webauthn 3.0.0.alpha2 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f9f14328571fd39b5e19c9a6ec5b427cfd4dea9fc2ab4774135f4453e14b676
-  data.tar.gz: 1e33b7564ea1b3b8aeb32864782a0dad1e0207f1c70c037eb80140db2272ae01
+  metadata.gz: b133f46bd003c9bfb9a8557bb8caeca7239fcd6c185f78e74e0ae578444d576e
+  data.tar.gz: 14a32debc72ddcfe7e752118ebd4db832b8a46a5628ee54830f30eada4159bcf
 SHA512:
-  metadata.gz: b1e22bb07b1ebced7851c592a2a4e8b0e6772e502f402bd841383f8071963e3b0df8c75da66db5623840a32f14799439d09a52c8dabcdd4e5edbef8a0a419a00
-  data.tar.gz: 1a1b1c647a06398edad9d1da94ca8de53202e184f8930b2fe001f82e17d8416516cbaf4db4fd012fd44d1ac5da32c6d8d32c971507584bf00ef9d74b15d535b5
+  metadata.gz: 9b4ff5cee18575b517473fef7d8000d7e41f113b178378e64a4d2b9036d248f4295edd846a519ab76036a270c3066020fbe44847019812c2a5758f2b1b428f4c
+  data.tar.gz: f3ab22709cbf537982e163acc60dbe114217f223b18cb4cf681a3d932e2f31276f8286091e49da392356c1958ada7e2c07a5b86b48d57b597f965a57c1bcf63d

data/.github/workflows/build.yml

@@ -16,6 +16,7 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
+          - '3.2'
           - '3.1'
           - '3.0'
           - '2.7'
@@ -23,7 +24,7 @@ jobs:
           - '2.5'
           - truffleruby
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}

data/.github/workflows/git.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2.0.0
+      - uses: actions/checkout@v3
       - name: Block autosquash commits
         uses: xt0rted/block-autosquash-commits-action@v2
         with:

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [v3.0.0] - 2023-02-15
+
+### Added
+
+- Add the capability of handling appid extension #319 [@santiagorodriguez96]
+- Add support for credential backup flags #378 [@santiagorodriguez96]
+- Update dependencies to make gem compatible with OpenSSL 3.1 ([@bdewater],[@santiagorodriguez96])
+
 ## [v3.0.0.alpha2] - 2022-09-12
 
 ### Added
@@ -350,6 +358,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
 [v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/
 [v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v3.0.0.alpha1
 [v2.5.2]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.1...v2.5.2/

data/README.md

@@ -16,7 +16,7 @@ Makes your Ruby/Rails web server become a functional [WebAuthn Relying Party](ht
 
 Takes care of the [server-side operations](https://www.w3.org/TR/webauthn/#rp-operations) needed to
 [register](https://www.w3.org/TR/webauthn/#registration) or [authenticate](https://www.w3.org/TR/webauthn/#authentication)
-a user [credential](https://www.w3.org/TR/webauthn/#public-key-credential), including the necessary cryptographic checks.
+a user's [public key credential](https://www.w3.org/TR/webauthn/#public-key-credential) (also called a "passkey"), including the necessary cryptographic checks.
 
 ## Table of Contents
 
@@ -52,7 +52,7 @@ WebAuthn (Web Authentication) is a W3C standard for secure public-key authentica
 
 - WebAuthn [W3C Recommendation](https://www.w3.org/TR/webauthn/) (i.e. "The Standard")
 - [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API) in MDN
-- How to use [WebAuthn in Android apps](https://developers.google.com/identity/fido/android/native-apps)
+- How to use WebAuthn in native [Android](https://developers.google.com/identity/fido/android/native-apps) or [macOS/iOS/iPadOS](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication) apps.
 - [Security Benefits for WebAuthn Servers (a.k.a Relying Parties)](https://www.w3.org/TR/webauthn/#sctn-rp-benefits)
 
 ## Prerequisites
@@ -89,7 +89,7 @@ Or install it yourself as:
 
 ## Usage
 
-You can find a working example on how to use this gem in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app).
+You can find a working example on how to use this gem in a pasword-less login in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app). If you want to see an example on how to use this gem as a second factor authenticator in a __Rails__ application instead, you can check it in [webauthn-2fa-rails-demo](https://github.com/cedarcode/webauthn-2fa-rails-demo).
 
 If you are migrating an existing application from the legacy FIDO U2F JavaScript API to WebAuthn, also refer to
 [`docs/u2f_migration.md`](docs/u2f_migration.md).

data/docs/advanced_configuration.md

@@ -21,7 +21,7 @@ Intead of the [Global Configuration](../README.md#configuration) you place in `c
   relying_party = WebAuthn::RelyingParty.new(
     # This value needs to match `window.location.origin` evaluated by
     # the User Agent during registration and authentication ceremonies.
-    origin: "https://admin.example.com"
+    origin: "https://admin.example.com",
 
     # Relying Party name for display purposes
     name: "Admin Site for Example Inc."
@@ -71,7 +71,7 @@ if !user.webauthn_id
   user.update!(webauthn_id: WebAuthn.generate_user_id)
 end
 
-options = relying_party.options_for_create(
+options = relying_party.options_for_registration(
   user: { id: user.webauthn_id, name: user.name },
   exclude: user.credentials.map { |c| c.webauthn_id }
 )

data/docs/u2f_migration.md

@@ -53,7 +53,7 @@ migrated_credential.authenticator_data.sign_count
 
 ## Authenticate migrated U2F credentials
 
-Following the documentation on the [authentication initiation](https://github.com/cedarcode/webauthn-ruby/blob/master/README.md#authentication),
+Following the documentation on the [authentication initiation](https://github.com/cedarcode/webauthn-ruby/blob/master/README.md#initiation-phase-1),
 you need to specify the [FIDO AppID extension](https://www.w3.org/TR/webauthn/#sctn-appid-extension) for U2F migratedq
 credentials. The WebAuthn standard explains:
 
@@ -65,33 +65,26 @@ For the earlier given example `domain` this means:
 - FIDO AppID: `https://login.example.com`
 - Valid RP IDs: `login.example.com` (default) and `example.com`
 
+You can request the use of the `appid` extension by setting the AppID in the configuration, like this:
+
+```ruby
+WebAuthn.configure do |config|
+  config.legacy_u2f_appid = "https://login.example.com"
+end
+```
+
+By doing this, the `appid` extension will be automatically requested when generating the options for get:
+
 ```ruby
-credential_request_options = WebAuthn.credential_request_options
-credential_request_options[:extensions] = { appid: domain.to_s }
+options = WebAuthn::Credential.options_for_get
 ```
 
 On the frontend, in the resolved value from `navigator.credentials.get({ "publicKey": credentialRequestOptions })` add
 a call to [getClientExtensionResults()](https://www.w3.org/TR/webauthn/#dom-publickeycredential-getclientextensionresults)
 and send its result to your backend alongside the `id`/`rawId` and `response` values. If the authenticator used the AppID
-extension, the returned value will contain `{ "appid": true }`. In the example below, we use `clientExtensionResults`.
+extension, the returned value will contain `{ "appid": true }`.
 
-During authentication verification phase, you must pass either the original AppID or the RP ID as the `rp_id` argument:
+During authentication verification phase, if you followed the [verification phase documentation](https://github.com/cedarcode/webauthn-ruby#verification-phase-1) and have set the AppID in the config, the method `PublicKeyCredentialWithAssertion#verify` will be smart enough to determine if it should use the AppID or the RP ID to verify the WebAuthn credential, depending on the output of the `appid` client extension:
 
 > If true, the AppID was used and thus, when verifying an assertion, the Relying Party MUST expect the `rpIdHash` to be
 > the hash of the _AppID_, not the RP ID.
-
-```ruby
-assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
-  user_handle: params[:response][:userHandle],
-  authenticator_data: params[:response][:authenticatorData],
-  client_data_json: params[:response][:clientDataJSON],
-  signature: params[:response][:signature],
-)
-
-assertion_response.verify(
-  expected_challenge,
-  public_key: credential.public_key,
-  sign_count: credential.count,
-  rp_id: params[:clientExtensionResults][:appid] ? domain.to_s : domain.host,
-)
-```

data/lib/webauthn/authenticator_data.rb

@@ -19,9 +19,9 @@ module WebAuthn
     struct :flags do
       bit1 :extension_data_included
       bit1 :attested_credential_data_included
-      bit1 :reserved_for_future_use_4
-      bit1 :reserved_for_future_use_3
       bit1 :reserved_for_future_use_2
+      bit1 :backup_state
+      bit1 :backup_eligibility
       bit1 :user_verified
       bit1 :reserved_for_future_use_1
       bit1 :user_present
@@ -58,6 +58,14 @@ module WebAuthn
       flags.user_verified == 1
     end
 
+    def credential_backup_eligible?
+      flags.backup_eligibility == 1
+    end
+
+    def credential_backed_up?
+      flags.backup_state == 1
+    end
+
     def attested_credential_data_included?
       flags.attested_credential_data_included == 1
     end

data/lib/webauthn/configuration.rb

@@ -33,7 +33,9 @@ module WebAuthn
                    :attestation_root_certificates_finders,
                    :attestation_root_certificates_finders=,
                    :encoder,
-                   :encoder=
+                   :encoder=,
+                   :legacy_u2f_appid,
+                   :legacy_u2f_appid=
 
     attr_reader :relying_party
 

data/lib/webauthn/fake_authenticator/attestation_object.rb

@@ -13,6 +13,8 @@ module WebAuthn
         credential_key:,
         user_present: true,
         user_verified: false,
+        backup_eligibility: false,
+        backup_state: false,
         attested_credential_data: true,
         sign_count: 0,
         extensions: nil
@@ -23,6 +25,8 @@ module WebAuthn
         @credential_key = credential_key
         @user_present = user_present
         @user_verified = user_verified
+        @backup_eligibility = backup_eligibility
+        @backup_state = backup_state
         @attested_credential_data = attested_credential_data
         @sign_count = sign_count
         @extensions = extensions
@@ -45,6 +49,8 @@ module WebAuthn
         :credential_key,
         :user_present,
         :user_verified,
+        :backup_eligibility,
+        :backup_state,
         :attested_credential_data,
         :sign_count,
         :extensions
@@ -63,6 +69,8 @@ module WebAuthn
               credential: credential_data,
               user_present: user_present,
               user_verified: user_verified,
+              backup_eligibility: backup_eligibility,
+              backup_state: backup_state,
               sign_count: 0,
               extensions: extensions
             )

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -20,6 +20,8 @@ module WebAuthn
         sign_count: 0,
         user_present: true,
         user_verified: !user_present,
+        backup_eligibility: false,
+        backup_state: false,
         aaguid: AAGUID,
         extensions: { "fakeExtension" => "fakeExtensionValue" }
       )
@@ -28,6 +30,8 @@ module WebAuthn
         @sign_count = sign_count
         @user_present = user_present
         @user_verified = user_verified
+        @backup_eligibility = backup_eligibility
+        @backup_state = backup_state
         @aaguid = aaguid
         @extensions = extensions
       end
@@ -38,7 +42,13 @@ module WebAuthn
 
       private
 
-      attr_reader :rp_id_hash, :credential, :user_present, :user_verified, :extensions
+      attr_reader :rp_id_hash,
+                  :credential,
+                  :user_present,
+                  :user_verified,
+                  :extensions,
+                  :backup_eligibility,
+                  :backup_state
 
       def flags
         [
@@ -46,8 +56,8 @@ module WebAuthn
             bit(:user_present),
             reserved_for_future_use_bit,
             bit(:user_verified),
-            reserved_for_future_use_bit,
-            reserved_for_future_use_bit,
+            bit(:backup_eligibility),
+            bit(:backup_state),
             reserved_for_future_use_bit,
             attested_credential_data_included_bit,
             extension_data_included_bit
@@ -108,7 +118,12 @@ module WebAuthn
       end
 
       def context
-        { user_present: user_present, user_verified: user_verified }
+        {
+          user_present: user_present,
+          user_verified: user_verified,
+          backup_eligibility: backup_eligibility,
+          backup_state: backup_state
+        }
       end
 
       def cose_credential_public_key

data/lib/webauthn/fake_authenticator.rb

@@ -17,6 +17,8 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       attested_credential_data: true,
       sign_count: nil,
       extensions: nil
@@ -37,6 +39,8 @@ module WebAuthn
         credential_key: credential_key,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         attested_credential_data: attested_credential_data,
         sign_count: sign_count,
         extensions: extensions
@@ -48,6 +52,8 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       aaguid: AuthenticatorData::AAGUID,
       sign_count: nil,
       extensions: nil,
@@ -71,6 +77,8 @@ module WebAuthn
           rp_id_hash: hashed(rp_id),
           user_present: user_present,
           user_verified: user_verified,
+          backup_eligibility: backup_eligibility,
+          backup_state: backup_state,
           aaguid: aaguid,
           credential: nil,
           sign_count: sign_count || credential_sign_count,

data/lib/webauthn/fake_client.rb

@@ -29,6 +29,8 @@ module WebAuthn
       rp_id: nil,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       attested_credential_data: true,
       extensions: nil
     )
@@ -42,6 +44,8 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         attested_credential_data: attested_credential_data,
         extensions: extensions
       )
@@ -72,6 +76,8 @@ module WebAuthn
             rp_id: nil,
             user_present: true,
             user_verified: false,
+            backup_eligibility: false,
+            backup_state: true,
             sign_count: nil,
             extensions: nil,
             user_handle: nil,
@@ -90,6 +96,8 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         sign_count: sign_count,
         extensions: extensions,
         allow_credentials: allow_credentials

data/lib/webauthn/public_key_credential/options.rb

@@ -13,7 +13,7 @@ module WebAuthn
       def initialize(timeout: nil, extensions: nil, relying_party: WebAuthn.configuration.relying_party)
         @relying_party = relying_party
         @timeout = timeout || default_timeout
-        @extensions = extensions
+        @extensions = default_extensions.merge(extensions || {})
       end
 
       def challenge
@@ -61,6 +61,10 @@ module WebAuthn
         relying_party.credential_options_timeout
       end
 
+      def default_extensions
+        {}
+      end
+
       def as_public_key_descriptors(ids)
         Array(ids).map { |id| { type: TYPE_PUBLIC_KEY, id: id } }
       end

data/lib/webauthn/public_key_credential/request_options.rb

@@ -26,6 +26,16 @@ module WebAuthn
         super.concat([:allow_credentials, :rp_id, :user_verification])
       end
 
+      def default_extensions
+        extensions = super || {}
+
+        if relying_party.legacy_u2f_appid
+          extensions.merge!(appid: relying_party.legacy_u2f_appid)
+        end
+
+        extensions
+      end
+
       def allow_credentials_from_allow
         if allow
           as_public_key_descriptors(allow)

data/lib/webauthn/public_key_credential.rb

@@ -13,7 +13,7 @@ module WebAuthn
         raw_id: relying_party.encoder.decode(credential["rawId"]),
         client_extension_outputs: credential["clientExtensionResults"],
         response: response_class.from_client(credential["response"], relying_party: relying_party),
-        encoder: relying_party.encoder
+        relying_party: relying_party
       )
     end
 
