Add PRF extension to tests

emlun · emlun · commit acebf793443e · 2025-04-01T12:12:02.000+02:00
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/data/Extensions.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/data/Extensions.java
@@ -908,7 +908,7 @@ public static class PrfRegistrationOutput {
        * @see <a href="https://www.w3.org/TR/webauthn-3/#prf-extension">§10.1.4. Pseudo-random
        *     function extension (prf)</a>
        */
-      @JsonProperty private final boolean enabled;
+      @JsonProperty private final Boolean enabled;
 
       /**
        * The results of evaluating the PRF for the inputs given in eval or evalByCredential.
@@ -919,14 +919,14 @@ public static class PrfRegistrationOutput {
       @JsonProperty private final PrfValues results;
 
       @JsonCreator
-      private PrfRegistrationOutput(
-          @JsonProperty("enabled") boolean enabled, @JsonProperty("results") PrfValues results) {
+      PrfRegistrationOutput(
+          @JsonProperty("enabled") Boolean enabled, @JsonProperty("results") PrfValues results) {
         this.enabled = enabled;
         this.results = results;
       }
 
       /** TODO */
-      public static PrfRegistrationOutput enabled(final boolean enabled) {
+      public static PrfRegistrationOutput enabled(final Boolean enabled) {
         return new PrfRegistrationOutput(enabled, null);
       }
 
@@ -936,7 +936,7 @@ public static PrfRegistrationOutput results(final PrfValues results) {
       }
 
       public Optional<Boolean> getEnabled() {
-        return Optional.of(enabled);
+        return Optional.ofNullable(enabled);
       }
 
       public Optional<PrfValues> getResults() {
@@ -963,7 +963,7 @@ public static class PrfAuthenticationOutput {
       @JsonProperty private final PrfValues results;
 
       @JsonCreator
-      private PrfAuthenticationOutput(@JsonProperty("results") PrfValues results) {
+      PrfAuthenticationOutput(@JsonProperty("results") PrfValues results) {
         this.results = results;
       }
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala
@@ -41,7 +41,9 @@ import com.yubico.webauthn.data.ClientAssertionExtensionOutputs
 import com.yubico.webauthn.data.CollectedClientData
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobAuthenticationInput
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobAuthenticationOutput
+import com.yubico.webauthn.data.Extensions.Prf.PrfAuthenticationOutput
 import com.yubico.webauthn.data.Extensions.Uvm.UvmEntry
+import com.yubico.webauthn.data.Generators.Extensions.Prf.arbitraryPrfAuthenticationOutput
 import com.yubico.webauthn.data.Generators._
 import com.yubico.webauthn.data.PublicKeyCredential
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
@@ -2579,6 +2581,33 @@ class RelyingPartyAssertionSpec
         }
       }
 
+      it("pass through prf extension outputs when present.") {
+        forAll(minSuccessful(3)) { prfOutput: PrfAuthenticationOutput =>
+          val result = rp.finishAssertion(
+            FinishAssertionOptions
+              .builder()
+              .request(
+                testDataBase.assertion.get.request
+              )
+              .response(
+                testDataBase.assertion.get.response.toBuilder
+                  .clientExtensionResults(
+                    ClientAssertionExtensionOutputs
+                      .builder()
+                      .prf(prfOutput)
+                      .build()
+                  )
+                  .build()
+              )
+              .build()
+          )
+
+          result.getClientExtensionOutputs.get().getPrf.toScala should equal(
+            Some(prfOutput)
+          )
+        }
+      }
+
       describe("support the uvm extension") {
         it("at authentication time.") {
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
@@ -57,7 +57,9 @@ import com.yubico.webauthn.data.Extensions.CredentialProtection.CredentialProtec
 import com.yubico.webauthn.data.Extensions.CredentialProtection.CredentialProtectionPolicy
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobRegistrationInput.LargeBlobSupport
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobRegistrationOutput
+import com.yubico.webauthn.data.Extensions.Prf.PrfRegistrationOutput
 import com.yubico.webauthn.data.Extensions.Uvm.UvmEntry
+import com.yubico.webauthn.data.Generators.Extensions.Prf.arbitraryPrfRegistrationOutput
 import com.yubico.webauthn.data.Generators._
 import com.yubico.webauthn.data.PublicKeyCredential
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
@@ -4550,6 +4552,31 @@ class RelyingPartyRegistrationSpec
         }
       }
 
