Skip to content

Client for looking up metadata about FIDO authenticators, for use by WebAuthn relying parties

License

Notifications You must be signed in to change notification settings

bdewater/fido_metadata

Repository files navigation

FidoMetadata

A Ruby gem for the FIDO Alliance Metadata Service (MDS). The MDS is a way to retrieve data about FIDO2 and U2F authenticators such as make, model, biometric capabilities, security status and the manufacturer root certificate(s). See FIDO TechNotes: The Truth about Attestation for a generic overview.

This gem provides a HTTP client for the MDS that performs the necessary security checks, parses the data into objects, and caches the results for speed and resiliency. It is intended to be used by WebAuthn relying parties wishing to verify attestation statement during registration.

Installation

Add this line to your application's Gemfile:

gem 'fido_metadata'

And then execute:

$ bundle

Or install it yourself as:

$ gem install fido_metadata

Usage

First, you need to register for an access token and configure a cache backend. The cache interface is compatible with Rails' ActiveSupport::Cache::Store, which means you can configure the gem to use your existing cache or a separate one:

FidoMetadata.configure do |config|
  config.cache_backend = Rails.cache # or something like `ActiveSupport::Cache::FileStore.new(...)`
end

Then you can query the table of contents (TOC):

store = FidoMetadata::Store.new
toc = store.table_of_contents
# returns a FidoMetadata::TableOfContents object. `toc.entries` returns an array of FidoMetadata::Entry objects, see
# https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-metadata-service-v2.0-ps-20170927.html#metadata-toc-payload-entry-dictionary

Retrieve metadata statement via the authenticator aaguid (FIDO2) or attestation_certificate_key_id (U2F):

store.fetch_statement(aaguid: "0132d110-bf4e-4208-a403-ab4f5f12efe5")
# returns a FidoMetadata::Statement object, see
# https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-metadata-statement-v2.0-ps-20170927.html#types

Custom cache backend

It is possible to implement your own backend for using any datastore you'd like, such as your database. The interface you need to implement is as follows:

class CustomMetadataCacheStore
  def read(name, _options = nil)
    # deserialize and return `value`
  end

  def write(name, value, _options = nil)
    # serialize and store `value` so it can be looked up using `name`
  end
end

# and configure the gem to use it:
FidoMetadata.configure do |config|
  config.cache_backend = CustomMetadataCacheStore.new
end

Development

After checking out the repo, run bin/setup to install dependencies. Then, run bin/rspec to run the tests.

You can also run MDS_TOKEN=yourtoken bin/console for an interactive prompt that will allow you to experiment. It is configured to use a simple in-memory cache. If you don't supply the token via the environment variable, the prompt will print instructions to set it in another way.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/bdewater/fido_metadata. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.

The gem and its authors are unaffiliated with the FIDO Alliance. The FIDO and FIDO ALLIANCE trademarks and logos are trademarks of FIDO Alliance, Inc.

About

Client for looking up metadata about FIDO authenticators, for use by WebAuthn relying parties

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published