Update conformance specs to use FIDO MDS v3 #407

Open
wants to merge 9 commits into
base: master
from
2 changes: 1 addition & 1 deletion spec/conformance/.ruby-version
@@ -1 +1 @@
2.7.2
3.3.5
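Review bot: 3.3.5 here matches the `ruby "~> 3.3.5"` constraint in the Gemfile, but that pessimistic constraint only admits 3.3.x patch releases, so every future Ruby bump has to be made in both files at once; if the conformance suite does not actually depend on a patch level, `~> 3.3` in the Gemfile with `.ruby-version` as the single source of the exact version would be less fragile.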
5 changes: 3 additions & 2 deletions spec/conformance/Gemfile
@@ -2,12 +2,13 @@

source "https://rubygems.org"

ruby "~> 2.7.0"
ruby "~> 3.3.5"

gem "byebug"
gem "fido_metadata", "~> 0.4.0"
gem "fido_metadata", github: 'bdewater/fido_metadata'
gem "rack-contrib"
gem "rubyzip"
gem "sinatra", "~> 2.0"
gem "sinatra-contrib"
gem "webauthn", path: File.join("..", "..")
gem "webrick"
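Review bot: `gem "fido_metadata", github: 'bdewater/fido_metadata'` points a security-critical dependency (it verifies the MDS BLOB signature) at a personal fork with no `ref:`, `tag:` or `branch:`, so any `bundle update` follows whatever that fork's default branch happens to be; the lockfile pins revision fcc1fc1a92f9b0eda5900485d773336494b2c1c6 today, but the Gemfile should carry the same pin, e.g. `gem "fido_metadata", github: "bdewater/fido_metadata", ref: "fcc1fc1a92f9b0eda5900485d773336494b2c1c6"`, and go back to a rubygems version constraint once the MDS3 support is released. Minor: every other line in this Gemfile uses double quotes.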
70 changes: 36 additions & 34 deletions spec/conformance/Gemfile.lock
@@ -1,79 +1,81 @@
GIT
remote: https://github.com/bdewater/fido_metadata.git
revision: fcc1fc1a92f9b0eda5900485d773336494b2c1c6
specs:
fido_metadata (0.3.0)
jwt (~> 2.0)

PATH
remote: ../..
specs:
webauthn (2.5.1)
webauthn (3.1.0)
android_key_attestation (~> 0.3.0)
awrence (~> 1.1)
bindata (~> 2.4)
cbor (~> 0.5.9)
cose (~> 1.1)
openssl (~> 2.2)
openssl (>= 2.2)
safety_net_attestation (~> 0.4.0)
tpm-key_attestation (~> 0.10.0)
tpm-key_attestation (~> 0.12.0)

GEM
remote: https://rubygems.org/
specs:
android_key_attestation (0.3.0)
awrence (1.2.1)
backports (3.15.0)
bindata (2.4.10)
byebug (11.0.1)
cbor (0.5.9.6)
cose (1.2.0)
bindata (2.5.0)
byebug (11.1.3)
cbor (0.5.9.8)
cose (1.3.1)
cbor (~> 0.5.9)
openssl-signature_algorithm (~> 1.0)
fido_metadata (0.4.0)
jwt (~> 2.0)
ipaddr (1.2.4)
jwt (2.2.1)
multi_json (1.14.1)
mustermann (1.1.0)
mustermann (2.0.2)
ruby2_keywords (~> 0.0.1)
openssl (2.2.1)
ipaddr
openssl-signature_algorithm (1.1.1)
openssl (~> 2.0)
rack (2.2.3)
rack-contrib (2.1.0)
openssl (3.2.0)
openssl-signature_algorithm (1.3.0)
openssl (> 2.0)
rack (2.2.8)
rack-contrib (2.3.0)
rack (~> 2.0)
rack-protection (2.0.8.1)
rack-protection (2.2.4)
rack
ruby2_keywords (0.0.1)
rubyzip (2.0.0)
safety_net_attestation (0.4.0)
jwt (~> 2.0)
sinatra (2.0.8.1)
mustermann (~> 1.0)
rack (~> 2.0)
rack-protection (= 2.0.8.1)
sinatra (2.2.4)
mustermann (~> 2.0)
rack (~> 2.2)
rack-protection (= 2.2.4)
tilt (~> 2.0)
sinatra-contrib (2.0.8.1)
backports (>= 2.8.2)
sinatra-contrib (2.2.4)
multi_json
mustermann (~> 1.0)
rack-protection (= 2.0.8.1)
sinatra (= 2.0.8.1)
mustermann (~> 2.0)
rack-protection (= 2.2.4)
sinatra (= 2.2.4)
tilt (~> 2.0)
tilt (2.0.10)
tpm-key_attestation (0.10.0)
tpm-key_attestation (0.12.1)
bindata (~> 2.4)
openssl (> 2.0)
openssl-signature_algorithm (~> 1.0)
webrick (1.8.1)

PLATFORMS
ruby

DEPENDENCIES
byebug
fido_metadata (~> 0.4.0)
fido_metadata!
rack-contrib
rubyzip
sinatra (~> 2.0)
sinatra-contrib
webauthn!
webrick

RUBY VERSION
ruby 2.7.0p-1
ruby 3.3.5p100

BUNDLED WITH
2.2.14
2.5.23
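Review bot: the new GIT block resolves to `fido_metadata (0.3.0)`, a lower version than the `fido_metadata (0.4.0)` rubygems entry it replaces, which suggests the fork branch carries the MDS3 changes without a version bump; harmless while the lock pins the revision, but it will mislead anyone reading versions, so ask upstream to bump before publishing. Also note `jwt (2.2.1)` is left untouched by this refresh even though it sits on the BLOB-verification path alongside the bumped `openssl (3.2.0)` and `cose (1.3.1)`; confirm that is intentional.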
36 changes: 25 additions & 11 deletions spec/conformance/MDSROOT.crt
@@ -1,15 +1,29 @@
!!!!!DO NOT DYNAMICALLY FETCH THIS CERTIFICATE!!!!!
!!!!!ADD THIS CERTIFICATE DIRECTLY TO YOUR CERTIFICATE STORAGE OR SOURCE CODE!!!!!

FIDO Alliance Certification TEST Metadata Service Root Certificate
Expected page status: Valid
CN=FAKE Root FAKE
OU=FAKE Metadata 3 BLOB Signing FAKE
O=FIDO Alliance
C=US
Serial number=04 5A 1C 22 66 A1 4F 3F 1F 4D 29 55 12 23 15
Valid from=01 February 2017
Valid to=31 January 2045

Base64
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
dGEgMyBCTE9CIFJPT1QgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQ
BgcqhkjOPQIBBgUrgQQAIgNiAASKYiz3YltC6+lmxhPKwA1WFZlIqnX8yL5RybSL
TKFAPEQeTD9O6mOz+tg8wcSdnVxHzwnXiQKJwhrav70rKc2ierQi/4QUrdsPes8T
EirZOkCVJurpDFbXZOgs++pa4XmjYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAfBgNVHSMEGDAW
gBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAKBggqhkjOPQQDAwNoADBlAjEA/xFsgri0
xubSa3y3v5ormpPqCwfqn9s0MLBAtzCIgxQ/zkzPKctkiwoPtDzI51KnAjAmeMyg
X2S5Ht8+e+EQnezLJBJXtnkRWY+Zt491wgt/AwSs5PHHMv5QgjELOuMxQBc=
-----END CERTIFICATE-----
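Review bot: this is the FIDO conformance TEST root (`CN=FAKE Root FAKE`, `OU=FAKE Metadata 3 BLOB Signing FAKE`, valid to 2045), which is correct for the conformance server but must never be copied into a production trust store; the warning banner and the subject/serial/validity text are stored inside the `.crt` file itself, so confirm that whatever `conformance_certificates` uses to load it tolerates the non-PEM preamble (an OpenSSL PEM reader skips ahead to the `-----BEGIN CERTIFICATE-----` line; a bare base64 decode of the whole file would not). It would also help to put the certificate's SHA-256 fingerprint in the PR description so reviewers can compare it with the copy shipped with the FIDO conformance tools instead of trusting the base64 in the diff.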
6 changes: 3 additions & 3 deletions spec/conformance/conformance_cache_store.rb
@@ -22,20 +22,20 @@ def setup_metadata_store(endpoint)
puts("Setting up metadata store TOC")

response = Net::HTTP.post(
URI("https://mds.certinfra.fidoalliance.org/getEndpoints"),
URI("https://mds3.fido.tools/getEndpoints"),
{ endpoint: endpoint }.to_json,
FidoMetadata::Client::DEFAULT_HEADERS
)

response.value
possible_endpoints = JSON.parse(response.body)["result"]

client = FidoMetadata::Client.new(nil)
client = FidoMetadata::Client.new

json =
possible_endpoints.each_with_index do |uri, index|
puts("Trying endpoint #{index}: #{uri}")
break client.download_toc(URI(uri), trusted_certs: conformance_certificates)
break client.download_toc(URI(uri), algorithms: ["ES256"], trusted_certs: conformance_certificates)
rescue FidoMetadata::Client::DataIntegrityError, JWT::VerificationError, Net::HTTPFatalError
nil
end
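Review bot: the `rescue FidoMetadata::Client::DataIntegrityError, JWT::VerificationError, Net::HTTPFatalError` branch returns `nil` without a trace, so an endpoint whose BLOB fails the integrity or signature check is skipped silently, which is exactly the event a conformance run should surface; at minimum log the endpoint and the exception class before moving on. Passing `algorithms: ["ES256"]` to `download_toc` is the right direction, since restricting the accepted JWT `alg` up front is what stops a substituted header from being honoured, but the old call did not pass that keyword, so confirm the fork revision pinned in the lock actually accepts it and forwards it to the JWT verification. Minor: `puts("Setting up metadata store TOC")` still says TOC; MDS3 calls the signed document a BLOB.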
3 changes: 1 addition & 2 deletions spec/conformance/server.rb
@@ -42,7 +42,6 @@ def self.registered_for(username)

mds_finder =
MDSFinder.new.tap do |mds|
mds.token = ""
mds.cache_backend = ConformanceCacheStore.new
mds.cache_backend.setup_authenticators
mds.cache_backend.setup_metadata_store("http://#{host}:#{settings.port}")
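Review bot: dropping `mds.token = ""` is consistent with MDS3 no longer issuing access tokens (the cache store's `FidoMetadata::Client.new` loses its token argument in the same PR), but if `MDSFinder` still exposes a `token` accessor it is now nil rather than an empty string; confirm nothing in the finder or the gem still interpolates it into a request URL or header.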
@@ -51,7 +50,7 @@ def self.registered_for(username)
relying_party = WebAuthn::RelyingParty.new(
origin: "http://#{host}:#{settings.port}",
name: RP_NAME,
algorithms: %w(ES256 ES384 ES512 PS256 PS384 PS512 RS256 RS384 RS512 RS1),
algorithms: %w(ES256 ES384 ES512 PS256 PS384 PS512 RS256 RS384 RS512 RS1 EdDSA),
silent_authentication: true,
attestation_root_certificates_finders: mds_finder
)
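Review bot: adding `EdDSA` to `algorithms:` both advertises it in the registration options and accepts EdDSA signatures on assertions, which relies on the `cose (1.3.1)` and `openssl (3.2.0)` versions in the updated lockfile; a conformance run or unit test that actually registers and asserts with an Ed25519 credential would be better evidence than the list entry alone. `RS1` (RSASSA-PKCS1-v1_5 with SHA-1) stays in the list; a short comment saying it is there only because the conformance suite exercises it would stop this line from being copied into non-test relying-party configurations.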