Handle U2F-registered security keys.

lgarron · Sep 28, 2018 · e748508 · e748508
1 parent c519fe9
commit e748508
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 3 deletions.
diff --git a/lib/webauthn/authenticator_assertion_response.rb b/lib/webauthn/authenticator_assertion_response.rb
@@ -18,6 +18,12 @@ def valid?(original_challenge, original_origin, allowed_credentials:)
         valid_signature?(credential_public_key(allowed_credentials))
     end
 
+    def valid_u2f_registered?(original_challenge, original_rp_id, allowed_credentials:)
+      super(original_challenge, original_rp_id) &&
+        valid_credential?(allowed_credentials) &&
+        valid_signature?(credential_public_key(allowed_credentials))
+    end
+
     private
 
     attr_reader :credential_id, :authenticator_data_bytes, :signature
@@ -38,7 +44,6 @@ def valid_signature?(public_key_bytes)
 
     def valid_credential?(allowed_credentials)
       allowed_credential_ids = allowed_credentials.map { |credential| credential[:id] }
-
       allowed_credential_ids.include?(credential_id)
     end
 

diff --git a/lib/webauthn/authenticator_response.rb b/lib/webauthn/authenticator_response.rb
@@ -10,7 +10,15 @@ def valid?(original_challenge, original_origin)
       valid_type? &&
         valid_challenge?(original_challenge) &&
         valid_origin?(original_origin) &&
-        valid_rp_id?(original_origin) &&
+        authenticator_data.valid? &&
+        authenticator_data.user_present?
+    end
+
+    def valid_u2f_registered?(original_challenge, original_rp_id)
+      valid_type? &&
+        valid_challenge?(original_challenge) &&
+        valid_origin_u2f_registered?(original_rp_id) &&
+        valid_rp_id_u2f_registered?(original_rp_id) &&
         authenticator_data.valid? &&
         authenticator_data.user_present?
     end
@@ -37,8 +45,16 @@ def valid_origin?(original_origin)
 
     def valid_rp_id?(original_origin)
       domain = URI.parse(original_origin).host
+      OpenSSL::Digest::SHA256.digest(original_origin) == authenticator_data.rp_id_hash
+    end
+
+    # TODO: Not needed?
+    def valid_origin_u2f_registered?(original_rp_id)
+      URI.parse(client_data.origin).host == URI.parse(original_rp_id).host
+    end
 
-      OpenSSL::Digest::SHA256.digest(domain) == authenticator_data.rp_id_hash
+    def valid_rp_id_u2f_registered?(original_rp_id)
+      OpenSSL::Digest::SHA256.digest(original_rp_id) == authenticator_data.rp_id_hash
     end
 
     def type