[FIDO] Support extensions

android/build.gradle

@@ -41,7 +41,7 @@ dependencies {
     testImplementation project(':testing')
     testImplementation 'androidx.test.ext:junit:1.2.1'
     testImplementation 'org.robolectric:robolectric:4.11.1'
-    testImplementation 'org.mockito:mockito-core:5.12.0'
+    testImplementation 'org.mockito:mockito-core:5.13.0'
 
     androidTestImplementation 'androidx.test.ext:junit:1.2.1'
     androidTestImplementation 'androidx.test:runner:1.6.1'

core/src/main/java/com/yubico/yubikit/core/fido/CtapException.java

@@ -41,6 +41,7 @@ public class CtapException extends CommandException {
     public static final byte ERR_LIMIT_EXCEEDED = 0x15;
     public static final byte ERR_UNSUPPORTED_EXTENSION = 0x16;
     public static final byte ERR_FP_DATABASE_FULL = 0x17;
+    public static final byte ERR_LARGE_BLOB_STORAGE_FULL = 0x18;
     public static final byte ERR_CREDENTIAL_EXCLUDED = 0x19;
     public static final byte ERR_PROCESSING = 0x21;
     public static final byte ERR_INVALID_CREDENTIAL = 0x22;
@@ -63,7 +64,9 @@ public class CtapException extends CommandException {
     public static final byte ERR_PIN_AUTH_INVALID = 0x33;
     public static final byte ERR_PIN_AUTH_BLOCKED = 0x34;
     public static final byte ERR_PIN_NOT_SET = 0x35;
+    @Deprecated // use ERR_PUAT_REQUIRED
     public static final byte ERR_PIN_REQUIRED = 0x36;
+    public static final byte ERR_PUAT_REQUIRED = 0x36; // CTAP2.1 naming
     public static final byte ERR_PIN_POLICY_VIOLATION = 0x37;
     public static final byte ERR_PIN_TOKEN_EXPIRED = 0x38;
     public static final byte ERR_REQUEST_TOO_LARGE = 0x39;

fido/build.gradle

@@ -2,6 +2,8 @@ apply plugin: 'yubikit-java-library'
 
 dependencies {
     api project(':core')
+
+    testImplementation 'org.mockito:mockito-core:5.13.0'
 }
 
 ext.pomName = "Yubico YubiKit ${project.name.capitalize()}"

fido/src/main/java/com/yubico/yubikit/fido/client/ClientError.java

@@ -91,7 +91,7 @@ static ClientError wrapCtapException(CtapException error) {
             case CtapException.ERR_INVALID_CBOR:
             case CtapException.ERR_MISSING_PARAMETER:
             case CtapException.ERR_INVALID_OPTION:
-            case CtapException.ERR_PIN_REQUIRED:
+            case CtapException.ERR_PUAT_REQUIRED:
             case CtapException.ERR_PIN_INVALID:
             case CtapException.ERR_PIN_BLOCKED:
             case CtapException.ERR_PIN_NOT_SET:

fido/src/main/java/com/yubico/yubikit/fido/client/CredentialManager.java

@@ -96,7 +96,7 @@ public Map<PublicKeyCredentialDescriptor, PublicKeyCredentialUserEntity> getCred
             Map<PublicKeyCredentialDescriptor, PublicKeyCredentialUserEntity> credentials = new HashMap<>();
             byte[] rpIdHash = rpIdHashes.get(rpId);
             if (rpIdHash == null) {
-                rpIdHash = BasicWebAuthnClient.hash(rpId.getBytes(StandardCharsets.UTF_8));
+                rpIdHash = BasicWebAuthnClient.Utils.hash(rpId.getBytes(StandardCharsets.UTF_8));
             }
 
             for (CredentialManagement.CredentialData credData : credentialManagement.enumerateCredentials(rpIdHash)) {

fido/src/main/java/com/yubico/yubikit/fido/client/MultipleAssertionsAvailable.java

@@ -34,9 +34,9 @@
  */
 public class MultipleAssertionsAvailable extends Throwable {
     private final byte[] clientDataJson;
-    private final List<Ctap2Session.AssertionData> assertions;
+    private final List<BasicWebAuthnClient.WithExtensionResults<Ctap2Session.AssertionData>> assertions;
 
-    MultipleAssertionsAvailable(byte[] clientDataJson, List<Ctap2Session.AssertionData> assertions) {
+    MultipleAssertionsAvailable(byte[] clientDataJson, List<BasicWebAuthnClient.WithExtensionResults<Ctap2Session.AssertionData>> assertions) {
         super("Request returned multiple assertions");
 
         this.clientDataJson = clientDataJson;
@@ -65,10 +65,10 @@ public int getAssertionCount() {
      */
     public List<PublicKeyCredentialUserEntity> getUsers() throws UserInformationNotAvailableError {
         List<PublicKeyCredentialUserEntity> users = new ArrayList<>();
-        for (Ctap2Session.AssertionData assertion : assertions) {
+        for (BasicWebAuthnClient.WithExtensionResults<Ctap2Session.AssertionData> assertion : assertions) {
             try {
                 users.add(PublicKeyCredentialUserEntity.fromMap(
-                        Objects.requireNonNull(assertion.getUser()),
+                        Objects.requireNonNull(assertion.data.getUser()),
                         SerializationType.CBOR
                 ));
             } catch (NullPointerException e) {
@@ -89,20 +89,20 @@ public PublicKeyCredential select(int index) {
         if (assertions.isEmpty()) {
             throw new IllegalStateException("Assertion has already been selected");
         }
-        Ctap2Session.AssertionData assertion = assertions.get(index);
+        BasicWebAuthnClient.WithExtensionResults<Ctap2Session.AssertionData> assertion = assertions.get(index);
         assertions.clear();
 
-        final Map<String, ?> user = Objects.requireNonNull(assertion.getUser());
-        final Map<String, ?> credential = Objects.requireNonNull(assertion.getCredential());
+        final Map<String, ?> user = Objects.requireNonNull(assertion.data.getUser());
+        final Map<String, ?> credential = Objects.requireNonNull(assertion.data.getCredential());
         final byte[] credentialId = Objects.requireNonNull((byte[]) credential.get(PublicKeyCredentialDescriptor.ID));
         return new PublicKeyCredential(
                 credentialId,
                 new AuthenticatorAssertionResponse(
                         clientDataJson,
-                        assertion.getAuthenticatorData(),
-                        assertion.getSignature(),
+                        assertion.data.getAuthenticatorData(),
+                        assertion.data.getSignature(),
                         Objects.requireNonNull((byte[]) user.get(PublicKeyCredentialUserEntity.ID))
-                )
-        );
+                ),
+                assertion.clientExtensionResults);
     }
 }

fido/src/main/java/com/yubico/yubikit/fido/client/extensions/CredBlobExtension.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2024 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.fido.client.extensions;
+
+import static com.yubico.yubikit.core.internal.codec.Base64.fromUrlSafeString;
+
+import com.yubico.yubikit.fido.ctap.Ctap2Session;
+import com.yubico.yubikit.fido.ctap.PinUvAuthProtocol;
+import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions;
+import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions;
+
+import java.util.Collections;
+
+import javax.annotation.Nullable;
+
+public class CredBlobExtension extends Extension {
+
+    public CredBlobExtension() {
+        super("credBlob");
+    }
+
+    @Nullable
+    @Override
+    public RegistrationProcessor makeCredential(
+            Ctap2Session ctap,
+            PublicKeyCredentialCreationOptions options,
+            PinUvAuthProtocol pinUvAuthProtocol) {
+
+        if (isSupported(ctap)) {
+            String b64Blob = (String) options.getExtensions().get("credBlob");
+            if (b64Blob != null) {
+                byte[] blob = fromUrlSafeString(b64Blob);
+                if (blob.length <= ctap.getCachedInfo().getMaxCredBlobLength()) {
+                    return new RegistrationProcessor(
+                            pinToken -> