webauthn 2.4.1 → 3.0.0.alpha1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1ffc928d4b54cc4c19c946a30e3e0d1e6a56b317d9d82376bb7f7f9693ee88a
-  data.tar.gz: fe42ab966c5ec4ef20089f147276ba485496b8bcf284c1a16a05606c217a434a
+  metadata.gz: 1f418eb52a085d8e7c03bd1c3d11b88ed8fe467f4ec01d3178836689d470f436
+  data.tar.gz: 4ab67e8804cbd7d785e29b94760af6db9d6b1e52de1a58bafc74aed19b5b7e21
 SHA512:
-  metadata.gz: bd77e2c99e1a08f63dc1986edef737e64872f48108e5e664c8517c7bea11e22a9b4c2bf6e07f7d370d09c3ba3ba3264dff309fd792a47c239d359b27bdd070db
-  data.tar.gz: 36a50f38e8c7dac6e33e0494d9ebeac33587ace21d4cad022be1984bd7f915112ba99c6fb975186e63d2757156c09014538a8cfda55db8edeac5ef0327c42bc0
+  metadata.gz: ccdcd22e494079eb67c122c03e3061166f91de50dd0c2bf8662748c976483a9d472fa9f8d6b67db9abf484e8eac182195b5f1e1cca8aaaf88146d831919f1c93
+  data.tar.gz: b2506b530c796ee57e5d037e7dd3692b1e359408fd9757141b6c4f042c43d57344baa09dc63d17ace549927eeea50abaa8c0771a0ab6da0ece5d880362d890db

data/.rubocop.yml

@@ -24,9 +24,6 @@ Layout:
 Layout/ClassStructure:
   Enabled: true
 
-Layout/EmptyLinesAroundAttributeAccessor:
-  Enabled: true
-
 Layout/FirstMethodArgumentLineBreak:
   Enabled: true
 
@@ -41,54 +38,9 @@ Layout/MultilineAssignmentLayout:
 Layout/MultilineMethodArgumentLineBreaks:
   Enabled: true
 
-Layout/SpaceAroundMethodCallOperator:
-  Enabled: true
-
 Lint:
   Enabled: true
 
-Lint/DeprecatedOpenSSLConstant:
-  Enabled: true
-
-Lint/MixedRegexpCaptureTypes:
-  Enabled: true
-
-Lint/RaiseException:
-  Enabled: true
-
-Lint/StructNewOverride:
-  Enabled: true
-
-Lint/BinaryOperatorWithIdenticalOperands:
-  Enabled: true
-
-Lint/DuplicateElsifCondition:
-  Enabled: true
-
-Lint/DuplicateRescueException:
-  Enabled: true
-
-Lint/EmptyConditionalBody:
-  Enabled: true
-
-Lint/FloatComparison:
-  Enabled: true
-
-Lint/MissingSuper:
-  Enabled: true
-
-Lint/OutOfRangeRegexpRef:
-  Enabled: true
-
-Lint/SelfAssignment:
-  Enabled: true
-
-Lint/TopLevelReturnWithArgument:
-  Enabled: true
-
-Lint/UnreachableLoop:
-  Enabled: true
-
 Naming:
   Enabled: true
 

data/CHANGELOG.md

@@ -1,17 +1,10 @@
 # Changelog
 
-## [v2.4.1] - 2021-02-15
-
-### Fixed
-
-- Fix verification of new credential if no attestation provided and 'None' type is not among configured `acceptable_attestation_types`. I.e. reject it instead of letting it go through.
-
-## [v2.4.0] - 2020-09-03
+## [v3.0.0.alpha1] - 2020-06-27
 
 ### Added
 
-- Support for ES256K credentials
-- `FakeClient#get` accepts `user_handle:` keyword argument ([@lgarron])
+- Ability to define multiple relying parties with the introduction of the `WebAuthn::RelyingParty` class ([@padulafacundo], [@brauliomartinezlm])
 
 ## [v2.3.0] - 2020-06-27
 
@@ -307,8 +300,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
-[v2.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.0...v2.4.1/
-[v2.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v2.4.0/
+[v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha1/
 [v2.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.1...v2.3.0/
 [v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
 [v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
@@ -336,6 +328,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [v0.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.0.0...v0.1.0/
 
+[@brauliomartinezlm]: https://github.com/brauliomartinezlm
 [@bdewater]: https://github.com/bdewater
 [@jdongelmans]: https://github.com/jdongelmans
 [@kalebtesfay]: https://github.com/kalebtesfay
@@ -344,4 +337,3 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [@ssuttner]: https://github.com/ssuttner
 [@padulafacundo]: https://github.com/padulafacundo
 [@santiagorodriguez96]: https://github.com/santiagorodriguez96
-[@lgarron]: https://github.com/lgarron

data/SECURITY.md

@@ -4,11 +4,9 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.4.z    | :white_check_mark: |
-| 2.3.z    | :white_check_mark: |
 | 2.2.z    | :white_check_mark: |
-| 2.1.z    | :x: |
-| 2.0.z    | :x: |
+| 2.1.z    | :white_check_mark: |
+| 2.0.z    | :white_check_mark: |
 | 1.18.z   | :white_check_mark: |
 | < 1.18   | :x:                |
 

data/lib/cose/rsapkcs1_algorithm.rb

@@ -40,11 +40,4 @@ end
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-257, "RS256", hash_function: "SHA256"))
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-258, "RS384", hash_function: "SHA384"))
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-259, "RS512", hash_function: "SHA512"))
-
-# Patch openssl-signature_algorithm gem to support discouraged/deprecated RSA-PKCS#1 with SHA-1
-# (RS1 in JOSE/COSE terminology) algorithm needed for WebAuthn.
-OpenSSL::SignatureAlgorithm::RSAPKCS1.const_set(
-  :ACCEPTED_HASH_FUNCTIONS,
-  OpenSSL::SignatureAlgorithm::RSAPKCS1::ACCEPTED_HASH_FUNCTIONS + ["SHA1"]
-)
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-65535, "RS1", hash_function: "SHA1"))

data/lib/webauthn/attestation_object.rb

@@ -10,18 +10,22 @@ module WebAuthn
   class AttestationObject
     extend Forwardable
 
-    def self.deserialize(attestation_object)
-      from_map(CBOR.decode(attestation_object))
+    def self.deserialize(attestation_object, relying_party)
+      from_map(CBOR.decode(attestation_object), relying_party)
     end
 
-    def self.from_map(map)
+    def self.from_map(map, relying_party)
       new(
         authenticator_data: WebAuthn::AuthenticatorData.deserialize(map["authData"]),
-        attestation_statement: WebAuthn::AttestationStatement.from(map["fmt"], map["attStmt"])
+        attestation_statement: WebAuthn::AttestationStatement.from(
+          map["fmt"],
+          map["attStmt"],
+          relying_party: relying_party
+        )
       )
     end
 
-    attr_reader :authenticator_data, :attestation_statement
+    attr_reader :authenticator_data, :attestation_statement, :relying_party
 
     def initialize(authenticator_data:, attestation_statement:)
       @authenticator_data = authenticator_data

data/lib/webauthn/attestation_statement.rb

@@ -28,11 +28,11 @@ module WebAuthn
       ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM
     }.freeze
 
-    def self.from(format, statement)
+    def self.from(format, statement, relying_party: WebAuthn.configuration.relying_party)
       klass = FORMAT_TO_CLASS[format]
 
       if klass
-        klass.new(statement)
+        klass.new(statement, relying_party)
       else
         raise(FormatNotSupportedError, "Unsupported attestation format '#{format}'")
       end

data/lib/webauthn/attestation_statement/base.rb

@@ -26,8 +26,9 @@ module WebAuthn
     class Base
       AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4"
 
-      def initialize(statement)
+      def initialize(statement, relying_party = WebAuthn.configuration.relying_party)
         @statement = statement
+        @relying_party = relying_party
       end
 
       def valid?(_authenticator_data, _client_data_hash)
@@ -54,7 +55,7 @@ module WebAuthn
 
       private
 
-      attr_reader :statement
+      attr_reader :statement, :relying_party
 
       def matching_aaguid?(attested_credential_data_aaguid)
         extension = attestation_certificate&.extensions&.detect { |ext| ext.oid == AAGUID_EXTENSION_OID }
@@ -95,10 +96,10 @@ module WebAuthn
 
       def trustworthy?(aaguid: nil, attestation_certificate_key_id: nil)
         if ATTESTATION_TYPES_WITH_ROOT.include?(attestation_type)
-          configuration.acceptable_attestation_types.include?(attestation_type) &&
+          relying_party.acceptable_attestation_types.include?(attestation_type) &&
             valid_certificate_chain?(aaguid: aaguid, attestation_certificate_key_id: attestation_certificate_key_id)
         else
-          configuration.acceptable_attestation_types.include?(attestation_type)
+          relying_party.acceptable_attestation_types.include?(attestation_type)
         end
       end
 
