fix: verify AAGUID match for packed basic attestation

cedarcode · Mar 12, 2019 · 1e6ba27 · 1e6ba27
1 parent fa80397
commit 1e6ba27
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/lib/webauthn/attestation_statement/base.rb b/lib/webauthn/attestation_statement/base.rb
@@ -7,6 +7,8 @@ module AttestationStatement
  class Base
  class NotSupportedError < Error; end
 
+ AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4"
+
  def initialize(statement)
  @statement = statement
  end

diff --git a/lib/webauthn/attestation_statement/packed.rb b/lib/webauthn/attestation_statement/packed.rb
@@ -15,6 +15,7 @@ def valid?(authenticator_data, client_data_hash)
  valid_format? &&
  valid_certificate_chain?(authenticator_data.credential) &&
  meet_certificate_requirement? &&
+ matching_aaguid?(authenticator_data.attested_credential_data.aaguid) &&
  valid_signature?(authenticator_data, client_data_hash) &&
  attestation_type_and_trust_path
  end
@@ -79,6 +80,18 @@ def meet_certificate_requirement?
  end
  end
 
+ def matching_aaguid?(attested_credential_data_aaguid)
+ extension = attestation_certificate&.extensions&.detect { |ext| ext.oid == AAGUID_EXTENSION_OID }
+ if extension
+ # `extension.value` mangles data into ASCII, so we must manually compare bytes
+ # see https://github.com/ruby/openssl/pull/234
+ extension.to_der[-WebAuthn::AuthenticatorData::AttestedCredentialData::AAGUID_LENGTH..-1] ==
+ attested_credential_data_aaguid
+ else
+ true
+ end
+ end
+
  def valid_signature?(authenticator_data, client_data_hash)
  (attestation_certificate&.public_key || authenticator_data.credential.public_key_object).verify(
  "SHA256",