Release 1.7.0

webauthn-server-attestation:

- Updated name of AAGUID `2fc0579f811347eab116bb5a8db9202a` to "YubiKey 5/5C NFC"
- Changed name of "YubiKey 5 Series security key" to "YubiKey 5 Series"

webauthn-server-core:

Changes:

- Fixed crash on unknown attestation statement formats
  - Unless `RelyingParty.allowUntrustedAttestation` is set to `false`, unknown
    attestation statements will now pass as untrusted attestations, instead of
    throwing an IllegalArgumentException.
- Disambiguated Jackson deserialization of class `AuthenticatorTransport`

New features:

- Class `RegisteredCredential` can now be serialized to and deserialized from
  JSON.

Author: emlun

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,37 @@
+name: "Code scanning - action"
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 12 * * 2'
+
+jobs:
+  CodeQL-Build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/release-verify-signatures.yml

@@ -23,7 +23,9 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Build jars
-      run: ./gradlew jar
+      run: |
+        java --version
+        ./gradlew jar
 
     - name: Fetch keys
       run: gpg --no-default-keyring --keyring yubico --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E

.github/workflows/scan.yml

@@ -8,7 +8,7 @@ on:
 
 env:
   SCAN_IMG:
-    yes-docker-local.artifactory.in.yubico.org/static-code-analysis/java:v1
+    yubico-yes-docker-local.jfrog.io/static-code-analysis/java:v1
   SECRET: ${{ secrets.ARTIFACTORY_READER_TOKEN }}
 
 jobs:
@@ -21,7 +21,7 @@ jobs:
     - name: Scan and fail on warnings
       run: |
         if [ "${SECRET}" != "" ]; then
-          docker login yes-docker-local.artifactory.in.yubico.org/ \
+          docker login yubico-yes-docker-local.jfrog.io/ \
             -u svc-static-code-analysis-reader -p ${SECRET}
           docker pull ${SCAN_IMG}
           docker run -v${PWD}:/k \

NEWS

@@ -1,60 +1,83 @@
+== Version 1.7.0 ==
+
+webauthn-server-attestation:
+
+* Updated name of AAGUID `2fc0579f811347eab116bb5a8db9202a` to "YubiKey 5/5C NFC"
+* Changed name of "YubiKey 5 Series security key" to "YubiKey 5 Series"
+
+webauthn-server-core:
+
+Changes:
+
+* Fixed crash on unknown attestation statement formats
+ ** Unless `RelyingParty.allowUntrustedAttestation` is set to `false`, unknown
+    attestation statements will now pass as untrusted attestations, instead of
+    throwing an IllegalArgumentException.
+* Disambiguated Jackson deserialization of class `AuthenticatorTransport`
+
+New features:
+
+* Class `RegisteredCredential` can now be serialized to and deserialized from
+  JSON.
+
+
 == Version 1.6.4 ==
 
-- Changed dependency declarations to version ranges
-- Bumped Guava dependency to version [24.1.1,30) in response to CVE-2018-10237
+* Changed dependency declarations to version ranges
+* Bumped Guava dependency to version [24.1.1,30) in response to CVE-2018-10237
 
 
 == Version 1.6.3 ==
 
 webauthn-server-attestation:
 
-- Added new YubiKey AAGUIDs to metadata.json
+* Added new YubiKey AAGUIDs to metadata.json
 
 
 webauthn-server-core:
 
-- Bumped Jackson dependency to version 2.11.0 in response to CVEs:
-  - CVE-2020-9546
-  - CVE-2020-10672
-  - CVE-2020-10969
-  - CVE-2020-11620
-- Fixed incorrect JavaDoc on AssertionResult.isSignatureCounterValid(): it will
+* Bumped Jackson dependency to version 2.11.0 in response to CVEs:
+ ** CVE-2020-9546
+ ** CVE-2020-10672
+ ** CVE-2020-10969
+ ** CVE-2020-11620
+* Fixed incorrect JavaDoc on AssertionResult.isSignatureCounterValid(): it will
   also return true if both counters are zero.
 
 
 == Version 1.6.2 ==
 
-- Fixed dependencies missing from release POM metadata
+* Fixed dependencies missing from release POM metadata
 
 
 == Version 1.6.1 ==
 
 Security fixes:
 
-- Bumped Jackson dependency to version 2.9.10.3 in response to CVE-2019-20330
+* Bumped Jackson dependency to version 2.9.10.3 in response to CVE-2019-20330
   and CVE-2020-8840
 
 
 == Version 1.6.0 ==
 
 Security fixes:
 
-- Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942
+* Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942
 
 `webauthn-server-core`:
 
 Bug fixes:
 
-- Fixed bug introduced in 1.4.0, which caused
+* Fixed bug introduced in 1.4.0, which caused
   `RegistrationResult.attestationMetadata` to always be empty.
 
 
 `webauthn-server-attestation`:
 
-- New enum constant `Transport.LIGHTNING`
-- Fixed transports field of YubiKey NEO/NEO-n in `metadata.json`.
-- Added YubiKey 5Ci to `metadata.json`.
-- Most `deviceUrl` fields in `metadata.json` changed to point to stable
+* New enum constant `Transport.LIGHTNING`
+* Fixed transports field of YubiKey NEO/NEO-n in `metadata.json`.
+* Added YubiKey 5Ci to `metadata.json`.
+* Most `deviceUrl` fields in `metadata.json` changed to point to stable
   addresses in Yubico knowledge base instead of dead redirects in store.
 
 

build.gradle

@@ -7,8 +7,8 @@ buildscript {
   }
 }
 plugins {
-  id 'com.github.kt3k.coveralls' version '2.10.1'
-  id 'io.codearte.nexus-staging' version '0.21.2'
+  id 'com.github.kt3k.coveralls' version '2.10.2'
+  id 'io.codearte.nexus-staging' version '0.22.0'
   id 'io.franzbecker.gradle-lombok' version '4.0.0'
 }
 

webauthn-server-attestation/src/main/resources/metadata.json

@@ -1,6 +1,6 @@
 {
   "identifier": "2fb54029-7613-4f1d-94f1-fb876c14a6fe",
-  "version": 12,
+  "version": 14,
   "vendorInfo": {
     "url": "https://yubico.com",
     "imageUrl": "https://developers.yubico.com/U2F/Images/yubico.png",
@@ -72,6 +72,7 @@
         }
       ]
     },
+
     {
       "deviceId": "1.3.6.1.4.1.41482.1.2",
       "displayName": "YubiKey NEO/NEO-n",
@@ -94,6 +95,7 @@
         }
       ]
     },
+
     {
       "deviceId": "1.3.6.1.4.1.41482.1.3",
       "displayName": "YubiKey Plus",
@@ -116,6 +118,7 @@
         }
       ]
     },
+
     {
       "deviceId": "1.3.6.1.4.1.41482.1.4",
       "displayName": "YubiKey Edge",
@@ -132,6 +135,7 @@
         }
       ]
     },
+
     {
       "deviceId": "1.3.6.1.4.1.41482.1.5",
       "displayName": "YubiKey 4/YubiKey 4 Nano",
@@ -148,6 +152,7 @@
         }
       ]
     },
+
     {
       "deviceId": "1.3.6.1.4.1.41482.1.7",
       "displayName": "YubiKey 5 NFC",
@@ -164,7 +169,17 @@
               "value": "fa2b99dc9e3942578f924a30d23c4118"
             }
           }
-        },
+        }
+      ]
+    },
+
+    {
+      "deviceId": "1.3.6.1.4.1.41482.1.7",
+      "displayName": "YubiKey 5/5C NFC",
+      "transports": 12,
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000014174--yubikey-5-nfc",
+      "imageUrl": "https://developers.yubico.com/U2F/Images/YK5.png",
+      "selectors": [
         {
           "type": "x509Extension",
           "parameters": {
@@ -177,9 +192,10 @@
         }
       ]
     },
+
     {
       "deviceId": "1.3.6.1.4.1.41482.1.7",
-      "displayName": "YubiKey 5 Series security key",
+      "displayName": "YubiKey 5 Series",
       "transports": 4,
       "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000014180-yubikey-5c",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK5-series.png",
@@ -206,6 +222,7 @@
         }
       ]
     },
+
     {
       "deviceId": "1.3.6.1.4.1.41482.1.7",
       "displayName": "YubiKey 5Ci",

webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala

@@ -94,8 +94,17 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
       it("a YubiKey 5 NFC.") {
         check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
       }
+      it("an early YubiKey 5 NFC.") {
+        check("YubiKey 5 NFC", RealExamples.YubiKey5Nfc, Set(USB, NFC))
+      }
+      it("a newer YubiKey 5 NFC.") {
+        check("YubiKey 5/5C NFC", RealExamples.YubiKey5NfcPost5cNfc, Set(USB, NFC))
+      }
+      it("a YubiKey 5C NFC.") {
+        check("YubiKey 5/5C NFC", RealExamples.YubiKey5cNfc, Set(USB, NFC))
+      }
       it("a YubiKey 5 Nano.") {
-        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
+        check("YubiKey 5 Series", RealExamples.YubiKey5Nano, Set(USB))
       }
       it("a YubiKey 5Ci.") {
         check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
@@ -133,8 +142,17 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
       it("a YubiKey 5 NFC.") {
         check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
       }
+      it("an early YubiKey 5 NFC.") {
+        check("YubiKey 5 NFC", RealExamples.YubiKey5Nfc, Set(USB, NFC))
+      }
+      it("a newer YubiKey 5 NFC.") {
+        check("YubiKey 5/5C NFC", RealExamples.YubiKey5NfcPost5cNfc, Set(USB, NFC))
+      }
+      it("a YubiKey 5C NFC.") {
+        check("YubiKey 5/5C NFC", RealExamples.YubiKey5cNfc, Set(USB, NFC))
+      }
       it("a YubiKey 5 Nano.") {
-        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
+        check("YubiKey 5 Series", RealExamples.YubiKey5Nano, Set(USB))
       }
       it("a YubiKey 5Ci.") {
         check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java

@@ -463,7 +463,7 @@ public AttestationType attestationType() {
                                 return AttestationType.ECDAA;
                             }
                         default:
-                            throw new IllegalArgumentException("Failed to resolve attestation type; unknown attestation statement format: " + attestation.getFormat());
+                            return AttestationType.UNKNOWN;
                     }
                 }
             } catch (IOException | CoseException | CertificateException e) {
@@ -509,6 +509,7 @@ public Optional<AttestationTrustResolver> trustResolver() {
             switch (attestationType) {
                 case NONE:
                 case SELF_ATTESTATION:
+                case UNKNOWN:
                     return Optional.empty();
 
                 case ATTESTATION_CA:
@@ -562,6 +563,10 @@ public void validate() {
                     assure(allowUntrustedAttestation, "No attestation is not allowed.");
                     break;
 
+                case UNKNOWN:
+                    assure(allowUntrustedAttestation, "Unknown attestation statement formats are not allowed.");
+                    break;
+
                 default:
                     throw new UnsupportedOperationException("Attestation type not implemented: " + attestationType);
             }
@@ -574,8 +579,9 @@ public Step17 nextStep() {
 
         public boolean attestationTrusted() {
             switch (attestationType) {
-                case SELF_ATTESTATION:
                 case NONE:
+                case SELF_ATTESTATION:
+                case UNKNOWN:
                     return false;
 
                 case ATTESTATION_CA:

webauthn-server-core/src/main/java/com/yubico/webauthn/RegisteredCredential.java

@@ -24,14 +24,14 @@
 
 package com.yubico.webauthn;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yubico.webauthn.data.AttestedCredentialData;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.AuthenticatorData;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
 import com.yubico.webauthn.data.UserIdentity;
-import lombok.AccessLevel;
-import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.NonNull;
 import lombok.Value;
@@ -46,9 +46,8 @@
  * </p>
  */
 @Value
-@AllArgsConstructor(access = AccessLevel.PRIVATE)
 @Builder(toBuilder = true)
-public class RegisteredCredential {
+public final class RegisteredCredential {
 
     /**
      * The <a href="https://www.w3.org/TR/2019/PR-webauthn-20190117/#credential-id">credential ID</a> of the
@@ -103,6 +102,19 @@ public class RegisteredCredential {
     @Builder.Default
     private final long signatureCount = 0;
 
+    @JsonCreator
+    private RegisteredCredential(
+        @NonNull @JsonProperty("credentialId") ByteArray credentialId,
+        @NonNull @JsonProperty("userHandle") ByteArray userHandle,
+        @NonNull @JsonProperty("publicKeyCose") ByteArray publicKeyCose,
+        @JsonProperty("signatureCount") long signatureCount
+    ) {
+        this.credentialId = credentialId;
+        this.userHandle = userHandle;
+        this.publicKeyCose = publicKeyCose;
+        this.signatureCount = signatureCount;
+    }
+
     public static RegisteredCredentialBuilder.MandatoryStages builder() {
         return new RegisteredCredentialBuilder.MandatoryStages();
     }