webauthn 2.4.0 → 2.5.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/build.yml +32 -0
- data/.github/workflows/git.yml +21 -0
- data/.rubocop.yml +8 -0
- data/CHANGELOG.md +42 -0
- data/README.md +5 -2
- data/SECURITY.md +2 -1
- data/docs/advanced_configuration.md +174 -0
- data/docs/u2f_migration.md +3 -2
- data/lib/webauthn/attestation_statement/android_key.rb +0 -4
- data/lib/webauthn/attestation_statement/android_safetynet.rb +1 -5
- data/lib/webauthn/attestation_statement/apple.rb +65 -0
- data/lib/webauthn/attestation_statement/base.rb +11 -22
- data/lib/webauthn/attestation_statement/none.rb +7 -1
- data/lib/webauthn/attestation_statement/packed.rb +1 -1
- data/lib/webauthn/attestation_statement.rb +4 -1
- data/lib/webauthn/authenticator_response.rb +1 -2
- data/lib/webauthn/configuration.rb +2 -6
- data/lib/webauthn/fake_authenticator.rb +10 -2
- data/lib/webauthn/fake_client.rb +8 -2
- data/lib/webauthn/public_key_credential/entity.rb +3 -4
- data/lib/webauthn/version.rb +1 -1
- data/webauthn.gemspec +4 -5
- metadata +29 -49
- data/.travis.yml +0 -39
- data/Appraisals +0 -21
- data/gemfiles/cose_head.gemfile +0 -7
- data/gemfiles/openssl_2_0.gemfile +0 -7
- data/gemfiles/openssl_2_1.gemfile +0 -7
- data/gemfiles/openssl_2_2.gemfile +0 -7
- data/gemfiles/openssl_head.gemfile +0 -7
- data/lib/webauthn/security_utils.rb +0 -20
- data/script/ci/install-openssl +0 -7
- data/script/ci/install-ruby +0 -13
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c1e5f50210b030860b4f7c5356420c2f462e6d4eae1f1adb254d1c69e90eead5
|
4
|
+
data.tar.gz: aab42b79101469b6783b522bdcefd6cd70c20ca055b10ffa85a2847cb400afab
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: eb440aeec87f78c45890e13cb1587eb736b457b791b23644ede24952cd3590ee5ff69a55975a5813cbd34699a21c593463907f592c668356efb1c020f73cecda
|
7
|
+
data.tar.gz: a9b6015c20a893ad8916e0251ff79a3d1871544acb027e1faf7a8553a3c8b70111c7a1beae9a590950e484248a70c490d0d0017f4d9c92fc14935e58cc083642
|
@@ -0,0 +1,32 @@
|
|
1
|
+
# This workflow uses actions that are not certified by GitHub.
|
2
|
+
# They are provided by a third-party and are governed by
|
3
|
+
# separate terms of service, privacy policy, and support
|
4
|
+
# documentation.
|
5
|
+
# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
|
6
|
+
# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
|
7
|
+
|
8
|
+
name: build
|
9
|
+
|
10
|
+
on: push
|
11
|
+
|
12
|
+
jobs:
|
13
|
+
test:
|
14
|
+
runs-on: ubuntu-20.04
|
15
|
+
strategy:
|
16
|
+
fail-fast: false
|
17
|
+
matrix:
|
18
|
+
ruby:
|
19
|
+
- '3.1'
|
20
|
+
- '3.0'
|
21
|
+
- '2.7'
|
22
|
+
- '2.6'
|
23
|
+
- '2.5'
|
24
|
+
- '2.4'
|
25
|
+
- truffleruby
|
26
|
+
steps:
|
27
|
+
- uses: actions/checkout@v2
|
28
|
+
- uses: ruby/setup-ruby@v1
|
29
|
+
with:
|
30
|
+
ruby-version: ${{ matrix.ruby }}
|
31
|
+
bundler-cache: true
|
32
|
+
- run: bundle exec rake
|
@@ -0,0 +1,21 @@
|
|
1
|
+
# Syntax reference:
|
2
|
+
# https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions
|
3
|
+
name: Git Checks
|
4
|
+
|
5
|
+
on:
|
6
|
+
pull_request:
|
7
|
+
types: [opened, synchronize]
|
8
|
+
|
9
|
+
jobs:
|
10
|
+
# Fixup commits are OK in pull requests, but should generally be squashed
|
11
|
+
# before merging to master, e.g. using `git rebase -i --autosquash master`.
|
12
|
+
# See https://github.com/marketplace/actions/block-autosquash-commits
|
13
|
+
block-fixup:
|
14
|
+
runs-on: ubuntu-latest
|
15
|
+
|
16
|
+
steps:
|
17
|
+
- uses: actions/checkout@v2.0.0
|
18
|
+
- name: Block autosquash commits
|
19
|
+
uses: xt0rted/block-autosquash-commits-action@v2
|
20
|
+
with:
|
21
|
+
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
data/.rubocop.yml
CHANGED
@@ -1,5 +1,6 @@
|
|
1
1
|
require:
|
2
2
|
- rubocop-rspec
|
3
|
+
- rubocop-rake
|
3
4
|
|
4
5
|
inherit_mode:
|
5
6
|
merge:
|
@@ -8,6 +9,7 @@ inherit_mode:
|
|
8
9
|
AllCops:
|
9
10
|
TargetRubyVersion: 2.4
|
10
11
|
DisabledByDefault: true
|
12
|
+
NewCops: disable
|
11
13
|
Exclude:
|
12
14
|
- "gemfiles/**/*"
|
13
15
|
- "vendor/**/*"
|
@@ -24,6 +26,9 @@ Layout:
|
|
24
26
|
Layout/ClassStructure:
|
25
27
|
Enabled: true
|
26
28
|
|
29
|
+
Layout/EmptyLineBetweenDefs:
|
30
|
+
AllowAdjacentOneLineDefs: true
|
31
|
+
|
27
32
|
Layout/EmptyLinesAroundAttributeAccessor:
|
28
33
|
Enabled: true
|
29
34
|
|
@@ -92,6 +97,9 @@ Lint/UnreachableLoop:
|
|
92
97
|
Naming:
|
93
98
|
Enabled: true
|
94
99
|
|
100
|
+
Naming/VariableNumber:
|
101
|
+
Enabled: false
|
102
|
+
|
95
103
|
RSpec/Be:
|
96
104
|
Enabled: true
|
97
105
|
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,38 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## [v3.0.0.alpha1] - 2020-06-27
|
4
|
+
|
5
|
+
### Added
|
6
|
+
|
7
|
+
- Ability to define multiple relying parties with the introduction of the `WebAuthn::RelyingParty` class ([@padulafacundo], [@brauliomartinezlm])
|
8
|
+
|
9
|
+
## [v2.5.1] - 2022-03-20
|
10
|
+
|
11
|
+
### Added
|
12
|
+
|
13
|
+
- Updated openssl support to be ~>2.2 [@bdewater]
|
14
|
+
|
15
|
+
### Removed
|
16
|
+
|
17
|
+
- Removed dependency [secure_compare dependency] (https://rubygems.org/gems/secure_compare/versions/0.0.1) and use OpenSSL#secure_compare instead [@bdewater]
|
18
|
+
|
19
|
+
## [v2.5.0] - 2021-03-14
|
20
|
+
|
21
|
+
### Added
|
22
|
+
|
23
|
+
- Support 'apple' attestation statement format ([#343](https://github.com/cedarcode/webauthn-ruby/pull/343) / [@juanarias93], [@santiagorodriguez96])
|
24
|
+
- Allow specifying an array of ids as `allow_credentials:` for `FakeClient#get` method ([#335](https://github.com/cedarcode/webauthn-ruby/pull/335) / [@kingjan1999])
|
25
|
+
|
26
|
+
### Removed
|
27
|
+
|
28
|
+
- No longer accept "removed from the WebAuthn spec" options `rp: { icon: }` and `user: { icon: }` for `WebAuthn::Credential.options_for_create` method ([#326](https://github.com/cedarcode/webauthn-ruby/pull/326) / [@santiagorodriguez96])
|
29
|
+
|
30
|
+
## [v2.4.1] - 2021-02-15
|
31
|
+
|
32
|
+
### Fixed
|
33
|
+
|
34
|
+
- Fix verification of new credential if no attestation provided and 'None' type is not among configured `acceptable_attestation_types`. I.e. reject it instead of letting it go through.
|
35
|
+
|
3
36
|
## [v2.4.0] - 2020-09-03
|
4
37
|
|
5
38
|
### Added
|
@@ -301,6 +334,10 @@ Note: Both additions should help making it compatible with Chrome for Android 70
|
|
301
334
|
- `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
|
302
335
|
- Works with ruby 2.5
|
303
336
|
|
337
|
+
[v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha1/
|
338
|
+
[v2.5.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.0...v2.5.1/
|
339
|
+
[v2.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.1...v2.5.0/
|
340
|
+
[v2.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.0...v2.4.1/
|
304
341
|
[v2.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v2.4.0/
|
305
342
|
[v2.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.1...v2.3.0/
|
306
343
|
[v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
|
@@ -329,6 +366,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
|
|
329
366
|
[v0.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.1.0...v0.2.0/
|
330
367
|
[v0.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.0.0...v0.1.0/
|
331
368
|
|
369
|
+
[@brauliomartinezlm]: https://github.com/brauliomartinezlm
|
332
370
|
[@bdewater]: https://github.com/bdewater
|
333
371
|
[@jdongelmans]: https://github.com/jdongelmans
|
334
372
|
[@kalebtesfay]: https://github.com/kalebtesfay
|
@@ -338,3 +376,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
|
|
338
376
|
[@padulafacundo]: https://github.com/padulafacundo
|
339
377
|
[@santiagorodriguez96]: https://github.com/santiagorodriguez96
|
340
378
|
[@lgarron]: https://github.com/lgarron
|
379
|
+
[@juanarias93]: https://github.com/juanarias93
|
380
|
+
[@kingjan1999]: https://github.com/@kingjan1999
|
381
|
+
[@jdongelmans]: https://github.com/jdongelmans
|
382
|
+
[@petergoldstein]: https://github.com/petergoldstein
|
data/README.md
CHANGED
@@ -6,7 +6,7 @@ For the current release version see https://github.com/cedarcode/webauthn-ruby/b
|
|
6
6
|
![banner](assets/webauthn-ruby.png)
|
7
7
|
|
8
8
|
[![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
|
9
|
-
[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.
|
9
|
+
[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.com/cedarcode/webauthn-ruby)
|
10
10
|
[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
|
11
11
|
[![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
|
12
12
|
|
@@ -96,6 +96,8 @@ If you are migrating an existing application from the legacy FIDO U2F JavaScript
|
|
96
96
|
|
97
97
|
### Configuration
|
98
98
|
|
99
|
+
If you have a multi-tenant application or just need to configure WebAuthn differently for separate parts of your application (e.g. if your users authenticate to different subdomains in the same application), we strongly recommend you look at this [Advanced Configuration](docs/advanced_configuration.md) section instead of this.
|
100
|
+
|
99
101
|
For a Rails application this would go in `config/initializers/webauthn.rb`.
|
100
102
|
|
101
103
|
```ruby
|
@@ -408,7 +410,7 @@ credential.authenticator_extension_outputs
|
|
408
410
|
|
409
411
|
## Attestation
|
410
412
|
|
411
|
-
### Attestation Statement
|
413
|
+
### Attestation Statement Formats
|
412
414
|
|
413
415
|
| Attestation Statement Format | Supported? |
|
414
416
|
| -------- | :--------: |
|
@@ -417,6 +419,7 @@ credential.authenticator_extension_outputs
|
|
417
419
|
| tpm (x5c attestation) | Yes |
|
418
420
|
| android-key | Yes |
|
419
421
|
| android-safetynet | Yes |
|
422
|
+
| apple | Yes |
|
420
423
|
| fido-u2f | Yes |
|
421
424
|
| none | Yes |
|
422
425
|
|
data/SECURITY.md
CHANGED
@@ -4,9 +4,10 @@
|
|
4
4
|
|
5
5
|
| Version | Supported |
|
6
6
|
| ------- | ------------------ |
|
7
|
+
| 2.5.z | :white_check_mark: |
|
7
8
|
| 2.4.z | :white_check_mark: |
|
8
9
|
| 2.3.z | :white_check_mark: |
|
9
|
-
| 2.2.z | :
|
10
|
+
| 2.2.z | :x: |
|
10
11
|
| 2.1.z | :x: |
|
11
12
|
| 2.0.z | :x: |
|
12
13
|
| 1.18.z | :white_check_mark: |
|
@@ -0,0 +1,174 @@
|
|
1
|
+
# Advanced Configuration
|
2
|
+
|
3
|
+
## Global vs Instance Based Configuration
|
4
|
+
|
5
|
+
Which approach suits best your needs will depend on the architecture of your application and how do your users need to register and authenticate to it.
|
6
|
+
|
7
|
+
If you have a multi-tenant application, or any application segmenation, where your users register and authenticate to each of these tenants or segments individuallly using different hostnames, or with different security needs, you need to go through [Instance Based Configuration](#instance-based-configuration).
|
8
|
+
|
9
|
+
However, if your application is served for just one hostname, or else if your users authenticate to only one subdmain (e.g. your application serves www.example.com and admin.example.com but all you users authenticate through auth.example.com) you can still rely on one [Global Configuration](../README.md#configuration).
|
10
|
+
|
11
|
+
If you are still not sure, or want to keep your options open, be aware that [Instance Based Configuration](#instance-based-configuration) is also a valid way of defining a single instance configuration and how you share such configuration across your application, it's up to you.
|
12
|
+
|
13
|
+
|
14
|
+
## Instance Based Configuration
|
15
|
+
|
16
|
+
Intead of the [Global Configuration](../README.md#configuration) you place in `config/initializers/webauthn.rb`,
|
17
|
+
you can now have an on-demand instance of `WebAuthn::RelyingParty` with the same configuration options, that
|
18
|
+
you can build anywhere in you application, in the following way:
|
19
|
+
|
20
|
+
```ruby
|
21
|
+
relying_party = WebAuthn::RelyingParty.new(
|
22
|
+
# This value needs to match `window.location.origin` evaluated by
|
23
|
+
# the User Agent during registration and authentication ceremonies.
|
24
|
+
origin: "https://admin.example.com"
|
25
|
+
|
26
|
+
# Relying Party name for display purposes
|
27
|
+
name: "Admin Site for Example Inc."
|
28
|
+
|
29
|
+
# Optionally configure a client timeout hint, in milliseconds.
|
30
|
+
# This hint specifies how long the browser should wait for any
|
31
|
+
# interaction with the user.
|
32
|
+
# This hint may be overridden by the browser.
|
33
|
+
# https://www.w3.org/TR/webauthn/#dom-publickeycredentialcreationoptions-timeout
|
34
|
+
# credential_options_timeout: 120_000
|
35
|
+
|
36
|
+
# You can optionally specify a different Relying Party ID
|
37
|
+
# (https://www.w3.org/TR/webauthn/#relying-party-identifier)
|
38
|
+
# if it differs from the default one.
|
39
|
+
#
|
40
|
+
# In this case the default would be "admin.example.com", but you can set it to
|
41
|
+
# the suffix "example.com"
|
42
|
+
#
|
43
|
+
# rp_id: "example.com"
|
44
|
+
|
45
|
+
# Configure preferred binary-to-text encoding scheme. This should match the encoding scheme
|
46
|
+
# used in your client-side (user agent) code before sending the credential to the server.
|
47
|
+
# Supported values: `:base64url` (default), `:base64` or `false` to disable all encoding.
|
48
|
+
#
|
49
|
+
# encoding: :base64url
|
50
|
+
|
51
|
+
# Possible values: "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512", "RS1"
|
52
|
+
# Default: ["ES256", "PS256", "RS256"]
|
53
|
+
#
|
54
|
+
# algorithms: ["ES384"]
|
55
|
+
)
|
56
|
+
```
|
57
|
+
|
58
|
+
## Instance Based API
|
59
|
+
|
60
|
+
**DISCLAIMER: This API was released on version 3.0.0.alpha1 and is still under evaluation. Although it has been throughly tested and it is fully functional it might be changed until the final release of version 3.0.0.**
|
61
|
+
|
62
|
+
The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelytingParty.new(...)` the code in those explanations needs to be updated to:
|
63
|
+
|
64
|
+
### Credential Registration
|
65
|
+
|
66
|
+
#### Initiation phase
|
67
|
+
|
68
|
+
```ruby
|
69
|
+
# Generate and store the WebAuthn User ID the first time the user registers a credential
|
70
|
+
if !user.webauthn_id
|
71
|
+
user.update!(webauthn_id: WebAuthn.generate_user_id)
|
72
|
+
end
|
73
|
+
|
74
|
+
options = relying_party.options_for_create(
|
75
|
+
user: { id: user.webauthn_id, name: user.name },
|
76
|
+
exclude: user.credentials.map { |c| c.webauthn_id }
|
77
|
+
)
|
78
|
+
|
79
|
+
# Store the newly generated challenge somewhere so you can have it
|
80
|
+
# for the verification phase.
|
81
|
+
session[:creation_challenge] = options.challenge
|
82
|
+
|
83
|
+
# Send `options` back to the browser, so that they can be used
|
84
|
+
# to call `navigator.credentials.create({ "publicKey": options })`
|
85
|
+
#
|
86
|
+
# You can call `options.as_json` to get a ruby hash with a JSON representation if needed.
|
87
|
+
|
88
|
+
# If inside a Rails controller, `render json: options` will just work.
|
89
|
+
# I.e. it will encode and convert the options to JSON automatically.
|
90
|
+
|
91
|
+
# For your frontend code, you might find @github/webauthn-json npm package useful.
|
92
|
+
# Especially for handling the necessary decoding of the options, and sending the
|
93
|
+
# `PublicKeyCredential` object back to the server.
|
94
|
+
```
|
95
|
+
|
96
|
+
#### Verification phase
|
97
|
+
|
98
|
+
```ruby
|
99
|
+
# Assuming you're using @github/webauthn-json package to send the `PublicKeyCredential` object back
|
100
|
+
# in params[:publicKeyCredential]:
|
101
|
+
begin
|
102
|
+
webauthn_credential = relying_party.verify_registration(
|
103
|
+
params[:publicKeyCredential],
|
104
|
+
params[:create_challenge]
|
105
|
+
)
|
106
|
+
|
107
|
+
# Store Credential ID, Credential Public Key and Sign Count for future authentications
|
108
|
+
user.credentials.create!(
|
109
|
+
webauthn_id: webauthn_credential.id,
|
110
|
+
public_key: webauthn_credential.public_key,
|
111
|
+
sign_count: webauthn_credential.sign_count
|
112
|
+
)
|
113
|
+
rescue WebAuthn::Error => e
|
114
|
+
# Handle error
|
115
|
+
end
|
116
|
+
```
|
117
|
+
|
118
|
+
### Credential Authentication
|
119
|
+
|
120
|
+
#### Initiation phase
|
121
|
+
|
122
|
+
```ruby
|
123
|
+
options = relying_party.options_for_get(allow: user.credentials.map { |c| c.webauthn_id })
|
124
|
+
|
125
|
+
# Store the newly generated challenge somewhere so you can have it
|
126
|
+
# for the verification phase.
|
127
|
+
session[:authentication_challenge] = options.challenge
|
128
|
+
|
129
|
+
# Send `options` back to the browser, so that they can be used
|
130
|
+
# to call `navigator.credentials.get({ "publicKey": options })`
|
131
|
+
|
132
|
+
# You can call `options.as_json` to get a ruby hash with a JSON representation if needed.
|
133
|
+
|
134
|
+
# If inside a Rails controller, `render json: options` will just work.
|
135
|
+
# I.e. it will encode and convert the options to JSON automatically.
|
136
|
+
|
137
|
+
# For your frontend code, you might find @github/webauthn-json npm package useful.
|
138
|
+
# Especially for handling the necessary decoding of the options, and sending the
|
139
|
+
# `PublicKeyCredential` object back to the server.
|
140
|
+
```
|
141
|
+
|
142
|
+
#### Verification phase
|
143
|
+
|
144
|
+
```ruby
|
145
|
+
begin
|
146
|
+
# Assuming you're using @github/webauthn-json package to send the `PublicKeyCredential` object back
|
147
|
+
# in params[:publicKeyCredential]:
|
148
|
+
webauthn_credential, stored_credential = relying_party.verify_authentication(
|
149
|
+
params[:publicKeyCredential],
|
150
|
+
session[:authentication_challenge]
|
151
|
+
) do
|
152
|
+
# the returned object needs to respond to #public_key and #sign_count
|
153
|
+
user.credentials.find_by(webauthn_id: webauthn_credential.id)
|
154
|
+
end
|
155
|
+
|
156
|
+
# Update the stored credential sign count with the value from `webauthn_credential.sign_count`
|
157
|
+
stored_credential.update!(sign_count: webauthn_credential.sign_count)
|
158
|
+
|
159
|
+
# Continue with successful sign in or 2FA verification...
|
160
|
+
|
161
|
+
rescue WebAuthn::SignCountVerificationError => e
|
162
|
+
# Cryptographic verification of the authenticator data succeeded, but the signature counter was less then or equal
|
163
|
+
# to the stored value. This can have several reasons and depending on your risk tolerance you can choose to fail or
|
164
|
+
# pass authentication. For more information see https://www.w3.org/TR/webauthn/#sign-counter
|
165
|
+
rescue WebAuthn::Error => e
|
166
|
+
# Handle error
|
167
|
+
end
|
168
|
+
```
|
169
|
+
|
170
|
+
## Moving from Global to Instance Based Configuration
|
171
|
+
|
172
|
+
Adding a configuration for a new instance does not mean you need to get rid of your Global configuration. They can co-exist in your application and be both available for the different usages you might have. `WebAuthn.configuration.relying_party` will always return the global one while `WebAuthn::RelyingParty.new`, executed anywhere in your codebase, will allow you to create a different instance as you see the need. They will not collide and instead operate in isolation without any shared state.
|
173
|
+
|
174
|
+
The gem API described in the current [Usage](../README.md#usage) section for the [Global Configuration](../README.md#configuration) approach will still valid but the [Instance Based API](#instance-based-api) also works with the global `relying_party` that is maintain globally at `WebAuthn.configuration.relying_party`.
|
data/docs/u2f_migration.md
CHANGED
@@ -82,7 +82,7 @@ During authentication verification phase, you must pass either the original AppI
|
|
82
82
|
|
83
83
|
```ruby
|
84
84
|
assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
|
85
|
-
|
85
|
+
user_handle: params[:response][:userHandle],
|
86
86
|
authenticator_data: params[:response][:authenticatorData],
|
87
87
|
client_data_json: params[:response][:clientDataJSON],
|
88
88
|
signature: params[:response][:signature],
|
@@ -90,7 +90,8 @@ assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
|
|
90
90
|
|
91
91
|
assertion_response.verify(
|
92
92
|
expected_challenge,
|
93
|
-
|
93
|
+
public_key: credential.public_key,
|
94
|
+
sign_count: credential.count,
|
94
95
|
rp_id: params[:clientExtensionResults][:appid] ? domain.to_s : domain.host,
|
95
96
|
)
|
96
97
|
```
|
@@ -20,10 +20,6 @@ module WebAuthn
|
|
20
20
|
|
21
21
|
private
|
22
22
|
|
23
|
-
def matching_public_key?(authenticator_data)
|
24
|
-
attestation_certificate.public_key.to_der == authenticator_data.credential.public_key_object.to_der
|
25
|
-
end
|
26
|
-
|
27
23
|
def valid_attestation_challenge?(client_data_hash)
|
28
24
|
android_key_attestation.verify_challenge(client_data_hash)
|
29
25
|
rescue AndroidKeyAttestation::ChallengeMismatchError
|
@@ -16,10 +16,6 @@ module WebAuthn
|
|
16
16
|
[attestation_type, attestation_trust_path]
|
17
17
|
end
|
18
18
|
|
19
|
-
def attestation_certificate
|
20
|
-
attestation_trust_path.first
|
21
|
-
end
|
22
|
-
|
23
19
|
private
|
24
20
|
|
25
21
|
def valid_response?(authenticator_data, client_data_hash)
|
@@ -52,7 +48,7 @@ module WebAuthn
|
|
52
48
|
end
|
53
49
|
|
54
50
|
# SafetyNetAttestation returns full chain including root, WebAuthn expects only the x5c certificates
|
55
|
-
def
|
51
|
+
def certificates
|
56
52
|
attestation_response.certificate_chain[0..-2]
|
57
53
|
end
|
58
54
|
|
@@ -0,0 +1,65 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "openssl"
|
4
|
+
require "webauthn/attestation_statement/base"
|
5
|
+
|
6
|
+
module WebAuthn
|
7
|
+
module AttestationStatement
|
8
|
+
class Apple < Base
|
9
|
+
# Source: https://www.apple.com/certificateauthority/private/
|
10
|
+
ROOT_CERTIFICATE =
