webauthn 3.0.0.alpha2 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f9f14328571fd39b5e19c9a6ec5b427cfd4dea9fc2ab4774135f4453e14b676
-  data.tar.gz: 1e33b7564ea1b3b8aeb32864782a0dad1e0207f1c70c037eb80140db2272ae01
+  metadata.gz: 3b23698bdd722a0cda45be7ee9d5ba528f966eb98304a50069242f0a25dcd259
+  data.tar.gz: 4d7bf8874268cbbbfa75136006af9dc5a824b25d3f0522c5f2046092261bae5d
 SHA512:
-  metadata.gz: b1e22bb07b1ebced7851c592a2a4e8b0e6772e502f402bd841383f8071963e3b0df8c75da66db5623840a32f14799439d09a52c8dabcdd4e5edbef8a0a419a00
-  data.tar.gz: 1a1b1c647a06398edad9d1da94ca8de53202e184f8930b2fe001f82e17d8416516cbaf4db4fd012fd44d1ac5da32c6d8d32c971507584bf00ef9d74b15d535b5
+  metadata.gz: bf2d6697ee0c34cccbb1f5f9765e70efe1a8062f73b35cb900894c59f512d81157a836046e8006c9c6d5b0a0b3040f9c76a83417928d0ff9fbaba2db1893aaef
+  data.tar.gz: 2952c2573b030ffbba7837f2ba299e73c7a4e09a3a46b4a7a19c7875b4ea5394a8af00059dda69ae4c3dc34b1531b3aad3d1d1445dc4000260b3cfc4e5e23a98

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/build.yml

@@ -7,7 +7,11 @@
 
 name: build
 
-on: push
+on:  
+  push:
+    branches: [master]
+  pull_request:
+    types: [opened, synchronize]
 
 jobs:
   test:
@@ -16,6 +20,7 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
+          - '3.2'
           - '3.1'
           - '3.0'
           - '2.7'
@@ -23,7 +28,7 @@ jobs:
           - '2.5'
           - truffleruby
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}

data/.github/workflows/git.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2.0.0
+      - uses: actions/checkout@v4
       - name: Block autosquash commits
         uses: xt0rted/block-autosquash-commits-action@v2
         with:

data/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## [v3.1.0] - 2023-12-26
+
+### Added
+
+- Add support for optional `authenticator_attachment` in `PublicKeyCredential`. #370 [@8ma10s]
+
+### Fixed
+
+- Fix circular require warning between `webauthn/relying_party` and `webauthn/credential`. #389 [@bdewater]
+- Correctly verify attestation that contains just a batch certificate that is present in the attestation root certificates. #406 [@santiagorodriguez96]
+
+### Changed
+
+- Inlined `base64` implementation. #402 [@olleolleolle]
+- Raise a more descriptive error if input `challenge` is `nil` when verifying the `PublicKeyCredential`. #413 [@soartec-lab]
+
+## [v3.0.0] - 2023-02-15
+
+### Added
+
+- Add the capability of handling appid extension #319 [@santiagorodriguez96]
+- Add support for credential backup flags #378 [@santiagorodriguez96]
+- Update dependencies to make gem compatible with OpenSSL 3.1 ([@bdewater],[@santiagorodriguez96])
+
 ## [v3.0.0.alpha2] - 2022-09-12
 
 ### Added
@@ -350,6 +374,8 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
+[v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
 [v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/
 [v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v3.0.0.alpha1
 [v2.5.2]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.1...v2.5.2/

data/README.md

@@ -6,7 +6,7 @@ For the current release version see https://github.com/cedarcode/webauthn-ruby/b
 ![banner](assets/webauthn-ruby.png)
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.com/cedarcode/webauthn-ruby)
+[![Build](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 [![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
@@ -16,7 +16,7 @@ Makes your Ruby/Rails web server become a functional [WebAuthn Relying Party](ht
 
 Takes care of the [server-side operations](https://www.w3.org/TR/webauthn/#rp-operations) needed to
 [register](https://www.w3.org/TR/webauthn/#registration) or [authenticate](https://www.w3.org/TR/webauthn/#authentication)
-a user [credential](https://www.w3.org/TR/webauthn/#public-key-credential), including the necessary cryptographic checks.
+a user's [public key credential](https://www.w3.org/TR/webauthn/#public-key-credential) (also called a "passkey"), including the necessary cryptographic checks.
 
