Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change origin/RP ID checks to align better with the spec. #159

Closed
wants to merge 1 commit into from
Closed

Change origin/RP ID checks to align better with the spec. #159

wants to merge 1 commit into from

Conversation

lgarron
Copy link
Contributor

@lgarron lgarron commented Apr 9, 2019

  • Rename the original_origin parameter to current_origin.
  • Make the current_origin parameter optional by defaulting to nil
  • Verify the signature origin against the RP ID.

Addresses issue #150.

This is an attempt to preserve backwards compatibility, while:

  • changing the checks to be against the RP ID, and
  • Making it possible to pass just the RP ID (without the current origin).

lgarron
lgarron commented Apr 9, 2019
View reviewed changes
lib/webauthn/authenticator_response.rb
end

def valid_rp_id?(rp_id)
# TODO: rp_id cannot be a public suffix
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally, this line would include a check against a public suffix library. I shied away from putting that in the initial PR.

@lgarron
Copy link
Contributor Author

lgarron commented Apr 9, 2019
edited
Loading

Also, note:

@grzuy
Copy link
Contributor

grzuy commented Apr 9, 2019

Landed :-) 👍

lgarron
lgarron commented Apr 9, 2019
View reviewed changes
lib/webauthn/authenticator_response.rb
@@ -4,6 +4,9 @@

module WebAuthn
class VerificationError < Error; end
# `UnspecifiedRpIdError` is a caller error rather than an error in the webauthn
# response. So we directly subclass `Error`.
class UnspecifiedRpIdError < Error; end
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This happens if the caller doesn't specify either of expected_origin or rp_id. I figured it didn't make sense to call this a VerificationError — perhaps it should be an ArgumentError?

lib/webauthn/authenticator_response.rb
client_data.origin == expected_origin
def valid_origin?(rp_id, expected_origin)
# If the caller specifies the expected origin, check that it exactly matches the signed origin.
return false unless expected_origin.nil? || client_data.origin == expected_origin
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to distinguish between the failure cases. Would it make sense to subclass OriginVerificationError even further?

@lgarron
Change origin/RP ID checks to align better with the spec.
91b6e0a 
- Rename the `original_origin` parameter to `current_origin`.
- Make the `current_origin` parameter optional by defaulting to `nil`
- Verify the signature origin against the RP ID.

Addresses issue #150.
@grzuy
Copy link
Contributor

grzuy commented Apr 10, 2019

Hi @lgarron,

Thank you for the PR.

Isn't this change relaxing the "origin" check in a way we no longer comply with step 5 of "Registering a new credential"

  1. Verify that the value of C.origin matches the Relying Party's origin.

and step 9 of "Verifying an Authentication Assertion"

  1. Verify that the value of C.origin matches the Relying Party's origin.

?

@lgarron
Copy link
Contributor Author

lgarron commented Apr 10, 2019

Hmm, I was assuming the origin would be tied to the RP ID, but I guess it's not.

The RP ID should still be an ancestor domain of client_data domain, although for our use case we actually need the RP ID to be taken from the app ID extension. I'll close this PR for now, and maybe send another one.

@lgarron lgarron closed this Apr 10, 2019
@lgarron lgarron deleted the check-against-rp_id branch April 10, 2019 19:58
@grzuy
Copy link
Contributor

grzuy commented Apr 10, 2019

👍

@grzuy grzuy mentioned this pull request Apr 10, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@lgarron @grzuy