webauthn 3.0.0.alpha1 → 3.0.0.alpha2

data/lib/webauthn/attestation_statement/none.rb

@@ -6,12 +6,18 @@ module WebAuthn
   module AttestationStatement
     class None < Base
       def valid?(*_args)
-        if statement == {}
+        if statement == {} && trustworthy?
           [WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE, nil]
         else
           false
         end
       end
+
+      private
+
+      def attestation_type
+        WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE
+      end
     end
   end
 end

data/lib/webauthn/attestation_statement/packed.rb

@@ -46,7 +46,7 @@ module WebAuthn
 
           attestation_certificate.version == 2 &&
             subject.assoc('OU')&.at(1) == "Authenticator Attestation" &&
-            attestation_certificate.extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == 'CA:FALSE'
+            attestation_certificate.find_extension('basicConstraints')&.value == 'CA:FALSE'
         else
           true
         end

data/lib/webauthn/attestation_statement/tpm.rb

@@ -42,7 +42,7 @@ module WebAuthn
             OpenSSL::Digest.digest(cose_algorithm.hash_function, certified_extra_data),
             signature_algorithm: tpm_algorithm[:signature],
             hash_algorithm: tpm_algorithm[:hash],
-            root_certificates: root_certificates(aaguid: aaguid)
+            trusted_certificates: root_certificates(aaguid: aaguid)
           )
 
         key_attestation.valid? && key_attestation.key && key_attestation.key.to_pem == key.to_pem
@@ -54,7 +54,7 @@ module WebAuthn
       end
 
       def default_root_certificates
-        ::TPM::KeyAttestation::ROOT_CERTIFICATES
+        ::TPM::KeyAttestation::TRUSTED_CERTIFICATES
       end
 
       def tpm_algorithm

data/lib/webauthn/attestation_statement.rb

@@ -2,6 +2,7 @@
 
 require "webauthn/attestation_statement/android_key"
 require "webauthn/attestation_statement/android_safetynet"
+require "webauthn/attestation_statement/apple"
 require "webauthn/attestation_statement/fido_u2f"
 require "webauthn/attestation_statement/none"
 require "webauthn/attestation_statement/packed"
@@ -18,6 +19,7 @@ module WebAuthn
     ATTESTATION_FORMAT_ANDROID_SAFETYNET = "android-safetynet"
     ATTESTATION_FORMAT_ANDROID_KEY = "android-key"
     ATTESTATION_FORMAT_TPM = "tpm"
+    ATTESTATION_FORMAT_APPLE = "apple"
 
     FORMAT_TO_CLASS = {
       ATTESTATION_FORMAT_NONE => WebAuthn::AttestationStatement::None,
@@ -25,7 +27,8 @@ module WebAuthn
       ATTESTATION_FORMAT_PACKED => WebAuthn::AttestationStatement::Packed,
       ATTESTATION_FORMAT_ANDROID_SAFETYNET => WebAuthn::AttestationStatement::AndroidSafetynet,
       ATTESTATION_FORMAT_ANDROID_KEY => WebAuthn::AttestationStatement::AndroidKey,
-      ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM
+      ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM,
+      ATTESTATION_FORMAT_APPLE => WebAuthn::AttestationStatement::Apple
     }.freeze
 
     def self.from(format, statement, relying_party: WebAuthn.configuration.relying_party)

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -22,9 +22,8 @@ module WebAuthn
       count_bytes_remaining :trailing_bytes_length
       string :trailing_bytes, length: :trailing_bytes_length
 
-      # TODO: use keyword_init when we dropped Ruby 2.4 support
       Credential =
-        Struct.new(:id, :public_key, :algorithm) do
+        Struct.new(:id, :public_key, :algorithm, keyword_init: true) do
           def public_key_object
             COSE::Key.deserialize(public_key).to_pkey
           end
@@ -47,7 +46,7 @@ module WebAuthn
       def credential
         @credential ||=
           if valid?
-            Credential.new(id, public_key, algorithm)
+            Credential.new(id: id, public_key: public_key, algorithm: algorithm)
           end
       end
 

data/lib/webauthn/authenticator_response.rb

@@ -3,7 +3,6 @@
 require "webauthn/authenticator_data"
 require "webauthn/client_data"
 require "webauthn/error"
-require "webauthn/security_utils"
 
 module WebAuthn
   TYPES = { create: "webauthn.create", get: "webauthn.get" }.freeze
@@ -80,7 +79,7 @@ module WebAuthn
     end
 
     def valid_challenge?(expected_challenge)
-      WebAuthn::SecurityUtils.secure_compare(client_data.challenge, expected_challenge)
+      OpenSSL.secure_compare(client_data.challenge, expected_challenge)
     end
 
     def valid_origin?(expected_origin)

data/lib/webauthn/credential_creation_options.rb

@@ -32,6 +32,8 @@ module WebAuthn
       user_display_name: nil,
       rp_name: nil
     )
+      super()
+
       @attestation = attestation
       @authenticator_selection = authenticator_selection
       @exclude_credentials = exclude_credentials

data/lib/webauthn/credential_request_options.rb

@@ -16,6 +16,8 @@ module WebAuthn
     attr_accessor :allow_credentials, :extensions, :user_verification
 
     def initialize(allow_credentials: [], extensions: nil, user_verification: nil)
+      super()
+
       @allow_credentials = allow_credentials
       @extensions = extensions
       @user_verification = user_verification

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -15,7 +15,7 @@ module WebAuthn
         rp_id_hash:,
         credential: {
           id: SecureRandom.random_bytes(16),
-          public_key: OpenSSL::PKey::EC.new("prime256v1").generate_key.public_key
+          public_key: OpenSSL::PKey::EC.generate("prime256v1").public_key
         },
         sign_count: 0,
         user_present: true,

data/lib/webauthn/fake_authenticator.rb

@@ -50,12 +50,20 @@ module WebAuthn
       user_verified: false,
       aaguid: AuthenticatorData::AAGUID,
       sign_count: nil,
-      extensions: nil
+      extensions: nil,
+      allow_credentials: nil
     )
       credential_options = credentials[rp_id]
 
       if credential_options
-        credential_id, credential = credential_options.first
+        allow_credentials ||= credential_options.keys
+        credential_id = (credential_options.keys & allow_credentials).first
+        unless credential_id
+          raise "No matching credentials (allowed=#{allow_credentials}) " \
+                "found for RP #{rp_id} among credentials=#{credential_options}"
+        end
+
+        credential = credential_options[credential_id]
         credential_key = credential[:credential_key]
         credential_sign_count = credential[:sign_count]
 
@@ -87,7 +95,7 @@ module WebAuthn
     attr_reader :credentials
 
     def new_credential
-      [SecureRandom.random_bytes(16), OpenSSL::PKey::EC.new("prime256v1").generate_key, 0]
+      [SecureRandom.random_bytes(16), OpenSSL::PKey::EC.generate("prime256v1"), 0]
     end
 
     def hashed(target)

data/lib/webauthn/fake_client.rb

@@ -73,19 +73,26 @@ module WebAuthn
             user_present: true,
             user_verified: false,
             sign_count: nil,
-            extensions: nil)
+            extensions: nil,
+            user_handle: nil,
+            allow_credentials: nil)
       rp_id ||= URI.parse(origin).host
 
       client_data_json = data_json_for(:get, encoder.decode(challenge))
       client_data_hash = hashed(client_data_json)
 
+      if allow_credentials
+        allow_credentials = allow_credentials.map { |credential| encoder.decode(credential) }
+      end
+
       assertion = authenticator.get_assertion(
         rp_id: rp_id,
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
         sign_count: sign_count,
-        extensions: extensions
+        extensions: extensions,
+        allow_credentials: allow_credentials
       )
 
       {
@@ -97,7 +104,7 @@ module WebAuthn
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),
           "signature" => encoder.encode(assertion[:signature]),
-          "userHandle" => nil
+          "userHandle" => user_handle ? encoder.encode(user_handle) : nil
         }
       }
     end

data/lib/webauthn/public_key_credential/entity.rb

@@ -5,11 +5,10 @@ require "awrence"
 module WebAuthn
   class PublicKeyCredential
     class Entity
-      attr_reader :name, :icon
+      attr_reader :name
 
-      def initialize(name:, icon: nil)
+      def initialize(name:)
         @name = name
-        @icon = icon
       end
 
       def as_json
@@ -37,7 +36,7 @@ module WebAuthn
       end
 
       def attributes
-        [:name, :icon]
+        [:name]
       end
     end
   end

data/lib/webauthn/relying_party.rb

@@ -13,7 +13,7 @@ module WebAuthn
       OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
     end
 
-    DEFAULT_ALGORITHMS = ["ES256", if_pss_supported("PS256"), "RS256"].compact.freeze
+    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
 
     def initialize(
       algorithms: DEFAULT_ALGORITHMS.dup,
@@ -24,7 +24,7 @@ module WebAuthn
       verify_attestation_statement: true,
       credential_options_timeout: 120000,
       silent_authentication: false,
-      acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA'],
+      acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA', 'AnonCA'],
       attestation_root_certificates_finders: []
     )
       @algorithms = algorithms

data/lib/webauthn/u2f_migrator.rb

@@ -31,7 +31,10 @@ module WebAuthn
       @credential ||=
         begin
           hash = authenticator_data.send(:credential)
-          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(hash[:id], hash[:public_key].serialize)
+          WebAuthn::AuthenticatorData::AttestedCredentialData::Credential.new(
+            id: hash[:id],
+            public_key: hash[:public_key].serialize
+          )
         end
     end
 

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.0.0.alpha1"
+  VERSION = "3.0.0.alpha2"
 end

data/webauthn.gemspec

@@ -31,23 +31,22 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.4"
+  spec.required_ruby_version = ">= 2.5"
 
   spec.add_dependency "android_key_attestation", "~> 0.3.0"
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
-  spec.add_dependency "cose", "~> 1.0"
-  spec.add_dependency "openssl", "~> 2.0"
+  spec.add_dependency "cose", "~> 1.1"
+  spec.add_dependency "openssl", ">= 2.2", "< 3.1"
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
-  spec.add_dependency "securecompare", "~> 1.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.9.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.11.0"
 
-  spec.add_development_dependency "appraisal", "~> 2.3.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.80.1"
-  spec.add_development_dependency "rubocop-rspec", "~> 1.38.1"
+  spec.add_development_dependency "rubocop", "~> 1.9.1"
+  spec.add_development_dependency "rubocop-rake", "~> 0.5.1"
+  spec.add_development_dependency "rubocop-rspec", "~> 2.2.0"
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 3.0.0.alpha1
+  version: 3.0.0.alpha2
 platform: ruby
 authors:
 - Gonzalo Rodriguez
 - Braulio Martinez
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-06-27 00:00:00.000000000 Z
+date: 2022-09-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -73,28 +73,34 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: safety_net_attestation
   requirement: !ruby/object:Gem::Requirement
@@ -109,48 +115,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.4.0
-- !ruby/object:Gem::Dependency
-  name: securecompare
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: tpm-key_attestation
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.0
+        version: 0.11.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.0
-- !ruby/object:Gem::Dependency
-  name: appraisal
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.3.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: 0.11.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -217,30 +195,44 @@ dependencies:
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.80.1
+        version: 0.5.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.80.1
+        version: 0.5.1
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.38.1
+        version: 2.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.38.1
+        version: 2.2.0
 description: |-
   WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
       Relying Party and allow your users to authenticate with U2F and FIDO2 authenticators.
@@ -251,11 +243,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/build.yml"
+- ".github/workflows/git.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
-- Appraisals
 - CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
@@ -265,18 +257,15 @@ files:
 - SECURITY.md
 - bin/console
 - bin/setup
+- docs/advanced_configuration.md
 - docs/u2f_migration.md
-- gemfiles/cose_head.gemfile
-- gemfiles/openssl_2_0.gemfile
-- gemfiles/openssl_2_1.gemfile
-- gemfiles/openssl_2_2.gemfile
-- gemfiles/openssl_head.gemfile
 - lib/cose/rsapkcs1_algorithm.rb
 - lib/webauthn.rb
 - lib/webauthn/attestation_object.rb
 - lib/webauthn/attestation_statement.rb
 - lib/webauthn/attestation_statement/android_key.rb
 - lib/webauthn/attestation_statement/android_safetynet.rb
+- lib/webauthn/attestation_statement/apple.rb
 - lib/webauthn/attestation_statement/base.rb
 - lib/webauthn/attestation_statement/fido_u2f.rb
 - lib/webauthn/attestation_statement/fido_u2f/public_key.rb
@@ -314,11 +303,8 @@ files:
 - lib/webauthn/public_key_credential_with_assertion.rb
 - lib/webauthn/public_key_credential_with_attestation.rb
 - lib/webauthn/relying_party.rb
-- lib/webauthn/security_utils.rb
 - lib/webauthn/u2f_migrator.rb
 - lib/webauthn/version.rb
-- script/ci/install-openssl
-- script/ci/install-ruby
 - webauthn.gemspec
 homepage: https://github.com/cedarcode/webauthn-ruby
 licenses:
@@ -327,7 +313,7 @@ metadata:
   bug_tracker_uri: https://github.com/cedarcode/webauthn-ruby/issues
   changelog_uri: https://github.com/cedarcode/webauthn-ruby/blob/master/CHANGELOG.md
   source_code_uri: https://github.com/cedarcode/webauthn-ruby
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -335,15 +321,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">"
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: WebAuthn ruby server library
 test_files: []

