RubyGems - webauthn - Versions diffs - 1.16.0 → 1.17.0 - Mend

webauthn 1.16.0 → 1.17.0

Files changed (15) hide show

checksums.yaml +4 -4
data/.rubocop.yml +0 -3
data/CHANGELOG.md +8 -0
data/README.md +9 -2
data/lib/cose/algorithm.rb +6 -0
data/lib/tpm/constants.rb +1 -0
data/lib/webauthn/attestation_statement/tpm.rb +1 -1
data/lib/webauthn/attestation_statement/tpm/pub_area.rb +2 -1
data/lib/webauthn/authenticator_assertion_response.rb +16 -0
data/lib/webauthn/fake_authenticator.rb +3 -1
data/lib/webauthn/fake_client.rb +3 -2
data/lib/webauthn/signature_verifier.rb +2 -2
data/lib/webauthn/version.rb +1 -1
data/webauthn.gemspec +1 -1
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42985c0e7686cf588be02d1afef8e315e0692561533f076e36419cd2ef3b2c74
-  data.tar.gz: 3970cd2424034f2a28e1ffb92954151aa1ae113391731f63f9d1734c10a61bce
+  metadata.gz: d4cc833d8288e0519614728a71e26e4e7842ec0c597bd7fc839fe9bacbb44c61
+  data.tar.gz: 712c9ad093705954409facf4ee171752ba76865cbca831121a0f88a4c4d9430c
 SHA512:
-  metadata.gz: 6993542bbc3ec899929f6ba5e13b34a347692f13da9efd7cab541de38e0473f2271c0c9e67085bd5e22439c59c97c7dc86680b7579cf578fd973eabc23fea2c4
-  data.tar.gz: c30c9f9e9c43fddf01621eff5f1068b9ecc280649801a53ba7daa736fb1eb88724efaf8e50e4d8768544ce8b2a725318693eec3b84c6d8cef0137d8d712f6e85
+  metadata.gz: 6fd66258429cadca7660ce7c69640b630b13bd21ac4b690d60c37834edcf4b6ce368688186f1b1a23fba8dc4856767314f7a7308e1ae9932f2f51776fabe89cb
+  data.tar.gz: a28362aa5cf1bd451a5b0303750bb55ffd80f2b47c63c9ef04b7f04e300c8b4f997ec0d6a808361503ecb0b780c263d2447c36bde0239657bc3cc5fd6b106719

data/.rubocop.yml CHANGED

@@ -24,9 +24,6 @@ Metrics/LineLength:
 Naming:
   Enabled: true
-Performance:
-  Enabled: true
 Security:
   Enabled: true

data/CHANGELOG.md CHANGED

@@ -1,5 +1,12 @@
 # Changelog
+## [v1.17.0] - 2019-06-18
+### Added
+- Support ES384, ES512, PS384, PS512, RS384 and RS512 credentials. Off by default. Enable by adding any of them to `WebAuthn.configuration.algorithms` array. Thank you @bdewater.
+- Support [Signature Counter](https://www.w3.org/TR/webauthn/#signature-counter) verification. Thank you @bdewater.
 ## [v1.16.0] - 2019-06-13
 ### Added
@@ -187,6 +194,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
+[v1.17.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.16.0...v1.17.0/
 [v1.16.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.15.0...v1.16.0/
 [v1.15.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.14.0...v1.15.0/
 [v1.14.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.13.0...v1.14.0/

data/README.md CHANGED

@@ -127,11 +127,12 @@ begin
   attestation_response.verify(expected_challenge)
   # 1. Register the new user and
-  # 2. Keep Credential ID and Credential Public Key under storage
+  # 2. Keep Credential ID, Credential Public Key and Sign Count under storage
   #    for future authentications
   #    Access by invoking:
   #      `attestation_response.credential.id`
   #      `attestation_response.credential.public_key`
+  #      `attestation_response.authenticator_data.sign_count`
 rescue WebAuthn::VerificationError => e
   # Handle error
 end
@@ -171,11 +172,13 @@ Assuming you have the previously stored Credential Public Key, now in variable `
 #
 # E.g. in https://github.com/cedarcode/webauthn-rails-demo-app we use `Base64.strict_decode64`
 # on the user-agent encoded data before calling `#verify`
+selected_credential_id = "..."
 authenticator_data = "..."
 client_data_json = "..."
 signature = "..."
 assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
+  credential_id: selected_credential_id,
   authenticator_data: authenticator_data,
   client_data_json: client_data_json,
   signature: signature
@@ -185,7 +188,8 @@ assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
 # previously stored credential for the user that is attempting to sign in.
 allowed_credential = {
   id: credential_id,
-  public_key: credential_public_key
+  public_key: credential_public_key,
+  sign_count: sign_count,
 }
 begin
@@ -195,6 +199,9 @@ begin
 rescue WebAuthn::VerificationError => e
   # Handle error
 end
+# Find the selected credential in your data storage using `selected_credential_id`
+# Update the stored sign count with the value from `assertion_response.authenticator_data.sign_count`
 ```
 ## Attestation Statement Formats

data/lib/cose/algorithm.rb CHANGED

@@ -27,6 +27,12 @@ module COSE
 end
 COSE::Algorithm.register(-7, "ES256", "SHA256", COSE::Key::EC2::KTY_EC2, "prime256v1")
+COSE::Algorithm.register(-35, "ES384", "SHA384", COSE::Key::EC2::KTY_EC2, "prime256v1")
+COSE::Algorithm.register(-36, "ES512", "SHA512", COSE::Key::EC2::KTY_EC2, "prime256v1")
 COSE::Algorithm.register(-37, "PS256", "SHA256", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-38, "PS384", "SHA384", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-39, "PS512", "SHA512", COSE::Key::RSA::KTY_RSA)
 COSE::Algorithm.register(-257, "RS256", "SHA256", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-258, "RS384", "SHA384", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-259, "RS512", "SHA512", COSE::Key::RSA::KTY_RSA)
 COSE::Algorithm.register(-65535, "RS1", "SHA1", COSE::Key::RSA::KTY_RSA)

data/lib/tpm/constants.rb CHANGED

@@ -13,6 +13,7 @@ module TPM
   ALG_SHA256 = 0x000B
   ALG_NULL = 0x0010
   ALG_RSASSA = 0x0014
+  ALG_RSAPSS = 0x0016
   ALG_ECDSA = 0x0018
   ALG_ECC = 0x0023

data/lib/webauthn/attestation_statement/tpm.rb CHANGED

@@ -40,7 +40,7 @@ module WebAuthn
       def valid_signature?
         WebAuthn::SignatureVerifier
           .new(algorithm, attestation_certificate.public_key)
-          .verify(signature, verification_data)
+          .verify(signature, verification_data, rsa_pss_salt_length: :auto)
       end
       def valid_attestation_certificate?

data/lib/webauthn/attestation_statement/tpm/pub_area.rb CHANGED

@@ -17,7 +17,8 @@ module WebAuthn
         }.freeze
         COSE_RSA_TO_TPM_ALG = {
-          COSE::Algorithm.by_name("RS256").id => ::TPM::ALG_RSASSA
+          COSE::Algorithm.by_name("RS256").id => ::TPM::ALG_RSASSA,
+          COSE::Algorithm.by_name("PS256").id => ::TPM::ALG_RSAPSS,
         }.freeze
         COSE_TO_TPM_CURVE = {

data/lib/webauthn/authenticator_assertion_response.rb CHANGED

@@ -10,6 +10,7 @@ require "webauthn/signature_verifier"
 module WebAuthn
   class CredentialVerificationError < VerificationError; end
   class SignatureVerificationError < VerificationError; end
+  class SignCountVerificationError < VerificationError; end
   class AuthenticatorAssertionResponse < AuthenticatorResponse
     def initialize(credential_id:, authenticator_data:, signature:, **options)
@@ -25,6 +26,7 @@ module WebAuthn
       verify_item(:credential, allowed_credentials)
       verify_item(:signature, credential_cose_key(allowed_credentials))
+      verify_item(:sign_count, allowed_credentials)
       true
     end
@@ -43,6 +45,20 @@ module WebAuthn
         .verify(signature, authenticator_data_bytes + client_data.hash)
     end
+    def valid_sign_count?(allowed_credentials)
+      matched_credential = allowed_credentials.find do |credential|
+        credential[:id] == credential_id
+      end
+      # TODO: make passing sign count mandatory in next major version
+      stored_sign_count = matched_credential.fetch(:sign_count, 0)
+      if authenticator_data.sign_count.nonzero? || stored_sign_count.nonzero?
+        authenticator_data.sign_count > stored_sign_count
+      else
+        true
+      end
+    end
     def valid_credential?(allowed_credentials)
       allowed_credential_ids = allowed_credentials.map { |credential| credential[:id] }

data/lib/webauthn/fake_authenticator.rb CHANGED

@@ -35,7 +35,8 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
-      aaguid: AuthenticatorData::AAGUID
+      aaguid: AuthenticatorData::AAGUID,
+      sign_count: 0
     )
       credential_options = credentials[rp_id]
@@ -47,6 +48,7 @@ module WebAuthn
           user_present: user_present,
           user_verified: user_verified,
           aaguid: aaguid,
+          sign_count: sign_count,
         ).serialize
         signature = credential_key.sign("SHA256", authenticator_data + client_data_hash)

data/lib/webauthn/fake_client.rb CHANGED

@@ -41,7 +41,7 @@ module WebAuthn
       }
     end
-    def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false)
+    def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false, sign_count: 0)
       rp_id ||= URI.parse(origin).host
       client_data_json = data_json_for(:get, challenge)
@@ -51,7 +51,8 @@ module WebAuthn
         rp_id: rp_id,
         client_data_hash: client_data_hash,
         user_present: user_present,
-        user_verified: user_verified
+        user_verified: user_verified,
+        sign_count: sign_count,
       )
       {

data/lib/webauthn/signature_verifier.rb CHANGED

@@ -22,10 +22,10 @@ module WebAuthn
       validate
     end
-    def verify(signature, verification_data)
+    def verify(signature, verification_data, rsa_pss_salt_length: :digest)
       if rsa_pss?
         public_key.verify_pss(cose_algorithm.hash, signature, verification_data,
-                              salt_length: :digest, mgf1_hash: cose_algorithm.hash)
+                              salt_length: rsa_pss_salt_length, mgf1_hash: cose_algorithm.hash)
       else
         public_key.verify(cose_algorithm.hash, signature, verification_data)
       end

data/lib/webauthn/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module WebAuthn
-  VERSION = "1.16.0"
+  VERSION = "1.17.0"
 end

data/webauthn.gemspec CHANGED

@@ -43,5 +43,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 12.3"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.67.2"
+  spec.add_development_dependency "rubocop", "0.71.0"
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 1.16.0
+  version: 1.17.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-06-13 00:00:00.000000000 Z
+date: 2019-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -183,14 +183,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.67.2
+        version: 0.71.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.67.2
+        version: 0.71.0
 description: |-
   WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
       Relying Party and allow your users to authenticate with U2F and FIDO 2.0 authenticators.
@@ -283,7 +283,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.4
 signing_key:
 specification_version: 4
 summary: WebAuthn ruby server library