UY-1353 Updated yubico lib to the latest version;

fixed jackson cbor dependency version;
dropped unused attestation code (which btw was hard to be updated)

Author: golbi

fido/src/main/java/io/imunity/fido/credential/FidoCredentialInfo.java

@@ -4,29 +4,24 @@
  */
 package io.imunity.fido.credential;
 
-import com.fasterxml.jackson.annotation.JsonIgnore;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.core.type.TypeReference;
-import com.yubico.webauthn.RegisteredCredential;
-import com.yubico.webauthn.attestation.Attestation;
-import com.yubico.webauthn.attestation.Transport;
-import com.yubico.webauthn.data.ByteArray;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-import pl.edu.icm.unity.Constants;
+import static java.util.Objects.isNull;
 
 import java.io.IOException;
 import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
-import java.util.Set;
 
-import static java.util.Objects.isNull;
-import static java.util.Objects.nonNull;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.yubico.webauthn.RegisteredCredential;
+import com.yubico.webauthn.data.ByteArray;
+
+import pl.edu.icm.unity.Constants;
 
 /**
  * Holds information about Fido 2 credential details - represents single public key information.
@@ -74,22 +69,6 @@ private FidoCredentialInfo()
 	 */
 	private String aaguid;
 
-	// Attestation properties
-	/**
-	 * Indicates if attestation key was confirmed as trusted during registration.
-	 */
-	private boolean attestationTrusted;
-	/**
-	 * Metadata and authenticator properties
-	 */
-	private String metadataIdentifier;
-	private Map<String, String> vendorProperties;
-	private Map<String, String> deviceProperties;
-	/**
-	 * What transport of data is supported by Authenticator.
-	 */
-	private Set<Transport> transports;
-
 	// Mutable fields
 	/**
 	 * Number of times private key was used to sign challenge - stored also on Authenticator
@@ -134,36 +113,11 @@ public String getAaguid()
 		return aaguid;
 	}
 
-	public boolean isAttestationTrusted()
-	{
-		return attestationTrusted;
-	}
-
 	public String getAttestationFormat()
 	{
 		return attestationFormat;
 	}
 
-	public String getMetadataIdentifier()
-	{
-		return metadataIdentifier;
-	}
-
-	public Map<String, String> getVendorProperties()
-	{
-		return vendorProperties;
-	}
-
-	public Map<String, String> getDeviceProperties()
-	{
-		return deviceProperties;
-	}
-
-	public Set<Transport> getTransports()
-	{
-		return transports;
-	}
-
 	public long getSignatureCount()
 	{
 		return signatureCount;
@@ -242,24 +196,21 @@ public boolean equals(Object o)
 		return registrationTimestamp == that.registrationTimestamp &&
 				userPresent == that.userPresent &&
 				userVerified == that.userVerified &&
-				attestationTrusted == that.attestationTrusted &&
 				signatureCount == that.signatureCount &&
 				Objects.equals(credentialId, that.credentialId) &&
 				Objects.equals(publicKeyCose, that.publicKeyCose) &&
 				Objects.equals(attestationFormat, that.attestationFormat) &&
 				Objects.equals(aaguid, that.aaguid) &&
-				Objects.equals(metadataIdentifier, that.metadataIdentifier) &&
-				Objects.equals(vendorProperties, that.vendorProperties) &&
-				Objects.equals(deviceProperties, that.deviceProperties) &&
-				Objects.equals(transports, that.transports) &&
 				Objects.equals(description, that.description) &&
 				Objects.equals(userHandle, that.userHandle);
 	}
 
 	@Override
 	public int hashCode()
 	{
-		return Objects.hash(registrationTimestamp, credentialId, publicKeyCose, userPresent, userVerified, attestationFormat, aaguid, attestationTrusted, metadataIdentifier, vendorProperties, deviceProperties, transports, signatureCount, description, userHandle);
+		return Objects.hash(registrationTimestamp, credentialId, publicKeyCose, userPresent, userVerified, 
+				attestationFormat, aaguid, 
+				signatureCount, description, userHandle);
 	}
 
 	public static FidoCredentialInfoBuilder builder()
@@ -285,12 +236,6 @@ public static final class FidoCredentialInfoBuilder
 		private String aaguid;
 		private String description;
 
