webauthn 0.6.0.1 → 0.7.0.0
raw patch · 8 files changed
+45/−7 lines, 8 filesbinary-addedPVP ok
version bump matches the API change (PVP)
API changes (from Hackage documentation)
Files
- changelog.md +8/−0
- root-certs/tpm/Nuvoton/NPCTxxxECC521RootCA.crt binary
- root-certs/tpm/STMicro/STSAFE ECC Root CA 02.crt binary
- root-certs/tpm/STMicro/STSAFE RSA Root CA 02.crt binary
- src/Crypto/WebAuthn/AttestationStatementFormat/Packed.hs +10/−6
- tests/Main.hs +14/−0
- tests/responses/attestation/without-aaguid.json +12/−0
- webauthn.cabal +1/−1
changelog.md view
@@ -1,3 +1,11 @@+### 0.7.0.0++* [174](https://github.com/tweag/webauthn/pull/174) Correctly verify packed+ attestation when the AAGUID extension of the certitificate is missing. This is+ a backwards-incompatible change for packed attestation responses that+ previously failed due to the missing AAGUID extension. These responses now+ succeed.+ ### 0.6.0.1 * [#167](https://github.com/tweag/webauthn/pull/167) Fix missing file from sdist for testing
+ root-certs/tpm/Nuvoton/NPCTxxxECC521RootCA.crt view
binary file changed (absent → 621 bytes)
+ root-certs/tpm/STMicro/STSAFE ECC Root CA 02.crt view
binary file changed (absent → 606 bytes)
+ root-certs/tpm/STMicro/STSAFE RSA Root CA 02.crt view
binary file changed (absent → 1378 bytes)
src/Crypto/WebAuthn/AttestationStatementFormat/Packed.hs view
@@ -46,7 +46,8 @@ data Statement = Statement { alg :: Cose.CoseSignAlg, sig :: BS.ByteString,- x5c :: Maybe (NE.NonEmpty X509.SignedCertificate, IdFidoGenCeAAGUID)+ -- The AAGUID extension is optional+ x5c :: Maybe (NE.NonEmpty X509.SignedCertificate, Maybe IdFidoGenCeAAGUID) } deriving (Eq, Show) @@ -112,9 +113,9 @@ let cert = X509.getCertificate signedCert aaguidExt <- case X509.extensionGetE (X509.certExtensions cert) of- Just (Right ext) -> pure ext+ Just (Right ext) -> pure $ Just ext Just (Left err) -> Left $ "Failed to decode certificate aaguid extension: " <> Text.pack err- Nothing -> Left "Certificate aaguid extension is missing"+ Nothing -> pure Nothing pure $ Just (x5c, aaguidExt) Just _ -> Left $ "CBOR map didn't have expected value types (alg: int, sig: bytes, [optional] x5c: non-empty list): " <> Text.pack (show xs) pure $ Statement {..}@@ -159,7 +160,7 @@ pure $ M.SomeAttestationType M.AttestationTypeSelf -- Basic, AttCA- Just (x5c@(certCred :| _), IdFidoGenCeAAGUID certAAGUID) -> do+ Just (x5c@(certCred :| _), mbAAGUID) -> do let cert = X509.getCertificate certCred pubKey = X509.certPubKey cert -- Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using@@ -181,8 +182,11 @@ -- If attestnCert contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that -- the value of this extension matches the aaguid in authenticatorData.- let aaguid = M.acdAaguid credData- unless (certAAGUID == aaguid) . failure $ CertificateAAGUIDMismatch certAAGUID aaguid+ case mbAAGUID of+ Just (IdFidoGenCeAAGUID certAAGUID) -> do+ let aaguid = M.acdAaguid credData+ unless (certAAGUID == aaguid) . failure $ CertificateAAGUIDMismatch certAAGUID aaguid+ Nothing -> pure () pure $ M.SomeAttestationType $