 ## Table of Contents
 
@@ -52,7 +52,7 @@ WebAuthn (Web Authentication) is a W3C standard for secure public-key authentica
 
 - WebAuthn [W3C Recommendation](https://www.w3.org/TR/webauthn/) (i.e. "The Standard")
 - [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API) in MDN
-- How to use [WebAuthn in Android apps](https://developers.google.com/identity/fido/android/native-apps)
+- How to use WebAuthn in native [Android](https://developers.google.com/identity/fido/android/native-apps) or [macOS/iOS/iPadOS](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication) apps.
 - [Security Benefits for WebAuthn Servers (a.k.a Relying Parties)](https://www.w3.org/TR/webauthn/#sctn-rp-benefits)
 
 ## Prerequisites
@@ -89,7 +89,7 @@ Or install it yourself as:
 
 ## Usage
 
-You can find a working example on how to use this gem in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app).
+You can find a working example on how to use this gem in a pasword-less login in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app). If you want to see an example on how to use this gem as a second factor authenticator in a __Rails__ application instead, you can check it in [webauthn-2fa-rails-demo](https://github.com/cedarcode/webauthn-2fa-rails-demo).
 
 If you are migrating an existing application from the legacy FIDO U2F JavaScript API to WebAuthn, also refer to
 [`docs/u2f_migration.md`](docs/u2f_migration.md).

data/docs/advanced_configuration.md

@@ -21,7 +21,7 @@ Intead of the [Global Configuration](../README.md#configuration) you place in `c
   relying_party = WebAuthn::RelyingParty.new(
     # This value needs to match `window.location.origin` evaluated by
     # the User Agent during registration and authentication ceremonies.
-    origin: "https://admin.example.com"
+    origin: "https://admin.example.com",
 
     # Relying Party name for display purposes
     name: "Admin Site for Example Inc."
@@ -59,7 +59,7 @@ Intead of the [Global Configuration](../README.md#configuration) you place in `c
 
 **DISCLAIMER: This API was released on version 3.0.0.alpha1 and is still under evaluation. Although it has been throughly tested and it is fully functional it might be changed until the final release of version 3.0.0.**
 
-The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelytingParty.new(...)` the code in those explanations needs to be updated to:
+The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelyingParty.new(...)` the code in those explanations needs to be updated to:
 
 ### Credential Registration
 
@@ -71,9 +71,9 @@ if !user.webauthn_id
   user.update!(webauthn_id: WebAuthn.generate_user_id)
 end
 
-options = relying_party.options_for_create(
+options = relying_party.options_for_registration(
   user: { id: user.webauthn_id, name: user.name },
-  exclude: user.credentials.map { |c| c.webauthn_id }
+  exclude: user.credentials.map { |c| c.external_id }
 )
 
 # Store the newly generated challenge somewhere so you can have it
@@ -106,7 +106,7 @@ begin
 
   # Store Credential ID, Credential Public Key and Sign Count for future authentications
   user.credentials.create!(
-    webauthn_id: webauthn_credential.id,
+    external_id: webauthn_credential.id,
     public_key: webauthn_credential.public_key,
     sign_count: webauthn_credential.sign_count
   )
@@ -120,7 +120,7 @@ end
 #### Initiation phase
 
 ```ruby
-options = relying_party.options_for_get(allow: user.credentials.map { |c| c.webauthn_id })
+options = relying_party.options_for_authentication(allow: user.credentials.map { |c| c.webauthn_id })
 
 # Store the newly generated challenge somewhere so you can have it
 # for the verification phase.
@@ -148,9 +148,9 @@ begin
   webauthn_credential, stored_credential = relying_party.verify_authentication(
     params[:publicKeyCredential],
     session[:authentication_challenge]
-  ) do
+  ) do |webauthn_credential|
     # the returned object needs to respond to #public_key and #sign_count
-    user.credentials.find_by(webauthn_id: webauthn_credential.id)
+    user.credentials.find_by(external_id: webauthn_credential.id)
   end
 
   # Update the stored credential sign count with the value from `webauthn_credential.sign_count`

data/docs/u2f_migration.md

@@ -53,7 +53,7 @@ migrated_credential.authenticator_data.sign_count
 
 ## Authenticate migrated U2F credentials
 
-Following the documentation on the [authentication initiation](https://github.com/cedarcode/webauthn-ruby/blob/master/README.md#authentication),
+Following the documentation on the [authentication initiation](https://github.com/cedarcode/webauthn-ruby/blob/master/README.md#initiation-phase-1),
 you need to specify the [FIDO AppID extension](https://www.w3.org/TR/webauthn/#sctn-appid-extension) for U2F migratedq
 credentials. The WebAuthn standard explains:
 
@@ -65,33 +65,26 @@ For the earlier given example `domain` this means:
 - FIDO AppID: `https://login.example.com`
 - Valid RP IDs: `login.example.com` (default) and `example.com`
 
+You can request the use of the `appid` extension by setting the AppID in the configuration, like this:
+
+```ruby
+WebAuthn.configure do |config|
+  config.legacy_u2f_appid = "https://login.example.com"
+end
+```
+
+By doing this, the `appid` extension will be automatically requested when generating the options for get:
+
 ```ruby
-credential_request_options = WebAuthn.credential_request_options
-credential_request_options[:extensions] = { appid: domain.to_s }
+options = WebAuthn::Credential.options_for_get
 ```
 
 On the frontend, in the resolved value from `navigator.credentials.get({ "publicKey": credentialRequestOptions })` add
 a call to [getClientExtensionResults()](https://www.w3.org/TR/webauthn/#dom-publickeycredential-getclientextensionresults)
 and send its result to your backend alongside the `id`/`rawId` and `response` values. If the authenticator used the AppID
-extension, the returned value will contain `{ "appid": true }`. In the example below, we use `clientExtensionResults`.
+extension, the returned value will contain `{ "appid": true }`.
 
-During authentication verification phase, you must pass either the original AppID or the RP ID as the `rp_id` argument:
+During authentication verification phase, if you followed the [verification phase documentation](https://github.com/cedarcode/webauthn-ruby#verification-phase-1) and have set the AppID in the config, the method `PublicKeyCredentialWithAssertion#verify` will be smart enough to determine if it should use the AppID or the RP ID to verify the WebAuthn credential, depending on the output of the `appid` client extension:
 
 > If true, the AppID was used and thus, when verifying an assertion, the Relying Party MUST expect the `rpIdHash` to be
 > the hash of the _AppID_, not the RP ID.
-
-```ruby
-assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
-  user_handle: params[:response][:userHandle],
-  authenticator_data: params[:response][:authenticatorData],
-  client_data_json: params[:response][:clientDataJSON],
-  signature: params[:response][:signature],
-)
-
-assertion_response.verify(
-  expected_challenge,
-  public_key: credential.public_key,
-  sign_count: credential.count,
-  rp_id: params[:clientExtensionResults][:appid] ? domain.to_s : domain.host,
-)
-```

data/lib/webauthn/attestation_statement/base.rb

@@ -102,6 +102,15 @@ module WebAuthn
       end
 
       def valid_certificate_chain?(aaguid: nil, attestation_certificate_key_id: nil)
+        root_certificates = root_certificates(
+          aaguid: aaguid,
+          attestation_certificate_key_id: attestation_certificate_key_id
+        )
+
+        if certificates&.one? && root_certificates.include?(attestation_certificate)
+          return true
+        end
+
         attestation_root_certificates_store(
           aaguid: aaguid,
           attestation_certificate_key_id: attestation_certificate_key_id

data/lib/webauthn/authenticator_data.rb

@@ -19,9 +19,9 @@ module WebAuthn
     struct :flags do
       bit1 :extension_data_included
       bit1 :attested_credential_data_included
-      bit1 :reserved_for_future_use_4
-      bit1 :reserved_for_future_use_3
       bit1 :reserved_for_future_use_2
+      bit1 :backup_state
+      bit1 :backup_eligibility
       bit1 :user_verified
       bit1 :reserved_for_future_use_1
       bit1 :user_present
@@ -58,6 +58,14 @@ module WebAuthn
       flags.user_verified == 1
     end
 
+    def credential_backup_eligible?
+      flags.backup_eligibility == 1
+    end
+
+    def credential_backed_up?
+      flags.backup_state == 1
+    end
+
     def attested_credential_data_included?
       flags.attested_credential_data_included == 1
     end

data/lib/webauthn/configuration.rb

@@ -33,7 +33,9 @@ module WebAuthn
                    :attestation_root_certificates_finders,
                    :attestation_root_certificates_finders=,
                    :encoder,
-                   :encoder=
+                   :encoder=,
+                   :legacy_u2f_appid,
+                   :legacy_u2f_appid=
 
     attr_reader :relying_party
 

data/lib/webauthn/credential.rb

@@ -4,7 +4,6 @@ require "webauthn/public_key_credential/creation_options"
 require "webauthn/public_key_credential/request_options"
 require "webauthn/public_key_credential_with_assertion"
 require "webauthn/public_key_credential_with_attestation"
-require "webauthn/relying_party"
 
 module WebAuthn
   module Credential

data/lib/webauthn/encoder.rb

@@ -20,9 +20,12 @@ module WebAuthn
     def encode(data)
       case encoding
       when :base64
-        Base64.strict_encode64(data)
+        [data].pack("m0") # Base64.strict_encode64(data)
       when :base64url
-        Base64.urlsafe_encode64(data, padding: false)
+        data = [data].pack("m0") # Base64.urlsafe_encode64(data, padding: false)
+        data.chomp!("==") or data.chomp!("=")
+        data.tr!("+/", "-_")
+        data
       when nil, false
         data
       else
@@ -33,9 +36,15 @@ module WebAuthn
     def decode(data)
       case encoding
       when :base64
-        Base64.strict_decode64(data)
+        data.unpack1("m0") # Base64.strict_decode64(data)
       when :base64url
-        Base64.urlsafe_decode64(data)
+        if !data.end_with?("=") && data.length % 4 != 0 #  Base64.urlsafe_decode64(data)
+          data = data.ljust((data.length + 3) & ~3, "=")
+          data.tr!("-_", "+/")
+        else
+          data = data.tr("-_", "+/")
+        end
+        data.unpack1("m0")
       when nil, false
         data
       else

data/lib/webauthn/fake_authenticator/attestation_object.rb

@@ -13,6 +13,8 @@ module WebAuthn
         credential_key:,
         user_present: true,
         user_verified: false,
+        backup_eligibility: false,
+        backup_state: false,
         attested_credential_data: true,
         sign_count: 0,
         extensions: nil
@@ -23,6 +25,8 @@ module WebAuthn
         @credential_key = credential_key
         @user_present = user_present
         @user_verified = user_verified
+        @backup_eligibility = backup_eligibility
+        @backup_state = backup_state
         @attested_credential_data = attested_credential_data
         @sign_count = sign_count
         @extensions = extensions
@@ -45,6 +49,8 @@ module WebAuthn
         :credential_key,
         :user_present,
         :user_verified,
+        :backup_eligibility,
+        :backup_state,
         :attested_credential_data,
         :sign_count,
         :extensions
@@ -63,6 +69,8 @@ module WebAuthn
               credential: credential_data,
               user_present: user_present,
               user_verified: user_verified,
+              backup_eligibility: backup_eligibility,
+              backup_state: backup_state,
               sign_count: 0,
               extensions: extensions
             )

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -20,6 +20,8 @@ module WebAuthn
         sign_count: 0,
         user_present: true,
         user_verified: !user_present,
+        backup_eligibility: false,
+        backup_state: false,
         aaguid: AAGUID,
         extensions: { "fakeExtension" => "fakeExtensionValue" }
       )
@@ -28,6 +30,8 @@ module WebAuthn
         @sign_count = sign_count
         @user_present = user_present
         @user_verified = user_verified
+        @backup_eligibility = backup_eligibility
+        @backup_state = backup_state
         @aaguid = aaguid
         @extensions = extensions
       end
@@ -38,7 +42,13 @@ module WebAuthn
 
       private
 
-      attr_reader :rp_id_hash, :credential, :user_present, :user_verified, :extensions
+      attr_reader :rp_id_hash,
+                  :credential,
+                  :user_present,
+                  :user_verified,
+                  :extensions,
+                  :backup_eligibility,
+                  :backup_state
 
       def flags
         [
@@ -46,8 +56,8 @@ module WebAuthn
             bit(:user_present),
             reserved_for_future_use_bit,
             bit(:user_verified),
-            reserved_for_future_use_bit,
-            reserved_for_future_use_bit,
+            bit(:backup_eligibility),
+            bit(:backup_state),
             reserved_for_future_use_bit,
             attested_credential_data_included_bit,
             extension_data_included_bit
@@ -108,7 +118,12 @@ module WebAuthn
       end
 
       def context
-        { user_present: user_present, user_verified: user_verified }
+        {
+          user_present: user_present,
+          user_verified: user_verified,
+          backup_eligibility: backup_eligibility,
+          backup_state: backup_state
+        }
       end
 
       def cose_credential_public_key

data/lib/webauthn/fake_authenticator.rb

@@ -17,6 +17,8 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       attested_credential_data: true,
       sign_count: nil,
       extensions: nil
@@ -37,6 +39,8 @@ module WebAuthn
         credential_key: credential_key,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         attested_credential_data: attested_credential_data,
         sign_count: sign_count,
         extensions: extensions
@@ -48,6 +52,8 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       aaguid: AuthenticatorData::AAGUID,
       sign_count: nil,
       extensions: nil,
@@ -71,6 +77,8 @@ module WebAuthn
           rp_id_hash: hashed(rp_id),
           user_present: user_present,
           user_verified: user_verified,
+          backup_eligibility: backup_eligibility,
+          backup_state: backup_state,
           aaguid: aaguid,
           credential: nil,
           sign_count: sign_count || credential_sign_count,

data/lib/webauthn/fake_client.rb

@@ -29,6 +29,8 @@ module WebAuthn
       rp_id: nil,
       user_present: true,
       user_verified: false,
+      backup_eligibility: false,
+      backup_state: false,
       attested_credential_data: true,
       extensions: nil
     )
@@ -42,6 +44,8 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         attested_credential_data: attested_credential_data,
         extensions: extensions
       )
@@ -60,6 +64,7 @@ module WebAuthn
         "type" => "public-key",
         "id" => internal_encoder.encode(id),
         "rawId" => encoder.encode(id),
+        "authenticatorAttachment" => 'platform',
         "clientExtensionResults" => extensions,
         "response" => {
           "attestationObject" => encoder.encode(attestation_object),
@@ -72,6 +77,8 @@ module WebAuthn
             rp_id: nil,
             user_present: true,
             user_verified: false,
+            backup_eligibility: false,
+            backup_state: true,
             sign_count: nil,
             extensions: nil,
             user_handle: nil,
@@ -90,6 +97,8 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
+        backup_eligibility: backup_eligibility,
+        backup_state: backup_state,
         sign_count: sign_count,
         extensions: extensions,
         allow_credentials: allow_credentials
@@ -100,6 +109,7 @@ module WebAuthn
         "id" => internal_encoder.encode(assertion[:credential_id]),
         "rawId" => encoder.encode(assertion[:credential_id]),
         "clientExtensionResults" => extensions,
+        "authenticatorAttachment" => 'platform',
         "response" => {
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),

data/lib/webauthn/public_key_credential/options.rb

@@ -13,7 +13,7 @@ module WebAuthn
       def initialize(timeout: nil, extensions: nil, relying_party: WebAuthn.configuration.relying_party)
         @relying_party = relying_party
         @timeout = timeout || default_timeout
-        @extensions = extensions
+        @extensions = default_extensions.merge(extensions || {})
       end
 
       def challenge
@@ -61,6 +61,10 @@ module WebAuthn
         relying_party.credential_options_timeout
       end
 
+      def default_extensions
+        {}
+      end
+
       def as_public_key_descriptors(ids)
         Array(ids).map { |id| { type: TYPE_PUBLIC_KEY, id: id } }
       end

data/lib/webauthn/public_key_credential/request_options.rb

@@ -26,6 +26,16 @@ module WebAuthn
         super.concat([:allow_credentials, :rp_id, :user_verification])
       end
 
+      def default_extensions
+        extensions = super || {}
+
+        if relying_party.legacy_u2f_appid
+          extensions.merge!(appid: relying_party.legacy_u2f_appid)
+        end
+
+        extensions
+      end
+
       def allow_credentials_from_allow
         if allow
           as_public_key_descriptors(allow)

data/lib/webauthn/public_key_credential.rb

@@ -4,7 +4,9 @@ require "webauthn/encoder"
 
 module WebAuthn
   class PublicKeyCredential
-    attr_reader :type, :id, :raw_id, :client_extension_outputs, :response
+    class InvalidChallengeError < Error; end
+
+    attr_reader :type, :id, :raw_id, :client_extension_outputs, :authenticator_attachment, :response
 
     def self.from_client(credential, relying_party: WebAuthn.configuration.relying_party)
       new(
@@ -12,8 +14,9 @@ module WebAuthn
         id: credential["id"],
         raw_id: relying_party.encoder.decode(credential["rawId"]),
         client_extension_outputs: credential["clientExtensionResults"],
+        authenticator_attachment: credential["authenticatorAttachment"],
