webauthn 3.0.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b133f46bd003c9bfb9a8557bb8caeca7239fcd6c185f78e74e0ae578444d576e
-  data.tar.gz: 14a32debc72ddcfe7e752118ebd4db832b8a46a5628ee54830f30eada4159bcf
+  metadata.gz: 3b23698bdd722a0cda45be7ee9d5ba528f966eb98304a50069242f0a25dcd259
+  data.tar.gz: 4d7bf8874268cbbbfa75136006af9dc5a824b25d3f0522c5f2046092261bae5d
 SHA512:
-  metadata.gz: 9b4ff5cee18575b517473fef7d8000d7e41f113b178378e64a4d2b9036d248f4295edd846a519ab76036a270c3066020fbe44847019812c2a5758f2b1b428f4c
-  data.tar.gz: f3ab22709cbf537982e163acc60dbe114217f223b18cb4cf681a3d932e2f31276f8286091e49da392356c1958ada7e2c07a5b86b48d57b597f965a57c1bcf63d
+  metadata.gz: bf2d6697ee0c34cccbb1f5f9765e70efe1a8062f73b35cb900894c59f512d81157a836046e8006c9c6d5b0a0b3040f9c76a83417928d0ff9fbaba2db1893aaef
+  data.tar.gz: 2952c2573b030ffbba7837f2ba299e73c7a4e09a3a46b4a7a19c7875b4ea5394a8af00059dda69ae4c3dc34b1531b3aad3d1d1445dc4000260b3cfc4e5e23a98

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/build.yml

@@ -7,7 +7,11 @@
 
 name: build
 
-on: push
+on:  
+  push:
+    branches: [master]
+  pull_request:
+    types: [opened, synchronize]
 
 jobs:
   test:
@@ -24,7 +28,7 @@ jobs:
           - '2.5'
           - truffleruby
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}

data/.github/workflows/git.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Block autosquash commits
         uses: xt0rted/block-autosquash-commits-action@v2
         with:

data/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [v3.1.0] - 2023-12-26
+
+### Added
+
+- Add support for optional `authenticator_attachment` in `PublicKeyCredential`. #370 [@8ma10s]
+
+### Fixed
+
+- Fix circular require warning between `webauthn/relying_party` and `webauthn/credential`. #389 [@bdewater]
+- Correctly verify attestation that contains just a batch certificate that is present in the attestation root certificates. #406 [@santiagorodriguez96]
+
+### Changed
+
+- Inlined `base64` implementation. #402 [@olleolleolle]
+- Raise a more descriptive error if input `challenge` is `nil` when verifying the `PublicKeyCredential`. #413 [@soartec-lab]
+
 ## [v3.0.0] - 2023-02-15
 
 ### Added
@@ -358,6 +374,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
 [v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
 [v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/
 [v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v3.0.0.alpha1

data/README.md

@@ -6,7 +6,7 @@ For the current release version see https://github.com/cedarcode/webauthn-ruby/b
 ![banner](assets/webauthn-ruby.png)
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.com/cedarcode/webauthn-ruby)
+[![Build](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 [![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 

data/docs/advanced_configuration.md

@@ -59,7 +59,7 @@ Intead of the [Global Configuration](../README.md#configuration) you place in `c
 
 **DISCLAIMER: This API was released on version 3.0.0.alpha1 and is still under evaluation. Although it has been throughly tested and it is fully functional it might be changed until the final release of version 3.0.0.**
 
-The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelytingParty.new(...)` the code in those explanations needs to be updated to:
+The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelyingParty.new(...)` the code in those explanations needs to be updated to:
 
 ### Credential Registration
 
@@ -73,7 +73,7 @@ end
 
 options = relying_party.options_for_registration(
   user: { id: user.webauthn_id, name: user.name },
-  exclude: user.credentials.map { |c| c.webauthn_id }
+  exclude: user.credentials.map { |c| c.external_id }
 )
 
