Add support for PublicKeyCredentialHint

Yubico · Sep 6, 2024 · cab8c13 · cab8c13
1 parent 37f32c3
commit cab8c13
Show file tree

Hide file tree

Showing 10 changed files with 312 additions and 17 deletions.
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java
@@ -493,7 +493,8 @@ public PublicKeyCredentialCreationOptions startRegistration(
                             .appidExclude(appId)
                             .credProps()
                             .build()))
-            .timeout(startRegistrationOptions.getTimeout());
+            .timeout(startRegistrationOptions.getTimeout())
+            .hints(startRegistrationOptions.getHints());
     attestationConveyancePreference.ifPresent(builder::attestation);
     return builder.build();
   }

diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingPartyV2.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingPartyV2.java
@@ -452,7 +452,8 @@ public PublicKeyCredentialCreationOptions startRegistration(
                             .appidExclude(appId)
                             .credProps()
                             .build()))
-            .timeout(startRegistrationOptions.getTimeout());
+            .timeout(startRegistrationOptions.getTimeout())
+            .hints(startRegistrationOptions.getHints());
     attestationConveyancePreference.ifPresent(builder::attestation);
     return builder.build();
   }
@@ -509,7 +510,8 @@ public AssertionRequest startAssertion(StartAssertionOptions startAssertionOptio
                 startAssertionOptions
                     .getExtensions()
                     .merge(startAssertionOptions.getExtensions().toBuilder().appid(appId).build()))
-            .timeout(startAssertionOptions.getTimeout());
+            .timeout(startAssertionOptions.getTimeout())
+            .hints(startAssertionOptions.getHints());
 
     startAssertionOptions.getUserVerification().ifPresent(pkcro::userVerification);
 

diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/StartAssertionOptions.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/StartAssertionOptions.java
@@ -26,8 +26,12 @@
 
 import com.yubico.webauthn.data.AssertionExtensionInputs;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.PublicKeyCredentialHint;
 import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions;
 import com.yubico.webauthn.data.UserVerificationRequirement;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Optional;
 import lombok.Builder;
 import lombok.NonNull;
@@ -36,7 +40,7 @@
 /** Parameters for {@link RelyingParty#startAssertion(StartAssertionOptions)}. */
 @Value
 @Builder(toBuilder = true)
-public class StartAssertionOptions {
+public final class StartAssertionOptions {
 
   private final String username;
 
@@ -79,6 +83,23 @@ public class StartAssertionOptions {
    */
   private final Long timeout;
 
+  private final List<String> hints;
+
+  private StartAssertionOptions(
+      String username,
+      ByteArray userHandle,
+      @NonNull AssertionExtensionInputs extensions,
+      UserVerificationRequirement userVerification,
+      Long timeout,
+      List<String> hints) {
+    this.username = username;
+    this.userHandle = userHandle;
+    this.extensions = extensions;
+    this.userVerification = userVerification;
+    this.timeout = timeout;
+    this.hints = hints == null ? Collections.emptyList() : Collections.unmodifiableList(hints);
+  }
+
   /**
    * The username of the user to authenticate, if the user has already been identified.
    *
@@ -370,5 +391,20 @@ public StartAssertionOptionsBuilder timeout(long timeout) {
     private StartAssertionOptionsBuilder timeout(Long timeout) {
       return this.timeout(Optional.ofNullable(timeout));
     }
+
+    public StartAssertionOptionsBuilder hints(@NonNull String... hints) {
+      this.hints = Arrays.asList(hints);
+      return this;
+    }
+
+    public StartAssertionOptionsBuilder hints(@NonNull PublicKeyCredentialHint... hints) {
+      return this.hints(
+          Arrays.stream(hints).map(PublicKeyCredentialHint::getValue).toArray(String[]::new));
+    }
+
+    public StartAssertionOptionsBuilder hints(@NonNull List<String> hints) {
+      this.hints = hints;
+      return this;
+    }
   }
 }
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/StartRegistrationOptions.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/StartRegistrationOptions.java
@@ -26,8 +26,12 @@
 
 import com.yubico.webauthn.data.AuthenticatorSelectionCriteria;
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
+import com.yubico.webauthn.data.PublicKeyCredentialHint;
 import com.yubico.webauthn.data.RegistrationExtensionInputs;
 import com.yubico.webauthn.data.UserIdentity;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Optional;
 import lombok.Builder;
 import lombok.NonNull;
@@ -36,7 +40,7 @@
 /** Parameters for {@link RelyingParty#startRegistration(StartRegistrationOptions)}. */
 @Value
 @Builder(toBuilder = true)
-public class StartRegistrationOptions {
+public final class StartRegistrationOptions {
 
   /** Identifiers for the user creating a credential. */
   @NonNull private final UserIdentity user;
@@ -64,6 +68,21 @@ public class StartRegistrationOptions {
    */
   private final Long timeout;
 
