Method to validate a public key #222

Closed
lgarron opened this issue Jun 19, 2019 · 4 comments

lgarron commented Jun 19, 2019

We validate public keys in our model for security key registrations.

This was easier when all public keys were a predictable 65-byte EC256 format. As of v1.16.0, it seems that webauthn-ruby made a change to this format even for U2F keys.

It would be useful to have a method to ask webauthn-ruby if a particular public key is valid, independent of any other context (i.e. without having to pass in a client response).


grzuy commented Jun 22, 2019

> We validate public keys in our model for security key registrations.
>
> This was easier when all public keys were a predictable 65-byte EC256 format. As of v1.16.0, it seems that webauthn-ruby made a change to this format even for U2F keys.

Indeed, it was changed in #139.

It was a mistake on our side to, before v1.12.0, return "65-byte EC256 format" keys, because we wrongly assumed all authenticators would return EC256 keys. Now that more algs are supported, Relying Parties could e.g. receive RS256 keys, among others.

It is by returning the unmodified "COSE key format" credential public key that this is possible.

> It would be useful to have a method to ask webauthn-ruby if a particular public key is valid, independent of any other context (i.e. without having to pass in a client response).


grzuy commented Oct 9, 2019

> It would be useful to have a method to ask webauthn-ruby if a particular public key is valid, independent of any other context (i.e. without having to pass in a client response).

Hi @lgarron,

When you say "if a particular public key is valid", are you referring strictly to properly formatted COSE, or are you also referring to something which is more than that?


grzuy commented Oct 9, 2019

FWIW: For v1.12 and higher, verification doesn't succeed if COSE deserialization/parsing of the credential public key fails.

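```ruby
# True only when attested credential data is present and passes its own check.
def valid_attested_credential?
  authenticator_data.attested_credential_data_included? &&
    authenticator_data.attested_credential_data.valid?
end

# Requires the minimum length and a parseable credential public key.
def valid?
  data.length >= AAGUID_LENGTH + ID_LENGTH_LENGTH && valid_credential_public_key?
end

# Deserializes the COSE key; true only if the key carries an alg.
def valid_credential_public_key?
  cose_key = COSE::Key.deserialize(public_key)
  !!cose_key.alg
end
```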
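
What a context-free validity check could cover for the ES256 case, going one step past the `!!cose_key.alg` test above by also checking the key parameters and that the point lies on P-256. This is an added example, not code from webauthn-ruby or the cose gem: `read_cbor`, `check_es256_cose_key` and `SAMPLE_KEY` are hypothetical names, the CBOR reader is a minimal stand-in that handles only what an EC2 COSE_Key needs, and the sample key is constructed.

```ruby
require "stringio"
# NIST P-256 parameters for y^2 = x^3 - 3x + b (mod p).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# Minimal CBOR reader (hypothetical helper): ints, byte strings and maps only.
def read_cbor(io)
  take = ->(n) { (c = io.read(n)) && c.bytesize == n ? c : raise(ArgumentError, "truncated CBOR") }
  major, info = take.(1).unpack1("C").divmod(32) # high 3 bits, low 5 bits
  arg = case info
        when 0..23 then info
        when 24 then take.(1).unpack1("C")
        when 25 then take.(2).unpack1("n")
        else raise ArgumentError, "unsupported CBOR argument"
        end
  case major
  when 0 then arg
  when 1 then -1 - arg
  when 2 then take.(arg)
  when 5
    arg.times.each_with_object({}) do |_, map|
      k = read_cbor(io)
      raise ArgumentError, "duplicate map key" if map.key?(k)
      map[k] = read_cbor(io)
    end
  else raise ArgumentError, "unsupported CBOR type"
  end
end

# Returns :ok, or a symbol naming the first check that failed.
def check_es256_cose_key(bytes)
  io = StringIO.new(bytes.b)
  key = read_cbor(io)
  return :malformed_cbor unless key.is_a?(Hash) && io.eof? # no trailing bytes
  return :wrong_kty unless key[1] == 2   # kty: EC2
  return :wrong_alg unless key[3] == -7  # alg: ES256
  return :wrong_crv unless key[-1] == 1  # crv: P-256
  x, y = key.values_at(-2, -3)
  return :bad_coordinates unless [x, y].all? { |c| c.is_a?(String) && c.bytesize == 32 }
  xi, yi = [x, y].map { |c| c.unpack1("H*").to_i(16) }
  return :bad_coordinates unless xi < P256_P && yi < P256_P
  ((yi * yi - xi**3 + 3 * xi - P256_B) % P256_P).zero? ? :ok : :point_not_on_curve
rescue ArgumentError
  :malformed_cbor
end

# Constructed sample: the P-256 base point wrapped as an ES256 COSE_Key (map of 5 pairs).
SAMPLE_KEY = ["a5010203262001215820" + "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296" +
              "225820" + "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"].pack("H*")
```

A raw 65-byte key of the older form (`0x04 || x || y`) comes back as `:malformed_cbor`, because its first byte decodes as a CBOR integer rather than a map.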


grzuy commented Jan 3, 2020

#284 was done in an attempt to satisfy, at least in part, this request.

Closing for now.
Let me know if you still think it should be re-opened.

grzuy closed this as completed Jan 3, 2020