data/.travis.yml

@@ -1,39 +0,0 @@
-dist: bionic
-language: ruby
-
-cache:
-  bundler: true
-  directories:
-    - /home/travis/.rvm/
-
-env:
-  - LIBSSL=1.1 RB=2.7.1
-  - LIBSSL=1.1 RB=2.6.6
-  - LIBSSL=1.1 RB=2.5.8
-  - LIBSSL=1.1 RB=2.4.10
-  - LIBSSL=1.1 RB=ruby-head
-  - LIBSSL=1.0 RB=2.7.1
-  - LIBSSL=1.0 RB=2.6.6
-  - LIBSSL=1.0 RB=2.5.8
-  - LIBSSL=1.0 RB=2.4.10
-  - LIBSSL=1.0 RB=ruby-head
-
-gemfile:
-  - gemfiles/cose_head.gemfile
-  - gemfiles/openssl_head.gemfile
-  - gemfiles/openssl_2_2.gemfile
-  - gemfiles/openssl_2_1.gemfile
-  - gemfiles/openssl_2_0.gemfile
-
-matrix:
-  fast_finish: true
-  allow_failures:
-    - env: LIBSSL=1.1 RB=ruby-head
-    - env: LIBSSL=1.0 RB=ruby-head
-    - gemfile: gemfiles/cose_head.gemfile
-    - gemfile: gemfiles/openssl_head.gemfile
-
-before_install:
-  - ./script/ci/install-openssl
-  - ./script/ci/install-ruby
-  - gem install bundler -v "~> 2.0"

data/Appraisals

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-appraise "cose_head" do
-  gem "cose", git: "https://github.com/cedarcode/cose-ruby"
-end
-
-appraise "openssl_head" do
-  gem "openssl", git: "https://github.com/ruby/openssl"
-end
-
-appraise "openssl_2_2" do
-  gem "openssl", "~> 2.2.0"
-end
-
-appraise "openssl_2_1" do
-  gem "openssl", "~> 2.1.0"
-end
-
-appraise "openssl_2_0" do
-  gem "openssl", "~> 2.0.0"
-end

data/gemfiles/cose_head.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "cose", git: "https://github.com/cedarcode/cose-ruby"
-
-gemspec path: "../"

data/gemfiles/openssl_2_0.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "openssl", "~> 2.0.0"
-
-gemspec path: "../"

data/gemfiles/openssl_2_1.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "openssl", "~> 2.1.0"
-
-gemspec path: "../"

data/gemfiles/openssl_2_2.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "openssl", "~> 2.2.0"
-
-gemspec path: "../"

data/gemfiles/openssl_head.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "openssl", git: "https://github.com/ruby/openssl"
-
-gemspec path: "../"

data/lib/webauthn/security_utils.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-require "securecompare"
-
-module WebAuthn
-  module SecurityUtils
-    # Constant time string comparison, for variable length strings.
-    # This code was adapted from Rails ActiveSupport::SecurityUtils
-    #
-    # The values are first processed by SHA256, so that we don't leak length info
-    # via timing attacks.
-    def secure_compare(first_string, second_string)
-      first_string_sha256 = ::Digest::SHA256.digest(first_string)
-      second_string_sha256 = ::Digest::SHA256.digest(second_string)
-
-      SecureCompare.compare(first_string_sha256, second_string_sha256) && first_string == second_string
-    end
-    module_function :secure_compare
-  end
-end