webauthn 3.1.0 → 3.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b23698bdd722a0cda45be7ee9d5ba528f966eb98304a50069242f0a25dcd259
-  data.tar.gz: 4d7bf8874268cbbbfa75136006af9dc5a824b25d3f0522c5f2046092261bae5d
+  metadata.gz: 4531338c1a9301a58aea6f70458311891a81c06f50e2c223eb812ec24e980e2c
+  data.tar.gz: fae69f115e3f93a942446d30115e0268b0a73bd13a9a565b4235ed5103ab7b98
 SHA512:
-  metadata.gz: bf2d6697ee0c34cccbb1f5f9765e70efe1a8062f73b35cb900894c59f512d81157a836046e8006c9c6d5b0a0b3040f9c76a83417928d0ff9fbaba2db1893aaef
-  data.tar.gz: 2952c2573b030ffbba7837f2ba299e73c7a4e09a3a46b4a7a19c7875b4ea5394a8af00059dda69ae4c3dc34b1531b3aad3d1d1445dc4000260b3cfc4e5e23a98
+  metadata.gz: '038380bb699e7e9d8ee728b256ae2de062bebed3b9531174c5d428e210bcb6896ba4907ea17343239193900d7d1ffc97bde73e99323e12b8377887f7ba0dcd9a'
+  data.tar.gz: eb7062a1dde7a0099154580075bf060a32bdcf000c8156c77048829e38e89e227e0f3d5a15f2d80ba9c408733f94c399bb96f8d19a184bad36943f8309ce3d4a

data/.github/workflows/build.yml

@@ -7,7 +7,7 @@
 
 name: build
 
-on:  
+on:
   push:
     branches: [master]
   pull_request:
@@ -20,6 +20,8 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
+          - '3.4.0-preview2'
+          - '3.3'
           - '3.2'
           - '3.1'
           - '3.0'
@@ -33,4 +35,16 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: true
-    - run: bundle exec rake
+    - run: bundle exec rspec
+      env:
+        RUBYOPT: ${{ startsWith(matrix.ruby, '3.4') && '--enable=frozen-string-literal' || '' }}
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+          bundler-cache: true
+      - run: bundle exec rubocop -f github

data/CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## [v3.2.1] - 2024-11-14
+
+### Fixed
+
+- Fix JSON Serializer generating json with attributes with a null value. [#442](https://github.com/cedarcode/webauthn-ruby/pull/442) @santiagorodriguez96
+
+## [v3.2.0] - 2024-11-13
+
+### Added
+
+- Added `AuthenticatorAttestationResponse#transports` for accessing the response's `transports` value. [#421](https://github.com/cedarcode/webauthn-ruby/pull/421) [@santiagorodriguez96]
+- `WebAuthn::AuthenticatorAssertionResponse#verify` and `WebAuthn::AuthenticatorAttestationResponse#verify`,
+  as well as `RelyingParty#verify_registration` and `RelyingParty#verify_authentication` now accept a `user_presence`
+  keyword arg in order to be able to skip the user presence check for specific attestation and assertion verifications.
+  By default, user presence will be checked unless `silent_authentication` is enabled for the Relying Party (as it was before).
+  [#432](https://github.com/cedarcode/webauthn-ruby/pull/432), [#434](https://github.com/cedarcode/webauthn-ruby/pull/434), [#435](https://github.com/cedarcode/webauthn-ruby/pull/435) ([@nov](https://github.com/nov), [@santiagorodriguez96])
+- `WebAuthn::FakeClient#create` and `WebAuthn::FakeAuthenticator#make_credential` now support a `credential_algorithm` and
+  `algorithm` param (respectively) for choosing the algorithm to use for creating the credential.
+  Supported values are: 'ES256', 'RSA256' and 'EdDSA'. [#400](https://github.com/cedarcode/webauthn-ruby/pull/400), [#437](https://github.com/cedarcode/webauthn-ruby/pull/437) [@santiagorodriguez96]
+- Remove `awrence` dependency. [#436](https://github.com/cedarcode/webauthn-ruby/pull/436) [@npezza](https://github.com/npezza93)
+- Run tests with Ruby 3.3. [#416](https://github.com/cedarcode/webauthn-ruby/pull/416) [@santiagorodriguez96]
+- Run tests with Ruby 3.4.0-preview2. [#436](https://github.com/cedarcode/webauthn-ruby/pull/436) [@npezza](https://github.com/npezza93)
+
+### Changed
+
+- Remove unused class `AttestationTrustworthinessVerificationError`. [#412](https://github.com/cedarcode/webauthn-ruby/pull/412) [@soartec-lab]
+
 ## [v3.1.0] - 2023-12-26
 
 ### Added

data/lib/webauthn/authenticator_assertion_response.rb

@@ -37,8 +37,22 @@ module WebAuthn
       @user_handle = user_handle
     end
 
-    def verify(expected_challenge, expected_origin = nil, public_key:, sign_count:, user_verification: nil, rp_id: nil)
-      super(expected_challenge, expected_origin, user_verification: user_verification, rp_id: rp_id)
+    def verify(
+      expected_challenge,
+      expected_origin = nil,
+      public_key:,
+      sign_count:,
+      user_presence: nil,
+      user_verification: nil,
+      rp_id: nil
+    )
+      super(
+        expected_challenge,
+        expected_origin,
+        user_presence: user_presence,
+        user_verification: user_verification,
+        rp_id: rp_id
+      )
       verify_item(:signature, WebAuthn::PublicKey.deserialize(public_key))
       verify_item(:sign_count, sign_count)
 

data/lib/webauthn/authenticator_attestation_response.rb

@@ -12,7 +12,6 @@ require "webauthn/encoder"
 
 module WebAuthn
   class AttestationStatementVerificationError < VerificationError; end
-  class AttestationTrustworthinessVerificationError < VerificationError; end
   class AttestedCredentialVerificationError < VerificationError; end
 
   class AuthenticatorAttestationResponse < AuthenticatorResponse
@@ -23,21 +22,23 @@ module WebAuthn
 
       new(
         attestation_object: encoder.decode(response["attestationObject"]),
+        transports: response["transports"],
         client_data_json: encoder.decode(response["clientDataJSON"]),
         relying_party: relying_party
       )
     end
 
-    attr_reader :attestation_type, :attestation_trust_path
+    attr_reader :attestation_type, :attestation_trust_path, :transports
 
-    def initialize(attestation_object:, **options)
+    def initialize(attestation_object:, transports: [], **options)
       super(**options)
 
       @attestation_object_bytes = attestation_object
+      @transports = transports
       @relying_party = relying_party
     end
 
-    def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
+    def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
       super
 
       verify_item(:attested_credential)

data/lib/webauthn/authenticator_response.rb

@@ -24,7 +24,7 @@ module WebAuthn
       @relying_party = relying_party
     end
 
-    def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
+    def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
       expected_origin ||= relying_party.origin || raise("Unspecified expected origin")
       rp_id ||= relying_party.id
 
@@ -35,7 +35,8 @@ module WebAuthn
       verify_item(:authenticator_data)
       verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
 
-      if !relying_party.silent_authentication
+      # Fallback to RP configuration unless user_presence is passed in explicitely
+      if user_presence.nil? && !relying_party.silent_authentication || user_presence
         verify_item(:user_presence)
       end
 

data/lib/webauthn/fake_authenticator/attestation_object.rb

@@ -61,7 +61,7 @@ module WebAuthn
           begin
             credential_data =
               if attested_credential_data
-                { id: credential_id, public_key: credential_key.public_key }
+                { id: credential_id, public_key: credential_public_key }
               end
 
             AuthenticatorData.new(
@@ -76,6 +76,15 @@ module WebAuthn
             )
           end
       end
+
+      def credential_public_key
+        case credential_key
+        when OpenSSL::PKey::RSA, OpenSSL::PKey::EC
+          credential_key.public_key
+        when OpenSSL::PKey::PKey
+          OpenSSL::PKey.read(credential_key.public_to_der)
+        end
+      end
     end
   end
 end

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -140,7 +140,9 @@ module WebAuthn
 
           key = COSE::Key::EC2.from_pkey(credential[:public_key])
           key.alg = alg[key.crv]
-
+        when OpenSSL::PKey::PKey
+          key = COSE::Key::OKP.from_pkey(credential[:public_key])
+          key.alg = -8
         end
 
         key.serialize

data/lib/webauthn/fake_authenticator.rb

@@ -20,10 +20,11 @@ module WebAuthn
       backup_eligibility: false,
       backup_state: false,
       attested_credential_data: true,
+      algorithm: nil,
       sign_count: nil,
       extensions: nil
     )
-      credential_id, credential_key, credential_sign_count = new_credential
+      credential_id, credential_key, credential_sign_count = new_credential(algorithm)
       sign_count ||= credential_sign_count
 
       credentials[rp_id] ||= {}
@@ -85,7 +86,14 @@ module WebAuthn
           extensions: extensions
         ).serialize
 
