webauthn 2.2.0 → 2.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ab7bf6dcca17e3cfe29921d5eb1b93202864d397c5e3a923b6626e365b2caf39
-  data.tar.gz: 5d77612f3ba67243a44a93aab9cf6be9178728f5701fbae52d7a48a0590be356
+  metadata.gz: 1c61ea0ee6982c86b8413c42097b7ab9518c0b49e8067a89d5380ed76f214a0b
+  data.tar.gz: 4fe7e8aa42ff3a3894c5bc162575a7f5145c2d1bff6d844c247b434c4ff86854
 SHA512:
-  metadata.gz: cd9e2477f0b3e36f440a3bcd16694329abd4aab1e32df5a96441a54493689f9b2287a7bfbcd510ad6132784e18ad494e797964f6403f084c5fafb91c2bc7dd38
-  data.tar.gz: 04eae0faa11df97e39d9e62f848e1dec2cce409829776ed00de928674e841eb0143c82803d2a32d6f01f429ac402dead7120ee9bc3cc46f45333415a478ed6eb
+  metadata.gz: 8ef6c40183c3a7f45ba73e07e96eaa9bac5c05c4a61bb80849cc1ff985b4f139eefe12fcbff0d2988ce22e8c0bc3aa05ba0f41aa5f046b41df1c004ac16b9d8d
+  data.tar.gz: 36563d824c96cccda9281077197a4f0a98475d536f928aad5882e1e9b83c79c7f6b4b97afbd0abce8a58e3953f5fe74fa29a6d9ce644557761e94410e7158318

data/.rubocop.yml

@@ -20,6 +20,9 @@ Gemspec:
 Layout:
   Enabled: true
 
+Layout/ClassStructure:
+  Enabled: true
+
 Layout/FirstMethodArgumentLineBreak:
   Enabled: true
 

data/.travis.yml

@@ -1,26 +1,39 @@
 dist: bionic
 language: ruby
-cache: bundler
 
-rvm:
-  - ruby-head
-  - 2.7.0
-  - 2.6.5
-  - 2.5.7
-  - 2.4.9
+cache:
+  bundler: true
+  directories:
+    - /home/travis/.rvm/
+
+env:
+  - LIBSSL=1.1 RB=2.7.1
+  - LIBSSL=1.1 RB=2.6.6
+  - LIBSSL=1.1 RB=2.5.8
+  - LIBSSL=1.1 RB=2.4.10
+  - LIBSSL=1.1 RB=ruby-head
+  - LIBSSL=1.0 RB=2.7.1
+  - LIBSSL=1.0 RB=2.6.6
+  - LIBSSL=1.0 RB=2.5.8
+  - LIBSSL=1.0 RB=2.4.10
+  - LIBSSL=1.0 RB=ruby-head
 
 gemfile:
   - gemfiles/cose_head.gemfile
   - gemfiles/openssl_head.gemfile
+  - gemfiles/openssl_2_2.gemfile
   - gemfiles/openssl_2_1.gemfile
   - gemfiles/openssl_2_0.gemfile
 
 matrix:
   fast_finish: true
   allow_failures:
-    - rvm: ruby-head
+    - env: LIBSSL=1.1 RB=ruby-head
+    - env: LIBSSL=1.0 RB=ruby-head
     - gemfile: gemfiles/cose_head.gemfile
     - gemfile: gemfiles/openssl_head.gemfile
 
 before_install:
+  - ./script/ci/install-openssl
+  - ./script/ci/install-ruby
   - gem install bundler -v "~> 2.0"

data/Appraisals

@@ -8,6 +8,10 @@ appraise "openssl_head" do
   gem "openssl", git: "https://github.com/ruby/openssl"
 end
 
+appraise "openssl_2_2" do
+  gem "openssl", "~> 2.2.0"
+end
+
 appraise "openssl_2_1" do
   gem "openssl", "~> 2.1.0"
 end

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [v2.2.1] - 2020-06-06
+
+### Fixed
+
+- Fixed compatibility with OpenSSL-C (libssl) v1.0.2 ([@santiagorodriguez96])
+
 ## [v2.2.0] - 2020-03-14
 
 ### Added
@@ -282,6 +288,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
 [v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
 [v2.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.0.0...v2.1.0/
 [v2.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.18.0...v2.0.0/
@@ -314,3 +321,4 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [@sorah]: https://github.com/sorah
 [@ssuttner]: https://github.com/ssuttner
 [@padulafacundo]: https://github.com/padulafacundo
+[@santiagorodriguez96]: https://github.com/santiagorodriguez96

data/README.md

@@ -66,11 +66,10 @@ Known conformant pairs are, for example:
 - Mozilla Firefox for Desktop and Yubico's Security Key roaming authenticator via USB
 - Safari in iOS 13.3+ and YubiKey 5 NFC via NFC
 
