Update conformance specs to use FIDO MDS v3 (#407)

* build(conformanceTests): bump `webauthn` version

* build(conformanceTests): bump `byebug`

* build(conformanceTests): bump `fido_metadata` version

* build(conformanceTests): use ruby `3.4.2` for conformance specs

* build(conformanceTests): update bundler

* build(conformanceTests): add `webrick`

We have to add `webrick` too as it was removed from Ruby's standard
library in 3.0 (https://bugs.ruby-lang.org/issues/17303).

* feature(conformanceTests): use MDS v3

* build(conformanceTests): point `fido_metadata` to its repo's `main` branch

* build(conformanceTests): bump `sinatra` from `2.2.4` to `4.1.1`

* build(conformanceTests): add `puma` and `rackup`

Fixes an error where `sinatra` was not being able to start.

```
Sinatra could not start, the required gems weren't found!

Add them to your bundle with:

    bundle add rackup puma

or install them with:

    gem install rackup puma
```

Author: santiagorodriguez96

spec/conformance/.ruby-version

@@ -1 +1 @@
-2.7.2
+3.4.2

spec/conformance/Gemfile

@@ -2,12 +2,15 @@
 
 source "https://rubygems.org"
 
-ruby "~> 2.7.0"
+ruby "~> 3.4.2"
 
 gem "byebug"
-gem "fido_metadata", "~> 0.4.0"
+gem "fido_metadata", github: 'bdewater/fido_metadata'
+gem "puma", "~> 6.6"
 gem "rack-contrib"
+gem "rackup", "~> 2.2"
 gem "rubyzip"
-gem "sinatra", "~> 2.0"
+gem "sinatra", "~> 4.0"
 gem "sinatra-contrib"
 gem "webauthn", path: File.join("..", "..")
+gem "webrick", "~> 1.9"

spec/conformance/Gemfile.lock

@@ -1,79 +1,97 @@
+GIT
+  remote: https://github.com/bdewater/fido_metadata.git
+  revision: fcc1fc1a92f9b0eda5900485d773336494b2c1c6
+  specs:
+    fido_metadata (0.3.0)
+      jwt (~> 2.0)
+
 PATH
   remote: ../..
   specs:
-    webauthn (2.5.1)
+    webauthn (3.4.0)
       android_key_attestation (~> 0.3.0)
-      awrence (~> 1.1)
       bindata (~> 2.4)
       cbor (~> 0.5.9)
       cose (~> 1.1)
-      openssl (~> 2.2)
+      openssl (>= 2.2)
       safety_net_attestation (~> 0.4.0)
-      tpm-key_attestation (~> 0.10.0)
+      tpm-key_attestation (~> 0.14.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
     android_key_attestation (0.3.0)
-    awrence (1.2.1)
-    backports (3.15.0)
-    bindata (2.4.10)
-    byebug (11.0.1)
-    cbor (0.5.9.6)
-    cose (1.2.0)
+    base64 (0.2.0)
+    bindata (2.5.0)
+    byebug (11.1.3)
+    cbor (0.5.9.8)
+    cose (1.3.1)
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
-    fido_metadata (0.4.0)
-      jwt (~> 2.0)
-    ipaddr (1.2.4)
     jwt (2.2.1)
+    logger (1.6.6)
     multi_json (1.14.1)
-    mustermann (1.1.0)
+    mustermann (3.0.3)
       ruby2_keywords (~> 0.0.1)
-    openssl (2.2.1)
-      ipaddr
-    openssl-signature_algorithm (1.1.1)
-      openssl (~> 2.0)
-    rack (2.2.3)
-    rack-contrib (2.1.0)
-      rack (~> 2.0)
-    rack-protection (2.0.8.1)
-      rack
+    nio4r (2.7.4)
+    openssl (3.3.0)
+    openssl-signature_algorithm (1.3.0)
+      openssl (> 2.0)
+    puma (6.6.0)
+      nio4r (~> 2.0)
+    rack (3.1.10)
+    rack-contrib (2.5.0)
+      rack (< 4)
+    rack-protection (4.1.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.0)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
+    rackup (2.2.1)
+      rack (>= 3)
     ruby2_keywords (0.0.1)
     rubyzip (2.0.0)
     safety_net_attestation (0.4.0)
       jwt (~> 2.0)
-    sinatra (2.0.8.1)
-      mustermann (~> 1.0)
-      rack (~> 2.0)
-      rack-protection (= 2.0.8.1)
+    sinatra (4.1.1)
+      logger (>= 1.6.0)
+      mustermann (~> 3.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.1.1)
+      rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
-    sinatra-contrib (2.0.8.1)
-      backports (>= 2.8.2)
-      multi_json
-      mustermann (~> 1.0)
-      rack-protection (= 2.0.8.1)
-      sinatra (= 2.0.8.1)
+    sinatra-contrib (4.1.1)
+      multi_json (>= 0.0.2)
+      mustermann (~> 3.0)
+      rack-protection (= 4.1.1)
+      sinatra (= 4.1.1)
       tilt (~> 2.0)
     tilt (2.0.10)
-    tpm-key_attestation (0.10.0)
+    tpm-key_attestation (0.14.0)
       bindata (~> 2.4)
+      openssl (> 2.0)
       openssl-signature_algorithm (~> 1.0)
+    webrick (1.9.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   byebug
-  fido_metadata (~> 0.4.0)
+  fido_metadata!
+  puma (~> 6.6)
   rack-contrib
+  rackup (~> 2.2)
   rubyzip
-  sinatra (~> 2.0)
+  sinatra (~> 4.0)
   sinatra-contrib
   webauthn!
+  webrick (~> 1.9)
 
 RUBY VERSION
-   ruby 2.7.0p-1
+   ruby 3.4.2p28
 
 BUNDLED WITH
-   2.2.14
+   2.6.5

spec/conformance/MDSROOT.crt

@@ -1,15 +1,29 @@
+!!!!!DO NOT DYNAMICALLY FETCH THIS CERTIFICATE!!!!!
+!!!!!ADD THIS CERTIFICATE DIRECTLY TO YOUR CERTIFICATE STORAGE OR SOURCE CODE!!!!!
+
+FIDO Alliance Certification TEST Metadata Service Root Certificate
+Expected page status: Valid
+CN=FAKE Root FAKE
+OU=FAKE Metadata 3 BLOB Signing FAKE
+O=FIDO Alliance
+C=US
+Serial number=04 5A 1C 22 66 A1 4F 3F 1F  4D 29 55 12 23 15
+Valid from=01 February 2017
+Valid to=31 January 2045
+
+Base64
 -----BEGIN CERTIFICATE-----
-MIICZzCCAe6gAwIBAgIPBF0rd3WL/GExWV/szYNVMAoGCCqGSM49BAMDMGcxCzAJ
+MIICaDCCAe6gAwIBAgIPBCqih0DiJLW7+UHXx/o1MAoGCCqGSM49BAMDMGcxCzAJ
 BgNVBAYTAlVTMRYwFAYDVQQKDA1GSURPIEFsbGlhbmNlMScwJQYDVQQLDB5GQUtF
-IE1ldGFkYXRhIFRPQyBTaWduaW5nIEZBS0UxFzAVBgNVBAMMDkZBS0UgUm9vdCBG
+IE1ldGFkYXRhIDMgQkxPQiBST09UIEZBS0UxFzAVBgNVBAMMDkZBS0UgUm9vdCBG
 QUtFMB4XDTE3MDIwMTAwMDAwMFoXDTQ1MDEzMTIzNTk1OVowZzELMAkGA1UEBhMC
 VVMxFjAUBgNVBAoMDUZJRE8gQWxsaWFuY2UxJzAlBgNVBAsMHkZBS0UgTWV0YWRh
-dGEgVE9DIFNpZ25pbmcgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQ
-BgcqhkjOPQIBBgUrgQQAIgNiAARcVLd6r4fnNHzs5K2zfbg//4X9/oBqmsdRVtZ9
-iXhlgM9vFYaKviYtqmwkq0D3Lihg3qefeZgXXYi4dFgvzU7ZLBapSNM3CT8RDBe/
-MBJqsPwaRQbIsGmmItmt/ESNQD6jYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBTd95rIHO/hX9Oh69szXzD0ahmZWTAfBgNVHSMEGDAW
-gBTd95rIHO/hX9Oh69szXzD0ahmZWTAKBggqhkjOPQQDAwNnADBkAjBkP3L99KEX
-QzviJVGytDMWBmITMBYv1LgNXXiSilWixTyQqHrYrFpLvNFyPZQvS6sCMFMAOUCw
-Ach/515XH0XlDbMgdIe2N4zzdY77TVwiHmsxTFWRT0FtS7fUk85c/LzSPQ==
------END CERTIFICATE-----
+dGEgMyBCTE9CIFJPT1QgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAASKYiz3YltC6+lmxhPKwA1WFZlIqnX8yL5RybSL
+TKFAPEQeTD9O6mOz+tg8wcSdnVxHzwnXiQKJwhrav70rKc2ierQi/4QUrdsPes8T
+EirZOkCVJurpDFbXZOgs++pa4XmjYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAfBgNVHSMEGDAW
+gBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAKBggqhkjOPQQDAwNoADBlAjEA/xFsgri0
+xubSa3y3v5ormpPqCwfqn9s0MLBAtzCIgxQ/zkzPKctkiwoPtDzI51KnAjAmeMyg
+X2S5Ht8+e+EQnezLJBJXtnkRWY+Zt491wgt/AwSs5PHHMv5QgjELOuMxQBc=
+-----END CERTIFICATE-----

spec/conformance/conformance_cache_store.rb

@@ -22,20 +22,20 @@ def setup_metadata_store(endpoint)
     puts("Setting up metadata store TOC")
 
     response = Net::HTTP.post(
-      URI("https://mds.certinfra.fidoalliance.org/getEndpoints"),
+      URI("https://mds3.fido.tools/getEndpoints"),
       { endpoint: endpoint }.to_json,
       FidoMetadata::Client::DEFAULT_HEADERS
     )
 
     response.value
     possible_endpoints = JSON.parse(response.body)["result"]
 
-    client = FidoMetadata::Client.new(nil)
+    client = FidoMetadata::Client.new
 
     json =
       possible_endpoints.each_with_index do |uri, index|
         puts("Trying endpoint #{index}: #{uri}")
-        break client.download_toc(URI(uri), trusted_certs: conformance_certificates)
+        break client.download_toc(URI(uri), algorithms: ["ES256"], trusted_certs: conformance_certificates)
       rescue FidoMetadata::Client::DataIntegrityError, JWT::VerificationError, Net::HTTPFatalError
         nil
       end

spec/conformance/server.rb

@@ -42,7 +42,6 @@ def self.registered_for(username)
 
 mds_finder =
   MDSFinder.new.tap do |mds|
-    mds.token = ""
     mds.cache_backend = ConformanceCacheStore.new
     mds.cache_backend.setup_authenticators
     mds.cache_backend.setup_metadata_store("http://#{host}:#{settings.port}")
@@ -51,7 +50,7 @@ def self.registered_for(username)
 relying_party = WebAuthn::RelyingParty.new(
   origin: "http://#{host}:#{settings.port}",
   name: RP_NAME,
-  algorithms: %w(ES256 ES384 ES512 PS256 PS384 PS512 RS256 RS384 RS512 RS1),
+  algorithms: %w(ES256 ES384 ES512 PS256 PS384 PS512 RS256 RS384 RS512 RS1 EdDSA),
   silent_authentication: true,
   attestation_root_certificates_finders: mds_finder
 )