RubyGems - webauthn - Versions diffs - 1.16.0 → 1.17.0 - Mend

webauthn 1.16.0 → 1.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/.rubocop.yml +0 -3
data/CHANGELOG.md +8 -0
data/README.md +9 -2
data/lib/cose/algorithm.rb +6 -0
data/lib/tpm/constants.rb +1 -0
data/lib/webauthn/attestation_statement/tpm.rb +1 -1
data/lib/webauthn/attestation_statement/tpm/pub_area.rb +2 -1
data/lib/webauthn/authenticator_assertion_response.rb +16 -0
data/lib/webauthn/fake_authenticator.rb +3 -1
data/lib/webauthn/fake_client.rb +3 -2
data/lib/webauthn/signature_verifier.rb +2 -2
data/lib/webauthn/version.rb +1 -1
data/webauthn.gemspec +1 -1
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42985c0e7686cf588be02d1afef8e315e0692561533f076e36419cd2ef3b2c74
-  data.tar.gz: 3970cd2424034f2a28e1ffb92954151aa1ae113391731f63f9d1734c10a61bce
+  metadata.gz: d4cc833d8288e0519614728a71e26e4e7842ec0c597bd7fc839fe9bacbb44c61
+  data.tar.gz: 712c9ad093705954409facf4ee171752ba76865cbca831121a0f88a4c4d9430c
 SHA512:
-  metadata.gz: 6993542bbc3ec899929f6ba5e13b34a347692f13da9efd7cab541de38e0473f2271c0c9e67085bd5e22439c59c97c7dc86680b7579cf578fd973eabc23fea2c4
-  data.tar.gz: c30c9f9e9c43fddf01621eff5f1068b9ecc280649801a53ba7daa736fb1eb88724efaf8e50e4d8768544ce8b2a725318693eec3b84c6d8cef0137d8d712f6e85
+  metadata.gz: 6fd66258429cadca7660ce7c69640b630b13bd21ac4b690d60c37834edcf4b6ce368688186f1b1a23fba8dc4856767314f7a7308e1ae9932f2f51776fabe89cb
+  data.tar.gz: a28362aa5cf1bd451a5b0303750bb55ffd80f2b47c63c9ef04b7f04e300c8b4f997ec0d6a808361503ecb0b780c263d2447c36bde0239657bc3cc5fd6b106719

data/.rubocop.yml CHANGED

@@ -24,9 +24,6 @@ Metrics/LineLength:
 Naming:
   Enabled: true
-Performance:
-  Enabled: true
 Security:
   Enabled: true

data/CHANGELOG.md CHANGED

@@ -1,5 +1,12 @@
 # Changelog
+## [v1.17.0] - 2019-06-18
+### Added
+- Support ES384, ES512, PS384, PS512, RS384 and RS512 credentials. Off by default. Enable by adding any of them to `WebAuthn.configuration.algorithms` array. Thank you @bdewater.
+- Support [Signature Counter](https://www.w3.org/TR/webauthn/#signature-counter) verification. Thank you @bdewater.
 ## [v1.16.0] - 2019-06-13
 ### Added
@@ -187,6 +194,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
+[v1.17.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.16.0...v1.17.0/
 [v1.16.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.15.0...v1.16.0/
 [v1.15.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.14.0...v1.15.0/
 [v1.14.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.13.0...v1.14.0/

