class WebAuthn::AttestationStatement::Packed
Public Instance Methods
valid?(authenticator_data, client_data_hash)
Follows the “Verification procedure” defined for the packed attestation statement format.
# File lib/webauthn/attestation_statement/packed.rb, line 11 def valid?(authenticator_data, client_data_hash) valid_format? && valid_algorithm?(authenticator_data.credential) && valid_ec_public_keys?(authenticator_data.credential) && meet_certificate_requirement? && matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) && valid_signature?(authenticator_data, client_data_hash) && trustworthy?(aaguid: authenticator_data.aaguid) && [attestation_type, attestation_trust_path] end
Private Instance Methods
attestation_type()
# File lib/webauthn/attestation_statement/packed.rb, line 55
# Names the attestation type implied by the presence of a trust path.
#
# The type is derived only from whether attestation_trust_path is truthy;
# Basic and AttCA attestation are not told apart here.
#
# @return the ATTESTATION_TYPE_SELF constant when there is no trust path,
#   the ATTESTATION_TYPE_BASIC_OR_ATTCA constant otherwise
def attestation_type
  return WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF unless attestation_trust_path

  # FIXME: use metadata if available
  WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA
end
meet_certificate_requirement?()
Checks the packed attestation certificate requirements; see https://www.w3.org/TR/2018/CR-webauthn-20180807/#packed-attestation-cert-requirements
# File lib/webauthn/attestation_statement/packed.rb, line 43
# Checks the attestation certificate against three of the packed attestation
# certificate requirements: version, subject OU and basicConstraints.
#
# NOTE(review): the linked spec section also requires Subject C, O and CN to
# be set and describes an AAGUID extension; none of those are checked in this
# method. This method does not validate the certificate chain or signature.
#
# @return [Boolean] true when there is no attestation certificate, or when
#   the certificate passes all three checks
def meet_certificate_requirement?
  # Without a certificate there is nothing to inspect, so the requirement is
  # treated as met.
  return true unless attestation_certificate

  subject_fields = attestation_certificate.subject.to_a

  # X.509 version 3 is encoded as the integer 2.
  return false unless attestation_certificate.version == 2
  return false unless subject_fields.assoc('OU')&.at(1) == "Authenticator Attestation"

  # A missing basicConstraints extension yields nil here and fails the check.
  basic_constraints = attestation_certificate.extensions.find do |extension|
    extension.oid == 'basicConstraints'
  end
  basic_constraints&.value == 'CA:FALSE'
end
self_attestation?()
# File lib/webauthn/attestation_statement/packed.rb, line 28
# Reports whether the statement carries no certificates.
#
# NOTE(review): an empty Array is truthy in Ruby, so if raw_certificates can
# be `[]` this returns false and valid_algorithm? skips its comparison -
# confirm how raw_certificates is populated.
#
# @return [Boolean] true when raw_certificates is nil or false
def self_attestation?
  raw_certificates ? false : true
end
valid_algorithm?(credential)
# File lib/webauthn/attestation_statement/packed.rb, line 24
# For self attestation, requires the statement's algorithm to equal the alg
# of the credential public key; otherwise performs no comparison.
#
# @param credential object whose public_key is deserialized as a COSE key
# @return [Boolean] true when this is not self attestation, else the result
#   of comparing algorithm with the credential key's alg
def valid_algorithm?(credential)
  # When certificates are present the algorithm is not compared here.
  return true unless self_attestation?

  credential_key = COSE::Key.deserialize(credential.public_key)
  algorithm == credential_key.alg
end
valid_ec_public_keys?(credential)
# File lib/webauthn/attestation_statement/packed.rb, line 36
# Runs OpenSSL's check_key on every EC public key under consideration.
#
# The keys considered are the certificates' public keys when certificates is
# non-nil, otherwise only the credential's public key object. Keys that are
# not OpenSSL::PKey::EC are skipped, so a set with no EC keys passes.
#
# NOTE(review): OpenSSL::PKey::EC#check_key is documented to raise on an
# invalid key rather than return false, so a bad key may surface as an
# exception from this predicate - confirm callers handle that.
#
# @param credential object providing public_key_object as the fallback key
# @return [Boolean] true when every EC key passes check_key
def valid_ec_public_keys?(credential)
  candidate_keys = certificates&.map(&:public_key) || [credential.public_key_object]
  ec_keys = candidate_keys.grep(OpenSSL::PKey::EC)
  ec_keys.all?(&:check_key)
end
valid_format?()
# File lib/webauthn/attestation_statement/packed.rb, line 32
# Checks that both an algorithm and a signature are present.
#
# Only presence is tested; the values themselves are not inspected here.
#
# @return the signature when algorithm is truthy (so the result is falsy if
#   the signature is missing), otherwise the falsy algorithm value
def valid_format?
  declared_algorithm = algorithm
  return declared_algorithm unless declared_algorithm

  signature
end
valid_signature?(authenticator_data, client_data_hash)
Calls superclass method
WebAuthn::AttestationStatement::Base#valid_signature?
# File lib/webauthn/attestation_statement/packed.rb, line 63
# Delegates signature verification to the superclass, choosing the key to
# verify with.
#
# The attestation certificate's public key is used when a certificate is
# present; otherwise the credential's own public key object is used. This
# method itself does not validate the certificate; it only selects the key.
#
# @param authenticator_data forwarded to super; also supplies the fallback
#   key through credential.public_key_object
# @param client_data_hash forwarded to super unchanged
# @return whatever WebAuthn::AttestationStatement::Base#valid_signature? returns
def valid_signature?(authenticator_data, client_data_hash)
  verification_key =
    attestation_certificate&.public_key || authenticator_data.credential.public_key_object

  super(authenticator_data, client_data_hash, verification_key)
end