webauthn 1.6.0 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25e0a04470e52f5f6640aacc66c9653792ea8b5dc9fc7639d6d876b0fdd8921a
-  data.tar.gz: 4291b2831b3cee590445af283f7979b98d0da02950e5ffd161f14aad9754b4e1
+  metadata.gz: 861ba8a05d52230a89d8ba009d93e656c42c7f9add389767f0cd3cf6bf97c8c2
+  data.tar.gz: a3c7d357340f381c4ea06e3ed8aa5711549573eb9f59e591a332f7224a55a2dd
 SHA512:
-  metadata.gz: 3681ac63ac7bab1629e23010e93641fc3f522ada0ee2b5259f933465bb3dd6b8bdfa4b726bb803759fbb452e137c6624bad4bd52b4e86c31f9fd789edde6537c
-  data.tar.gz: bf4aa5c49e3421b7f112de0ce638d0fe18465040ebf258e51b12c7d379ba624e2f72d3ad4400cf1f782e440a6605f60180622be8a01c74b3ab8658f16293152f
+  metadata.gz: dcad6286a076eea7af7d3bfde6c708cb291a2d8102c8722db8a6372baedf6541df470d54717ed2c347a2f0e703a7bcf190cffbef9c8f90cbe6475064ee00f542
+  data.tar.gz: 8b28576e8ce15e632ca54e78fd4cf94ac2c34a506c84b085baa19623787e50d60eb0ed7253edbd87523639353a4cdb448c7bfc94dedf1563ae764e9ff1e4cd28

data/.travis.yml

@@ -2,11 +2,11 @@ sudo: false
 language: ruby
 cache: bundler
 rvm:
-  - 2.6.0-preview2
+  - 2.6.0-preview3
   - 2.5.3
   - 2.4.5
   - 2.3.8
 matrix:
   fast_finish: true
   allow_failures:
-    - rvm: 2.6.0-preview2
+    - rvm: 2.6.0-preview3

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [v1.7.0] - 2018-11-08
+
+### Added
+
+- _Registration_ ceremony
+  - `WebAuthn::AuthenticatorAttestationResponse` exposes attestation type and trust path via `#attestation_type` and `#attestation_trust_path` methods. Thank you @bdewater!
+
 ## [v1.6.0] - 2018-11-01
 
 ### Added
@@ -97,6 +104,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v1.7.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.6.0...v1.7.0/
 [v1.6.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.5.0...v1.6.0/
 [v1.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.4.0...v1.5.0/
 [v1.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.3.0...v1.4.0/

data/README.md

@@ -21,11 +21,16 @@ This gem will help your ruby server act as a conforming [_Relying-Party_](https:
 Currently supporting [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API):
   - [Mozilla Firefox](https://www.mozilla.org/firefox/) 60+
   - [Google Chrome](https://www.google.com/chrome/) 67+
-  - [Google Chrome for Android Beta](https://play.google.com/store/apps/details?id=com.chrome.beta) 70+
+  - [Google Chrome for Android](https://play.google.com/store/apps/details?id=com.android.chrome) 70+
 
 ### A conforming Authenticator
 
-- [Security Key by Yubico](https://www.yubico.com/product/security-key-by-yubico/) (used to test/develop this gem)
+* Roaming authenticators
+  * [Security Key by Yubico](https://www.yubico.com/product/security-key-by-yubico/)
+  * [YubiKey 5 Series](https://www.yubico.com/products/yubikey-5-overview/) key
+* Platform authenticators
+  * Android's Fingerprint Scanner
+  * MacBook [Touch ID](https://en.wikipedia.org/wiki/Touch_ID)
 
 NOTE: Firefox states ([Firefox 60 release notes](https://www.mozilla.org/en-US/firefox/60.0/releasenotes/)) they only support USB FIDO2 or FIDO U2F enabled devices in their current implementation (version 60).
   It's up to the gem's user to verify user agent compatibility if any other device wants to be used as the authenticator component.
@@ -48,6 +53,8 @@ Or install it yourself as:
 
 ## Usage
 
+NOTE: You can find a working example on how to use this gem in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app).
+
 ### Registration
 
 #### Initiation phase

data/lib/webauthn/attestation_statement.rb

@@ -9,6 +9,13 @@ module WebAuthn
     ATTESTATION_FORMAT_PACKED = 'packed'
     ATTESTATION_FORMAT_ANDROID_SAFETYNET = "android-safetynet"
 
+    ATTESTATION_TYPE_NONE = "None"
+    ATTESTATION_TYPE_BASIC = "Basic"
+    ATTESTATION_TYPE_SELF = "Self"
+    ATTESTATION_TYPE_ATTCA = "AttCA"
+    ATTESTATION_TYPE_ECDAA = "ECDAA"
+    ATTESTATION_TYPE_BASIC_OR_ATTCA = "Basic_or_AttCA"
+
     def self.from(format, statement)
       case format
       when ATTESTATION_FORMAT_NONE

data/lib/webauthn/attestation_statement/android_safetynet.rb

@@ -18,7 +18,8 @@ module WebAuthn
           valid_attestation_domain? &&
           valid_version? &&
           valid_nonce?(authenticator_data, client_data_hash) &&
-          cts_profile_match?
+          cts_profile_match? &&
+          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_certificate]
       end
 
       private

data/lib/webauthn/attestation_statement/fido_u2f.rb

@@ -11,7 +11,8 @@ module WebAuthn
       def valid?(authenticator_data, client_data_hash)
         valid_format? &&
           valid_certificate_public_key? &&
-          valid_signature?(authenticator_data, client_data_hash)
+          valid_signature?(authenticator_data, client_data_hash) &&
+          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, [attestation_certificate]]
       end
 
       private

data/lib/webauthn/attestation_statement/none.rb

@@ -6,7 +6,7 @@ module WebAuthn
   module AttestationStatement
     class None < Base
       def valid?(*_args)
-        true
+        [WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE, nil]
       end
     end
   end

data/lib/webauthn/attestation_statement/packed.rb

@@ -15,7 +15,8 @@ module WebAuthn
         valid_format? &&
           valid_certificate_chain?(authenticator_data.credential) &&
           meet_certificate_requirement? &&
-          valid_signature?(authenticator_data, client_data_hash)
+          valid_signature?(authenticator_data, client_data_hash) &&
+          attestation_type_and_trust_path
       end
 
       private
@@ -67,12 +68,15 @@ module WebAuthn
 
       # Check https://www.w3.org/TR/2018/CR-webauthn-20180807/#packed-attestation-cert-requirements
       def meet_certificate_requirement?
-        return true unless attestation_certificate
-        subject = attestation_certificate.subject.to_a
-
-        attestation_certificate.version == 2 &&
-          subject.assoc('OU')&.at(1) == "Authenticator Attestation" &&
-          attestation_certificate.extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == 'CA:FALSE'
+        if attestation_certificate
+          subject = attestation_certificate.subject.to_a
+
+          attestation_certificate.version == 2 &&
+            subject.assoc('OU')&.at(1) == "Authenticator Attestation" &&
+            attestation_certificate.extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == 'CA:FALSE'
+        else
+          true
+        end
       end
 
       def valid_signature?(authenticator_data, client_data_hash)
@@ -86,6 +90,14 @@ module WebAuthn
       def verification_data(authenticator_data, client_data_hash)
         authenticator_data.data + client_data_hash
       end
+
+      def attestation_type_and_trust_path
+        if raw_attestation_certificates&.any?
+          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_certificate_chain]
+        else
+          [WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF, nil]
+        end
+      end
     end
   end
 end

data/lib/webauthn/authenticator_attestation_response.rb

@@ -11,6 +11,8 @@ require "webauthn/client_data"
 
 module WebAuthn
   class AuthenticatorAttestationResponse < AuthenticatorResponse
+    attr_reader :attestation_type, :attestation_trust_path
+
     def initialize(attestation_object:, **options)
       super(options)
 
@@ -18,8 +20,14 @@ module WebAuthn
     end
 
     def valid?(original_challenge, original_origin, rp_id: nil)
-      super &&
-        attestation_statement.valid?(authenticator_data, client_data.hash)
+      valid_response = super
+      return false unless valid_response
+
+      valid_attestation = attestation_statement.valid?(authenticator_data, client_data.hash)
+      return false unless valid_attestation
+
+      @attestation_type, @attestation_trust_path = valid_attestation
+      true
     end
 
     def credential

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "1.6.0"
+  VERSION = "1.7.0"
 end

data/webauthn.gemspec

@@ -38,5 +38,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "byebug", "~> 10.0"
   spec.add_development_dependency "rake", "~> 12.0"
   spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency "rubocop", "0.57.0"
+  spec.add_development_dependency "rubocop", "0.60.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-11-01 00:00:00.000000000 Z
+date: 2018-11-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cbor
@@ -135,14 +135,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.57.0
+        version: 0.60.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.57.0
+        version: 0.60.0
 description: 
 email:
 - gonzalo@cedarcode.com
@@ -203,7 +203,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: WebAuthn in ruby ― Ruby implementation of a WebAuthn Relying Party