webauthn 3.0.0 → 3.4.2

data/lib/webauthn/credential.rb

@@ -4,7 +4,6 @@ require "webauthn/public_key_credential/creation_options"
 require "webauthn/public_key_credential/request_options"
 require "webauthn/public_key_credential_with_assertion"
 require "webauthn/public_key_credential_with_attestation"
-require "webauthn/relying_party"
 
 module WebAuthn
   module Credential

data/lib/webauthn/encoder.rb

@@ -1,46 +1,18 @@
 # frozen_string_literal: true
 
-require "base64"
+require "webauthn/encoders"
 
 module WebAuthn
-  def self.standard_encoder
-    @standard_encoder ||= Encoder.new
-  end
-
   class Encoder
+    extend Forwardable
+
     # https://www.w3.org/TR/webauthn-2/#base64url-encoding
     STANDARD_ENCODING = :base64url
 
-    attr_reader :encoding
+    def_delegators :@encoder_klass, :encode, :decode
 
     def initialize(encoding = STANDARD_ENCODING)
-      @encoding = encoding
-    end
-
-    def encode(data)
-      case encoding
-      when :base64
-        Base64.strict_encode64(data)
-      when :base64url
-        Base64.urlsafe_encode64(data, padding: false)
-      when nil, false
-        data
-      else
-        raise "Unsupported or unknown encoding: #{encoding}"
-      end
-    end
-
-    def decode(data)
-      case encoding
-      when :base64
-        Base64.strict_decode64(data)
-      when :base64url
-        Base64.urlsafe_decode64(data)
-      when nil, false
-        data
-      else
-        raise "Unsupported or unknown encoding: #{encoding}"
-      end
+      @encoder_klass = Encoders.lookup(encoding)
     end
   end
 end

data/lib/webauthn/encoders.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module WebAuthn
+  def self.standard_encoder
+    @standard_encoder ||= Encoders.lookup(Encoder::STANDARD_ENCODING)
+  end
+
+  module Encoders
+    class << self
+      def lookup(encoding)
+        case encoding
+        when :base64
+          Base64Encoder
+        when :base64url
+          Base64UrlEncoder
+        when nil, false
+          NullEncoder
+        else
+          raise "Unsupported or unknown encoding: #{encoding}"
+        end
+      end
+    end
+
+    class Base64Encoder
+      def self.encode(data)
+        [data].pack("m0") # Base64.strict_encode64(data)
+      end
+
+      def self.decode(data)
+        data.unpack1("m0") # Base64.strict_decode64(data)
+      end
+    end
+
+    class Base64UrlEncoder
+      def self.encode(data)
+        data = [data].pack("m0") # Base64.urlsafe_encode64(data, padding: false)
+        data.chomp!("==") or data.chomp!("=")
+        data.tr!("+/", "-_")
+        data
+      end
+
+      def self.decode(data)
+        if !data.end_with?("=") && data.length % 4 != 0 #  Base64.urlsafe_decode64(data)
+          data = data.ljust((data.length + 3) & ~3, "=")
+        end
+
+        data = data.tr("-_", "+/")
+        data.unpack1("m0")
+      end
+    end
+
+    class NullEncoder
+      def self.encode(data)
+        data
+      end
+
+      def self.decode(data)
+        data
+      end
+    end
+  end
+end

data/lib/webauthn/fake_authenticator/attestation_object.rb

@@ -61,7 +61,7 @@ module WebAuthn
           begin
             credential_data =
               if attested_credential_data
-                { id: credential_id, public_key: credential_key.public_key }
+                { id: credential_id, public_key: credential_public_key }
               end
 
             AuthenticatorData.new(
@@ -76,6 +76,15 @@ module WebAuthn
             )
           end
       end
+
+      def credential_public_key
+        case credential_key
+        when OpenSSL::PKey::RSA, OpenSSL::PKey::EC
+          credential_key.public_key
+        when OpenSSL::PKey::PKey
+          OpenSSL::PKey.read(credential_key.public_to_der)
+        end
+      end
     end
   end
 end