         response: response_class.from_client(credential["response"], relying_party: relying_party),
-        encoder: relying_party.encoder
+        relying_party: relying_party
       )
     end
 
@@ -22,18 +25,26 @@ module WebAuthn
       id:,
       raw_id:,
       response:,
+      authenticator_attachment: nil,
       client_extension_outputs: {},
-      encoder: WebAuthn.configuration.encoder
+      relying_party: WebAuthn.configuration.relying_party
     )
       @type = type
       @id = id
       @raw_id = raw_id
       @client_extension_outputs = client_extension_outputs
+      @authenticator_attachment = authenticator_attachment
       @response = response
-      @encoder = encoder
+      @relying_party = relying_party
     end
 
-    def verify(*_args)
+    def verify(challenge, *_args)
+      unless valid_class?(challenge)
+        msg = "challenge must be a String. input challenge class: #{challenge.class}"
+
+        raise(InvalidChallengeError, msg)
+      end
+
       valid_type? || raise("invalid type")
       valid_id? || raise("invalid id")
 
@@ -48,9 +59,17 @@ module WebAuthn
       authenticator_data.extension_data if authenticator_data&.extension_data_included?
     end
 
+    def backup_eligible?
+      authenticator_data&.credential_backup_eligible?
+    end
+
+    def backed_up?
+      authenticator_data&.credential_backed_up?
+    end
+
     private
 
-    attr_reader :encoder
+    attr_reader :relying_party
 
     def valid_type?
       type == TYPE_PUBLIC_KEY
@@ -60,8 +79,16 @@ module WebAuthn
       raw_id && id && raw_id == WebAuthn.standard_encoder.decode(id)
     end
 
+    def valid_class?(challenge)
+      challenge.is_a?(String)
+    end
+
     def authenticator_data
       response&.authenticator_data
     end
+
+    def encoder
+      relying_party.encoder
+    end
   end
 end

data/lib/webauthn/public_key_credential_with_assertion.rb

@@ -16,7 +16,8 @@ module WebAuthn
         encoder.decode(challenge),
         public_key: encoder.decode(public_key),
         sign_count: sign_count,
-        user_verification: user_verification
+        user_verification: user_verification,
+        rp_id: appid_extension_output ? appid : nil
       )
 
       true
@@ -31,5 +32,17 @@ module WebAuthn
     def raw_user_handle
       response.user_handle
     end
+
+    private
+
+    def appid_extension_output
+      return if client_extension_outputs.nil?
+
+      client_extension_outputs['appid']
+    end
+
+    def appid
+      URI.parse(relying_party.legacy_u2f_appid || raise("Unspecified legacy U2F AppID")).to_s
+    end
   end
 end

data/lib/webauthn/relying_party.rb

@@ -25,7 +25,8 @@ module WebAuthn
       credential_options_timeout: 120000,
       silent_authentication: false,
       acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA', 'AnonCA'],
-      attestation_root_certificates_finders: []
+      attestation_root_certificates_finders: [],
+      legacy_u2f_appid: nil
     )
       @algorithms = algorithms
       @encoding = encoding
@@ -36,6 +37,7 @@ module WebAuthn
       @credential_options_timeout = credential_options_timeout
       @silent_authentication = silent_authentication
       @acceptable_attestation_types = acceptable_attestation_types
+      @legacy_u2f_appid = legacy_u2f_appid
       self.attestation_root_certificates_finders = attestation_root_certificates_finders
     end
 
@@ -47,7 +49,8 @@ module WebAuthn
                   :verify_attestation_statement,
                   :credential_options_timeout,
                   :silent_authentication,
-                  :acceptable_attestation_types
+                  :acceptable_attestation_types,
+                  :legacy_u2f_appid
 
     attr_reader :attestation_root_certificates_finders
 

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.0.0.alpha2"
+  VERSION = "3.1.0"
 end

data/webauthn.gemspec

@@ -38,10 +38,11 @@ Gem::Specification.new do |spec|
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
   spec.add_dependency "cose", "~> 1.1"
-  spec.add_dependency "openssl", ">= 2.2", "< 3.1"
+  spec.add_dependency "openssl", ">= 2.2"
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.11.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.12.0"
 
+  spec.add_development_dependency "base64", ">= 0.1.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 3.0.0.alpha2
+  version: 3.1.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-09-15 00:00:00.000000000 Z
+date: 2023-12-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -88,9 +88,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -98,9 +95,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: safety_net_attestation
   requirement: !ruby/object:Gem::Requirement
@@ -121,14 +115,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.11.0
+        version: 0.12.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.11.0
+        version: 0.12.0
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -243,6 +251,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/build.yml"
 - ".github/workflows/git.yml"
 - ".gitignore"
@@ -324,11 +333,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: WebAuthn ruby server library