webauthn 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 004107dfab888cb866245f75d634764ffb859974f12e5d70b30304a6d8c25ce1
-  data.tar.gz: 2cdfacf2e938a030f494717d644ae394f1f55a759e5eff125face25f7eda16d7
+  metadata.gz: d6d2e58280b0751e346931762bbd6985f7ac0c89dc7a2ac98ae4658e98b6f68c
+  data.tar.gz: ca2ee35c669f2a31dd7770212deef3712b3089f34e119124977eac70f91cc3d7
 SHA512:
-  metadata.gz: c3080d2ca2560908ff75ab0a100226c9526e3909cdbadc6d166050fbea710b0f48f52f56ea315ff7e2e98d4a877ad5da1e85a12cb9f3f57784b99f5a8416e76a
-  data.tar.gz: e1d08103e408ec0e9b4561d1b24b886a013392ddf13044cf62b13046ea8754aec2ff184f75d48ec1710d4c53bb841f87289e8bbe5c2d5c496f40b683a1b353be
+  metadata.gz: df657808c9a692d6f32b1256917dfb9867abd9fa6dc117059cb92f1d8cb80beb652af7d71b9881add353b20a8dad85cd00448ed8d6a9205070ed6d627882ea58
+  data.tar.gz: 9d417117edd82f9072dad0a98fafe4707121e2fb3cfb62678195e324d9bb68e1f00c35dbe8fc1721abd34ec1d09259decf2c620b4e56af2638cf3ec6ec98e850

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [v1.1.0] - 2018-10-04
+
+## Added
+
+- _Registration_ ceremony
+  - `WebAuthn::AuthenticatorAttestationResponse.valid?` optionaly accepts rp_id. Thank you @sorah!
+- _Authentication_ ceremony
+  - `WebAuthn::AuthenticatorAssertionResponse.valid?` optionaly accepts rp_id.
+
 ## [v1.0.0] - 2018-09-07
 
 ### Added
@@ -51,6 +60,7 @@
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v1.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.0.0...v1.1.0/
 [v1.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.2.0...v1.0.0/
 [v0.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.0.0...v0.1.0/

data/README.md

@@ -3,7 +3,7 @@
 Easily implement WebAuthn in your ruby/rails app
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby.svg?style=flat-square)](https://travis-ci.org/cedarcode/webauthn-ruby)
+[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.org/cedarcode/webauthn-ruby)
 
 ## What is WebAuthn?
 
@@ -135,7 +135,7 @@ original_origin = "https://www.example.com"
 # previously stored credential for the user that is attempting to sign in.
 allowed_credential = {
   id: credential_id,
-  publick_key: credential_public_key
+  public_key: credential_public_key
 }
 
 if assertion_response.valid?(original_challenge, original_origin, allowed_credential: allowed_credential)

data/lib/webauthn/authenticator_assertion_response.rb

@@ -12,12 +12,16 @@ module WebAuthn
       @signature = signature
     end
 
-    def valid?(original_challenge, original_origin, allowed_credentials:)
-      super(original_challenge, original_origin) &&
+    def valid?(original_challenge, original_origin, allowed_credentials:, rp_id: nil)
+      super(original_challenge, original_origin, rp_id: rp_id) &&
         valid_credential?(allowed_credentials) &&
         valid_signature?(credential_public_key(allowed_credentials))
     end
 
+    def authenticator_data
+      @authenticator_data ||= WebAuthn::AuthenticatorData.new(authenticator_data_bytes)
+    end
+
     private
 
     attr_reader :credential_id, :authenticator_data_bytes, :signature
@@ -42,10 +46,6 @@ module WebAuthn
       allowed_credential_ids.include?(credential_id)
     end
 
-    def authenticator_data
-      @authenticator_data ||= WebAuthn::AuthenticatorData.new(authenticator_data_bytes)
-    end
-
     def credential_public_key(allowed_credentials)
       matched_credential = allowed_credentials.find do |credential|
         credential[:id] == credential_id

data/lib/webauthn/authenticator_attestation_response.rb

@@ -17,7 +17,7 @@ module WebAuthn
       @attestation_object = attestation_object
     end
 
-    def valid?(original_challenge, original_origin)
+    def valid?(original_challenge, original_origin, rp_id: nil)
       super &&
         attestation_statement.valid?(authenticator_data, client_data.hash)
     end
@@ -26,10 +26,6 @@ module WebAuthn
       authenticator_data.credential
     end
 
-    private
-
-    attr_reader :attestation_object
-
     def attestation_statement
       @attestation_statement ||=
         WebAuthn::AttestationStatement.from(attestation["fmt"], attestation["attStmt"])
@@ -47,6 +43,10 @@ module WebAuthn
       @attestation ||= CBOR.decode(attestation_object)
     end
 