data/README.md CHANGED

@@ -127,11 +127,12 @@ begin
   attestation_response.verify(expected_challenge)
   # 1. Register the new user and
-  # 2. Keep Credential ID and Credential Public Key under storage
+  # 2. Keep Credential ID, Credential Public Key and Sign Count under storage
   #    for future authentications
   #    Access by invoking:
   #      `attestation_response.credential.id`
   #      `attestation_response.credential.public_key`
+  #      `attestation_response.authenticator_data.sign_count`
 rescue WebAuthn::VerificationError => e
   # Handle error
 end
@@ -171,11 +172,13 @@ Assuming you have the previously stored Credential Public Key, now in variable `
 #
 # E.g. in https://github.com/cedarcode/webauthn-rails-demo-app we use `Base64.strict_decode64`
 # on the user-agent encoded data before calling `#verify`
+selected_credential_id = "..."
 authenticator_data = "..."
 client_data_json = "..."
 signature = "..."
 assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
+  credential_id: selected_credential_id,
   authenticator_data: authenticator_data,
   client_data_json: client_data_json,
   signature: signature
@@ -185,7 +188,8 @@ assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
 # previously stored credential for the user that is attempting to sign in.
 allowed_credential = {
   id: credential_id,
-  public_key: credential_public_key
+  public_key: credential_public_key,
+  sign_count: sign_count,
 }
 begin
@@ -195,6 +199,9 @@ begin
 rescue WebAuthn::VerificationError => e
   # Handle error
 end
+# Find the selected credential in your data storage using `selected_credential_id`
+# Update the stored sign count with the value from `assertion_response.authenticator_data.sign_count`
 ```
 ## Attestation Statement Formats

data/lib/cose/algorithm.rb CHANGED

@@ -27,6 +27,12 @@ module COSE
 end
 COSE::Algorithm.register(-7, "ES256", "SHA256", COSE::Key::EC2::KTY_EC2, "prime256v1")
+COSE::Algorithm.register(-35, "ES384", "SHA384", COSE::Key::EC2::KTY_EC2, "prime256v1")
+COSE::Algorithm.register(-36, "ES512", "SHA512", COSE::Key::EC2::KTY_EC2, "prime256v1")
 COSE::Algorithm.register(-37, "PS256", "SHA256", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-38, "PS384", "SHA384", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-39, "PS512", "SHA512", COSE::Key::RSA::KTY_RSA)
 COSE::Algorithm.register(-257, "RS256", "SHA256", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-258, "RS384", "SHA384", COSE::Key::RSA::KTY_RSA)
+COSE::Algorithm.register(-259, "RS512", "SHA512", COSE::Key::RSA::KTY_RSA)
 COSE::Algorithm.register(-65535, "RS1", "SHA1", COSE::Key::RSA::KTY_RSA)

data/lib/tpm/constants.rb CHANGED

@@ -13,6 +13,7 @@ module TPM
   ALG_SHA256 = 0x000B
   ALG_NULL = 0x0010
   ALG_RSASSA = 0x0014
+  ALG_RSAPSS = 0x0016
   ALG_ECDSA = 0x0018
   ALG_ECC = 0x0023

data/lib/webauthn/attestation_statement/tpm.rb CHANGED

@@ -40,7 +40,7 @@ module WebAuthn
       def valid_signature?
         WebAuthn::SignatureVerifier
           .new(algorithm, attestation_certificate.public_key)
-          .verify(signature, verification_data)
+          .verify(signature, verification_data, rsa_pss_salt_length: :auto)
       end
       def valid_attestation_certificate?

data/lib/webauthn/attestation_statement/tpm/pub_area.rb CHANGED

@@ -17,7 +17,8 @@ module WebAuthn
         }.freeze
         COSE_RSA_TO_TPM_ALG = {
-          COSE::Algorithm.by_name("RS256").id => ::TPM::ALG_RSASSA
+          COSE::Algorithm.by_name("RS256").id => ::TPM::ALG_RSASSA,
+          COSE::Algorithm.by_name("PS256").id => ::TPM::ALG_RSAPSS,
         }.freeze
         COSE_TO_TPM_CURVE = {

data/lib/webauthn/authenticator_assertion_response.rb CHANGED

@@ -10,6 +10,7 @@ require "webauthn/signature_verifier"
 module WebAuthn
   class CredentialVerificationError < VerificationError; end
   class SignatureVerificationError < VerificationError; end
+  class SignCountVerificationError < VerificationError; end
   class AuthenticatorAssertionResponse < AuthenticatorResponse
     def initialize(credential_id:, authenticator_data:, signature:, **options)
@@ -25,6 +26,7 @@ module WebAuthn
       verify_item(:credential, allowed_credentials)
       verify_item(:signature, credential_cose_key(allowed_credentials))
+      verify_item(:sign_count, allowed_credentials)
       true
     end
@@ -43,6 +45,20 @@ module WebAuthn
         .verify(signature, authenticator_data_bytes + client_data.hash)
     end
+    def valid_sign_count?(allowed_credentials)
+      matched_credential = allowed_credentials.find do |credential|
+        credential[:id] == credential_id
+      end
+      # TODO: make passing sign count mandatory in next major version
+      stored_sign_count = matched_credential.fetch(:sign_count, 0)
+      if authenticator_data.sign_count.nonzero? || stored_sign_count.nonzero?
+        authenticator_data.sign_count > stored_sign_count
+      else
+        true
+      end
+    end
     def valid_credential?(allowed_credentials)
       allowed_credential_ids = allowed_credentials.map { |credential| credential[:id] }

data/lib/webauthn/fake_authenticator.rb CHANGED

@@ -35,7 +35,8 @@ module WebAuthn
       client_data_hash:,
       user_present: true,
       user_verified: false,
-      aaguid: AuthenticatorData::AAGUID
+      aaguid: AuthenticatorData::AAGUID,
+      sign_count: 0
     )
       credential_options = credentials[rp_id]
@@ -47,6 +48,7 @@ module WebAuthn
           user_present: user_present,
           user_verified: user_verified,
           aaguid: aaguid,
+          sign_count: sign_count,
         ).serialize
         signature = credential_key.sign("SHA256", authenticator_data + client_data_hash)

data/lib/webauthn/fake_client.rb CHANGED

@@ -41,7 +41,7 @@ module WebAuthn
       }
     end
-    def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false)
+    def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false, sign_count: 0)
       rp_id ||= URI.parse(origin).host
       client_data_json = data_json_for(:get, challenge)
@@ -51,7 +51,8 @@ module WebAuthn
         rp_id: rp_id,
         client_data_hash: client_data_hash,
         user_present: user_present,
-        user_verified: user_verified
+        user_verified: user_verified,
+        sign_count: sign_count,
       )
       {

data/lib/webauthn/signature_verifier.rb CHANGED

@@ -22,10 +22,10 @@ module WebAuthn
       validate
     end
-    def verify(signature, verification_data)
+    def verify(signature, verification_data, rsa_pss_salt_length: :digest)
       if rsa_pss?
         public_key.verify_pss(cose_algorithm.hash, signature, verification_data,
-                              salt_length: :digest, mgf1_hash: cose_algorithm.hash)
+                              salt_length: rsa_pss_salt_length, mgf1_hash: cose_algorithm.hash)
       else
         public_key.verify(cose_algorithm.hash, signature, verification_data)
       end

data/lib/webauthn/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module WebAuthn
-  VERSION = "1.16.0"
+  VERSION = "1.17.0"
 end

data/webauthn.gemspec CHANGED

@@ -43,5 +43,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 12.3"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.67.2"
+  spec.add_development_dependency "rubocop", "0.71.0"
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 1.16.0
+  version: 1.17.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-06-13 00:00:00.000000000 Z
+date: 2019-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -183,14 +183,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.67.2
+        version: 0.71.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.67.2
+        version: 0.71.0
 description: |-
   WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
       Relying Party and allow your users to authenticate with U2F and FIDO 2.0 authenticators.
@@ -283,7 +283,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.4
 signing_key:
 specification_version: 4
 summary: WebAuthn ruby server library