Metadata service support

.gitignore

@@ -13,3 +13,5 @@
 /Gemfile.lock
 /gemfiles/*.gemfile.lock
 .byebug_history
+
+/spec/conformance/metadata.zip

lib/webauthn.rb

@@ -3,5 +3,8 @@
 require "webauthn/configuration"
 require "webauthn/credential_creation_options"
 require "webauthn/credential_request_options"
+require "webauthn/metadata/client"
+require "webauthn/metadata/statement"
+require "webauthn/metadata/table_of_contents"
 require "webauthn/public_key_credential"
 require "webauthn/version"

lib/webauthn/attestation_statement/base.rb

@@ -3,6 +3,7 @@
 require "openssl"
 require "webauthn/authenticator_data/attested_credential_data"
 require "webauthn/error"
+require "webauthn/metadata/store"
 
 module WebAuthn
   module AttestationStatement
@@ -18,6 +19,8 @@ class NotSupportedError < Error; end
 
       AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4"
 
+      attr_reader :metadata_entry, :metadata_statement
+
       def initialize(statement)
         @statement = statement
       end
@@ -67,6 +70,23 @@ def raw_ecdaa_key_id
       def signature
         statement["sig"]
       end
+
+      def metadata_store
+        @metadata_store ||= WebAuthn::Metadata::Store.new
+      end
+
+      def find_metadata(aaguid)
+        @metadata_entry = metadata_store.fetch_entry(aaguid: aaguid)
+        @metadata_statement = metadata_store.fetch_statement(aaguid: aaguid)
+      end
+
+      def build_trust_store(root_certificates)
+        trust_store = OpenSSL::X509::Store.new
+        root_certificates.each do |certificate|
+          trust_store.add_cert(certificate)
+        end
+        trust_store
+      end
     end
   end
 end

lib/webauthn/attestation_statement/fido_u2f.rb

@@ -17,9 +17,27 @@ def valid?(authenticator_data, client_data_hash)
           valid_credential_public_key?(authenticator_data.credential.public_key) &&
           valid_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
           valid_signature?(authenticator_data, client_data_hash) &&
+          certificate_chain_trusted? &&
           [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, [attestation_certificate]]
       end
 
+      def attestation_certificate_key_id
+        return @attestation_certificate_key_id if defined?(@attestation_certificate_key_id)
+
+        @attestation_certificate_key_id = begin
+          extension = attestation_certificate.extensions.detect { |ext| ext.oid == "subjectKeyIdentifier" }
+          return if extension.nil? || extension.critical?
+
+          sequence = OpenSSL::ASN1.decode(extension.to_der)
+          octet_string = sequence.detect do |value|
+            value.tag_class == :UNIVERSAL && value.tag == OpenSSL::ASN1::OCTET_STRING
+          end
+          return unless octet_string
+
+          OpenSSL::ASN1.decode(octet_string.value).value.unpack("H*")[0]
+        end
+      end
+
       private
 
       def valid_format?
@@ -51,6 +69,14 @@ def valid_signature?(authenticator_data, client_data_hash)
           .verify(signature, verification_data(authenticator_data, client_data_hash))
       end
 
+      def certificate_chain_trusted?
+        find_metadata
+        return false unless metadata_statement
+
+        trust_store = build_trust_store(metadata_statement.attestation_root_certificates)
+        trust_store.verify(attestation_certificate, attestation_certificate_chain[1..-1])
+      end
+
       def verification_data(authenticator_data, client_data_hash)
         "\x00" +
           authenticator_data.rp_id_hash +
@@ -62,6 +88,14 @@ def verification_data(authenticator_data, client_data_hash)
       def public_key_u2f(cose_key_data)
         PublicKey.new(cose_key_data)
       end
+
+      def find_metadata
+        key_id = attestation_certificate_key_id
+        return unless key_id
+
+        @metadata_entry = metadata_store.fetch_entry(attestation_certificate_key_id: key_id)
+        @metadata_statement = metadata_store.fetch_statement(attestation_certificate_key_id: key_id)
+      end
     end
   end
 end

lib/webauthn/attestation_statement/packed.rb

@@ -15,11 +15,11 @@ def valid?(authenticator_data, client_data_hash)
 
         valid_format? &&
           valid_algorithm?(authenticator_data.credential) &&
-          valid_certificate_chain? &&
           valid_ec_public_keys?(authenticator_data.credential) &&
           meet_certificate_requirement? &&
           matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
           valid_signature?(authenticator_data, client_data_hash) &&
+          certificate_chain_trusted?(authenticator_data.attested_credential_data.aaguid) &&
           attestation_type_and_trust_path
       end
 
@@ -45,9 +45,13 @@ def check_unsupported_feature
         end
       end
 
-      def valid_certificate_chain?
+      def certificate_chain_trusted?(aaguid)
         if attestation_certificate_chain
-          attestation_certificate_chain[1..-1].all? { |c| certificate_in_use?(c) }
+          find_metadata(aaguid)
+          return false unless metadata_statement
+
+          trust_store = build_trust_store(metadata_statement.attestation_root_certificates)
+          trust_store.verify(attestation_certificate, attestation_certificate_chain[1..-1])
         else
           true
         end
@@ -65,20 +69,13 @@ def meet_certificate_requirement?
           subject = attestation_certificate.subject.to_a
 
           attestation_certificate.version == 2 &&
-            certificate_in_use?(attestation_certificate) &&
             subject.assoc('OU')&.at(1) == "Authenticator Attestation" &&
             attestation_certificate.extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == 'CA:FALSE'
         else
           true
         end
       end
 
-      def certificate_in_use?(certificate)
-        now = Time.now
-
-        certificate.not_before < now && now < certificate.not_after
-      end
-
       def valid_signature?(authenticator_data, client_data_hash)
         signature_verifier = WebAuthn::SignatureVerifier.new(
           algorithm,

lib/webauthn/authenticator_attestation_response.rb

@@ -59,8 +59,10 @@ def aaguid
       end
     end
 
-    def attestation_certificate_key
-      raw_subject_key_identifier(attestation_statement.attestation_certificate)&.unpack("H*")&.[](0)
+    def attestation_certificate_key_id
+      if attestation_statement.respond_to?(:attestation_certificate_key_id)
+        attestation_statement.attestation_certificate_key_id
+      end
     end
 
     private
@@ -79,14 +81,5 @@ def valid_attested_credential?
     def valid_attestation_statement?
       @attestation_type, @attestation_trust_path = attestation_statement.valid?(authenticator_data, client_data.hash)
     end
-
-    def raw_subject_key_identifier(certificate)
-      extension = certificate.extensions.detect { |ext| ext.oid == "subjectKeyIdentifier" }
-      return unless extension
-
-      ext_asn1 = OpenSSL::ASN1.decode(extension.to_der)
-      ext_value = ext_asn1.value.last
-      OpenSSL::ASN1.decode(ext_value.value).value
-    end
   end
 end

lib/webauthn/configuration.rb

@@ -24,6 +24,8 @@ def self.if_pss_supported(algorithm)
     attr_accessor :rp_name
     attr_accessor :verify_attestation_statement
     attr_accessor :credential_options_timeout
+    attr_accessor :metadata_token
+    attr_accessor :cache_backend
 
     def initialize
       @algorithms = DEFAULT_ALGORITHMS.dup

lib/webauthn/metadata/Root.cer

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICQzCCAcigAwIBAgIORqmxkzowRM99NQZJurcwCgYIKoZIzj0EAwMwUzELMAkG
+A1UEBhMCVVMxFjAUBgNVBAoTDUZJRE8gQWxsaWFuY2UxHTAbBgNVBAsTFE1ldGFk
+YXRhIFRPQyBTaWduaW5nMQ0wCwYDVQQDEwRSb290MB4XDTE1MDYxNzAwMDAwMFoX
+DTQ1MDYxNzAwMDAwMFowUzELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUZJRE8gQWxs
+aWFuY2UxHTAbBgNVBAsTFE1ldGFkYXRhIFRPQyBTaWduaW5nMQ0wCwYDVQQDEwRS
+b290MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEFEoo+6jdxg6oUuOloqPjK/nVGyY+
+AXCFz1i5JR4OPeFJs+my143ai0p34EX4R1Xxm9xGi9n8F+RxLjLNPHtlkB3X4ims
+rfIx7QcEImx1cMTgu5zUiwxLX1ookVhIRSoso2MwYTAOBgNVHQ8BAf8EBAMCAQYw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU0qUfC6f2YshA1Ni9udeO0VS7vEYw
+HwYDVR0jBBgwFoAU0qUfC6f2YshA1Ni9udeO0VS7vEYwCgYIKoZIzj0EAwMDaQAw
+ZgIxAKulGbSFkDSZusGjbNkAhAkqTkLWo3GrN5nRBNNk2Q4BlG+AvM5q9wa5WciW
+DcMdeQIxAMOEzOFsxX9Bo0h4LOFE5y5H8bdPFYW+l5gy1tQiJv+5NUyM2IBB55XU
+YjdBz56jSA==
+-----END CERTIFICATE-----

lib/webauthn/metadata/attributes.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module WebAuthn
+  module Metadata
+    module Attributes
+      def underscore_name(name)
+        name
+          .gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+          .gsub(/([a-z\d])([A-Z])/, '\1_\2')
+          .downcase
+          .to_sym
+      end
+      private :underscore_name
+
+      def json_accessor(name, coercer = nil)
+        underscored_name = underscore_name(name)
+        attr_accessor underscored_name
+
+        if coercer
+          define_method(:"#{underscored_name}=") do |value|
+            coerced_value = coercer.coerce(value)
+            instance_variable_set(:"@#{underscored_name}", coerced_value)
+          end
+        end
+      end
+
+      def from_json(hash = {})
+        instance = new
+        hash.each do |k, v|
+          method_name = :"#{underscore_name(k)}="
+          instance.public_send(method_name, v) if instance.respond_to?(method_name)
+        end
+
+        instance
+      end
+    end
+  end
+end

lib/webauthn/metadata/biometric_accuracy_descriptor.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "webauthn/metadata/attributes"
+
+module WebAuthn
+  module Metadata
+    class BiometricAccuracyDescriptor
+      extend Attributes
+
+      json_accessor("selfAttestedFRR")
+      json_accessor("selfAttestedFAR")
+      json_accessor("maxTemplates")
+      json_accessor("maxRetries")
+      json_accessor("blockSlowdown")
+    end
+  end
+end

lib/webauthn/metadata/biometric_status_report.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "webauthn/metadata/attributes"
+require "webauthn/metadata/coercer/date"
+
+module WebAuthn
+  module Metadata
+    class BiometricStatusReport
+      extend Attributes
+
+      json_accessor("certLevel")
+      json_accessor("modality")
+      json_accessor("effectiveDate", Coercer::Date)
+      json_accessor("certificationDescriptor")
+      json_accessor("certificateNumber")
+      json_accessor("certificationPolicyVersion")
+      json_accessor("certificationRequirementsVersion")
+    end
+  end
+end