Add missing JavaDoc to CredentialRecord and RegisteredCredential

emlun · emlun · commit abb6b073215c · 2023-11-08T17:11:23.000+01:00
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRecord.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRecord.java
@@ -1,21 +1,40 @@
 package com.yubico.webauthn;
 
+import com.yubico.webauthn.data.AttestedCredentialData;
+import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
+import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
+import com.yubico.webauthn.data.AuthenticatorData;
 import com.yubico.webauthn.data.AuthenticatorTransport;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
 import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
+import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions;
+import com.yubico.webauthn.data.UserIdentity;
 import java.util.Optional;
 import java.util.Set;
 import lombok.NonNull;
 
 /**
- * @see <a href="https://w3c.github.io/webauthn/#credential-record">Credential Record</a>
+ * An abstraction of properties of a stored WebAuthn credential.
+ *
+ * @see <a href="https://w3c.github.io/webauthn/#credential-record">Credential Record</a> in Web
+ *     Authentication Level 3 (Editor's Draft)
  * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
  *     before reaching a mature release.
  */
 @Deprecated
 public interface CredentialRecord extends ToPublicKeyCredentialDescriptor {
 
   /**
+   * The <a href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#credential-id">credential
+   * ID</a> of the credential.
+   *
+   * <p>Implementations MUST NOT return null.
+   *
+   * @see <a href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#credential-id">Credential
+   *     ID</a>
+   * @see RegistrationResult#getKeyId()
+   * @see PublicKeyCredentialDescriptor#getId()
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
    *     before reaching a mature release.
    */
@@ -24,6 +43,13 @@ public interface CredentialRecord extends ToPublicKeyCredentialDescriptor {
   ByteArray getCredentialId();
 
   /**
+   * The <a href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#user-handle">user handle</a>
+   * of the user the credential is registered to.
+   *
+   * <p>Implementations MUST NOT return null.
+   *
+   * @see <a href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#user-handle">User Handle</a>
+   * @see UserIdentity#getId()
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
    *     before reaching a mature release.
    */
@@ -32,6 +58,19 @@ public interface CredentialRecord extends ToPublicKeyCredentialDescriptor {
   ByteArray getUserHandle();
 
   /**
+   * The credential public key encoded in COSE_Key format, as defined in Section 7 of <a
+   * href="https://tools.ietf.org/html/rfc8152">RFC 8152</a>.
+   *
+   * <p>This is used to verify the {@link AuthenticatorAssertionResponse#getSignature() signature}
+   * in authentication assertions.
+   *
+   * <p>If your database has credentials encoded in U2F (raw) format, you may need to use {@link
+   * #cosePublicKeyFromEs256Raw(ByteArray)} to convert them before returning them in this method.
+   *
+   * <p>Implementations MUST NOT return null.
+   *
+   * @see AttestedCredentialData#getCredentialPublicKey()
+   * @see RegistrationResult#getPublicKeyCose()
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
    *     before reaching a mature release.
    */
@@ -40,13 +79,48 @@ public interface CredentialRecord extends ToPublicKeyCredentialDescriptor {
   ByteArray getPublicKeyCose();
 
   /**
+   * The stored <a href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#signcount">signature
+   * count</a> of the credential.
+   *
+   * <p>This is used to validate the {@link AuthenticatorData#getSignatureCounter() signature
+   * counter} in authentication assertions.
+   *
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-authenticator-data">§6.1.
+   *     Authenticator Data</a>
+   * @see AuthenticatorData#getSignatureCounter()
+   * @see AssertionResult#getSignatureCount()
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
    *     before reaching a mature release.
    */
   @Deprecated
   long getSignatureCount();
 
   /**
+   * Transport hints as to how the client might communicate with the authenticator this credential
+   * is bound to.
+   *
+   * <p>Implementations SHOULD return the value returned by {@link
+   * AuthenticatorAttestationResponse#getTransports()} when the credential was created. That value
+   * SHOULD NOT be modified.
+   *
+   * <p>Implementations MUST NOT return null.
+   *
+   * <p>This is used to set {@link PublicKeyCredentialDescriptor#getTransports()} in {@link
+   * PublicKeyCredentialCreationOptions#getExcludeCredentials() excludeCredentials} in {@link
+   * RelyingParty#startRegistration(StartRegistrationOptions)} and and {@link
+   * PublicKeyCredentialRequestOptions#getAllowCredentials() allowCredentials} in {@link
+   * RelyingParty#startAssertion(StartAssertionOptions)}.
+   *
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-authenticatorattestationresponse-gettransports">getTransports()
+   *     in 5.2.1. Information About Public Key Credential (interface
+   *     AuthenticatorAttestationResponse)</a>
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-publickeycredentialdescriptor-transports">transports
+   *     in 5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
+   * @see AuthenticatorAttestationResponse#getTransports()
+   * @see PublicKeyCredentialDescriptor#getTransports()
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
    *     before reaching a mature release.
    */
@@ -56,15 +130,50 @@ public interface CredentialRecord extends ToPublicKeyCredentialDescriptor {
   // boolean isUvInitialized();
 
   /**
+   * The state of the <a href="https://w3c.github.io/webauthn/#authdata-flags-be">BE flag</a> when
+   * this credential was registered, if known.
+   *
+   * <p>If absent, it is not known whether or not this credential is backup eligible.
+   *
+   * <p>If present and <code>true</code>, the credential is backup eligible: it can be backed up in
+   * some way, most commonly by syncing the private key to a cloud account.
+   *
+   * <p>If present and <code>false</code>, the credential is not backup eligible: it cannot be
+   * backed up in any way.
+   *
+   * <p>{@link CredentialRecord} implementations SHOULD return the first known value returned by
+   * {@link RegistrationResult#isBackupEligible()} or {@link AssertionResult#isBackupEligible()}, if
+   * known. If unknown, {@link CredentialRecord} implementations SHOULD return <code>
+   * Optional.empty()</code>.
+   *
+   * <p>Implementations MUST NOT return null.
+   *
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
-   *     before reaching a mature release.
+   *     before reaching a mature release. EXPERIMENTAL: This feature is from a not yet mature
+   *     standard; it could change as the standard matures.
    */
   @Deprecated
   Optional<Boolean> isBackupEligible();
 
   /**
+   * The last known state of the <a href="https://w3c.github.io/webauthn/#authdata-flags-bs">BS
+   * flag</a> for this credential, if known.
+   *
+   * <p>If absent, the backup state of the credential is not known.
+   *
+   * <p>If present and <code>true</code>, the credential is believed to be currently backed up.
+   *
+   * <p>If present and <code>false</code>, the credential is believed to not be currently backed up.
+   *
+   * <p>{@link CredentialRecord} implementations SHOULD return the most recent value returned by
+   * {@link AssertionResult#isBackedUp()} or {@link RegistrationResult#isBackedUp()}, if known. If
+   * unknown, {@link CredentialRecord} implementations SHOULD return <code>Optional.empty()</code>.
+   *
+   * <p>Implementations MUST NOT return null.
+   *
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
-   *     before reaching a mature release.
+   *     before reaching a mature release. EXPERIMENTAL: This feature is from a not yet mature
+   *     standard; it could change as the standard matures.
    */
   @Deprecated
   Optional<Boolean> isBackedUp();
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/RegisteredCredential.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/RegisteredCredential.java
@@ -31,11 +31,14 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yubico.webauthn.data.AttestedCredentialData;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
+import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
 import com.yubico.webauthn.data.AuthenticatorData;
 import com.yubico.webauthn.data.AuthenticatorTransport;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.COSEAlgorithmIdentifier;
+import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
 import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
+import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions;
 import com.yubico.webauthn.data.UserIdentity;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
@@ -120,6 +123,33 @@ public PublicKey getParsedPublicKey()
    */
   @Builder.Default private final long signatureCount = 0;
 
+  /**
+   * Transport hints as to how the client might communicate with the authenticator this credential
+   * is bound to.
+   *
+   * <p>This SHOULD be set to the value returned by {@link
+   * AuthenticatorAttestationResponse#getTransports()} when the credential was created. That value
+   * SHOULD NOT be modified.
+   *
+   * <p>This is only used if the {@link RelyingParty} is configured with a {@link
+   * CredentialRepositoryV2}, in which case this is used to set {@link
+   * PublicKeyCredentialDescriptor#getTransports()} in {@link
+   * PublicKeyCredentialCreationOptions#getExcludeCredentials() excludeCredentials} in {@link
+   * RelyingParty#startRegistration(StartRegistrationOptions)} and {@link
+   * PublicKeyCredentialRequestOptions#getAllowCredentials() allowCredentials} in {@link
+   * RelyingParty#startAssertion(StartAssertionOptions)}. This is not used if the {@link
+   * RelyingParty} is configured with a {@link CredentialRepository}.
+   *
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-authenticatorattestationresponse-gettransports">getTransports()
+   *     in 5.2.1. Information About Public Key Credential (interface
+   *     AuthenticatorAttestationResponse)</a>
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-publickeycredentialdescriptor-transports">transports
+   *     in 5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
+   * @see AuthenticatorAttestationResponse#getTransports()
+   * @see PublicKeyCredentialDescriptor#getTransports()
+   */
   @Builder.Default private final Set<AuthenticatorTransport> transports = null;
 
   /**
@@ -188,6 +218,33 @@ private RegisteredCredential(
     this.backupState = backupState;
   }
 
+  /**
+   * Transport hints as to how the client might communicate with the authenticator this credential
+   * is bound to.
+   *
+   * <p>This SHOULD be set to the value returned by {@link
+   * AuthenticatorAttestationResponse#getTransports()} when the credential was created. That value
+   * SHOULD NOT be modified.
+   *
+   * <p>This is only used if the {@link RelyingParty} is configured with a {@link
+   * CredentialRepositoryV2}, in which case this is used to set {@link
+   * PublicKeyCredentialDescriptor#getTransports()} in {@link
+   * PublicKeyCredentialCreationOptions#getExcludeCredentials() excludeCredentials} in {@link
+   * RelyingParty#startRegistration(StartRegistrationOptions)} and {@link
+   * PublicKeyCredentialRequestOptions#getAllowCredentials() allowCredentials} in {@link
+   * RelyingParty#startAssertion(StartAssertionOptions)}. This is not used if the {@link
+   * RelyingParty} is configured with a {@link CredentialRepository}.
+   *
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-authenticatorattestationresponse-gettransports">getTransports()
+   *     in 5.2.1. Information About Public Key Credential (interface
+   *     AuthenticatorAttestationResponse)</a>
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-publickeycredentialdescriptor-transports">transports
+   *     in 5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
+   * @see AuthenticatorAttestationResponse#getTransports()
+   * @see PublicKeyCredentialDescriptor#getTransports()
+   */
   @Override
   public Optional<Set<AuthenticatorTransport>> getTransports() {
     return Optional.ofNullable(transports);
