Implement appid extension

Author: emlun

webauthn-server-core/src/main/java/com/yubico/webauthn/ExtensionsValidation.java

@@ -1,13 +1,11 @@
 package com.yubico.webauthn;
 
-import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.upokecenter.cbor.CBORObject;
-import com.yubico.internal.util.ExceptionUtil;
-import com.yubico.internal.util.StreamUtil;
 import com.yubico.webauthn.data.AuthenticatorResponse;
+import com.yubico.webauthn.data.ClientExtensionOutputs;
+import com.yubico.webauthn.data.ExtensionInputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import java.util.HashSet;
-import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 import lombok.experimental.UtilityClass;
@@ -16,9 +14,9 @@
 @UtilityClass
 class ExtensionsValidation {
 
-    static boolean validate(Optional<ObjectNode> requested, PublicKeyCredential<? extends AuthenticatorResponse> response) {
-        Set<String> requestedExtensionIds = requested.map(req -> StreamUtil.toSet(req.fieldNames())).orElseGet(HashSet::new);
-        Set<String> clientExtensionIds = StreamUtil.toSet(response.getClientExtensionResults().fieldNames());
+    static boolean validate(ExtensionInputs requested, PublicKeyCredential<? extends AuthenticatorResponse, ? extends ClientExtensionOutputs> response) {
+        Set<String> requestedExtensionIds = requested.getExtensionIds();
+        Set<String> clientExtensionIds = response.getClientExtensionResults().getExtensionIds();
 
         if (!requestedExtensionIds.containsAll(clientExtensionIds)) {
             throw new IllegalArgumentException(String.format(

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionOptions.java

@@ -3,6 +3,7 @@
 import com.yubico.webauthn.data.AssertionRequest;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import java.util.Optional;
 import lombok.Builder;
@@ -16,7 +17,7 @@ public class FinishAssertionOptions {
     @NonNull
     private final AssertionRequest request;
     @NonNull
-    private final PublicKeyCredential<AuthenticatorAssertionResponse> response;
+    private final PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> response;
 
     @NonNull
     @Builder.Default

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java

@@ -5,9 +5,11 @@
 import com.yubico.webauthn.data.AssertionResult;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
 import com.yubico.webauthn.data.CollectedClientData;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.UserVerificationRequirement;
+import com.yubico.webauthn.extension.appid.AppId;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedList;
@@ -27,7 +29,7 @@ class FinishAssertionSteps {
     private static final String CLIENT_DATA_TYPE = "webauthn.get";
 
     private final AssertionRequest request;
-    private final PublicKeyCredential<AuthenticatorAssertionResponse> response;
+    private final PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> response;
     private final Optional<ByteArray> callerTokenBindingId;
     private final List<String> origins;
     private final String rpId;
@@ -397,10 +399,22 @@ public class Step11 implements Step<Step10, Step12> {
 
         @Override
         public void validate() {
-            assure(
-                crypto.hash(rpId).equals(response.getResponse().getParsedAuthenticatorData().getRpIdHash()),
-                "Wrong RP ID hash."
-            );
+            try {
+                assure(
+                    crypto.hash(rpId).equals(response.getResponse().getParsedAuthenticatorData().getRpIdHash()),
+                    "Wrong RP ID hash."
+                );
+            } catch (IllegalArgumentException e) {
+                Optional<AppId> appid = request.getPublicKeyCredentialRequestOptions().getExtensions().getAppid();
+                if (appid.isPresent()) {
+                    assure(
+                        crypto.hash(appid.get().getId()).equals(response.getResponse().getParsedAuthenticatorData().getRpIdHash()),
+                        "Wrong RP ID hash."
+                    );
+                } else {
+                    throw e;
+                }
+            }
         }
 
         @Override

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationOptions.java

@@ -2,6 +2,7 @@
 
 import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
 import java.util.Optional;
@@ -16,7 +17,7 @@ public class FinishRegistrationOptions {
     @NonNull
     private final PublicKeyCredentialCreationOptions request;
     @NonNull
-    private final PublicKeyCredential<AuthenticatorAttestationResponse> response;
+    private final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> response;
 
     @NonNull
     @Builder.Default

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java

@@ -8,6 +8,7 @@
 import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
 import com.yubico.webauthn.data.AuthenticatorSelectionCriteria;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.CollectedClientData;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
@@ -36,7 +37,7 @@ class FinishRegistrationSteps {
     private static final String CLIENT_DATA_TYPE = "webauthn.create";
 
     private final PublicKeyCredentialCreationOptions request;
-    private final PublicKeyCredential<AuthenticatorAttestationResponse> response;
+    private final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> response;
     private final Optional<ByteArray> callerTokenBindingId;
     private final List<String> origins;
     private final String rpId;

webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java

@@ -8,6 +8,8 @@
 import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
 import com.yubico.webauthn.data.AuthenticatorSelectionCriteria;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
+import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
 import com.yubico.webauthn.data.PublicKeyCredentialParameters;
@@ -16,6 +18,7 @@
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import com.yubico.webauthn.exception.AssertionFailedException;
 import com.yubico.webauthn.exception.RegistrationFailedException;
+import com.yubico.webauthn.extension.appid.AppId;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@@ -35,6 +38,8 @@ public class RelyingParty {
     private final List<String> origins;
     private final CredentialRepository credentialRepository;
 