-		private boolean attestationTrusted;
-		private String metadataIdentifier;
-		private Map<String, String> vendorProperties;
-		private Map<String, String> deviceProperties;
-		private Set<Transport> transports;
-
 		private String userHandle;
 
 		private FidoCredentialInfoBuilder()
@@ -308,11 +253,6 @@ private FidoCredentialInfoBuilder(FidoCredentialInfo credentialInfo)
 			this.attestationFormat = credentialInfo.attestationFormat;
 			this.aaguid = credentialInfo.aaguid;
 			this.description = credentialInfo.description;
-			this.attestationTrusted = credentialInfo.attestationTrusted;
-			this.metadataIdentifier = credentialInfo.metadataIdentifier;
-			this.vendorProperties = credentialInfo.vendorProperties;
-			this.deviceProperties = credentialInfo.deviceProperties;
-			this.transports = credentialInfo.transports;
 			this.userHandle = credentialInfo.userHandle;;
 		}
 
@@ -345,53 +285,6 @@ public FidoCredentialInfoBuilder registrationTime(long registrationTime)
 			return this;
 		}
 
-
-		public FidoCredentialInfoBuilder attestationTrusted(boolean attestationTrusted)
-		{
-			this.attestationTrusted = attestationTrusted;
-			return this;
-		}
-
-		public FidoCredentialInfoBuilder metadataIdentifier(String metadataIdentifier)
-		{
-			this.metadataIdentifier = metadataIdentifier;
-			return this;
-		}
-
-		public FidoCredentialInfoBuilder vendorProperties(Map<String, String> vendorProperties)
-		{
-			if (nonNull(vendorProperties) && !vendorProperties.isEmpty())
-				this.vendorProperties = new HashMap<>(vendorProperties);
-			return this;
-		}
-
-		public FidoCredentialInfoBuilder deviceProperties(Map<String, String> deviceProperties)
-		{
-			if (nonNull(deviceProperties) && !deviceProperties.isEmpty())
-				this.deviceProperties = new HashMap<>(deviceProperties);
-			return this;
-		}
-
-		public FidoCredentialInfoBuilder transports(Set<Transport> transports)
-		{
-			if (nonNull(transports) && !transports.isEmpty())
-				this.transports = new HashSet<>(transports);
-			return this;
-		}
-
-		public FidoCredentialInfoBuilder attestationMetadata(Attestation attestationMetadata)
-		{
-			if (nonNull(attestationMetadata))
-			{
-				this.attestationTrusted = attestationMetadata.isTrusted();
-				this.metadataIdentifier = attestationMetadata.getMetadataIdentifier().orElse(null);
-				this.vendorProperties = attestationMetadata.getVendorProperties().orElse(null);
-				this.deviceProperties = attestationMetadata.getDeviceProperties().orElse(null);
-				this.transports = attestationMetadata.getTransports().orElse(null);
-			}
-			return this;
-		}
-
 		public FidoCredentialInfoBuilder userPresent(final boolean userPresent)
 		{
 			this.userPresent = userPresent;
@@ -447,12 +340,6 @@ public FidoCredentialInfo build()
 				info.aaguid = null; // for NONE attestation aaguid is always reset to 0s
 			}
 
-			info.attestationTrusted = this.attestationTrusted;
-			info.metadataIdentifier = this.metadataIdentifier;
-			info.vendorProperties = this.vendorProperties;
-			info.deviceProperties = this.deviceProperties;
-			info.transports = this.transports;
-
 			info.description = this.description;
 
 			return info;

fido/src/main/java/io/imunity/fido/service/FidoCredentialRegistrationVerificator.java

@@ -8,14 +8,14 @@
 import com.yubico.webauthn.FinishRegistrationOptions;
 import com.yubico.webauthn.RegistrationResult;
 import com.yubico.webauthn.StartRegistrationOptions;
-import com.yubico.webauthn.attestation.Attestation;
 import com.yubico.webauthn.data.AttestedCredentialData;
 import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
 import com.yubico.webauthn.data.AuthenticatorSelectionCriteria;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
+import com.yubico.webauthn.data.ResidentKeyRequirement;
 import com.yubico.webauthn.data.UserIdentity;
 import com.yubico.webauthn.data.UserVerificationRequirement;
 import com.yubico.webauthn.exception.RegistrationFailedException;
@@ -61,19 +61,18 @@ class FidoCredentialRegistrationVerificator implements FidoRegistration
 	private AdvertisedAddressProvider addressProvider;
 