 # Store the newly generated challenge somewhere so you can have it
@@ -106,7 +106,7 @@ begin
 
   # Store Credential ID, Credential Public Key and Sign Count for future authentications
   user.credentials.create!(
-    webauthn_id: webauthn_credential.id,
+    external_id: webauthn_credential.id,
     public_key: webauthn_credential.public_key,
     sign_count: webauthn_credential.sign_count
   )
@@ -120,7 +120,7 @@ end
 #### Initiation phase
 
 ```ruby
-options = relying_party.options_for_get(allow: user.credentials.map { |c| c.webauthn_id })
+options = relying_party.options_for_authentication(allow: user.credentials.map { |c| c.webauthn_id })
 
 # Store the newly generated challenge somewhere so you can have it
 # for the verification phase.
@@ -148,9 +148,9 @@ begin
   webauthn_credential, stored_credential = relying_party.verify_authentication(
     params[:publicKeyCredential],
     session[:authentication_challenge]
-  ) do
+  ) do |webauthn_credential|
     # the returned object needs to respond to #public_key and #sign_count
-    user.credentials.find_by(webauthn_id: webauthn_credential.id)
+    user.credentials.find_by(external_id: webauthn_credential.id)
   end
 
   # Update the stored credential sign count with the value from `webauthn_credential.sign_count`

data/lib/webauthn/attestation_statement/base.rb

@@ -102,6 +102,15 @@ module WebAuthn
       end
 
       def valid_certificate_chain?(aaguid: nil, attestation_certificate_key_id: nil)
+        root_certificates = root_certificates(
+          aaguid: aaguid,
+          attestation_certificate_key_id: attestation_certificate_key_id
+        )
+
+        if certificates&.one? && root_certificates.include?(attestation_certificate)
+          return true
+        end
+
         attestation_root_certificates_store(
           aaguid: aaguid,
           attestation_certificate_key_id: attestation_certificate_key_id

data/lib/webauthn/credential.rb

@@ -4,7 +4,6 @@ require "webauthn/public_key_credential/creation_options"
 require "webauthn/public_key_credential/request_options"
 require "webauthn/public_key_credential_with_assertion"
 require "webauthn/public_key_credential_with_attestation"
-require "webauthn/relying_party"
 
 module WebAuthn
   module Credential

data/lib/webauthn/encoder.rb

@@ -20,9 +20,12 @@ module WebAuthn
     def encode(data)
       case encoding
       when :base64
-        Base64.strict_encode64(data)
+        [data].pack("m0") # Base64.strict_encode64(data)
       when :base64url
-        Base64.urlsafe_encode64(data, padding: false)
+        data = [data].pack("m0") # Base64.urlsafe_encode64(data, padding: false)
+        data.chomp!("==") or data.chomp!("=")
+        data.tr!("+/", "-_")
+        data
       when nil, false
         data
       else
@@ -33,9 +36,15 @@ module WebAuthn
     def decode(data)
       case encoding
       when :base64
-        Base64.strict_decode64(data)
+        data.unpack1("m0") # Base64.strict_decode64(data)
       when :base64url
-        Base64.urlsafe_decode64(data)
+        if !data.end_with?("=") && data.length % 4 != 0 #  Base64.urlsafe_decode64(data)
+          data = data.ljust((data.length + 3) & ~3, "=")
+          data.tr!("-_", "+/")
+        else
+          data = data.tr("-_", "+/")
+        end
+        data.unpack1("m0")
       when nil, false
         data
       else

data/lib/webauthn/fake_client.rb

@@ -64,6 +64,7 @@ module WebAuthn
         "type" => "public-key",
         "id" => internal_encoder.encode(id),
         "rawId" => encoder.encode(id),
+        "authenticatorAttachment" => 'platform',
         "clientExtensionResults" => extensions,
         "response" => {
           "attestationObject" => encoder.encode(attestation_object),
@@ -108,6 +109,7 @@ module WebAuthn
         "id" => internal_encoder.encode(assertion[:credential_id]),
         "rawId" => encoder.encode(assertion[:credential_id]),
         "clientExtensionResults" => extensions,
+        "authenticatorAttachment" => 'platform',
         "response" => {
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),

data/lib/webauthn/public_key_credential.rb

@@ -4,7 +4,9 @@ require "webauthn/encoder"
 
 module WebAuthn
   class PublicKeyCredential
-    attr_reader :type, :id, :raw_id, :client_extension_outputs, :response
+    class InvalidChallengeError < Error; end
+
+    attr_reader :type, :id, :raw_id, :client_extension_outputs, :authenticator_attachment, :response
 
     def self.from_client(credential, relying_party: WebAuthn.configuration.relying_party)
       new(
@@ -12,6 +14,7 @@ module WebAuthn
         id: credential["id"],
         raw_id: relying_party.encoder.decode(credential["rawId"]),
         client_extension_outputs: credential["clientExtensionResults"],
+        authenticator_attachment: credential["authenticatorAttachment"],
         response: response_class.from_client(credential["response"], relying_party: relying_party),
         relying_party: relying_party
       )
@@ -22,6 +25,7 @@ module WebAuthn
       id:,
       raw_id:,
       response:,
+      authenticator_attachment: nil,
       client_extension_outputs: {},
       relying_party: WebAuthn.configuration.relying_party
     )
@@ -29,11 +33,18 @@ module WebAuthn
       @id = id
       @raw_id = raw_id
       @client_extension_outputs = client_extension_outputs
+      @authenticator_attachment = authenticator_attachment
       @response = response
       @relying_party = relying_party
     end
 
-    def verify(*_args)
+    def verify(challenge, *_args)
+      unless valid_class?(challenge)
+        msg = "challenge must be a String. input challenge class: #{challenge.class}"
+
+        raise(InvalidChallengeError, msg)
+      end
+
       valid_type? || raise("invalid type")
       valid_id? || raise("invalid id")
 
@@ -68,6 +79,10 @@ module WebAuthn
       raw_id && id && raw_id == WebAuthn.standard_encoder.decode(id)
     end
 
+    def valid_class?(challenge)
+      challenge.is_a?(String)
+    end
+
     def authenticator_data
       response&.authenticator_data
     end

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.0.0"
+  VERSION = "3.1.0"
 end

data/webauthn.gemspec

@@ -42,6 +42,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
   spec.add_dependency "tpm-key_attestation", "~> 0.12.0"
 
+  spec.add_development_dependency "base64", ">= 0.1.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.1.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-02-15 00:00:00.000000000 Z
+date: 2023-12-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -123,6 +123,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.12.0
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -237,6 +251,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/build.yml"
 - ".github/workflows/git.yml"
 - ".gitignore"
@@ -322,7 +337,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: WebAuthn ruby server library