_present: user_present,
+          user_verified: user_verified,
+          backup_eligibility: backup_eligibility,
+          backup_state: backup_state
+        }
       end
 
       def cose_credential_public_key

data/lib/webauthn/fake_authenticator.rb

@@ -17,6 +17,8 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       attested_credential_data: true,
       sign_count: nil,
       extensions: nil
@@ -37,6 +39,8 @@ module WebAuthn
         credential_key: credential_key,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         attested_credential_data: attested_credential_data,
         sign_count: sign_count,
         extensions: extensions
@@ -48,14 +52,24 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       aaguid: AuthenticatorData::AAGUID,
       sign_count: nil,
-      extensions: nil
+      extensions: nil,
+      allow_credentials: nil
     )
       credential_options = credentials[rp_id]
 
       if credential_options
-        credential_id, credential = credential_options.first
+        allow_credentials ||= credential_options.keys
+        credential_id = (credential_options.keys & allow_credentials).first
+        unless credential_id
+          raise "No matching credentials (allowed=#{allow_credentials}) " \
+                "found for RP #{rp_id} among credentials=#{credential_options}"
+        end
+
+        credential = credential_options[credential_id]
         credential_key = credential[:credential_key]
         credential_sign_count = credential[:sign_count]
 
@@ -63,6 +77,8 @@ module WebAuthn
           rp_id_hash: hashed(rp_id),
           user_present: user_present,
           user_verified: user_verified,
+          backup_eligibility: backup_eligibility,
+          backup_state: backup_state,
           aaguid: aaguid,
           credential: nil,
           sign_count: sign_count || credential_sign_count,
@@ -87,7 +103,7 @@ module WebAuthn
     attr_reader :credentials
 
     def new_credential
-      [SecureRandom.random_bytes(16), OpenSSL::PKey::EC.new("prime256v1").generate_key, 0]
+      [SecureRandom.random_bytes(16), OpenSSL::PKey::EC.generate("prime256v1"), 0]
     end
 
     def hashed(target)

data/lib/webauthn/fake_client.rb

@@ -10,7 +10,7 @@ module WebAuthn
   class FakeClient
     TYPES = { create: "webauthn.create", get: "webauthn.get" }.freeze
 
-    attr_reader :origin, :token_binding
+    attr_reader :origin, :token_binding, :encoding
 
     def initialize(
       origin = fake_origin,
@@ -29,6 +29,8 @@ module WebAuthn
       rp_id: nil,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       attested_credential_data: true,
       extensions: nil
     )
@@ -42,6 +44,8 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         attested_credential_data: attested_credential_data,
         extensions: extensions
       )
@@ -72,20 +76,31 @@ module WebAuthn
             rp_id: nil,
             user_present: true,
             user_verified: false,
+            backup_eligibility: false,
+            backup_state: true,
             sign_count: nil,
-            extensions: nil)
+            extensions: nil,
+            user_handle: nil,
+            allow_credentials: nil)
       rp_id ||= URI.parse(origin).host
 
       client_data_json = data_json_for(:get, encoder.decode(challenge))
       client_data_hash = hashed(client_data_json)
 
+      if allow_credentials
+        allow_credentials = allow_credentials.map { |credential| encoder.decode(credential) }
+      end
+
       assertion = authenticator.get_assertion(
         rp_id: rp_id,
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         sign_count: sign_count,
-        extensions: extensions
+        extensions: extensions,
+        allow_credentials: allow_credentials
       )
 
       {
@@ -97,14 +112,14 @@ module WebAuthn
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),
           "signature" => encoder.encode(assertion[:signature]),
-          "userHandle" => nil
+          "userHandle" => user_handle ? encoder.encode(user_handle) : nil
         }
       }
     end
 
     private
 
-    attr_reader :authenticator, :encoding
+    attr_reader :authenticator
 
     def data_json_for(method, challenge)
       data = {

data/lib/webauthn/public_key_credential/creation_options.rb

@@ -39,8 +39,8 @@ module WebAuthn
 
         @rp =
           if rp.is_a?(Hash)
-            rp[:name] ||= configuration.rp_name
-            rp[:id] ||= configuration.rp_id
+            rp[:name] ||= relying_party.name
+            rp[:id] ||= relying_party.id
 
             RPEntity.new(**rp)
           else
@@ -76,7 +76,7 @@ module WebAuthn
       end
 
       def pub_key_cred_params_from_algs
-        Array(algs || configuration.algorithms).map do |alg|
+        Array(algs || relying_party.algorithms).map do |alg|
           alg_id =
             if alg.is_a?(String) || alg.is_a?(Symbol)
               COSE::Algorithm.by_name(alg.to_s).id

data/lib/webauthn/public_key_credential/entity.rb

@@ -5,11 +5,10 @@ require "awrence"
 module WebAuthn
   class PublicKeyCredential
     class Entity
-      attr_reader :name, :icon
+      attr_reader :name
 
