Skip to content

Commit

Permalink
20240717 update deps (#444)
Browse files Browse the repository at this point in the history
Update compact-jwt to latest version.
  • Loading branch information
Firstyear authored Dec 11, 2024
1 parent 25bc74a commit acac497
Show file tree
Hide file tree
Showing 5 changed files with 21 additions and 65 deletions.
5 changes: 2 additions & 3 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -71,8 +71,8 @@ webauthn-rs-device-catalog = { path = "./device-catalog" }

async-std = { version = "1.6", features = ["attributes"] }
base64 = "0.21"
clap = { version = "=4.4.18", features = ["derive", "env"] }
compact_jwt = "0.2.3"
clap = { version = "^4.5", features = ["derive", "env"] }
compact_jwt = "0.4.2"
futures = "^0.3.25"
hex = "0.4.3"
http = "^0.2.9"
Expand All @@ -89,7 +89,6 @@ rand_chacha = "0.3.1"
serde = { version = "^1.0.141", features = ["derive"] }
serde_cbor_2 = { version = "0.12.0-dev" }
serde_json = "^1.0.79"
tide = "0.16"
thiserror = "^1.0.37"
tokio = { version = "1.22.0", features = [
"sync",
Expand Down
2 changes: 1 addition & 1 deletion compat_tester/webauthn-rs-demo/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ webauthn-rs-demo-shared = { path = "../webauthn-rs-demo-shared", features = ["co
webauthn-rs-core.workspace = true
webauthn-rs = { workspace = true, features = ["conditional-ui", "attestation", "resident-key-support", "danger-allow-state-serialisation"] }

tide.workspace = true
tide = "0.16"
tokio.workspace = true

structopt = { version = "0.3", default-features = false }
Expand Down
65 changes: 9 additions & 56 deletions fido-mds/src/mds.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,11 @@
//! This allows parsing the fido metadata blob and consuming it's content. See `FidoMds`
//! for more.
// use base64urlsafedata::Base64UrlSafeData;
use compact_jwt::{Jws, JwsUnverified, JwtError};
use openssl::stack;
use compact_jwt::{crypto::JwsX509VerifierBuilder, JwsCompact, JwsVerifier, JwtError};
use openssl::x509;
use openssl::x509::store;
use serde::{Deserialize, Serialize};
use std::fmt;
use std::str::FromStr;
use tracing::{debug, error};

use std::collections::BTreeMap;
use std::hash::{Hash, Hasher};
Expand Down Expand Up @@ -1089,67 +1085,24 @@ impl FromStr for FidoMds {
let root_ca = x509::X509::from_pem(GLOBAL_SIGN_ROOT_CA_R3.as_bytes())
.map_err(|_| JwtError::OpenSSLError)?;

let mut ca_store = store::X509StoreBuilder::new().map_err(|_| JwtError::OpenSSLError)?;
ca_store
.add_cert(root_ca)
.map_err(|_| JwtError::OpenSSLError)?;

let ca_store = ca_store.build();

let jws = JwsUnverified::from_str(s)?;
let jws = JwsCompact::from_str(s)?;

let fullchain = jws
.get_x5c_chain()
.and_then(|chain| chain.ok_or(JwtError::InvalidHeaderFormat))?;

let (leaf, chain) = fullchain
.split_first()
.ok_or(JwtError::InvalidHeaderFormat)?;

let mut chain_stack = stack::Stack::new().map_err(|_| JwtError::OpenSSLError)?;

for crt in chain.iter() {
chain_stack
.push(crt.clone())
.map_err(|_| JwtError::OpenSSLError)?;
}

let mut ca_ctx = x509::X509StoreContext::new().map_err(|_| JwtError::OpenSSLError)?;

// Given the ca_store, the leaf cert, and the chain between leaf to ca_store, verify
// the certificate chain.
let res: Result<_, _> = ca_ctx
.init(&ca_store, leaf, &chain_stack, |ca_ctx_ref| {
ca_ctx_ref.verify_cert().map(|_| {
let res = ca_ctx_ref.error();
debug!("{:?}", res);
if res == x509::X509VerifyResult::OK {
Ok(())
} else {
debug!(
"ca_ctx_ref verify cert - error depth={}, sn={:?}",
ca_ctx_ref.error_depth(),
ca_ctx_ref.current_cert().map(|crt| crt.subject_name())
);
Err(JwtError::X5cPublicKeyDenied)
}
})
})
.map_err(|e| {
// If an openssl error occured, dump it here.
error!(?e);
JwtError::OpenSSLError
})?;

debug!(?res);
res?;
let verifier = JwsX509VerifierBuilder::new()
.add_fullchain(fullchain)
.add_trust_root(root_ca)
.build()
.map_err(|_| JwtError::OpenSSLError)?;

// Now we can release the embedded cert, since we have asserted the trust in the chain
// that has signed this metadata.
let released = verifier.verify(&jws)?;

let x: Jws<FidoMds> = jws.validate_embeded()?;
let metadata: FidoMds = released.from_json().map_err(|_| JwtError::Serde)?;

let metadata = x.into_inner();
// trace!(?metadata);

Ok(metadata)
Expand Down
2 changes: 1 addition & 1 deletion tutorial/server/tide/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ license = "MPL-2.0"

[dependencies]
webauthn-rs = { workspace = true, features = ["danger-allow-state-serialisation"] }
tide.workspace = true
tide = "0.16"
async-std.workspace = true
tracing.workspace = true
tracing-subscriber.workspace = true
Expand Down
12 changes: 8 additions & 4 deletions webauthn-rs-core/src/attestation.rs
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ use crate::error::WebauthnError;
use crate::internals::*;
use crate::proto::*;
use base64urlsafedata::HumanBinaryData;
use compact_jwt::{crypto::JwsX509Verifier, JwsCompact, JwsVerifier};
use openssl::hash::MessageDigest;
use openssl::sha::sha256;
use openssl::stack;
Expand Down Expand Up @@ -1291,18 +1292,21 @@ pub(crate) fn verify_android_safetynet_attestation(
|token: &str| -> Result<(Vec<x509::X509>, SafteyNetAttestResponse), SafetyNetError> {
trace!(?token);
use std::str::FromStr;
let jwsu = compact_jwt::JwsUnverified::from_str(token)?;
let jwsu = JwsCompact::from_str(token)?;

let certs = jwsu
.get_x5c_chain()?
.ok_or(SafetyNetError::MissingCertChain)?;

let leaf_cert = certs.first().ok_or(SafetyNetError::BadCert)?;
let leaf_cert = certs.first().cloned().ok_or(SafetyNetError::BadCert)?;

// Verify with the internal certificate.
let jws: compact_jwt::Jws<SafteyNetAttestResponse> = jwsu.validate_embeded()?;
let verifier = JwsX509Verifier::from_x509(leaf_cert.clone())
.map_err(|_| SafetyNetError::BadCert)?;

let verified_claims = jws.into_inner();
let verified_claims: SafteyNetAttestResponse = verifier
.verify(&jwsu)
.and_then(|jws| jws.from_json().map_err(|_| compact_jwt::JwtError::Serde))?;

// 3. Verify that the nonce attribute in the payload of response is identical to the Base64 encoding of the SHA-256 hash of the concatenation of authenticatorData and clientDataHash.
if verified_claims.nonce != data_to_verify.as_slice() {
Expand Down

0 comments on commit acac497

Please sign in to comment.