+      it("pass through prf extension outputs when present.") {
+        forAll(minSuccessful(3)) { prfOutput: PrfRegistrationOutput =>
+          val testData = RegistrationTestData.Packed.BasicAttestation
+          val result = rp.finishRegistration(
+            FinishRegistrationOptions
+              .builder()
+              .request(testData.request)
+              .response(
+                testData.response.toBuilder
+                  .clientExtensionResults(
+                    ClientRegistrationExtensionOutputs
+                      .builder()
+                      .prf(prfOutput)
+                      .build()
+                  )
+                  .build()
+              )
+              .build()
+          )
+          result.getClientExtensionOutputs.get().getPrf.toScala should equal(
+            Some(prfOutput)
+          )
+        }
+      }
+
       describe("support the uvm extension") {
         it("at registration time.") {
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyStartOperationSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyStartOperationSpec.scala
@@ -34,6 +34,10 @@ import com.yubico.webauthn.data.AuthenticatorTransport
 import com.yubico.webauthn.data.ByteArray
 import com.yubico.webauthn.data.Extensions.CredentialProtection.CredentialProtectionInput
 import com.yubico.webauthn.data.Extensions.CredentialProtection.CredentialProtectionPolicy
+import com.yubico.webauthn.data.Extensions.Prf.PrfAuthenticationInput
+import com.yubico.webauthn.data.Extensions.Prf.PrfRegistrationInput
+import com.yubico.webauthn.data.Generators.Extensions.Prf.arbitraryPrfAuthenticationInput
+import com.yubico.webauthn.data.Generators.Extensions.Prf.arbitraryPrfRegistrationInput
 import com.yubico.webauthn.data.Generators.Extensions.registrationExtensionInputs
 import com.yubico.webauthn.data.Generators._
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
@@ -578,6 +582,40 @@ class RelyingPartyStartOperationSpec
         }
       }
 
+      it("by default does not set the prf extension.") {
+        val rp = relyingParty(userId = userId)
+        val result = rp.startRegistration(
+          StartRegistrationOptions
+            .builder()
+            .user(userId)
+            .build()
+        )
+        result.getExtensions.getPrf.toScala should be(
+          None
+        )
+      }
+
+      it("sets the prf extension if enabled in StartRegistrationOptions.") {
+        forAll {
+          (
+              extensions: RegistrationExtensionInputs,
+              prf: PrfRegistrationInput,
+          ) =>
+            val rp = relyingParty(userId = userId)
+            val result = rp.startRegistration(
+              StartRegistrationOptions
+                .builder()
+                .user(userId)
+                .extensions(extensions.toBuilder.prf(prf).build())
+                .build()
+            )
+
+            result.getExtensions.getPrf.toScala should equal(
+              Some(prf)
+            )
+        }
+      }
+
       it("respects the residentKey setting.") {
         val rp = relyingParty(userId = userId)
 
@@ -1063,6 +1101,35 @@ class RelyingPartyStartOperationSpec
           )
         }
       }
+
+      it("by default does not set the prf extension.") {
+        val rp = relyingParty(userId = userId)
+        val result = rp.startAssertion(
+          StartAssertionOptions
+            .builder()
+            .build()
+        )
+        result.getPublicKeyCredentialRequestOptions.getExtensions.getPrf.toScala should be(
+          None
+        )
+      }
+
+      it("sets the prf extension if enabled in StartAssertionOptions.") {
+        forAll {
+          (extensions: AssertionExtensionInputs, prf: PrfAuthenticationInput) =>
+            val rp = relyingParty(userId = userId)
+            val result = rp.startAssertion(
+              StartAssertionOptions
+                .builder()
+                .extensions(extensions.toBuilder.prf(prf).build())
+                .build()
+            )
+
+            result.getPublicKeyCredentialRequestOptions.getExtensions.getPrf.toScala should equal(
+              Some(prf)
+            )
+        }
+      }
     }
   }
 
@@ -1557,6 +1624,40 @@ class RelyingPartyStartOperationSpec
         }
       }
 
+      it("by default does not set the prf extension.") {
+        val rp = relyingParty(userId = userId)
+        val result = rp.startRegistration(
+          StartRegistrationOptions
+            .builder()
+            .user(userId)
+            .build()
+        )
+        result.getExtensions.getPrf.toScala should be(
+          None
+        )
+      }
+
+      it("sets the prf extension if enabled in StartRegistrationOptions.") {
+        forAll {
+          (
+              extensions: RegistrationExtensionInputs,
+              prf: PrfRegistrationInput,
+          ) =>
+            val rp = relyingParty(userId = userId)
+            val result = rp.startRegistration(
+              StartRegistrationOptions
+                .builder()
+                .user(userId)
+                .extensions(extensions.toBuilder.prf(prf).build())
+                .build()
+            )
+
+            result.getExtensions.getPrf.toScala should equal(
+              Some(prf)
+            )
+        }
+      }
+
       it("respects the residentKey setting.") {
         val rp = relyingParty(userId = userId)
 
@@ -2060,6 +2161,35 @@ class RelyingPartyStartOperationSpec
           )
         }
       }
+
+      it("by default does not set the prf extension.") {
+        val rp = relyingParty(userId = userId)
+        val result = rp.startAssertion(
+          StartAssertionOptions
+            .builder()
+            .build()
+        )
+        result.getPublicKeyCredentialRequestOptions.getExtensions.getPrf.toScala should be(
+          None
+        )
+      }
+
+      it("sets the prf extension if enabled in StartAssertionOptions.") {
+        forAll {
+          (extensions: AssertionExtensionInputs, prf: PrfAuthenticationInput) =>
+            val rp = relyingParty(userId = userId)
+            val result = rp.startAssertion(
+              StartAssertionOptions
+                .builder()
+                .extensions(extensions.toBuilder.prf(prf).build())
+                .build()
+            )
+
+            result.getPublicKeyCredentialRequestOptions.getExtensions.getPrf.toScala should equal(
+              Some(prf)
+            )
+        }
+      }
     }
   }
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2AssertionSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2AssertionSpec.scala
@@ -41,7 +41,9 @@ import com.yubico.webauthn.data.ClientAssertionExtensionOutputs
 import com.yubico.webauthn.data.CollectedClientData
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobAuthenticationInput
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobAuthenticationOutput
+import com.yubico.webauthn.data.Extensions.Prf.PrfAuthenticationOutput
 import com.yubico.webauthn.data.Extensions.Uvm.UvmEntry
+import com.yubico.webauthn.data.Generators.Extensions.Prf.arbitraryPrfAuthenticationOutput
 import com.yubico.webauthn.data.Generators._
 import com.yubico.webauthn.data.PublicKeyCredential
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
@@ -2657,6 +2659,35 @@ class RelyingPartyV2AssertionSpec
         }
       }
 
+      it("pass through prf extension outputs when present.") {
+        forAll(minSuccessful(3)) { prfOutput: PrfAuthenticationOutput =>
+          val result = rp.finishAssertion(
+            FinishAssertionOptions
+              .builder()
+              .request(
+                testDataBase.assertion.get.request.toBuilder
+                  .userHandle(testDataBase.userId.getId)
+                  .build()
+              )
+              .response(
+                testDataBase.assertion.get.response.toBuilder
+                  .clientExtensionResults(
+                    ClientAssertionExtensionOutputs
+                      .builder()
+                      .prf(prfOutput)
+                      .build()
+                  )
+                  .build()
+              )
+              .build()
+          )
+
+          result.getClientExtensionOutputs.get().getPrf.toScala should equal(
+            Some(prfOutput)
+          )
+        }
+      }
+
       describe("support the uvm extension") {
         it("at authentication time.") {
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2RegistrationSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2RegistrationSpec.scala
@@ -57,7 +57,9 @@ import com.yubico.webauthn.data.Extensions.CredentialProtection.CredentialProtec
 import com.yubico.webauthn.data.Extensions.CredentialProtection.CredentialProtectionPolicy
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobRegistrationInput.LargeBlobSupport
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobRegistrationOutput
+import com.yubico.webauthn.data.Extensions.Prf.PrfRegistrationOutput
 import com.yubico.webauthn.data.Extensions.Uvm.UvmEntry
+import com.yubico.webauthn.data.Generators.Extensions.Prf.arbitraryPrfRegistrationOutput
 import com.yubico.webauthn.data.Generators._
 import com.yubico.webauthn.data.PublicKeyCredential
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
@@ -4459,6 +4461,33 @@ class RelyingPartyV2RegistrationSpec
         }
       }
 
+      it("pass through prf extension outputs when present.") {
+        forAll(minSuccessful(3)) { prfOutput: PrfRegistrationOutput =>
+          val testData = RegistrationTestData.Packed.BasicAttestation
+          val result = rp.finishRegistration(
+            FinishRegistrationOptions
+              .builder()
+              .request(
+                testData.request
+              )
+              .response(
+                testData.response.toBuilder
+                  .clientExtensionResults(
+                    ClientRegistrationExtensionOutputs
+                      .builder()
+                      .prf(prfOutput)
+                      .build()
+                  )
+                  .build()
+              )
+              .build()
+          )
+          result.getClientExtensionOutputs.get().getPrf.toScala should equal(
+            Some(prfOutput)
+          )
+        }
+      }
+
       describe("support the uvm extension") {
         it("at registration time.") {
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/data/Generators.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/data/Generators.scala
