From 7ef5f1e7a97551439c2909009e9877d18bb0a89c Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez
Date: Fri, 13 Oct 2023 12:50:13 -0300
Subject: [PATCH 01/10] build(conformanceTests): bump `webauthn` version

---
 spec/conformance/Gemfile.lock | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index 54d9982b..582a273a 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -1,39 +1,35 @@
 PATH
   remote: ../..
   specs:
-    webauthn (2.5.1)
+    webauthn (3.4.0)
       android_key_attestation (~> 0.3.0)
-      awrence (~> 1.1)
       bindata (~> 2.4)
       cbor (~> 0.5.9)
       cose (~> 1.1)
-      openssl (~> 2.2)
+      openssl (>= 2.2)
       safety_net_attestation (~> 0.4.0)
-      tpm-key_attestation (~> 0.10.0)
+      tpm-key_attestation (~> 0.14.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
     android_key_attestation (0.3.0)
-    awrence (1.2.1)
     backports (3.15.0)
-    bindata (2.4.10)
+    bindata (2.5.0)
     byebug (11.0.1)
-    cbor (0.5.9.6)
-    cose (1.2.0)
+    cbor (0.5.9.8)
+    cose (1.3.1)
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
     fido_metadata (0.4.0)
       jwt (~> 2.0)
-    ipaddr (1.2.4)
     jwt (2.2.1)
     multi_json (1.14.1)
     mustermann (1.1.0)
       ruby2_keywords (~> 0.0.1)
-    openssl (2.2.1)
-      ipaddr
-    openssl-signature_algorithm (1.1.1)
-      openssl (~> 2.0)
+    openssl (3.3.0)
+    openssl-signature_algorithm (1.3.0)
+      openssl (> 2.0)
     rack (2.2.3)
     rack-contrib (2.1.0)
       rack (~> 2.0)
@@ -56,8 +52,9 @@ GEM
       sinatra (= 2.0.8.1)
       tilt (~> 2.0)
     tilt (2.0.10)
-    tpm-key_attestation (0.10.0)
+    tpm-key_attestation (0.14.0)
       bindata (~> 2.4)
+      openssl (> 2.0)
       openssl-signature_algorithm (~> 1.0)
 
 PLATFORMS
@@ -76,4 +73,4 @@ RUBY VERSION
    ruby 2.7.0p-1
 
 BUNDLED WITH
-   2.2.14
+   2.3.26

From d590b99e87bee4bac31879d5797bbb2f3e9ac1d0 Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Fri, 8 Nov 2024 17:44:00 -0300
Subject: [PATCH 02/10] build(conformanceTests): bump `byebug`

---
 spec/conformance/Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index 582a273a..bc25be7b 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -16,7 +16,7 @@ GEM
     android_key_attestation (0.3.0)
     backports (3.15.0)
     bindata (2.5.0)
-    byebug (11.0.1)
+    byebug (11.1.3)
     cbor (0.5.9.8)
     cose (1.3.1)
       cbor (~> 0.5.9)

From 27d36a226000ba77940036448d30ea684c262b07 Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez
Date: Fri, 13 Oct 2023 12:50:56 -0300
Subject: [PATCH 03/10] build(conformanceTests): bump `fido_metadata` version

---
 spec/conformance/Gemfile | 2 +-
 spec/conformance/Gemfile.lock | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/spec/conformance/Gemfile b/spec/conformance/Gemfile
index e414b4d8..e09f0b38 100644
--- a/spec/conformance/Gemfile
+++ b/spec/conformance/Gemfile
@@ -5,7 +5,7 @@ source "https://rubygems.org"
 ruby "~> 2.7.0"
 
 gem "byebug"
-gem "fido_metadata", "~> 0.4.0"
+gem "fido_metadata", github: 'santiagorodriguez96/fido_metadata', branch: 'sr--support-FIDO-metadata-msd3'
 gem "rack-contrib"
 gem "rubyzip"
 gem "sinatra", "~> 2.0"
diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index bc25be7b..c3d3c334 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -1,3 +1,11 @@
+GIT
+  remote: https://github.com/santiagorodriguez96/fido_metadata.git
+  revision: 8280a2ac9bb83a37e9f68e20efdb40eca33ea937
+  branch: sr--support-FIDO-metadata-msd3
+  specs:
+    fido_metadata (0.3.0)
+      jwt (~> 2.0)
+
 PATH
   remote: ../..
   specs:
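Review bot: The new `gem "fido_metadata"` line points the conformance suite at a personal fork and tracks a moving branch (`branch: 'sr--support-FIDO-metadata-msd3'`), so what gets installed is decided by whoever controls that branch; the Gemfile.lock pins revision 8280a2ac9bb83a37e9f68e20efdb40eca33ea937, but a `bundle update` would silently follow the branch head. Pinning the commit in the Gemfile itself, `gem "fido_metadata", github: 'santiagorodriguez96/fido_metadata', ref: '8280a2ac9bb83a37e9f68e20efdb40eca33ea937'`, keeps the dependency reproducible independent of the lockfile. Patch 08 has the same shape: it switches to `github: 'bdewater/fido_metadata'` with no `ref:` or `branch:`, relying solely on the lockfile's revision fcc1fc1a92f9b0eda5900485d773336494b2c1c6. A one-line comment above the `gem` line stating why a git source replaces the released `~> 0.4.0` would also help the next reader decide when it can go back to a released version.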
@@ -21,8 +29,6 @@ GEM
     cose (1.3.1)
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
-    fido_metadata (0.4.0)
-      jwt (~> 2.0)
     jwt (2.2.1)
     multi_json (1.14.1)
     mustermann (1.1.0)
@@ -62,7 +68,7 @@ PLATFORMS
 
 DEPENDENCIES
   byebug
-  fido_metadata (~> 0.4.0)
+  fido_metadata!
   rack-contrib
   rubyzip
   sinatra (~> 2.0)

From e63af28928487044d8d26e9655c9d0b6acd35df0 Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez
Date: Fri, 13 Oct 2023 12:54:57 -0300
Subject: [PATCH 04/10] build(conformanceTests): use ruby `3.4.2` for conformance specs

---
 spec/conformance/.ruby-version | 2 +-
 spec/conformance/Gemfile | 2 +-
 spec/conformance/Gemfile.lock | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/spec/conformance/.ruby-version b/spec/conformance/.ruby-version
index 37c2961c..4d9d11cf 100644
--- a/spec/conformance/.ruby-version
+++ b/spec/conformance/.ruby-version
@@ -1 +1 @@
-2.7.2
+3.4.2
diff --git a/spec/conformance/Gemfile b/spec/conformance/Gemfile
index e09f0b38..1e1b5e46 100644
--- a/spec/conformance/Gemfile
+++ b/spec/conformance/Gemfile
@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 
 
-ruby "~> 2.7.0"
+ruby "~> 3.4.2"
 
 gem "byebug"
 gem "fido_metadata", github: 'santiagorodriguez96/fido_metadata', branch: 'sr--support-FIDO-metadata-msd3'
diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index c3d3c334..c2d33801 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -76,7 +76,7 @@ DEPENDENCIES
   webauthn!
 
 RUBY VERSION
-   ruby 2.7.0p-1
+   ruby 3.4.2p28
 
 BUNDLED WITH
    2.3.26

From f41759bb26bd9e8e66b5c8a4b6d7d98b87316f4c Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Fri, 8 Nov 2024 17:58:25 -0300
Subject: [PATCH 05/10] build(conformanceTests): update bundler

---
 spec/conformance/Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index c2d33801..c5ef57c5 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -79,4 +79,4 @@ RUBY VERSION
    ruby 3.4.2p28
 
 BUNDLED WITH
-   2.3.26
+   2.6.5

From efb90fb0b47fec17b900c56110b4b3fa8f72cf4b Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Fri, 28 Feb 2025 19:02:16 -0300
Subject: [PATCH 06/10] build(conformanceTests): add `webrick`

We have to add `webrick` too as it was removed from Ruby's standard library in 3.0 (https://bugs.ruby-lang.org/issues/17303).
---
 spec/conformance/Gemfile | 1 +
 spec/conformance/Gemfile.lock | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/spec/conformance/Gemfile b/spec/conformance/Gemfile
index 1e1b5e46..c9213837 100644
--- a/spec/conformance/Gemfile
+++ b/spec/conformance/Gemfile
@@ -11,3 +11,4 @@ gem "rubyzip"
 gem "sinatra", "~> 2.0"
 gem "sinatra-contrib"
 gem "webauthn", path: File.join("..", "..")
+gem "webrick", "~> 1.9"
diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index c5ef57c5..3675069b 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -62,6 +62,7 @@ GEM
       bindata (~> 2.4)
       openssl (> 2.0)
       openssl-signature_algorithm (~> 1.0)
+    webrick (1.9.1)
 
 PLATFORMS
   ruby
@@ -74,6 +75,7 @@ DEPENDENCIES
   sinatra (~> 2.0)
   sinatra-contrib
   webauthn!
+  webrick (~> 1.9)
 
 RUBY VERSION
    ruby 3.4.2p28

From 05537673f7da0ed136fd04041cef6a1c96740a8b Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez
Date: Fri, 13 Oct 2023 12:44:46 -0300
Subject: [PATCH 07/10] feature(conformanceTests): use MDS v3

---
 spec/conformance/MDSROOT.crt | 36 ++++++++++++++-------
 spec/conformance/conformance_cache_store.rb | 6 ++--
 spec/conformance/server.rb | 3 +-
 3 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/spec/conformance/MDSROOT.crt b/spec/conformance/MDSROOT.crt
index d80f44af..46d19c7f 100644
--- a/spec/conformance/MDSROOT.crt
+++ b/spec/conformance/MDSROOT.crt
@@ -1,15 +1,29 @@
+!!!!!DO NOT DYNAMICALLY FETCH THIS CERTIFICATE!!!!!
+!!!!!ADD THIS CERTIFICATE DIRECTLY TO YOUR CERTIFICATE STORAGE OR SOURCE CODE!!!!!
+
+FIDO Alliance Certification TEST Metadata Service Root Certificate
+Expected page status: Valid
+CN=FAKE Root FAKE
+OU=FAKE Metadata 3 BLOB Signing FAKE
+O=FIDO Alliance
+C=US
+Serial number=04 5A 1C 22 66 A1 4F 3F 1F 4D 29 55 12 23 15
+Valid from=01 February 2017
+Valid to=31 January 2045
+
+Base64
 -----BEGIN CERTIFICATE-----
-MIICZzCCAe6gAwIBAgIPBF0rd3WL/GExWV/szYNVMAoGCCqGSM49BAMDMGcxCzAJ
+MIICaDCCAe6gAwIBAgIPBCqih0DiJLW7+UHXx/o1MAoGCCqGSM49BAMDMGcxCzAJ
 BgNVBAYTAlVTMRYwFAYDVQQKDA1GSURPIEFsbGlhbmNlMScwJQYDVQQLDB5GQUtF
-IE1ldGFkYXRhIFRPQyBTaWduaW5nIEZBS0UxFzAVBgNVBAMMDkZBS0UgUm9vdCBG
+IE1ldGFkYXRhIDMgQkxPQiBST09UIEZBS0UxFzAVBgNVBAMMDkZBS0UgUm9vdCBG
 QUtFMB4XDTE3MDIwMTAwMDAwMFoXDTQ1MDEzMTIzNTk1OVowZzELMAkGA1UEBhMC
 VVMxFjAUBgNVBAoMDUZJRE8gQWxsaWFuY2UxJzAlBgNVBAsMHkZBS0UgTWV0YWRh
-dGEgVE9DIFNpZ25pbmcgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQ
-BgcqhkjOPQIBBgUrgQQAIgNiAARcVLd6r4fnNHzs5K2zfbg//4X9/oBqmsdRVtZ9
-iXhlgM9vFYaKviYtqmwkq0D3Lihg3qefeZgXXYi4dFgvzU7ZLBapSNM3CT8RDBe/
-MBJqsPwaRQbIsGmmItmt/ESNQD6jYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBTd95rIHO/hX9Oh69szXzD0ahmZWTAfBgNVHSMEGDAW
-gBTd95rIHO/hX9Oh69szXzD0ahmZWTAKBggqhkjOPQQDAwNnADBkAjBkP3L99KEX
-QzviJVGytDMWBmITMBYv1LgNXXiSilWixTyQqHrYrFpLvNFyPZQvS6sCMFMAOUCw
-Ach/515XH0XlDbMgdIe2N4zzdY77TVwiHmsxTFWRT0FtS7fUk85c/LzSPQ==
------END CERTIFICATE-----
+dGEgMyBCTE9CIFJPT1QgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAASKYiz3YltC6+lmxhPKwA1WFZlIqnX8yL5RybSL
+TKFAPEQeTD9O6mOz+tg8wcSdnVxHzwnXiQKJwhrav70rKc2ierQi/4QUrdsPes8T
+EirZOkCVJurpDFbXZOgs++pa4XmjYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAfBgNVHSMEGDAW
+gBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAKBggqhkjOPQQDAwNoADBlAjEA/xFsgri0
+xubSa3y3v5ormpPqCwfqn9s0MLBAtzCIgxQ/zkzPKctkiwoPtDzI51KnAjAmeMyg
+X2S5Ht8+e+EQnezLJBJXtnkRWY+Zt491wgt/AwSs5PHHMv5QgjELOuMxQBc=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/spec/conformance/conformance_cache_store.rb b/spec/conformance/conformance_cache_store.rb
index 6890f158..cbc89208 100644
--- a/spec/conformance/conformance_cache_store.rb
+++ b/spec/conformance/conformance_cache_store.rb
@@ -22,7 +22,7 @@ def setup_metadata_store(endpoint)
     puts("Setting up metadata store TOC")
 
     response = Net::HTTP.post(
-      URI("https://mds.certinfra.fidoalliance.org/getEndpoints"),
+      URI("https://mds3.fido.tools/getEndpoints"),
       { endpoint: endpoint }.to_json,
       FidoMetadata::Client::DEFAULT_HEADERS
     )
@@ -30,12 +30,12 @@ def setup_metadata_store(endpoint)
     response.value
     possible_endpoints = JSON.parse(response.body)["result"]
 
-    client = FidoMetadata::Client.new(nil)
+    client = FidoMetadata::Client.new
 
     json = possible_endpoints.each_with_index do |uri, index|
       puts("Trying endpoint #{index}: #{uri}")
-      break client.download_toc(URI(uri), trusted_certs: conformance_certificates)
+      break client.download_toc(URI(uri), algorithms: ["ES256"], trusted_certs: conformance_certificates)
     rescue FidoMetadata::Client::DataIntegrityError, JWT::VerificationError, Net::HTTPFatalError
       nil
     end
diff --git a/spec/conformance/server.rb b/spec/conformance/server.rb
index b1fded40..e4abecea 100644
--- a/spec/conformance/server.rb
+++ b/spec/conformance/server.rb
@@ -42,7 +42,6 @@ def self.registered_for(username)
 
 
 mds_finder = MDSFinder.new.tap do |mds|
-  mds.token = ""
   mds.cache_backend = ConformanceCacheStore.new
   mds.cache_backend.setup_authenticators
   mds.cache_backend.setup_metadata_store("http://#{host}:#{settings.port}")
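Review bot: The human-readable preamble added above the PEM block does not describe the certificate that follows it: the `Serial number=04 5A 1C 22 …` line does not match the serial encoded in the DER (the leading bytes of the body appear to decode to 04 2A A2 87 …), and `OU=FAKE Metadata 3 BLOB Signing FAKE` differs from the `FAKE Metadata 3 BLOB ROOT FAKE` OU encoded in the body, so the text looks copied from a different certificate's description. Anyone checking the pinned root by hand will compare against the wrong values, which defeats the purpose of pinning it in the repository. Either correct the preamble to the embedded certificate or keep only the PEM block in this file. Whether the non-PEM text before `-----BEGIN CERTIFICATE-----` is tolerated depends on how `conformance_certificates` loads the file, which is not visible here, and the hunk also drops the trailing newline (`\ No newline at end of file`).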
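Review bot: If every endpoint is rejected, `each_with_index` returns `possible_endpoints` itself rather than nil, because `break` is only reached on success and the `nil` in the `rescue` branch is the block's value, not the iterator's; `json` then holds the endpoint list and the failure only surfaces wherever `json` is consumed, outside this hunk. The pattern predates this change, but the rewritten `break client.download_toc(...)` line keeps it, so assigning inside the loop and failing fast afterwards would make a bad MDS setup visible immediately (this assumes `download_toc` returns the BLOB on success, which is not visible here). The new `algorithms: ["ES256"]` argument also deserves a one-line comment saying it restricts which JWT algorithm the client accepts for the BLOB, if that is what the option does. setup_metadata_store continues outside the hunk.
```ruby
    json = nil
    possible_endpoints.each_with_index do |uri, index|
      puts("Trying endpoint #{index}: #{uri}")
      # algorithms: limits the JWT algorithm accepted for the BLOB (assumption: matches the client's option semantics)
      json = client.download_toc(URI(uri), algorithms: ["ES256"], trusted_certs: conformance_certificates)
      break
    rescue FidoMetadata::Client::DataIntegrityError, JWT::VerificationError, Net::HTTPFatalError
      nil
    end
    raise "no conformance MDS endpoint returned a verifiable BLOB" unless json
```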
@@ -51,7 +50,7 @@ def self.registered_for(username)
 relying_party = WebAuthn::RelyingParty.new(
   origin: "http://#{host}:#{settings.port}",
   name: RP_NAME,
-  algorithms: %w(ES256 ES384 ES512 PS256 PS384 PS512 RS256 RS384 RS512 RS1),
+  algorithms: %w(ES256 ES384 ES512 PS256 PS384 PS512 RS256 RS384 RS512 RS1 EdDSA),
   silent_authentication: true,
   attestation_root_certificates_finders: mds_finder
 )

From f889f8ffd1215b89001379dd413b6c97642a67f3 Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Fri, 8 Nov 2024 17:39:09 -0300
Subject: [PATCH 08/10] build(conformanceTests): point `fido_metadata` to its repo's `main` branch

---
 spec/conformance/Gemfile | 2 +-
 spec/conformance/Gemfile.lock | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/spec/conformance/Gemfile b/spec/conformance/Gemfile
index c9213837..40fc646c 100644
--- a/spec/conformance/Gemfile
+++ b/spec/conformance/Gemfile
@@ -5,7 +5,7 @@ source "https://rubygems.org"
 ruby "~> 3.4.2"
 
 gem "byebug"
-gem "fido_metadata", github: 'santiagorodriguez96/fido_metadata', branch: 'sr--support-FIDO-metadata-msd3'
+gem "fido_metadata", github: 'bdewater/fido_metadata'
 gem "rack-contrib"
 gem "rubyzip"
 gem "sinatra", "~> 2.0"
diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index 3675069b..84758bb2 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -1,7 +1,6 @@
 GIT
-  remote: https://github.com/santiagorodriguez96/fido_metadata.git
-  revision: 8280a2ac9bb83a37e9f68e20efdb40eca33ea937
-  branch: sr--support-FIDO-metadata-msd3
+  remote: https://github.com/bdewater/fido_metadata.git
+  revision: fcc1fc1a92f9b0eda5900485d773336494b2c1c6
   specs:
     fido_metadata (0.3.0)
       jwt (~> 2.0)

From 1b39924e7c532c18234abeb7f3ae7ecb4ca1d6ab Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Fri, 28 Feb 2025 17:44:06 -0300
Subject: [PATCH 09/10] build(conformanceTests): bump `sinatra` from `2.2.4` to `4.1.1`

---
 spec/conformance/Gemfile | 2 +-
 spec/conformance/Gemfile.lock | 43 ++++++++++++++++++++---------------
 2 files changed, 26 insertions(+), 19 deletions(-)

diff --git a/spec/conformance/Gemfile b/spec/conformance/Gemfile
index 40fc646c..e4dee57f 100644
--- a/spec/conformance/Gemfile
+++ b/spec/conformance/Gemfile
@@ -8,7 +8,7 @@ gem "byebug"
 gem "fido_metadata", github: 'bdewater/fido_metadata'
 gem "rack-contrib"
 gem "rubyzip"
-gem "sinatra", "~> 2.0"
+gem "sinatra", "~> 4.0"
 gem "sinatra-contrib"
 gem "webauthn", path: File.join("..", "..")
 gem "webrick", "~> 1.9"
diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index 84758bb2..321979f6 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -21,7 +21,7 @@ GEM
   remote: https://rubygems.org/
   specs:
     android_key_attestation (0.3.0)
-    backports (3.15.0)
+    base64 (0.2.0)
     bindata (2.5.0)
     byebug (11.1.3)
     cbor (0.5.9.8)
@@ -29,32 +29,39 @@ GEM
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
     jwt (2.2.1)
+    logger (1.6.6)
     multi_json (1.14.1)
-    mustermann (1.1.0)
+    mustermann (3.0.3)
       ruby2_keywords (~> 0.0.1)
     openssl (3.3.0)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
-    rack (2.2.3)
-    rack-contrib (2.1.0)
-      rack (~> 2.0)
-    rack-protection (2.0.8.1)
-      rack
+    rack (3.1.10)
+    rack-contrib (2.5.0)
+      rack (< 4)
+    rack-protection (4.1.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.0)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
     ruby2_keywords (0.0.1)
     rubyzip (2.0.0)
     safety_net_attestation (0.4.0)
       jwt (~> 2.0)
-    sinatra (2.0.8.1)
-      mustermann (~> 1.0)
-      rack (~> 2.0)
-      rack-protection (= 2.0.8.1)
+    sinatra (4.1.1)
+      logger (>= 1.6.0)
+      mustermann (~> 3.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.1.1)
+      rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
-    sinatra-contrib (2.0.8.1)
-      backports (>= 2.8.2)
-      multi_json
-      mustermann (~> 1.0)
-      rack-protection (= 2.0.8.1)
-      sinatra (= 2.0.8.1)
+    sinatra-contrib (4.1.1)
+      multi_json (>= 0.0.2)
+      mustermann (~> 3.0)
+      rack-protection (= 4.1.1)
+      sinatra (= 4.1.1)
       tilt (~> 2.0)
     tilt (2.0.10)
     tpm-key_attestation (0.14.0)
@@ -71,7 +78,7 @@ DEPENDENCIES
   fido_metadata!
   rack-contrib
   rubyzip
-  sinatra (~> 2.0)
+  sinatra (~> 4.0)
   sinatra-contrib
   webauthn!
   webrick (~> 1.9)

From d58e43e344795775682c93793dc68c25e3737746 Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Fri, 28 Feb 2025 17:45:50 -0300
Subject: [PATCH 10/10] build(conformanceTests): add `puma` and `rackup`

Fixes an error where `sinatra` was not being able to start.

```
Sinatra could not start, the required gems weren't found!
Add them to your bundle with:
bundle add rackup puma
or install them with:
gem install rackup puma
```
---
 spec/conformance/Gemfile | 2 ++
 spec/conformance/Gemfile.lock | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/spec/conformance/Gemfile b/spec/conformance/Gemfile
index e4dee57f..ee6d9b8d 100644
--- a/spec/conformance/Gemfile
+++ b/spec/conformance/Gemfile
@@ -6,7 +6,9 @@ ruby "~> 3.4.2"
 
 gem "byebug"
 gem "fido_metadata", github: 'bdewater/fido_metadata'
+gem "puma", "~> 6.6"
 gem "rack-contrib"
+gem "rackup", "~> 2.2"
 gem "rubyzip"
 gem "sinatra", "~> 4.0"
 gem "sinatra-contrib"
diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
index 321979f6..96348037 100644
--- a/spec/conformance/Gemfile.lock
+++ b/spec/conformance/Gemfile.lock
@@ -33,9 +33,12 @@ GEM
     multi_json (1.14.1)
     mustermann (3.0.3)
       ruby2_keywords (~> 0.0.1)
+    nio4r (2.7.4)
     openssl (3.3.0)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
+    puma (6.6.0)
+      nio4r (~> 2.0)
     rack (3.1.10)
     rack-contrib (2.5.0)
       rack (< 4)
@@ -46,6 +49,8 @@ GEM
     rack-session (2.1.0)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
+    rackup (2.2.1)
+      rack (>= 3)
     ruby2_keywords (0.0.1)
     rubyzip (2.0.0)
     safety_net_attestation (0.4.0)
@@ -76,7 +81,9 @@ PLATFORMS
 DEPENDENCIES
   byebug
   fido_metadata!
+  puma (~> 6.6)
   rack-contrib
+  rackup (~> 2.2)
   rubyzip
   sinatra (~> 4.0)
   sinatra-contrib