webauthn 1.15.0 → 1.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac8a0cc80530217e636ae8c83128363f9f9e725243cb40f5dad4e0941db4149f
-  data.tar.gz: b781f8035cf6c25626b6da8e0ced92838d5d6f5defcecc7180f826af4184540d
+  metadata.gz: 42985c0e7686cf588be02d1afef8e315e0692561533f076e36419cd2ef3b2c74
+  data.tar.gz: 3970cd2424034f2a28e1ffb92954151aa1ae113391731f63f9d1734c10a61bce
 SHA512:
-  metadata.gz: '01449706124d9e42b81c4691075e1de5f6192651a9cb8f798c2b78bb31ef0171d9ece8ef09412b73cbdb3444f38e963455439a5d1cf9eb781c8804e713dd5002'
-  data.tar.gz: 4f5c370130707a529566f4be6887c592c600674caf5f2b198d9329de9b7de3098ec775cc222400d2ab8fe214310058b1b8563b769cc006089ddc1f2910526187
+  metadata.gz: 6993542bbc3ec899929f6ba5e13b34a347692f13da9efd7cab541de38e0473f2271c0c9e67085bd5e22439c59c97c7dc86680b7579cf578fd973eabc23fea2c4
+  data.tar.gz: c30c9f9e9c43fddf01621eff5f1068b9ecc280649801a53ba7daa736fb1eb88724efaf8e50e4d8768544ce8b2a725318693eec3b84c6d8cef0137d8d712f6e85

data/.travis.yml

@@ -4,7 +4,8 @@ cache: bundler
 
 rvm:
   - ruby-head
-  - 2.6.2
+  - 2.7.0-preview1
+  - 2.6.3
   - 2.5.5
   - 2.4.6
   - 2.3.8
@@ -17,6 +18,7 @@ matrix:
   fast_finish: true
   allow_failures:
     - rvm: ruby-head
+    - rvm: 2.7.0-preview1
 
 before_install:
   - wget http://archive.ubuntu.com/ubuntu/pool/universe/f/faketime/libfaketime_0.9.7-3_amd64.deb

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [v1.16.0] - 2019-06-13
+
+### Added
+
+- Ability to enforce [user verification](https://www.w3.org/TR/webauthn/#user-verification) with extra argument in the `#verify` method.
+- Support RS1 (RSA w/ SHA-1) credentials. Off by default. Enable by adding `"RS1"` to `WebAuthn.configuration.algorithms` array.
+- Support PS256 (RSA Probabilistic Signature Scheme w/ SHA-256) credentials. On by default. Thank you @bdewater.
+
 ## [v1.15.0] - 2019-05-16
 
 ### Added
@@ -179,6 +187,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v1.16.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.15.0...v1.16.0/
 [v1.15.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.14.0...v1.15.0/
 [v1.14.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.13.0...v1.14.0/
 [v1.13.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.12.0...v1.13.0/

data/README.md

@@ -23,6 +23,7 @@ WebAuthn (Web Authentication) is a W3C standard for secure public-key authentica
 - WebAuthn [article](https://en.wikipedia.org/wiki/WebAuthn) in Wikipedia
 - [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API) in MDN
 - WebAuthn [article with talk](https://developers.google.com/web/updates/2018/05/webauthn) in Google Developers
+- How to use [WebAuthn in Android apps](https://developers.google.com/identity/fido/android/native-apps)
 
 ## Prerequisites
 

data/lib/cose/algorithm.rb

@@ -27,4 +27,6 @@ module COSE
 end
 
 COSE::Algorithm.register(-7, "ES256", "SHA256", COSE::Key::EC2::KTY_EC2, "prime256v1")
+COSE::Algorithm.register(-37, "PS256", "SHA256", COSE::Key::RSA::KTY_RSA)
 COSE::Algorithm.register(-257, "RS256", "SHA256", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-65535, "RS1", "SHA1", COSE::Key::RSA::KTY_RSA)

