Skip to content

Commit

Permalink
Merge pull request #410 from cedarcode/sr--packed-attestation-verific…
Browse files Browse the repository at this point in the history
…ation-with-batch-self-referenced-certificate

Correctly verify attestation that contains a just a batch certificate that is present in the attestation root certificates
  • Loading branch information
santiagorodriguez96 authored Nov 10, 2023
2 parents d897c1a + 2f1e315 commit 43a491b
Show file tree
Hide file tree
Showing 3 changed files with 38 additions and 5 deletions.
9 changes: 9 additions & 0 deletions lib/webauthn/attestation_statement/base.rb
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,15 @@ def trustworthy?(aaguid: nil, attestation_certificate_key_id: nil)
end

def valid_certificate_chain?(aaguid: nil, attestation_certificate_key_id: nil)
root_certificates = root_certificates(
aaguid: aaguid,
attestation_certificate_key_id: attestation_certificate_key_id
)

if certificates&.one? && root_certificates.include?(attestation_certificate)
return true
end

attestation_root_certificates_store(
aaguid: aaguid,
attestation_certificate_key_id: attestation_certificate_key_id
Expand Down
18 changes: 15 additions & 3 deletions spec/webauthn/attestation_statement/fido_u2f_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -32,13 +32,13 @@
let(:signature) { attestation_key.sign("SHA256", to_be_signed) }

let(:attestation_certificate) do
issue_certificate(root_certificate, root_key, attestation_key).to_der
issue_certificate(root_certificate, root_key, attestation_key)
end

let(:statement) do
WebAuthn::AttestationStatement::FidoU2f.new(
"sig" => signature,
"x5c" => [attestation_certificate]
"x5c" => [attestation_certificate.to_der]
)
end

Expand All @@ -56,6 +56,18 @@
expect(statement.valid?(authenticator_data, client_data_hash)).to be_truthy
end

context 'when the attestation certificate is the only certificate in the certificate chain' do
context "and it's equal to one of the root certificates" do
before do
WebAuthn.configuration.attestation_root_certificates_finders = finder_for(attestation_certificate)
end

it "works" do
expect(statement.valid?(authenticator_data, client_data_hash)).to be_truthy
end
end
end

context "when signature is invalid" do
context "because it was signed with a different signing key (self attested)" do
let(:signature) { create_ec_key.sign("SHA256", to_be_signed) }
Expand Down Expand Up @@ -101,7 +113,7 @@
let(:statement) do
WebAuthn::AttestationStatement::FidoU2f.new(
"sig" => signature,
"x5c" => [attestation_certificate, attestation_certificate]
"x5c" => [attestation_certificate.to_der, attestation_certificate.to_der]
)
end

Expand Down
16 changes: 14 additions & 2 deletions spec/webauthn/attestation_statement/packed_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@
extensions: [
extension_factory.create_extension("basicConstraints", attestation_certificate_basic_constraints, true),
]
).to_der
)
end

let(:root_key) { create_ec_key }
Expand All @@ -125,7 +125,7 @@
WebAuthn::AttestationStatement::Packed.new(
"alg" => algorithm,
"sig" => signature,
"x5c" => [attestation_certificate]
"x5c" => [attestation_certificate.to_der]
)
end

Expand All @@ -137,6 +137,18 @@
expect(statement.valid?(authenticator_data, client_data_hash)).to be_truthy
end

context 'when the attestation certificate is the only certificate in the certificate chain' do
context "and it's equal to one of the root certificates" do
before do
WebAuthn.configuration.attestation_root_certificates_finders = finder_for(attestation_certificate)
end

it "works" do
expect(statement.valid?(authenticator_data, client_data_hash)).to be_truthy
end
end
end

context "when signature is invalid" do
context "because is signed with a different alg" do
let(:algorithm) { -36 }
Expand Down

0 comments on commit 43a491b

Please sign in to comment.