@@ -122,7 +123,7 @@ module WebAuthn
 
       def root_certificates(aaguid: nil, attestation_certificate_key_id: nil)
         root_certificates =
-          configuration.attestation_root_certificates_finders.reduce([]) do |certs, finder|
+          relying_party.attestation_root_certificates_finders.reduce([]) do |certs, finder|
             if certs.empty?
               finder.find(
                 attestation_format: format,
@@ -169,14 +170,10 @@ module WebAuthn
       def cose_algorithm
         @cose_algorithm ||=
           COSE::Algorithm.find(algorithm).tap do |alg|
-            alg && configuration.algorithms.include?(alg.name) ||
+            alg && relying_party.algorithms.include?(alg.name) ||
               raise(UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}")
           end
       end
-
-      def configuration
-        WebAuthn.configuration
-      end
     end
   end
 end

data/lib/webauthn/attestation_statement/none.rb

@@ -6,18 +6,12 @@ module WebAuthn
   module AttestationStatement
     class None < Base
       def valid?(*_args)
-        if statement == {} && trustworthy?
+        if statement == {}
           [WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE, nil]
         else
           false
         end
       end
-
-      private
-
-      def attestation_type
-        WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE
-      end
     end
   end
 end

data/lib/webauthn/authenticator_assertion_response.rb

@@ -10,8 +10,8 @@ module WebAuthn
   class SignCountVerificationError < VerificationError; end
 
   class AuthenticatorAssertionResponse < AuthenticatorResponse
-    def self.from_client(response)
-      encoder = WebAuthn.configuration.encoder
+    def self.from_client(response, relying_party: WebAuthn.configuration.relying_party)
+      encoder = relying_party.encoder
 
       user_handle =
         if response["userHandle"]
@@ -22,7 +22,8 @@ module WebAuthn
         authenticator_data: encoder.decode(response["authenticatorData"]),
         client_data_json: encoder.decode(response["clientDataJSON"]),
         signature: encoder.decode(response["signature"]),
-        user_handle: user_handle
+        user_handle: user_handle,
+        relying_party: relying_party
       )
     end
 

data/lib/webauthn/authenticator_attestation_response.rb

@@ -18,12 +18,13 @@ module WebAuthn
   class AuthenticatorAttestationResponse < AuthenticatorResponse
     extend Forwardable
 
-    def self.from_client(response)
-      encoder = WebAuthn.configuration.encoder
+    def self.from_client(response, relying_party: WebAuthn.configuration.relying_party)
+      encoder = relying_party.encoder
 
       new(
         attestation_object: encoder.decode(response["attestationObject"]),
-        client_data_json: encoder.decode(response["clientDataJSON"])
+        client_data_json: encoder.decode(response["clientDataJSON"]),
+        relying_party: relying_party
       )
     end
 
@@ -33,13 +34,14 @@ module WebAuthn
       super(**options)
 
       @attestation_object_bytes = attestation_object
+      @relying_party = relying_party
     end
 
     def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
       super
 
       verify_item(:attested_credential)
-      if WebAuthn.configuration.verify_attestation_statement
+      if relying_party.verify_attestation_statement
         verify_item(:attestation_statement)
       end
 
@@ -47,7 +49,7 @@ module WebAuthn
     end
 
     def attestation_object
-      @attestation_object ||= WebAuthn::AttestationObject.deserialize(attestation_object_bytes)
+      @attestation_object ||= WebAuthn::AttestationObject.deserialize(attestation_object_bytes, relying_party)
     end
 
     def_delegators(
@@ -63,14 +65,15 @@ module WebAuthn
 
     private
 
-    attr_reader :attestation_object_bytes
+    attr_reader :attestation_object_bytes, :relying_party
 
     def type
       WebAuthn::TYPES[:create]
     end
 
     def valid_attested_credential?
-      attestation_object.valid_attested_credential?
+      attestation_object.valid_attested_credential? &&
+        relying_party.algorithms.include?(authenticator_data.credential.algorithm)
     end
 
     def valid_attestation_statement?