data/lib/webauthn/authenticator_assertion_response.rb

@@ -20,8 +20,8 @@ module WebAuthn
       @signature = signature
     end
 
-    def verify(expected_challenge, expected_origin = nil, allowed_credentials:, rp_id: nil)
-      super(expected_challenge, expected_origin, rp_id: rp_id)
+    def verify(expected_challenge, expected_origin = nil, allowed_credentials:, user_verification: nil, rp_id: nil)
+      super(expected_challenge, expected_origin, user_verification: user_verification, rp_id: rp_id)
 
       verify_item(:credential, allowed_credentials)
       verify_item(:signature, credential_cose_key(allowed_credentials))

data/lib/webauthn/authenticator_attestation_response.rb

@@ -21,7 +21,7 @@ module WebAuthn
       @attestation_object = attestation_object
     end
 
-    def verify(expected_challenge, expected_origin = nil, rp_id: nil)
+    def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
       super
 
       verify_item(:attestation_statement)

data/lib/webauthn/authenticator_data.rb

@@ -24,13 +24,9 @@ module WebAuthn
     attr_reader :data
 
     def valid?
-      if attested_credential_data_included? || extension_data_included?
-        data.length > base_length &&
-          (!attested_credential_data_included? || attested_credential_data.valid?) &&
-          (!extension_data_included? || extension_data)
-      else
-        data.length == base_length
-      end
+      valid_length? &&
+        (!attested_credential_data_included? || attested_credential_data.valid?) &&
+        (!extension_data_included? || extension_data)
     end
 
     def user_flagged?
@@ -74,7 +70,7 @@ module WebAuthn
     end
 
     def extension_data
-      @extension_data ||= CBOR.decode(data_at(extension_data_position))
+      @extension_data ||= CBOR.decode(raw_extension_data)
     end
 
     def flags
@@ -83,6 +79,14 @@ module WebAuthn
 
     private
 
+    def valid_length?
+      data.length == base_length + attested_credential_data_length + extension_data_length
+    end
+
+    def raw_extension_data
+      data_at(extension_data_position)
+    end
+
     def attested_credential_data_position
       base_length
     end
@@ -95,6 +99,14 @@ module WebAuthn
       end
     end
 
+    def extension_data_length
+      if extension_data_included?
+        raw_extension_data.length
+      else
+        0
+      end
+    end
+
     def extension_data_position
       base_length + attested_credential_data_length
     end

data/lib/webauthn/authenticator_response.rb

@@ -17,13 +17,14 @@ module WebAuthn
   class TokenBindingVerificationError < VerificationError; end
   class TypeVerificationError < VerificationError; end
   class UserPresenceVerificationError < VerificationError; end
+  class UserVerifiedVerificationError < VerificationError; end
 
   class AuthenticatorResponse
     def initialize(client_data_json:)
       @client_data_json = client_data_json
     end
 
-    def verify(expected_challenge, expected_origin = nil, rp_id: nil)
+    def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
       expected_origin ||= WebAuthn.configuration.origin || raise("Unspecified expected origin")
       rp_id ||= WebAuthn.configuration.rp_id
 
@@ -34,6 +35,7 @@ module WebAuthn
       verify_item(:authenticator_data)
       verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
       verify_item(:user_presence)
+      verify_item(:user_verified, user_verification)
 
       true
     end
@@ -90,6 +92,14 @@ module WebAuthn
       authenticator_data.user_flagged?
     end
 
+    def valid_user_verified?(user_verification)
+      if user_verification
+        authenticator_data.user_verified?
+      else
+        true
+      end
+    end
+
     def rp_id_from_origin(expected_origin)
       URI.parse(expected_origin).host
     end

data/lib/webauthn/configuration.rb

@@ -10,8 +10,19 @@ module WebAuthn
   end
 
   class Configuration
+    def self.if_pss_supported(algorithm)
+      OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
+    end
+
+    DEFAULT_ALGORITHMS = ["ES256", if_pss_supported("PS256"), "RS256"].compact.freeze
+
+    attr_accessor :algorithms
     attr_accessor :origin
     attr_accessor :rp_id
     attr_accessor :rp_name
+
+    def initialize
+      @algorithms = DEFAULT_ALGORITHMS.dup
+    end
   end
 end

data/lib/webauthn/credential_creation_options.rb

@@ -14,14 +14,24 @@ module WebAuthn
   end
 
   class CredentialCreationOptions < CredentialOptions
-    DEFAULT_ALGORITHMS = ["ES256", "RS256"].freeze
     DEFAULT_RP_NAME = "web-server"
 
-    DEFAULT_PUB_KEY_CRED_PARAMS = DEFAULT_ALGORITHMS.map do |alg_name|
-      { type: "public-key", alg: COSE::Algorithm.by_name(alg_name).id }
-    end.freeze
+    attr_accessor :attestation, :authenticator_selection, :exclude_credentials, :extensions
 
-    def initialize(user_id:, user_name:, user_display_name: nil, rp_name: nil)
+    def initialize(
+      attestation: nil,
+      authenticator_selection: nil,
+      exclude_credentials: nil,
+      extensions: nil,
+      user_id:,
+      user_name:,
+      user_display_name: nil,
+      rp_name: nil
+    )
+      @attestation = attestation
+      @authenticator_selection = authenticator_selection
+      @exclude_credentials = exclude_credentials
+      @extensions = extensions
       @user_id = user_id
       @user_name = user_name
       @user_display_name = user_display_name
@@ -29,16 +39,36 @@ module WebAuthn
     end
 
     def to_h
-      {
+      options = {
         challenge: challenge,
         pubKeyCredParams: pub_key_cred_params,
         user: { id: user.id, name: user.name, displayName: user.display_name },
         rp: { name: rp.name }
       }
+
+      if attestation
+        options[:attestation] = attestation
+      end
+
+      if authenticator_selection
+        options[:authenticatorSelection] = authenticator_selection
+      end
+
+      if exclude_credentials
+        options[:excludeCredentials] = exclude_credentials
+      end
+
+      if extensions
+        options[:extensions] = extensions
+      end
+
+      options
     end
 
     def pub_key_cred_params
-      DEFAULT_PUB_KEY_CRED_PARAMS
+      WebAuthn.configuration.algorithms.map do |alg_name|
+        { type: "public-key", alg: COSE::Algorithm.by_name(alg_name).id }
+      end
     end
 
     def rp

data/lib/webauthn/credential_request_options.rb

@@ -8,12 +8,26 @@ module WebAuthn
   end
 
   class CredentialRequestOptions < CredentialOptions
-    def to_h
-      { challenge: challenge, allowCredentials: allow_credentials }
+    attr_accessor :allow_credentials, :extensions, :user_verification
+
+    def initialize(allow_credentials: [], extensions: nil, user_verification: nil)
+      @allow_credentials = allow_credentials
+      @extensions = extensions
+      @user_verification = user_verification
     end
 
-    def allow_credentials
-      []
+    def to_h
+      options = { challenge: challenge, allowCredentials: allow_credentials }
+
+      if extensions
+        options[:extensions] = extensions
+      end
+
+      if user_verification
+        options[:userVerification] = user_verification
+      end
+
+      options
     end
   end
 end

data/lib/webauthn/fake_authenticator/authenticator_data.rb

@@ -9,23 +9,34 @@ module WebAuthn
     class AuthenticatorData
       AAGUID = SecureRandom.random_bytes(16)
 
-      def initialize(rp_id_hash:, credential: nil, sign_count: 0, user_present: true, user_verified: !user_present,
-                     aaguid: AAGUID)
+      def initialize(
+        rp_id_hash:,
+        credential: {
+          id: SecureRandom.random_bytes(16),
+          public_key: OpenSSL::PKey::EC.new("prime256v1").generate_key.public_key
+        },
+        sign_count: 0,
+        user_present: true,
+        user_verified: !user_present,
+        aaguid: AAGUID,
+        extensions: { "fakeExtension" => "fakeExtensionValue" }
+      )
         @rp_id_hash = rp_id_hash
         @credential = credential
         @sign_count = sign_count
         @user_present = user_present
         @user_verified = user_verified
         @aaguid = aaguid
+        @extensions = extensions
       end
 
