

Add support for RS384 and RS512
emlun committed Jan 26, 2023
1 parent b682288 commit 4f70621
Showing 9 changed files with 197 additions and 5 deletions.
8 changes: 7 additions & 1 deletion NEWS
@@ -1,7 +1,13 @@
== Version 2.3.1 (unreleased) ==
== Version 2.4.0 (unreleased) ==

`webauthn-server-core`:

New features:

* Added support for RS384 and RS512 signature algorithms.
** Thanks to GitHub user JohnnyJayJay for the contribution, see
https://github.com/Yubico/java-webauthn-server/pull/235

Fixes:

* During `RelyingParty.finishRegistration()` if an `attestationTrustSource` is
Expand Up @@ -218,6 +218,8 @@ public class RelyingParty {
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES384}
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES512}
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS256 RS256}
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS384 RS384}
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS512 RS512}
* </ol>
*
* @see PublicKeyCredentialCreationOptions#getAttestation()
Expand All @@ -232,7 +234,9 @@ public class RelyingParty {
PublicKeyCredentialParameters.EdDSA,
PublicKeyCredentialParameters.ES384,
PublicKeyCredentialParameters.ES512,
PublicKeyCredentialParameters.RS256));
PublicKeyCredentialParameters.RS256,
PublicKeyCredentialParameters.RS384,
PublicKeyCredentialParameters.RS512));

/**
* If <code>true</code>, the origin matching rule is relaxed to allow any port number.
Expand Down Expand Up @@ -427,6 +431,8 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
break;

case RS256:
case RS384:
case RS512:
case RS1:
KeyFactory.getInstance("RSA");
break;
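Review bot: The two `<li>` entries directly above the new RS384/RS512 lines in the first hunk carry wrong link targets — they read `{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES384}` and `...#ES256 ES512}` while the new entries correctly point at `#RS384` and `#RS512`; since this list is being edited anyway, changing them to `#ES384 ES384` and `#ES512 ES512` would stop the rendered Javadoc from linking every ES entry to ES256. In the third hunk RS384 and RS512 join the `KeyFactory.getInstance("RSA")` probe; if this method also probes `Signature.getInstance` per algorithm, as the other `filterAvailableAlgorithms` touched by this commit does, it needs matching `"SHA384withRSA"` and `"SHA512withRSA"` cases, otherwise an algorithm could pass the filter on a provider that has RSA keys but not that signature scheme. That part of the method lies below the hunk, so I cannot confirm it here; `filterAvailableAlgorithms` continues outside the hunk.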
Expand Up @@ -217,10 +217,12 @@ private void validateCertInfo(
break;

case ES384:
case RS384:
expectedExtraData = Crypto.sha384(attToBeSigned);
break;

case ES512:
case RS512:
expectedExtraData = Crypto.sha512(attToBeSigned);
break;

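Review bot: The new `case RS384:` and `case RS512:` labels make an RSA algorithm share a branch with an EC one, and nothing in the hunk says why; a one-line comment at the head of the switch, `// extraData must equal attToBeSigned hashed with the digest of the credential's alg, so RS384/ES384 share SHA-384 and RS512/ES512 share SHA-512`, would make the grouping self-explanatory and make it harder for a future algorithm to be dropped into the wrong digest branch. The enclosing `validateCertInfo` switch starts above and ends below this hunk, so how algorithms not listed here (RS1, EdDSA) are handled is not visible.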
Expand Up @@ -382,6 +382,8 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
break;

case RS256:
case RS384:
case RS512:
case RS1:
KeyFactory.getInstance("RSA");
break;
Expand Down Expand Up @@ -419,6 +421,14 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
Signature.getInstance("SHA256withRSA");
break;

case RS384:
Signature.getInstance("SHA384withRSA");
break;

case RS512:
Signature.getInstance("SHA512withRSA");
break;

case RS1:
Signature.getInstance("SHA1withRSA");
break;
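Review bot: RS384 and RS512 now have to be enumerated in two separate switches inside `filterAvailableAlgorithms` — the `KeyFactory.getInstance("RSA")` probe in the first hunk and the `Signature.getInstance("SHA384withRSA")` / `Signature.getInstance("SHA512withRSA")` probes in the second — and the same pair of switches appears to exist in the other copy of `filterAvailableAlgorithms` changed by this commit, so a single alg → (key-factory name, signature name) lookup consulted by both probes would remove the chance of the lists drifting when the next algorithm is added. This is a structural suggestion rather than a defect; the JCA names added here are the standard ones. How a failed `getInstance` is caught and the algorithm excluded from the result is outside the hunk.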
Expand Up @@ -100,6 +100,20 @@ private PublicKeyCredentialParameters(
public static final PublicKeyCredentialParameters RS256 =
builder().alg(COSEAlgorithmIdentifier.RS256).build();

/**
* Algorithm {@link COSEAlgorithmIdentifier#RS384} and type {@link
* PublicKeyCredentialType#PUBLIC_KEY}.
*/
public static final PublicKeyCredentialParameters RS384 =
builder().alg(COSEAlgorithmIdentifier.RS384).build();

/**
* Algorithm {@link COSEAlgorithmIdentifier#RS512} and type {@link
* PublicKeyCredentialType#PUBLIC_KEY}.
*/
public static final PublicKeyCredentialParameters RS512 =
builder().alg(COSEAlgorithmIdentifier.RS512).build();

public static PublicKeyCredentialParametersBuilder.MandatoryStages builder() {
return new PublicKeyCredentialParametersBuilder.MandatoryStages();
}
Expand Up @@ -4182,6 +4182,24 @@ class RelyingPartyRegistrationSpec
COSEAlgorithmIdentifier.RS256
)
}

it("RS384.") {
pubKeyCredParams should contain(
PublicKeyCredentialParameters.RS384
)
pubKeyCredParams map (_.getAlg) should contain(
COSEAlgorithmIdentifier.RS384
)
}

it("RS512.") {
pubKeyCredParams should contain(
PublicKeyCredentialParameters.RS512
)
pubKeyCredParams map (_.getAlg) should contain(
COSEAlgorithmIdentifier.RS512
)
}
}

describe("do not include") {
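Review bot: The two new `it` blocks only check that the default `pubKeyCredParams` advertises RS384 and RS512; nothing in this section drives a registration whose attestation is actually signed with `SHA384withRSA` or `SHA512withRSA`, which is where the new `Signature` probes and the TPM digest mapping would be exercised. If such a case is not already added in the file this page does not render, a run over `Seq(RS256, RS384, RS512)` through the existing registration fixture would be worth adding. These blocks are also identical to the RS256 one above them apart from the constant, so `for (alg <- Seq(...)) it(s"$alg.") { ... }` would shorten them. The enclosing `describe` starts above the hunk.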
Expand Up @@ -909,6 +909,10 @@ object TestAuthenticator {
(TpmAlgHash.SHA512, TpmAlgAsym.ECC)
case COSEAlgorithmIdentifier.RS256 =>
(TpmAlgHash.SHA256, TpmAlgAsym.RSA)
case COSEAlgorithmIdentifier.RS384 =>
(TpmAlgHash.SHA384, TpmAlgAsym.RSA)
case COSEAlgorithmIdentifier.RS512 =>
(TpmAlgHash.SHA512, TpmAlgAsym.RSA)
case COSEAlgorithmIdentifier.RS1 => (TpmAlgHash.SHA1, TpmAlgAsym.RSA)
case COSEAlgorithmIdentifier.EdDSA => ???
}
Expand Down Expand Up @@ -964,6 +968,8 @@ object TestAuthenticator {
case COSEAlgorithmIdentifier.ES512 => 0x0005
case COSEAlgorithmIdentifier.RS1 |
COSEAlgorithmIdentifier.RS256 |
COSEAlgorithmIdentifier.RS384 |
COSEAlgorithmIdentifier.RS512 |
COSEAlgorithmIdentifier.EdDSA =>
???
}))
Expand Down Expand Up @@ -1115,8 +1121,9 @@ object TestAuthenticator {
case COSEAlgorithmIdentifier.ES256 => generateEcKeypair("secp256r1")
case COSEAlgorithmIdentifier.ES384 => generateEcKeypair("secp384r1")
case COSEAlgorithmIdentifier.ES512 => generateEcKeypair("secp521r1")
case COSEAlgorithmIdentifier.RS256 => generateRsaKeypair()
case COSEAlgorithmIdentifier.RS1 => generateRsaKeypair()
case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS384 |
COSEAlgorithmIdentifier.RS512 | COSEAlgorithmIdentifier.RS1 =>
generateRsaKeypair()
}

def generateEcKeypair(curve: String = "secp256r1"): KeyPair = {
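Review bot: In the second hunk the new RS384 and RS512 alternatives are folded into the `???` branch together with RS1/RS256/EdDSA, so any test that drives this generator with an RSA algorithm fails with a bare `NotImplementedError` and no indication of which algorithm was unsupported; the pre-existing RS256 case already behaved that way, so this is not a regression, but throwing `UnsupportedOperationException` with the algorithm in the message would make such failures readable. The first hunk's alg → (`TpmAlgHash`, `TpmAlgAsym`) mapping is the test-side counterpart of the production `validateCertInfo` digest switch; a comment such as `// keep in sync with the alg -> hash mapping in validateCertInfo` would make that pairing visible to whoever adds the next algorithm. All three enclosing definitions start outside their hunks.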
Expand Up @@ -51,7 +51,8 @@ object WebAuthnTestCodecs {
val spec = new PKCS8EncodedKeySpec(encodedKey.getBytes)
keyFactory.generatePrivate(spec)

case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS1 =>
case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS384 |
COSEAlgorithmIdentifier.RS512 | COSEAlgorithmIdentifier.RS1 =>
val keyFactory: KeyFactory = KeyFactory.getInstance("RSA")
val spec = new PKCS8EncodedKeySpec(encodedKey.getBytes)
keyFactory.generatePrivate(spec)