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -24,7 +24,7 @@ module WebAuthn
 
       # TODO: use keyword_init when we dropped Ruby 2.4 support
       Credential =
-        Struct.new(:id, :public_key) do
+        Struct.new(:id, :public_key, :algorithm) do
           def public_key_object
             COSE::Key.deserialize(public_key).to_pkey
           end
@@ -47,7 +47,7 @@ module WebAuthn
       def credential
         @credential ||=
           if valid?
-            Credential.new(id, public_key)
+            Credential.new(id, public_key, algorithm)
           end
       end
 
@@ -59,10 +59,16 @@ module WebAuthn
 
       private
 
+      def algorithm
+        COSE::Algorithm.find(cose_key.alg).name
+      end
+
       def valid_credential_public_key?
-        cose_key = COSE::Key.deserialize(public_key)
+        !!cose_key.alg
+      end
 
-        !!cose_key.alg && WebAuthn.configuration.algorithms.include?(COSE::Algorithm.find(cose_key.alg).name)
+      def cose_key
+        @cose_key ||= COSE::Key.deserialize(public_key)
       end
 
       def public_key

data/lib/webauthn/authenticator_response.rb

@@ -20,13 +20,14 @@ module WebAuthn
   class UserVerifiedVerificationError < VerificationError; end
 
   class AuthenticatorResponse
-    def initialize(client_data_json:)
+    def initialize(client_data_json:, relying_party: WebAuthn.configuration.relying_party)
       @client_data_json = client_data_json
+      @relying_party = relying_party
     end
 
     def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
-      expected_origin ||= WebAuthn.configuration.origin || raise("Unspecified expected origin")
-      rp_id ||= WebAuthn.configuration.rp_id
+      expected_origin ||= relying_party.origin || raise("Unspecified expected origin")
+      rp_id ||= relying_party.id
 
       verify_item(:type)
       verify_item(:token_binding)
@@ -35,7 +36,7 @@ module WebAuthn
       verify_item(:authenticator_data)
       verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
 
-      if !WebAuthn.configuration.silent_authentication
+      if !relying_party.silent_authentication
         verify_item(:user_presence)
       end
 
@@ -58,7 +59,7 @@ module WebAuthn
 
     private
 
-    attr_reader :client_data_json
+    attr_reader :client_data_json, :relying_party
 
     def verify_item(item, *args)
       if send("valid_#{item}?", *args)

data/lib/webauthn/configuration.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
-require "openssl"
-require "webauthn/encoder"
-require "webauthn/error"
+require 'forwardable'
+require 'webauthn/relying_party'
 
 module WebAuthn
   def self.configuration
@@ -13,54 +12,49 @@ module WebAuthn
     yield(configuration)
   end
 
-  class RootCertificateFinderNotSupportedError < Error; end
-
   class Configuration
-    def self.if_pss_supported(algorithm)
-      OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
-    end
-
-    DEFAULT_ALGORITHMS = ["ES256", if_pss_supported("PS256"), "RS256"].compact.freeze
-
-    attr_accessor :algorithms
-    attr_accessor :encoding
-    attr_accessor :origin
-    attr_accessor :rp_id
-    attr_accessor :rp_name
-    attr_accessor :verify_attestation_statement
-    attr_accessor :credential_options_timeout
-    attr_accessor :silent_authentication
-    attr_accessor :acceptable_attestation_types
-    attr_reader :attestation_root_certificates_finders
+    extend Forwardable
+
+    def_delegators :@relying_party,
+                   :algorithms,
+                   :algorithms=,
+                   :encoding,
+                   :encoding=,
+                   :origin,
+                   :origin=,
+                   :verify_attestation_statement,
+                   :verify_attestation_statement=,
+                   :credential_options_timeout,
+                   :credential_options_timeout=,
+                   :silent_authentication,
+                   :silent_authentication=,
+                   :acceptable_attestation_types,
+                   :acceptable_attestation_types=,
+                   :attestation_root_certificates_finders,
+                   :attestation_root_certificates_finders=,
+                   :encoder,
+                   :encoder=
+
+    attr_reader :relying_party
 
     def initialize
-      @algorithms = DEFAULT_ALGORITHMS.dup
-      @encoding = WebAuthn::Encoder::STANDARD_ENCODING
-      @verify_attestation_statement = true
-      @credential_options_timeout = 120000
-      @silent_authentication = false
-      @acceptable_attestation_types = ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']
-      @attestation_root_certificates_finders = []
+      @relying_party = RelyingParty.new
     end
 