+  private final List<String> hints;
+
+  private StartRegistrationOptions(
+      @NonNull UserIdentity user,
+      AuthenticatorSelectionCriteria authenticatorSelection,
+      @NonNull RegistrationExtensionInputs extensions,
+      Long timeout,
+      List<String> hints) {
+    this.user = user;
+    this.authenticatorSelection = authenticatorSelection;
+    this.extensions = extensions;
+    this.timeout = timeout;
+    this.hints = hints == null ? Collections.emptyList() : Collections.unmodifiableList(hints);
+  }
+
   /**
    * Constraints on what kind of authenticator the user is allowed to use to create the credential,
    * and on features that authenticator must or should support.
@@ -157,5 +176,20 @@ public StartRegistrationOptionsBuilder timeout(@NonNull Optional<Long> timeout)
     public StartRegistrationOptionsBuilder timeout(long timeout) {
       return this.timeout(Optional.of(timeout));
     }
+
+    public StartRegistrationOptionsBuilder hints(@NonNull String... hints) {
+      this.hints = Arrays.asList(hints);
+      return this;
+    }
+
+    public StartRegistrationOptionsBuilder hints(@NonNull PublicKeyCredentialHint... hints) {
+      return this.hints(
+          Arrays.stream(hints).map(PublicKeyCredentialHint::getValue).toArray(String[]::new));
+    }
+
+    public StartRegistrationOptionsBuilder hints(@NonNull List<String> hints) {
+      this.hints = hints;
+      return this;
+    }
   }
 }
diff --git a/...erver-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialCreationOptions.java b/...erver-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialCreationOptions.java
@@ -36,6 +36,7 @@
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
@@ -94,6 +95,8 @@ public class PublicKeyCredentialCreationOptions {
    */
   private final Long timeout;
 
+  private final List<String> hints;
+
   /**
    * Intended for use by Relying Parties that wish to limit the creation of multiple credentials for
    * the same account on a single authenticator. The client is requested to return an error if the
@@ -136,6 +139,7 @@ private PublicKeyCredentialCreationOptions(
       @NonNull @JsonProperty("pubKeyCredParams")
           List<PublicKeyCredentialParameters> pubKeyCredParams,
       @JsonProperty("timeout") Long timeout,
+      @JsonProperty("hints") List<String> hints,
       @JsonProperty("excludeCredentials") Set<PublicKeyCredentialDescriptor> excludeCredentials,
       @JsonProperty("authenticatorSelection") AuthenticatorSelectionCriteria authenticatorSelection,
       @JsonProperty("attestation") AttestationConveyancePreference attestation,
@@ -145,6 +149,7 @@ private PublicKeyCredentialCreationOptions(
     this.challenge = challenge;
     this.pubKeyCredParams = filterAvailableAlgorithms(pubKeyCredParams);
     this.timeout = timeout;
+    this.hints = hints == null ? Collections.emptyList() : Collections.unmodifiableList(hints);
     this.excludeCredentials =
         excludeCredentials == null
             ? null
@@ -317,6 +322,22 @@ public PublicKeyCredentialCreationOptionsBuilder timeout(long timeout) {
       return this.timeout(Optional.of(timeout));
     }
 
+    public PublicKeyCredentialCreationOptionsBuilder hints(@NonNull String... hints) {
+      this.hints = Arrays.asList(hints);
+      return this;
+    }
+
+    public PublicKeyCredentialCreationOptionsBuilder hints(
+        @NonNull PublicKeyCredentialHint... hints) {
+      return this.hints(
+          Arrays.stream(hints).map(PublicKeyCredentialHint::getValue).toArray(String[]::new));
+    }
+
+    public PublicKeyCredentialCreationOptionsBuilder hints(List<String> hints) {
+      this.hints = hints;
+      return this;
+    }
+
     /**
      * Intended for use by Relying Parties that wish to limit the creation of multiple credentials
      * for the same account on a single authenticator. The client is requested to return an error if

diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialHint.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialHint.java
@@ -0,0 +1,110 @@
+// Copyright (c) 2018, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+//    list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+//    this list of conditions and the following disclaimer in the documentation
+//    and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.webauthn.data;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+import java.util.stream.Stream;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
+import lombok.NonNull;
+import lombok.Value;
+
+/**
+ * Authenticators may communicate with Clients using a variety of transports. This enumeration
+ * defines a hint as to how Clients might communicate with a particular Authenticator in order to
+ * obtain an assertion for a specific credential. Note that these hints represent the Relying
+ * Party's best belief as to how an Authenticator may be reached. A Relying Party may obtain a list
+ * of transports hints from some attestation statement formats or via some out-of-band mechanism; it
+ * is outside the scope of this specification to define that mechanism.
+ *
+ * <p>Authenticators may implement various transports for communicating with clients. This
+ * enumeration defines hints as to how clients might communicate with a particular authenticator in
+ * order to obtain an assertion for a specific credential. Note that these hints represent the
+ * WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party
+ * may obtain a list of transports hints from some attestation statement formats or via some
+ * out-of-band mechanism; it is outside the scope of the Web Authentication specification to define
+ * that mechanism.
+ *
+ * @see <a
+ *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#enumdef-authenticatortransport">§5.10.4.
+ *     Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>
+ */
+@Value
+@AllArgsConstructor(access = AccessLevel.PRIVATE)
+public class PublicKeyCredentialHint {
+
+  @JsonValue @NonNull private final String value;
+
+  public static final PublicKeyCredentialHint SECURITY_KEY =
+      new PublicKeyCredentialHint("security-key");
+
+  public static final PublicKeyCredentialHint CLIENT_DEVICE =
+      new PublicKeyCredentialHint("client-device");
+
+  public static final PublicKeyCredentialHint HYBRID = new PublicKeyCredentialHint("hybrid");
+
+  /**
+   * @return An array containing all predefined values of {@link PublicKeyCredentialHint} known by
+   *     this implementation.
+   */
+  public static PublicKeyCredentialHint[] values() {
+    return new PublicKeyCredentialHint[] {SECURITY_KEY, CLIENT_DEVICE, HYBRID};
+  }
+
+  /**
+   * @return If <code>value</code> is the same as that of any of {@link #SECURITY_KEY}, {@link
+   *     #CLIENT_DEVICE} or {@link #HYBRID}, returns that constant instance. Otherwise returns a new
+   *     instance containing <code>value</code>.
+   * @see #valueOf(String)
+   */
+  @JsonCreator
+  public static PublicKeyCredentialHint of(@NonNull String value) {
+    return Stream.of(values())
+        .filter(v -> v.getValue().equals(value))
+        .findAny()
+        .orElseGet(() -> new PublicKeyCredentialHint(value));
+  }
+
+  /**
+   * @return If <code>name</code> equals <code>"SECURITY_KEY"</code>, <code>"CLIENT_DEVICE"</code>
+   *     or <code>"HYBRID"</code>, returns the constant by that name.
+   * @throws IllegalArgumentException if <code>name</code> is anything else.
+   * @see #of(String)
+   */
+  public static PublicKeyCredentialHint valueOf(String name) {
+    switch (name) {
+      case "SECURITY_KEY":
+        return SECURITY_KEY;
+      case "CLIENT_DEVICE":
+        return CLIENT_DEVICE;
+      case "HYBRID":
+        return HYBRID;
+      default:
+        throw new IllegalArgumentException(
+            "No constant com.yubico.webauthn.data.PublicKeyCredentialHint." + name);
+    }
+  }
+}
diff --git a/...server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialRequestOptions.java b/...server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialRequestOptions.java
@@ -31,6 +31,8 @@
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.yubico.internal.util.CollectionUtil;
 import com.yubico.internal.util.JacksonCodecs;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
 import lombok.Builder;
@@ -66,6 +68,8 @@ public class PublicKeyCredentialRequestOptions {
    */
   private final Long timeout;
 
+  private final List<String> hints;
+
   /**
    * Specifies the relying party identifier claimed by the caller.
    *
@@ -112,12 +116,14 @@ public class PublicKeyCredentialRequestOptions {
   private PublicKeyCredentialRequestOptions(
       @NonNull @JsonProperty("challenge") ByteArray challenge,
       @JsonProperty("timeout") Long timeout,
+      @JsonProperty("hints") List<String> hints,
       @JsonProperty("rpId") String rpId,
       @JsonProperty("allowCredentials") List<PublicKeyCredentialDescriptor> allowCredentials,
       @JsonProperty("userVerification") UserVerificationRequirement userVerification,
       @NonNull @JsonProperty("extensions") AssertionExtensionInputs extensions) {
     this.challenge = challenge;
     this.timeout = timeout;
+    this.hints = hints == null ? Collections.emptyList() : Collections.unmodifiableList(hints);
     this.rpId = rpId;
     this.allowCredentials =
         allowCredentials == null ? null : CollectionUtil.immutableList(allowCredentials);
@@ -213,6 +219,22 @@ public PublicKeyCredentialRequestOptionsBuilder timeout(long timeout) {
       return this.timeout(Optional.of(timeout));
     }
 
+    public PublicKeyCredentialRequestOptionsBuilder hints(@NonNull String... hints) {
+      this.hints = Arrays.asList(hints);
+      return this;
+    }
+
+    public PublicKeyCredentialRequestOptionsBuilder hints(
+        @NonNull PublicKeyCredentialHint... hints) {
+      return this.hints(
+          Arrays.stream(hints).map(PublicKeyCredentialHint::getValue).toArray(String[]::new));
+    }
+
+    public PublicKeyCredentialRequestOptionsBuilder hints(List<String> hints) {
+      this.hints = hints;
+      return this;
+    }
+
     /**
      * Specifies the relying party identifier claimed by the caller.
      *