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -140,7 +140,9 @@ module WebAuthn
 
           key = COSE::Key::EC2.from_pkey(credential[:public_key])
           key.alg = alg[key.crv]
-
+        when OpenSSL::PKey::PKey
+          key = COSE::Key::OKP.from_pkey(credential[:public_key])
+          key.alg = -8
         end
 
         key.serialize

data/lib/webauthn/fake_authenticator.rb

@@ -20,10 +20,11 @@ module WebAuthn
       backup_eligibility: false,
       backup_state: false,
       attested_credential_data: true,
+      algorithm: nil,
       sign_count: nil,
       extensions: nil
     )
-      credential_id, credential_key, credential_sign_count = new_credential
+      credential_id, credential_key, credential_sign_count = new_credential(algorithm)
       sign_count ||= credential_sign_count
 
       credentials[rp_id] ||= {}
@@ -85,7 +86,14 @@ module WebAuthn
           extensions: extensions
         ).serialize
 
-        signature = credential_key.sign("SHA256", authenticator_data + client_data_hash)
+        signature_digest_algorithm =
+          case credential_key
+          when OpenSSL::PKey::RSA, OpenSSL::PKey::EC
+            'SHA256'
+          when OpenSSL::PKey::PKey
+            nil
+          end
+        signature = credential_key.sign(signature_digest_algorithm, authenticator_data + client_data_hash)
         credential[:sign_count] += 1
 
         {
@@ -102,8 +110,21 @@ module WebAuthn
 
     attr_reader :credentials
 
-    def new_credential
-      [SecureRandom.random_bytes(16), OpenSSL::PKey::EC.generate("prime256v1"), 0]
+    def new_credential(algorithm)
+      algorithm ||= 'ES256'
+      credential_key =
+        case algorithm
+        when 'ES256'
+          OpenSSL::PKey::EC.generate('prime256v1')
+        when 'RS256'
+          OpenSSL::PKey::RSA.new(2048)
+        when 'EdDSA'
+          OpenSSL::PKey.generate_key("ED25519")
+        else
+          raise "Unsupported algorithm #{algorithm}"
+        end
+
+      [SecureRandom.random_bytes(16), credential_key, 0]
     end
 
     def hashed(target)

data/lib/webauthn/fake_client.rb

@@ -32,6 +32,7 @@ module WebAuthn
       backup_eligibility: false,
       backup_state: false,
       attested_credential_data: true,
+      credential_algorithm: nil,
       extensions: nil
     )
       rp_id ||= URI.parse(origin).host
@@ -47,6 +48,7 @@ module WebAuthn
         backup_eligibility: backup_eligibility,
         backup_state: backup_state,
         attested_credential_data: attested_credential_data,
+        algorithm: credential_algorithm,
         extensions: extensions
       )
 
@@ -64,10 +66,12 @@ module WebAuthn
         "type" => "public-key",
         "id" => internal_encoder.encode(id),
         "rawId" => encoder.encode(id),
+        "authenticatorAttachment" => 'platform',
         "clientExtensionResults" => extensions,
         "response" => {
           "attestationObject" => encoder.encode(attestation_object),
-          "clientDataJSON" => encoder.encode(client_data_json)
+          "clientDataJSON" => encoder.encode(client_data_json),
+          "transports" => ["internal"],
         }
       }
     end
@@ -108,6 +112,7 @@ module WebAuthn
         "id" => internal_encoder.encode(assertion[:credential_id]),
         "rawId" => encoder.encode(assertion[:credential_id]),
         "clientExtensionResults" => extensions,
+        "authenticatorAttachment" => 'platform',
         "response" => {
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),

