Introduce interface ToPublicKeyCredentialDescriptor

Author: emlun

webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRecord.java

@@ -2,6 +2,7 @@
 
 import com.yubico.webauthn.data.AuthenticatorTransport;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
 import java.util.Optional;
 import java.util.Set;
 import lombok.NonNull;
@@ -12,7 +13,7 @@
  *     before reaching a mature release.
  */
 @Deprecated
-public interface CredentialRecord {
+public interface CredentialRecord extends ToPublicKeyCredentialDescriptor {
 
   /**
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
@@ -50,10 +51,7 @@ public interface CredentialRecord {
    *     before reaching a mature release.
    */
   @Deprecated
-  @NonNull
-  default Optional<Set<AuthenticatorTransport>> getTransports() {
-    return Optional.empty();
-  }
+  Optional<Set<AuthenticatorTransport>> getTransports();
 
   // boolean isUvInitialized();
 
@@ -70,4 +68,24 @@ default Optional<Set<AuthenticatorTransport>> getTransports() {
    */
   @Deprecated
   Optional<Boolean> isBackedUp();
+
+  /**
+   * This default implementation of {@link
+   * ToPublicKeyCredentialDescriptor#toPublicKeyCredentialDescriptor()} sets the {@link
+   * PublicKeyCredentialDescriptor.PublicKeyCredentialDescriptorBuilder#id(ByteArray) id} field to
+   * the return value of {@link #getCredentialId()} and the {@link
+   * PublicKeyCredentialDescriptor.PublicKeyCredentialDescriptorBuilder#transports(Optional)
+   * transports} field to the return value of {@link #getTransports()}.
+   *
+   * @see <a
+   *     href="https://w3c.github.io/webauthn/#credential-descriptor-for-a-credential-record">credential
+   *     descriptor for a credential record</a> in Web Authentication Level 3 (Editor's Draft)
+   */
+  @Override
+  default PublicKeyCredentialDescriptor toPublicKeyCredentialDescriptor() {
+    return PublicKeyCredentialDescriptor.builder()
+        .id(getCredentialId())
+        .transports(getTransports())
+        .build();
+  }
 }

webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRepositoryV1ToV2Adapter.java

@@ -1,7 +1,6 @@
 package com.yubico.webauthn;
 
 import com.yubico.webauthn.data.ByteArray;
-import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
 import java.util.Collections;
 import java.util.Optional;
 import java.util.Set;
@@ -14,7 +13,7 @@ class CredentialRepositoryV1ToV2Adapter
   private final CredentialRepository inner;
 
   @Override
-  public Set<PublicKeyCredentialDescriptor> getCredentialDescriptorsForUserHandle(
+  public Set<? extends ToPublicKeyCredentialDescriptor> getCredentialDescriptorsForUserHandle(
       ByteArray userHandle) {
     return inner
         .getUsernameForUserHandle(userHandle)

webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRepositoryV2.java

@@ -48,14 +48,24 @@ public interface CredentialRepositoryV2<C extends CredentialRecord> {
    * <p>After a successful registration ceremony, the {@link RegistrationResult#getKeyId()} method
    * returns a value suitable for inclusion in this set.
    *
-   * @return a {@link Set} containing one {@link PublicKeyCredentialDescriptor} for each credential
-   *     registered to the given user. The set MUST NOT be null, but MAY be empty if the user does
-   *     not exist or has no credentials.
+   * <p>Note that the {@link CredentialRecord} interface extends from the expected {@link
+   * ToPublicKeyCredentialDescriptor} return type, so this method MAY return a {@link Set} of the
+   * same item type as the value returned by the {@link #lookup(ByteArray, ByteArray)} method.
+   *
+   * <p>Implementations MUST NOT return null. The returned {@link Set} MUST NOT contain null.
+   *
+   * @return a {@link Set} containing one {@link PublicKeyCredentialDescriptor} (or value that
+   *     implements {@link ToPublicKeyCredentialDescriptor}, for example {@link CredentialRecord})
+   *     for each credential registered to the given user. The set MUST NOT be null, but MAY be
+   *     empty if the user does not exist or has no credentials.
+   * @see ToPublicKeyCredentialDescriptor
+   * @see CredentialRecord
    * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
    *     before reaching a mature release.
    */
   @Deprecated
-  Set<PublicKeyCredentialDescriptor> getCredentialDescriptorsForUserHandle(ByteArray userHandle);
+  Set<? extends ToPublicKeyCredentialDescriptor> getCredentialDescriptorsForUserHandle(
+      ByteArray userHandle);
 
