Release 1.6.0

Security fixes:

- Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942

`webauthn-server-core`:

Bug fixes:

- Fixed bug introduced in 1.4.0, which caused
  `RegistrationResult.attestationMetadata` to always be empty.

`webauthn-server-attestation`:

- New enum constant `Transport.LIGHTNING`
- Fixed transports field of YubiKey NEO/NEO-n in `metadata.json`.
- Added YubiKey 5Ci to `metadata.json`.
- Most `deviceUrl` fields in `metadata.json` changed to point to stable
  addresses in Yubico knowledge base instead of dead redirects in store.

Author: emlun

NEWS

@@ -1,3 +1,26 @@
+== Version 1.6.0 ==
+
+Security fixes:
+
+- Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942
+
+`webauthn-server-core`:
+
+Bug fixes:
+
+- Fixed bug introduced in 1.4.0, which caused
+  `RegistrationResult.attestationMetadata` to always be empty.
+
+
+`webauthn-server-attestation`:
+
+- New enum constant `Transport.LIGHTNING`
+- Fixed transports field of YubiKey NEO/NEO-n in `metadata.json`.
+- Added YubiKey 5Ci to `metadata.json`.
+- Most `deviceUrl` fields in `metadata.json` changed to point to stable
+  addresses in Yubico knowledge base instead of dead redirects in store.
+
+
 == Version 1.5.0 ==
 
 Changes:

build.gradle

@@ -51,9 +51,9 @@ allprojects {
 Map<String, String> dependencyVersions = [
   'ch.qos.logback:logback-classic:1.2.3',
   'com.augustcellars.cose:cose-java:1.0.0',
-  'com.fasterxml.jackson.core:jackson-databind:2.9.9.3',
-  'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.9.9',
-  'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.9',
+  'com.fasterxml.jackson.core:jackson-databind:2.9.10.1',
+  'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.9.10',
+  'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.10',
   'com.google.guava:guava:19.0',
   'com.upokecenter:cbor:4.0.1',
   'javax.activation:activation:1.1.1',

webauthn-server-attestation/src/main/resources/metadata.json

@@ -1,6 +1,6 @@
 {
   "identifier": "2fb54029-7613-4f1d-94f1-fb876c14a6fe",
-  "version": 5,
+  "version": 11,
   "vendorInfo": {
     "url": "https://yubico.com",
     "imageUrl": "https://developers.yubico.com/U2F/Images/yubico.png",
@@ -14,7 +14,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.1",
       "displayName": "Security Key NFC by Yubico",
       "transports": 12,
-      "deviceUrl": "https://www.yubico.com/product/security-key-nfc-by-yubico/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000019469-security-key-nfc",
       "imageUrl": "https://developers.yubico.com/U2F/Images/SKY-NFC.png",
       "selectors": [
         {
@@ -34,7 +34,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.1",
       "displayName": "Security Key by Yubico",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006900-security-key-by-yubico",
       "imageUrl": "https://developers.yubico.com/U2F/Images/SKY.png",
       "selectors": [
         {
@@ -55,8 +55,8 @@
     {
       "deviceId": "1.3.6.1.4.1.41482.1.2",
       "displayName": "YubiKey NEO/NEO-n",
-      "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/yubikey-neo/",
+      "transports": 12,
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo",
       "imageUrl": "https://developers.yubico.com/U2F/Images/NEO.png",
       "selectors": [
         {
@@ -100,7 +100,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.4",
       "displayName": "YubiKey Edge",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006492-yubikey-edge",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YKE.png",
       "selectors": [
         {
@@ -116,7 +116,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.5",
       "displayName": "YubiKey 4/YubiKey 4 Nano",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/yubikey4/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK4.png",
       "selectors": [
         {
@@ -132,7 +132,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.7",
       "displayName": "YubiKey 5 NFC",
       "transports": 12,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-5-overview/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000014174--yubikey-5-nfc",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK5.png",
       "selectors": [
         {
@@ -151,7 +151,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.7",
       "displayName": "YubiKey 5 Series security key",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-5-overview/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000014180-yubikey-5c",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK5-series.png",
       "selectors": [
         {
@@ -165,6 +165,25 @@
           }
         }
       ]
+    },
+    {
+      "deviceId": "1.3.6.1.4.1.41482.1.7",
+      "displayName": "YubiKey 5Ci",
+      "transports": 20,
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000027140-yubikey-5ci",
+      "imageUrl": "https://developers.yubico.com/U2F/Images/YK5Ci.png",
+      "selectors": [
+        {
+          "type": "x509Extension",
+          "parameters": {
+            "key": "1.3.6.1.4.1.45724.1.1.4",
+            "value": {
+              "type": "hex",
+              "value": "c5ef55ffad9a4b9fb580adebafe026d0"
+            }
+          }
+        }
+      ]
     }
   ]
 }

webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala

@@ -0,0 +1,154 @@
+// Copyright (c) 2018, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+//    list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+//    this list of conditions and the following disclaimer in the documentation
+//    and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.webauthn.attestation
+
+import java.util.Collections
+
+import com.yubico.internal.util.CertificateParser
+import com.yubico.internal.util.JacksonCodecs
+import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver
+import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
+import com.yubico.webauthn.test.RealExamples
+import com.yubico.webauthn.FinishRegistrationOptions
+import com.yubico.webauthn.RelyingParty
+import com.yubico.webauthn.attestation.Transport.LIGHTNING
+import com.yubico.webauthn.attestation.Transport.NFC
+import com.yubico.webauthn.attestation.Transport.USB
+import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
+import com.yubico.webauthn.data.PublicKeyCredentialParameters
+import com.yubico.webauthn.test.Helpers
+import org.junit.runner.RunWith
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatest.junit.JUnitRunner
+
+import scala.collection.JavaConverters._
+
+
+@RunWith(classOf[JUnitRunner])
+class DeviceIdentificationSpec extends FunSpec with Matchers {
+
+  def metadataService(metadataJson: String): StandardMetadataService = {
+    val metadata = Collections.singleton(JacksonCodecs.json().readValue(metadataJson, classOf[MetadataObject]))
+    new StandardMetadataService(
+      new SimpleAttestationResolver(metadata, SimpleTrustResolver.fromMetadata(metadata))
+    )
+  }
+
+  describe("A RelyingParty with the default StandardMetadataService") {
+
+    describe("correctly identifies") {
+      def check(expectedName: String, testData: RealExamples.Example, transports: Set[Transport]) {
+        val rp = RelyingParty.builder()
+          .identity(testData.rp)
+          .credentialRepository(Helpers.CredentialRepository.empty)
+          .metadataService(new StandardMetadataService())
+          .build()
+
+        val result = rp.finishRegistration(FinishRegistrationOptions.builder()
+          .request(PublicKeyCredentialCreationOptions.builder()
+            .rp(testData.rp)
+            .user(testData.user)
+            .challenge(testData.attestation.challenge)
+            .pubKeyCredParams(List(PublicKeyCredentialParameters.ES256).asJava)
+            .build())
+          .response(testData.attestation.credential)
+          .build());
+
+        result.isAttestationTrusted should be (true)
+        result.getAttestationMetadata.isPresent should be (true)
+        result.getAttestationMetadata.get.getDeviceProperties.isPresent should be (true)
+        result.getAttestationMetadata.get.getDeviceProperties.get().get("displayName") should equal (expectedName)
+        result.getAttestationMetadata.get.getTransports.isPresent should be (true)
+        result.getAttestationMetadata.get.getTransports.get.asScala should equal (transports)
+      }
+
+      it("a YubiKey NEO.") {
+        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo, Set(USB, NFC))
+      }
+      it("a YubiKey 4.") {
+        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4, Set(USB))
+      }
+      it("a YubiKey 5 NFC.") {
+        check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
+      }
+      it("a YubiKey 5 Nano.") {
+        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
+      }
+      it("a YubiKey 5Ci.") {
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
+      }
+      it("a Security Key by Yubico.") {
+        check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
+      }
+      it("a Security Key 2 by Yubico.") {
+        check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
+      }
+      it("a Security Key NFC by Yubico.") {
+        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc, Set(USB, NFC))
+      }
+    }
+  }
+
+  describe("The default AttestationResolver") {
+    describe("successfully identifies") {
+      def check(expectedName: String, testData: RealExamples.Example, transports: Set[Transport]) {
+        val cert = CertificateParser.parseDer(testData.attestationCert.getBytes)
+        val resolved = StandardMetadataService.createDefaultAttestationResolver().resolve(cert)
+        resolved.isPresent should be (true)
+        resolved.get.getDeviceProperties.isPresent should be (true)
+        resolved.get.getDeviceProperties.get.get("displayName") should equal (expectedName)
+        resolved.get.getTransports.isPresent should be (true)
+        resolved.get.getTransports.get.asScala should equal (transports)
+      }
+
+      it("a YubiKey NEO.") {
+        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo, Set(USB, NFC))
+      }
+      it("a YubiKey 4.") {
+        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4, Set(USB))
+      }
+      it("a YubiKey 5 NFC.") {
+        check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
+      }
+      it("a YubiKey 5 Nano.") {
+        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
+      }
+      it("a YubiKey 5Ci.") {
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
+      }
+      it("a Security Key by Yubico.") {
+        check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
+      }
+      it("a Security Key 2 by Yubico.") {
+        check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
+      }
+      it("a Security Key NFC by Yubico.") {
+        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc, Set(USB, NFC))
+      }
+    }
+  }
+
+}

webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java

@@ -112,9 +112,8 @@ public class RegistrationResult {
      * @see <a href="https://www.w3.org/TR/2019/PR-webauthn-20190117/#sctn-attestation">§6.4. Attestation</a>
      * @see com.yubico.webauthn.RelyingParty.RelyingPartyBuilder#metadataService(Optional)
      */
-    @Builder.Default
     @Builder.ObtainVia(method = "getAttestationMetadata")
-    private final Attestation attestationMetadata = null;
+    private final Attestation attestationMetadata;
 
     @JsonCreator
     private RegistrationResult(

webauthn-server-core/src/main/java/com/yubico/webauthn/attestation/Transport.java

@@ -50,7 +50,12 @@ public enum Transport {
     /**
      * The authenticator supports communication via Near Field Communication (NFC).
      */
-    NFC(8);
+    NFC(8),
+
+    /**
+     * The authenticator supports communication via Lightning.
+     */
+    LIGHTNING(16);
 
     private final int bitpos;