From 7abbb006b1ea59a5dbbb5b539745e8b47d915bfe Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Thu, 26 Jun 2025 13:46:25 -0300
Subject: [PATCH 1/2] chore: update `u2f_migrator` seeds
Taken from WebAuthn specification level 3: https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#sctn-test-vectors-fido-u2f-es256
---
 spec/support/seeds.rb | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/spec/support/seeds.rb b/spec/support/seeds.rb
index b6f519b9..bc410a19 100644
--- a/spec/support/seeds.rb
+++ b/spec/support/seeds.rb
@@ -60,20 +60,19 @@ def seeds
 },
 u2f_migration: {
 stored_credential: {
- app_id: "https://f69df4d9.ngrok.io/appid",
- certificate: "MIIBNDCB26ADAgECAgp2ubKB51u9YwjcMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQfqziP5Gobu7FmIoFH0WCaD15knMWpIiLgeero1dVBVt2qo62PNI6GktGDUkzCwoj5pENTzTFVDUqAZTHDHTN1oxcwFTATBgsrBgEEAYLlHAIBAQQEAwIFIDAKBggqhkjOPQQDAgNIADBFAiEAwaOmji8WpyFGJwV/YrtyjJ4D56G6YtBGUk5FbSwvP3MCIAtfeOURqhgSn28jbZITIn2StOZ+31PoFt+wXZ3IuQ/e",
- key_handle: "1a9tIwwYiYNdmfmxVaksOkxKapK2HtDNSsL4MssbCHILhkMzA0xZYk5IHmBljyblTQ_SnsQea-QEMzgTN2L1Mw",
- public_key: "BBbTnfbd5sY+rCxZDQi87+akvZedjIqR8567GfrsLR0Gnp4zBpD5zhdSq1wKPvhzEoKJvFuYel1cpdTCzpahrBA=",
- counter: 41,
+ app_id: "https://example.org/appid",
+ certificate: "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",
+ key_handle: "pLpuLSz-xDZI19JcXtVlm8GPK3gVOFJ-vUkt4DJWvfQ=",
+ public_key: "BLDWLeazD4bwusepAWlRORwuMYSeLmRmHL0rE819VQitUDsL2io1eppLNEdaKOZbZgtImKnj6bvwgg1DSUKX7dA=",
+ counter: 0,
 },
 assertion: {
- origin: "https://f69df4d9.ngrok.io",
- challenge: "v7G2KR2NYPW6AWxfevjMYflTxbWQqLwEoaZkOnm25K8=",
- id: "1a9tIwwYiYNdmfmxVaksOkxKapK2HtDNSsL4MssbCHILhkMzA0xZYk5IHmBljyblTQ/SnsQea+QEMzgTN2L1Mw==",
+ origin: "https://example.org",
+ challenge: "+QxhKYHYT1mUON4aUA92km6SzIS++OAsbiNVPwBIVDU=",
 response: {
- client_data_json: "eyJjaGFsbGVuZ2UiOiJ2N0cyS1IyTllQVzZBV3hmZXZqTVlmbFR4YldRcUx3RW9hWmtPbm0yNUs4Iiwib3JpZ2luIjoiaHR0cHM6Ly9mNjlkZjRkOS5uZ3Jvay5pbyIsInR5cGUiOiJ3ZWJhdXRobi5nZXQifQ==",
- signature: "MEYCIQCvDq6m7mzBlfhbu+Y20018/iesDoaRyMOwMjVLUgKdJQIhAMFscVb7oUrIhEU/btWUWMj9xjXN9PSUio6ApytJ4Vd7",
- authenticator_data: "wqc1M3OySstQSIGfoFIjkPhIJrGaCJiQKPeryg70zSsBAAAAbQ=="
+ client_data_json: "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiLVF4aEtZSFlUMW1VT040YVVBOTJrbTZTeklTLS1PQXNiaU5WUHdCSVZEVSIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5vcmciLCJjcm9zc09yaWdpbiI6ZmFsc2V9",
+ signature:
"MEUCID6+MZ0WQ1rW9deqfQbw8LR7/zMvvUnMfAAmgDF2ksUmAiEApgp546w47JGxWS38AC/GznH9fcYUx5Zva62N+1KCg+c=",
+ authenticator_data: "HIcRkL9v+l6dYGTcxfrXQ/usPPfCIO8wnPdFumKDZbcBAAAAAA=="
 }
 }
 },
From 7980dc00c732cf170a698684d951fbfb6d2ba3a5 Mon Sep 17 00:00:00 2001
From: Santiago Rodriguez <46354312+santiagorodriguez96@users.noreply.github.com>
Date: Thu, 26 Jun 2025 16:11:08 -0300
Subject: [PATCH 2/2] test: update specs
---
 .../authenticator_assertion_response_spec.rb | 2 +-
 .../public_key_credential_with_assertion_spec.rb | 4 ++--
 spec/webauthn/u2f_migrator_spec.rb | 12 ++++++------
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/spec/webauthn/authenticator_assertion_response_spec.rb b/spec/webauthn/authenticator_assertion_response_spec.rb
index 36a5d0f4..165734b7 100644
--- a/spec/webauthn/authenticator_assertion_response_spec.rb
+++ b/spec/webauthn/authenticator_assertion_response_spec.rb
@@ -502,7 +502,7 @@
 end
 describe "migrated U2F credential" do
- let(:origin) { "https://f69df4d9.ngrok.io" }
+ let(:origin) { "https://example.org" }
 let(:app_id) { "#{origin}/appid" }
 let(:migrated_credential) do
 WebAuthn::U2fMigrator.new(
diff --git a/spec/webauthn/public_key_credential_with_assertion_spec.rb b/spec/webauthn/public_key_credential_with_assertion_spec.rb
index 497a05ee..23f5fd87 100644
--- a/spec/webauthn/public_key_credential_with_assertion_spec.rb
+++ b/spec/webauthn/public_key_credential_with_assertion_spec.rb
@@ -298,7 +298,7 @@
 ).to be_truthy
 end
- context "if appid extension is not requested" do
+ context "if appid extension output is not present" do
 let(:public_key_credential) do
 WebAuthn::PublicKeyCredentialWithAssertion.new(
 type: credential_type,
@@ -331,7 +331,7 @@
 end.to raise_error("Unspecified legacy U2F AppID")
 end
- context "if appid extension is not requested" do
+ context "if appid extension output is not present" do
 let(:public_key_credential) do
 WebAuthn::PublicKeyCredentialWithAssertion.new(
 type: credential_type,
diff --git a/spec/webauthn/u2f_migrator_spec.rb b/spec/webauthn/u2f_migrator_spec.rb
index dbae3b1a..ff56e221 100644
--- a/spec/webauthn/u2f_migrator_spec.rb
+++ b/spec/webauthn/u2f_migrator_spec.rb
@@ -18,11 +18,11 @@
 end
 let(:stored_credential) { seeds[:u2f_migration][:stored_credential] }
- let(:app_id) { URI("https://f69df4d9.ngrok.io") }
+ let(:app_id) { URI("https://example.org") }
 it "returns the credential ID" do
 expect(WebAuthn::Encoders::Base64Encoder.encode(u2f_migrator.credential.id))
- .to eq("1a9tIwwYiYNdmfmxVaksOkxKapK2HtDNSsL4MssbCHILhkMzA0xZYk5IHmBljyblTQ/SnsQea+QEMzgTN2L1Mw==")
+ .to eq("pLpuLSz+xDZI19JcXtVlm8GPK3gVOFJ+vUkt4DJWvfQ=")
 end
 it "returns the credential public key in COSE format" do
@@ -30,8 +30,8 @@
 expect(public_key.alg).to eq(-7)
 expect(public_key.crv).to eq(1)
- expect(public_key.x).to eq(WebAuthn::Encoders::Base64Encoder.decode("FtOd9t3mxj6sLFkNCLzv5qS9l52MipHznrsZ+uwtHQY="))
- expect(public_key.y).to eq(WebAuthn::Encoders::Base64Encoder.decode("np4zBpD5zhdSq1wKPvhzEoKJvFuYel1cpdTCzpahrBA="))
+ expect(public_key.x).to eq(WebAuthn::Encoders::Base64Encoder.decode("sNYt5rMPhvC6x6kBaVE5HC4xhJ4uZGYcvSsTzX1VCK0="))
+ expect(public_key.y).to eq(WebAuthn::Encoders::Base64Encoder.decode("UDsL2io1eppLNEdaKOZbZgtImKnj6bvwgg1DSUKX7dA="))
 end
 it "returns the signature counter" do
@@ -45,7 +45,7 @@
 it "returns the attestation certificate" do
 certificate = u2f_migrator.attestation_trust_path.first
- expect(certificate.subject.to_s).to eq("/CN=U2F Device")
- expect(certificate.issuer.to_s).to eq("/CN=U2F Issuer")
+ expect(certificate.subject.to_s).to eq("/CN=WebAuthn test vectors/O=W3C/OU=Authenticator Attestation/C=AA")
+ expect(certificate.issuer.to_s).to eq("/CN=WebAuthn test vectors/O=W3C/OU=Authenticator Attestation CA/C=AA")
 end
 end
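Review bot: `let(:app_id) { URI("https://example.org") }` in the first hunk of u2f_migrator_spec.rb still omits the `/appid` path that the seed's `stored_credential[:app_id]` and the assertion-response spec (`"#{origin}/appid"`) use. The AppID is presumably what the migrated credential's RP ID hash is derived from, so an example built on this value would not line up with the W3C vector's `authenticator_data`. Deriving it from the seed, `let(:app_id) { URI(stored_credential[:app_id]) }`, would keep the three places in step. This hunk and the two after it also hard-code the expected credential ID, key coordinates and certificate names, so a short comment naming the W3C test-vector section they come from would help the next update. The enclosing describe block starts outside the hunk.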