cedarcode / webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party
https://rubygems.org/gems/webauthn
MIT License
658 stars, 55 forks

ruby 2.2 support #354

Closed neurosnap closed 2 years ago

neurosnap commented 2 years ago

Greetings!

Our production authentication service unfortunately requires ruby 2.2. I was able to install this gem but the version number is 1.3.0 and it looks like the only reason that works is because there was no minimum ruby version specified in the gemspec at that time.

Before I dig in too deep trying to get this gem to work, I wanted to ask if there's any hint that ruby 2.2 will work with this gem?

Thanks!

neurosnap commented 2 years ago

For anyone curious, I managed to get this library working with ruby 2.2 https://github.com/aptible/webauthn-ruby/pull/1.

My next concern is the security impact of using webauthn-ruby v1.3.0: can we use this version of the library or are there security implications we should be concerned about?

Thanks!

bdewater commented 2 years ago

Gem 1.3.0 is really old, I can't vouch for its security. Skimming the changelog you're at least missing out on signature counter verification (1.17.0) and if you need attestation support, this is incomplete and what's there is not correctly implemented.

If you must backport gems, why not spend that effort on 2.1.0 which was the latest version to support Ruby 2.3?
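As an added illustration of the signature counter verification bdewater refers to (the check the 1.17.0 gem introduced and 1.3.0 lacks), here is a stand-alone Ruby sketch of the relevant part of the WebAuthn assertion verification procedure. This is example code written for this thread, not code from webauthn-ruby: the function names, the `ClonedAuthenticatorError` class, and the sample authenticator data are all constructed here. It parses the fixed prefix of the authenticator data (rpIdHash, flags, signCount), checks the RP ID hash and user-presence flag, and then applies the counter rule: the received counter must exceed the stored one unless both are zero, otherwise the assertion is rejected because a cloned authenticator may be in use.

```ruby
require "openssl"

# Authenticator data layout (WebAuthn Level 1, section 6.1):
#   rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)
#   || [attestedCredentialData] || [extensions]
AUTH_DATA_MIN_LENGTH = 37
FLAG_USER_PRESENT  = 0x01
FLAG_USER_VERIFIED = 0x04

# Raised when the counter check suggests more than one authenticator is
# producing assertions for the same credential (e.g. a cloned key).
class ClonedAuthenticatorError < StandardError; end
# Raised for any other verification failure in this example.
class AssertionError < StandardError; end

# Parse the fixed-size prefix of authenticator data into its fields.
def parse_authenticator_data(auth_data)
  raise AssertionError, "authenticator data too short" if auth_data.bytesize < AUTH_DATA_MIN_LENGTH

  rp_id_hash, flags, sign_count = auth_data.unpack("a32CN")
  {
    rp_id_hash: rp_id_hash,
    user_present: (flags & FLAG_USER_PRESENT) != 0,
    user_verified: (flags & FLAG_USER_VERIFIED) != 0,
    sign_count: sign_count
  }
end

# Signature counter rule from the assertion verification procedure.
# Returns the value the relying party should now store for this credential.
def verify_sign_count(stored_count, received_count)
  # Authenticators without a counter report 0 every time; the comparison
  # only applies once either side is non-zero.
  return received_count if stored_count.zero? && received_count.zero?
  return received_count if received_count > stored_count

  raise ClonedAuthenticatorError,
        "received sign count #{received_count} is not greater than stored #{stored_count}"
end

# Verify the authenticator-data part of an assertion for the given RP ID and
# the counter last stored for this credential. Returns the new counter to
# store. (Signature verification over authData || clientDataHash is a
# separate step and is out of scope for this example.)
def verify_assertion(auth_data, rp_id, stored_count)
  parsed = parse_authenticator_data(auth_data)

  expected_hash = OpenSSL::Digest::SHA256.digest(rp_id)
  raise AssertionError, "rpIdHash mismatch" unless parsed[:rp_id_hash] == expected_hash
  raise AssertionError, "user presence flag not set" unless parsed[:user_present]

  verify_sign_count(stored_count, parsed[:sign_count])
end

# Build constructed sample authenticator data (no real authenticator involved).
def build_authenticator_data(rp_id, flags, sign_count)
  OpenSSL::Digest::SHA256.digest(rp_id) + [flags, sign_count].pack("CN")
end

if $PROGRAM_NAME == __FILE__
  data = build_authenticator_data("example.com", FLAG_USER_PRESENT, 5)
  puts "new counter: #{verify_assertion(data, 'example.com', 4)}"
  begin
    verify_assertion(data, "example.com", 5)
  rescue ClonedAuthenticatorError => e
    puts "rejected: #{e.message}"
  end
end
```

The stored counter should be updated atomically with the rest of the login so that two concurrent assertions cannot both pass against the same stale value.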

neurosnap commented 2 years ago

Thanks for the tip, much appreciated. I managed to get 2.1.0 to work -- at least for signing. The only issue is I had to rip out openssl 2.0. What is the primary motivation for including that gem instead of using what was built into the ruby version?

bdewater commented 2 years ago

Nice that you got it to work. The motivation in https://github.com/cedarcode/webauthn-ruby/commit/1560d737fca1e90ac8568fa7772a173baf77d176 was consistency of the OpenSSL gem used across Ruby versions for ease of development against Ruby 2.3, 2.4, and 2.5 at the time (2.6 to be released later that year). This was after Ruby started gemifying the standard library.

Assuming we can close this issue now. Best of luck with the eventual upgrade 🤞