 	@Autowired
-	public FidoCredentialRegistrationVerificator(final MessageSource msg, final FidoEntityHelper entityHelper,
-												 final UnityFidoRegistrationStorage.UnityFidoRegistrationStorageCache fidoStorage,
-												 final AdvertisedAddressProvider addressProvider)
+	public FidoCredentialRegistrationVerificator(MessageSource msg, FidoEntityHelper entityHelper,
+			UnityFidoRegistrationStorage.UnityFidoRegistrationStorageCache fidoStorage,
+			AdvertisedAddressProvider addressProvider)
 	{
 		this.msg = msg;
 		this.entityHelper = entityHelper;
 		this.fidoStorage = fidoStorage;
 		this.addressProvider = addressProvider;
 	}
 
-	public SimpleEntry<String, String> getRegistrationOptions(final String credentialName, final String credentialConfiguration,
-															  final Long entityId, final String username,
-															  final boolean useResidentKey) throws FidoException
+	public SimpleEntry<String, String> getRegistrationOptions(String credentialName, String credentialConfiguration,
+			Long entityId, String username, boolean useResidentKey) throws FidoException
 	{
 		Optional<Identities> resolvedUsername = entityHelper.resolveUsername(entityId, username);
 		if (!resolvedUsername.isPresent() && (isNull(username) || username.isEmpty()))
@@ -84,7 +83,10 @@ public SimpleEntry<String, String> getRegistrationOptions(final String credentia
 		String displayName = resolvedUsername.map(entityHelper::getDisplayName).orElse(username);
 
 		FidoCredential fidoCredential = FidoCredential.deserialize(credentialConfiguration);
-		PublicKeyCredentialCreationOptions registrationRequest = getRelyingParty(addressProvider.get().getHost(), fidoStorage.getInstance(credentialName), fidoCredential)
+		ResidentKeyRequirement residentKeyRequirement = fidoCredential.isLoginLessAllowed() && useResidentKey ? 
+				ResidentKeyRequirement.PREFERRED : ResidentKeyRequirement.DISCOURAGED;
+		PublicKeyCredentialCreationOptions registrationRequest = getRelyingParty(addressProvider.get().getHost(), 
+				fidoStorage.getInstance(credentialName), fidoCredential)
 				.startRegistration(StartRegistrationOptions.builder()
 				.user(UserIdentity.builder()
 						.name(registrationUsername)
@@ -93,7 +95,7 @@ public SimpleEntry<String, String> getRegistrationOptions(final String credentia
 						.build())
 				.authenticatorSelection(AuthenticatorSelectionCriteria.builder()
 						.userVerification(UserVerificationRequirement.valueOf(fidoCredential.getUserVerification()))
-						.requireResidentKey(fidoCredential.isLoginLessAllowed() && useResidentKey)
+						.residentKey(residentKeyRequirement)
 						.build())
 				.build());
 
@@ -110,8 +112,8 @@ public SimpleEntry<String, String> getRegistrationOptions(final String credentia
 		return new SimpleEntry<>(reqId, json);
 	}
 
-	public FidoCredentialInfo createFidoCredentials(final String credentialName, final String credentialConfiguration,
-													final String reqId, final String responseJson) throws FidoException
+	public FidoCredentialInfo createFidoCredentials(String credentialName, String credentialConfiguration,
+			String reqId, String responseJson) throws FidoException
 	{
 		log.debug("Fido finalize registration for reqId: {}", reqId);
 		try
@@ -122,7 +124,9 @@ public FidoCredentialInfo createFidoCredentials(final String credentialName, fin
 
 			PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> pkc =
 					PublicKeyCredential.parseRegistrationResponseJson(responseJson);
-			RegistrationResult result = getRelyingParty(addressProvider.get().getHost(), fidoStorage.getInstance(credentialName), FidoCredential.deserialize(credentialConfiguration))
+			RegistrationResult result = getRelyingParty(addressProvider.get().getHost(), 
+						fidoStorage.getInstance(credentialName), 
+						FidoCredential.deserialize(credentialConfiguration))
 					.finishRegistration(FinishRegistrationOptions.builder()
 					.request(registrationRequest)
 					.response(pkc)
@@ -135,11 +139,11 @@ public FidoCredentialInfo createFidoCredentials(final String credentialName, fin
 		}
 	}
 
