[FIDO] Support extensions #161

AdamVe · 2024-11-20T13:01:16Z

Adds support for defined FIDO extensions (see CTAP2.1 and Webauthn specifications). This PR also adds simple framework for adding new extensions, by extending the Extension class and implementing relevant methods.

Extension processing happens during BasicWebauthnClient.makeCredential and BasicWebauthnClient.getAssertion calls, based on the creation and request options.

Results are exposed through PublicKeyCredential.getClientExtensionResults().

The following extensions are implemented:

hmac-secret
prf
credProps
credProtect
credBlob
largeBlob
minPinLength

A new BasicWebauthnClient constructor takes a list of Extension objects which it will process, by default the list contains defined extensions.

There are instrumented tests for each of the extensions (note that a supporting HW is needed for running the tests).

…sions

…ensions

github-advanced-security

SpotBugs found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

dainnilsson · 2024-11-22T09:05:48Z

fido/src/main/java/com/yubico/yubikit/fido/client/BasicWebAuthnClient.java

@@ -364,6 +418,24 @@ public CredentialManager getCredentialManager(char[] pin)
        }
    }

+    protected static class WithExtensionResults<T> {


Could we just re-use Pair for this?

Yes, will update 👍🏻

AdamVe added 30 commits September 25, 2024 18:06

wip

9901dfa

poc

8524e9b

credBlob

f03d145

largeBlob

f626d4d

handle unit tests

39eaa58

update log message

4188ac7

PRF extension implementation

b72f4b1

credProps instrumented test

33ac890

PRF instrumented tests

d64aa66

LargeBlob instrumented tests

240ab63

refactor instrumented tests of existing extensions

dfcceff

credBlob and its instrumented test

12ea9eb

use ExtensionDataProvider

37a1d53

fix hmacGetSecret/hmacCreateSecret, add tests

6cfb025

credential list filtering

08bcd31

refactor exts permission and data provider APIs

a981b49

remove dataProvider, use only b64 encoding

f56968a

prf evalByCredential parameter impl

b6d1ef8

simplify internal client api

90d5457

move extension processing to client

cca52eb

move LargeBlobs to correct package

252f62d

simplify

eb86be2

refactor internal processing APIs

e4a2a53

unify processing result for input and output

e96f097

use ServiceLoader for extensions

90656f1

Merge branch 'adamve/fido_extensions_refactor' into adamve/fido_exten…

6f3787c

…sions

update arguments API

a7c9d5a

fix pinuvauth for makeCred/getAssertions

0102ab2

simplify public API

6275a31

update extension API

e2d59cc

AdamVe added 7 commits November 19, 2024 18:41

Merge branch 'adamve/fido_extensions_refactor_2' into adamve/fido_ext…

3a8d9ec

…ensions

remove extensions services

3c818b7

rename test classes

f008bf7

Add credProtect instrumented test

c9f02df

add minPinLength extensions test

6c71e24

fix Preferred ResidentKeyRequirement

cf198de

update CTAP errors

59719bc

github-advanced-security bot found potential problems Nov 20, 2024

View reviewed changes

AdamVe added 7 commits November 20, 2024 15:38

self review

abac677

fix Extensions.fromMap

5ad1555

update javadoc

f518c77

unify javadoc format in file

585daf2

fix spotbugs warnings

5945e5d

remove usage of Stream API

06ca113

review public extensions API

1850f47

dainnilsson reviewed Nov 22, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[FIDO] Support extensions #161

[FIDO] Support extensions #161

AdamVe commented Nov 20, 2024

github-advanced-security bot left a comment

dainnilsson Nov 22, 2024

AdamVe Nov 22, 2024

[FIDO] Support extensions #161

Are you sure you want to change the base?

[FIDO] Support extensions #161

Conversation

AdamVe commented Nov 20, 2024

github-advanced-security bot left a comment

Choose a reason for hiding this comment

dainnilsson Nov 22, 2024

Choose a reason for hiding this comment

AdamVe Nov 22, 2024

Choose a reason for hiding this comment