webauthn 2.5.0 → 3.0.0.alpha1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e6487b19f172c0c7e96af23d04e47f91bebd2ef7d20f144f99f85e761a2db86
-  data.tar.gz: 7623405e7cd01708f29897a0d4183fbc8c9b2a3dfb06b9c182646ddaf9c6cb0d
+  metadata.gz: 1f418eb52a085d8e7c03bd1c3d11b88ed8fe467f4ec01d3178836689d470f436
+  data.tar.gz: 4ab67e8804cbd7d785e29b94760af6db9d6b1e52de1a58bafc74aed19b5b7e21
 SHA512:
-  metadata.gz: d2f8d2137b2ee140a3258fbbff8d62e49264b2eafa80f0726dacc16a742addf75625b9da51696db6f3862a85e63f44ca5fc2b73320b1c256dd1c57f96121de24
-  data.tar.gz: dcb2ea914a14944b4bf7c4682394df12e00ddd4a4b0cc1076a03a7368bf4d563d08b61fbbe27ece3ddcbc05a9ed542d8236c1bfce833669c9b60c5d3387b35b4
+  metadata.gz: ccdcd22e494079eb67c122c03e3061166f91de50dd0c2bf8662748c976483a9d472fa9f8d6b67db9abf484e8eac182195b5f1e1cca8aaaf88146d831919f1c93
+  data.tar.gz: b2506b530c796ee57e5d037e7dd3692b1e359408fd9757141b6c4f042c43d57344baa09dc63d17ace549927eeea50abaa8c0771a0ab6da0ece5d880362d890db

data/.rubocop.yml

@@ -1,6 +1,5 @@
 require:
   - rubocop-rspec
-  - rubocop-rake
 
 inherit_mode:
   merge:
@@ -9,7 +8,6 @@ inherit_mode:
 AllCops:
   TargetRubyVersion: 2.4
   DisabledByDefault: true
-  NewCops: disable
   Exclude:
     - "gemfiles/**/*"
     - "vendor/**/*"
@@ -26,12 +24,6 @@ Layout:
 Layout/ClassStructure:
   Enabled: true
 
-Layout/EmptyLineBetweenDefs:
-  AllowAdjacentOneLineDefs: true
-
-Layout/EmptyLinesAroundAttributeAccessor:
-  Enabled: true
-
 Layout/FirstMethodArgumentLineBreak:
   Enabled: true
 
@@ -46,60 +38,12 @@ Layout/MultilineAssignmentLayout:
 Layout/MultilineMethodArgumentLineBreaks:
   Enabled: true
 
-Layout/SpaceAroundMethodCallOperator:
-  Enabled: true
-
 Lint:
   Enabled: true
 
-Lint/DeprecatedOpenSSLConstant:
-  Enabled: true
-
-Lint/MixedRegexpCaptureTypes:
-  Enabled: true
-
-Lint/RaiseException:
-  Enabled: true
-
-Lint/StructNewOverride:
-  Enabled: true
-
-Lint/BinaryOperatorWithIdenticalOperands:
-  Enabled: true
-
-Lint/DuplicateElsifCondition:
-  Enabled: true
-
-Lint/DuplicateRescueException:
-  Enabled: true
-
-Lint/EmptyConditionalBody:
-  Enabled: true
-
-Lint/FloatComparison:
-  Enabled: true
-
-Lint/MissingSuper:
-  Enabled: true
-
-Lint/OutOfRangeRegexpRef:
-  Enabled: true
-
-Lint/SelfAssignment:
-  Enabled: true
-
-Lint/TopLevelReturnWithArgument:
-  Enabled: true
-
-Lint/UnreachableLoop:
-  Enabled: true
-
 Naming:
   Enabled: true
 