-        signature = credential_key.sign("SHA256", authenticator_data + client_data_hash)
+        signature_digest_algorithm =
+          case credential_key
+          when OpenSSL::PKey::RSA, OpenSSL::PKey::EC
+            'SHA256'
+          when OpenSSL::PKey::PKey
+            nil
+          end
+        signature = credential_key.sign(signature_digest_algorithm, authenticator_data + client_data_hash)
         credential[:sign_count] += 1
 
         {
@@ -102,8 +110,21 @@ module WebAuthn
 
     attr_reader :credentials
 
-    def new_credential
-      [SecureRandom.random_bytes(16), OpenSSL::PKey::EC.generate("prime256v1"), 0]
+    def new_credential(algorithm)
+      algorithm ||= 'ES256'
+      credential_key =
+        case algorithm
+        when 'ES256'
+          OpenSSL::PKey::EC.generate('prime256v1')
+        when 'RS256'
+          OpenSSL::PKey::RSA.new(2048)
+        when 'EdDSA'
+          OpenSSL::PKey.generate_key("ED25519")
+        else
+          raise "Unsupported algorithm #{algorithm}"
+        end
+
+      [SecureRandom.random_bytes(16), credential_key, 0]
     end
 
     def hashed(target)

data/lib/webauthn/fake_client.rb

@@ -32,6 +32,7 @@ module WebAuthn
       backup_eligibility: false,
       backup_state: false,
       attested_credential_data: true,
+      credential_algorithm: nil,
       extensions: nil
     )
       rp_id ||= URI.parse(origin).host
@@ -47,6 +48,7 @@ module WebAuthn
         backup_eligibility: backup_eligibility,
         backup_state: backup_state,
         attested_credential_data: attested_credential_data,
+        algorithm: credential_algorithm,
         extensions: extensions
       )
 
@@ -68,7 +70,8 @@ module WebAuthn
         "clientExtensionResults" => extensions,
         "response" => {
           "attestationObject" => encoder.encode(attestation_object),
-          "clientDataJSON" => encoder.encode(client_data_json)
+          "clientDataJSON" => encoder.encode(client_data_json),
+          "transports" => ["internal"],
         }
       }
     end

data/lib/webauthn/json_serializer.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module WebAuthn
+  module JSONSerializer
+    # Argument wildcard for Ruby on Rails controller automatic object JSON serialization
+    def as_json(*)
+      to_hash_with_camelized_keys
+    end
+
+    private
+
+    def to_hash_with_camelized_keys
+      attributes.each_with_object({}) do |attribute_name, hash|
+        value = send(attribute_name)
+
+        if value && value.respond_to?(:as_json)
+          hash[camelize(attribute_name)] = value.as_json
+        elsif value
+          hash[camelize(attribute_name)] = deep_camelize_keys(value)
+        end
+      end
+    end
+
+    def deep_camelize_keys(object)
+      case object
+      when Hash
+        object.each_with_object({}) do |(key, value), result|
+          result[camelize(key)] = deep_camelize_keys(value)
+        end
+      when Array
+        object.map { |element| deep_camelize_keys(element) }
+      else
+        object
+      end
+    end
+
+    def camelize(term)
+      first_term, *rest = term.to_s.split('_')
+
+      [first_term, *rest.map(&:capitalize)].join.to_sym
+    end
+  end
+end

data/lib/webauthn/public_key_credential/entity.rb

@@ -1,40 +1,18 @@
 # frozen_string_literal: true
 
-require "awrence"
-
 module WebAuthn
   class PublicKeyCredential
     class Entity
+      include JSONSerializer
+
       attr_reader :name
 
       def initialize(name:)
         @name = name
       end
 
-      def as_json
-        to_hash.to_camelback_keys
-      end
-
       private
 
-      def to_hash
-        hash = {}
-
-        attributes.each do |attribute_name|
-          value = send(attribute_name)
-
-          if value.respond_to?(:as_json)
-            value = value.as_json
-          end
-
-          if value
-            hash[attribute_name] = value
-          end
-        end
-
-        hash
-      end
-
       def attributes
         [:name]
       end

data/lib/webauthn/public_key_credential/options.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 
-require "awrence"
 require "securerandom"
 
 module WebAuthn
   class PublicKeyCredential
     class Options
+      include JSONSerializer
+
       CHALLENGE_LENGTH = 32
 
       attr_reader :timeout, :extensions, :relying_party
@@ -20,31 +21,8 @@ module WebAuthn
         encoder.encode(raw_challenge)
       end
 
-      # Argument wildcard for Ruby on Rails controller automatic object JSON serialization
-      def as_json(*)
-        to_hash.to_camelback_keys
-      end
-
       private
 
-      def to_hash
-        hash = {}
-
-        attributes.each do |attribute_name|
-          value = send(attribute_name)
-
-          if value.respond_to?(:as_json)
-            value = value.as_json
-          end
-
-          if value
-            hash[attribute_name] = value
-          end
-        end
-
-        hash
-      end
-
       def attributes
         [:challenge, :timeout, :extensions]
       end

data/lib/webauthn/public_key_credential_with_assertion.rb

@@ -9,13 +9,14 @@ module WebAuthn
       WebAuthn::AuthenticatorAssertionResponse
     end
 
-    def verify(challenge, public_key:, sign_count:, user_verification: nil)
+    def verify(challenge, public_key:, sign_count:, user_presence: nil, user_verification: nil)
       super
 
       response.verify(
         encoder.decode(challenge),
         public_key: encoder.decode(public_key),
         sign_count: sign_count,
+        user_presence: user_presence,
         user_verification: user_verification,
         rp_id: appid_extension_output ? appid : nil
       )

data/lib/webauthn/public_key_credential_with_attestation.rb

@@ -9,10 +9,10 @@ module WebAuthn
       WebAuthn::AuthenticatorAttestationResponse
     end
 
-    def verify(challenge, user_verification: nil)
+    def verify(challenge, user_presence: nil, user_verification: nil)
       super
 
-      response.verify(encoder.decode(challenge), user_verification: user_verification)
+      response.verify(encoder.decode(challenge), user_presence: user_presence, user_verification: user_verification)
 
       true
     end

data/lib/webauthn/relying_party.rb

@@ -81,10 +81,10 @@ module WebAuthn
       )
     end
 
-    def verify_registration(raw_credential, challenge, user_verification: nil)
+    def verify_registration(raw_credential, challenge, user_presence: nil, user_verification: nil)
       webauthn_credential = WebAuthn::Credential.from_create(raw_credential, relying_party: self)
 
-      if webauthn_credential.verify(challenge, user_verification: user_verification)
+      if webauthn_credential.verify(challenge, user_presence: user_presence, user_verification: user_verification)
         webauthn_credential
       end
     end
@@ -99,6 +99,7 @@ module WebAuthn
     def verify_authentication(
       raw_credential,
       challenge,
+      user_presence: nil,
       user_verification: nil,
       public_key: nil,
       sign_count: nil
@@ -111,6 +112,7 @@ module WebAuthn
         challenge,
         public_key: public_key || stored_credential.public_key,
         sign_count: sign_count || stored_credential.sign_count,
+        user_presence: user_presence,
         user_verification: user_verification
       )
         block_given? ? [webauthn_credential, stored_credential] : webauthn_credential

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.1.0"
+  VERSION = "3.2.1"
 end

data/lib/webauthn.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "webauthn/json_serializer"
 require "webauthn/configuration"
 require "webauthn/credential"
 require "webauthn/credential_creation_options"

data/webauthn.gemspec

@@ -34,7 +34,6 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ">= 2.5"
 
   spec.add_dependency "android_key_attestation", "~> 0.3.0"
-  spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
   spec.add_dependency "cose", "~> 1.1"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.2.1
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-12-26 00:00:00.000000000 Z
+date: 2024-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -25,20 +25,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.3.0
-- !ruby/object:Gem::Dependency
-  name: awrence
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.1'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: bindata
   requirement: !ruby/object:Gem::Requirement
@@ -301,6 +287,7 @@ files:
 - lib/webauthn/fake_authenticator/attestation_object.rb
 - lib/webauthn/fake_authenticator/authenticator_data.rb
 - lib/webauthn/fake_client.rb
+- lib/webauthn/json_serializer.rb
 - lib/webauthn/public_key.rb
 - lib/webauthn/public_key_credential.rb
 - lib/webauthn/public_key_credential/creation_options.rb
@@ -337,7 +324,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: WebAuthn ruby server library