+    @Builder.Default
+    private final Optional<AppId> appId = Optional.empty();
     @Builder.Default
     private final ChallengeGenerator challengeGenerator = new RandomChallengeGenerator();
     @Builder.Default
@@ -91,7 +96,7 @@ public RegistrationResult finishRegistration(FinishRegistrationOptions finishReg
      */
     FinishRegistrationSteps _finishRegistration(
         PublicKeyCredentialCreationOptions request,
-        PublicKeyCredential<AuthenticatorAttestationResponse> response,
+        PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> response,
         Optional<ByteArray> callerTokenBindingId
     ) {
         return FinishRegistrationSteps.builder()
@@ -120,7 +125,12 @@ public AssertionRequest startAssertion(StartAssertionOptions startAssertionOptio
                     startAssertionOptions.getUsername().map(un ->
                         new ArrayList<>(credentialRepository.getCredentialIdsForUsername(un)))
                 )
-                .extensions(startAssertionOptions.getExtensions())
+                .extensions(
+                    startAssertionOptions.getExtensions()
+                        .toBuilder()
+                        .appid(appId)
+                        .build()
+                )
                 .build()
             )
             .build();
@@ -144,7 +154,7 @@ public AssertionResult finishAssertion(FinishAssertionOptions finishAssertionOpt
      */
     FinishAssertionSteps _finishAssertion(
         AssertionRequest request,
-        PublicKeyCredential<AuthenticatorAssertionResponse> response,
+        PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> response,
         Optional<ByteArray> callerTokenBindingId // = None.asJava
     ) {
         return FinishAssertionSteps.builder()

webauthn-server-core/src/main/java/com/yubico/webauthn/StartAssertionOptions.java

@@ -1,6 +1,6 @@
 package com.yubico.webauthn;
 
-import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.yubico.webauthn.data.AssertionExtensionInputs;
 import java.util.Optional;
 import lombok.Builder;
 import lombok.NonNull;
@@ -16,7 +16,7 @@ public class StartAssertionOptions {
 
     @NonNull
     @Builder.Default
-    private final Optional<ObjectNode> extensions = Optional.empty();
+    private final AssertionExtensionInputs extensions = AssertionExtensionInputs.builder().build();
 
 
 }

webauthn-server-core/src/main/java/com/yubico/webauthn/StartRegistrationOptions.java

@@ -1,8 +1,7 @@
 package com.yubico.webauthn;
 
-import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.yubico.webauthn.data.RegistrationExtensionInputs;
 import com.yubico.webauthn.data.UserIdentity;
-import java.util.Optional;
 import lombok.Builder;
 import lombok.NonNull;
 import lombok.Value;
@@ -16,7 +15,7 @@ public class StartRegistrationOptions {
 
     @NonNull
     @Builder.Default
-    private final Optional<ObjectNode> extensions = Optional.empty();
+    private final RegistrationExtensionInputs extensions = RegistrationExtensionInputs.builder().build();
 
     @Builder.Default
     private final boolean requireResidentKey = false;

webauthn-server-core/src/main/java/com/yubico/webauthn/data/AssertionExtensionInputs.java

@@ -0,0 +1,38 @@
+package com.yubico.webauthn.data;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.yubico.webauthn.extension.appid.AppId;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+
+@Value
+@Builder(toBuilder = true)
+public class AssertionExtensionInputs implements ExtensionInputs {
+
+    @Builder.Default
+    private final Optional<AppId> appid = Optional.empty();
+
+    @JsonCreator
+    private AssertionExtensionInputs(
+        @NonNull @JsonProperty("appid") Optional<AppId> appid
+    ) {
+        this.appid = appid;
+    }
+
+    @Override
+    @JsonIgnore
+    public Set<String> getExtensionIds() {
+        Set<String> ids = new HashSet<>();
+
+        appid.ifPresent((id) -> ids.add("appid"));
+
+        return ids;
+    }
+
+}

webauthn-server-core/src/main/java/com/yubico/webauthn/data/ClientAssertionExtensionOutputs.java

@@ -0,0 +1,38 @@
+package com.yubico.webauthn.data;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+
+@Value
+@Builder
+public class ClientAssertionExtensionOutputs implements ClientExtensionOutputs {
+
+    @Builder.Default
+    private final Optional<Boolean> appid = Optional.empty();
+
+    @JsonCreator
+    private ClientAssertionExtensionOutputs(
+        @NonNull @JsonProperty("appid") Optional<Boolean> appid
+    ) {
+        this.appid = appid;
+    }
+
+    @Override
+    @JsonIgnore
+    public Set<String> getExtensionIds() {
+        Set<String> ids = new HashSet<>();
+
+        appid.ifPresent((id) -> ids.add("appid"));
+
+        return ids;
+    }
+
+}