webauthn 0.2.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5909a9f479ed26b128466cf3843acb514a669e81f0d751d88ff2c5a5cd0a9c7c
-  data.tar.gz: d03b48fa85cf79bae08461ca31635d3b02f21f421ae4fe6ce1f2257e1c50a1f3
+  metadata.gz: 004107dfab888cb866245f75d634764ffb859974f12e5d70b30304a6d8c25ce1
+  data.tar.gz: 2cdfacf2e938a030f494717d644ae394f1f55a759e5eff125face25f7eda16d7
 SHA512:
-  metadata.gz: 232ffa7b3009a5c955711d50fcd16f90f60b8ddc2034f5c626090e42c50175cae27217cad53abf1c09fec8448d3fb507cfb93ca2ed2377ed273084f61ddd010a
-  data.tar.gz: bf6633710657c45f5ef153eaa234fc278f533b2b429f9c475e366194d65e8d06a321c8ef33e01c79d5bf0170fe19c19f60a77d7298912df6cff629eb5dee1c3c
+  metadata.gz: c3080d2ca2560908ff75ab0a100226c9526e3909cdbadc6d166050fbea710b0f48f52f56ea315ff7e2e98d4a877ad5da1e85a12cb9f3f57784b99f5a8416e76a
+  data.tar.gz: e1d08103e408ec0e9b4561d1b24b886a013392ddf13044cf62b13046ea8754aec2ff184f75d48ec1710d4c53bb841f87289e8bbe5c2d5c496f40b683a1b353be

data/.rubocop.yml

@@ -28,8 +28,164 @@ Performance:
 Security:
   Enabled: true
 
+Style/BlockComments:
+  Enabled: true
+
+Style/BracesAroundHashParameters:
+  Enabled: true
+
+Style/CaseEquality:
+  Enabled: true
+
+Style/ClassAndModuleChildren:
+  Enabled: true
+
+Style/ClassMethods:
+  Enabled: true
+
+Style/ClassVars:
+  Enabled: true
+
+Style/CommentAnnotation:
+  Enabled: true
+
+Style/ConditionalAssignment:
+  Enabled: true
+
+Style/DefWithParentheses:
+  Enabled: true
+
+Style/Dir:
+  Enabled: true
+
+Style/EachForSimpleLoop:
+  Enabled: true
+
+Style/EachWithObject:
+  Enabled: true
+
+Style/EmptyBlockParameter:
+  Enabled: true
+
+Style/EmptyCaseCondition:
+  Enabled: true
+
+Style/EmptyElse:
+  Enabled: true
+
+Style/EmptyLambdaParameter:
+  Enabled: true
+
+Style/EmptyLiteral:
+  Enabled: true
+
+Style/EvenOdd:
+  Enabled: true
+
+Style/ExpandPathArguments:
+  Enabled: true
+
+Style/For:
+  Enabled: true
+
 Style/FrozenStringLiteralComment:
   Enabled: true
 
+Style/GlobalVars:
+  Enabled: true
+
+Style/HashSyntax:
+  Enabled: true
+
+Style/IdenticalConditionalBranches:
+  Enabled: true
+
+Style/IfInsideElse:
+  Enabled: true
+
+Style/InverseMethods:
+  Enabled: true
+
+Style/MethodCallWithoutArgsParentheses:
+  Enabled: true
+
+Style/MethodDefParentheses:
+  Enabled: true
+
+Style/MultilineMemoization:
+  Enabled: true
+
+Style/MutableConstant:
+  Enabled: true
+
+Style/NestedParenthesizedCalls:
+  Enabled: true
+
+Style/OptionalArguments:
+  Enabled: true
+
+Style/ParenthesesAroundCondition:
+  Enabled: true
+
+Style/RedundantBegin:
+  Enabled: true
+
+Style/RedundantConditional:
+  Enabled: true
+
+Style/RedundantException:
+  Enabled: true
+
 Style/RedundantFreeze:
   Enabled: true
+
+Style/RedundantParentheses:
+  Enabled: true
+
+Style/RedundantReturn:
+  Enabled: true
+
+Style/RedundantSelf:
+  Enabled: true
+
+Style/Semicolon:
+  Enabled: true
+
+Style/SingleLineMethods:
+  Enabled: true
+
+Style/SpecialGlobalVars:
+  Enabled: true
+
+Style/SymbolLiteral:
+  Enabled: true
+
+Style/TrailingBodyOnClass:
+  Enabled: true
+
+Style/TrailingBodyOnMethodDefinition:
+  Enabled: true
+
+Style/TrailingBodyOnModule:
+  Enabled: true
+
+Style/TrailingMethodEndStatement:
+  Enabled: true
+
+Style/TrivialAccessors:
+  Enabled: true
+
+Style/UnneededInterpolation:
+  Enabled: true
+
+Style/UnneededPercentQ:
+  Enabled: true
+
+Style/UnpackFirst:
+  Enabled: true
+
+Style/YodaCondition:
+  Enabled: true
+
+Style/ZeroLengthPredicate:
+  Enabled: true

data/CHANGELOG.md

@@ -1,6 +1,18 @@
 # Changelog
 
-## [Unreleased]
+## [v1.0.0] - 2018-09-07
+
+### Added
+
+- _Authentication_ ceremony
+  - Support multiple credentials per user by letting `WebAuthn::AuthenticatorAssertionResponse.valid?` receive multiple allowed credentials
+
+### Changed
+
+- _Registration_ ceremony
+  - Use 32-byte challenge instead of 16-byte
+- _Authentication_ ceremony
+  - Use 32-byte challenge instead of 16-byte
 
 ## [v0.2.0] - 2018-06-08
 
@@ -39,6 +51,6 @@
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
-[Unreleased]: https://github.com/cedarcode/webauthn-ruby/compare/v0.2.0...HEAD/
+[v1.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.2.0...v1.0.0/
 [v0.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.0.0...v0.1.0/

data/README.md

@@ -1,12 +1,10 @@
 # WebAuthn :key:
 
-Easily implement WebAuthn in your ruby web server
+Easily implement WebAuthn in your ruby/rails app
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
 [![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby.svg?style=flat-square)](https://travis-ci.org/cedarcode/webauthn-ruby)
 
-## WARNING: This gem is in the early development phase. Use on production at your own risk.
-
 ## What is WebAuthn?
 
 - [WebAuthn article with Google IO 2018 talk](https://developers.google.com/web/updates/2018/05/webauthn)
@@ -16,7 +14,7 @@ Easily implement WebAuthn in your ruby web server
 
 ## Prerequisites
 
-This gem will help your ruby server act as a conforming [_Relying-Party_](https://www.w3.org/TR/webauthn/#relying-party), in WebAuthn terminology. But for the [_Registration_](https://www.w3.org/TR/webauthn/#registration) and [_Authentiction_](https://www.w3.org/TR/webauthn/#authentication) ceremonies to work, you will also need
+This gem will help your ruby server act as a conforming [_Relying-Party_](https://www.w3.org/TR/webauthn/#relying-party), in WebAuthn terminology. But for the [_Registration_](https://www.w3.org/TR/webauthn/#registration) and [_Authentication_](https://www.w3.org/TR/webauthn/#authentication) ceremonies to work, you will also need
 
 ### A conforming User Agent
 
@@ -153,6 +151,24 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+### Commit message format
+
+Each commit message follows the `<type>: <message>` format.
+
+The "message" starts with lowercase and the "type" is one of:
+
+* __build__: Changes that affect the build system or external dependencies
+* __ci__: Changes to the CI configuration files and scripts
+* __docs__: Documentation only changes
+* __feat__: A new feature
+* __fix__: A bug fix
+* __perf__: A code change that improves performance
+* __refactor__: A code change that neither fixes a bug nor adds a feature
+* __style__: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
+* __test__: Adding missing tests or correcting existing tests
+
+Inspired in a subset of [Angular's Commit Message Guidelines](https://github.com/angular/angular/blob/master/CONTRIBUTING.md#-commit-message-guidelines).
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/cedarcode/webauthn-ruby.

data/Rakefile

@@ -7,4 +7,4 @@ require "rubocop/rake_task"
 RSpec::Core::RakeTask.new(:spec)
 RuboCop::RakeTask.new
 
-task :default => [:rubocop, :spec]
+task default: [:rubocop, :spec]

data/lib/cose/ecdsa.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module COSE
+  module ECDSA
+    ALG_ES256 = -7
+  end
+end

data/lib/webauthn.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
+require "cose/ecdsa"
 require "webauthn/authenticator_attestation_response"
 require "webauthn/authenticator_assertion_response"
-require "webauthn/cose/ecdsa"
 require "webauthn/utils"
 require "webauthn/version"
 
@@ -34,7 +34,7 @@ module WebAuthn
   end
 
   def self.challenge
-    SecureRandom.random_bytes(16)
+    SecureRandom.random_bytes(32)
   end
   private_class_method :challenge
 end

data/lib/webauthn/authenticator_assertion_response.rb

@@ -12,10 +12,10 @@ module WebAuthn
       @signature = signature
     end
 
-    def valid?(original_challenge, original_origin, allowed_credential:)
+    def valid?(original_challenge, original_origin, allowed_credentials:)
       super(original_challenge, original_origin) &&
-        valid_credential?(allowed_credential[:id]) &&
-        valid_signature?(allowed_credential[:public_key])
+        valid_credential?(allowed_credentials) &&
+        valid_signature?(credential_public_key(allowed_credentials))
     end
 
     private
@@ -36,14 +36,24 @@ module WebAuthn
       )
     end
 
-    def valid_credential?(allowed_credential_id)
-      allowed_credential_id == credential_id
+    def valid_credential?(allowed_credentials)
+      allowed_credential_ids = allowed_credentials.map { |credential| credential[:id] }
+
+      allowed_credential_ids.include?(credential_id)
     end
 
     def authenticator_data
       @authenticator_data ||= WebAuthn::AuthenticatorData.new(authenticator_data_bytes)
     end
 
+    def credential_public_key(allowed_credentials)
+      matched_credential = allowed_credentials.find do |credential|
+        credential[:id] == credential_id
+      end
+
+      matched_credential[:public_key]
+    end
+
     def type
       WebAuthn::TYPES[:get]
     end

data/lib/webauthn/authenticator_data.rb

@@ -58,7 +58,7 @@ module WebAuthn
     end
 
     def flags
-      @flags ||= data_at(flags_position, FLAGS_LENGTH).unpack("b*").first
+      @flags ||= data_at(flags_position, FLAGS_LENGTH).unpack1("b*")
     end
 
     def flags_position

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -48,10 +48,7 @@ module WebAuthn
       end
 
       def id_length
-        @id_length ||=
-          data_at(id_length_position, ID_LENGTH_LENGTH)
-          .unpack(UINT16_BIG_ENDIAN_FORMAT)
-          .first
+        @id_length ||= data_at(id_length_position, ID_LENGTH_LENGTH).unpack1(UINT16_BIG_ENDIAN_FORMAT)
       end
 
       def id_length_position

data/lib/webauthn/authenticator_data/attested_credential_data/public_key_u2f.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require "webauthn/cose/ecdsa"
-require "webauthn/cose/key/ec2"
+require "cose/ecdsa"
+require "cose/key/ec2"
 
 module WebAuthn
   class AuthenticatorData
@@ -17,7 +17,7 @@ module WebAuthn
           data.size >= COORDINATE_LENGTH * 2 &&
             cose_key.x_coordinate.length == COORDINATE_LENGTH &&
             cose_key.y_coordinate.length == COORDINATE_LENGTH &&
-            cose_key.algorithm == WebAuthn::COSE::ECDSA::ALG_ES256
+            cose_key.algorithm == COSE::ECDSA::ALG_ES256
         end
 
         def to_str

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "0.2.0"
+  VERSION = "1.0.0"
 end

data/webauthn.gemspec

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-lib = File.expand_path("../lib", __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "webauthn/version"
 
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Gonzalo Rodriguez", "Braulio Martinez"]
   spec.email         = ["gonzalo@cedarcode.com", "braulio@cedarcode.com"]
 
-  spec.summary       = %q{Web Authentication API Relying Party in ruby}
+  spec.summary       = "WebAuthn in ruby ― Ruby implementation of a WebAuthn Relying Party"
   spec.homepage      = "https://github.com/cedarcode/webauthn-ruby"
   spec.license       = "MIT"
 
@@ -28,6 +28,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "cbor", "~> 0.5.9.2"
+  spec.add_dependency "cose", "~> 0.1.0"
 
   spec.add_development_dependency "bundler", "~> 1.16"
   spec.add_development_dependency "byebug", "~> 10.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-06-08 00:00:00.000000000 Z
+date: 2018-09-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cbor
@@ -25,6 +25,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.5.9.2
+- !ruby/object:Gem::Dependency
+  name: cose
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -114,6 +128,7 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- lib/cose/ecdsa.rb
 - lib/webauthn.rb
 - lib/webauthn/attestation_statement.rb
 - lib/webauthn/attestation_statement/base.rb
@@ -126,8 +141,6 @@ files:
 - lib/webauthn/authenticator_data/attested_credential_data/public_key_u2f.rb
 - lib/webauthn/authenticator_response.rb
 - lib/webauthn/client_data.rb
-- lib/webauthn/cose/ecdsa.rb
-- lib/webauthn/cose/key/ec2.rb
 - lib/webauthn/utils.rb
 - lib/webauthn/version.rb
 - webauthn.gemspec
@@ -157,5 +170,5 @@ rubyforge_project:
 rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
-summary: Web Authentication API Relying Party in ruby
+summary: WebAuthn in ruby ― Ruby implementation of a WebAuthn Relying Party
 test_files: []

data/lib/webauthn/cose/ecdsa.rb

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-module WebAuthn
-  module COSE
-    module ECDSA
-      ALG_ES256 = -7
-    end
-  end
-end

data/lib/webauthn/cose/key/ec2.rb

@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-
-module WebAuthn
-  # COSE module has the potential to being extracted out of WebAuthn
-  module COSE
-    module Key
-      class EC2
-        KTY_LABEL = 1
-        ALG_LABEL = 3
-
-        CRV_LABEL = -1
-        X_LABEL = -2
-        Y_LABEL = -3
-
-        KTY_EC2 = 2
-
-        attr_reader :algorithm, :curve, :x_coordinate, :y_coordinate
-
-        def initialize(algorithm: nil, curve:, x_coordinate:, y_coordinate:)
-          if !curve
-            raise ArgumentError, "Required curve is missing"
-          elsif !x_coordinate
-            raise ArgumentError, "Required x-coordinate is missing"
-          elsif !y_coordinate
-            raise ArgumentError, "Required y-coordinate is missing"
-          else
-            @algorithm = algorithm
-            @curve = curve
-            @x_coordinate = x_coordinate
-            @y_coordinate = y_coordinate
-          end
-        end
-
-        def self.from_map(map)
-          if map[KTY_LABEL] == KTY_EC2
-            new(
-              algorithm: map[ALG_LABEL],
-              curve: map[CRV_LABEL],
-              x_coordinate: map[X_LABEL],
-              y_coordinate: map[Y_LABEL]
-            )
-          else
-            raise "Not an EC2 key"
-          end
-        end
-
-        def self.from_cbor(cbor)
-          from_map(CBOR.decode(cbor))
-        end
-      end
-    end
-  end
-end