Merge pull request #279 from cedarcode/refactor_certs

refactor: make x5c nomenclature more consistent

lib/android_safetynet/attestation_response.rb

@@ -52,10 +52,8 @@ def cts_profile_match?
  payload["ctsProfileMatch"]
  end
 
- def certificate_chain
- @certificate_chain ||= headers[CERTIRICATE_CHAIN_HEADER].map do |cert|
- OpenSSL::X509::Certificate.new(Base64.strict_decode64(cert))
- end
+ def leaf_certificate
+ certificate_chain[0]
  end
 
  def valid_timestamp?
@@ -91,8 +89,10 @@ def trust_store
  self.class.trust_store
  end
 
- def leaf_certificate
- certificate_chain[0]
+ def certificate_chain
+ @certificate_chain ||= headers[CERTIRICATE_CHAIN_HEADER].map do |cert|
+ OpenSSL::X509::Certificate.new(Base64.strict_decode64(cert))
+ end
  end
 
  def signing_certificates

lib/webauthn/attestation_statement/android_key.rb

@@ -22,7 +22,7 @@ def valid?(authenticator_data, client_data_hash)
  all_applications_field_not_present? &&
  valid_authorization_list_origin? &&
  valid_authorization_list_purpose? &&
- [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_certificate_chain]
+ [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_trust_path]
  end
 
  private

lib/webauthn/attestation_statement/android_safetynet.rb

@@ -12,11 +12,11 @@ def valid?(authenticator_data, client_data_hash)
  valid_response?(authenticator_data, client_data_hash) &&
  valid_version? &&
  cts_profile_match? &&
- [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_certificate]
+ [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC, attestation_trust_path]
  end
 
  def attestation_certificate
- attestation_response.certificate_chain[0]
+ attestation_response.leaf_certificate
  end
 
  private
@@ -40,6 +40,16 @@ def cts_profile_match?
  attestation_response.cts_profile_match?
  end
 
+ def attestation_trust_path
+ # FIXME: Change this to be the chain.
+ #
+ # The WebAuthn Level 1 spec said this needs to be just the attestation certificate.
+ # However, that was an error and it fixed on the Level 2 draft version.
+ #
+ # See https://github.com/w3c/webauthn/pull/1142
+ attestation_certificate
+ end
+
  def attestation_response
  @attestation_response ||= ::AndroidSafetynet::AttestationResponse.new(statement["response"])
  end

lib/webauthn/attestation_statement/base.rb

@@ -27,7 +27,13 @@ def valid?(_authenticator_data, _client_data_hash)
  end
 
  def attestation_certificate
- attestation_certificate_chain&.first
+ certificates&.first
+ end
+
+ def certificate_chain
+ if certificates
+ certificates[1..-1]
+ end
  end
 
  private
@@ -46,8 +52,8 @@ def matching_aaguid?(attested_credential_data_aaguid)
  end
  end
 
- def attestation_certificate_chain
- @attestation_certificate_chain ||= raw_attestation_certificates&.map do |raw_certificate|
+ def certificates
+ @certificates ||= raw_certificates&.map do |raw_certificate|
  OpenSSL::X509::Certificate.new(raw_certificate)
  end
  end
@@ -56,7 +62,7 @@ def algorithm
  statement["alg"]
  end
 
- def raw_attestation_certificates
+ def raw_certificates
  statement["x5c"]
  end
 
@@ -67,6 +73,12 @@ def raw_ecdaa_key_id
  def signature
  statement["sig"]
  end
+
+ def attestation_trust_path
+ if certificates&.any?
+ certificates
+ end
+ end
  end
  end
 end

lib/webauthn/attestation_statement/fido_u2f.rb

@@ -17,14 +17,14 @@ def valid?(authenticator_data, client_data_hash)
  valid_credential_public_key?(authenticator_data.credential.public_key) &&
  valid_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
  valid_signature?(authenticator_data, client_data_hash) &&
- [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, [attestation_certificate]]
+ [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_trust_path]
  end
 
  private
 
  def valid_format?
- !!(raw_attestation_certificates && signature) &&
- raw_attestation_certificates.length == VALID_ATTESTATION_CERTIFICATE_COUNT
+ !!(raw_certificates && signature) &&
+ raw_certificates.length == VALID_ATTESTATION_CERTIFICATE_COUNT
  end
 
  def valid_certificate_public_key?

lib/webauthn/attestation_statement/packed.rb

@@ -30,12 +30,12 @@ def valid_algorithm?(credential)
  end
 
  def self_attestation?
- !raw_attestation_certificates && !raw_ecdaa_key_id
+ !raw_certificates && !raw_ecdaa_key_id
  end
 
  def valid_format?
  algorithm && signature && (
- [raw_attestation_certificates, raw_ecdaa_key_id].compact.size < 2
+ [raw_certificates, raw_ecdaa_key_id].compact.size < 2
  )
  end
 
@@ -46,15 +46,15 @@ def check_unsupported_feature
  end
 
  def valid_certificate_chain?
- if attestation_certificate_chain
- attestation_certificate_chain[1..-1].all? { |c| certificate_in_use?(c) }
+ if certificate_chain
+ certificate_chain.all? { |c| certificate_in_use?(c) }
  else
  true
  end
  end
 
  def valid_ec_public_keys?(credential)
- (attestation_certificate_chain&.map(&:public_key) || [credential.public_key_object])
+ (certificates&.map(&:public_key) || [credential.public_key_object])
  .select { |pkey| pkey.is_a?(OpenSSL::PKey::EC) }
  .all? { |pkey| pkey.check_key }
  end
@@ -89,8 +89,8 @@ def valid_signature?(authenticator_data, client_data_hash)
  end
 
  def attestation_type_and_trust_path
- if raw_attestation_certificates&.any?
- [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_certificate_chain]
+ if attestation_trust_path
+ [WebAuthn::AttestationStatement::ATTESTATION_TYPE_BASIC_OR_ATTCA, attestation_trust_path]
  else
  [WebAuthn::AttestationStatement::ATTESTATION_TYPE_SELF, nil]
  end

lib/webauthn/attestation_statement/tpm.rb

@@ -80,18 +80,14 @@ def cose_algorithm
  end
 
  def attestation_type
- if raw_attestation_certificates && !raw_ecdaa_key_id
+ if raw_certificates && !raw_ecdaa_key_id
  ATTESTATION_TYPE_ATTCA
- elsif raw_ecdaa_key_id && !raw_attestation_certificates
+ elsif raw_ecdaa_key_id && !raw_certificates
  ATTESTATION_TYPE_ECDAA
  else
  raise "Attestation type invalid"
  end
  end
-
- def attestation_trust_path
- attestation_certificate_chain
- end
  end
  end
 end