cedarcode · santiagorodriguez96 · Oct 13, 2023 · Oct 13, 2023 · Oct 13, 2023 · Oct 13, 2023
diff --git a/spec/conformance/Gemfile b/spec/conformance/Gemfile
@@ -2,12 +2,13 @@
 
 source "https://rubygems.org"
 
-ruby "~> 2.7.0"
+ruby "~> 3.2.0"
 
 gem "byebug"
-gem "fido_metadata", "~> 0.4.0"
+gem "fido_metadata", github: 'santiagorodriguez96/fido_metadata', branch: 'sr--support-FIDO-metadata-msd3'
 gem "rack-contrib"
 gem "rubyzip"
 gem "sinatra", "~> 2.0"
 gem "sinatra-contrib"
 gem "webauthn", path: File.join("..", "..")
+gem "webrick"
diff --git a/spec/conformance/Gemfile.lock b/spec/conformance/Gemfile.lock
@@ -1,79 +1,84 @@
+GIT
+ remote: https://github.com/santiagorodriguez96/fido_metadata.git
+ revision: 8280a2ac9bb83a37e9f68e20efdb40eca33ea937
+ branch: sr--support-FIDO-metadata-msd3
+ specs:
+ fido_metadata (0.3.0)
+ jwt (~> 2.0)
+
 PATH
  remote: ../..
  specs:
- webauthn (2.5.1)
+ webauthn (3.0.0)
  android_key_attestation (~> 0.3.0)
  awrence (~> 1.1)
  bindata (~> 2.4)
  cbor (~> 0.5.9)
  cose (~> 1.1)
- openssl (~> 2.2)
+ openssl (>= 2.2)
  safety_net_attestation (~> 0.4.0)
- tpm-key_attestation (~> 0.10.0)
+ tpm-key_attestation (~> 0.12.0)
 
 GEM
  remote: https://rubygems.org/
  specs:
  android_key_attestation (0.3.0)
  awrence (1.2.1)
- backports (3.15.0)
- bindata (2.4.10)
+ bindata (2.4.15)
  byebug (11.0.1)
  cbor (0.5.9.6)
- cose (1.2.0)
+ cose (1.3.0)
  cbor (~> 0.5.9)
  openssl-signature_algorithm (~> 1.0)
- fido_metadata (0.4.0)
- jwt (~> 2.0)
- ipaddr (1.2.4)
  jwt (2.2.1)
  multi_json (1.14.1)
- mustermann (1.1.0)
+ mustermann (2.0.2)
  ruby2_keywords (~> 0.0.1)
- openssl (2.2.1)
- ipaddr
- openssl-signature_algorithm (1.1.1)
- openssl (~> 2.0)
- rack (2.2.3)
- rack-contrib (2.1.0)
+ openssl (3.2.0)
+ openssl-signature_algorithm (1.3.0)
+ openssl (> 2.0)
+ rack (2.2.8)
+ rack-contrib (2.3.0)
  rack (~> 2.0)
- rack-protection (2.0.8.1)
+ rack-protection (2.2.4)
  rack
  ruby2_keywords (0.0.1)
  rubyzip (2.0.0)
  safety_net_attestation (0.4.0)
  jwt (~> 2.0)
- sinatra (2.0.8.1)
- mustermann (~> 1.0)
- rack (~> 2.0)
- rack-protection (= 2.0.8.1)
+ sinatra (2.2.4)
+ mustermann (~> 2.0)
+ rack (~> 2.2)
+ rack-protection (= 2.2.4)
  tilt (~> 2.0)
- sinatra-contrib (2.0.8.1)
- backports (>= 2.8.2)
+ sinatra-contrib (2.2.4)
  multi_json
- mustermann (~> 1.0)
- rack-protection (= 2.0.8.1)
- sinatra (= 2.0.8.1)
+ mustermann (~> 2.0)
+ rack-protection (= 2.2.4)
+ sinatra (= 2.2.4)
  tilt (~> 2.0)
  tilt (2.0.10)
- tpm-key_attestation (0.10.0)
+ tpm-key_attestation (0.12.0)
  bindata (~> 2.4)
+ openssl (> 2.0)
  openssl-signature_algorithm (~> 1.0)
+ webrick (1.8.1)
 
 PLATFORMS
  ruby
 
 DEPENDENCIES
  byebug
- fido_metadata (~> 0.4.0)
+ fido_metadata!
  rack-contrib
  rubyzip
  sinatra (~> 2.0)
  sinatra-contrib
  webauthn!
+ webrick
 
 RUBY VERSION
- ruby 2.7.0p-1
+ ruby 3.2.2p53
 
 BUNDLED WITH
- 2.2.14
+ 2.3.26
diff --git a/spec/conformance/MDSROOT.crt b/spec/conformance/MDSROOT.crt
@@ -1,15 +1,29 @@
+!!!!!DO NOT DYNAMICALLY FETCH THIS CERTIFICATE!!!!!
+!!!!!ADD THIS CERTIFICATE DIRECTLY TO YOUR CERTIFICATE STORAGE OR SOURCE CODE!!!!!
+
+FIDO Alliance Certification TEST Metadata Service Root Certificate
+Expected page status: Valid
+CN=FAKE Root FAKE
+OU=FAKE Metadata 3 BLOB Signing FAKE
+O=FIDO Alliance
+C=US
+Serial number=04 5A 1C 22 66 A1 4F 3F 1F 4D 29 55 12 23 15
+Valid from=01 February 2017
+Valid to=31 January 2045
+
+Base64
 -----BEGIN CERTIFICATE-----
-MIICZzCCAe6gAwIBAgIPBF0rd3WL/GExWV/szYNVMAoGCCqGSM49BAMDMGcxCzAJ
+MIICaDCCAe6gAwIBAgIPBCqih0DiJLW7+UHXx/o1MAoGCCqGSM49BAMDMGcxCzAJ
 BgNVBAYTAlVTMRYwFAYDVQQKDA1GSURPIEFsbGlhbmNlMScwJQYDVQQLDB5GQUtF
-IE1ldGFkYXRhIFRPQyBTaWduaW5nIEZBS0UxFzAVBgNVBAMMDkZBS0UgUm9vdCBG
+IE1ldGFkYXRhIDMgQkxPQiBST09UIEZBS0UxFzAVBgNVBAMMDkZBS0UgUm9vdCBG
 QUtFMB4XDTE3MDIwMTAwMDAwMFoXDTQ1MDEzMTIzNTk1OVowZzELMAkGA1UEBhMC
 VVMxFjAUBgNVBAoMDUZJRE8gQWxsaWFuY2UxJzAlBgNVBAsMHkZBS0UgTWV0YWRh
-dGEgVE9DIFNpZ25pbmcgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQ
-BgcqhkjOPQIBBgUrgQQAIgNiAARcVLd6r4fnNHzs5K2zfbg//4X9/oBqmsdRVtZ9
-iXhlgM9vFYaKviYtqmwkq0D3Lihg3qefeZgXXYi4dFgvzU7ZLBapSNM3CT8RDBe/
-MBJqsPwaRQbIsGmmItmt/ESNQD6jYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBTd95rIHO/hX9Oh69szXzD0ahmZWTAfBgNVHSMEGDAW
-gBTd95rIHO/hX9Oh69szXzD0ahmZWTAKBggqhkjOPQQDAwNnADBkAjBkP3L99KEX
-QzviJVGytDMWBmITMBYv1LgNXXiSilWixTyQqHrYrFpLvNFyPZQvS6sCMFMAOUCw
-Ach/515XH0XlDbMgdIe2N4zzdY77TVwiHmsxTFWRT0FtS7fUk85c/LzSPQ==
------END CERTIFICATE-----
+dGEgMyBCTE9CIFJPT1QgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAASKYiz3YltC6+lmxhPKwA1WFZlIqnX8yL5RybSL
+TKFAPEQeTD9O6mOz+tg8wcSdnVxHzwnXiQKJwhrav70rKc2ierQi/4QUrdsPes8T
+EirZOkCVJurpDFbXZOgs++pa4XmjYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAfBgNVHSMEGDAW
+gBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAKBggqhkjOPQQDAwNoADBlAjEA/xFsgri0
+xubSa3y3v5ormpPqCwfqn9s0MLBAtzCIgxQ/zkzPKctkiwoPtDzI51KnAjAmeMyg
+X2S5Ht8+e+EQnezLJBJXtnkRWY+Zt491wgt/AwSs5PHHMv5QgjELOuMxQBc=
+-----END CERTIFICATE-----
diff --git a/spec/conformance/conformance_cache_store.rb b/spec/conformance/conformance_cache_store.rb
@@ -22,20 +22,20 @@ def setup_metadata_store(endpoint)
  puts("Setting up metadata store TOC")
 
  response = Net::HTTP.post(
- URI("https://mds.certinfra.fidoalliance.org/getEndpoints"),
+ URI("https://mds3.fido.tools/getEndpoints"),
  { endpoint: endpoint }.to_json,
  FidoMetadata::Client::DEFAULT_HEADERS
  )
 
  response.value
  possible_endpoints = JSON.parse(response.body)["result"]
 
- client = FidoMetadata::Client.new(nil)
+ client = FidoMetadata::Client.new
 
  json =
  possible_endpoints.each_with_index do |uri, index|
  puts("Trying endpoint #{index}: #{uri}")
- break client.download_toc(URI(uri), trusted_certs: conformance_certificates)
+ break client.download_toc(URI(uri), algorithms: ["ES256"], trusted_certs: conformance_certificates)
  rescue FidoMetadata::Client::DataIntegrityError, JWT::VerificationError, Net::HTTPFatalError
  nil
  end

diff --git a/spec/conformance/server.rb b/spec/conformance/server.rb
@@ -42,7 +42,6 @@ def self.registered_for(username)
 
 mds_finder =
  MDSFinder.new.tap do |mds|
- mds.token = ""
  mds.cache_backend = ConformanceCacheStore.new
  mds.cache_backend.setup_authenticators
  mds.cache_backend.setup_metadata_store("http://#{host}:#{settings.port}")
@@ -51,7 +50,7 @@ def self.registered_for(username)
 relying_party = WebAuthn::RelyingParty.new(
  origin: "http://#{host}:#{settings.port}",
  name: RP_NAME,
- algorithms: %w(ES256 ES384 ES512 PS256 PS384 PS512 RS256 RS384 RS512 RS1),
+ algorithms: %w(ES256 ES384 ES512 PS256 PS384 PS512 RS256 RS384 RS512 RS1 EdDSA),
  silent_authentication: true,
  attestation_root_certificates_finders: mds_finder
 )