-    # This is the user-data encoder.
-    # Used to decode user input and to encode data provided to the user.
-    def encoder
-      @encoder ||= WebAuthn::Encoder.new(encoding)
+    def rp_name
+      relying_party.name
     end
 
-    def attestation_root_certificates_finders=(finders)
-      if !finders.respond_to?(:each)
-        finders = [finders]
-      end
+    def rp_name=(name)
+      relying_party.name = name
+    end
 
-      finders.each do |finder|
-        unless finder.respond_to?(:find)
-          raise RootCertificateFinderNotSupportedError, "Finder must implement `find` method"
-        end
-      end
+    def rp_id
+      relying_party.id
+    end
 
-      @attestation_root_certificates_finders = finders
+    def rp_id=(id)
+      relying_party.id = id
     end
   end
 end

data/lib/webauthn/credential.rb

@@ -4,6 +4,7 @@ require "webauthn/public_key_credential/creation_options"
 require "webauthn/public_key_credential/request_options"
 require "webauthn/public_key_credential_with_assertion"
 require "webauthn/public_key_credential_with_attestation"
+require "webauthn/relying_party"
 
 module WebAuthn
   module Credential
@@ -15,12 +16,12 @@ module WebAuthn
       WebAuthn::PublicKeyCredential::RequestOptions.new(**keyword_arguments)
     end
 
-    def self.from_create(credential)
-      WebAuthn::PublicKeyCredentialWithAttestation.from_client(credential)
+    def self.from_create(credential, relying_party: WebAuthn.configuration.relying_party)
+      WebAuthn::PublicKeyCredentialWithAttestation.from_client(credential, relying_party: relying_party)
     end
 
-    def self.from_get(credential)
-      WebAuthn::PublicKeyCredentialWithAssertion.from_client(credential)
+    def self.from_get(credential, relying_party: WebAuthn.configuration.relying_party)
+      WebAuthn::PublicKeyCredentialWithAssertion.from_client(credential, relying_party: relying_party)
     end
   end
 end

data/lib/webauthn/credential_creation_options.rb

@@ -32,8 +32,6 @@ module WebAuthn
       user_display_name: nil,
       rp_name: nil
     )
-      super()
-
       @attestation = attestation
       @authenticator_selection = authenticator_selection
       @exclude_credentials = exclude_credentials

data/lib/webauthn/credential_request_options.rb

@@ -16,8 +16,6 @@ module WebAuthn
     attr_accessor :allow_credentials, :extensions, :user_verification
 
     def initialize(allow_credentials: [], extensions: nil, user_verification: nil)
-      super()
-
       @allow_credentials = allow_credentials
       @extensions = extensions
       @user_verification = user_verification

data/lib/webauthn/fake_client.rb

@@ -10,7 +10,7 @@ module WebAuthn
   class FakeClient
     TYPES = { create: "webauthn.create", get: "webauthn.get" }.freeze
 
-    attr_reader :origin, :token_binding
+    attr_reader :origin, :token_binding, :encoding
 
     def initialize(
       origin = fake_origin,
@@ -73,8 +73,7 @@ module WebAuthn
             user_present: true,
             user_verified: false,
             sign_count: nil,
-            extensions: nil,
-            user_handle: nil)
+            extensions: nil)
       rp_id ||= URI.parse(origin).host
 
       client_data_json = data_json_for(:get, encoder.decode(challenge))
@@ -98,14 +97,14 @@ module WebAuthn
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),
           "signature" => encoder.encode(assertion[:signature]),
-          "userHandle" => user_handle ? encoder.encode(user_handle) : nil
+          "userHandle" => nil
         }
       }
     end
 
     private
 
-    attr_reader :authenticator, :encoding
+    attr_reader :authenticator
 
     def data_json_for(method, challenge)
       data = {

data/lib/webauthn/public_key_credential.rb

@@ -6,22 +6,31 @@ module WebAuthn
   class PublicKeyCredential
     attr_reader :type, :id, :raw_id, :client_extension_outputs, :response
 
-    def self.from_client(credential)
+    def self.from_client(credential, relying_party: WebAuthn.configuration.relying_party)
       new(
         type: credential["type"],
         id: credential["id"],
-        raw_id: WebAuthn.configuration.encoder.decode(credential["rawId"]),
+        raw_id: relying_party.encoder.decode(credential["rawId"]),
         client_extension_outputs: credential["clientExtensionResults"],
-        response: response_class.from_client(credential["response"])
+        response: response_class.from_client(credential["response"], relying_party: relying_party),
+        encoder: relying_party.encoder
       )
     end
 
-    def initialize(type:, id:, raw_id:, client_extension_outputs: {}, response:)
+    def initialize(
+      type:,
+      id:,
+      raw_id:,
+      response:,
+      client_extension_outputs: {},
+      encoder: WebAuthn.configuration.encoder
+    )
       @type = type
       @id = id
       @raw_id = raw_id
       @client_extension_outputs = client_extension_outputs
       @response = response
+      @encoder = encoder
     end
 
     def verify(*_args)
@@ -41,6 +50,8 @@ module WebAuthn
 
     private
 
+    attr_reader :encoder
+
     def valid_type?
       type == TYPE_PUBLIC_KEY
     end
@@ -52,9 +63,5 @@ module WebAuthn
     def authenticator_data
       response&.authenticator_data
     end
-
-    def encoder
-      WebAuthn.configuration.encoder
-    end
   end
 end

data/lib/webauthn/public_key_credential/creation_options.rb

@@ -39,8 +39,8 @@ module WebAuthn
 
         @rp =
           if rp.is_a?(Hash)
-            rp[:name] ||= configuration.rp_name
-            rp[:id] ||= configuration.rp_id
+            rp[:name] ||= relying_party.name
+            rp[:id] ||= relying_party.id
 
             RPEntity.new(**rp)
           else
@@ -76,7 +76,7 @@ module WebAuthn
       end
 
       def pub_key_cred_params_from_algs
-        Array(algs || configuration.algorithms).map do |alg|
+        Array(algs || relying_party.algorithms).map do |alg|
           alg_id =
             if alg.is_a?(String) || alg.is_a?(Symbol)
               COSE::Algorithm.by_name(alg.to_s).id

data/lib/webauthn/public_key_credential/options.rb

@@ -8,10 +8,11 @@ module WebAuthn
     class Options
       CHALLENGE_LENGTH = 32
 
-      attr_reader :timeout, :extensions
+      attr_reader :timeout, :extensions, :relying_party
 
-      def initialize(timeout: default_timeout, extensions: nil)
-        @timeout = timeout
+      def initialize(timeout: nil, extensions: nil, relying_party: WebAuthn.configuration.relying_party)
+        @relying_party = relying_party
+        @timeout = timeout || default_timeout
         @extensions = extensions
       end
 
@@ -49,7 +50,7 @@ module WebAuthn
       end
 
       def encoder
-        WebAuthn.configuration.encoder
+        relying_party.encoder
       end
 
       def raw_challenge
@@ -57,11 +58,7 @@ module WebAuthn
       end
 
       def default_timeout
-        configuration.credential_options_timeout
-      end
-
-      def configuration
-        WebAuthn.configuration
+        relying_party.credential_options_timeout
       end
 
       def as_public_key_descriptors(ids)

data/lib/webauthn/public_key_credential/request_options.rb

@@ -10,7 +10,7 @@ module WebAuthn
       def initialize(rp_id: nil, allow_credentials: nil, allow: nil, user_verification: nil, **keyword_arguments)
         super(**keyword_arguments)
 
-        @rp_id = rp_id || configuration.rp_id
+        @rp_id = rp_id || relying_party.id
         @allow_credentials = allow_credentials
         @allow = allow
         @user_verification = user_verification