-Naming/VariableNumber:
-  Enabled: false
-
 RSpec/Be:
   Enabled: true
 

data/.travis.yml

@@ -0,0 +1,39 @@
+dist: bionic
+language: ruby
+
+cache:
+  bundler: true
+  directories:
+    - /home/travis/.rvm/
+
+env:
+  - LIBSSL=1.1 RB=2.7.1
+  - LIBSSL=1.1 RB=2.6.6
+  - LIBSSL=1.1 RB=2.5.8
+  - LIBSSL=1.1 RB=2.4.10
+  - LIBSSL=1.1 RB=ruby-head
+  - LIBSSL=1.0 RB=2.7.1
+  - LIBSSL=1.0 RB=2.6.6
+  - LIBSSL=1.0 RB=2.5.8
+  - LIBSSL=1.0 RB=2.4.10
+  - LIBSSL=1.0 RB=ruby-head
+
+gemfile:
+  - gemfiles/cose_head.gemfile
+  - gemfiles/openssl_head.gemfile
+  - gemfiles/openssl_2_2.gemfile
+  - gemfiles/openssl_2_1.gemfile
+  - gemfiles/openssl_2_0.gemfile
+
+matrix:
+  fast_finish: true
+  allow_failures:
+    - env: LIBSSL=1.1 RB=ruby-head
+    - env: LIBSSL=1.0 RB=ruby-head
+    - gemfile: gemfiles/cose_head.gemfile
+    - gemfile: gemfiles/openssl_head.gemfile
+
+before_install:
+  - ./script/ci/install-openssl
+  - ./script/ci/install-ruby
+  - gem install bundler -v "~> 2.0"

data/Appraisals

@@ -1,5 +1,13 @@
 # frozen_string_literal: true
 
+appraise "cose_head" do
+  gem "cose", git: "https://github.com/cedarcode/cose-ruby"
+end
+
+appraise "openssl_head" do
+  gem "openssl", git: "https://github.com/ruby/openssl"
+end
+
 appraise "openssl_2_2" do
   gem "openssl", "~> 2.2.0"
 end
@@ -7,3 +15,7 @@ end
 appraise "openssl_2_1" do
   gem "openssl", "~> 2.1.0"
 end
+
+appraise "openssl_2_0" do
+  gem "openssl", "~> 2.0.0"
+end

data/CHANGELOG.md

@@ -6,30 +6,6 @@
 
 - Ability to define multiple relying parties with the introduction of the `WebAuthn::RelyingParty` class ([@padulafacundo], [@brauliomartinezlm])
 
-## [v2.5.0] - 2021-03-14
-
-### Added
-
-- Support 'apple' attestation statement format ([#343](https://github.com/cedarcode/webauthn-ruby/pull/343) / [@juanarias93], [@santiagorodriguez96])
-- Allow specifying an array of ids as `allow_credentials:` for `FakeClient#get` method ([#335](https://github.com/cedarcode/webauthn-ruby/pull/335) / [@kingjan1999])
-
-### Removed
-
-- No longer accept "removed from the WebAuthn spec" options `rp: { icon: }` and `user: { icon: }` for `WebAuthn::Credential.options_for_create` method ([#326](https://github.com/cedarcode/webauthn-ruby/pull/326) / [@santiagorodriguez96])
-
-## [v2.4.1] - 2021-02-15
-
-### Fixed
-
-- Fix verification of new credential if no attestation provided and 'None' type is not among configured `acceptable_attestation_types`. I.e. reject it instead of letting it go through.
-
-## [v2.4.0] - 2020-09-03
-
-### Added
-
-- Support for ES256K credentials
-- `FakeClient#get` accepts `user_handle:` keyword argument ([@lgarron])
-
 ## [v2.3.0] - 2020-06-27
 
 ### Added
@@ -325,9 +301,6 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 - Works with ruby 2.5
 
 [v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha1/
-[v2.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.1...v2.5.0/
-[v2.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.0...v2.4.1/
-[v2.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v2.4.0/
 [v2.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.1...v2.3.0/
 [v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
 [v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
@@ -364,6 +337,3 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [@ssuttner]: https://github.com/ssuttner
 [@padulafacundo]: https://github.com/padulafacundo
 [@santiagorodriguez96]: https://github.com/santiagorodriguez96
-[@lgarron]: https://github.com/lgarron
-[@juanarias93]: https://github.com/juanarias93
-[@kingjan1999]: https://github.com/@kingjan1999

data/README.md

@@ -6,7 +6,7 @@ For the current release version see https://github.com/cedarcode/webauthn-ruby/b
 ![banner](assets/webauthn-ruby.png)
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.com/cedarcode/webauthn-ruby)
+[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.org/cedarcode/webauthn-ruby)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 [![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
@@ -408,7 +408,7 @@ credential.authenticator_extension_outputs
 
 ## Attestation
 
-### Attestation Statement Formats
+### Attestation Statement Format
 
 | Attestation Statement Format | Supported? |
 | -------- | :--------: |
@@ -417,7 +417,6 @@ credential.authenticator_extension_outputs
 | tpm (x5c attestation) | Yes |
 | android-key | Yes |
 | android-safetynet | Yes |
-| apple | Yes |
 | fido-u2f | Yes |
 | none | Yes |
 

data/SECURITY.md

@@ -4,12 +4,9 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.5.z    | :white_check_mark: |
-| 2.4.z    | :white_check_mark: |
-| 2.3.z    | :white_check_mark: |
-| 2.2.z    | :x: |
-| 2.1.z    | :x: |
-| 2.0.z    | :x: |
+| 2.2.z    | :white_check_mark: |
+| 2.1.z    | :white_check_mark: |
+| 2.0.z    | :white_check_mark: |
 | 1.18.z   | :white_check_mark: |
 | < 1.18   | :x:                |
 

data/gemfiles/cose_head.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "cose", git: "https://github.com/cedarcode/cose-ruby"
+
+gemspec path: "../"

data/gemfiles/openssl_2_0.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", "~> 2.0.0"
+
+gemspec path: "../"

data/gemfiles/openssl_head.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", git: "https://github.com/ruby/openssl"
+
+gemspec path: "../"

data/lib/cose/rsapkcs1_algorithm.rb

@@ -40,11 +40,4 @@ end
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-257, "RS256", hash_function: "SHA256"))
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-258, "RS384", hash_function: "SHA384"))
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-259, "RS512", hash_function: "SHA512"))
-
-# Patch openssl-signature_algorithm gem to support discouraged/deprecated RSA-PKCS#1 with SHA-1
-# (RS1 in JOSE/COSE terminology) algorithm needed for WebAuthn.
-OpenSSL::SignatureAlgorithm::RSAPKCS1.const_set(
-  :ACCEPTED_HASH_FUNCTIONS,
-  OpenSSL::SignatureAlgorithm::RSAPKCS1::ACCEPTED_HASH_FUNCTIONS + ["SHA1"]
-)
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-65535, "RS1", hash_function: "SHA1"))

data/lib/webauthn/attestation_object.rb

@@ -10,18 +10,22 @@ module WebAuthn
   class AttestationObject
     extend Forwardable
 
-    def self.deserialize(attestation_object)
-      from_map(CBOR.decode(attestation_object))
+    def self.deserialize(attestation_object, relying_party)
+      from_map(CBOR.decode(attestation_object), relying_party)
     end
 
-    def self.from_map(map)
+    def self.from_map(map, relying_party)
       new(
         authenticator_data: WebAuthn::AuthenticatorData.deserialize(map["authData"]),
-        attestation_statement: WebAuthn::AttestationStatement.from(map["fmt"], map["attStmt"])
+        attestation_statement: WebAuthn::AttestationStatement.from(
+          map["fmt"],
+          map["attStmt"],
+          relying_party: relying_party
+        )
       )
     end
 
-    attr_reader :authenticator_data, :attestation_statement
+    attr_reader :authenticator_data, :attestation_statement, :relying_party
 
     def initialize(authenticator_data:, attestation_statement:)
       @authenticator_data = authenticator_data

data/lib/webauthn/attestation_statement/android_key.rb

@@ -20,6 +20,10 @@ module WebAuthn
 
       private
 
+      def matching_public_key?(authenticator_data)
+        attestation_certificate.public_key.to_der == authenticator_data.credential.public_key_object.to_der
+      end
+
       def valid_attestation_challenge?(client_data_hash)
         android_key_attestation.verify_challenge(client_data_hash)
       rescue AndroidKeyAttestation::ChallengeMismatchError

data/lib/webauthn/attestation_statement/android_safetynet.rb

@@ -16,6 +16,10 @@ module WebAuthn
           [attestation_type, attestation_trust_path]
       end
 