+    private
+
+    attr_reader :attestation_object
+
     def type
       WebAuthn::TYPES[:create]
     end

data/lib/webauthn/authenticator_data.rb

@@ -10,6 +10,8 @@ module WebAuthn
     FLAGS_LENGTH = 1
     SIGN_COUNT_LENGTH = 4
 
+    SIGN_COUNT_POSITION = RP_ID_HASH_LENGTH + FLAGS_LENGTH
+
     USER_PRESENT_FLAG_POSITION = 0
     ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION = 6
 
@@ -17,6 +19,8 @@ module WebAuthn
       @data = data
     end
 
+    attr_reader :data
+
     def valid?
       if attested_credential_data_included?
         data.length > base_length && attested_credential_data.valid?
@@ -29,6 +33,10 @@ module WebAuthn
       flags[USER_PRESENT_FLAG_POSITION] == "1"
     end
 
+    def attested_credential_data_included?
+      flags[ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION] == "1"
+    end
+
     def rp_id_hash
       @rp_id_hash ||=
         if valid?
@@ -40,15 +48,21 @@ module WebAuthn
       attested_credential_data.credential
     end
 
-    private
-
-    attr_reader :data
+    def sign_count
+      @sign_count ||= data_at(SIGN_COUNT_POSITION, SIGN_COUNT_LENGTH).unpack1('L>')
+    end
 
     def attested_credential_data
       @attested_credential_data ||=
         AttestedCredentialData.new(data_at(attested_credential_data_position))
     end
 
+    def flags
+      @flags ||= data_at(flags_position, FLAGS_LENGTH).unpack1("b*")
+    end
+
+    private
+
     def attested_credential_data_position
       base_length
     end
@@ -57,18 +71,10 @@ module WebAuthn
       RP_ID_HASH_LENGTH + FLAGS_LENGTH + SIGN_COUNT_LENGTH
     end
 
-    def flags
-      @flags ||= data_at(flags_position, FLAGS_LENGTH).unpack1("b*")
-    end
-
     def flags_position
       RP_ID_HASH_LENGTH
     end
 
-    def attested_credential_data_included?
-      flags[ATTESTED_CREDENTIAL_DATA_INCLUDED_FLAG_POSITION] == "1"
-    end
-
     def data_at(position, length = nil)
       length ||= data.size - position
 

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "ostruct"
 require "webauthn/authenticator_data/attested_credential_data/public_key_u2f"
 
 module WebAuthn
@@ -12,7 +11,8 @@ module WebAuthn
 
       UINT16_BIG_ENDIAN_FORMAT = "n*"
 
-      class Credential < OpenStruct; end
+      # FIXME: use keyword_init when we dropped Ruby 2.4 support
+      Credential = Struct.new(:id, :public_key)
 
       def initialize(data)
         @data = data
@@ -25,7 +25,7 @@ module WebAuthn
       def credential
         @credential ||=
           if id
-            Credential.new(id: id, public_key: public_key.to_str)
+            Credential.new(id, public_key.to_str)
           end
       end
 

data/lib/webauthn/authenticator_response.rb

@@ -6,15 +6,19 @@ module WebAuthn
       @client_data_json = client_data_json
     end
 
-    def valid?(original_challenge, original_origin)
+    def valid?(original_challenge, original_origin, rp_id: nil)
       valid_type? &&
         valid_challenge?(original_challenge) &&
         valid_origin?(original_origin) &&
-        valid_rp_id?(original_origin) &&
+        valid_rp_id?(rp_id || rp_id_from_origin(original_origin)) &&
         authenticator_data.valid? &&
         authenticator_data.user_present?
     end
 
+    def client_data
+      @client_data ||= WebAuthn::ClientData.new(client_data_json)
+    end
+
     private
 
     attr_reader :client_data_json
@@ -23,10 +27,6 @@ module WebAuthn
       client_data.type == type
     end
 
-    def client_data
-      @client_data ||= WebAuthn::ClientData.new(client_data_json)
-    end
-
     def valid_challenge?(original_challenge)
       WebAuthn::Utils.authenticator_decode(client_data.challenge) == original_challenge
     end
@@ -35,10 +35,12 @@ module WebAuthn
       client_data.origin == original_origin
     end
 
-    def valid_rp_id?(original_origin)
-      domain = URI.parse(original_origin).host
+    def valid_rp_id?(rp_id)
+      OpenSSL::Digest::SHA256.digest(rp_id) == authenticator_data.rp_id_hash
+    end
 
-      OpenSSL::Digest::SHA256.digest(domain) == authenticator_data.rp_id_hash
+    def rp_id_from_origin(original_origin)
+      URI.parse(original_origin).host
     end
 
     def type

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-09-07 00:00:00.000000000 Z
+date: 2018-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cbor
@@ -167,7 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: WebAuthn in ruby ― Ruby implementation of a WebAuthn Relying Party