class WebAuthn::AttestationStatement::TPM

Constants

COSE_ALG_TO_TPM
TPM_V2

Public Instance Methods

# File lib/webauthn/attestation_statement/tpm.rb, line 20
# Verifies a TPM-format attestation statement against the authenticator data
# and the client data hash of the ceremony.
#
# All of the following must hold, in this order (the chain short-circuits and
# returns the first falsy result, so a failing check yields false or nil):
#   * the statement carries certificates (#attestation_type raises otherwise),
#   * the statement's "ver" member equals TPM_V2,
#   * the TPM certInfo/pubArea/signature attest the credential's public key
#     over authenticator data || client data hash (#valid_key_attestation?),
#   * the raw AAGUID in the attested credential data matches (#matching_aaguid?),
#   * the attestation is trustworthy for that AAGUID (#trustworthy?; presumably
#     the root-of-trust policy check — confirm in the including module).
#
# @param authenticator_data [#data, #credential, #aaguid, #attested_credential_data]
# @param client_data_hash [String] binary hash of the client data, appended to
#   the raw authenticator data to form the TPM "extraData" to be certified
# @return [Array, false, nil] `[attestation type, attestation trust path]` when
#   every check passes; a falsy value otherwise
# @raise [RuntimeError] from #attestation_type when no certificates are present
def valid?(authenticator_data, client_data_hash)
  passed =
    attestation_type == ATTESTATION_TYPE_ATTCA &&
    ver == TPM_V2 &&
    valid_key_attestation?(
      authenticator_data.data + client_data_hash,
      authenticator_data.credential.public_key_object,
      authenticator_data.aaguid
    ) &&
    matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
    trustworthy?(aaguid: authenticator_data.aaguid)

  passed && [attestation_type, attestation_trust_path]
end

Private Instance Methods

# File lib/webauthn/attestation_statement/tpm.rb, line 72
# The attestation type this statement supports.
#
# A TPM statement is only ever AttCA: the key attestation must be backed by a
# certificate chain, so a statement without certificates is rejected outright
# rather than treated as self- or no-attestation.
#
# @return [String] ATTESTATION_TYPE_ATTCA
# @raise [RuntimeError] "Attestation type invalid" when #raw_certificates is falsy
def attestation_type
  raise "Attestation type invalid" unless raw_certificates

  ATTESTATION_TYPE_ATTCA
end
# File lib/webauthn/attestation_statement/tpm.rb, line 68
# The COSE algorithm object for the statement's "alg" member, looked up once
# and cached on the instance.
#
# Only a truthy lookup result is cached: if COSE::Algorithm.find returns nil,
# the lookup is repeated on the next call.
#
# @return [COSE::Algorithm, nil] whatever COSE::Algorithm.find returns for #algorithm
def cose_algorithm
  @cose_algorithm || (@cose_algorithm = COSE::Algorithm.find(algorithm))
end
# File lib/webauthn/attestation_statement/tpm.rb, line 56
# Root certificates trusted for TPM key attestation when the caller supplies
# none of its own: the set bundled with the tpm-key_attestation gem.
#
# @return [Array] ::TPM::KeyAttestation::ROOT_CERTIFICATES, returned as-is
def default_root_certificates
  ::TPM::KeyAttestation::ROOT_CERTIFICATES
end
# File lib/webauthn/attestation_statement/tpm.rb, line 60
# Maps the statement's COSE algorithm onto the TPM signature/hash algorithm
# pair used to verify certInfo.
#
# @return [Hash] the COSE_ALG_TO_TPM entry for the algorithm name; callers read
#   its :signature and :hash keys
# @raise [RuntimeError] "Unsupported algorithm <name>" when the name has no mapping
def tpm_algorithm
  algorithm_name = cose_algorithm.name
  COSE_ALG_TO_TPM[algorithm_name] || raise("Unsupported algorithm #{algorithm_name}")
end
# File lib/webauthn/attestation_statement/tpm.rb, line 51
# Certificate-chain hook of the shared attestation flow.
#
# For the TPM format the chain is validated by ::TPM::KeyAttestation inside
# #valid_key_attestation?, so this hook has nothing left to check and accepts
# any keyword arguments the generic flow passes in.
#
# @return [true]
def valid_certificate_chain?(**_)
  # Chain validation is delegated to ::TPM::KeyAttestation (#valid_key_attestation?).
  true
end
# File lib/webauthn/attestation_statement/tpm.rb, line 35
# Verifies the TPM key attestation and binds it to the credential's public key.
#
# The statement's certInfo, signature and pubArea are handed to
# ::TPM::KeyAttestation together with the certificate chain, the digest of the
# data to be certified (hashed with the COSE algorithm's hash function) and the
# trusted roots for this AAGUID. Passing ::TPM::KeyAttestation#valid? alone is
# not enough: the key the TPM attested must be the very key recorded in the
# authenticator data, which is what the final PEM comparison enforces.
#
# @param certified_extra_data [String] authenticator data || client data hash
# @param key [#to_pem] the credential public key from the authenticator data
# @param aaguid [String] AAGUID used to select #root_certificates
# @return [Boolean, nil] truthy only when the attestation verifies and the
#   attested key's PEM equals the credential key's PEM
def valid_key_attestation?(certified_extra_data, key, aaguid)
  cert_info = statement["certInfo"]
  pub_area = statement["pubArea"]
  extra_data_digest = OpenSSL::Digest.digest(cose_algorithm.hash_function, certified_extra_data)
  algorithms = tpm_algorithm

  attestation =
    ::TPM::KeyAttestation.new(
      cert_info,
      signature,
      pub_area,
      certificates,
      extra_data_digest,
      signature_algorithm: algorithms[:signature],
      hash_algorithm: algorithms[:hash],
      root_certificates: root_certificates(aaguid: aaguid)
    )

  # Key-binding check: the TPM-attested key must equal the credential key.
  attestation.valid? && attestation.key && attestation.key.to_pem == key.to_pem
end
# File lib/webauthn/attestation_statement/tpm.rb, line 64
# The "ver" member of the attestation statement, compared against TPM_V2 by
# #valid?.
#
# @return [String, nil] the raw value, or nil when the member is absent
def ver
  statement["ver"]
end