   /**
    * Look up the public key, backup flags and current signature count for the given credential

webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingPartyV2.java

@@ -49,12 +49,12 @@
 import java.security.SecureRandom;
 import java.security.Signature;
 import java.time.Clock;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
+import java.util.stream.Collectors;
 import lombok.Builder;
 import lombok.NonNull;
 import lombok.Value;
@@ -431,8 +431,12 @@ public PublicKeyCredentialCreationOptions startRegistration(
             .challenge(generateChallenge())
             .pubKeyCredParams(preferredPubkeyParams)
             .excludeCredentials(
-                credentialRepository.getCredentialDescriptorsForUserHandle(
-                    startRegistrationOptions.getUser().getId()))
+                credentialRepository
+                    .getCredentialDescriptorsForUserHandle(
+                        startRegistrationOptions.getUser().getId())
+                    .stream()
+                    .map(ToPublicKeyCredentialDescriptor::toPublicKeyCredentialDescriptor)
+                    .collect(Collectors.toSet()))
             .authenticatorSelection(startRegistrationOptions.getAuthenticatorSelection())
             .extensions(
                 startRegistrationOptions
@@ -488,7 +492,13 @@ public AssertionRequest startAssertion(StartAssertionOptions startAssertionOptio
                                             .getUsername()
                                             .flatMap(unr::getUserHandleForUsername)))
                     .map(credentialRepository::getCredentialDescriptorsForUserHandle)
-                    .map(ArrayList::new))
+                    .map(
+                        descriptors ->
+                            descriptors.stream()
+                                .map(
+                                    ToPublicKeyCredentialDescriptor
+                                        ::toPublicKeyCredentialDescriptor)
+                                .collect(Collectors.toList())))
             .extensions(
                 startAssertionOptions
                     .getExtensions()

webauthn-server-core/src/main/java/com/yubico/webauthn/ToPublicKeyCredentialDescriptor.java

@@ -0,0 +1,34 @@
+package com.yubico.webauthn;
+
+import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
+
+/**
+ * A type that can be converted into a {@link PublicKeyCredentialDescriptor} value.
+ *
+ * @see PublicKeyCredentialDescriptor
+ * @see <a
+ *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dictdef-publickeycredentialdescriptor">§5.10.3.
+ *     Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
+ * @see CredentialRecord
+ * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
+ *     before reaching a mature release.
+ */
+@Deprecated
+public interface ToPublicKeyCredentialDescriptor {
+
+  /**
+   * Convert this value to a {@link PublicKeyCredentialDescriptor} value.
+   *
+   * <p>Implementations MUST NOT return null.
+   *
+   * @see PublicKeyCredentialDescriptor
+   * @see <a
+   *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dictdef-publickeycredentialdescriptor">§5.10.3.
+   *     Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
+   * @see CredentialRecord
+   * @deprecated EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted
+   *     before reaching a mature release.
+   */
+  @Deprecated
+  PublicKeyCredentialDescriptor toPublicKeyCredentialDescriptor();
+}

webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialDescriptor.java

@@ -29,6 +29,7 @@
 import com.yubico.internal.util.CollectionUtil;
 import com.yubico.internal.util.ComparableUtil;
 import com.yubico.webauthn.RegistrationResult;
+import com.yubico.webauthn.ToPublicKeyCredentialDescriptor;
 import java.util.Optional;
 import java.util.Set;
 import java.util.SortedSet;
@@ -49,7 +50,8 @@
  */
 @Value
 @Builder(toBuilder = true)
-public class PublicKeyCredentialDescriptor implements Comparable<PublicKeyCredentialDescriptor> {
+public class PublicKeyCredentialDescriptor
+    implements Comparable<PublicKeyCredentialDescriptor>, ToPublicKeyCredentialDescriptor {
 
   /** The type of the credential the caller is referring to. */
   @NonNull @Builder.Default
@@ -108,6 +110,18 @@ public static PublicKeyCredentialDescriptorBuilder.MandatoryStages builder() {
     return new PublicKeyCredentialDescriptorBuilder.MandatoryStages();
   }
 