-For a detailed picture about what is conformant and what not, you can refer to:
-
-- [apowers313/fido2-webauthn-status](https://github.com/apowers313/fido2-webauthn-status)
-- [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products)
+For a complete list:
 
+- User Agents (Clients): [Can I Use: Web Authentication API](https://caniuse.com/#search=webauthn)
+- Authenticators: [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products) (search for Type=Authenticator and Specification=FIDO2)
 
 ## Install
 
@@ -151,7 +150,7 @@ if !user.webauthn_id
 end
 
 options = WebAuthn::Credential.options_for_create(
-  user: { id: user.webauthn_id, name: user.name }
+  user: { id: user.webauthn_id, name: user.name },
   exclude: user.credentials.map { |c| c.webauthn_id }
 )
 
@@ -351,9 +350,7 @@ credential_with_assertion.verify(
 | -------- | :--------: |
 | packed (self attestation) | Yes |
 | packed (x5c attestation) | Yes |
-| packed (ECDAA attestation) | No |
 | tpm (x5c attestation) | Yes |
-| tpm (ECDAA attestation) | No |
 | android-key | Yes |
 | android-safetynet | Yes |
 | fido-u2f | Yes |

data/gemfiles/openssl_2_2.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", "~> 2.2.0"
+
+gemspec path: "../"

data/lib/cose/rsapkcs1_algorithm.rb

@@ -21,6 +21,10 @@ class RSAPKCS1Algorithm < COSE::Algorithm::SignatureAlgorithm
     OpenSSL::SignatureAlgorithm::RSAPKCS1
   end
 
+  def valid_key?(key)
+    to_cose_key(key).is_a?(COSE::Key::RSA)
+  end
+
   def to_pkey(key)
     case key
     when COSE::Key::RSA

data/lib/webauthn/attestation_object.rb

@@ -8,6 +8,8 @@ require "webauthn/authenticator_data"
 
 module WebAuthn
   class AttestationObject
+    extend Forwardable
+
     def self.deserialize(attestation_object)
       from_map(CBOR.decode(attestation_object))
     end
@@ -35,8 +37,6 @@ module WebAuthn
       attestation_statement.valid?(authenticator_data, client_data_hash)
     end
 
-    extend Forwardable
-
     def_delegators :authenticator_data, :credential, :aaguid
     def_delegators :attestation_statement, :attestation_certificate_key_id
   end

data/lib/webauthn/attestation_statement/base.rb

@@ -10,7 +10,6 @@ module WebAuthn
     ATTESTATION_TYPE_BASIC = "Basic"
     ATTESTATION_TYPE_SELF = "Self"
     ATTESTATION_TYPE_ATTCA = "AttCA"
-    ATTESTATION_TYPE_ECDAA = "ECDAA"
     ATTESTATION_TYPE_BASIC_OR_ATTCA = "Basic_or_AttCA"
 
     ATTESTATION_TYPES_WITH_ROOT = [
@@ -81,10 +80,6 @@ module WebAuthn
         statement["x5c"]
       end
 
-      def raw_ecdaa_key_id
-        statement["ecdaaKeyId"]
-      end
-
       def signature
         statement["sig"]
       end

data/lib/webauthn/attestation_statement/packed.rb

@@ -6,13 +6,10 @@ require "webauthn/signature_verifier"
 
 module WebAuthn
   # Implements https://www.w3.org/TR/2018/CR-webauthn-20180807/#packed-attestation
-  # ECDAA attestation is unsupported.
   module AttestationStatement
     class Packed < Base
       # Follows "Verification procedure"
       def valid?(authenticator_data, client_data_hash)
-        check_unsupported_feature
-
         valid_format? &&
           valid_algorithm?(authenticator_data.credential) &&
           valid_ec_public_keys?(authenticator_data.credential) &&
@@ -30,19 +27,11 @@ module WebAuthn
       end
 
       def self_attestation?
-        !raw_certificates && !raw_ecdaa_key_id
+        !raw_certificates
       end
 
       def valid_format?
-        algorithm && signature && (
-          [raw_certificates, raw_ecdaa_key_id].compact.size < 2
-        )
-      end
-
-      def check_unsupported_feature
-        if raw_ecdaa_key_id
-          raise NotSupportedError, "ecdaaKeyId of the packed attestation format is not implemented yet"
-        end
+        algorithm && signature
       end
 
       def valid_ec_public_keys?(credential)

data/lib/webauthn/attestation_statement/tpm.rb

@@ -19,23 +19,16 @@ module WebAuthn
       }.freeze
 
       def valid?(authenticator_data, client_data_hash)
-        case attestation_type
-        when ATTESTATION_TYPE_ATTCA
+        attestation_type == ATTESTATION_TYPE_ATTCA &&
           ver == TPM_V2 &&
-            valid_key_attestation?(
-              authenticator_data.data + client_data_hash,
-              authenticator_data.credential.public_key_object,
-              authenticator_data.aaguid
-            ) &&
-            matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
-            trustworthy?(aaguid: authenticator_data.aaguid) &&
-            [attestation_type, attestation_trust_path]
-        when ATTESTATION_TYPE_ECDAA
-          raise(
-            WebAuthn::AttestationStatement::Base::NotSupportedError,
-            "Attestation type ECDAA is not supported"
-          )
-        end
+          valid_key_attestation?(
+            authenticator_data.data + client_data_hash,
+            authenticator_data.credential.public_key_object,
+            authenticator_data.aaguid
+          ) &&
+          matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
+          trustworthy?(aaguid: authenticator_data.aaguid) &&
+          [attestation_type, attestation_trust_path]
       end
 
       private
@@ -78,10 +71,8 @@ module WebAuthn
       end
 
       def attestation_type
-        if raw_certificates && !raw_ecdaa_key_id
+        if raw_certificates
           ATTESTATION_TYPE_ATTCA
-        elsif raw_ecdaa_key_id && !raw_certificates
-          ATTESTATION_TYPE_ECDAA
         else
           raise "Attestation type invalid"
         end

data/lib/webauthn/authenticator_attestation_response.rb

@@ -16,6 +16,8 @@ module WebAuthn
   class AttestedCredentialVerificationError < VerificationError; end
 
   class AuthenticatorAttestationResponse < AuthenticatorResponse
+    extend Forwardable
+
     def self.from_client(response)
       encoder = WebAuthn.configuration.encoder
 
@@ -48,8 +50,6 @@ module WebAuthn
       @attestation_object ||= WebAuthn::AttestationObject.deserialize(attestation_object_bytes)
     end
 
-    extend Forwardable
-
     def_delegators(
       :attestation_object,
       :aaguid,

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.2.0"
+  VERSION = "2.2.1"
 end

data/script/ci/install-openssl

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+if [[ "$LIBSSL" == "1.0" ]]; then
+  sudo apt-get install libssl1.0-dev
+fi

data/script/ci/install-ruby

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+source "$HOME/.rvm/scripts/rvm"
+
+if [[ "$LIBSSL" == "1.0" ]]; then
+  rvm use --install $RB --autolibs=read-only --disable-binary
+elif [[ "$LIBSSL" == "1.1" ]]; then
+  rvm use --install $RB --binary --fuzzy
+fi
+
+[[ "`ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'`" =~ "OpenSSL $LIBSSL" ]] || { echo "Wrong libssl version"; exit 1; }

data/webauthn.gemspec

@@ -37,11 +37,11 @@ Gem::Specification.new do |spec|
   spec.add_dependency "awrence", "~> 1.1"
   spec.add_dependency "bindata", "~> 2.4"
   spec.add_dependency "cbor", "~> 0.5.9"
-  spec.add_dependency "cose", "~> 0.11.0"
+  spec.add_dependency "cose", "~> 1.0"
   spec.add_dependency "openssl", "~> 2.0"
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
   spec.add_dependency "securecompare", "~> 1.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.7.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.9.0"
 
   spec.add_development_dependency "appraisal", "~> 2.2.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.1
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-03-14 00:00:00.000000000 Z
+date: 2020-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -73,14 +73,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.11.0
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.11.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
@@ -129,14 +129,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.0
+        version: 0.9.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.0
+        version: 0.9.0
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -269,6 +269,7 @@ files:
 - gemfiles/cose_head.gemfile
 - gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_head.gemfile
 - lib/cose/rsapkcs1_algorithm.rb
 - lib/webauthn.rb
@@ -316,6 +317,8 @@ files:
 - lib/webauthn/signature_verifier.rb
 - lib/webauthn/u2f_migrator.rb
 - lib/webauthn/version.rb
+- script/ci/install-openssl
+- script/ci/install-ruby
 - webauthn.gemspec
 homepage: https://github.com/cedarcode/webauthn-ruby
 licenses:
@@ -339,7 +342,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: WebAuthn ruby server library