webauthn 2.2.1 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c61ea0ee6982c86b8413c42097b7ab9518c0b49e8067a89d5380ed76f214a0b
-  data.tar.gz: 4fe7e8aa42ff3a3894c5bc162575a7f5145c2d1bff6d844c247b434c4ff86854
+  metadata.gz: 4094023fc463d77a38548e294121f819e874bfb1c075ca43b1fb38e41cfd53a2
+  data.tar.gz: f410f8d7e000822943be953265a32e8f81423908e6aff282486d5afa4ab62eb4
 SHA512:
-  metadata.gz: 8ef6c40183c3a7f45ba73e07e96eaa9bac5c05c4a61bb80849cc1ff985b4f139eefe12fcbff0d2988ce22e8c0bc3aa05ba0f41aa5f046b41df1c004ac16b9d8d
-  data.tar.gz: 36563d824c96cccda9281077197a4f0a98475d536f928aad5882e1e9b83c79c7f6b4b97afbd0abce8a58e3953f5fe74fa29a6d9ce644557761e94410e7158318
+  metadata.gz: 23ea57e2264cc45024174e8d7a54bc3d4f373cca916c4453079d5cfccf46caa4dbc5aa4013a54404121274a35e71f97f90a061062a21ca270a8b58d474345fb8
+  data.tar.gz: 3b49c5b5b845fdcfc3b0b647a16aeab07ad219210e8e29835d171e387d6bcc4ac5fe08a4f9d2978ee6db1022363d1c2b06fe0a163a8625038aca51e1d274e903

data/.rubocop.yml

@@ -10,6 +10,7 @@ AllCops:
   DisabledByDefault: true
   Exclude:
     - "gemfiles/**/*"
+    - "vendor/**/*"
 
 Bundler:
   Enabled: true

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [v2.3.0] - 2020-06-27
+
+### Added
+
+- Ability to access extension outputs with `PublicKeyCredential#client_extension_outputs` and `PublicKeyCredential#authenticator_extension_outputs` ([@santiagorodriguez96])
+
 ## [v2.2.1] - 2020-06-06
 
 ### Fixed
@@ -288,6 +294,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v2.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.1...v2.3.0/
 [v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
 [v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
 [v2.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.0.0...v2.1.0/

data/README.md

@@ -252,6 +252,54 @@ rescue WebAuthn::Error => e
 end
 ```
 
+### Extensions
+
+> The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, as defined in Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or an authentication extension.
+
+> When creating a public key credential or requesting an authentication assertion, a WebAuthn Relying Party can request the use of a set of extensions. These extensions will be invoked during the requested ceremony if they are supported by the WebAuthn Client and/or the WebAuthn Authenticator. The Relying Party sends the client extension input for each extension in the get() call (for authentication extensions) or create() call (for registration extensions) to the WebAuthn client. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]
+
+Extensions can be requested in the initiation phase in both Credential Registration and Authentication ceremonies by adding the extension parameter when generating the options for create/get:
+
+```ruby
+# Credential Registration
+creation_options = WebAuthn::Credential.options_for_create(
+  user: { id: user.webauthn_id, name: user.name },
+  exclude: user.credentials.map { |c| c.webauthn_id },
+  extensions: { appidExclude: domain.to_s }
+)
+
+# OR
+
+# Credential Authentication
+options = WebAuthn::Credential.options_for_get(
+  allow: user.credentials.map { |c| c.webauthn_id },
+  extensions: { appid: domain.to_s }
+)
+```
+
+Consequently, after these `options` are sent to the WebAuthn client:
+
+> The WebAuthn client performs client extension processing for each extension that the client supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.
+
+> For authenticator extensions, as part of the client extension processing, the client also creates the CBOR authenticator extension input value for each extension (often based on the corresponding client extension input value), and passes them to the authenticator in the create() call (for registration extensions) or the get() call (for authentication extensions).
+
+> The authenticator, in turn, performs additional processing for the extensions that it supports, and returns the CBOR authenticator extension output for each as specified by the extension. Part of the client extension processing for authenticator extensions is to use the authenticator extension output as an input to creating the client extension output. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]
+
+Finally, you can check the values returned for each extension by calling `client_extension_outputs` and `authenticator_extension_outputs` respectively.
+For example, following the initialization phase for the Credential Authentication ceremony specified in the above example:
+
+```ruby
+webauthn_credential = WebAuthn::Credential.from_get(credential_get_result_hash)
+
+webauthn_credential.client_extension_outputs #=> { "appid" => true }
+webauthn_credential.authenticator_extension_outputs #=> nil
+```
+
+A list of all currently defined extensions:
+
+  - [Last published version](https://www.w3.org/TR/webauthn-2/#sctn-defined-extensions)
+  - [Next version (in draft)](https://w3c.github.io/webauthn/#sctn-defined-extensions)
+
 ## API
 
 #### `WebAuthn.generate_user_id`
@@ -342,6 +390,22 @@ credential_with_assertion.verify(
 )
 ```
 
+#### `PublicKeyCredential#client_extension_outputs`
+
+```ruby
+credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])
+
+credential.client_extension_outputs
+```
+
+#### `PublicKeyCredential#authenticator_extension_outputs`
+
+```ruby
+credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])
+
+credential.authenticator_extension_outputs
+```
+
 ## Attestation
 
 ### Attestation Statement Format

data/lib/webauthn/attestation_statement/android_key.rb

@@ -3,7 +3,6 @@
 require "android_key_attestation"
 require "openssl"
 require "webauthn/attestation_statement/base"
-require "webauthn/signature_verifier"
 
 module WebAuthn
   module AttestationStatement
@@ -21,12 +20,6 @@ module WebAuthn
 
       private
 
-      def valid_signature?(authenticator_data, client_data_hash)
-        WebAuthn::SignatureVerifier
-          .new(algorithm, attestation_certificate.public_key)
-          .verify(signature, authenticator_data.data + client_data_hash)
-      end
-
       def matching_public_key?(authenticator_data)
         attestation_certificate.public_key.to_der == authenticator_data.credential.public_key_object.to_der
       end

data/lib/webauthn/attestation_statement/base.rb

@@ -1,11 +1,16 @@
 # frozen_string_literal: true
 
+require "cose/algorithm"
+require "cose/error"
+require "cose/rsapkcs1_algorithm"
 require "openssl"
 require "webauthn/authenticator_data/attested_credential_data"
 require "webauthn/error"
 
 module WebAuthn
   module AttestationStatement
+    class UnsupportedAlgorithm < Error; end
+
     ATTESTATION_TYPE_NONE = "None"
     ATTESTATION_TYPE_BASIC = "Basic"
     ATTESTATION_TYPE_SELF = "Self"
@@ -19,8 +24,6 @@ module WebAuthn
     ].freeze
 
     class Base
-      class NotSupportedError < Error; end
-
       AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4"
 
       def initialize(statement)
@@ -147,6 +150,30 @@ module WebAuthn
         OpenSSL::ASN1.decode(ext_value.value).value
       end
 
+      def valid_signature?(authenticator_data, client_data_hash, public_key = attestation_certificate.public_key)
+        raise("Incompatible algorithm and key") unless cose_algorithm.compatible_key?(public_key)
+
+        cose_algorithm.verify(
+          public_key,
+          signature,
+          verification_data(authenticator_data, client_data_hash)
+        )
+      rescue COSE::Error
+        false
+      end
+
+      def verification_data(authenticator_data, client_data_hash)
+        authenticator_data.data + client_data_hash
+      end
+
+      def cose_algorithm
+        @cose_algorithm ||=
+          COSE::Algorithm.find(algorithm).tap do |alg|
+            alg && configuration.algorithms.include?(alg.name) ||
+              raise(UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}")
+          end
+      end
+
       def configuration
         WebAuthn.configuration
       end

data/lib/webauthn/attestation_statement/fido_u2f.rb

@@ -4,7 +4,6 @@ require "cose"
 require "openssl"
 require "webauthn/attestation_statement/base"
 require "webauthn/attestation_statement/fido_u2f/public_key"
-require "webauthn/signature_verifier"
 
 module WebAuthn
   module AttestationStatement
@@ -48,10 +47,8 @@ module WebAuthn
         attested_credential_data_aaguid == WebAuthn::AuthenticatorData::AttestedCredentialData::ZEROED_AAGUID
       end
 
-      def valid_signature?(authenticator_data, client_data_hash)
-        WebAuthn::SignatureVerifier
-          .new(VALID_ATTESTATION_CERTIFICATE_ALGORITHM, certificate_public_key)
-          .verify(signature, verification_data(authenticator_data, client_data_hash))
+      def algorithm
+        VALID_ATTESTATION_CERTIFICATE_ALGORITHM.id
       end
 
       def verification_data(authenticator_data, client_data_hash)

data/lib/webauthn/attestation_statement/packed.rb

@@ -2,7 +2,6 @@
 
 require "openssl"
 require "webauthn/attestation_statement/base"
-require "webauthn/signature_verifier"
 
 module WebAuthn
   # Implements https://www.w3.org/TR/2018/CR-webauthn-20180807/#packed-attestation
@@ -53,15 +52,6 @@ module WebAuthn
         end
       end
 
-      def valid_signature?(authenticator_data, client_data_hash)
-        signature_verifier = WebAuthn::SignatureVerifier.new(
-          algorithm,
-          attestation_certificate&.public_key || authenticator_data.credential.public_key_object
-        )
-
-        signature_verifier.verify(signature, authenticator_data.data + client_data_hash)
-      end
-
       def attestation_type
         if attestation_trust_path
           WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA # FIXME: use metadata if available
@@ -69,6 +59,14 @@ module WebAuthn
           WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF
         end
       end
+
+      def valid_signature?(authenticator_data, client_data_hash)
+        super(
+          authenticator_data,
+          client_data_hash,
+          attestation_certificate&.public_key || authenticator_data.credential.public_key_object
+        )
+      end
     end
   end
 end

data/lib/webauthn/attestation_statement/tpm.rb

@@ -4,7 +4,6 @@ require "cose/algorithm"
 require "openssl"
 require "tpm/key_attestation"
 require "webauthn/attestation_statement/base"
-require "webauthn/signature_verifier"
 
 module WebAuthn
   module AttestationStatement

data/lib/webauthn/authenticator_assertion_response.rb

@@ -3,7 +3,6 @@
 require "webauthn/authenticator_data"
 require "webauthn/authenticator_response"
 require "webauthn/encoder"
-require "webauthn/signature_verifier"
 require "webauthn/public_key"
 
 module WebAuthn
@@ -54,9 +53,7 @@ module WebAuthn
     attr_reader :authenticator_data_bytes, :signature
 
     def valid_signature?(webauthn_public_key)
-      WebAuthn::SignatureVerifier
-        .new(webauthn_public_key.alg, webauthn_public_key.pkey)
-        .verify(signature, authenticator_data_bytes + client_data.hash)
+      webauthn_public_key.verify(signature, authenticator_data_bytes + client_data.hash)
     end
 
     def valid_sign_count?(stored_sign_count)

data/lib/webauthn/fake_authenticator.rb

@@ -18,7 +18,8 @@ module WebAuthn
       user_present: true,
       user_verified: false,
       attested_credential_data: true,
-      sign_count: nil
+      sign_count: nil,
+      extensions: nil
     )
       credential_id, credential_key, credential_sign_count = new_credential
       sign_count ||= credential_sign_count
@@ -37,7 +38,8 @@ module WebAuthn
         user_present: user_present,
         user_verified: user_verified,
         attested_credential_data: attested_credential_data,
-        sign_count: sign_count
+        sign_count: sign_count,
+        extensions: extensions
       ).serialize
     end
 
@@ -47,7 +49,8 @@ module WebAuthn
       user_present: true,
       user_verified: false,
       aaguid: AuthenticatorData::AAGUID,
-      sign_count: nil
+      sign_count: nil,
+      extensions: nil
     )
       credential_options = credentials[rp_id]
 
@@ -63,6 +66,7 @@ module WebAuthn
           aaguid: aaguid,
           credential: nil,
           sign_count: sign_count || credential_sign_count,
+          extensions: extensions
         ).serialize
 
         signature = credential_key.sign("SHA256", authenticator_data + client_data_hash)

data/lib/webauthn/fake_authenticator/attestation_object.rb

@@ -14,7 +14,8 @@ module WebAuthn
         user_present: true,
         user_verified: false,
         attested_credential_data: true,
-        sign_count: 0
+        sign_count: 0,
+        extensions: nil
       )
         @client_data_hash = client_data_hash
         @rp_id_hash = rp_id_hash
@@ -24,6 +25,7 @@ module WebAuthn
         @user_verified = user_verified
         @attested_credential_data = attested_credential_data
         @sign_count = sign_count
+        @extensions = extensions
       end
 
       def serialize
@@ -44,7 +46,8 @@ module WebAuthn
         :user_present,
         :user_verified,
         :attested_credential_data,
-        :sign_count
+        :sign_count,
+        :extensions
       )
 
       def authenticator_data
@@ -60,7 +63,8 @@ module WebAuthn
               credential: credential_data,
               user_present: user_present,
               user_verified: user_verified,
-              sign_count: 0
+              sign_count: 0,
+              extensions: extensions
             )
           end
       end

data/lib/webauthn/fake_client.rb

@@ -29,7 +29,8 @@ module WebAuthn
       rp_id: nil,
       user_present: true,
       user_verified: false,
-      attested_credential_data: true
+      attested_credential_data: true,
+      extensions: nil
     )
       rp_id ||= URI.parse(origin).host
 
@@ -41,7 +42,8 @@ module WebAuthn
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
-        attested_credential_data: attested_credential_data
+        attested_credential_data: attested_credential_data,
+        extensions: extensions
       )
 
       id =
@@ -58,6 +60,7 @@ module WebAuthn
         "type" => "public-key",
         "id" => internal_encoder.encode(id),
         "rawId" => encoder.encode(id),
+        "clientExtensionResults" => extensions,
         "response" => {
           "attestationObject" => encoder.encode(attestation_object),
           "clientDataJSON" => encoder.encode(client_data_json)
@@ -65,7 +68,12 @@ module WebAuthn
       }
     end
 
-    def get(challenge: fake_challenge, rp_id: nil, user_present: true, user_verified: false, sign_count: nil)
+    def get(challenge: fake_challenge,
+            rp_id: nil,
+            user_present: true,
+            user_verified: false,
+            sign_count: nil,
+            extensions: nil)
       rp_id ||= URI.parse(origin).host
 
       client_data_json = data_json_for(:get, encoder.decode(challenge))
@@ -77,12 +85,14 @@ module WebAuthn
         user_present: user_present,
         user_verified: user_verified,
         sign_count: sign_count,
+        extensions: extensions
       )
 
       {
         "type" => "public-key",
         "id" => internal_encoder.encode(assertion[:credential_id]),
         "rawId" => encoder.encode(assertion[:credential_id]),
+        "clientExtensionResults" => extensions,
         "response" => {
           "clientDataJSON" => encoder.encode(client_data_json),
           "authenticatorData" => encoder.encode(assertion[:authenticator_data]),

data/lib/webauthn/public_key.rb

@@ -1,11 +1,15 @@
 # frozen_string_literal: true
 
-require "webauthn/attestation_statement/fido_u2f/public_key"
-require "cose/key"
 require "cose/algorithm"
+require "cose/error"
+require "cose/key"
+require "cose/rsapkcs1_algorithm"
+require "webauthn/attestation_statement/fido_u2f/public_key"
 