tests/Main.hs view
@@ -239,6 +239,20 @@ True registry predeterminedDateTime+ it "the response without a aaguid extension works" $+ registerTestFromFile+ "tests/responses/attestation/without-aaguid.json"+ "https://mercury.com/"+ "mercury.com"+ -- Uses "Dynamic Softtoken CA", which is an unknown software CA. And+ -- thus not verifiable by this library, which, by default, requires+ -- hardware attestation.+ False+ registry+ HG.DateTime+ { dtDate = HG.Date {dateYear = 2023, dateMonth = HG.July, dateDay = 18},+ dtTime = HG.TimeOfDay {todHour = HG.Hours 21, todMin = HG.Minutes 7, todSec = HG.Seconds 6, todNSec = HG.NanoSeconds 0}+ } describe "AndroidKey register" $ do it "tests whether the fixed android key register has a valid attestation" $ registerTestFromFile
+ tests/responses/attestation/without-aaguid.json view
@@ -0,0 +1,12 @@+{+ "extensions": {},+ "id": "vfEtvnc1AQrSir7_YemYlkW8V0lU7TDph0adJ1idgb8",+ "clientExtensionResults": {},+ "rawId": "vfEtvnc1AQrSir7_YemYlkW8V0lU7TDph0adJ1idgb8",+ "response": {+ "attestationObject": "o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEYwRAIgF-sybDid3qXIYj9CH3FPewnSh3cCtcPnJfy91TTVdlQCIBxlKf6S9WmZU4BvH30zWiGRFcue3Al9cRym1hM8tEFEY3g1Y4FZAj4wggI6MIIB4aADAgECAgECMAoGCCqGSM49BAMCMF4xCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANRTEQxIjAgBgNVBAoMGVdlYmF1dGhuIEF1dGhlbnRpY2F0b3IgUlMxHTAbBgNVBAMMFER5bmFtaWMgU29mdHRva2VuIENBMB4XDTIzMDcxNzIxMDcwNloXDTIzMDcxODIxMDcwNlowgZAxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANRTEQxIjAgBgNVBAoMGVdlYmF1dGhuIEF1dGhlbnRpY2F0b3IgUlMxKzApBgNVBAMMIkR5bmFtaWMgU29mdHRva2VuIExlYWYgQ2VydGlmaWNhdGUxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVfWwCBPKro-N8qPmdTvHeL_0pklJiKU9t1ZUQf0JAsWTF_IiLqaK5iOCXDJ5IJfWaPRjFR0FXoRr--UGDMmsno10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB_wQEAwIF4DAdBgNVHQ4EFgQU4ya71rpbUK4i_13TAUnXjTRmdFYwHwYDVR0jBBgwFoAU2jmj7l5rSw0yVb_vlWAYkK_YBwkwCgYIKoZIzj0EAwIDRwAwRAIgHkDSfA66vhTgSZffiMpP3G93qWLDcx6dCqZwHXhFIkYCIH7oDCPWl35DJkVWOPf1dUAlcrakMmHKthk78UG998dEaGF1dGhEYXRhWKSjN24DOxAOYYfBLybx16MskvRz-_qsWChC-u57I1w_AEUAAAAAD7m8vKDUQEK7sFWbwWMeKAAgvfEtvnc1AQrSir7_YemYlkW8V0lU7TDph0adJ1idgb-lAQIDJiABIVggqVKqgQBYpSqao2HzPgFsYdrjoIH2JADpwP14cnMYtPgiWCC3ELxU2Q9YVPiD3GobKUMVYHNevzDcBWvp41f2yTSoCw",+ "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoicUM2ejZ5TllydnM2Tlc0WkRTamNXdyIsIm9yaWdpbiI6Imh0dHBzOi8vbWVyY3VyeS5jb20vIiwidG9rZW5CaW5kaW5nIjpudWxsfQ",+ "transports": null+ },+ "type": "public-key"+}
webauthn.cabal view
@@ -1,6 +1,6 @@ cabal-version: 2.4 name: webauthn-version: 0.6.0.1+version: 0.7.0.0 license: Apache-2.0 license-file: LICENSE copyright: