Yubico · AdamVe · May 16, 2025 · May 16, 2025 · May 20, 2025 · May 21, 2025
diff --git a/fido/src/main/java/com/yubico/yubikit/fido/client/extensions/HmacSecretExtension.java b/fido/src/main/java/com/yubico/yubikit/fido/client/extensions/HmacSecretExtension.java
diff --git a/fido/src/main/java/com/yubico/yubikit/fido/client/extensions/ThirdPartyPaymentExtension.java b/fido/src/main/java/com/yubico/yubikit/fido/client/extensions/ThirdPartyPaymentExtension.java
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2025 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.fido.client.extensions;
+
+import com.yubico.yubikit.fido.ctap.Ctap2Session;
+import com.yubico.yubikit.fido.ctap.PinUvAuthProtocol;
+import com.yubico.yubikit.fido.webauthn.Extensions;
+import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions;
+import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions;
+import java.util.Collections;
+import java.util.Map;
+import javax.annotation.Nullable;
+
+/**
+ * Implements the Third-party payment authentication (thirdPartyPayment) CTAP2 extension.
+ *
+ * <p>This extension allows a Relying Party to indicate that a credential can be used for Payment
+ * authentication initiated by a party (website or native application) that is not the Relying
+ * Party.
+ *
+ * <p>Note that most of the processing for the WebAuthn extension needs to be done by the client.
+ * Therefore this extension is not included in the default extensions list, and should not be used
+ * without a client that supports the WebAuthn payment extension.
+ *
+ * @see <a
+ *     href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-thirdPartyPayment-extension">Third-Party
+ *     Payment authentication (thirdPartyPayment)</a>
+ * @see <a href="https://www.w3.org/TR/secure-payment-confirmation">Secure Payment Confirmation</a>
+ */
+public class ThirdPartyPaymentExtension extends Extension {
+
+  private static final String THIRD_PARTY_PAYMENT = "thirdPartyPayment";
+  private static final String PAYMENT = "payment";
+  private static final String IS_PAYMENT = "isPayment";
+
+  public ThirdPartyPaymentExtension() {
+    super(THIRD_PARTY_PAYMENT);
+  }
+
+  @Nullable
+  @Override
+  public RegistrationProcessor makeCredential(
+      Ctap2Session ctap,
+      PublicKeyCredentialCreationOptions options,
+      PinUvAuthProtocol pinUvAuthProtocol) {
+
+    if (!isSupported(ctap)) {
+      return null;
+    }
+
+    Boolean isPayment = getIsPayment(options.getExtensions());
+    if (isPayment == null) {
+      return null;
+    }
+
+    return new RegistrationProcessor(
+        (pinToken) ->
+            Collections.singletonMap(THIRD_PARTY_PAYMENT, Boolean.TRUE.equals(isPayment)));
+  }
+
+  @Nullable
+  @Override
+  public AuthenticationProcessor getAssertion(
+      Ctap2Session ctap,
+      PublicKeyCredentialRequestOptions options,
+      PinUvAuthProtocol pinUvAuthProtocol) {
+
+    if (!isSupported(ctap)) {
+      return null;
+    }
+
+    Boolean isPayment = getIsPayment(options.getExtensions());
+    if (isPayment == null) {
+      return null;
+    }
+
+    final AuthenticationInput prepareInput =
+        (selected, pinToken) ->
+            Collections.singletonMap(THIRD_PARTY_PAYMENT, Boolean.TRUE.equals(isPayment));
+
+    return new AuthenticationProcessor(prepareInput);
+  }
+
+  @SuppressWarnings("unchecked")
+  @Nullable
+  private Boolean getIsPayment(@Nullable Extensions extensions) {
+    if (extensions == null) {
+      return null;
+    }
+
+    Map<String, ?> payment = (Map<String, ?>) extensions.get(PAYMENT);
+    if (payment == null) {
+      return null;
+    }
+
+    return (Boolean) payment.get(IS_PAYMENT);
+  }
+}
diff --git a/fido/src/main/java/com/yubico/yubikit/fido/ctap/ClientPin.java b/fido/src/main/java/com/yubico/yubikit/fido/ctap/ClientPin.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2020-2023 Yubico.
+ * Copyright (C) 2020-2025 Yubico.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -61,6 +61,7 @@ public class ClientPin {
   public static final int PIN_PERMISSION_BE = 0x08;
   public static final int PIN_PERMISSION_LBW = 0x10;
   public static final int PIN_PERMISSION_ACFG = 0x20;
+  public static final int PIN_PERMISSION_PCMR = 0x40;
 
   private final Ctap2Session ctap;
   private final PinUvAuthProtocol pinUvAuth;

diff --git a/fido/src/main/java/com/yubico/yubikit/fido/ctap/CredentialManagement.java b/fido/src/main/java/com/yubico/yubikit/fido/ctap/CredentialManagement.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2020-2023 Yubico.
+ * Copyright (C) 2020-2025 Yubico.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,10 @@ public static boolean isSupported(Ctap2Session.InfoData info) {
     return supportsCredMgmt(info) || supportsCredentialMgmtPreview(info);
   }
 
+  public static boolean isReadonlySupported(Ctap2Session.InfoData info) {
+    return Boolean.TRUE.equals(info.getOptions().get("perCredMgmtRO"));
+  }
+
   private static boolean supportsCredMgmt(Ctap2Session.InfoData info) {
     return Boolean.TRUE.equals(info.getOptions().get("credMgmt"));
   }