FidoMetadata
A Ruby gem for the FIDO Alliance Metadata Service (MDS). The MDS is a way to retrieve data about FIDO2 and U2F authenticators such as make, model, biometric capabilities, security status and the manufacturer root certificate(s). See FIDO TechNotes: The Truth about Attestation for a generic overview.
This gem provides an HTTP client for the MDS that performs the necessary security checks, parses the data into objects, and caches the results for speed and resiliency. It is intended to be used by WebAuthn relying parties wishing to verify attestation statements during registration.
Installation
Add this line to your application's Gemfile:
gem 'fido_metadata'
And then execute:
$ bundle
Or install it yourself as:
$ gem install fido_metadata
Usage
First, you need to register for an access token and configure a cache backend. The cache interface is compatible with Rails' ActiveSupport::Cache::Store, which means you can configure the gem to use your existing cache or a separate one:
FidoMetadata.configure do |config|
  config.cache_backend = Rails.cache # or something like `ActiveSupport::Cache::FileStore.new(...)`
end
Then you can query the table of contents (TOC):
store = FidoMetadata::Store.new
toc = store.table_of_contents
# returns a FidoMetadata::TableOfContents object. `toc.entries` returns an array of FidoMetadata::Entry objects, see
# https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-metadata-service-v2.0-ps-20170927.html#metadata-toc-payload-entry-dictionary
Retrieve a metadata statement via the authenticator aaguid (FIDO2) or attestation_certificate_key_id (U2F):
store.fetch_statement(aaguid: "0132d110-bf4e-4208-a403-ab4f5f12efe5")
# returns a FidoMetadata::Statement object, see
# https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-metadata-statement-v2.0-ps-20170927.html#types
Custom cache backend
It is possible to implement your own backend for using any datastore you'd like, such as your database. The interface you need to implement is as follows:
class CustomMetadataCacheStore
  def read(name, _options = nil)
    # deserialize and return `value`
  end

  def write(name, value, _options = nil)
    # serialize and store `value` so it can be looked up using `name`
  end
end

# and configure the gem to use it:
FidoMetadata.configure do |config|
  config.cache_backend = CustomMetadataCacheStore.new
end
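A concrete implementation of that interface, added here as an example and not part of the gem: a file-backed store that honours the ActiveSupport-style `expires_in` option and replaces files atomically so a crash mid-write never leaves a truncated cache entry. The class name, directory layout and Marshal serialization are this example's own choices.

```ruby
require "tmpdir"
require "fileutils"
require "digest"

# Hypothetical file-backed cache satisfying the read/write interface above.
# The cache directory must be writable only by the application: Marshal.load
# trusts its input, so the files are treated as trusted local state.
class FileMetadataCacheStore
  def initialize(dir)
    @dir = dir
    @mutex = Mutex.new
    FileUtils.mkdir_p(@dir)
  end

  # Returns the cached value, or nil when absent or expired (ActiveSupport semantics).
  def read(name, _options = nil)
    path = path_for(name)
    return nil unless File.exist?(path)
    entry = @mutex.synchronize { Marshal.load(File.binread(path)) }
    if entry[:expires_at] && Time.now.to_f >= entry[:expires_at]
      File.delete(path) rescue nil # stale entry: drop it and report a miss
      return nil
    end
    entry[:value]
  end

  # options may carry :expires_in (seconds); nil means the entry never expires.
  def write(name, value, options = nil)
    expires_in = options && options[:expires_in]
    entry = { value: value, expires_at: expires_in && Time.now.to_f + expires_in }
    data = Marshal.dump(entry)
    path = path_for(name)
    @mutex.synchronize do
      tmp = "#{path}.#{Process.pid}.tmp"
      File.binwrite(tmp, data)
      File.rename(tmp, path) # atomic replace: readers see the old or the new file, never a partial one
    end
    true
  end

  private

  # Hash the key so arbitrary cache names (URLs, AAGUIDs) cannot escape the directory.
  def path_for(name)
    File.join(@dir, Digest::SHA256.hexdigest(name.to_s))
  end
end
```

Point `config.cache_backend` at `FileMetadataCacheStore.new("/var/cache/fido_metadata")` (path of your choosing) in the configure block above.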
Development
After checking out the repo, run bin/setup to install dependencies. Then, run bin/rspec to run the tests.
You can also run MDS_TOKEN=yourtoken bin/console for an interactive prompt that will allow you to experiment. It is configured to use a simple in-memory cache. If you don't supply the token via the environment variable, the prompt will print instructions to set it in another way.
To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/bdewater/fido_metadata. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
License
The gem is available as open source under the terms of the MIT License.
The gem and its authors are unaffiliated with the FIDO Alliance. The FIDO and FIDO ALLIANCE trademarks and logos are trademarks of FIDO Alliance, Inc.