webauthn 2.5.0 → 3.0.0

data/lib/webauthn/relying_party.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "webauthn/credential"
+require "webauthn/encoder"
+require "webauthn/error"
+
+module WebAuthn
+  class RootCertificateFinderNotSupportedError < Error; end
+
+  class RelyingParty
+    def self.if_pss_supported(algorithm)
+      OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
+    end
+
+    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
+
+    def initialize(
+      algorithms: DEFAULT_ALGORITHMS.dup,
+      encoding: WebAuthn::Encoder::STANDARD_ENCODING,
+      origin: nil,
+      id: nil,
+      name: nil,
+      verify_attestation_statement: true,
+      credential_options_timeout: 120000,
+      silent_authentication: false,
+      acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA', 'AnonCA'],
+      attestation_root_certificates_finders: [],
+      legacy_u2f_appid: nil
+    )
+      @algorithms = algorithms
+      @encoding = encoding
+      @origin = origin
+      @id = id
+      @name = name
+      @verify_attestation_statement = verify_attestation_statement
+      @credential_options_timeout = credential_options_timeout
+      @silent_authentication = silent_authentication
+      @acceptable_attestation_types = acceptable_attestation_types
+      @legacy_u2f_appid = legacy_u2f_appid
+      self.attestation_root_certificates_finders = attestation_root_certificates_finders
+    end
+
+    attr_accessor :algorithms,
+                  :encoding,
+                  :origin,
+                  :id,
+                  :name,
+                  :verify_attestation_statement,
+                  :credential_options_timeout,
+                  :silent_authentication,
+                  :acceptable_attestation_types,
+                  :legacy_u2f_appid
+
+    attr_reader :attestation_root_certificates_finders
+
+    # This is the user-data encoder.
+    # Used to decode user input and to encode data provided to the user.
+    def encoder
+      @encoder ||= WebAuthn::Encoder.new(encoding)
+    end
+
+    def attestation_root_certificates_finders=(finders)
+      if !finders.respond_to?(:each)
+        finders = [finders]
+      end
+
+      finders.each do |finder|
+        unless finder.respond_to?(:find)
+          raise RootCertificateFinderNotSupportedError, "Finder must implement `find` method"
+        end
+      end
+
+      @attestation_root_certificates_finders = finders
+    end
+
+    def options_for_registration(**keyword_arguments)
+      WebAuthn::Credential.options_for_create(
+        **keyword_arguments,
+        relying_party: self
+      )
+    end
+
+    def verify_registration(raw_credential, challenge, user_verification: nil)
+      webauthn_credential = WebAuthn::Credential.from_create(raw_credential, relying_party: self)
+
+      if webauthn_credential.verify(challenge, user_verification: user_verification)
+        webauthn_credential
+      end
+    end
+
+    def options_for_authentication(**keyword_arguments)
+      WebAuthn::Credential.options_for_get(
+        **keyword_arguments,
+        relying_party: self
+      )
+    end
+
+    def verify_authentication(
+      raw_credential,
+      challenge,
+      user_verification: nil,
+      public_key: nil,
+      sign_count: nil
+    )
+      webauthn_credential = WebAuthn::Credential.from_get(raw_credential, relying_party: self)
+
+      stored_credential = yield(webauthn_credential) if block_given?
+
+      if webauthn_credential.verify(
+        challenge,
+        public_key: public_key || stored_credential.public_key,
+        sign_count: sign_count || stored_credential.sign_count,
+        user_verification: user_verification
+      )
+        block_given? ? [webauthn_credential, stored_credential] : webauthn_credential
+      end
+    end
+  end
+end

data/lib/webauthn/u2f_migrator.rb

@@ -31,7 +31,10 @@ module WebAuthn
       @credential ||=
         begin
           hash = authenticator_data.send(:credential)
-          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
+          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(
+            id: hash[:id],
+            public_key: hash[:public_key].serialize
+          )
         end
     end
 

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.5.0"
+  VERSION = "3.0.0"
 end

data/webauthn.gemspec

@@ -31,19 +31,17 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.4"
+  spec.required_ruby_version = ">= 2.5"
 
   spec.add_dependency "android_key_attestation", "~> 0.3.0"
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
   spec.add_dependency "cose", "~> 1.1"
-  spec.add_dependency "openssl", "~> 2.1"
+  spec.add_dependency "openssl", ">= 2.2"
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
-  spec.add_dependency "securecompare", "~> 1.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.10.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.12.0"
 
-  spec.add_development_dependency "appraisal", "~> 2.4"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
 - Braulio Martinez
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-03-14 00:00:00.000000000 Z
+date: 2023-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -85,16 +85,16 @@ dependencies:
   name: openssl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '2.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: safety_net_attestation
   requirement: !ruby/object:Gem::Requirement
@@ -109,48 +109,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.4.0
-- !ruby/object:Gem::Dependency
-  name: securecompare
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: tpm-key_attestation
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: 0.12.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
-- !ruby/object:Gem::Dependency
-  name: appraisal
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.4'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.4'
+        version: 0.12.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -266,10 +238,10 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/workflows/build.yml"
+- ".github/workflows/git.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- Appraisals
 - CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
@@ -279,9 +251,8 @@ files:
 - SECURITY.md
 - bin/console
 - bin/setup
+- docs/advanced_configuration.md
 - docs/u2f_migration.md
-- gemfiles/openssl_2_1.gemfile
-- gemfiles/openssl_2_2.gemfile
 - lib/cose/rsapkcs1_algorithm.rb
 - lib/webauthn.rb
 - lib/webauthn/attestation_object.rb
@@ -325,7 +296,7 @@ files:
 - lib/webauthn/public_key_credential/user_entity.rb
 - lib/webauthn/public_key_credential_with_assertion.rb
 - lib/webauthn/public_key_credential_with_attestation.rb
-- lib/webauthn/security_utils.rb
+- lib/webauthn/relying_party.rb
 - lib/webauthn/u2f_migrator.rb
 - lib/webauthn/version.rb
 - webauthn.gemspec
@@ -336,7 +307,7 @@ metadata:
   bug_tracker_uri: https://github.com/cedarcode/webauthn-ruby/issues
   changelog_uri: https://github.com/cedarcode/webauthn-ruby/blob/master/CHANGELOG.md
   source_code_uri: https://github.com/cedarcode/webauthn-ruby
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -344,15 +315,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.14
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: WebAuthn ruby server library
 test_files: []

data/Appraisals

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-appraise "openssl_2_2" do
-  gem "openssl", "~> 2.2.0"
-end
-
-appraise "openssl_2_1" do
-  gem "openssl", "~> 2.1.0"
-end

data/gemfiles/openssl_2_1.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "openssl", "~> 2.1.0"
-
-gemspec path: "../"

data/gemfiles/openssl_2_2.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "openssl", "~> 2.2.0"
-
-gemspec path: "../"

data/lib/webauthn/security_utils.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-require "securecompare"
-
-module WebAuthn
-  module SecurityUtils
-    # Constant time string comparison, for variable length strings.
-    # This code was adapted from Rails ActiveSupport::SecurityUtils
-    #
-    # The values are first processed by SHA256, so that we don't leak length info
-    # via timing attacks.
-    def secure_compare(first_string, second_string)
-      first_string_sha256 = ::Digest::SHA256.digest(first_string)
-      second_string_sha256 = ::Digest::SHA256.digest(second_string)
-
-      SecureCompare.compare(first_string_sha256, second_string_sha256) && first_string == second_string
-    end
-    module_function :secure_compare
-  end
-end