-	private FidoCredentialInfo createFidoCredentialInfo(PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> pkc,
-														PublicKeyCredentialCreationOptions registrationRequest, RegistrationResult result)
+	private FidoCredentialInfo createFidoCredentialInfo(PublicKeyCredential<AuthenticatorAttestationResponse, 
+			ClientRegistrationExtensionOutputs> pkc,
+			PublicKeyCredentialCreationOptions registrationRequest, 
+			RegistrationResult result)
 	{
-		Optional<Attestation> attestationMetadata = result.getAttestationMetadata();
-
 		return FidoCredentialInfo.builder()
 				.registrationTime(System.currentTimeMillis())
 				.credentialId(result.getKeyId().getId())
@@ -148,8 +152,8 @@ private FidoCredentialInfo createFidoCredentialInfo(PublicKeyCredential<Authenti
 				.userPresent(pkc.getResponse().getParsedAuthenticatorData().getFlags().UP)
 				.userVerified(pkc.getResponse().getParsedAuthenticatorData().getFlags().UV)
 				.attestationFormat(pkc.getResponse().getAttestation().getFormat())
-				.aaguid(pkc.getResponse().getParsedAuthenticatorData().getAttestedCredentialData().map(AttestedCredentialData::getAaguid).map(ByteArray::getHex).orElse(null))
-				.attestationMetadata(attestationMetadata.orElse(null))
+				.aaguid(pkc.getResponse().getParsedAuthenticatorData().getAttestedCredentialData()
+						.map(AttestedCredentialData::getAaguid).map(ByteArray::getHex).orElse(null))
 				.userHandle(new FidoUserHandle(registrationRequest.getUser().getId().getBytes()).asString())
 				.build();
 	}

fido/src/main/java/io/imunity/fido/service/FidoCredentialVerificator.java

@@ -285,10 +285,10 @@ static RelyingParty getRelyingParty(String hostName, UnityFidoRegistrationStorag
 						.name(credentialConfiguration.getHostName())
 						.build())
 				.credentialRepository(storage)
-				.attestationConveyancePreference(AttestationConveyancePreference.valueOf(credentialConfiguration.getAttestationConveyance()))
+				.attestationConveyancePreference(AttestationConveyancePreference.valueOf(
+						credentialConfiguration.getAttestationConveyance()))
 				.allowUntrustedAttestation(true)
 				.allowOriginPort(true)
-				.allowUnrequestedExtensions(true)
 				.build();
 	}
 

fido/src/test/java/io/imunity/fido/credential/FidoCredentialInfoTest.java

@@ -4,20 +4,17 @@
  */
 package io.imunity.fido.credential;
 
-import com.google.common.collect.ImmutableMap;
-import com.yubico.webauthn.attestation.Transport;
-import com.yubico.webauthn.data.ByteArray;
-import com.yubico.webauthn.data.exception.HexException;
-import org.junit.Test;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
 
-import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Random;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotEquals;
+import org.junit.Test;
+
+import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.exception.HexException;
 
 /**
  * Test for {@link FidoCredentialInfo} class
@@ -110,11 +107,6 @@ private FidoCredentialInfo generateCredential() throws HexException
 				.userVerified(random.nextBoolean())
 				.attestationFormat("android")
 				.aaguid("123456789012345678" + random.nextInt(1000))
-				.attestationTrusted(random.nextBoolean())
-				.metadataIdentifier("metadataIdentyfier" + random.nextInt(1000))
-				.vendorProperties(ImmutableMap.of("k1", "v1" + random.nextInt(1000)))
-				.deviceProperties(ImmutableMap.of("k2", "v2" + random.nextInt(1000)))
-				.transports(new HashSet<>(Arrays.asList(Transport.USB)))
 				.signatureCount(random.nextInt(1000))
 				.description("Description " + random.nextInt(1000))
 				.userHandle("a1bec3d4e5f" + random.nextInt(1000))