class WebAuthn::AttestationStatement::Packed

Public Instance Methods

valid?(authenticator_data, client_data_hash)

Follows the packed attestation “Verification procedure” of the WebAuthn specification: each step is a predicate, and the `&&` chain stops at the first failing check.

# File lib/webauthn/attestation_statement/packed.rb, line 11
# Verifies a "packed" attestation statement against the authenticator data
# and the client data hash, following the packed attestation "Verification
# procedure" of the WebAuthn spec.
#
# The checks form one `&&` chain, so they run in order and the first failing
# predicate ends verification (the chain evaluates to that predicate's falsy
# value). The order matters: the EC public keys that will later verify the
# signature are validated by `valid_ec_public_keys?` before `valid_signature?`
# uses them, and the certificate requirements and AAGUID match are checked
# before the signature. `matching_aaguid?` and `trustworthy?` are defined
# outside this listing.
#
# authenticator_data - parsed authenticator data; `credential`,
#   `attested_credential_data.raw_aaguid` and `aaguid` are read from it.
# client_data_hash   - hash of the client data, signed together with the
#   authenticator data.
#
# Returns `[attestation_type, attestation_trust_path]` when every check
# passes; otherwise a falsy value.
def valid?(authenticator_data, client_data_hash)
  valid_format? &&
    valid_algorithm?(authenticator_data.credential) &&
    valid_ec_public_keys?(authenticator_data.credential) &&
    meet_certificate_requirement? &&
    matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
    # NOTE(review): `algorithm` comes from the untrusted statement. For self
    # attestation `valid_algorithm?` ties it to the credential key; for the
    # certificate path, whether the parent `valid_signature?` restricts it to
    # the RP's allowed algorithms is not visible here — confirm before relying
    # on this chain alone.
    valid_signature?(authenticator_data, client_data_hash) &&
    trustworthy?(aaguid: authenticator_data.aaguid) &&
    [attestation_type, attestation_trust_path]
end

Private Instance Methods

attestation_type()
# File lib/webauthn/attestation_statement/packed.rb, line 55
# Classifies the attestation that was just verified.
#
# With an attestation trust path present (presumably the certificate chain)
# the statement is reported as Basic or AttCA — the two cannot be told apart
# without authenticator metadata, hence the FIXME. Without a trust path the
# statement is self attestation.
#
# Returns one of the WebAuthn::AttestationStatement::ATTESTATION_TYPE_* constants.
def attestation_type
  return WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF unless attestation_trust_path

  WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA # FIXME: use metadata if available
end
meet_certificate_requirement?()

Checks the attestation certificate against https://www.w3.org/TR/2018/CR-webauthn-20180807/#packed-attestation-cert-requirements (X.509 v3, Subject-OU "Authenticator Attestation", basicConstraints CA:FALSE).

# File lib/webauthn/attestation_statement/packed.rb, line 43
# Checks the attestation certificate against the packed-attestation
# certificate requirements of the WebAuthn spec:
#   * X.509 v3 — OpenSSL numbers versions from zero, so `version == 2` is v3
#   * Subject-OU is exactly "Authenticator Attestation"
#   * basicConstraints is present with CA:FALSE (a missing extension fails)
#
# Only the first OU entry of the subject is consulted; other subject fields
# the spec lists (C, O, CN) are not inspected here.
#
# Returns true when there is no attestation certificate (self attestation has
# nothing to check here), otherwise true/false for the requirements above.
def meet_certificate_requirement?
  cert = attestation_certificate
  return true unless cert

  subject_ou = cert.subject.to_a.assoc('OU')&.at(1)
  basic_constraints = cert.extensions.find { |ext| ext.oid == 'basicConstraints' }

  cert.version == 2 &&
    subject_ou == "Authenticator Attestation" &&
    basic_constraints&.value == 'CA:FALSE'
end
self_attestation?()
# File lib/webauthn/attestation_statement/packed.rb, line 28
# True when the statement carries no certificates (`raw_certificates` is
# nil/false). In that case the signature is verified with the credential's
# own public key (see `valid_signature?`) and the statement's `alg` must match
# that key (see `valid_algorithm?`).
def self_attestation?
  raw_certificates ? false : true
end
valid_algorithm?(credential)
# File lib/webauthn/attestation_statement/packed.rb, line 24
# For self attestation the signature is made with the credential key, so the
# statement's `alg` must equal the COSE algorithm of that key; otherwise an
# attacker could pick the algorithm the signature is checked with. For full
# attestation this method imposes no constraint.
#
# credential - the credential whose `public_key` is a COSE-encoded key.
#
# Returns true, or the result of the algorithm comparison for self attestation.
def valid_algorithm?(credential)
  return true unless self_attestation?

  credential_alg = COSE::Key.deserialize(credential.public_key).alg
  algorithm == credential_alg
end
valid_ec_public_keys?(credential)
# File lib/webauthn/attestation_statement/packed.rb, line 36
# Validates every EC public key that may later verify the signature: the keys
# of the certificates when present, else the credential's own key. Non-EC keys
# are skipped. This guards against a malformed point (e.g. one not on the
# curve) being fed to signature verification.
#
# credential - credential whose `public_key_object` is used when there are no
#   certificates.
#
# Returns true when every EC key passes `check_key`. Note that OpenSSL's
# `check_key` raises `OpenSSL::PKey::ECError` on an invalid key rather than
# returning false, so an invalid point surfaces as an exception; callers must
# treat that as verification failure.
def valid_ec_public_keys?(credential)
  candidates = certificates&.map(&:public_key) || [credential.public_key_object]
  ec_keys = candidates.select { |key| key.is_a?(OpenSSL::PKey::EC) }
  ec_keys.all?(&:check_key)
end
valid_format?()
# File lib/webauthn/attestation_statement/packed.rb, line 32
# Minimal structural check: both `alg` and `sig` must be present in the
# statement. Nothing about their types or lengths is checked here.
#
# Returns `signature` when both are present, otherwise the falsy `algorithm`
# value (nil/false), matching `algorithm && signature`.
def valid_format?
  alg = algorithm
  return alg unless alg

  signature
end
valid_signature?(authenticator_data, client_data_hash)
# File lib/webauthn/attestation_statement/packed.rb, line 63
# Verifies the statement signature over authenticator data || client data
# hash, delegating to the parent's `valid_signature?` (not shown here) with
# the key it should use: the attestation certificate's public key when a
# certificate is present, else the credential's own public key (self
# attestation).
#
# The statement's `alg` is used by the parent; for self attestation
# `valid_algorithm?` has already tied it to the credential key, but for the
# certificate path nothing visible here ties `alg` to the certificate key type.
def valid_signature?(authenticator_data, client_data_hash)
  verification_key = attestation_certificate&.public_key
  verification_key ||= authenticator_data.credential.public_key_object

  super(authenticator_data, client_data_hash, verification_key)
end