Merge branch 'postpone-experimental'
emlun committed Jan 30, 2025
2 parents 27dc862 + 47ceee8 commit b1fa6ca
Showing 4 changed files with 108 additions and 108 deletions.
2 changes: 1 addition & 1 deletion NEWS
@@ -31,7 +31,7 @@
version increase.


== Version 2.6.0 (unreleased) ==
== Version 2.6.0 ==

`webauthn-server-core`:
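Review bot: dropping the `(unreleased)` marker declares 2.6.0 released, but this merge touches only documentation (`NEWS`, the three READMEs, per the "4 changed files" summary) and no build or version file. If the artifact version is taken from a git tag that is fine; otherwise the version bump should land in the same merge so the `NEWS` header and the published artifact do not disagree.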

110 changes: 55 additions & 55 deletions README

Large diffs are not rendered by default.

94 changes: 47 additions & 47 deletions webauthn-server-attestation/README.adoc
@@ -24,7 +24,7 @@ The FIDO MDS integration does four things:
- Re-download the metadata BLOB when out of date or invalid.
- Provide utilities for selecting trusted metadata entries and authenticators.
- Integrate with the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
class in the base library, to provide trust root certificates
for verifying attestation statements during credential registrations.

@@ -33,18 +33,18 @@ Notable *non-features* include:
- *Scheduled BLOB downloads.*
+
The
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
class will attempt to download a new BLOB only when its
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html#loadCachedBlob()[`loadCachedBlob()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html#loadCachedBlob()[`loadCachedBlob()`]
or
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html#refreshBlob()[`refreshBlob()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html#refreshBlob()[`refreshBlob()`]
method is executed.
As the names suggest,
`loadCachedBlob()` downloads a new BLOB only if the cache is empty
or the cached BLOB is invalid or out of date,
while `refreshBlob()` always downloads a new BLOB and falls back
to the cached BLOB only when the new BLOB is invalid in some way.
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
will never re-download a new BLOB once instantiated.
+
You should use some external scheduling mechanism to re-run `loadCachedBlob()`
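Review bot: this paragraph tells readers to re-run `loadCachedBlob()` from an external scheduler, while the WARNING later in this file states that `FidoMetadataDownloader` is NOT THREAD SAFE because `loadCachedBlob()` and `refreshBlob()` read and write caches. It would help to say here that the scheduled call must be serialized against any other use of the same downloader instance, or that the scheduler should own its own instance.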
@@ -57,12 +57,12 @@ classes keep no internal mutable state.
+
The FIDO Metadata Service may from time to time report security issues with particular authenticator models.
The
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
class can be configured with a filter for which authenticators to trust,
and untrusted authenticators can be rejected during registration by setting
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#allowUntrustedAttestation(boolean)[`.allowUntrustedAttestation(false)`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#allowUntrustedAttestation(boolean)[`.allowUntrustedAttestation(false)`]
on
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.html[`RelyingParty`],
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`],
but this will not affect any credentials already registered.


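Review bot: "but this will not affect any credentials already registered" names a gap without resolving it. Since the `findEntries` step later in this file is described only for new registrations, consider pointing readers to what they should persist at registration time so that a later status report for a compromised model (the `ATTESTATION_KEY_COMPROMISE` case mentioned in the filter section) can be applied to credentials that already exist.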
@@ -97,15 +97,15 @@ Maven:
<dependency>
<groupId>com.yubico</groupId>
<artifactId>webauthn-server-attestation</artifactId>
<version>2.5.1</version>
<version>2.6.0</version>
<scope>compile</scope>
</dependency>
----------

Gradle:

----------
implementation("com.yubico:webauthn-server-attestation:2.5.1")
implementation("com.yubico:webauthn-server-attestation:2.6.0")
----------


@@ -114,7 +114,7 @@ implementation("com.yubico:webauthn-server-attestation:2.5.1")
This library uses link:https://semver.org/[semantic versioning].
The public API consists of all public classes, methods and fields in the `com.yubico.fido.metadata` package and its subpackages,
i.e., everything covered by the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/package-summary.html[Javadoc].
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/package-summary.html[Javadoc].

Package-private classes and methods are NOT part of the public API.
The `com.yubico:yubico-util` module is NOT part of the public API.
@@ -126,23 +126,23 @@ Breaking changes to these will NOT be reflected in version numbers.
Using this module consists of 5 major steps:

1. Create a
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
instance to download and cache metadata BLOBs,
and a
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
instance to make use of the downloaded BLOB.
See the JavaDoc for these classes for details on how to construct them.
+
[WARNING]
=====
Unlike other classes in this module and the core library,
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
is NOT THREAD SAFE since its
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html#loadCachedBlob()[`loadCachedBlob()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html#loadCachedBlob()[`loadCachedBlob()`]
and
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html#refreshBlob()[`refreshBlob()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html#refreshBlob()[`refreshBlob()`]
methods read and write caches.
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`],
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`],
on the other hand, is thread safe,
and `FidoMetadataDownloader` instances can be reused
for subsequent `loadCachedBlob()` and `refreshBlob()` calls
@@ -167,18 +167,18 @@ FidoMetadataService mds = FidoMetadataService.builder()
----------

2. Set the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
as the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationTrustSource(com.yubico.webauthn.attestation.AttestationTrustSource)[`attestationTrustSource`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationTrustSource(com.yubico.webauthn.attestation.AttestationTrustSource)[`attestationTrustSource`]
on your
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
instance,
and set
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationConveyancePreference(com.yubico.webauthn.data.AttestationConveyancePreference)[`attestationConveyancePreference(AttestationConveyancePreference.DIRECT)`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationConveyancePreference(com.yubico.webauthn.data.AttestationConveyancePreference)[`attestationConveyancePreference(AttestationConveyancePreference.DIRECT)`]
on `RelyingParty`
to request an attestation statement for new registrations.
Optionally also set
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#allowUntrustedAttestation(boolean)[`.allowUntrustedAttestation(false)`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#allowUntrustedAttestation(boolean)[`.allowUntrustedAttestation(false)`]
on `RelyingParty` to require trusted attestation for new registrations.
+
[source,java]
@@ -193,9 +193,9 @@ RelyingParty rp = RelyingParty.builder()
----------

3. After performing registrations, inspect the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RegistrationResult.html#isAttestationTrusted()[`isAttestationTrusted()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RegistrationResult.html#isAttestationTrusted()[`isAttestationTrusted()`]
result in
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RegistrationResult.html[`RegistrationResult`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RegistrationResult.html[`RegistrationResult`]
to determine whether the authenticator presented an attestation statement that could be verified
by any of the trusted attestation certificates in the FIDO Metadata Service.
+
@@ -212,7 +212,7 @@ if (result.isAttestationTrusted()) {
----------

4. If needed, use the `findEntries` methods of
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
to retrieve additional authenticator metadata for new registrations.
+
[source,java]
@@ -227,19 +227,19 @@ Set<MetadataBLOBPayloadEntry> metadata = mds.findEntries(result);
== Selecting trusted authenticators

The
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
class can be configured with filters for which authenticators to trust.
When the `FidoMetadataService` is used as the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationTrustSource(com.yubico.webauthn.attestation.AttestationTrustSource)[`attestationTrustSource`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationTrustSource(com.yubico.webauthn.attestation.AttestationTrustSource)[`attestationTrustSource`]
in
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.html[`RelyingParty`],
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`],
this will be reflected in the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RegistrationResult.html#isAttestationTrusted()[`.isAttestationTrusted()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RegistrationResult.html#isAttestationTrusted()[`.isAttestationTrusted()`]
result in
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RegistrationResult.html[`RegistrationResult`].
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RegistrationResult.html[`RegistrationResult`].
Any authenticators not trusted will also be rejected for new registrations
if you set
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#allowUntrustedAttestation(boolean)[`.allowUntrustedAttestation(false)`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#allowUntrustedAttestation(boolean)[`.allowUntrustedAttestation(false)`]
on `RelyingParty`.

The filter has two stages: a "prefilter" which selects metadata entries to include in the data source,
@@ -302,17 +302,17 @@ entry,
and the default registration-time filter excludes any authenticator
with a matching `ATTESTATION_KEY_COMPROMISE` status report entry.
To customize the filters, configure the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.FidoMetadataServiceBuilder.html#prefilter(java.util.function.Predicate)[`.prefilter(Predicate)`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.FidoMetadataServiceBuilder.html#prefilter(java.util.function.Predicate)[`.prefilter(Predicate)`]
and
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.FidoMetadataServiceBuilder.html#filter(java.util.function.Predicate)[`.filter(Predicate)`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.FidoMetadataServiceBuilder.html#filter(java.util.function.Predicate)[`.filter(Predicate)`]
settings in
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`].
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`].
The filters are predicate functions;
each metadata entry will be included in the data source if and only if the prefilter predicate returns `true` for that entry.
Similarly during registration or metadata lookup, the authenticator will be matched with each metadata entry
only if the registration-time filter returns `true` for that pair of authenticator and metadata entry.
You can also use the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.Filters.html#allOf(java.util.function.Predicate\...)[`FidoMetadataService.Filters.allOf()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.Filters.html#allOf(java.util.function.Predicate\...)[`FidoMetadataService.Filters.allOf()`]
combinator to merge several predicates into one.

[NOTE]
@@ -322,10 +322,10 @@ This is true for both the prefilter and the registration-time filter.
If you want to maintain the default filter in addition to the new behaviour,
you must include the default condition in the new filter.
For example, you can use
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.Filters.html#allOf(java.util.function.Predicate\...)[`FidoMetadataService.Filters.allOf()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.Filters.html#allOf(java.util.function.Predicate\...)[`FidoMetadataService.Filters.allOf()`]
to combine a predefined filter with a custom one.
The default filters are available via static functions in
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.Filters.html[`FidoMetadataService.Filters`].
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.Filters.html[`FidoMetadataService.Filters`].
=====


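Review bot: the NOTE correctly warns that a custom filter replaces the default, and the file earlier identifies the default registration-time filter as excluding `ATTESTATION_KEY_COMPROMISE` status reports. Naming the specific static function in `FidoMetadataService.Filters` that reproduces that default, next to the `allOf()` sentence, would make the recipe copy-pasteable and reduce the chance that a custom filter silently drops the compromised-key exclusion.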
@@ -346,9 +346,9 @@ This is why any enforceable attestation policy must disallow unknown trust roots

Note that unknown and untrusted attestation is allowed by default,
but can be disallowed by explicitly configuring
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
with
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#allowUntrustedAttestation(boolean)[`.allowUntrustedAttestation(false)`].
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#allowUntrustedAttestation(boolean)[`.allowUntrustedAttestation(false)`].


== Alignment with FIDO MDS spec
@@ -358,17 +358,17 @@ link:https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.h
The library implements these as closely as possible, but with some slight departures from the spec:

* Processing rules steps 1-7 are implemented as specified, by the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
class.
All "SHOULD" clauses are also respected, with some caveats:

** Step 3 states "The `nextUpdate` field of the Metadata BLOB specifies a date when the download SHOULD occur at latest".
`FidoMetadataDownloader` does not automatically re-download the BLOB.
Instead, each time the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html#loadCachedBlob()[`loadCachedBlob()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html#loadCachedBlob()[`loadCachedBlob()`]
method is executed it checks whether a new BLOB should be downloaded.
The
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html#refreshBlob()[`refreshBlob()`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html#refreshBlob()[`refreshBlob()`]
method always attempts to download a new BLOB when executed,
but also does not trigger re-downloads automatically.
+
@@ -380,7 +380,7 @@ until the next execution of `.loadCachedBlob()` or `.refreshBlob()`.

* Metadata entries are not stored or cached individually, instead the BLOB is cached as a whole.
In processing rules step 8, neither `FidoMetadataDownloader` nor
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
performs any comparison between versions of a metadata entry.
Policy for ignoring metadata entries can be configured via the filter settings in `FidoMetadataService`.
See above for details.
@@ -392,7 +392,7 @@ There are also some other requirements throughout the spec, which may not be obv
states that "The Relying party MUST reject the Metadata Statement if the `authenticatorVersion` has not increased"
in an `UPDATE_AVAILABLE` status report.
Thus,
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
silently ignores any `MetadataBLOBPayloadEntry`
whose `metadataStatement.authenticatorVersion` is present and not greater than or equal to
the `authenticatorVersion` in the respective status report.
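Review bot: "is present and not greater than or equal to" is a double negative that is easy to misread; the condition described is "is present and less than the `authenticatorVersion` in the respective status report", which also matches the quoted MUST clause ("has not increased"). Suggest rewording to that.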
@@ -402,16 +402,16 @@ There are also some other requirements throughout the spec, which may not be obv
link:https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#info-statuses[AuthenticatorStatus section]
states that "FIDO Servers MUST silently ignore all unknown AuthenticatorStatus values".
Thus any unknown status values will be parsed as
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/AuthenticatorStatus.html#UNKNOWN[`AuthenticatorStatus.UNKNOWN`],
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/AuthenticatorStatus.html#UNKNOWN[`AuthenticatorStatus.UNKNOWN`],
and
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/MetadataBLOBPayloadEntry.html[`MetadataBLOBPayloadEntry`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/MetadataBLOBPayloadEntry.html[`MetadataBLOBPayloadEntry`]
will silently ignore any status report with that status.


== Overriding certificate path validation

The
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
class uses `CertPathValidator.getInstance("PKIX")` to retrieve a `CertPathValidator` instance.
If you need to override any aspect of certificate path validation,
such as CRL retrieval or OCSP, you may provide a custom `CertPathValidator` provider for the `"PKIX"` algorithm.
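Review bot: the "Overriding certificate path validation" paragraph is the one place in this README where BLOB signature validation can be weakened by configuration. Since it explicitly lists CRL retrieval and OCSP as overridable aspects, consider adding that a replacement `"PKIX"` provider must still perform revocation checking, as a provider that skips it would accept a BLOB signed under a revoked certificate.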
10 changes: 5 additions & 5 deletions webauthn-server-demo/README
@@ -46,7 +46,7 @@ layer.
This layer manages the general architecture of the system, and is where most
business logic and integration code would go. The demo server implements the
"persistent" storage of users and credential registrations - the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.4/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
integration point - as the
link:https://github.com/Yubico/java-webauthn-server/blob/main/webauthn-server-demo/src/main/java/demo/webauthn/InMemoryRegistrationStorage.java[`InMemoryRegistrationStorage`]
class, which simply keeps them stored in memory for a limited time. The
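Review bot: before this change the demo README linked to core JavaDoc 2.5.4 while the attestation README linked to 2.5.1; both now point at 2.6.0, which removes the drift. To keep it from recurring, consider generating these JavaDoc URLs from a single version attribute (AsciiDoc attribute substitution) rather than editing each `link:` by hand.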
@@ -60,7 +60,7 @@ would be specific to a particular Relying Party (RP) would go in this layer.
- The server layer in turn calls the *library layer*, which is where the
link:../webauthn-server-core/[`webauthn-server-core`]
library gets involved. The entry point into the library is the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.4/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
class.
+
This layer implements the Web Authentication
@@ -71,14 +71,14 @@ and exposes integration points for storage of challenges and credentials. Some
notable integration points are:
+
** The library user must provide an implementation of the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.4/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
interface to use for looking up stored public keys, user handles and signature
counters.
The example app does this via the
link:https://github.com/Yubico/java-webauthn-server/blob/main/webauthn-server-demo/src/main/java/demo/webauthn/InMemoryRegistrationStorage.java[`InMemoryRegistrationStorage`]
class.
** The library user can optionally provide an instance of the
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.4/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.6.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
interface to enable identification and validation of authenticator models. This
instance is then used to look up trusted attestation root certificates. The
link:../webauthn-server-attestation/[`webauthn-server-attestation`]
@@ -170,7 +170,7 @@ controlled by the parent web server.
the server will report. Example: `YUBICO_WEBAUTHN_RP_NAME='Yubico Web Authentication demo'`

- `YUBICO_WEBAUTHN_USE_FIDO_MDS`: If set to `true` (case-insensitive), use
https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.4/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.6.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
from the link:../webauthn-server-attestation[`webauthn-server-attestation`]
module as a source of attestation data in addition to the static JSON file
bundled with the demo. This will write cache files to the
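Review bot: the `FidoMetadataService` link in this hunk is a bare URL with a `[...]` suffix, whereas every other JavaDoc reference in these files uses the `link:` macro. AsciiDoc renders both, but using `link:` here keeps the files consistent and makes a future search-and-replace of the version segment reliable.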

1 comment on commit b1fa6ca

@github-actions
Mutation test results

Package Coverage Stats Prev Prev
Overall 78 % 🟢 1475 🔺 / 1878 🔺 77 % 1402 / 1804
com.yubico.fido.metadata 68 % 🟢 232 🔺 / 337 🔹 68 % 230 / 337
com.yubico.internal.util 44 % 🔻 127 🔻 / 288 🔹 44 % 129 / 288
com.yubico.webauthn 89 % 🟢 656 🔺 / 736 🔺 88 % 586 / 663
com.yubico.webauthn.attestation 93 % 🔹 15 🔹 / 16 🔹 93 % 15 / 16
com.yubico.webauthn.data 92 % 🔹 420 🔺 / 454 🔺 92 % 417 / 453
com.yubico.webauthn.extension.appid 100 % 🏆 13 🔹 / 13 🔹 100 % 13 / 13
com.yubico.webauthn.extension.uvm 50 % 🔹 12 🔹 / 24 🔹 50 % 12 / 24
com.yubico.webauthn.meta 0 % 🔹 0 🔹 / 10 🔹 0 % 0 / 10

Previous run: 47ceee8 - Diff

Detailed reports: workflow run #294