data/lib/webauthn/relying_party.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "webauthn/credential"
+require "webauthn/encoder"
+require "webauthn/error"
+
+module WebAuthn
+  class RootCertificateFinderNotSupportedError < Error; end
+
+  class RelyingParty
+    def self.if_pss_supported(algorithm)
+      OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
+    end
+
+    DEFAULT_ALGORITHMS = ["ES256", if_pss_supported("PS256"), "RS256"].compact.freeze
+
+    def initialize(
+      algorithms: DEFAULT_ALGORITHMS.dup,
+      encoding: WebAuthn::Encoder::STANDARD_ENCODING,
+      origin: nil,
+      id: nil,
+      name: nil,
+      verify_attestation_statement: true,
+      credential_options_timeout: 120000,
+      silent_authentication: false,
+      acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA'],
+      attestation_root_certificates_finders: []
+    )
+      @algorithms = algorithms
+      @encoding = encoding
+      @origin = origin
+      @id = id
+      @name = name
+      @verify_attestation_statement = verify_attestation_statement
+      @credential_options_timeout = credential_options_timeout
+      @silent_authentication = silent_authentication
+      @acceptable_attestation_types = acceptable_attestation_types
+      self.attestation_root_certificates_finders = attestation_root_certificates_finders
+    end
+
+    attr_accessor :algorithms,
+                  :encoding,
+                  :origin,
+                  :id,
+                  :name,
+                  :verify_attestation_statement,
+                  :credential_options_timeout,
+                  :silent_authentication,
+                  :acceptable_attestation_types
+
+    attr_reader :attestation_root_certificates_finders
+
+    # This is the user-data encoder.
+    # Used to decode user input and to encode data provided to the user.
+    def encoder
+      @encoder ||= WebAuthn::Encoder.new(encoding)
+    end
+
+    def attestation_root_certificates_finders=(finders)
+      if !finders.respond_to?(:each)
+        finders = [finders]
+      end
+
+      finders.each do |finder|
+        unless finder.respond_to?(:find)
+          raise RootCertificateFinderNotSupportedError, "Finder must implement `find` method"
+        end
+      end
+
+      @attestation_root_certificates_finders = finders
+    end
+
+    def options_for_registration(**keyword_arguments)
+      WebAuthn::Credential.options_for_create(
+        **keyword_arguments,
+        relying_party: self
+      )
+    end
+
+    def verify_registration(raw_credential, challenge, user_verification: nil)
+      webauthn_credential = WebAuthn::Credential.from_create(raw_credential, relying_party: self)
+
+      if webauthn_credential.verify(challenge, user_verification: user_verification)
+        webauthn_credential
+      end
+    end
+
+    def options_for_authentication(**keyword_arguments)
+      WebAuthn::Credential.options_for_get(
+        **keyword_arguments,
+        relying_party: self
+      )
+    end
+
+    def verify_authentication(
+      raw_credential,
+      challenge,
+      user_verification: nil,
+      public_key: nil,
+      sign_count: nil
+    )
+      webauthn_credential = WebAuthn::Credential.from_get(raw_credential, relying_party: self)
+
+      stored_credential = yield(webauthn_credential) if block_given?
+
+      if webauthn_credential.verify(
+        challenge,
+        public_key: public_key || stored_credential.public_key,
+        sign_count: sign_count || stored_credential.sign_count,
+        user_verification: user_verification
+      )
+        block_given? ? [webauthn_credential, stored_credential] : webauthn_credential
+      end
+    end
+  end
+end

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.4.1"
+  VERSION = "3.0.0.alpha1"
 end

data/webauthn.gemspec

@@ -37,17 +37,17 @@ Gem::Specification.new do |spec|
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
-  spec.add_dependency "cose", "~> 1.1"
+  spec.add_dependency "cose", "~> 1.0"
   spec.add_dependency "openssl", "~> 2.0"
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
   spec.add_dependency "securecompare", "~> 1.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.10.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.9.0"
 
   spec.add_development_dependency "appraisal", "~> 2.3.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.89"
+  spec.add_development_dependency "rubocop", "0.80.1"
   spec.add_development_dependency "rubocop-rspec", "~> 1.38.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 2.4.1
+  version: 3.0.0.alpha1
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-02-15 00:00:00.000000000 Z
+date: 2020-06-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -73,14 +73,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
@@ -129,14 +129,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: 0.9.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: 0.9.0
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -219,14 +219,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: '0.89'
+        version: 0.80.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: '0.89'
+        version: 0.80.1
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
@@ -313,6 +313,7 @@ files:
 - lib/webauthn/public_key_credential/user_entity.rb
 - lib/webauthn/public_key_credential_with_assertion.rb
 - lib/webauthn/public_key_credential_with_attestation.rb
+- lib/webauthn/relying_party.rb
 - lib/webauthn/security_utils.rb
 - lib/webauthn/u2f_migrator.rb
 - lib/webauthn/version.rb
@@ -337,11 +338,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.2.8
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: WebAuthn ruby server library