+      def attestation_certificate
+        attestation_trust_path.first
+      end
+
       private
 
       def valid_response?(authenticator_data, client_data_hash)
@@ -48,7 +52,7 @@ module WebAuthn
       end
 
       # SafetyNetAttestation returns full chain including root, WebAuthn expects only the x5c certificates
-      def certificates
+      def attestation_trust_path
         attestation_response.certificate_chain[0..-2]
       end
 

data/lib/webauthn/attestation_statement/base.rb

@@ -16,20 +16,19 @@ module WebAuthn
     ATTESTATION_TYPE_SELF = "Self"
     ATTESTATION_TYPE_ATTCA = "AttCA"
     ATTESTATION_TYPE_BASIC_OR_ATTCA = "Basic_or_AttCA"
-    ATTESTATION_TYPE_ANONCA = "AnonCA"
 
     ATTESTATION_TYPES_WITH_ROOT = [
       ATTESTATION_TYPE_BASIC,
       ATTESTATION_TYPE_BASIC_OR_ATTCA,
-      ATTESTATION_TYPE_ATTCA,
-      ATTESTATION_TYPE_ANONCA
+      ATTESTATION_TYPE_ATTCA
     ].freeze
 
     class Base
       AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4"
 
-      def initialize(statement)
+      def initialize(statement, relying_party = WebAuthn.configuration.relying_party)
         @statement = statement
+        @relying_party = relying_party
       end
 
       def valid?(_authenticator_data, _client_data_hash)
@@ -44,13 +43,19 @@ module WebAuthn
         certificates&.first
       end
 
+      def certificate_chain
+        if certificates
+          certificates[1..-1]
+        end
+      end
+
       def attestation_certificate_key_id
         raw_subject_key_identifier&.unpack("H*")&.[](0)
       end
 
       private
 
-      attr_reader :statement
+      attr_reader :statement, :relying_party
 
       def matching_aaguid?(attested_credential_data_aaguid)
         extension = attestation_certificate&.extensions&.detect { |ext| ext.oid == AAGUID_EXTENSION_OID }
@@ -64,10 +69,6 @@ module WebAuthn
         end
       end
 
-      def matching_public_key?(authenticator_data)
-        attestation_certificate.public_key.to_der == authenticator_data.credential.public_key_object.to_der
-      end
-
       def certificates
         @certificates ||=
           raw_certificates&.map do |raw_certificate|
@@ -95,10 +96,10 @@ module WebAuthn
 
       def trustworthy?(aaguid: nil, attestation_certificate_key_id: nil)
         if ATTESTATION_TYPES_WITH_ROOT.include?(attestation_type)
-          configuration.acceptable_attestation_types.include?(attestation_type) &&
+          relying_party.acceptable_attestation_types.include?(attestation_type) &&
             valid_certificate_chain?(aaguid: aaguid, attestation_certificate_key_id: attestation_certificate_key_id)
         else
-          configuration.acceptable_attestation_types.include?(attestation_type)
+          relying_party.acceptable_attestation_types.include?(attestation_type)
         end
       end
 
@@ -122,7 +123,7 @@ module WebAuthn
 
       def root_certificates(aaguid: nil, attestation_certificate_key_id: nil)
         root_certificates =
-          configuration.attestation_root_certificates_finders.reduce([]) do |certs, finder|
+          relying_party.attestation_root_certificates_finders.reduce([]) do |certs, finder|
             if certs.empty?
               finder.find(
                 attestation_format: format,
@@ -169,14 +170,10 @@ module WebAuthn
       def cose_algorithm
         @cose_algorithm ||=
           COSE::Algorithm.find(algorithm).tap do |alg|
-            alg && configuration.algorithms.include?(alg.name) ||
+            alg && relying_party.algorithms.include?(alg.name) ||
               raise(UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}")
           end
       end
-
-      def configuration
-        WebAuthn.configuration
-      end
     end
   end
 end