Merge pull request #235 from JohnnyJayJay/feature/more-rsapkcs-algs

Support for RS384 and RS512

NEWS

@@ -2,6 +2,12 @@
 
 `webauthn-server-core`:
 
+New features:
+
+* Added support for RS384 and RS512 signature algorithms.
+ ** Thanks to GitHub user JohnnyJayJay for the contribution, see
+    https://github.com/Yubico/java-webauthn-server/pull/235
+
 Fixes:
 
 * During `RelyingParty.finishRegistration()` if an `attestationTrustSource` is

webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java

@@ -218,6 +218,8 @@ public class RelyingParty {
    *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES384}
    *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES512}
    *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS256 RS256}
+   *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS384 RS384}
+   *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS512 RS512}
    * </ol>
    *
    * @see PublicKeyCredentialCreationOptions#getAttestation()
@@ -232,7 +234,9 @@ public class RelyingParty {
               PublicKeyCredentialParameters.EdDSA,
               PublicKeyCredentialParameters.ES384,
               PublicKeyCredentialParameters.ES512,
-              PublicKeyCredentialParameters.RS256));
+              PublicKeyCredentialParameters.RS256,
+              PublicKeyCredentialParameters.RS384,
+              PublicKeyCredentialParameters.RS512));
 
   /**
    * If <code>true</code>, the origin matching rule is relaxed to allow any port number.
@@ -427,6 +431,8 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
                         break;
 
                       case RS256:
+                      case RS384:
+                      case RS512:
                       case RS1:
                         KeyFactory.getInstance("RSA");
                         break;

webauthn-server-core/src/main/java/com/yubico/webauthn/TpmAttestationStatementVerifier.java

@@ -217,10 +217,12 @@ private void validateCertInfo(
         break;
 
       case ES384:
+      case RS384:
         expectedExtraData = Crypto.sha384(attToBeSigned);
         break;
 
       case ES512:
+      case RS512:
         expectedExtraData = Crypto.sha512(attToBeSigned);
         break;
 

webauthn-server-core/src/main/java/com/yubico/webauthn/WebAuthnCodecs.java

@@ -184,6 +184,10 @@ static String getJavaAlgorithmName(COSEAlgorithmIdentifier alg) {
         return "SHA512withECDSA";
       case RS256:
         return "SHA256withRSA";
+      case RS384:
+        return "SHA384withRSA";
+      case RS512:
+        return "SHA512withRSA";
       case RS1:
         return "SHA1withRSA";
       default:

webauthn-server-core/src/main/java/com/yubico/webauthn/data/COSEAlgorithmIdentifier.java

@@ -48,6 +48,8 @@ public enum COSEAlgorithmIdentifier {
   ES384(-35),
   ES512(-36),
   RS256(-257),
+  RS384(-258),
+  RS512(-259),
   RS1(-65535);
 
   @JsonValue @Getter private final long id;

webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialCreationOptions.java

@@ -382,6 +382,8 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
                         break;
 
                       case RS256:
+                      case RS384:
+                      case RS512:
                       case RS1:
                         KeyFactory.getInstance("RSA");
                         break;
@@ -419,6 +421,14 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
                         Signature.getInstance("SHA256withRSA");
                         break;
 
+                      case RS384:
+                        Signature.getInstance("SHA384withRSA");
+                        break;
+
+                      case RS512:
+                        Signature.getInstance("SHA512withRSA");
+                        break;
+
                       case RS1:
                         Signature.getInstance("SHA1withRSA");
                         break;

webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialParameters.java

@@ -100,6 +100,20 @@ private PublicKeyCredentialParameters(
   public static final PublicKeyCredentialParameters RS256 =
       builder().alg(COSEAlgorithmIdentifier.RS256).build();
 
+  /**
+   * Algorithm {@link COSEAlgorithmIdentifier#RS384} and type {@link
+   * PublicKeyCredentialType#PUBLIC_KEY}.
+   */
+  public static final PublicKeyCredentialParameters RS384 =
+      builder().alg(COSEAlgorithmIdentifier.RS384).build();
+
+  /**
+   * Algorithm {@link COSEAlgorithmIdentifier#RS512} and type {@link
+   * PublicKeyCredentialType#PUBLIC_KEY}.
+   */
+  public static final PublicKeyCredentialParameters RS512 =
+      builder().alg(COSEAlgorithmIdentifier.RS512).build();
+
   public static PublicKeyCredentialParametersBuilder.MandatoryStages builder() {
     return new PublicKeyCredentialParametersBuilder.MandatoryStages();
   }

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -4182,6 +4182,24 @@ class RelyingPartyRegistrationSpec
               COSEAlgorithmIdentifier.RS256
             )
           }
+
+          it("RS384.") {
+            pubKeyCredParams should contain(
+              PublicKeyCredentialParameters.RS384
+            )
+            pubKeyCredParams map (_.getAlg) should contain(
+              COSEAlgorithmIdentifier.RS384
+            )
+          }
+
+          it("RS512.") {
+            pubKeyCredParams should contain(
+              PublicKeyCredentialParameters.RS512
+            )
+            pubKeyCredParams map (_.getAlg) should contain(
+              COSEAlgorithmIdentifier.RS512
+            )
+          }
         }
 
         describe("do not include") {

webauthn-server-core/src/test/scala/com/yubico/webauthn/TestAuthenticator.scala

@@ -909,6 +909,10 @@ object TestAuthenticator {
         (TpmAlgHash.SHA512, TpmAlgAsym.ECC)
       case COSEAlgorithmIdentifier.RS256 =>
         (TpmAlgHash.SHA256, TpmAlgAsym.RSA)
+      case COSEAlgorithmIdentifier.RS384 =>
+        (TpmAlgHash.SHA384, TpmAlgAsym.RSA)
+      case COSEAlgorithmIdentifier.RS512 =>
+        (TpmAlgHash.SHA512, TpmAlgAsym.RSA)
       case COSEAlgorithmIdentifier.RS1   => (TpmAlgHash.SHA1, TpmAlgAsym.RSA)
       case COSEAlgorithmIdentifier.EdDSA => ???
     }
@@ -964,6 +968,8 @@ object TestAuthenticator {
                 case COSEAlgorithmIdentifier.ES512 => 0x0005
                 case COSEAlgorithmIdentifier.RS1 |
                     COSEAlgorithmIdentifier.RS256 |
+                    COSEAlgorithmIdentifier.RS384 |
+                    COSEAlgorithmIdentifier.RS512 |
                     COSEAlgorithmIdentifier.EdDSA =>
                   ???
               }))
@@ -1115,8 +1121,9 @@ object TestAuthenticator {
       case COSEAlgorithmIdentifier.ES256 => generateEcKeypair("secp256r1")
       case COSEAlgorithmIdentifier.ES384 => generateEcKeypair("secp384r1")
       case COSEAlgorithmIdentifier.ES512 => generateEcKeypair("secp521r1")
-      case COSEAlgorithmIdentifier.RS256 => generateRsaKeypair()
-      case COSEAlgorithmIdentifier.RS1   => generateRsaKeypair()
+      case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS384 |
+          COSEAlgorithmIdentifier.RS512 | COSEAlgorithmIdentifier.RS1 =>
+        generateRsaKeypair()
     }
 
   def generateEcKeypair(curve: String = "secp256r1"): KeyPair = {

webauthn-server-core/src/test/scala/com/yubico/webauthn/WebAuthnTestCodecs.scala

@@ -51,7 +51,8 @@ object WebAuthnTestCodecs {
         val spec = new PKCS8EncodedKeySpec(encodedKey.getBytes)
         keyFactory.generatePrivate(spec)
 
-      case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS1 =>
+      case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS384 |
+          COSEAlgorithmIdentifier.RS512 | COSEAlgorithmIdentifier.RS1 =>
         val keyFactory: KeyFactory = KeyFactory.getInstance("RSA")
         val spec = new PKCS8EncodedKeySpec(encodedKey.getBytes)
         keyFactory.generatePrivate(spec)