@@ -23,14 +23,14 @@ module WebAuthn
       raw_id:,
       response:,
       client_extension_outputs: {},
-      encoder: WebAuthn.configuration.encoder
+      relying_party: WebAuthn.configuration.relying_party
     )
       @type = type
       @id = id
       @raw_id = raw_id
       @client_extension_outputs = client_extension_outputs
       @response = response
-      @encoder = encoder
+      @relying_party = relying_party
     end
 
     def verify(*_args)
@@ -48,9 +48,17 @@ module WebAuthn
       authenticator_data.extension_data if authenticator_data&.extension_data_included?
     end
 
+    def backup_eligible?
+      authenticator_data&.credential_backup_eligible?
+    end
+
+    def backed_up?
+      authenticator_data&.credential_backed_up?
+    end
+
     private
 
-    attr_reader :encoder
+    attr_reader :relying_party
 
     def valid_type?
       type == TYPE_PUBLIC_KEY
@@ -63,5 +71,9 @@ module WebAuthn
     def authenticator_data
       response&.authenticator_data
     end
+
+    def encoder
+      relying_party.encoder
+    end
   end
 end

data/lib/webauthn/public_key_credential_with_assertion.rb

@@ -16,7 +16,8 @@ module WebAuthn
         encoder.decode(challenge),
         public_key: encoder.decode(public_key),
         sign_count: sign_count,
-        user_verification: user_verification
+        user_verification: user_verification,
+        rp_id: appid_extension_output ? appid : nil
       )
 
       true
@@ -31,5 +32,17 @@ module WebAuthn
     def raw_user_handle
       response.user_handle
     end
+
+    private
+
+    def appid_extension_output
+      return if client_extension_outputs.nil?
+
+      client_extension_outputs['appid']
+    end
+
+    def appid
+      URI.parse(relying_party.legacy_u2f_appid || raise("Unspecified legacy U2F AppID")).to_s
+    end
   end
 end

data/lib/webauthn/relying_party.rb

@@ -25,7 +25,8 @@ module WebAuthn
       credential_options_timeout: 120000,
       silent_authentication: false,
       acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA', 'AnonCA'],
-      attestation_root_certificates_finders: []
+      attestation_root_certificates_finders: [],
+      legacy_u2f_appid: nil
     )
       @algorithms = algorithms
       @encoding = encoding
@@ -36,6 +37,7 @@ module WebAuthn
       @credential_options_timeout = credential_options_timeout
       @silent_authentication = silent_authentication
       @acceptable_attestation_types = acceptable_attestation_types
+      @legacy_u2f_appid = legacy_u2f_appid
       self.attestation_root_certificates_finders = attestation_root_certificates_finders
     end
 
@@ -47,7 +49,8 @@ module WebAuthn
                   :verify_attestation_statement,
                   :credential_options_timeout,
                   :silent_authentication,
-                  :acceptable_attestation_types
+                  :acceptable_attestation_types,
+                  :legacy_u2f_appid
 
     attr_reader :attestation_root_certificates_finders
 

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.0.0.alpha2"
+  VERSION = "3.0.0"
 end

data/webauthn.gemspec

@@ -38,9 +38,9 @@ Gem::Specification.new do |spec|
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
   spec.add_dependency "cose", "~> 1.1"
-  spec.add_dependency "openssl", ">= 2.2", "< 3.1"
+  spec.add_dependency "openssl", ">= 2.2"
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.11.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.12.0"
 
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 3.0.0.alpha2
+  version: 3.0.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-09-15 00:00:00.000000000 Z
+date: 2023-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -88,9 +88,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -98,9 +95,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: safety_net_attestation
   requirement: !ruby/object:Gem::Requirement
@@ -121,14 +115,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.11.0
+        version: 0.12.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.11.0
+        version: 0.12.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -324,9 +318,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.2.32
 signing_key: