Parse signCount and expose at AuthenticatorData#sign_count

[sorah]

This patch allows RP to check signature count mismatch.
https://www.w3.org/TR/2018/CR-webauthn-20180807/#sign-counter

Note: I assume AuthenticatorData is exposed to library users in this PR; see #69

[brauliomartinezlm]

@sorah Thank you for the PR!
Did you planned this PR as a first step to add the sign_count validation in a later one?

We initially didn't add support to it because it got deprioritized at first as it was state in the recommendation that how to react to the detection of a mismatch depended individually on the RP

https://www.w3.org/TR/2018/CR-webauthn-20180807/#sign-counter

Detecting a signature counter mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. Relying Parties should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.

But I'm 100% all in to add this validation as long as we provide a way for the gem user to fairly decide on how to react to a mismatch in the sign count. Would love to see opinions in such regard given that the Candidate Recommendation leaves the decision open.

[sorah]

Did you planned this PR as a first step to add the sign_count validation in a later one?

Yes.

But I'm 100% all in to add this validation as long as we provide a way for the gem user to fairly decide on how to react to a mismatch in the sign count.

Agreed, I don't think we don't need to implement sign counter validation in valid? method right now. But we lack a choice for RP implementation (at least I want to check and log,) so I believe exposing the value is a good starting point.

[sorah]

WDYT? I understand there's no reason to hide the data since #69 is merged.

[brauliomartinezlm]

Yeah, this is good to go. Sorry for the delay and thank you for doing this PR 👍

[sorah]

No worries, thank you! 😺