-      def initialize(name:, icon: nil)
+      def initialize(name:)
         @name = name
-        @icon = icon
       end
 
       def as_json
@@ -37,7 +36,7 @@ module WebAuthn
       end
 
       def attributes
-        [:name, :icon]
+        [:name]
       end
     end
   end

data/lib/webauthn/public_key_credential/options.rb

@@ -8,11 +8,12 @@ module WebAuthn
     class Options
       CHALLENGE_LENGTH = 32
 
-      attr_reader :timeout, :extensions
+      attr_reader :timeout, :extensions, :relying_party
 
-      def initialize(timeout: default_timeout, extensions: nil)
-        @timeout = timeout
-        @extensions = extensions
+      def initialize(timeout: nil, extensions: nil, relying_party: WebAuthn.configuration.relying_party)
+        @relying_party = relying_party
+        @timeout = timeout || default_timeout
+        @extensions = default_extensions.merge(extensions || {})
       end
 
       def challenge
@@ -49,7 +50,7 @@ module WebAuthn
       end
 
       def encoder
-        WebAuthn.configuration.encoder
+        relying_party.encoder
       end
 
       def raw_challenge
@@ -57,11 +58,11 @@ module WebAuthn
       end
 
       def default_timeout
-        configuration.credential_options_timeout
+        relying_party.credential_options_timeout
       end
 
-      def configuration
-        WebAuthn.configuration
+      def default_extensions
+        {}
       end
 
       def as_public_key_descriptors(ids)

data/lib/webauthn/public_key_credential/request_options.rb

@@ -10,7 +10,7 @@ module WebAuthn
       def initialize(rp_id: nil, allow_credentials: nil, allow: nil, user_verification: nil, **keyword_arguments)
         super(**keyword_arguments)
 
-        @rp_id = rp_id || configuration.rp_id
+        @rp_id = rp_id || relying_party.id
         @allow_credentials = allow_credentials
         @allow = allow
         @user_verification = user_verification
@@ -26,6 +26,16 @@ module WebAuthn
         super.concat([:allow_credentials, :rp_id, :user_verification])
       end
 
+      def default_extensions
+        extensions = super || {}
+
+        if relying_party.legacy_u2f_appid
+          extensions.merge!(appid: relying_party.legacy_u2f_appid)
+        end
+
+        extensions
+      end
+
       def allow_credentials_from_allow
         if allow
           as_public_key_descriptors(allow)

data/lib/webauthn/public_key_credential.rb

@@ -6,22 +6,31 @@ module WebAuthn
   class PublicKeyCredential
     attr_reader :type, :id, :raw_id, :client_extension_outputs, :response
 
-    def self.from_client(credential)
+    def self.from_client(credential, relying_party: WebAuthn.configuration.relying_party)
       new(
         type: credential["type"],
         id: credential["id"],
-        raw_id: WebAuthn.configuration.encoder.decode(credential["rawId"]),
+        raw_id: relying_party.encoder.decode(credential["rawId"]),
         client_extension_outputs: credential["clientExtensionResults"],
-        response: response_class.from_client(credential["response"])
+        response: response_class.from_client(credential["response"], relying_party: relying_party),
+        relying_party: relying_party
       )
     end
 
-    def initialize(type:, id:, raw_id:, client_extension_outputs: {}, response:)
+    def initialize(
+      type:,
+      id:,
+      raw_id:,
+      response:,
+      client_extension_outputs: {},
+      relying_party: WebAuthn.configuration.relying_party
+    )
       @type = type
       @id = id
       @raw_id = raw_id
       @client_extension_outputs = client_extension_outputs
       @response = response
+      @relying_party = relying_party
     end
 
     def verify(*_args)
@@ -39,8 +48,18 @@ module WebAuthn
       authenticator_data.extension_data if authenticator_data&.extension_data_included?
     end
 
+    def backup_eligible?
+      authenticator_data&.credential_backup_eligible?
+    end
+
+    def backed_up?
+      authenticator_data&.credential_backed_up?
+    end
+
     private
 
+    attr_reader :relying_party
+
     def valid_type?
       type == TYPE_PUBLIC_KEY
     end
@@ -54,7 +73,7 @@ module WebAuthn
     end
 
     def encoder
-      WebAuthn.configuration.encoder
+      relying_party.encoder
     end
   end
 end

data/lib/webauthn/public_key_credential_with_assertion.rb

@@ -16,7 +16,8 @@ module WebAuthn
         encoder.decode(challenge),
         public_key: encoder.decode(public_key),
         sign_count: sign_count,
-        user_verification: user_verification
+        user_verification: user_verification,
+        rp_id: appid_extension_output ? appid : nil
       )
 
       true
@@ -31,5 +32,17 @@ module WebAuthn
     def raw_user_handle
       response.user_handle
     end
+
+    private
+
+    def appid_extension_output
+      return if client_extension_outputs.nil?
+
+      client_extension_outputs['appid']
+    end
+
+    def appid
+      URI.parse(relying_party.legacy_u2f_appid || raise("Unspecified legacy U2F AppID")).to_s
+    end
   end
 end

data/lib/webauthn/relying_party.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "webauthn/credential"
+require "webauthn/encoder"
+require "webauthn/error"
+
+module WebAuthn
+  class RootCertificateFinderNotSupportedError < Error; end
+
+  class RelyingParty
+    def self.if_pss_supported(algorithm)
+      OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
+    end
+
+    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
+
+    def initialize(
+      algorithms: DEFAULT_ALGORITHMS.dup,
+      encoding: WebAuthn::Encoder::STANDARD_ENCODING,
+      origin: nil,
+      id: nil,
+      name: nil,
+      verify_attestation_statement: true,
+      credential_options_timeout: 120000,
+      silent_authentication: false,
+      acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA', 'AnonCA'],
+      attestation_root_certificates_finders: [],
+      legacy_u2f_appid: nil
+    )
+      @algorithms = algorithms
+      @encoding = encoding
+      @origin = origin
+      @id = id
+      @name = name
+      @verify_attestation_statement = verify_attestation_statement
+      @credential_options_timeout = credential_options_timeout
+      @silent_authentication = silent_authentication
+      @acceptable_attestation_types = acceptable_attestation_types
+      @legacy_u2f_appid = legacy_u2f_appid
+      self.attestation_root_certificates_finders = attestation_root_certificates_finders
+    end
+
+    attr_accessor :algorithms,
+                  :encoding,
+                  :origin,
+                  :id,
+                  :name,
+                  :verify_attestation_statement,
+                  :credential_options_timeout,
+                  :silent_authentication,
+                  :acceptable_attestation_types,
+                  :legacy_u2f_appid
+
+    attr_reader :attestation_root_certificates_finders
+
+    # This is the user-data encoder.
+    # Used to decode user input and to encode data provided to the user.
+    def encoder
+      @encoder ||= WebAuthn::Encoder.new(encoding)
+    end
+
+    def attestation_root_certificates_finders=(finders)
+      if !finders.respond_to?(:each)
+        finders = [finders]
+      end
+
+      finders.each do |finder|
+        unless finder.respond_to?(:find)
+          raise RootCertificateFinderNotSupportedError, "Finder must implement `find` method"
+        end
+      end
+
+      @attestation_root_certificates_finders = finders
+    end
+
+    def options_for_registration(**keyword_arguments)
+      WebAuthn::Credential.options_for_create(
+        **keyword_arguments,
+        relying_party: self
+      )
+    end
+
+    def verify_registration(raw_credential, challenge, user_verification: nil)
+      webauthn_credential = WebAuthn::Credential.from_create(raw_credential, relying_party: self)
+
+      if webauthn_credential.verify(challenge, user_verification: user_verification)
+        webauthn_credential
+      end
+    end
+
+    def options_for_authentication(**keyword_arguments)
+      WebAuthn::Credential.options_for_get(
+        **keyword_arguments,
+        relying_party: self
+      )
+    end
+
+    def verify_authentication(
+      raw_credential,
+      challenge,
+      user_verification: nil,
+      public_key: nil,
+      sign_count: nil
+    )
+      webauthn_credential = WebAuthn::Credential.from_get(raw_credential, relying_party: self)
+
+      stored_credential = yield(webauthn_credential) if block_given?
+
+      if webauthn_credential.verify(
+        challenge,
+        public_key: public_key || stored_credential.public_key,
+        sign_count: sign_count || stored_credential.sign_count,
+        user_verification: user_verification
+      )
+        block_given? ? [webauthn_credential, stored_credential] : webauthn_credential
+      end
+    end
+  end
+end

data/lib/webauthn/u2f_migrator.rb

@@ -31,7 +31,10 @@ module WebAuthn
       @credential ||=
         begin
           hash = authenticator_data.send(:credential)
-          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
+          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(
+            id: hash[:id],
+            public_key: hash[:public_key].serialize
+          )
         end
     end
 

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.3.0"
+  VERSION = "3.0.0"
 end

data/webauthn.gemspec

@@ -31,23 +31,22 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.4"
+  spec.required_ruby_version = ">= 2.5"
 
   spec.add_dependency "android_key_attestation", "~> 0.3.0"
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
-  spec.add_dependency "cose", "~> 1.0"
-  spec.add_dependency "openssl", "~> 2.0"
+  spec.add_dependency "cose", "~> 1.1"
+  spec.add_dependency "openssl", ">= 2.2"
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
-  spec.add_dependency "securecompare", "~> 1.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.9.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.12.0"
 
-  spec.add_development_dependency "appraisal", "~> 2.3.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.80.1"
-  spec.add_development_dependency "rubocop-rspec", "~> 1.38.1"
+  spec.add_development_dependency "rubocop", "~> 1.9.1"
+  spec.add_development_dependency "rubocop-rake", "~> 0.5.1"
+  spec.add_development_dependency "rubocop-rspec", "~> 2.2.0"
 end