cedarcode / webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party
https://rubygems.org/gems/webauthn
MIT License

Support openssl 3.0 #359

Closed pravi closed 2 years ago

pravi commented 2 years ago

In Debian, we already moved to openssl 3.0 (via ruby 3.0) and ruby-webauthn no longer works. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005444 Please add support for openssl 3.0.

Between openssl is included with ruby, so I wonder if you need to specify it explicitly.

pravi commented 2 years ago

https://github.com/ruby/openssl/blob/master/History.md#compatibility-notes has a list of incompatible changes.

loqs commented 2 years ago

@pravi it is not possible with the current openssl ruby gem, as the link you provided notes: 'Deprecate the ability to modify OpenSSL::PKey::PKey instances'. Modification includes creating a key with a set value. See also https://github.com/cedarcode/webauthn-ruby/pull/324#issuecomment-1054743293

If you revert https://github.com/ruby/openssl/commit/5e2e66cce870ea86001dbb0eaa3092badfd37994 and https://github.com/ruby/openssl/commit/8ee6a582c7e4614eec4f5ca5ab59898fbcb50d2a, then update this gem to allow openssl 3.0, you would have support, provided a PKey is never modified once set. The code would allow its modification, but internally all that would be changed is a cached copy of the key, which would no longer match the actual value in use.

Once https://github.com/ruby/openssl/pull/399/commits/bac56c50e680cdcc5f546413656b8cb5537ce775 or something else that allows creating a PKey with a set value is merged into the openssl gem, it can be used by webauthn-ruby and cose, and OpenSSL 3.0 can be supported.

Edit: https://github.com/ruby/openssl/issues/498 mentions a workaround using ASN.1 representation; see also https://github.com/cedarcode/cose-ruby/pull/61

ClearlyClaire commented 2 years ago

Yes, the API changed to make some structures immutable without offering a convenient way to build them. This can be worked around using other representations, such as ASN.1, which I have proposed for a few dependencies:

Unfortunately, I had no reaction from anyone maintaining those gems, so this is kind of stalled so far.
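
The ASN.1 workaround discussed in the comments above, shown as an added example that is not part of the thread and is not the webauthn-ruby or cose-ruby code. The method names `ec_public_key_from_coordinates` and `demo` are hypothetical, and the key pair is constructed sample input.

```ruby
require "openssl"

# Added example: build an EC public key from raw affine coordinates (the form a
# COSE EC2 key carries) without calling setters on an existing PKey.
# Legacy pattern that OpenSSL 3.0 rejects because PKeys are immutable there:
#   key = OpenSSL::PKey::EC.new(group); key.public_key = point
def ec_public_key_from_coordinates(curve_name, x, y)
  group = OpenSSL::PKey::EC::Group.new(curve_name)
  size = (group.degree + 7) / 8
  unless x.bytesize == size && y.bytesize == size
    raise ArgumentError, "coordinates must be #{size} bytes each for #{curve_name}"
  end

  # Uncompressed SEC1 point encoding: 0x04 || X || Y
  point = "\x04".b + x.b + y.b

  # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
      OpenSSL::ASN1::ObjectId(curve_name)
    ]),
    OpenSSL::ASN1::BitString(point)
  ])

  # Parsing the DER yields a fully initialised key; nothing is mutated afterwards.
  OpenSSL::PKey::EC.new(spki.to_der)
end

# Constructed sample input: a throwaway P-256 key pair stands in for an authenticator.
def demo
  signer = OpenSSL::PKey::EC.generate("prime256v1")
  octets = signer.public_key.to_octet_string(:uncompressed)
  x = octets[1, 32]
  y = octets[33, 32]
  rebuilt = ec_public_key_from_coordinates("prime256v1", x, y)
  signature = signer.sign("SHA256", "constructed challenge")
  rebuilt.verify("SHA256", signature, "constructed challenge")
end

puts "signature verified with rebuilt key: #{demo}" if $PROGRAM_NAME == __FILE__
```
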

brauliomartinezlm commented 2 years ago

@ClearlyClaire I'm so sorry for the delay on my side to follow up on these PRs. I've been quite busy for the last few months. I'll be paying attention to them and the one you opened for this gem shortly.

I'm fully aware OpenSSL 3 support is becoming a problem for a lot of people using this gem.

brauliomartinezlm commented 2 years ago

This has been addressed by all the amazing contributions from @ClearlyClaire. Apologies for the delay on processing them 🙏. I'm closing this issue now that webauthn 2.5.2 has been released with support for openssl 3.

paul-oms commented 2 years ago

Thank you so much @brauliomartinezlm @ClearlyClaire - I was battling all day with a dependency conflict for OpenSSL 3 on a new dev machine and an app with this gem, and then today I woke up to a new version of Webauthn that fixes it. Thanks!