cedarcode / webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party
https://rubygems.org/gems/webauthn
MIT License

Fix outdated Apple App Attest root certificate #348

Closed. Ilushkanama closed this 2 years ago.

Ilushkanama commented 3 years ago

Hello and thank you for this library, especially for the Apple App Attest support.

Seems like App Attest ROOT_CERTIFICATE is outdated — it differs from the certificate at Apple's website. This causes valid attest data to not pass the trustworthy? check.

The easiest way to fix it is to update the ROOT_CERTIFICATE value. I can create a PR with such update, but it may not be the best solution in case Apple keeps updating certificates.

santiagorodriguez96 commented 3 years ago

Hi @Ilushkanama 👋 !

Thank you for the report!

I think it makes sense to go for the easy fix right now, although I agree that we'll probably have to come up with something if the certificate keeps changing. In the meantime, I'll make sure that we monitor the certificate every week or so in case it changes again so we don't have to wait for another issue reporting it to update it.

Having said that, feel free to open the PR to fix this! If not I will try to do it as soon as possible.

Anyway, glad to hear that you are giving a try to the Apple Attest support!

Ilushkanama commented 3 years ago

Hey @santiagorodriguez96,

Certificate monitoring would be great, and thank you for not overcomplicating things.

#349 is ready.

santiagorodriguez96 commented 2 years ago

Hey again @Ilushkanama, sorry for the late response!

I realized that the ROOT_CERTIFICATE in this gem's version is not really outdated, it's just a different certificate altogether. Here you can see a list with both of them: the one that we use on this gem, Apple WebAuthn Root CA, and the one that you suggested, Apple_App_Attestation_Root_CA.

Then I gave the Apple Attestation Format from v2.5 a try and it is working for me 🙂
I was testing on a Safari browser using the TouchID of my MacBook.

After that I changed ROOT_CERTIFICATE to be the one you were suggesting and the verification is failing for me with AttestationStatementVerificationError.

I couldn't find any information in the Webauthn specification regarding which root certificate should be used to validate the certificate chain, but in the PR in which the Apple Attestation Format was added to the specification they were implying that the one we are using on this gem Apple WebAuthn Root CA is the correct one – take a look at this thread.

Would you be so kind as to give more detail about the error you are getting? Maybe something like the gem version, the security key that you are using or what you are doing in the Relying Party to indicate that you want to receive an attestation statement. That would be really helpful.

Thanks! 🙂
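The point above, that the two Apple roots are different trust anchors rather than old and new versions of one, is easiest to see by running a chain check against each. The snippet below is an added example, not code from webauthn-ruby: it builds two constructed self-signed roots with Ruby's OpenSSL bindings (stand-ins for the two Apple roots named in the thread, not the real certificates), issues a leaf under the first one, and verifies that leaf against a store pinned to each root in turn. `chain_trustworthy?` is a hypothetical helper that mirrors the pinned-root check the gem's `trustworthy?` performs; `make_root` and `make_leaf` exist only to produce test material.

```ruby
require "openssl"

# Build a self-signed root CA certificate and its private key.
# Constructed test material only; this is not either Apple root.
def make_root(common_name)
  key = OpenSSL::PKey::EC.generate("prime256v1")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Issue an end-entity (leaf) certificate signed by the given root,
# playing the role of the attestation certificate from a statement.
def make_leaf(root_cert, root_key, common_name)
  key = OpenSSL::PKey::EC.generate("prime256v1")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = root_cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = root_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.sign(root_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hypothetical stand-in for a pinned-root check: the only trust anchor is the
# one PEM we hand in, exactly like a ROOT_CERTIFICATE constant. Returns
# [verified?, openssl error string].
def chain_trustworthy?(leaf, intermediates, root_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(root_pem))
  ok = store.verify(leaf, intermediates)
  [ok, store.error_string]
end

# Verify one leaf against its own root and against an unrelated root.
def demo
  root_a, key_a = make_root("Constructed WebAuthn Root CA")
  root_b, _key_b = make_root("Constructed App Attest Root CA")
  leaf = make_leaf(root_a, key_a, "constructed attestation leaf")
  {
    matching_root: chain_trustworthy?(leaf, [], root_a.to_pem),
    other_root: chain_trustworthy?(leaf, [], root_b.to_pem)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The first check passes with "ok"; the second fails because the store cannot find an issuer for the leaf, which is the same shape of failure as swapping ROOT_CERTIFICATE for a root that never signed the attestation chain. A pinned root has to be the one at the top of the chain the authenticator actually presents, so replacing it with a different Apple root is a change of trust anchor, not an update.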

brauliomartinezlm commented 2 years ago

Closing due to inactivity. Feel free to reopen in case you want to follow up, @Ilushkanama.