Skip to content

MDS: Adjust SupportedCtapOptions parsing logic #419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

MDS: Adjust SupportedCtapOptions parsing logic #419

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f4981f2
Adjust parsing logic
fdennis Jun 2, 2025
77a8af8
Add test of SupportedCtapOptions serialization stability
emlun Jun 3, 2025
5bceb93
Fix parsing SupportedCtapOptions from empty JSON object
emlun Jun 3, 2025
ad36a8b
Remove redundant builder defaults
emlun Jun 3, 2025
0452830
Move @JsonAlias alongside @JsonProperty in SupportedCtapOptions
emlun Jun 3, 2025
f51c289
Add perCredMgmtRO and fix url to CTAP
fdennis Jun 10, 2025
8a97204
Update JavaDoc
fdennis Jun 10, 2025
6801734
Add perCredMgmtRO to test
fdennis Jun 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
162 changes: 114 additions & 48 deletions webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/SupportedCtapOptions.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,160 +1,226 @@
package com.yubico.fido.metadata;

import com.fasterxml.jackson.annotation.JsonAlias;
import lombok.AccessLevel;
import lombok.AllArgsConstructor;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import lombok.Builder;
import lombok.Value;
import lombok.extern.jackson.Jacksonized;

/**
* A fixed-keys map of CTAP2 option names to Boolean values representing whether an authenticator
* supports the respective option.
*
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Value
@Builder
@Jacksonized
@AllArgsConstructor(access = AccessLevel.PRIVATE)
public class SupportedCtapOptions {

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean plat = false;
boolean plat;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean rk = false;
boolean rk;

/**
* If set to <code>true</code> the device is capable of accepting PIN.
*
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean clientPin = false;
@JsonInclude(JsonInclude.Include.NON_DEFAULT)
boolean clientPin;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean up = false;
boolean up;

/**
* If set to <code>true</code> the device is capable of built-in user verification.
*
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean uv = false;
@JsonInclude(JsonInclude.Include.NON_DEFAULT)
boolean uv;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@JsonAlias("uvToken")
@Builder.Default
boolean pinUvAuthToken = false;
boolean pinUvAuthToken;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean noMcGaPermissionsWithClientPin = false;
boolean noMcGaPermissionsWithClientPin;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean largeBlobs = false;
boolean largeBlobs;

/**
* If set to <code>true</code> the authenticator is enterprise attestation capable.
*
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean ep = false;
@JsonInclude(JsonInclude.Include.NON_DEFAULT)
boolean ep;

/**
* If set to <code>true</code> the authenticator supports the authenticatorBioEnrollment commands.
*
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean bioEnroll = false;
@JsonInclude(JsonInclude.Include.NON_DEFAULT)
boolean bioEnroll;

/**
* If set to <code>true</code> the authenticator supports the Prototype authenticatorBioEnrollment
* (0x40) commands.
*
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean userVerificationMgmtPreview = false;
@JsonInclude(JsonInclude.Include.NON_DEFAULT)
boolean userVerificationMgmtPreview;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean uvBioEnroll = false;
boolean uvBioEnroll;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@JsonAlias("config")
@Builder.Default
boolean authnrCfg = false;
boolean authnrCfg;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean uvAcfg = false;
boolean uvAcfg;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean credMgmt = false;
boolean credMgmt;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean credentialMgmtPreview = false;
boolean perCredMgmtRO;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean setMinPINLength = false;
@JsonInclude(JsonInclude.Include.NON_DEFAULT)
boolean credentialMgmtPreview;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean makeCredUvNotRqd = false;
boolean setMinPINLength;

/**
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@Builder.Default boolean alwaysUv = false;
boolean makeCredUvNotRqd;

/**
* If set to <code>true</code> the authenticator supports the Always Require User Verification
* feature.
*
* @see <a
* href="https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#authenticatorGetInfo">Client
* to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
*/
@JsonInclude(JsonInclude.Include.NON_DEFAULT)
boolean alwaysUv;

@JsonCreator
private SupportedCtapOptions(
@JsonProperty("plat") Boolean plat,
@JsonProperty("rk") Boolean rk,
@JsonProperty("clientPin") Boolean clientPin,
@JsonProperty("up") Boolean up,
@JsonProperty("uv") Boolean uv,
@JsonAlias("uvToken") @JsonProperty("pinUvAuthToken") Boolean pinUvAuthToken,
@JsonProperty("noMcGaPermissionsWithClientPin") Boolean noMcGaPermissionsWithClientPin,
@JsonProperty("largeBlobs") Boolean largeBlobs,
@JsonProperty("ep") Boolean ep,
@JsonProperty("bioEnroll") Boolean bioEnroll,
@JsonProperty("userVerificationMgmtPreview") Boolean userVerificationMgmtPreview,
@JsonProperty("uvBioEnroll") Boolean uvBioEnroll,
@JsonAlias("config") @JsonProperty("authnrCfg") Boolean authnrCfg,
@JsonProperty("uvAcfg") Boolean uvAcfg,
@JsonProperty("credMgmt") Boolean credMgmt,
@JsonProperty("perCredMgmtRO") Boolean perCredMgmtRO,
@JsonProperty("credentialMgmtPreview") Boolean credentialMgmtPreview,
@JsonProperty("setMinPINLength") Boolean setMinPINLength,
@JsonProperty("makeCredUvNotRqd") Boolean makeCredUvNotRqd,
@JsonProperty("alwaysUv") Boolean alwaysUv) {
this.plat = Boolean.TRUE.equals(plat);
this.rk = Boolean.TRUE.equals(rk);
this.clientPin = clientPin != null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll need to update the JavaDoc for clientPin since the behaviour here is no longer the same as in the CTAP spec.

this.up = Boolean.TRUE.equals(up);
this.uv = uv != null;
this.pinUvAuthToken = Boolean.TRUE.equals(pinUvAuthToken);
this.noMcGaPermissionsWithClientPin = Boolean.TRUE.equals(noMcGaPermissionsWithClientPin);
this.largeBlobs = Boolean.TRUE.equals(largeBlobs);
this.ep = ep != null;
this.bioEnroll = bioEnroll != null;
this.userVerificationMgmtPreview = userVerificationMgmtPreview != null;
this.uvBioEnroll = Boolean.TRUE.equals(uvBioEnroll);
this.authnrCfg = Boolean.TRUE.equals(authnrCfg);
this.uvAcfg = Boolean.TRUE.equals(uvAcfg);
this.credMgmt = Boolean.TRUE.equals(credMgmt);
this.perCredMgmtRO = Boolean.TRUE.equals(perCredMgmtRO);
this.credentialMgmtPreview = Boolean.TRUE.equals(credentialMgmtPreview);
this.setMinPINLength = Boolean.TRUE.equals(setMinPINLength);
this.makeCredUvNotRqd = Boolean.TRUE.equals(makeCredUvNotRqd);
this.alwaysUv = alwaysUv != null;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like an perCredMgmtRO option has been added (between credMgmt and credentialMgmtPreview) since this class was written, we should add that too.

}
62 changes: 62 additions & 0 deletions webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/MetadataBlobSpec.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,17 @@
package com.yubico.fido.metadata

import com.yubico.fido.metadata.Generators.arbitrarySupportedCtapOptions
import com.yubico.internal.util.JacksonCodecs
import com.yubico.webauthn.data.ByteArray
import org.scalacheck.Arbitrary
import org.scalacheck.Gen
import org.scalatest.funspec.AnyFunSpec
import org.scalatest.matchers.should.Matchers
import org.scalatestplus.scalacheck.ScalaCheckDrivenPropertyChecks

import scala.jdk.CollectionConverters.SetHasAsScala
import scala.jdk.OptionConverters.RichOptional

class MetadataBlobSpec
extends AnyFunSpec
with Matchers
Expand Down Expand Up @@ -50,4 +56,60 @@ class MetadataBlobSpec
}
}

describe("SupportedCtapOptions") {
it("can be parsed from an empty JSON object.") {
val options = JacksonCodecs
.json()
.readValue("{}", classOf[SupportedCtapOptions])
options should not be null
options.isPlat should be(false)
options.isRk should be(false)
options.isUp should be(false)
options.isUv should be(false)
options.isPinUvAuthToken should be(false)
options.isNoMcGaPermissionsWithClientPin should be(false)
options.isLargeBlobs should be(false)
options.isEp should be(false)
options.isBioEnroll should be(false)
options.isUserVerificationMgmtPreview should be(false)
options.isUvBioEnroll should be(false)
options.isAuthnrCfg should be(false)
options.isUvAcfg should be(false)
options.isCredMgmt should be(false)
options.isPerCredMgmtRO should be(false)
options.isCredentialMgmtPreview should be(false)
options.isSetMinPINLength should be(false)
options.isMakeCredUvNotRqd should be(false)
options.isAlwaysUv should be(false)
}

it(
"are structurally identical after multiple (de)serialization round-trips."
) {
val json = JacksonCodecs.json()
val blob = json
.readValue(
ByteArray
.fromBase64Url(FidoMds3Examples.BlobPayloadBase64url)
.getBytes,
classOf[MetadataBLOBPayload],
)
val blobOptions = blob.getEntries.asScala
.flatMap(entry => entry.getMetadataStatement.toScala)
.flatMap(statement => statement.getAuthenticatorGetInfo.toScala)
.flatMap(info => info.getOptions.toScala)
forAll(Gen.oneOf(Arbitrary.arbitrary, Gen.oneOf(blobOptions))) {
(options1: SupportedCtapOptions) =>
val encoded1 = json.writeValueAsBytes(options1)
val options2 = json.readValue(encoded1, classOf[SupportedCtapOptions])
val encoded2 = json.writeValueAsBytes(options2)
val options3 = json.readValue(encoded2, classOf[SupportedCtapOptions])

options2 should not be null
options2 should equal(options1)
options3 should not be null
options3 should equal(options1)
}
}
}
}