Don't return transports from attestation if unknown or empty

emlun · emlun · commit 00bab2df39a9 · 2021-04-19T18:41:21.000+02:00
diff --git a/NEWS b/NEWS
@@ -1,3 +1,11 @@
+== Version 1.9.0 (unreleased) ==
+
+webauthn-server-attestation:
+
+* Fixed that `SimpleAttestationResolver` would return empty transports when
+  transports are unknown.
+
+
 == Version 1.8.0 ==
 
 Changes:
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolver.java
@@ -31,6 +31,7 @@
 import com.yubico.internal.util.CertificateParser;
 import com.yubico.internal.util.CollectionUtil;
 import com.yubico.internal.util.ExceptionUtil;
+import com.yubico.internal.util.OptionalUtil;
 import com.yubico.webauthn.attestation.Attestation;
 import com.yubico.webauthn.attestation.AttestationResolver;
 import com.yubico.webauthn.attestation.DeviceMatcher;
@@ -135,9 +136,11 @@ public Optional<Attestation> resolve(
                   .vendorProperties(Optional.of(vendorProperties))
                   .deviceProperties(Optional.ofNullable(deviceProperties))
                   .transports(
-                      Optional.of(
-                          Transport.fromInt(
-                              getTransports(attestationCertificate) | metadataTransports)))
+                      OptionalUtil.zipWith(
+                              getTransports(attestationCertificate),
+                              Optional.of(metadataTransports).filter(t -> t != 0),
+                              (a, b) -> a | b)
+                          .map(Transport::fromInt))
                   .build();
             });
   }
@@ -158,11 +161,11 @@ private boolean deviceMatches(
     }
   }
 
-  private static int getTransports(X509Certificate cert) {
+  private static Optional<Integer> getTransports(X509Certificate cert) {
     byte[] extensionValue = cert.getExtensionValue(TRANSPORTS_EXT_OID);
 
     if (extensionValue == null) {
-      return 0;
+      return Optional.empty();
     }
 
     ExceptionUtil.assure(
@@ -186,14 +189,14 @@ private static int getTransports(X509Certificate cert) {
       }
     }
 
-    return transports;
+    return Optional.of(transports);
   }
 
   @Override
   public Attestation untrustedFromCertificate(X509Certificate attestationCertificate) {
     return Attestation.builder()
         .trusted(false)
-        .transports(Optional.of(Transport.fromInt(getTransports(attestationCertificate))))
+        .transports(getTransports(attestationCertificate).map(Transport::fromInt))
         .build();
   }
 }
diff --git a/yubico-util/src/main/java/com/yubico/internal/util/OptionalUtil.java b/yubico-util/src/main/java/com/yubico/internal/util/OptionalUtil.java
@@ -0,0 +1,27 @@
+package com.yubico.internal.util;
+
+import java.util.Optional;
+import java.util.function.BinaryOperator;
+import lombok.experimental.UtilityClass;
+
+/** Utilities for working with {@link Optional} values. */
+@UtilityClass
+public class OptionalUtil {
+
+  /**
+   * If both <code>a</code> and <code>b</code> are present, return <code>f(a, b)</code>.
+   *
+   * <p>If only <code>a</code> is present, return <code>a</code>.
+   *
+   * <p>Otherwise, return <code>b</code>.
+   */
+  public static <T> Optional<T> zipWith(Optional<T> a, Optional<T> b, BinaryOperator<T> f) {
+    if (a.isPresent() && b.isPresent()) {
+      return Optional.of(f.apply(a.get(), b.get()));
+    } else if (a.isPresent()) {
+      return a;
+    } else {
+      return b;
+    }
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@`
`31`	`31`	`import com.yubico.internal.util.CertificateParser;`
`32`	`32`	`import com.yubico.internal.util.CollectionUtil;`
`33`	`33`	`import com.yubico.internal.util.ExceptionUtil;`
	`34`	`+import com.yubico.internal.util.OptionalUtil;`
`34`	`35`	`import com.yubico.webauthn.attestation.Attestation;`
`35`	`36`	`import com.yubico.webauthn.attestation.AttestationResolver;`
`36`	`37`	`import com.yubico.webauthn.attestation.DeviceMatcher;`
`@@ -135,9 +136,11 @@ public Optional<Attestation> resolve(`
`135`	`136`	`.vendorProperties(Optional.of(vendorProperties))`
`136`	`137`	`.deviceProperties(Optional.ofNullable(deviceProperties))`
`137`	`138`	`.transports(`
`138`		`- Optional.of(`
`139`		`- Transport.fromInt(`
`140`		`- getTransports(attestationCertificate) \| metadataTransports)))`
	`139`	`+ OptionalUtil.zipWith(`
	`140`	`+ getTransports(attestationCertificate),`
	`141`	`+ Optional.of(metadataTransports).filter(t -> t != 0),`
	`142`	`+ (a, b) -> a \| b)`
	`143`	`+ .map(Transport::fromInt))`
`141`	`144`	`.build();`
`142`	`145`	`});`
`143`	`146`	`}`
`@@ -158,11 +161,11 @@ private boolean deviceMatches(`
`158`	`161`	`}`
`159`	`162`	`}`
`160`	`163`
`161`		`- private static int getTransports(X509Certificate cert) {`
	`164`	`+ private static Optional<Integer> getTransports(X509Certificate cert) {`
`162`	`165`	`byte[] extensionValue = cert.getExtensionValue(TRANSPORTS_EXT_OID);`
`163`	`166`
`164`	`167`	`if (extensionValue == null) {`
`165`		`- return 0;`
	`168`	`+ return Optional.empty();`
`166`	`169`	`}`
`167`	`170`
`168`	`171`	`ExceptionUtil.assure(`
`@@ -186,14 +189,14 @@ private static int getTransports(X509Certificate cert) {`
`186`	`189`	`}`
`187`	`190`	`}`
`188`	`191`
`189`		`- return transports;`
	`192`	`+ return Optional.of(transports);`
`190`	`193`	`}`
`191`	`194`
`192`	`195`	`@Override`
`193`	`196`	`public Attestation untrustedFromCertificate(X509Certificate attestationCertificate) {`
`194`	`197`	`return Attestation.builder()`
`195`	`198`	`.trusted(false)`
`196`		`- .transports(Optional.of(Transport.fromInt(getTransports(attestationCertificate))))`
	`199`	`+ .transports(getTransports(attestationCertificate).map(Transport::fromInt))`
`197`	`200`	`.build();`
`198`	`201`	`}`
`199`	`202`	`}`