webauthn 2.5.2 → 3.0.0.alpha1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f07d44a7778995c6bd2531b26f61e8974ba6ccc8dcf5ff1f21886f353423d598
-  data.tar.gz: ecb287679447b3074065f2b06cb0f38b20c9a94114ed2b592d93e99874dfda1a
+  metadata.gz: 1f418eb52a085d8e7c03bd1c3d11b88ed8fe467f4ec01d3178836689d470f436
+  data.tar.gz: 4ab67e8804cbd7d785e29b94760af6db9d6b1e52de1a58bafc74aed19b5b7e21
 SHA512:
-  metadata.gz: 98811fdbdb15cd80defb95a75de555a3775864bb1c1f1ac94af4a605af2fa3acf7908d91a120b5c3e214af890469d5f2194e5e037a9f8a40b03935159be6a1f1
-  data.tar.gz: 8d90a9d37fb83a0ecf5e0c29e8f5154a0ee2170da994238b55fcc4042cb84f6b7fb4e09386e704a2d83f363ef0864fb1fa60c913eea3ae2754e5189435302570
+  metadata.gz: ccdcd22e494079eb67c122c03e3061166f91de50dd0c2bf8662748c976483a9d472fa9f8d6b67db9abf484e8eac182195b5f1e1cca8aaaf88146d831919f1c93
+  data.tar.gz: b2506b530c796ee57e5d037e7dd3692b1e359408fd9757141b6c4f042c43d57344baa09dc63d17ace549927eeea50abaa8c0771a0ab6da0ece5d880362d890db

data/.rubocop.yml

@@ -1,6 +1,5 @@
 require:
   - rubocop-rspec
-  - rubocop-rake
 
 inherit_mode:
   merge:
@@ -9,7 +8,6 @@ inherit_mode:
 AllCops:
   TargetRubyVersion: 2.4
   DisabledByDefault: true
-  NewCops: disable
   Exclude:
     - "gemfiles/**/*"
     - "vendor/**/*"
@@ -26,12 +24,6 @@ Layout:
 Layout/ClassStructure:
   Enabled: true
 
-Layout/EmptyLineBetweenDefs:
-  AllowAdjacentOneLineDefs: true
-
-Layout/EmptyLinesAroundAttributeAccessor:
-  Enabled: true
-
 Layout/FirstMethodArgumentLineBreak:
   Enabled: true
 
@@ -46,60 +38,12 @@ Layout/MultilineAssignmentLayout:
 Layout/MultilineMethodArgumentLineBreaks:
   Enabled: true
 
-Layout/SpaceAroundMethodCallOperator:
-  Enabled: true
-
 Lint:
   Enabled: true
 
-Lint/DeprecatedOpenSSLConstant:
-  Enabled: true
-
-Lint/MixedRegexpCaptureTypes:
-  Enabled: true
-
-Lint/RaiseException:
-  Enabled: true
-
-Lint/StructNewOverride:
-  Enabled: true
-
-Lint/BinaryOperatorWithIdenticalOperands:
-  Enabled: true
-
-Lint/DuplicateElsifCondition:
-  Enabled: true
-
-Lint/DuplicateRescueException:
-  Enabled: true
-
-Lint/EmptyConditionalBody:
-  Enabled: true
-
-Lint/FloatComparison:
-  Enabled: true
-
-Lint/MissingSuper:
-  Enabled: true
-
-Lint/OutOfRangeRegexpRef:
-  Enabled: true
-
-Lint/SelfAssignment:
-  Enabled: true
-
-Lint/TopLevelReturnWithArgument:
-  Enabled: true
-
-Lint/UnreachableLoop:
-  Enabled: true
-
 Naming:
   Enabled: true
 
-Naming/VariableNumber:
-  Enabled: false
-
 RSpec/Be:
   Enabled: true
 

data/.travis.yml

@@ -0,0 +1,39 @@
+dist: bionic
+language: ruby
+
+cache:
+  bundler: true
+  directories:
+    - /home/travis/.rvm/
+
+env:
+  - LIBSSL=1.1 RB=2.7.1
+  - LIBSSL=1.1 RB=2.6.6
+  - LIBSSL=1.1 RB=2.5.8
+  - LIBSSL=1.1 RB=2.4.10
+  - LIBSSL=1.1 RB=ruby-head
+  - LIBSSL=1.0 RB=2.7.1
+  - LIBSSL=1.0 RB=2.6.6
+  - LIBSSL=1.0 RB=2.5.8
+  - LIBSSL=1.0 RB=2.4.10
+  - LIBSSL=1.0 RB=ruby-head
+
+gemfile:
+  - gemfiles/cose_head.gemfile
+  - gemfiles/openssl_head.gemfile
+  - gemfiles/openssl_2_2.gemfile
+  - gemfiles/openssl_2_1.gemfile
+  - gemfiles/openssl_2_0.gemfile
+
+matrix:
+  fast_finish: true
+  allow_failures:
+    - env: LIBSSL=1.1 RB=ruby-head
+    - env: LIBSSL=1.0 RB=ruby-head
+    - gemfile: gemfiles/cose_head.gemfile
+    - gemfile: gemfiles/openssl_head.gemfile
+
+before_install:
+  - ./script/ci/install-openssl
+  - ./script/ci/install-ruby
+  - gem install bundler -v "~> 2.0"

data/Appraisals

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+appraise "cose_head" do
+  gem "cose", git: "https://github.com/cedarcode/cose-ruby"
+end
+
+appraise "openssl_head" do
+  gem "openssl", git: "https://github.com/ruby/openssl"
+end
+
+appraise "openssl_2_2" do
+  gem "openssl", "~> 2.2.0"
+end
+
+appraise "openssl_2_1" do
+  gem "openssl", "~> 2.1.0"
+end
+
+appraise "openssl_2_0" do
+  gem "openssl", "~> 2.0.0"
+end

data/CHANGELOG.md

@@ -6,46 +6,6 @@
 
 - Ability to define multiple relying parties with the introduction of the `WebAuthn::RelyingParty` class ([@padulafacundo], [@brauliomartinezlm])
 
-## [v2.5.1] - 2022-07-13
-
-### Added
-
-- Updated dependencies to make the gem compatible with openssl-3 [@ClearlyClaire]
-
-## [v2.5.1] - 2022-03-20
-
-### Added
-
-- Updated openssl support to be ~>2.2 [@bdewater]
-
-### Removed
-
-- Removed dependency [secure_compare dependency] (https://rubygems.org/gems/secure_compare/versions/0.0.1) and use OpenSSL#secure_compare instead [@bdewater]
-
-## [v2.5.0] - 2021-03-14
-
-### Added
-
-- Support 'apple' attestation statement format ([#343](https://github.com/cedarcode/webauthn-ruby/pull/343) / [@juanarias93], [@santiagorodriguez96])
-- Allow specifying an array of ids as `allow_credentials:` for `FakeClient#get` method ([#335](https://github.com/cedarcode/webauthn-ruby/pull/335) / [@kingjan1999])
-
-### Removed
-
-- No longer accept "removed from the WebAuthn spec" options `rp: { icon: }` and `user: { icon: }` for `WebAuthn::Credential.options_for_create` method ([#326](https://github.com/cedarcode/webauthn-ruby/pull/326) / [@santiagorodriguez96])
-
-## [v2.4.1] - 2021-02-15
-
-### Fixed
-
-- Fix verification of new credential if no attestation provided and 'None' type is not among configured `acceptable_attestation_types`. I.e. reject it instead of letting it go through.
-
-## [v2.4.0] - 2020-09-03
-
-### Added
-
-- Support for ES256K credentials
-- `FakeClient#get` accepts `user_handle:` keyword argument ([@lgarron])
-
 ## [v2.3.0] - 2020-06-27
 
 ### Added
@@ -341,11 +301,6 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 - Works with ruby 2.5
 
 [v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha1/
-[v2.5.2]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.0...v2.5.2/
-[v2.5.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.0...v2.5.1/
-[v2.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.1...v2.5.0/
-[v2.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.0...v2.4.1/
-[v2.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v2.4.0/
 [v2.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.1...v2.3.0/
 [v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
 [v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
@@ -382,9 +337,3 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [@ssuttner]: https://github.com/ssuttner
 [@padulafacundo]: https://github.com/padulafacundo
 [@santiagorodriguez96]: https://github.com/santiagorodriguez96
-[@lgarron]: https://github.com/lgarron
-[@juanarias93]: https://github.com/juanarias93
-[@kingjan1999]: https://github.com/@kingjan1999
-[@jdongelmans]: https://github.com/jdongelmans
-[@petergoldstein]: https://github.com/petergoldstein
-[@ClearlyClaire]: https://github.com/ClearlyClaire

data/README.md

@@ -6,7 +6,7 @@ For the current release version see https://github.com/cedarcode/webauthn-ruby/b
 ![banner](assets/webauthn-ruby.png)
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.com/cedarcode/webauthn-ruby)
+[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.org/cedarcode/webauthn-ruby)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 [![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
@@ -96,8 +96,6 @@ If you are migrating an existing application from the legacy FIDO U2F JavaScript
 
 ### Configuration
 
-If you have a multi-tenant application or just need to configure WebAuthn differently for separate parts of your application (e.g. if your users authenticate to different subdomains in the same application), we strongly recommend you look at this [Advanced Configuration](docs/advanced_configuration.md) section instead of this.
-
 For a Rails application this would go in `config/initializers/webauthn.rb`.
 
 ```ruby
@@ -410,7 +408,7 @@ credential.authenticator_extension_outputs
 
 ## Attestation
 
-### Attestation Statement Formats
+### Attestation Statement Format
 
 | Attestation Statement Format | Supported? |
 | -------- | :--------: |
@@ -419,7 +417,6 @@ credential.authenticator_extension_outputs
 | tpm (x5c attestation) | Yes |
 | android-key | Yes |
 | android-safetynet | Yes |
-| apple | Yes |
 | fido-u2f | Yes |
 | none | Yes |
 

data/SECURITY.md

@@ -4,12 +4,9 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.5.z    | :white_check_mark: |
-| 2.4.z    | :white_check_mark: |
-| 2.3.z    | :white_check_mark: |
-| 2.2.z    | :x: |
-| 2.1.z    | :x: |
-| 2.0.z    | :x: |
+| 2.2.z    | :white_check_mark: |
+| 2.1.z    | :white_check_mark: |
+| 2.0.z    | :white_check_mark: |
 | 1.18.z   | :white_check_mark: |
 | < 1.18   | :x:                |
 

data/docs/u2f_migration.md

@@ -82,7 +82,7 @@ During authentication verification phase, you must pass either the original AppI
 
 ```ruby
 assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
-  user_handle: params[:response][:userHandle],
+  credential_id: params[:id],
   authenticator_data: params[:response][:authenticatorData],
   client_data_json: params[:response][:clientDataJSON],
   signature: params[:response][:signature],
@@ -90,8 +90,7 @@ assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
 
 assertion_response.verify(
   expected_challenge,
-  public_key: credential.public_key,
-  sign_count: credential.count,
+  allowed_credentials: [credential],
   rp_id: params[:clientExtensionResults][:appid] ? domain.to_s : domain.host,
 )
 ```

data/gemfiles/cose_head.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "cose", git: "https://github.com/cedarcode/cose-ruby"
+
+gemspec path: "../"

data/gemfiles/openssl_2_0.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", "~> 2.0.0"
+
+gemspec path: "../"

data/gemfiles/openssl_2_1.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", "~> 2.1.0"
+
+gemspec path: "../"

data/gemfiles/openssl_2_2.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", "~> 2.2.0"
+
+gemspec path: "../"

data/gemfiles/openssl_head.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", git: "https://github.com/ruby/openssl"
+
+gemspec path: "../"

data/lib/cose/rsapkcs1_algorithm.rb

@@ -40,11 +40,4 @@ end
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-257, "RS256", hash_function: "SHA256"))
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-258, "RS384", hash_function: "SHA384"))
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-259, "RS512", hash_function: "SHA512"))
-
-# Patch openssl-signature_algorithm gem to support discouraged/deprecated RSA-PKCS#1 with SHA-1
-# (RS1 in JOSE/COSE terminology) algorithm needed for WebAuthn.
-OpenSSL::SignatureAlgorithm::RSAPKCS1.const_set(
-  :ACCEPTED_HASH_FUNCTIONS,
-  OpenSSL::SignatureAlgorithm::RSAPKCS1::ACCEPTED_HASH_FUNCTIONS + ["SHA1"]
-)
 COSE::Algorithm.register(RSAPKCS1Algorithm.new(-65535, "RS1", hash_function: "SHA1"))

data/lib/webauthn/attestation_object.rb

@@ -10,18 +10,22 @@ module WebAuthn
   class AttestationObject
     extend Forwardable
 
-    def self.deserialize(attestation_object)
-      from_map(CBOR.decode(attestation_object))
+    def self.deserialize(attestation_object, relying_party)
+      from_map(CBOR.decode(attestation_object), relying_party)
     end
 
-    def self.from_map(map)
+    def self.from_map(map, relying_party)
       new(
         authenticator_data: WebAuthn::AuthenticatorData.deserialize(map["authData"]),
-        attestation_statement: WebAuthn::AttestationStatement.from(map["fmt"], map["attStmt"])
+        attestation_statement: WebAuthn::AttestationStatement.from(
+          map["fmt"],
+          map["attStmt"],
+          relying_party: relying_party
+        )
       )
     end
 
-    attr_reader :authenticator_data, :attestation_statement
+    attr_reader :authenticator_data, :attestation_statement, :relying_party
 
     def initialize(authenticator_data:, attestation_statement:)
       @authenticator_data = authenticator_data

data/lib/webauthn/attestation_statement/android_key.rb

@@ -20,6 +20,10 @@ module WebAuthn
 
       private
 
+      def matching_public_key?(authenticator_data)
+        attestation_certificate.public_key.to_der == authenticator_data.credential.public_key_object.to_der
+      end
+
       def valid_attestation_challenge?(client_data_hash)
         android_key_attestation.verify_challenge(client_data_hash)
       rescue AndroidKeyAttestation::ChallengeMismatchError

data/lib/webauthn/attestation_statement/android_safetynet.rb

@@ -16,6 +16,10 @@ module WebAuthn
           [attestation_type, attestation_trust_path]
       end
 
+      def attestation_certificate
+        attestation_trust_path.first
+      end
+
       private
 
       def valid_response?(authenticator_data, client_data_hash)
@@ -48,7 +52,7 @@ module WebAuthn
       end
 
       # SafetyNetAttestation returns full chain including root, WebAuthn expects only the x5c certificates
-      def certificates
+      def attestation_trust_path
         attestation_response.certificate_chain[0..-2]
       end
 

data/lib/webauthn/attestation_statement/base.rb

@@ -16,20 +16,19 @@ module WebAuthn
     ATTESTATION_TYPE_SELF = "Self"
     ATTESTATION_TYPE_ATTCA = "AttCA"
     ATTESTATION_TYPE_BASIC_OR_ATTCA = "Basic_or_AttCA"
-    ATTESTATION_TYPE_ANONCA = "AnonCA"
 
     ATTESTATION_TYPES_WITH_ROOT = [
       ATTESTATION_TYPE_BASIC,
       ATTESTATION_TYPE_BASIC_OR_ATTCA,
-      ATTESTATION_TYPE_ATTCA,
-      ATTESTATION_TYPE_ANONCA
+      ATTESTATION_TYPE_ATTCA
     ].freeze
 
     class Base
       AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4"
 
-      def initialize(statement)
+      def initialize(statement, relying_party = WebAuthn.configuration.relying_party)
         @statement = statement
+        @relying_party = relying_party
       end
 
       def valid?(_authenticator_data, _client_data_hash)
@@ -44,28 +43,32 @@ module WebAuthn
         certificates&.first
       end
 
+      def certificate_chain
+        if certificates
+          certificates[1..-1]
+        end
+      end
+
       def attestation_certificate_key_id
-        attestation_certificate.subject_key_identifier&.unpack("H*")&.[](0)
+        raw_subject_key_identifier&.unpack("H*")&.[](0)
       end
 
       private
 
-      attr_reader :statement
+      attr_reader :statement, :relying_party
 
       def matching_aaguid?(attested_credential_data_aaguid)
-        extension = attestation_certificate&.find_extension(AAGUID_EXTENSION_OID)
+        extension = attestation_certificate&.extensions&.detect { |ext| ext.oid == AAGUID_EXTENSION_OID }
         if extension
-          aaguid_value = OpenSSL::ASN1.decode(extension.value_der).value
-          aaguid_value == attested_credential_data_aaguid
+          # `extension.value` mangles data into ASCII, so we must manually compare bytes
+          # see https://github.com/ruby/openssl/pull/234
+          extension.to_der[-WebAuthn::AuthenticatorData::AttestedCredentialData::AAGUID_LENGTH..-1] ==
+            attested_credential_data_aaguid
         else
           true
         end
       end
 
-      def matching_public_key?(authenticator_data)
-        attestation_certificate.public_key.to_der == authenticator_data.credential.public_key_object.to_der
-      end
-
       def certificates
         @certificates ||=
           raw_certificates&.map do |raw_certificate|
@@ -93,10 +96,10 @@ module WebAuthn
 
       def trustworthy?(aaguid: nil, attestation_certificate_key_id: nil)
         if ATTESTATION_TYPES_WITH_ROOT.include?(attestation_type)
-          configuration.acceptable_attestation_types.include?(attestation_type) &&
+          relying_party.acceptable_attestation_types.include?(attestation_type) &&
             valid_certificate_chain?(aaguid: aaguid, attestation_certificate_key_id: attestation_certificate_key_id)
         else
-          configuration.acceptable_attestation_types.include?(attestation_type)
+          relying_party.acceptable_attestation_types.include?(attestation_type)
         end
       end
 
@@ -120,7 +123,7 @@ module WebAuthn
 
       def root_certificates(aaguid: nil, attestation_certificate_key_id: nil)
         root_certificates =
-          configuration.attestation_root_certificates_finders.reduce([]) do |certs, finder|
+          relying_party.attestation_root_certificates_finders.reduce([]) do |certs, finder|
             if certs.empty?
               finder.find(
                 attestation_format: format,
@@ -139,6 +142,15 @@ module WebAuthn
         end
       end
 
+      def raw_subject_key_identifier
+        extension = attestation_certificate.extensions.detect { |ext| ext.oid == "subjectKeyIdentifier" }
+        return unless extension
+
+        ext_asn1 = OpenSSL::ASN1.decode(extension.to_der)
+        ext_value = ext_asn1.value.last
+        OpenSSL::ASN1.decode(ext_value.value).value
+      end
+
       def valid_signature?(authenticator_data, client_data_hash, public_key = attestation_certificate.public_key)
         raise("Incompatible algorithm and key") unless cose_algorithm.compatible_key?(public_key)
 
@@ -158,14 +170,10 @@ module WebAuthn
       def cose_algorithm
         @cose_algorithm ||=
           COSE::Algorithm.find(algorithm).tap do |alg|
-            alg && configuration.algorithms.include?(alg.name) ||
+            alg && relying_party.algorithms.include?(alg.name) ||
               raise(UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}")
           end
       end
-
-      def configuration
-        WebAuthn.configuration
-      end
     end
