Merge pull request #47 from Yubico/update-attestation-metadata

Update attestation metadata

Author: emlun

NEWS

@@ -1,15 +1,26 @@
-== Version 1.5.1 (unreleased) ==
+== Version 1.6.0 (unreleased) ==
 
 Security fixes:
 
 - Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942
 
+`webauthn-server-core`:
+
 Bug fixes:
 
 - Fixed bug introduced in 1.4.0, which caused
   `RegistrationResult.attestationMetadata` to always be empty.
 
 
+`webauthn-server-attestation`:
+
+- New enum constant `Transport.LIGHTNING`
+- Fixed transports field of YubiKey NEO/NEO-n in `metadata.json`.
+- Added YubiKey 5Ci to `metadata.json`.
+- Most `deviceUrl` fields in `metadata.json` changed to point to stable
+  addresses in Yubico knowledge base instead of dead redirects in store.
+
+
 == Version 1.5.0 ==
 
 Changes:

webauthn-server-attestation/src/main/resources/metadata.json

@@ -1,6 +1,6 @@
 {
   "identifier": "2fb54029-7613-4f1d-94f1-fb876c14a6fe",
-  "version": 5,
+  "version": 11,
   "vendorInfo": {
     "url": "https://yubico.com",
     "imageUrl": "https://developers.yubico.com/U2F/Images/yubico.png",
@@ -14,7 +14,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.1",
       "displayName": "Security Key NFC by Yubico",
       "transports": 12,
-      "deviceUrl": "https://www.yubico.com/product/security-key-nfc-by-yubico/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000019469-security-key-nfc",
       "imageUrl": "https://developers.yubico.com/U2F/Images/SKY-NFC.png",
       "selectors": [
         {
@@ -34,7 +34,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.1",
       "displayName": "Security Key by Yubico",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006900-security-key-by-yubico",
       "imageUrl": "https://developers.yubico.com/U2F/Images/SKY.png",
       "selectors": [
         {
@@ -55,8 +55,8 @@
     {
       "deviceId": "1.3.6.1.4.1.41482.1.2",
       "displayName": "YubiKey NEO/NEO-n",
-      "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/yubikey-neo/",
+      "transports": 12,
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo",
       "imageUrl": "https://developers.yubico.com/U2F/Images/NEO.png",
       "selectors": [
         {
@@ -100,7 +100,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.4",
       "displayName": "YubiKey Edge",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006492-yubikey-edge",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YKE.png",
       "selectors": [
         {
@@ -116,7 +116,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.5",
       "displayName": "YubiKey 4/YubiKey 4 Nano",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/yubikey4/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK4.png",
       "selectors": [
         {
@@ -132,7 +132,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.7",
       "displayName": "YubiKey 5 NFC",
       "transports": 12,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-5-overview/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000014174--yubikey-5-nfc",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK5.png",
       "selectors": [
         {
@@ -151,7 +151,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.7",
       "displayName": "YubiKey 5 Series security key",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-5-overview/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000014180-yubikey-5c",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK5-series.png",
       "selectors": [
         {
@@ -165,6 +165,25 @@
           }
         }
       ]
+    },
+    {
+      "deviceId": "1.3.6.1.4.1.41482.1.7",
+      "displayName": "YubiKey 5Ci",
+      "transports": 20,
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000027140-yubikey-5ci",
+      "imageUrl": "https://developers.yubico.com/U2F/Images/YK5Ci.png",
+      "selectors": [
+        {
+          "type": "x509Extension",
+          "parameters": {
+            "key": "1.3.6.1.4.1.45724.1.1.4",
+            "value": {
+              "type": "hex",
+              "value": "c5ef55ffad9a4b9fb580adebafe026d0"
+            }
+          }
+        }
+      ]
     }
   ]
 }

webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala

@@ -33,6 +33,9 @@ import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
 import com.yubico.webauthn.test.RealExamples
 import com.yubico.webauthn.FinishRegistrationOptions
 import com.yubico.webauthn.RelyingParty
+import com.yubico.webauthn.attestation.Transport.LIGHTNING
+import com.yubico.webauthn.attestation.Transport.NFC
+import com.yubico.webauthn.attestation.Transport.USB
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
 import com.yubico.webauthn.data.PublicKeyCredentialParameters
 import com.yubico.webauthn.test.Helpers
@@ -57,7 +60,7 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
   describe("A RelyingParty with the default StandardMetadataService") {
 
     describe("correctly identifies") {
-      def check(expectedName: String, testData: RealExamples.Example) {
+      def check(expectedName: String, testData: RealExamples.Example, transports: Set[Transport]) {
         val rp = RelyingParty.builder()
           .identity(testData.rp)
           .credentialRepository(Helpers.CredentialRepository.empty)
@@ -78,62 +81,72 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
         result.getAttestationMetadata.isPresent should be (true)
         result.getAttestationMetadata.get.getDeviceProperties.isPresent should be (true)
         result.getAttestationMetadata.get.getDeviceProperties.get().get("displayName") should equal (expectedName)
+        result.getAttestationMetadata.get.getTransports.isPresent should be (true)
+        result.getAttestationMetadata.get.getTransports.get.asScala should equal (transports)
       }
 
       it("a YubiKey NEO.") {
-        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo)
+        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo, Set(USB, NFC))
       }
       it("a YubiKey 4.") {
-        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4)
+        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4, Set(USB))
       }
       it("a YubiKey 5 NFC.") {
-        check("YubiKey 5 NFC", RealExamples.YubiKey5)
+        check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
       }
       it("a YubiKey 5 Nano.") {
-        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano)
+        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
+      }
+      it("a YubiKey 5Ci.") {
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
       }
       it("a Security Key by Yubico.") {
-        check("Security Key by Yubico", RealExamples.SecurityKey)
+        check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
       }
       it("a Security Key 2 by Yubico.") {
-        check("Security Key by Yubico", RealExamples.SecurityKey2)
+        check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
       }
       it("a Security Key NFC by Yubico.") {
-        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc)
+        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc, Set(USB, NFC))
       }
     }
   }
 
   describe("The default AttestationResolver") {
     describe("successfully identifies") {
-      def check(expectedName: String, testData: RealExamples.Example) {
+      def check(expectedName: String, testData: RealExamples.Example, transports: Set[Transport]) {
         val cert = CertificateParser.parseDer(testData.attestationCert.getBytes)
         val resolved = StandardMetadataService.createDefaultAttestationResolver().resolve(cert)
         resolved.isPresent should be (true)
         resolved.get.getDeviceProperties.isPresent should be (true)
         resolved.get.getDeviceProperties.get.get("displayName") should equal (expectedName)
+        resolved.get.getTransports.isPresent should be (true)
+        resolved.get.getTransports.get.asScala should equal (transports)
       }
 
       it("a YubiKey NEO.") {
-        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo)
+        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo, Set(USB, NFC))
       }
       it("a YubiKey 4.") {
-        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4)
+        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4, Set(USB))
       }
       it("a YubiKey 5 NFC.") {
-        check("YubiKey 5 NFC", RealExamples.YubiKey5)
+        check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
       }
       it("a YubiKey 5 Nano.") {
-        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano)
+        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
+      }
+      it("a YubiKey 5Ci.") {
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
       }
       it("a Security Key by Yubico.") {
-        check("Security Key by Yubico", RealExamples.SecurityKey)
+        check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
       }
       it("a Security Key 2 by Yubico.") {
-        check("Security Key by Yubico", RealExamples.SecurityKey2)
+        check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
       }
       it("a Security Key NFC by Yubico.") {
-        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc)
+        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc, Set(USB, NFC))
       }
     }
   }

webauthn-server-core/src/main/java/com/yubico/webauthn/attestation/Transport.java

@@ -50,7 +50,12 @@ public enum Transport {
     /**
      * The authenticator supports communication via Near Field Communication (NFC).
      */
-    NFC(8);
+    NFC(8),
+
+    /**
+     * The authenticator supports communication via Lightning.
+     */
+    LIGHTNING(16);
 
     private final int bitpos;
 

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala

@@ -106,6 +106,9 @@ class RelyingPartyCeremoniesSpec extends FunSpec with Matchers {
       it("a YubiKey 5 Nano.") {
         check(RealExamples.YubiKey5Nano)
       }
+      it("a YubiKey 5Ci.") {
+        check(RealExamples.YubiKey5Ci)
+      }
       it("a Security Key by Yubico.") {
         check(RealExamples.SecurityKey)
       }

webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala

@@ -123,6 +123,21 @@ object RealExamples {
     )
   )
 
+  val YubiKey5Ci = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEYwRAIgXOZEuIaBrKT5VYJu9_D410HgJRm1SenwlKiXtcQxe0ICIG1_ycPCKHPjEsgRFVr4WdK5IY8K7aCyAc03c1-wnBJCY3g1Y4FZAsEwggK9MIIBpaADAgECAgQr8Xx4MA0GCSqGSIb3DQEBCwUAMC4xLDAqBgNVBAMTI1l1YmljbyBVMkYgUm9vdCBDQSBTZXJpYWwgNDU3MjAwNjMxMCAXDTE0MDgwMTAwMDAwMFoYDzIwNTAwOTA0MDAwMDAwWjBuMQswCQYDVQQGEwJTRTESMBAGA1UECgwJWXViaWNvIEFCMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMScwJQYDVQQDDB5ZdWJpY28gVTJGIEVFIFNlcmlhbCA3MzcyNDYzMjgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR0wseEI8hxLptI8llYZvxwQK5M3wfXd9WFrwSTme36kjy-tJ-XFvn1WnhsNCUfyPNePehbVnBQOMcLoScZYHmLo2wwajAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNzATBgsrBgEEAYLlHAIBAQQEAwICJDAhBgsrBgEEAYLlHAEBBAQSBBDF71X_rZpLn7WAreuv4CbQMAwGA1UdEwEB_wQCMAAwDQYJKoZIhvcNAQELBQADggEBAItuk3adeE1u6dkA0nECf8J35Lgm5mw5udSIucstLQU9ZrTVNjwXugnxsT5oVriRN7o1BB-Lz7KJmtDw34kvh_uA11A9Ksf6veIV3hK-ugN7WNok7gn0t6IWOZF1xVr7lyo0XgbV88Kh-_D1biUqc5u49qSvTH-Jx1WrUxeFh1S1CTpmvmYGdzgWE32qLsNeoscPkbtkVSYbB8hwPb7SbV_WbBBLzJEPn79oMJ_e-63B12iLdyu2K_PKuibBsqSVHioe6cnvksZktkDykn-ZedRDpNOyBGo-89eBA9tLIYx_bP8Mg9tCoIP8GZzh2P2joujOF4F0O1xkICNI9MB3-6JoYXV0aERhdGFYxKN5pvbur7mlXjeMEYA04nUeaC-rny0wqxPSElWGzhlHQQAAAATF71X_rZpLn7WAreuv4CbQAEDDAvEvv-vY_dFxV_gwT7mhKUN9M6PatW8FqDSEjXAaJL4EjL5exyo-FIaoqgH4lfmw-19_6ao6j9zPlFGHBmUOpQECAyYgASFYILUgImoYph7H0FqX_aKS3A4Ph1Aki_Edg9YB6oxw7nrIIlgghBKeVu0Z4cV6-Cya1H2ZTeeWdisBlK6QWDM89ne6794=")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("wwLxL7_r2P3RcVf4ME-5oSlDfTOj2rVvBag0hI1wGiS-BIy-XscqPhSGqKoB-JX5sPtff-mqOo_cz5RRhwZlDg=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcBAAAABw=="),
+      sig = ByteArray.fromBase64Url("MEQCIHqWh09siRtXwUCVOnTrWUTfJfe9zv0_-WYd376qUcBqAiBMdsCPp-LpUEhgSbOz8y6hS1YTKFgpN-nIrpYDTxQhiA=="),
+    )
+  )
+
   val SecurityKey = Example(
     RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
     UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),