|
11
|
+
OpenSSL::X509::Certificate.new(<<~PEM)
|
12
|
+
-----BEGIN CERTIFICATE-----
|
13
|
+
MIICEjCCAZmgAwIBAgIQaB0BbHo84wIlpQGUKEdXcTAKBggqhkjOPQQDAzBLMR8w
|
14
|
+
HQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJ
|
15
|
+
bmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MjEzMloXDTQ1MDMx
|
16
|
+
NTAwMDAwMFowSzEfMB0GA1UEAwwWQXBwbGUgV2ViQXV0aG4gUm9vdCBDQTETMBEG
|
17
|
+
A1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTB2MBAGByqGSM49
|
18
|
+
AgEGBSuBBAAiA2IABCJCQ2pTVhzjl4Wo6IhHtMSAzO2cv+H9DQKev3//fG59G11k
|
19
|
+
xu9eI0/7o6V5uShBpe1u6l6mS19S1FEh6yGljnZAJ+2GNP1mi/YK2kSXIuTHjxA/
|
20
|
+
pcoRf7XkOtO4o1qlcaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJtdk
|
21
|
+
2cV4wlpn0afeaxLQG2PxxtcwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA
|
22
|
+
MGQCMFrZ+9DsJ1PW9hfNdBywZDsWDbWFp28it1d/5w2RPkRX3Bbn/UbDTNLx7Jr3
|
23
|
+
jAGGiQIwHFj+dJZYUJR786osByBelJYsVZd2GbHQu209b5RCmGQ21gpSAk9QZW4B
|
24
|
+
1bWeT0vT
|
25
|
+
-----END CERTIFICATE-----
|
26
|
+
PEM
|
27
|
+
|
28
|
+
NONCE_EXTENSION_OID = "1.2.840.113635.100.8.2"
|
29
|
+
|
30
|
+
def valid?(authenticator_data, client_data_hash)
|
31
|
+
valid_nonce?(authenticator_data, client_data_hash) &&
|
32
|
+
matching_public_key?(authenticator_data) &&
|
33
|
+
trustworthy? &&
|
34
|
+
[attestation_type, attestation_trust_path]
|
35
|
+
end
|
36
|
+
|
37
|
+
private
|
38
|
+
|
39
|
+
def valid_nonce?(authenticator_data, client_data_hash)
|
40
|
+
extension = cred_cert&.find_extension(NONCE_EXTENSION_OID)
|
41
|
+
|
42
|
+
if extension
|
43
|
+
sequence = OpenSSL::ASN1.decode(extension.value_der)
|
44
|
+
|
45
|
+
sequence.tag == OpenSSL::ASN1::SEQUENCE &&
|
46
|
+
sequence.value.size == 1 &&
|
47
|
+
sequence.value[0].value[0].value ==
|
48
|
+
OpenSSL::Digest::SHA256.digest(authenticator_data.data + client_data_hash)
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
def attestation_type
|
53
|
+
WebAuthn::AttestationStatement::ATTESTATION_TYPE_ANONCA
|
54
|
+
end
|
55
|
+
|
56
|
+
def cred_cert
|
57
|
+
attestation_certificate
|
58
|
+
end
|
59
|
+
|
60
|
+
def default_root_certificates
|
61
|
+
[ROOT_CERTIFICATE]
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
@@ -16,11 +16,13 @@ module WebAuthn
|
|
16
16
|
ATTESTATION_TYPE_SELF = "Self"
|
17
17
|
ATTESTATION_TYPE_ATTCA = "AttCA"
|
18
18
|
ATTESTATION_TYPE_BASIC_OR_ATTCA = "Basic_or_AttCA"
|
19
|
+
ATTESTATION_TYPE_ANONCA = "AnonCA"
|
19
20
|
|
20
21
|
ATTESTATION_TYPES_WITH_ROOT = [
|
21
22
|
ATTESTATION_TYPE_BASIC,
|
22
23
|
ATTESTATION_TYPE_BASIC_OR_ATTCA,
|
23
|
-
ATTESTATION_TYPE_ATTCA
|
24
|
+
ATTESTATION_TYPE_ATTCA,
|
25
|
+
ATTESTATION_TYPE_ANONCA
|
24
26
|
].freeze
|
25
27
|
|
26
28
|
class Base
|
@@ -42,14 +44,8 @@ module WebAuthn
|
|
42
44
|
certificates&.first
|
43
45
|
end
|
44
46
|
|
45
|
-
def certificate_chain
|
46
|
-
if certificates
|
47
|
-
certificates[1..-1]
|
48
|
-
end
|
49
|
-
end
|
50
|
-
|
51
47
|
def attestation_certificate_key_id
|
52
|
-
|
48
|
+
attestation_certificate.subject_key_identifier&.unpack("H*")&.[](0)
|
53
49
|
end
|
54
50
|
|
55
51
|
private
|
@@ -57,17 +53,19 @@ module WebAuthn
|
|
57
53
|
attr_reader :statement
|
58
54
|
|
59
55
|
def matching_aaguid?(attested_credential_data_aaguid)
|
60
|
-
extension = attestation_certificate&.
|
56
|
+
extension = attestation_certificate&.find_extension(AAGUID_EXTENSION_OID)
|
61
57
|
if extension
|
62
|
-
|
63
|
-
|
64
|
-
extension.to_der[-WebAuthn::AuthenticatorData::AttestedCredentialData::AAGUID_LENGTH..-1] ==
|
65
|
-
attested_credential_data_aaguid
|
58
|
+
aaguid_value = OpenSSL::ASN1.decode(extension.value_der).value
|
59
|
+
aaguid_value == attested_credential_data_aaguid
|
66
60
|
else
|
67
61
|
true
|
68
62
|
end
|
69
63
|
end
|
70
64
|
|
65
|
+
def matching_public_key?(authenticator_data)
|
66
|
+
attestation_certificate.public_key.to_der == authenticator_data.credential.public_key_object.to_der
|
67
|
+
end
|
68
|
+
|
71
69
|
def certificates
|
72
70
|
@certificates ||=
|
73
71
|
raw_certificates&.map do |raw_certificate|
|
@@ -141,15 +139,6 @@ module WebAuthn
|
|
141
139
|
end
|
142
140
|
end
|
143
141
|
|
144
|
-
def raw_subject_key_identifier
|
145
|
-
extension = attestation_certificate.extensions.detect { |ext| ext.oid == "subjectKeyIdentifier" }
|
146
|
-
return unless extension
|
147
|
-
|
148
|
-
ext_asn1 = OpenSSL::ASN1.decode(extension.to_der)
|
149
|
-
ext_value = ext_asn1.value.last
|
150
|
-
OpenSSL::ASN1.decode(ext_value.value).value
|
151
|
-
end
|
152
|
-
|
153
142
|
def valid_signature?(authenticator_data, client_data_hash, public_key = attestation_certificate.public_key)
|
154
143
|
raise("Incompatible algorithm and key") unless cose_algorithm.compatible_key?(public_key)
|
155
144
|
|
@@ -6,12 +6,18 @@ module WebAuthn
|
|
6
6
|
module AttestationStatement
|
7
7
|
class None < Base
|
8
8
|
def valid?(*_args)
|
9
|
-
if statement == {}
|
9
|
+
if statement == {} && trustworthy?
|
10
10
|
[WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE, nil]
|
11
11
|
else
|
12
12
|
false
|
13
13
|
end
|
14
14
|
end
|
15
|
+
|
16
|
+
private
|
17
|
+
|
18
|
+
def attestation_type
|
19
|
+
WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE
|
20
|
+
end
|
15
21
|
end
|
16
22
|
end
|
17
23
|
end
|
@@ -46,7 +46,7 @@ module WebAuthn
|
|
46
46
|
|
47
47
|
attestation_certificate.version == 2 &&
|
48
48
|
subject.assoc('OU')&.at(1) == "Authenticator Attestation" &&
|
49
|
-
attestation_certificate.
|
49
|
+
attestation_certificate.find_extension('basicConstraints')&.value == 'CA:FALSE'
|
50
50
|
else
|
51
51
|
true
|
52
52
|
end
|
@@ -2,6 +2,7 @@
|
|
2
2
|
|
3
3
|
require "webauthn/attestation_statement/android_key"
|
4
4
|
require "webauthn/attestation_statement/android_safetynet"
|
5
|
+
require "webauthn/attestation_statement/apple"
|
5
6
|
require "webauthn/attestation_statement/fido_u2f"
|
6
7
|
require "webauthn/attestation_statement/none"
|
7
8
|
require "webauthn/attestation_statement/packed"
|
@@ -18,6 +19,7 @@ module WebAuthn
|
|
18
19
|
ATTESTATION_FORMAT_ANDROID_SAFETYNET = "android-safetynet"
|
19
20
|
ATTESTATION_FORMAT_ANDROID_KEY = "android-key"
|
20
21
|
ATTESTATION_FORMAT_TPM = "tpm"
|
22
|
+
ATTESTATION_FORMAT_APPLE = "apple"
|
21
23
|
|
22
24
|
FORMAT_TO_CLASS = {
|
23
25
|
ATTESTATION_FORMAT_NONE => WebAuthn::AttestationStatement::None,
|
@@ -25,7 +27,8 @@ module WebAuthn
|
|
25
27
|
ATTESTATION_FORMAT_PACKED => WebAuthn::AttestationStatement::Packed,
|
26
28
|
ATTESTATION_FORMAT_ANDROID_SAFETYNET => WebAuthn::AttestationStatement::AndroidSafetynet,
|
27
29
|
ATTESTATION_FORMAT_ANDROID_KEY => WebAuthn::AttestationStatement::AndroidKey,
|
28
|
-
ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM
|
30
|
+
ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM,
|
31
|
+
ATTESTATION_FORMAT_APPLE => WebAuthn::AttestationStatement::Apple
|
29
32
|
}.freeze
|
30
33
|
|
31
34
|
def self.from(format, statement)
|
@@ -3,7 +3,6 @@
|
|
3
3
|
require "webauthn/authenticator_data"
|
4
4
|
require "webauthn/client_data"
|
5
5
|
require "webauthn/error"
|
6
|
-
require "webauthn/security_utils"
|
7
6
|
|
8
7
|
module WebAuthn
|
9
8
|
TYPES = { create: "webauthn.create", get: "webauthn.get" }.freeze
|
@@ -79,7 +78,7 @@ module WebAuthn
|
|
79
78
|
end
|
80
79
|
|
81
80
|
def valid_challenge?(expected_challenge)
|
82
|
-
|
81
|
+
OpenSSL.secure_compare(client_data.challenge, expected_challenge)
|
83
82
|
end
|
84
83
|
|
85
84
|
def valid_origin?(expected_origin)
|
@@ -16,11 +16,7 @@ module WebAuthn
|
|
16
16
|
class RootCertificateFinderNotSupportedError < Error; end
|
17
17
|
|
18
18
|
class Configuration
|
19
|
-
|
20
|
-
OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
|
21
|
-
end
|
22
|
-
|
23
|
-
DEFAULT_ALGORITHMS = ["ES256", if_pss_supported("PS256"), "RS256"].compact.freeze
|
19
|
+
DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
|
24
20
|
|
25
21
|
attr_accessor :algorithms
|
26
22
|
attr_accessor :encoding
|
@@ -39,7 +35,7 @@ module WebAuthn
|
|
39
35
|
@verify_attestation_statement = true
|
40
36
|
@credential_options_timeout = 120000
|
41
37
|
@silent_authentication = false
|
42
|
-
@acceptable_attestation_types = ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']
|
38
|
+
@acceptable_attestation_types = ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA', 'AnonCA']
|
43
39
|
@attestation_root_certificates_finders = []
|
44
40
|
end
|
45
41
|
|
@@ -50,12 +50,20 @@ module WebAuthn
|
|
50
50
|
user_verified: false,
|
51
51
|
aaguid: AuthenticatorData::AAGUID,
|
52
52
|
sign_count: nil,
|
53
|
-
extensions: nil
|
53
|
+
extensions: nil,
|
54
|
+
allow_credentials: nil
|
54
55
|
)
|
55
56
|
credential_options = credentials[rp_id]
|
56
57
|
|
57
58
|
if credential_options
|
58
|
-
|
59
|
+
allow_credentials ||= credential_options.keys
|
60
|
+
credential_id = (credential_options.keys & allow_credentials).first
|
61
|
+
unless credential_id
|
62
|
+
raise "No matching credentials (allowed=#{allow_credentials}) " \
|
63
|
+
"found for RP #{rp_id} among credentials=#{credential_options}"
|
64
|
+
end
|
65
|
+
|
66
|
+
credential = credential_options[credential_id]
|
59
67
|
credential_key = credential[:credential_key]
|
60
68
|
credential_sign_count = credential[:sign_count]
|
61
69
|
|
data/lib/webauthn/fake_client.rb
CHANGED
@@ -74,19 +74,25 @@ module WebAuthn
|
|
74
74
|
user_verified: false,
|
75
75
|
sign_count: nil,
|
76
76
|
extensions: nil,
|
77
|
-
user_handle: nil
|
77
|
+
user_handle: nil,
|
78
|
+
allow_credentials: nil)
|
78
79
|
rp_id ||= URI.parse(origin).host
|
79
80
|
|
80
81
|
client_data_json = data_json_for(:get, encoder.decode(challenge))
|
81
82
|
client_data_hash = hashed(client_data_json)
|
82
83
|
|
84
|
+
if allow_credentials
|
85
|
+
allow_credentials = allow_credentials.map { |credential| encoder.decode(credential) }
|
86
|
+
end
|
87
|
+
|
83
88
|
assertion = authenticator.get_assertion(
|
84
89
|
rp_id: rp_id,
|
85
90
|
client_data_hash: client_data_hash,
|
86
91
|
user_present: user_present,
|
87
92
|
user_verified: user_verified,
|
88
93
|
sign_count: sign_count,
|
89
|
-
extensions: extensions
|
94
|
+
extensions: extensions,
|
95
|
+
allow_credentials: allow_credentials
|
90
96
|
)
|
91
97
|
|
92
98
|
{
|
@@ -5,11 +5,10 @@ require "awrence"
|
|
5
5
|
module WebAuthn
|
6
6
|
class PublicKeyCredential
|
7
7
|
class Entity
|
8
|
-
attr_reader :name
|
8
|
+
attr_reader :name
|
9
9
|
|
10
|
-
def initialize(name
|
10
|
+
def initialize(name:)
|
11
11
|
@name = name
|
12
|
-
@icon = icon
|
13
12
|
end
|
14
13
|
|
15
14
|
def as_json
|
@@ -37,7 +36,7 @@ module WebAuthn
|
|
37
36
|
end
|
38
37
|
|
39
38
|
def attributes
|
40
|
-
[:name
|
39
|
+
[:name]
|
41
40
|
end
|
42
41
|
end
|
43
42
|
end
|
data/lib/webauthn/version.rb
CHANGED
data/webauthn.gemspec
CHANGED
@@ -38,16 +38,15 @@ Gem::Specification.new do |spec|
|
|
38
38
|
spec.add_dependency "bindata", "~> 2.4"
|
39
39
|
spec.add_dependency "cbor", "~> 0.5.9"
|
40
40
|
spec.add_dependency "cose", "~> 1.1"
|
41
|
-
spec.add_dependency "openssl", "~> 2.
|
41
|
+
spec.add_dependency "openssl", "~> 2.2"
|
42
42
|
spec.add_dependency "safety_net_attestation", "~> 0.4.0"
|
43
|
-
spec.add_dependency "securecompare", "~> 1.0"
|
44
43
|
spec.add_dependency "tpm-key_attestation", "~> 0.10.0"
|
45
44
|
|
46
|
-
spec.add_development_dependency "appraisal", "~> 2.3.0"
|
47
45
|
spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
|
48
46
|
spec.add_development_dependency "byebug", "~> 11.0"
|
49
47
|
spec.add_development_dependency "rake", "~> 13.0"
|
50
48
|
spec.add_development_dependency "rspec", "~> 3.8"
|
51
|
-
spec.add_development_dependency "rubocop", "
|
52
|
-
spec.add_development_dependency "rubocop-
|
49
|
+
spec.add_development_dependency "rubocop", "~> 1.9.1"
|
50
|
+
spec.add_development_dependency "rubocop-rake", "~> 0.5.1"
|
51
|
+
spec.add_development_dependency "rubocop-rspec", "~> 2.2.0"
|
53
52
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: webauthn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.5.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Gonzalo Rodriguez
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: exe
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2022-03-20 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: android_key_attestation
|
@@ -87,14 +87,14 @@ dependencies:
|
|
87
87
|
requirements:
|
88
88
|
- - "~>"
|
89
89
|
- !ruby/object:Gem::Version
|
90
|
-
version: '2.
|
90
|
+
version: '2.2'
|
91
91
|
type: :runtime
|
92
92
|
prerelease: false
|
93
93
|
version_requirements: !ruby/object:Gem::Requirement
|
94
94
|
requirements:
|
95
95
|
- - "~>"
|
96
96
|
- !ruby/object:Gem::Version
|
97
|
-
version: '2.
|
97
|
+
version: '2.2'
|
98
98
|
- !ruby/object:Gem::Dependency
|
99
99
|
name: safety_net_attestation
|
100
100
|
requirement: !ruby/object:Gem::Requirement
|
@@ -109,20 +109,6 @@ dependencies:
|
|
109
109
|
- - "~>"
|
110
110
|
- !ruby/object:Gem::Version
|
111
111
|
version: 0.4.0
|
112
|
-
- !ruby/object:Gem::Dependency
|
113
|
-
name: securecompare
|
114
|
-
requirement: !ruby/object:Gem::Requirement
|
115
|
-
requirements:
|
116
|
-
- - "~>"
|
117
|
-
- !ruby/object:Gem::Version
|
118
|
-
version: '1.0'
|
119
|
-
type: :runtime
|
120
|
-
prerelease: false
|
121
|
-
version_requirements: !ruby/object:Gem::Requirement
|
122
|
-
requirements:
|
123
|
-
- - "~>"
|
124
|
-
- !ruby/object:Gem::Version
|
125
|
-
version: '1.0'
|
126
112
|
- !ruby/object:Gem::Dependency
|
127
113
|
name: tpm-key_attestation
|
128
114
|
requirement: !ruby/object:Gem::Requirement
|
@@ -137,20 +123,6 @@ dependencies:
|
|
137
123
|
- - "~>"
|
138
124
|
- !ruby/object:Gem::Version
|
139
125
|
version: 0.10.0
|
140
|
-
- !ruby/object:Gem::Dependency
|
141
|
-
name: appraisal
|
142
|
-
requirement: !ruby/object:Gem::Requirement
|
143
|
-
requirements:
|
144
|
-
- - "~>"
|
145
|
-
- !ruby/object:Gem::Version
|
146
|
-
version: 2.3.0
|
147
|
-
type: :development
|
148
|
-
prerelease: false
|
149
|
-
version_requirements: !ruby/object:Gem::Requirement
|
150
|
-
requirements:
|
151
|
-
- - "~>"
|
152
|
-
- !ruby/object:Gem::Version
|
153
|
-
version: 2.3.0
|
154
126
|
- !ruby/object:Gem::Dependency
|
155
127
|
name: bundler
|
156
128
|
requirement: !ruby/object:Gem::Requirement
|
@@ -217,30 +189,44 @@ dependencies:
|
|
217
189
|
name: rubocop
|
218
190
|
requirement: !ruby/object:Gem::Requirement
|
219
191
|
requirements:
|
220
|
-
- -
|
192
|
+
- - "~>"
|
221
193
|
- !ruby/object:Gem::Version
|
222
|
-
version:
|
194
|
+
version: 1.9.1
|
223
195
|
type: :development
|
224
196
|
prerelease: false
|
225
197
|
version_requirements: !ruby/object:Gem::Requirement
|
226
198
|
requirements:
|
227
|
-
- -
|
199
|
+
- - "~>"
|
200
|
+
- !ruby/object:Gem::Version
|
201
|
+
version: 1.9.1
|
202
|
+
- !ruby/object:Gem::Dependency
|
203
|
+
name: rubocop-rake
|
204
|
+
requirement: !ruby/object:Gem::Requirement
|
205
|
+
requirements:
|
206
|
+
- - "~>"
|
207
|
+
- !ruby/object:Gem::Version
|
208
|
+
version: 0.5.1
|
209
|
+
type: :development
|
210
|
+
prerelease: false
|
211
|
+
version_requirements: !ruby/object:Gem::Requirement
|
212
|
+
requirements:
|
213
|
+
- - "~>"
|
228
214
|
- !ruby/object:Gem::Version
|
229
|
-
version:
|
215
|
+
version: 0.5.1
|
230
216
|
- !ruby/object:Gem::Dependency
|
231
217
|
name: rubocop-rspec
|
232
218
|
requirement: !ruby/object:Gem::Requirement
|
233
219
|
requirements:
|
234
220
|
- - "~>"
|
235
221
|
- !ruby/object:Gem::Version
|
236
|
-
version:
|
222
|
+
version: 2.2.0
|
237
223
|
type: :development
|
238
224
|
prerelease: false
|
239
225
|
version_requirements: !ruby/object:Gem::Requirement
|
240
226
|
requirements:
|
241
227
|
- - "~>"
|
242
228
|
- !ruby/object:Gem::Version
|
243
|
-
version:
|
229
|
+
version: 2.2.0
|
244
230
|
description: |-
|
245
231
|
WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
|
246
232
|
Relying Party and allow your users to authenticate with U2F and FIDO2 authenticators.
|
@@ -251,11 +237,11 @@ executables: []
|
|
251
237
|
extensions: []
|
252
238
|
extra_rdoc_files: []
|
253
239
|
files:
|
240
|
+
- ".github/workflows/build.yml"
|
241
|
+
- ".github/workflows/git.yml"
|
254
242
|
- ".gitignore"
|
255
243
|
- ".rspec"
|
256
244
|
- ".rubocop.yml"
|
257
|
-
- ".travis.yml"
|
258
|
-
- Appraisals
|
259
245
|
- CHANGELOG.md
|
260
246
|
- CONTRIBUTING.md
|
261
247
|
- Gemfile
|
@@ -265,18 +251,15 @@ files:
|
|
265
251
|
- SECURITY.md
|
266
252
|
- bin/console
|
267
253
|
- bin/setup
|
254
|
+
- docs/advanced_configuration.md
|
268
255
|
- docs/u2f_migration.md
|
269
|
-
- gemfiles/cose_head.gemfile
|
270
|
-
- gemfiles/openssl_2_0.gemfile
|
271
|
-
- gemfiles/openssl_2_1.gemfile
|
272
|
-
- gemfiles/openssl_2_2.gemfile
|
273
|
-
- gemfiles/openssl_head.gemfile
|
274
256
|
- lib/cose/rsapkcs1_algorithm.rb
|
275
257
|
- lib/webauthn.rb
|
276
258
|
- lib/webauthn/attestation_object.rb
|
277
259
|
- lib/webauthn/attestation_statement.rb
|
278
260
|
- lib/webauthn/attestation_statement/android_key.rb
|
279
261
|
- lib/webauthn/attestation_statement/android_safetynet.rb
|
262
|
+
- lib/webauthn/attestation_statement/apple.rb
|
280
263
|
- lib/webauthn/attestation_statement/base.rb
|
281
264
|
- lib/webauthn/attestation_statement/fido_u2f.rb
|
282
265
|
- lib/webauthn/attestation_statement/fido_u2f/public_key.rb
|
@@ -313,11 +296,8 @@ files:
|
|
313
296
|
- lib/webauthn/public_key_credential/user_entity.rb
|
314
297
|
- lib/webauthn/public_key_credential_with_assertion.rb
|
315
298
|
- lib/webauthn/public_key_credential_with_attestation.rb
|
316
|
-
- lib/webauthn/security_utils.rb
|
317
299
|
- lib/webauthn/u2f_migrator.rb
|
318
300
|
- lib/webauthn/version.rb
|
319
|
-
- script/ci/install-openssl
|
320
|
-
- script/ci/install-ruby
|
321
301
|
- webauthn.gemspec
|
322
302
|
homepage: https://github.com/cedarcode/webauthn-ruby
|
323
303
|
licenses:
|
@@ -341,7 +321,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
341
321
|
- !ruby/object:Gem::Version
|
342
322
|
version: '0'
|
343
323
|
requirements: []
|
344
|
-
rubygems_version: 3.1
|
324
|
+
rubygems_version: 3.0.3.1
|
345
325
|
signing_key:
|
346
326
|
specification_version: 4
|
347
327
|
summary: WebAuthn ruby server library
|
data/.travis.yml
DELETED
@@ -1,39 +0,0 @@
|
|
1
|
-
dist: bionic
|
2
|
-
language: ruby
|
3
|
-
|
4
|
-
cache:
|
5
|
-
bundler: true
|
6
|
-
directories:
|
7
|
-
- /home/travis/.rvm/
|
8
|
-
|
9
|
-
env:
|
10
|
-
- LIBSSL=1.1 RB=2.7.1
|
11
|
-
- LIBSSL=1.1 RB=2.6.6
|
12
|
-
- LIBSSL=1.1 RB=2.5.8
|
13
|
-
- LIBSSL=1.1 RB=2.4.10
|
14
|
-
- LIBSSL=1.1 RB=ruby-head
|
15
|
-
- LIBSSL=1.0 RB=2.7.1
|
16
|
-
- LIBSSL=1.0 RB=2.6.6
|
17
|
-
- LIBSSL=1.0 RB=2.5.8
|
18
|
-
- LIBSSL=1.0 RB=2.4.10
|
19
|
-
- LIBSSL=1.0 RB=ruby-head
|
20
|
-
|
21
|
-
gemfile:
|
22
|
-
- gemfiles/cose_head.gemfile
|
23
|
-
- gemfiles/openssl_head.gemfile
|
24
|
-
- gemfiles/openssl_2_2.gemfile
|
25
|
-
- gemfiles/openssl_2_1.gemfile
|
26
|
-
- gemfiles/openssl_2_0.gemfile
|
27
|
-
|
28
|
-
matrix:
|
29
|
-
fast_finish: true
|
30
|
-
allow_failures:
|
31
|
-
- env: LIBSSL=1.1 RB=ruby-head
|
32
|
-
- env: LIBSSL=1.0 RB=ruby-head
|
33
|
-
- gemfile: gemfiles/cose_head.gemfile
|
34
|
-
- gemfile: gemfiles/openssl_head.gemfile
|
35
|
-
|
36
|
-
before_install:
|
37
|
-
- ./script/ci/install-openssl
|
38
|
-
- ./script/ci/install-ruby
|
39
|
-
- gem install bundler -v "~> 2.0"
|
data/Appraisals
DELETED
@@ -1,21 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
appraise "cose_head" do
|
4
|
-
gem "cose", git: "https://github.com/cedarcode/cose-ruby"
|
5
|
-
end
|
6
|
-
|
7
|
-
appraise "openssl_head" do
|
8
|
-
gem "openssl", git: "https://github.com/ruby/openssl"
|
9
|
-
end
|
10
|
-
|
11
|
-
appraise "openssl_2_2" do
|
12
|
-
gem "openssl", "~> 2.2.0"
|
13
|
-
end
|
14
|
-
|
15
|
-
appraise "openssl_2_1" do
|
16
|
-
gem "openssl", "~> 2.1.0"
|
17
|
-
end
|
18
|
-
|
19
|
-
appraise "openssl_2_0" do
|
20
|
-
gem "openssl", "~> 2.0.0"
|
21
|
-
end
|
data/gemfiles/cose_head.gemfile
DELETED
@@ -1,20 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require "securecompare"
|
4
|
-
|
5
|
-
module WebAuthn
|
6
|
-
module SecurityUtils
|
7
|
-
# Constant time string comparison, for variable length strings.
|
8
|
-
# This code was adapted from Rails ActiveSupport::SecurityUtils
|
9
|
-
#
|
10
|
-
# The values are first processed by SHA256, so that we don't leak length info
|
11
|
-
# via timing attacks.
|
12
|
-
def secure_compare(first_string, second_string)
|
13
|
-
first_string_sha256 = ::Digest::SHA256.digest(first_string)
|
14
|
-
second_string_sha256 = ::Digest::SHA256.digest(second_string)
|
15
|
-
|
16
|
-
SecureCompare.compare(first_string_sha256, second_string_sha256) && first_string == second_string
|
17
|
-
end
|
18
|
-
module_function :secure_compare
|
19
|
-
end
|
20
|
-
end
|
data/script/ci/install-openssl
DELETED
data/script/ci/install-ruby
DELETED
@@ -1,13 +0,0 @@
|
|
1
|
-
#!/bin/bash
|
2
|
-
|
3
|
-
set -e
|
4
|
-
|
5
|
-
source "$HOME/.rvm/scripts/rvm"
|
6
|
-
|
7
|
-
if [[ "$LIBSSL" == "1.0" ]]; then
|
8
|
-
rvm use --install $RB --autolibs=read-only --disable-binary
|
9
|
-
elif [[ "$LIBSSL" == "1.1" ]]; then
|
10
|
-
rvm use --install $RB --binary --fuzzy
|
11
|
-
fi
|
12
|
-
|
13
|
-
[[ "`ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'`" =~ "OpenSSL $LIBSSL" ]] || { echo "Wrong libssl version"; exit 1; }
|