data/lib/webauthn/json_serializer.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module WebAuthn
+  module JSONSerializer
+    # Argument wildcard for Ruby on Rails controller automatic object JSON serialization
+    def as_json(*)
+      deep_camelize_keys(to_hash)
+    end
+
+    private
+
+    def to_hash
+      attributes.each_with_object({}) do |attribute_name, hash|
+        value = send(attribute_name)
+
+        if value.respond_to?(:as_json)
+          value = value.as_json
+        end
+
+        if value
+          hash[attribute_name] = value
+        end
+      end
+    end
+
+    def deep_camelize_keys(object)
+      case object
+      when Hash
+        object.each_with_object({}) do |(key, value), result|
+          result[camelize(key)] = deep_camelize_keys(value)
+        end
+      when Array
+        object.map { |element| deep_camelize_keys(element) }
+      else
+        object
+      end
+    end
+
+    def camelize(term)
+      first_term, *rest = term.to_s.split('_')
+
+      [first_term, *rest.map(&:capitalize)].join.to_sym
+    end
+  end
+end

data/lib/webauthn/public_key_credential/entity.rb

@@ -1,40 +1,18 @@
 # frozen_string_literal: true
 
-require "awrence"
-
 module WebAuthn
   class PublicKeyCredential
     class Entity
+      include JSONSerializer
+
       attr_reader :name
 
       def initialize(name:)
         @name = name
       end
 
-      def as_json
-        to_hash.to_camelback_keys
-      end
-
       private
 
-      def to_hash
-        hash = {}
-
-        attributes.each do |attribute_name|
-          value = send(attribute_name)
-
-          if value.respond_to?(:as_json)
-            value = value.as_json
-          end
-
-          if value
-            hash[attribute_name] = value
-          end
-        end
-
-        hash
-      end
-
       def attributes
         [:name]
       end

data/lib/webauthn/public_key_credential/options.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 
-require "awrence"
 require "securerandom"
 
 module WebAuthn
   class PublicKeyCredential
     class Options
+      include JSONSerializer
+
       CHALLENGE_LENGTH = 32
 
       attr_reader :timeout, :extensions, :relying_party
@@ -20,31 +21,8 @@ module WebAuthn
         encoder.encode(raw_challenge)
       end
 
-      # Argument wildcard for Ruby on Rails controller automatic object JSON serialization
-      def as_json(*)
-        to_hash.to_camelback_keys
-      end
-
       private
 
-      def to_hash
-        hash = {}
-
-        attributes.each do |attribute_name|
-          value = send(attribute_name)
-
-          if value.respond_to?(:as_json)
-            value = value.as_json
-          end
-
-          if value
-            hash[attribute_name] = value
-          end
-        end
-
-        hash
-      end
-
       def attributes
         [:challenge, :timeout, :extensions]
       end

data/lib/webauthn/public_key_credential.rb

@@ -4,7 +4,9 @@ require "webauthn/encoder"
 
 module WebAuthn
   class PublicKeyCredential
-    attr_reader :type, :id, :raw_id, :client_extension_outputs, :response
+    class InvalidChallengeError < Error; end
+
+    attr_reader :type, :id, :raw_id, :client_extension_outputs, :authenticator_attachment, :response
 
     def self.from_client(credential, relying_party: WebAuthn.configuration.relying_party)
       new(
@@ -12,6 +14,7 @@ module WebAuthn
         id: credential["id"],
         raw_id: relying_party.encoder.decode(credential["rawId"]),
         client_extension_outputs: credential["clientExtensionResults"],
+        authenticator_attachment: credential["authenticatorAttachment"],
         response: response_class.from_client(credential["response"], relying_party: relying_party),
         relying_party: relying_party
       )
@@ -22,6 +25,7 @@ module WebAuthn
       id:,
       raw_id:,
       response:,
+      authenticator_attachment: nil,
       client_extension_outputs: {},
       relying_party: WebAuthn.configuration.relying_party
     )
@@ -29,11 +33,18 @@ module WebAuthn
       @id = id
       @raw_id = raw_id
       @client_extension_outputs = client_extension_outputs
+      @authenticator_attachment = authenticator_attachment
       @response = response
       @relying_party = relying_party
     end
 
