packages feed

webauthn 0.6.0.1 → 0.7.0.0

raw patch · 8 files changed

+45/−7 lines, 8 filesbinary-addedPVP ok

version bump matches the API change (PVP)

API changes (from Hackage documentation)

Files

changelog.md view
@@ -1,3 +1,11 @@+### 0.7.0.0++* [174](https://github.com/tweag/webauthn/pull/174) Correctly verify packed+  attestation when the AAGUID extension of the certitificate is missing. This is+  a backwards-incompatible change for packed attestation responses that+  previously failed due to the missing AAGUID extension. These responses now+  succeed.+ ### 0.6.0.1  * [#167](https://github.com/tweag/webauthn/pull/167) Fix missing file from sdist for testing
+ root-certs/tpm/Nuvoton/NPCTxxxECC521RootCA.crt view

binary file changed (absent → 621 bytes)

+ root-certs/tpm/STMicro/STSAFE ECC Root CA 02.crt view

binary file changed (absent → 606 bytes)

+ root-certs/tpm/STMicro/STSAFE RSA Root CA 02.crt view

binary file changed (absent → 1378 bytes)

src/Crypto/WebAuthn/AttestationStatementFormat/Packed.hs view
@@ -46,7 +46,8 @@ data Statement = Statement   { alg :: Cose.CoseSignAlg,     sig :: BS.ByteString,-    x5c :: Maybe (NE.NonEmpty X509.SignedCertificate, IdFidoGenCeAAGUID)+    -- The AAGUID extension is optional+    x5c :: Maybe (NE.NonEmpty X509.SignedCertificate, Maybe IdFidoGenCeAAGUID)   }   deriving (Eq, Show) @@ -112,9 +113,9 @@                let cert = X509.getCertificate signedCert               aaguidExt <- case X509.extensionGetE (X509.certExtensions cert) of-                Just (Right ext) -> pure ext+                Just (Right ext) -> pure $ Just ext                 Just (Left err) -> Left $ "Failed to decode certificate aaguid extension: " <> Text.pack err-                Nothing -> Left "Certificate aaguid extension is missing"+                Nothing -> pure Nothing               pure $ Just (x5c, aaguidExt)           Just _ -> Left $ "CBOR map didn't have expected value types (alg: int, sig: bytes, [optional] x5c: non-empty list): " <> Text.pack (show xs)         pure $ Statement {..}@@ -159,7 +160,7 @@           pure $ M.SomeAttestationType M.AttestationTypeSelf          -- Basic, AttCA-        Just (x5c@(certCred :| _), IdFidoGenCeAAGUID certAAGUID) -> do+        Just (x5c@(certCred :| _), mbAAGUID) -> do           let cert = X509.getCertificate certCred               pubKey = X509.certPubKey cert           -- Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using@@ -181,8 +182,11 @@            -- If attestnCert contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that           -- the value of this extension matches the aaguid in authenticatorData.-          let aaguid = M.acdAaguid credData-          unless (certAAGUID == aaguid) . failure $ CertificateAAGUIDMismatch certAAGUID aaguid+          case mbAAGUID of+            Just (IdFidoGenCeAAGUID certAAGUID) -> do+              let aaguid = M.acdAaguid credData+              unless (certAAGUID == aaguid) . failure $ CertificateAAGUIDMismatch certAAGUID aaguid+            Nothing -> pure ()            pure $             M.SomeAttestationType $
tests/Main.hs view
@@ -239,6 +239,20 @@         True         registry         predeterminedDateTime+    it "the response without a aaguid extension works" $+      registerTestFromFile+        "tests/responses/attestation/without-aaguid.json"+        "https://mercury.com/"+        "mercury.com"+        -- Uses "Dynamic Softtoken CA", which is an unknown software CA. And+        -- thus not verifiable by this library, which, by default, requires+        -- hardware attestation.+        False+        registry+        HG.DateTime+          { dtDate = HG.Date {dateYear = 2023, dateMonth = HG.July, dateDay = 18},+            dtTime = HG.TimeOfDay {todHour = HG.Hours 21, todMin = HG.Minutes 7, todSec = HG.Seconds 6, todNSec = HG.NanoSeconds 0}+          }   describe "AndroidKey register" $ do     it "tests whether the fixed android key register has a valid attestation" $       registerTestFromFile
+ tests/responses/attestation/without-aaguid.json view
@@ -0,0 +1,12 @@+{+  "extensions": {},+  "id": "vfEtvnc1AQrSir7_YemYlkW8V0lU7TDph0adJ1idgb8",+  "clientExtensionResults": {},+  "rawId": "vfEtvnc1AQrSir7_YemYlkW8V0lU7TDph0adJ1idgb8",+  "response": {+    "attestationObject": "o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEYwRAIgF-sybDid3qXIYj9CH3FPewnSh3cCtcPnJfy91TTVdlQCIBxlKf6S9WmZU4BvH30zWiGRFcue3Al9cRym1hM8tEFEY3g1Y4FZAj4wggI6MIIB4aADAgECAgECMAoGCCqGSM49BAMCMF4xCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANRTEQxIjAgBgNVBAoMGVdlYmF1dGhuIEF1dGhlbnRpY2F0b3IgUlMxHTAbBgNVBAMMFER5bmFtaWMgU29mdHRva2VuIENBMB4XDTIzMDcxNzIxMDcwNloXDTIzMDcxODIxMDcwNlowgZAxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANRTEQxIjAgBgNVBAoMGVdlYmF1dGhuIEF1dGhlbnRpY2F0b3IgUlMxKzApBgNVBAMMIkR5bmFtaWMgU29mdHRva2VuIExlYWYgQ2VydGlmaWNhdGUxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVfWwCBPKro-N8qPmdTvHeL_0pklJiKU9t1ZUQf0JAsWTF_IiLqaK5iOCXDJ5IJfWaPRjFR0FXoRr--UGDMmsno10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwIF4DAdBgNVHQ4EFgQU4ya71rpbUK4i_13TAUnXjTRmdFYwHwYDVR0jBBgwFoAU2jmj7l5rSw0yVb_vlWAYkK_YBwkwCgYIKoZIzj0EAwIDRwAwRAIgHkDSfA66vhTgSZffiMpP3G93qWLDcx6dCqZwHXhFIkYCIH7oDCPWl35DJkVWOPf1dUAlcrakMmHKthk78UG998dEaGF1dGhEYXRhWKSjN24DOxAOYYfBLybx16MskvRz-_qsWChC-u57I1w_AEUAAAAAD7m8vKDUQEK7sFWbwWMeKAAgvfEtvnc1AQrSir7_YemYlkW8V0lU7TDph0adJ1idgb-lAQIDJiABIVggqVKqgQBYpSqao2HzPgFsYdrjoIH2JADpwP14cnMYtPgiWCC3ELxU2Q9YVPiD3GobKUMVYHNevzDcBWvp41f2yTSoCw",+    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoicUM2ejZ5TllydnM2Tlc0WkRTamNXdyIsIm9yaWdpbiI6Imh0dHBzOi8vbWVyY3VyeS5jb20vIiwidG9rZW5CaW5kaW5nIjpudWxsfQ",+    "transports": null+  },+  "type": "public-key"+}
webauthn.cabal view
@@ -1,6 +1,6 @@ cabal-version: 2.4 name: webauthn-version: 0.6.0.1+version: 0.7.0.0 license: Apache-2.0 license-file: LICENSE copyright: