Release 0.7.0

=== `webauthn-server-core` ===

Breaking changes:

- Deleted parameter `RelyingParty.verifyTypeAttribute`. This was added
  as a workaround while browser implementations were incomplete, and
  should never be used in production.
- Replaced field `RegisteredCredential.publicKey: PublicKey` with
  `publicKeyCose: ByteArray`. This means the library user no longer
  needs to parse the public key before passing it back into the library.
- `RelyingParty.finishAssertion` now throws
  `InvalidSignatureCountException` instead of its supertype
  `AssertionFailedException` when signature count validation is enabled
  and the received signature count is invalid.

New features:

- New parameter `StartAssertionOptions.userVerification` which is
  forwarded into `PublicKeyCredentialRequestOptions` by
  `RelyingParty.startAssertion`

=== `webauthn-server-attestation` ===

- Added attestation metadata for Security Key NFC by Yubico

Author: emlun

NEWS

@@ -1,9 +1,33 @@
-== Version 0.6.0 (unreleased) ==
+== Version 0.7.0 ==
+
+=== `webauthn-server-attestation` ===
+
+* Added attestation metadata for Security Key NFC by Yubico
 
 === `webauthn-server-core` ===
 
 Breaking changes:
 
+* Deleted parameter `RelyingParty.verifyTypeAttribute`. This was added as a
+  workaround while browser implementations were incomplete, and should never be
+  used in production.
+* Replaced field `RegisteredCredential.publicKey: PublicKey` with
+  `publicKeyCose: ByteArray`. This means the library user no longer needs to
+  parse the public key before passing it back into the library.
+* `RelyingParty.finishAssertion` now throws `InvalidSignatureCountException`
+  instead of its supertype `AssertionFailedException` when signature count
+  validation is enabled and the received signature count is invalid.
+
+New features:
+
+* New parameter `StartAssertionOptions.userVerification` which is forwarded into
+  `PublicKeyCredentialRequestOptions` by `RelyingParty.startAssertion`
+
+
+== Version 0.6.0 ==
+
+Breaking changes:
+
 * Classes moved from package `com.yubico.webauthn.data` to `com.yubico.webauthn`:
  **  `AssertionRequest`
  **  `AssertionResult`

README

@@ -16,11 +16,7 @@ authenticators and authenticating registered authenticators.
 
 === Planned breaking changes
 
-* Update spec version from Candidate Recommendation 2018-03-20 to Proposed
-  Recommendation 2018-12-??. This will include at least:
- ** Renaming class `AttestationData` to `AttestedCredentialData`
- ** Deleting enum value `TokenBindingStatus.NOT_SUPPORTED` and constructor
-    `TokenBindingInfo.notSupported()`
+None.
 
 
 === Example Usage

webauthn-server-attestation/src/main/resources/metadata.json

@@ -10,6 +10,26 @@
     "-----BEGIN CERTIFICATE-----\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\n-----END CERTIFICATE-----"
   ],
   "devices": [
+    {
+      "deviceId": "1.3.6.1.4.1.41482.1.1",
+      "displayName": "Security Key NFC by Yubico",
+      "transports": 12,
+      "deviceUrl": "https://www.yubico.com/product/security-key-nfc-by-yubico/",
+      "imageUrl": "https://developers.yubico.com/U2F/Images/SKY-NFC.png",
+      "selectors": [
+        {
+          "type": "x509Extension",
+          "parameters": {
+            "key": "1.3.6.1.4.1.45724.1.1.4",
+            "value": {
+              "type": "hex",
+              "value": "6d44ba9bf6ec2e49b9300c8fe920cb73"
+            }
+          }
+        }
+      ]
+    },
+
     {
       "deviceId": "1.3.6.1.4.1.41482.1.1",
       "displayName": "Security Key by Yubico",

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java

@@ -25,14 +25,20 @@
 package com.yubico.webauthn;
 
 
+import COSE.CoseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.yubico.internal.util.CollectionUtil;
+import com.yubico.internal.util.WebAuthnCodecs;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
 import com.yubico.webauthn.data.CollectedClientData;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.UserVerificationRequirement;
+import com.yubico.webauthn.exception.InvalidSignatureCountException;
 import com.yubico.webauthn.extension.appid.AppId;
+import java.io.IOException;
+import java.security.PublicKey;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedList;
@@ -60,8 +66,6 @@ final class FinishAssertionSteps {
     private final String rpId;
     private final CredentialRepository credentialRepository;
 
-    @Builder.Default
-    private final boolean validateTypeAttribute = true;
     @Builder.Default
     private final boolean validateSignatureCounter = true;
     @Builder.Default
@@ -71,14 +75,14 @@ public Step0 begin() {
         return new Step0();
     }
 
-    public AssertionResult run() {
+    public AssertionResult run() throws InvalidSignatureCountException {
         return begin().run();
     }
 
     private interface Step<A extends Step<?, ?>, B extends Step<?, ?>> {
         B nextStep();
 
-        void validate();
+        void validate() throws InvalidSignatureCountException;
 
         List<String> getPrevWarnings();
 
@@ -101,12 +105,12 @@ default List<String> allWarnings() {
             return CollectionUtil.immutableList(result);
         }
 
-        default B next() {
+        default B next() throws InvalidSignatureCountException {
             validate();
             return nextStep();
         }
 
-        default AssertionResult run() {
+        default AssertionResult run() throws InvalidSignatureCountException {
             if (isFinished()) {
                 return result().get();
             } else {
@@ -330,18 +334,10 @@ public List<String> getWarnings() {
 
         @Override
         public void validate() {
-            if (!
-                CLIENT_DATA_TYPE.equals(clientData.getType())
-            ) {
-                final String message = String.format(
-                    "The \"type\" in the client data must be exactly \"%s\", was: %s", CLIENT_DATA_TYPE, clientData.getType()
-                );
-                if (validateTypeAttribute) {
-                    throw new IllegalArgumentException(message);
-                } else {
-                    warnings.add(message);
-                }
-            }
+            assure(CLIENT_DATA_TYPE.equals(clientData.getType()),
+                "The \"type\" in the client data must be exactly \"%s\", was: %s",
+                CLIENT_DATA_TYPE, clientData.getType()
+            );
         }
 
         @Override
@@ -553,9 +549,29 @@ public class Step16 implements Step<Step15, Step17> {
 
         @Override
         public void validate() {
+            final ByteArray cose = credential.getPublicKeyCose();
+            final PublicKey key;
+
+            try {
+                key = WebAuthnCodecs.importCoseP256PublicKey(cose);
+            } catch (CoseException | IOException e) {
+                String coseString;
+                try {
+                    coseString = WebAuthnCodecs.json().writeValueAsString(cose.getBytes());
+                } catch (JsonProcessingException e2) {
+                    coseString = "(Failed to write as string)";
+                }
+
+                throw new IllegalArgumentException(String.format(
+                    "Failed to decode public key: Credential ID: {} COSE: {}",
+                    credential.getCredentialId().getBase64Url(),
+                    coseString
+                ));
+            }
+
             if (!
                 crypto.verifySignature(
-                    credential.getPublicKey(),
+                    key,
                     signedBytes(),
                     response.getResponse().getSignature()
                 )
@@ -581,13 +597,15 @@ public class Step17 implements Step<Step16, Finished> {
         private final List<String> prevWarnings;
 
         @Override
-        public void validate() {
+        public void validate() throws InvalidSignatureCountException {
             if (validateSignatureCounter) {
-                assure(
-                    signatureCounterValid(),
-                    "Signature counter must increase. Stored value: %s, received value: %s",
-                    storedSignatureCountBefore(), assertionSignatureCount()
-                );
+                if (!signatureCounterValid()) {
+                    throw new InvalidSignatureCountException(
+                        response.getId(),
+                        storedSignatureCountBefore() + 1,
+                        assertionSignatureCount()
+                    );
+                }
             }
         }
 

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java

@@ -68,14 +68,12 @@ final class FinishRegistrationSteps {
     private final Optional<ByteArray> callerTokenBindingId;
     private final Set<String> origins;
     private final String rpId;
-    private final Boolean allowUntrustedAttestation;
+    private final boolean allowUntrustedAttestation;
     private final Optional<MetadataService> metadataService;
     private final CredentialRepository credentialRepository;
 
     @Builder.Default
-    private final Boolean allowUnrequestedExtensions = false;
-    @Builder.Default
-    private final Boolean validateTypeAttribute = true;
+    private final boolean allowUnrequestedExtensions = false;
 
 
     public Step1 begin() {
@@ -172,20 +170,10 @@ public class Step3 implements Step<Step4> {
 
         @Override
         public void validate() {
-            final String type = clientData.getType();
-
-            if (!CLIENT_DATA_TYPE.equals(type)) {
-                final String message = String.format(
-                    "The \"type\" in the client data must be exactly \"%s\", was: %s",
-                    CLIENT_DATA_TYPE, clientData.getType()
-                );
-
-                if (validateTypeAttribute) {
-                    throw new IllegalArgumentException(message);
-                } else {
-                    warnings.add(message);
-                }
-            }
+            assure(CLIENT_DATA_TYPE.equals(clientData.getType()),
+                "The \"type\" in the client data must be exactly \"%s\", was: %s",
+                CLIENT_DATA_TYPE, clientData.getType()
+            );
         }
 
         @Override

webauthn-server-core/src/main/java/com/yubico/webauthn/RegisteredCredential.java

@@ -24,12 +24,12 @@
 
 package com.yubico.webauthn;
 
+import com.yubico.webauthn.data.AttestedCredentialData;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.AuthenticatorData;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
 import com.yubico.webauthn.data.UserIdentity;
-import java.security.PublicKey;
 import lombok.AccessLevel;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
@@ -71,17 +71,19 @@ public class RegisteredCredential {
     private final ByteArray userHandle;
 
     /**
-     * The public key of the credential.
+     * The credential public key encoded in COSE_Key format, as defined in Section 7 of <a
+     * href="https://tools.ietf.org/html/rfc8152">RFC 8152</a>.
      *
      * <p>
      * This is used to verify the {@link AuthenticatorAssertionResponse#getSignature() signature} in authentication
      * assertions.
      * </p>
      *
+     * @see AttestedCredentialData#getCredentialPublicKey()
      * @see RegistrationResult#getPublicKeyCose()
      */
     @NonNull
-    private final PublicKey publicKey;
+    private final ByteArray publicKeyCose;
 
     /**
      * The stored <a href="https://w3c.github.io/webauthn/#signcount">signature count</a> of the credential.
@@ -116,8 +118,8 @@ public Step3 userHandle(ByteArray userHandle) {
                 }
             }
             public class Step3 {
-                public RegisteredCredentialBuilder publicKey(PublicKey publicKey) {
-                    return builder.publicKey(publicKey);
+                public RegisteredCredentialBuilder publicKeyCose(ByteArray publicKeyCose) {
+                    return builder.publicKeyCose(publicKeyCose);
                 }
             }
         }

webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java

@@ -87,7 +87,7 @@ public class RegistrationResult {
      * signatures.
      * </p>
      *
-     * @see RegisteredCredential#getPublicKey()
+     * @see RegisteredCredential#getPublicKeyCose()
      */
     @NonNull
     private final ByteArray publicKeyCose;