       def serialize
-        rp_id_hash + flags + serialized_sign_count + attested_credential_data + extensions
+        rp_id_hash + flags + serialized_sign_count + attested_credential_data + extension_data
       end
 
       private
 
-      attr_reader :rp_id_hash, :credential, :sign_count, :user_present, :user_verified
+      attr_reader :rp_id_hash, :credential, :sign_count, :user_present, :user_verified, :extensions
 
       def flags
         [
@@ -58,8 +69,12 @@ module WebAuthn
           end
       end
 
-      def extensions
-        CBOR.encode("fakeExtension" => "fakeExtensionValue")
+      def extension_data
+        if extensions
+          CBOR.encode(extensions)
+        else
+          ""
+        end
       end
 
       def bit(flag)
@@ -79,7 +94,7 @@ module WebAuthn
       end
 
       def extension_data_included_bit
-        if extensions.empty?
+        if extension_data.empty?
           "0"
         else
           "1"

data/lib/webauthn/public_key_credential.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "base64"
+
+module WebAuthn
+  class PublicKeyCredential
+    VALID_TYPE = "public-key"
+
+    attr_reader :type, :id, :raw_id, :response
+
+    def initialize(type:, id:, raw_id:, response:)
+      @type = type
+      @id = id
+      @raw_id = raw_id
+      @response = response
+    end
+
+    def verify(*args)
+      valid_type? || raise("invalid type")
+      valid_id? || raise("invalid id")
+      response.verify(*args)
+
+      true
+    end
+
+    private
+
+    def valid_type?
+      type == VALID_TYPE
+    end
+
+    def valid_id?
+      raw_id && id && raw_id == Base64.urlsafe_decode64(id)
+    end
+  end
+end

data/lib/webauthn/signature_verifier.rb

@@ -23,7 +23,12 @@ module WebAuthn
     end
 
     def verify(signature, verification_data)
-      public_key.verify(cose_algorithm.hash, signature, verification_data)
+      if rsa_pss?
+        public_key.verify_pss(cose_algorithm.hash, signature, verification_data,
+                              salt_length: :digest, mgf1_hash: cose_algorithm.hash)
+      else
+        public_key.verify(cose_algorithm.hash, signature, verification_data)
+      end
     end
 
     private
@@ -39,14 +44,22 @@ module WebAuthn
       end
     end
 
+    def rsa_pss?
+      cose_algorithm.name.start_with?("PS")
+    end
+
     def validate
-      if cose_algorithm
-        if !KTY_MAP[cose_algorithm.kty].include?(public_key.class)
-          raise("Incompatible algorithm and key")
-        end
-      else
+      if !cose_algorithm
+        raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
+      elsif !supported_algorithms.include?(cose_algorithm.name)
         raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
+      elsif !KTY_MAP[cose_algorithm.kty].include?(public_key.class)
+        raise("Incompatible algorithm and key")
       end
     end
+
+    def supported_algorithms
+      WebAuthn.configuration.algorithms
+    end
   end
 end

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "1.15.0"
+  VERSION = "1.16.0"
 end

data/lib/webauthn.rb

@@ -5,4 +5,5 @@ require "webauthn/authenticator_assertion_response"
 require "webauthn/configuration"
 require "webauthn/credential_creation_options"
 require "webauthn/credential_request_options"
+require "webauthn/public_key_credential"
 require "webauthn/version"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 1.15.0
+  version: 1.16.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-05-16 00:00:00.000000000 Z
+date: 2019-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -256,6 +256,7 @@ files:
 - lib/webauthn/fake_authenticator/attestation_object.rb
 - lib/webauthn/fake_authenticator/authenticator_data.rb
 - lib/webauthn/fake_client.rb
+- lib/webauthn/public_key_credential.rb
 - lib/webauthn/security_utils.rb
 - lib/webauthn/signature_verifier.rb
 - lib/webauthn/version.rb