-    def verify(*_args)
+    def verify(challenge, *_args)
+      unless valid_class?(challenge)
+        msg = "challenge must be a String. input challenge class: #{challenge.class}"
+
+        raise(InvalidChallengeError, msg)
+      end
+
       valid_type? || raise("invalid type")
       valid_id? || raise("invalid id")
 
@@ -68,6 +79,10 @@ module WebAuthn
       raw_id && id && raw_id == WebAuthn.standard_encoder.decode(id)
     end
 
+    def valid_class?(challenge)
+      challenge.is_a?(String)
+    end
+
     def authenticator_data
       response&.authenticator_data
     end

data/lib/webauthn/public_key_credential_with_assertion.rb

@@ -9,13 +9,14 @@ module WebAuthn
       WebAuthn::AuthenticatorAssertionResponse
     end
 
-    def verify(challenge, public_key:, sign_count:, user_verification: nil)
+    def verify(challenge, public_key:, sign_count:, user_presence: nil, user_verification: nil)
       super
 
       response.verify(
         encoder.decode(challenge),
         public_key: encoder.decode(public_key),
         sign_count: sign_count,
+        user_presence: user_presence,
         user_verification: user_verification,
         rp_id: appid_extension_output ? appid : nil
       )

data/lib/webauthn/public_key_credential_with_attestation.rb

@@ -9,10 +9,10 @@ module WebAuthn
       WebAuthn::AuthenticatorAttestationResponse
     end
 
-    def verify(challenge, user_verification: nil)
+    def verify(challenge, user_presence: nil, user_verification: nil)
       super
 
-      response.verify(encoder.decode(challenge), user_verification: user_verification)
+      response.verify(encoder.decode(challenge), user_presence: user_presence, user_verification: user_verification)
 
       true
     end

data/lib/webauthn/relying_party.rb

@@ -9,15 +9,16 @@ module WebAuthn
   class RootCertificateFinderNotSupportedError < Error; end
 
   class RelyingParty
+    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
+
     def self.if_pss_supported(algorithm)
       OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
     end
 
-    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
-
     def initialize(
       algorithms: DEFAULT_ALGORITHMS.dup,
       encoding: WebAuthn::Encoder::STANDARD_ENCODING,
+      allowed_origins: nil,
       origin: nil,
       id: nil,
       name: nil,
@@ -30,7 +31,7 @@ module WebAuthn
     )
       @algorithms = algorithms
       @encoding = encoding
-      @origin = origin
+      @allowed_origins = allowed_origins
       @id = id
       @name = name
       @verify_attestation_statement = verify_attestation_statement
@@ -38,12 +39,13 @@ module WebAuthn
       @silent_authentication = silent_authentication
       @acceptable_attestation_types = acceptable_attestation_types
       @legacy_u2f_appid = legacy_u2f_appid
+      self.origin = origin
       self.attestation_root_certificates_finders = attestation_root_certificates_finders
     end
 
     attr_accessor :algorithms,
                   :encoding,
-                  :origin,
+                  :allowed_origins,
                   :id,
                   :name,
                   :verify_attestation_statement,
@@ -52,7 +54,7 @@ module WebAuthn
                   :acceptable_attestation_types,
                   :legacy_u2f_appid
 
-    attr_reader :attestation_root_certificates_finders
+    attr_reader :attestation_root_certificates_finders, :origin
 
     # This is the user-data encoder.
     # Used to decode user input and to encode data provided to the user.
@@ -81,10 +83,10 @@ module WebAuthn
       )
     end
 
-    def verify_registration(raw_credential, challenge, user_verification: nil)
+    def verify_registration(raw_credential, challenge, user_presence: nil, user_verification: nil)
       webauthn_credential = WebAuthn::Credential.from_create(raw_credential, relying_party: self)
 
-      if webauthn_credential.verify(challenge, user_verification: user_verification)
+      if webauthn_credential.verify(challenge, user_presence: user_presence, user_verification: user_verification)
         webauthn_credential
       end
     end
@@ -99,6 +101,7 @@ module WebAuthn
     def verify_authentication(
       raw_credential,
       challenge,
+      user_presence: nil,
       user_verification: nil,
       public_key: nil,
       sign_count: nil
@@ -111,10 +114,24 @@ module WebAuthn
         challenge,
         public_key: public_key || stored_credential.public_key,
         sign_count: sign_count || stored_credential.sign_count,
+        user_presence: user_presence,
         user_verification: user_verification
       )
         block_given? ? [webauthn_credential, stored_credential] : webauthn_credential
       end
     end
+
+    # DEPRECATED: This method will be removed in future.
+    def origin=(new_origin)
+      return if new_origin.nil?
+
+      warn(
+        "DEPRECATION WARNING: `WebAuthn.origin` is deprecated and will be removed in future. "\
+        "Please use `WebAuthn.allowed_origins` instead "\
+        "that also allows configuring multiple origins per Relying Party"
+      )
+
+      @allowed_origins ||= Array(new_origin) # rubocop:disable Naming/MemoizedInstanceVariableName
+    end
   end
 end

data/lib/webauthn/u2f_migrator.rb

@@ -43,7 +43,9 @@ module WebAuthn
     end
 
     def attestation_trust_path
-      @attestation_trust_path ||= [OpenSSL::X509::Certificate.new(Base64.strict_decode64(@certificate))]
+      @attestation_trust_path ||= [
+        OpenSSL::X509::Certificate.new(WebAuthn::Encoders::Base64Encoder.decode(@certificate))
+      ]
     end
 
     private
@@ -51,14 +53,14 @@ module WebAuthn
     # https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#u2f-authenticatorMakeCredential-interoperability
     # Let credentialId be a credentialIdLength byte array initialized with CTAP1/U2F response key handle bytes.
     def credential_id
-      Base64.urlsafe_decode64(@key_handle)
+      WebAuthn::Encoders::Base64UrlEncoder.decode(@key_handle)
     end
 
     # Let x9encodedUserPublicKey be the user public key returned in the U2F registration response message [U2FRawMsgs].
     # Let coseEncodedCredentialPublicKey be the result of converting x9encodedUserPublicKey’s value from ANS X9.62 /
     # Sec-1 v2 uncompressed curve point representation [SEC1V2] to COSE_Key representation ([RFC8152] Section 7).
     def credential_cose_key
-      decoded_public_key = Base64.strict_decode64(@public_key)
+      decoded_public_key = WebAuthn::Encoders::Base64Encoder.decode(@public_key)
       if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(decoded_public_key)
         COSE::Key::EC2.new(
           alg: COSE::Algorithm.by_name("ES256").id,

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.0.0"
+  VERSION = "3.4.2"
 end

data/lib/webauthn.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "webauthn/json_serializer"
 require "webauthn/configuration"
 require "webauthn/credential"
 require "webauthn/credential_creation_options"

data/webauthn.gemspec

@@ -34,19 +34,18 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ">= 2.5"
 
   spec.add_dependency "android_key_attestation", "~> 0.3.0"
-  spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
   spec.add_dependency "cose", "~> 1.1"
   spec.add_dependency "openssl", ">= 2.2"
-  spec.add_dependency "safety_net_attestation", "~> 0.4.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.12.0"
+  spec.add_dependency "safety_net_attestation", "~> 0.5.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.14.0"
 
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "~> 1.9.1"
-  spec.add_development_dependency "rubocop-rake", "~> 0.5.1"
-  spec.add_development_dependency "rubocop-rspec", "~> 2.2.0"
+  spec.add_development_dependency "rubocop", "~> 1"
+  spec.add_development_dependency "rubocop-rake", "~> 0.5"
+  spec.add_development_dependency "rubocop-rspec", ">= 2.2", "< 4.0"
 end