 module WebAuthn
   class PublicKey
+    class UnsupportedAlgorithm < Error; end
+
     def self.deserialize(public_key)
       cose_key =
         if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(public_key)
@@ -45,5 +49,20 @@ module WebAuthn
     def alg
       @cose_key.alg
     end
+
+    def verify(signature, verification_data)
+      cose_algorithm.verify(pkey, signature, verification_data)
+    rescue COSE::Error
+      false
+    end
+
+    private
+
+    def cose_algorithm
+      @cose_algorithm ||= COSE::Algorithm.find(alg) || raise(
+        UnsupportedAlgorithm,
+        "The public key algorithm #{alg} is not among the available COSE algorithms"
+      )
+    end
   end
 end

data/lib/webauthn/public_key_credential.rb

@@ -4,21 +4,23 @@ require "webauthn/encoder"
 
 module WebAuthn
   class PublicKeyCredential
-    attr_reader :type, :id, :raw_id, :response
+    attr_reader :type, :id, :raw_id, :client_extension_outputs, :response
 
     def self.from_client(credential)
       new(
         type: credential["type"],
         id: credential["id"],
         raw_id: WebAuthn.configuration.encoder.decode(credential["rawId"]),
+        client_extension_outputs: credential["clientExtensionResults"],
         response: response_class.from_client(credential["response"])
       )
     end
 
-    def initialize(type:, id:, raw_id:, response:)
+    def initialize(type:, id:, raw_id:, client_extension_outputs: {}, response:)
       @type = type
       @id = id
       @raw_id = raw_id
+      @client_extension_outputs = client_extension_outputs
       @response = response
     end
 
@@ -30,7 +32,11 @@ module WebAuthn
     end
 
     def sign_count
-      response&.authenticator_data&.sign_count
+      authenticator_data&.sign_count
+    end
+
+    def authenticator_extension_outputs
+      authenticator_data.extension_data if authenticator_data&.extension_data_included?
     end
 
     private
@@ -43,6 +49,10 @@ module WebAuthn
       raw_id && id && raw_id == WebAuthn.standard_encoder.decode(id)
     end
 
+    def authenticator_data
+      response&.authenticator_data
+    end
+
     def encoder
       WebAuthn.configuration.encoder
     end

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "2.2.1"
+  VERSION = "2.3.0"
 end

data/webauthn.gemspec

@@ -43,7 +43,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "securecompare", "~> 1.0"
   spec.add_dependency "tpm-key_attestation", "~> 0.9.0"
 
-  spec.add_development_dependency "appraisal", "~> 2.2.0"
+  spec.add_development_dependency "appraisal", "~> 2.3.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.3.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-06-06 00:00:00.000000000 Z
+date: 2020-06-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -143,14 +143,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -314,7 +314,6 @@ files:
 - lib/webauthn/public_key_credential_with_assertion.rb
 - lib/webauthn/public_key_credential_with_attestation.rb
 - lib/webauthn/security_utils.rb
-- lib/webauthn/signature_verifier.rb
 - lib/webauthn/u2f_migrator.rb
 - lib/webauthn/version.rb
 - script/ci/install-openssl

data/lib/webauthn/signature_verifier.rb

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-require "cose"
-require "cose/rsapkcs1_algorithm"
-require "openssl"
-require "webauthn/error"
-
-module WebAuthn
-  class SignatureVerifier
-    class UnsupportedAlgorithm < Error; end
-
-    def initialize(algorithm, public_key)
-      @algorithm = algorithm
-      @public_key = public_key
-
-      validate
-    end
-
-    def verify(signature, verification_data)
-      cose_algorithm.verify(public_key, signature, verification_data)
-    rescue COSE::Error
-      false
-    end
-
-    private
-
-    attr_reader :algorithm, :public_key
-
-    def cose_algorithm
-      case algorithm
-      when COSE::Algorithm::Base
-        algorithm
-      else
-        COSE::Algorithm.find(algorithm)
-      end
-    end
-
-    def validate
-      if !cose_algorithm
-        raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
-      elsif !supported_algorithms.include?(cose_algorithm.name)
-        raise UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}"
-      elsif !cose_algorithm.compatible_key?(public_key)
-        raise("Incompatible algorithm and key")
-      end
-    end
-
-    def supported_algorithms
-      WebAuthn.configuration.algorithms
-    end
-  end
-end