   end
 end

data/lib/webauthn/attestation_statement/none.rb

@@ -6,18 +6,12 @@ module WebAuthn
   module AttestationStatement
     class None < Base
       def valid?(*_args)
-        if statement == {} && trustworthy?
+        if statement == {}
           [WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE, nil]
         else
           false
         end
       end
-
-      private
-
-      def attestation_type
-        WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE
-      end
     end
   end
 end

data/lib/webauthn/attestation_statement/packed.rb

@@ -46,7 +46,7 @@ module WebAuthn
 
           attestation_certificate.version == 2 &&
             subject.assoc('OU')&.at(1) == "Authenticator Attestation" &&
-            attestation_certificate.find_extension('basicConstraints')&.value == 'CA:FALSE'
+            attestation_certificate.extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == 'CA:FALSE'
         else
           true
         end

data/lib/webauthn/attestation_statement/tpm.rb

@@ -42,7 +42,7 @@ module WebAuthn
             OpenSSL::Digest.digest(cose_algorithm.hash_function, certified_extra_data),
             signature_algorithm: tpm_algorithm[:signature],
             hash_algorithm: tpm_algorithm[:hash],
-            trusted_certificates: root_certificates(aaguid: aaguid)
+            root_certificates: root_certificates(aaguid: aaguid)
           )
 
         key_attestation.valid? && key_attestation.key && key_attestation.key.to_pem == key.to_pem
@@ -54,7 +54,7 @@ module WebAuthn
       end
 
       def default_root_certificates
-        ::TPM::KeyAttestation::TRUSTED_CERTIFICATES
+        ::TPM::KeyAttestation::ROOT_CERTIFICATES
       end
 
       def tpm_algorithm

data/lib/webauthn/attestation_statement.rb

@@ -2,7 +2,6 @@
 
 require "webauthn/attestation_statement/android_key"
 require "webauthn/attestation_statement/android_safetynet"
-require "webauthn/attestation_statement/apple"
 require "webauthn/attestation_statement/fido_u2f"
 require "webauthn/attestation_statement/none"
 require "webauthn/attestation_statement/packed"
@@ -19,7 +18,6 @@ module WebAuthn
     ATTESTATION_FORMAT_ANDROID_SAFETYNET = "android-safetynet"
     ATTESTATION_FORMAT_ANDROID_KEY = "android-key"
     ATTESTATION_FORMAT_TPM = "tpm"
-    ATTESTATION_FORMAT_APPLE = "apple"
 
     FORMAT_TO_CLASS = {
       ATTESTATION_FORMAT_NONE => WebAuthn::AttestationStatement::None,
@@ -27,15 +25,14 @@ module WebAuthn
       ATTESTATION_FORMAT_PACKED => WebAuthn::AttestationStatement::Packed,
       ATTESTATION_FORMAT_ANDROID_SAFETYNET => WebAuthn::AttestationStatement::AndroidSafetynet,
       ATTESTATION_FORMAT_ANDROID_KEY => WebAuthn::AttestationStatement::AndroidKey,
-      ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM,
-      ATTESTATION_FORMAT_APPLE => WebAuthn::AttestationStatement::Apple
+      ATTESTATION_FORMAT_TPM => WebAuthn::AttestationStatement::TPM
     }.freeze
 
-    def self.from(format, statement)
+    def self.from(format, statement, relying_party: WebAuthn.configuration.relying_party)
       klass = FORMAT_TO_CLASS[format]
 
       if klass
-        klass.new(statement)
+        klass.new(statement, relying_party)
       else
         raise(FormatNotSupportedError, "Unsupported attestation format '#{format}'")
       end

data/lib/webauthn/authenticator_assertion_response.rb

@@ -10,8 +10,8 @@ module WebAuthn
   class SignCountVerificationError < VerificationError; end
 
   class AuthenticatorAssertionResponse < AuthenticatorResponse
-    def self.from_client(response)
-      encoder = WebAuthn.configuration.encoder
+    def self.from_client(response, relying_party: WebAuthn.configuration.relying_party)
+      encoder = relying_party.encoder
 
       user_handle =
         if response["userHandle"]
@@ -22,7 +22,8 @@ module WebAuthn
         authenticator_data: encoder.decode(response["authenticatorData"]),
         client_data_json: encoder.decode(response["clientDataJSON"]),
         signature: encoder.decode(response["signature"]),
-        user_handle: user_handle
+        user_handle: user_handle,
+        relying_party: relying_party
       )
     end