+  /**
+   * This implementation of {@link
+   * ToPublicKeyCredentialDescriptor#toPublicKeyCredentialDescriptor()} is a no-op which returns
+   * <code>this</code> unchanged.
+   *
+   * @return <code>this</code>.
+   */
+  @Override
+  public PublicKeyCredentialDescriptor toPublicKeyCredentialDescriptor() {
+    return this;
+  }
+
   public static class PublicKeyCredentialDescriptorBuilder {
     private Set<AuthenticatorTransport> transports = null;
 

webauthn-server-core/src/test/scala/com/yubico/webauthn/test/Helpers.scala

@@ -6,6 +6,7 @@ import com.yubico.webauthn.CredentialRepositoryV2
 import com.yubico.webauthn.RegisteredCredential
 import com.yubico.webauthn.RegistrationResult
 import com.yubico.webauthn.RegistrationTestData
+import com.yubico.webauthn.ToPublicKeyCredentialDescriptor
 import com.yubico.webauthn.UsernameRepository
 import com.yubico.webauthn.data.AuthenticatorTransport
 import com.yubico.webauthn.data.ByteArray
@@ -141,7 +142,7 @@ object Helpers {
 
       override def getCredentialDescriptorsForUserHandle(
           userHandle: ByteArray
-      ): java.util.Set[PublicKeyCredentialDescriptor] = {
+      ): java.util.Set[_ <: ToPublicKeyCredentialDescriptor] = {
         getCredentialIdsCount += 1
         inner.getCredentialDescriptorsForUserHandle(userHandle)
       }
@@ -166,19 +167,14 @@ object Helpers {
       new CredentialRepositoryV2[C] {
         override def getCredentialDescriptorsForUserHandle(
             userHandle: ByteArray
-        ): java.util.Set[PublicKeyCredentialDescriptor] =
+        ): java.util.Set[_ <: ToPublicKeyCredentialDescriptor] =
           users
             .filter({
               case (u, c) =>
                 u.getId == userHandle && c.getUserHandle == userHandle
             })
             .map({
-              case (_, credential) =>
-                PublicKeyCredentialDescriptor
-                  .builder()
-                  .id(credential.getCredentialId)
-                  .transports(credential.getTransports)
-                  .build()
+              case (_, credential) => credential
             })
             .toSet
             .asJava
@@ -305,6 +301,10 @@ object Helpers {
       override def getPublicKeyCose: ByteArray =
         testData.response.getResponse.getParsedAuthenticatorData.getAttestedCredentialData.get.getCredentialPublicKey
       override def getSignatureCount: Long = signatureCount
+
+      override def getTransports
+          : Optional[java.util.Set[AuthenticatorTransport]] =
+        Optional.of(testData.response.getResponse.getTransports)
       override def isBackupEligible: Optional[java.lang.Boolean] = toJava(be)
       override def isBackedUp: Optional[java.lang.Boolean] = toJava(bs)
     }

webauthn-server-demo/src/main/java/demo/webauthn/InMemoryRegistrationStorage.java

@@ -30,7 +30,6 @@
 import com.yubico.webauthn.CredentialRepositoryV2;
 import com.yubico.webauthn.UsernameRepository;
 import com.yubico.webauthn.data.ByteArray;
-import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
 import demo.webauthn.data.CredentialRegistration;
 import java.util.Collection;
 import java.util.HashSet;
@@ -56,16 +55,8 @@ public class InMemoryRegistrationStorage
   ////////////////////////////////////////////////////////////////////////////////
 
   @Override
-  public Set<PublicKeyCredentialDescriptor> getCredentialDescriptorsForUserHandle(
-      ByteArray userHandle) {
-    return getRegistrationsByUserHandle(userHandle).stream()
-        .map(
-            registration ->
-                PublicKeyCredentialDescriptor.builder()
-                    .id(registration.getCredential().getCredentialId())
-                    .transports(registration.getTransports())
-                    .build())
-        .collect(Collectors.toSet());
+  public Set<CredentialRegistration> getCredentialDescriptorsForUserHandle(ByteArray userHandle) {
+    return getRegistrationsByUserHandle(userHandle);
   }
 
   @Override
@@ -135,13 +126,13 @@ public Collection<CredentialRegistration> getRegistrationsByUsername(String user
     }
   }
 
-  public Collection<CredentialRegistration> getRegistrationsByUserHandle(ByteArray userHandle) {
+  public Set<CredentialRegistration> getRegistrationsByUserHandle(ByteArray userHandle) {
     return storage.asMap().values().stream()
         .flatMap(Collection::stream)
         .filter(
             credentialRegistration ->
                 userHandle.equals(credentialRegistration.getUserIdentity().getId()))
-        .collect(Collectors.toList());
+        .collect(Collectors.toSet());
   }
 
   public void updateSignatureCount(AssertionResultV2<CredentialRegistration> result) {