cedarcode / webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party
https://rubygems.org/gems/webauthn
MIT License

feat: Apple App Attestation proof-of-concept. #385

Closed fcbr closed 1 year ago

fcbr commented 1 year ago

We're looking into using this gem with Apple App attestation support, so I implemented the app-appattest format. This is just proof-of-concept code; we haven't tested it end-to-end, only manually.

The format and its validations are described here.

I would love to hear your feedback on this and also your opinion on two aspects that I had to deal with:

However there is no way to distinguish between development and production environment -- I added a new configuration to the RelyingParty class for that.

At this point in the class we have no access to the key identifier, so I have no idea how to support it -- any ideas?

Let me know your thoughts, thanks!
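The two points raised above (telling a development attestation from a production one, and tying the attestation to the key identifier) both come down to fields in the authenticator data of the attestation object. The following is an added example written for this discussion, not code from webauthn-ruby or from the PR: a hypothetical `AppAttestChecks` module that parses that authenticator data and applies the App Attest checks Apple documents for it, namely the `aaguid` value (`appattest` padded to 16 bytes in production, `appattestdevelop` in development), `rpIdHash == SHA-256(App ID)`, a zero sign count, `credentialId == key identifier`, and key identifier `== SHA-256(attested public key)`. Certificate-chain and nonce verification are deliberately out of scope. The App ID, key pair and authenticator data are constructed inline so it runs offline; `allow_development` plays the role of the configuration switch mentioned in the PR.

```ruby
require "openssl"
require "digest"

# Hypothetical verifier for the App Attest-specific fields of WebAuthn
# authenticator data (added example, not part of webauthn-ruby).
module AppAttestChecks
  # Apple's documented aaguid values for the two environments.
  AAGUID_PRODUCTION  = ("appattest" + "\x00" * 7).b   # 16 bytes
  AAGUID_DEVELOPMENT = "appattestdevelop".b           # 16 bytes

  class VerificationError < StandardError; end

  # Authenticator data with attested credential data is laid out as:
  #   rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | credentialPublicKey
  def self.parse_auth_data(auth_data)
    raise VerificationError, "authData too short" if auth_data.bytesize < 55
    cred_id_len   = auth_data.byteslice(53, 2).unpack1("n")
    credential_id = auth_data.byteslice(55, cred_id_len)
    if credential_id.nil? || credential_id.bytesize != cred_id_len
      raise VerificationError, "truncated credentialId"
    end
    {
      rp_id_hash:    auth_data.byteslice(0, 32),
      flags:         auth_data.getbyte(32),
      sign_count:    auth_data.byteslice(33, 4).unpack1("N"),
      aaguid:        auth_data.byteslice(37, 16),
      credential_id: credential_id
    }
  end

  # Map the aaguid to the environment the attestation was produced in.
  def self.environment_for(aaguid)
    case aaguid
    when AAGUID_PRODUCTION  then :production
    when AAGUID_DEVELOPMENT then :development
    else raise VerificationError, "unrecognised aaguid #{aaguid.unpack1('H*')}"
    end
  end

  # key_id:            raw bytes of the key identifier the app sent with the attestation
  # app_id:            "<team id>.<bundle id>" the relying party expects
  # leaf_public_key:   OpenSSL::PKey::EC taken from the credential certificate
  # allow_development: the relying-party configuration switch for dev builds
  # Returns the environment symbol on success, raises VerificationError otherwise.
  def self.verify(auth_data:, key_id:, app_id:, leaf_public_key:, allow_development: false)
    parsed = parse_auth_data(auth_data)
    env = environment_for(parsed[:aaguid])
    if env == :development && !allow_development
      raise VerificationError, "development attestation rejected by configuration"
    end
    unless constant_time_equal?(parsed[:rp_id_hash], Digest::SHA256.digest(app_id))
      raise VerificationError, "rpIdHash does not match App ID"
    end
    raise VerificationError, "sign count must be 0 at attestation" unless parsed[:sign_count].zero?
    unless constant_time_equal?(parsed[:credential_id], key_id)
      raise VerificationError, "credentialId does not match key identifier"
    end
    # Key identifier is the SHA-256 of the uncompressed public key point.
    point = leaf_public_key.public_key.to_bn.to_s(2)
    unless constant_time_equal?(Digest::SHA256.digest(point), key_id)
      raise VerificationError, "key identifier is not SHA-256 of the attested public key"
    end
    env
  end

  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Builds constructed authenticator data for demos; not real device output.
  def self.build_auth_data(app_id:, aaguid:, key_id:, sign_count: 0)
    flags = [0x41].pack("C") # UP + AT
    [Digest::SHA256.digest(app_id), flags, [sign_count].pack("N"), aaguid,
     [key_id.bytesize].pack("n"), key_id].join.b
  end
end

if $PROGRAM_NAME == __FILE__
  key    = OpenSSL::PKey::EC.generate("prime256v1")
  key_id = Digest::SHA256.digest(key.public_key.to_bn.to_s(2))
  app_id = "ABCDE12345.com.example.app" # constructed App ID
  auth   = AppAttestChecks.build_auth_data(app_id: app_id, aaguid: AppAttestChecks::AAGUID_PRODUCTION, key_id: key_id)
  puts AppAttestChecks.verify(auth_data: auth, key_id: key_id, app_id: app_id, leaf_public_key: key)
end
```

Rejecting development attestations by default and requiring an explicit opt-in is the safer default for a library setting, since a development-environment attestation says nothing about the App Store build a production relying party expects.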

bdewater commented 1 year ago

I'm not familiar with Apple App Attest, it sounds similar in purpose to Android Key Attestation?

Historically the preference has been to keep code supporting various attestation formats mostly outside of this gem, especially if they can be used in stand-alone context. It seems Apple App Attest uses the WebAuthn format but can be used in non-FIDO cases as well. If that's correct, poking around in https://github.com/cedarcode/webauthn-ruby/tree/master/lib/webauthn/attestation_statement and the related gems these files use can provide clues.

fcbr commented 1 year ago

Thanks for the feedback -- indeed it is Apple's way of asserting that a particular app was not tampered with.

I think going the standalone route also makes sense and will resolve some of the impedance mismatch that we're facing during this POC phase. I did notice that other webauthn libraries have implemented support for this format (sometimes with reservations like yours), so that added to the confusion. Examples: fido2-net-lib, webauthn4j.