feat: correctly verify "packed" attestation with self referenced cert

Fixes cedarcode#406.
cheeeeenais · Oct 20, 2023 · 2f1e315 · 2f1e315
1 parent d22ffc8
commit 2f1e315
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 5 deletions.
diff --git a/lib/webauthn/attestation_statement/base.rb b/lib/webauthn/attestation_statement/base.rb
@@ -102,6 +102,15 @@ def trustworthy?(aaguid: nil, attestation_certificate_key_id: nil)
  end
 
  def valid_certificate_chain?(aaguid: nil, attestation_certificate_key_id: nil)
+ root_certificates = root_certificates(
+ aaguid: aaguid,
+ attestation_certificate_key_id: attestation_certificate_key_id
+ )
+
+ if certificates&.one? && root_certificates.include?(attestation_certificate)
+ return true
+ end
+
  attestation_root_certificates_store(
  aaguid: aaguid,
  attestation_certificate_key_id: attestation_certificate_key_id

diff --git a/spec/webauthn/attestation_statement/fido_u2f_spec.rb b/spec/webauthn/attestation_statement/fido_u2f_spec.rb
@@ -32,13 +32,13 @@
  let(:signature) { attestation_key.sign("SHA256", to_be_signed) }
 
  let(:attestation_certificate) do
- issue_certificate(root_certificate, root_key, attestation_key).to_der
+ issue_certificate(root_certificate, root_key, attestation_key)
  end
 
  let(:statement) do
  WebAuthn::AttestationStatement::FidoU2f.new(
  "sig" => signature,
- "x5c" => [attestation_certificate]
+ "x5c" => [attestation_certificate.to_der]
  )
  end
 
@@ -56,6 +56,18 @@
  expect(statement.valid?(authenticator_data, client_data_hash)).to be_truthy
  end
 
+ context 'when the attestation certificate is the only certificate in the certificate chain' do
+ context "and it's equal to one of the root certificates" do
+ before do
+ WebAuthn.configuration.attestation_root_certificates_finders = finder_for(attestation_certificate)
+ end
+
+ it "works" do
+ expect(statement.valid?(authenticator_data, client_data_hash)).to be_truthy
+ end
+ end
+ end
+
  context "when signature is invalid" do
  context "because it was signed with a different signing key (self attested)" do
  let(:signature) { create_ec_key.sign("SHA256", to_be_signed) }
@@ -101,7 +113,7 @@
  let(:statement) do
  WebAuthn::AttestationStatement::FidoU2f.new(
  "sig" => signature,
- "x5c" => [attestation_certificate, attestation_certificate]
+ "x5c" => [attestation_certificate.to_der, attestation_certificate.to_der]
  )
  end
 

diff --git a/spec/webauthn/attestation_statement/packed_spec.rb b/spec/webauthn/attestation_statement/packed_spec.rb
@@ -110,7 +110,7 @@
  extensions: [
  extension_factory.create_extension("basicConstraints", attestation_certificate_basic_constraints, true),
  ]
- ).to_der
+ )
  end
 
  let(:root_key) { create_ec_key }
@@ -125,7 +125,7 @@
  WebAuthn::AttestationStatement::Packed.new(
  "alg" => algorithm,
  "sig" => signature,
- "x5c" => [attestation_certificate]
+ "x5c" => [attestation_certificate.to_der]
  )
  end
 
@@ -137,6 +137,18 @@
  expect(statement.valid?(authenticator_data, client_data_hash)).to be_truthy
  end
 
+ context 'when the attestation certificate is the only certificate in the certificate chain' do
+ context "and it's equal to one of the root certificates" do
+ before do
+ WebAuthn.configuration.attestation_root_certificates_finders = finder_for(attestation_certificate)
+ end
+
+ it "works" do
+ expect(statement.valid?(authenticator_data, client_data_hash)).to be_truthy
+ end
+ end
+ end
+
  context "when signature is invalid" do
  context "because is signed with a different alg" do
  let(:algorithm) { -36 }