Merge pull request #363 from Yubico/credProps-authenticatorDisplayName

Added credProps.authenticatorDisplayName

Author: fdennis

NEWS

@@ -51,6 +51,10 @@ New features:
 * (Experimental) Added property `RegisteredCredential.transports`.
  ** NOTE: Experimental features may receive breaking changes without a major
     version increase.
+* (Experimental) Added property `credProps.authenticatorDisplayName`.
+ ** NOTE: Experimental features may receive breaking changes without a major
+    version increase.
+* (Experimental) Added `credProps` extension to assertion extension outputs.
 
 
 == Version 2.5.2 ==

webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java

@@ -35,6 +35,7 @@
 import com.yubico.webauthn.data.AuthenticatorResponse;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
+import com.yubico.webauthn.data.Extensions;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions;
 import com.yubico.webauthn.data.UserIdentity;
@@ -281,4 +282,33 @@ public Optional<AuthenticatorAssertionExtensionOutputs> getAuthenticatorExtensio
     return AuthenticatorAssertionExtensionOutputs.fromAuthenticatorData(
         credentialResponse.getResponse().getParsedAuthenticatorData());
   }
+
+  /**
+   * Retrieve a suitable nickname for this credential, if one is available. This MAY differ from
+   * {@link RegistrationResult#getAuthenticatorDisplayName() the value returned during
+   * registration}, if any. In that case the application may want to offer the user to update the
+   * previously stored value, if any.
+   *
+   * <p>This returns the <code>authenticatorDisplayName</code> output from the <a
+   * href="https://w3c.github.io/webauthn/#sctn-authenticator-credential-properties-extension">
+   * <code>credProps</code></a> extension.
+   *
+   * @return A user-chosen or vendor-default display name for the credential, if available.
+   *     Otherwise empty.
+   * @see <a
+   *     href="https://w3c.github.io/webauthn/#dom-credentialpropertiesoutput-authenticatordisplayname">
+   *     <code>authenticatorDisplayName</code> in §10.1.3. Credential Properties Extension
+   *     (credProps)</a>
+   * @see RegistrationResult#getAuthenticatorDisplayName()
+   * @see Extensions.CredentialProperties.CredentialPropertiesOutput#getAuthenticatorDisplayName()
+   * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
+   *     the standard matures.
+   */
+  @JsonIgnore
+  @Deprecated
+  public Optional<String> getAuthenticatorDisplayName() {
+    return getClientExtensionOutputs()
+        .flatMap(outputs -> outputs.getCredProps())
+        .flatMap(credProps -> credProps.getAuthenticatorDisplayName());
+  }
 }

webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResultV2.java

@@ -35,6 +35,7 @@
 import com.yubico.webauthn.data.AuthenticatorResponse;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
+import com.yubico.webauthn.data.Extensions;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import java.util.Optional;
 import lombok.AccessLevel;
@@ -243,4 +244,33 @@ public Optional<AuthenticatorAssertionExtensionOutputs> getAuthenticatorExtensio
     return AuthenticatorAssertionExtensionOutputs.fromAuthenticatorData(
         credentialResponse.getResponse().getParsedAuthenticatorData());
   }
+
+  /**
+   * Retrieve a suitable nickname for this credential, if one is available. This MAY differ from
+   * {@link RegistrationResult#getAuthenticatorDisplayName() the value returned during
+   * registration}, if any. In that case the application may want to offer the user to update the
+   * previously stored value, if any.
+   *
+   * <p>This returns the <code>authenticatorDisplayName</code> output from the <a
+   * href="https://w3c.github.io/webauthn/#sctn-authenticator-credential-properties-extension">
+   * <code>credProps</code></a> extension.
+   *
+   * @return A user-chosen or vendor-default display name for the credential, if available.
+   *     Otherwise empty.
+   * @see <a
+   *     href="https://w3c.github.io/webauthn/#dom-credentialpropertiesoutput-authenticatordisplayname">
+   *     <code>authenticatorDisplayName</code> in §10.1.3. Credential Properties Extension
+   *     (credProps)</a>
+   * @see RegistrationResult#getAuthenticatorDisplayName()
+   * @see Extensions.CredentialProperties.CredentialPropertiesOutput#getAuthenticatorDisplayName()
+   * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
+   *     the standard matures.
+   */
+  @JsonIgnore
+  @Deprecated
+  public Optional<String> getAuthenticatorDisplayName() {
+    return getClientExtensionOutputs()
+        .flatMap(outputs -> outputs.getCredProps())
+        .flatMap(credProps -> credProps.getAuthenticatorDisplayName());
+  }
 }

webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java

@@ -39,6 +39,7 @@
 import com.yubico.webauthn.data.AuthenticatorResponse;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
+import com.yubico.webauthn.data.Extensions;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
 import java.io.IOException;
@@ -367,6 +368,33 @@ public Optional<Boolean> isDiscoverable() {
         .flatMap(credProps -> credProps.getRk());
   }
 
+  /**
+   * Retrieve a suitable nickname for this credential, if one is available.
+   *
+   * <p>This returns the <code>authenticatorDisplayName</code> output from the <a
+   * href="https://w3c.github.io/webauthn/#sctn-authenticator-credential-properties-extension">
+   * <code>credProps</code></a> extension.
+   *
+   * @return A user-chosen or vendor-default display name for the credential, if available.
+   *     Otherwise empty.
+   * @see <a
+   *     href="https://w3c.github.io/webauthn/#dom-credentialpropertiesoutput-authenticatordisplayname">
+   *     <code>authenticatorDisplayName</code> in §10.1.3. Credential Properties Extension
+   *     (credProps)</a>
+   * @see AssertionResult#getAuthenticatorDisplayName()
+   * @see AssertionResultV2#getAuthenticatorDisplayName()
+   * @see Extensions.CredentialProperties.CredentialPropertiesOutput#getAuthenticatorDisplayName()
+   * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
+   *     the standard matures.
+   */
+  @JsonIgnore
+  @Deprecated
+  public Optional<String> getAuthenticatorDisplayName() {
+    return getClientExtensionOutputs()
+        .flatMap(outputs -> outputs.getCredProps())
+        .flatMap(credProps -> credProps.getAuthenticatorDisplayName());
+  }
+
   /**
    * The <a
    * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#attestation-trust-path">attestation

webauthn-server-core/src/main/java/com/yubico/webauthn/data/ClientAssertionExtensionOutputs.java

@@ -64,13 +64,18 @@ public class ClientAssertionExtensionOutputs implements ClientExtensionOutputs {
    */
   private final Boolean appid;
 
+  private final Extensions.CredentialProperties.CredentialPropertiesOutput credProps;
+
   private final Extensions.LargeBlob.LargeBlobAuthenticationOutput largeBlob;
 
   @JsonCreator
   private ClientAssertionExtensionOutputs(
       @JsonProperty("appid") Boolean appid,
+      @JsonProperty("credProps")
+          Extensions.CredentialProperties.CredentialPropertiesOutput credProps,
       @JsonProperty("largeBlob") Extensions.LargeBlob.LargeBlobAuthenticationOutput largeBlob) {
     this.appid = appid;
+    this.credProps = credProps;
     this.largeBlob = largeBlob;
   }
 
@@ -81,6 +86,9 @@ public Set<String> getExtensionIds() {
     if (appid != null) {
       ids.add(Extensions.Appid.EXTENSION_ID);
     }
+    if (credProps != null) {
+      ids.add(Extensions.CredentialProperties.EXTENSION_ID);
+    }
     if (largeBlob != null) {
       ids.add(Extensions.LargeBlob.EXTENSION_ID);
     }
@@ -100,6 +108,24 @@ public Optional<Boolean> getAppid() {
     return Optional.ofNullable(appid);
   }
 
+  /**
+   * The extension output for the Credential Properties Extension (<code>credProps</code>), if any.
+   *
+   * <p>This value MAY be present but have all members empty if the extension was successfully
+   * processed but no credential properties could be determined.
+   *
+   * @see com.yubico.webauthn.data.Extensions.CredentialProperties.CredentialPropertiesOutput
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-authenticator-credential-properties-extension">§10.4.
+   *     Credential Properties Extension (credProps)</a>
+   * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
+   *     the standard matures.
+   */
+  @Deprecated
+  public Optional<Extensions.CredentialProperties.CredentialPropertiesOutput> getCredProps() {
+    return Optional.ofNullable(credProps);
+  }
+
   /**
    * The extension output for the <a
    * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-large-blob-extension">Large blob

webauthn-server-core/src/main/java/com/yubico/webauthn/data/Extensions.java

@@ -6,6 +6,9 @@
 import com.fasterxml.jackson.annotation.JsonValue;
 import com.upokecenter.cbor.CBORObject;
 import com.upokecenter.cbor.CBORType;
+import com.yubico.webauthn.AssertionResult;
+import com.yubico.webauthn.AssertionResultV2;
+import com.yubico.webauthn.RegistrationResult;
 import com.yubico.webauthn.StartRegistrationOptions;
 import com.yubico.webauthn.extension.uvm.KeyProtectionType;
 import com.yubico.webauthn.extension.uvm.MatcherProtectionType;
@@ -71,9 +74,15 @@ public static class CredentialPropertiesOutput {
       @JsonProperty("rk")
       private final Boolean rk;
 
+      @JsonProperty("authenticatorDisplayName")
+      private final String authenticatorDisplayName;
+
       @JsonCreator
-      private CredentialPropertiesOutput(@JsonProperty("rk") Boolean rk) {
+      private CredentialPropertiesOutput(
+          @JsonProperty("rk") Boolean rk,
+          @JsonProperty("authenticatorDisplayName") String authenticatorDisplayName) {
         this.rk = rk;
+        this.authenticatorDisplayName = authenticatorDisplayName;
       }
 
       /**
@@ -105,6 +114,34 @@ private CredentialPropertiesOutput(@JsonProperty("rk") Boolean rk) {
       public Optional<Boolean> getRk() {
         return Optional.ofNullable(rk);
       }
+
+      /**
+       * This OPTIONAL property is a human-palatable description of the credential's managing
+       * authenticator, chosen by the user.
+       *
+       * <p>If the application supports setting "nicknames" for registered credentials, then this
+       * value may be a suitable default value for such a nickname.
+       *
+       * <p>In an authentication ceremony, if this value is different from the stored nickname, then
+       * the application may want to offer the user to update the stored nickname to match this
+       * value.
+       *
+       * @return A user-chosen or vendor-default display name for the credential, if available.
+       *     Otherwise empty.
+       * @see <a
+       *     href="https://w3c.github.io/webauthn/#dom-credentialpropertiesoutput-authenticatordisplayname">
+       *     <code>authenticatorDisplayName</code> in §10.1.3. Credential Properties Extension
+       *     (credProps)</a>
+       * @see RegistrationResult#getAuthenticatorDisplayName()
+       * @see AssertionResult#getAuthenticatorDisplayName()
+       * @see AssertionResultV2#getAuthenticatorDisplayName()
+       * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change
+       *     as the standard matures.
+       */
+      @Deprecated
+      public Optional<String> getAuthenticatorDisplayName() {
+        return Optional.ofNullable(authenticatorDisplayName);
+      }
     }
   }
 

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala

@@ -38,6 +38,7 @@ import com.yubico.webauthn.data.AuthenticatorTransport
 import com.yubico.webauthn.data.ByteArray
 import com.yubico.webauthn.data.ClientAssertionExtensionOutputs
 import com.yubico.webauthn.data.CollectedClientData
+import com.yubico.webauthn.data.Extensions.CredentialProperties.CredentialPropertiesOutput
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobAuthenticationInput
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobAuthenticationOutput
 import com.yubico.webauthn.data.Extensions.Uvm.UvmEntry
@@ -2845,6 +2846,55 @@ class RelyingPartyAssertionSpec
               )
             }
           }
+
+          describe("exposes the credProps.authenticatorDisplayName extension output as getAuthenticatorDisplayName()") {
+            val pkcTemplate =
+              TestAuthenticator.createAssertion(
+                challenge =
+                  request.getPublicKeyCredentialRequestOptions.getChallenge,
+                credentialKey = credentialKeypair,
+                credentialId = credential.getId,
+              )
+
+            it("""when set to "hej".""") {
+              val pkc = pkcTemplate.toBuilder
+                .clientExtensionResults(
+                  pkcTemplate.getClientExtensionResults.toBuilder
+                    .credProps(
+                      CredentialPropertiesOutput
+                        .builder()
+                        .authenticatorDisplayName("hej")
+                        .build()
+                    )
+                    .build()
+                )
+                .build()
+              val result = rp.finishAssertion(
+                FinishAssertionOptions
+                  .builder()
+                  .request(request)
+                  .response(pkc)
+                  .build()
+              )
+
+              result.getAuthenticatorDisplayName.toScala should equal(
+                Some("hej")
+              )
+            }
+
+            it("when not available.") {
+              val pkc = pkcTemplate
+              val result = rp.finishAssertion(
+                FinishAssertionOptions
+                  .builder()
+                  .request(request)
+                  .response(pkc)
+                  .build()
+              )
+
+              result.getAuthenticatorDisplayName.toScala should equal(None)
+            }
+          }
         }
       }
     }

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -4289,6 +4289,51 @@ class RelyingPartyRegistrationSpec
         }
       }
 
+      describe("expose the credProps.authenticatorDisplayName extension output as RegistrationResult.getAuthenticatorDisplayName()") {
+        val testDataBase = RegistrationTestData.Packed.BasicAttestation
+        val testData = testDataBase.copy(requestedExtensions =
+          testDataBase.request.getExtensions.toBuilder.credProps().build()
+        )
+
+        it("""when set to "hej".""") {
+          val result = rp.finishRegistration(
+            FinishRegistrationOptions
+              .builder()
+              .request(testData.request)
+              .response(
+                testData.response.toBuilder
+                  .clientExtensionResults(
+                    ClientRegistrationExtensionOutputs
+                      .builder()
+                      .credProps(
+                        CredentialPropertiesOutput
+                          .builder()
+                          .authenticatorDisplayName("hej")
+                          .build()
+                      )
+                      .build()
+                  )
+                  .build()
+              )
+              .build()
+          )
+
+          result.getAuthenticatorDisplayName.toScala should equal(Some("hej"))
+        }
+
+        it("when not available.") {
+          val result = rp.finishRegistration(
+            FinishRegistrationOptions
+              .builder()
+              .request(testData.request)
+              .response(testData.response)
+              .build()
+          )
+
+          result.getAuthenticatorDisplayName.toScala should equal(None)
+        }
+      }
+
       describe("support the largeBlob extension") {
         it("being enabled at registration time.") {
           val testData = RegistrationTestData.Packed.BasicAttestation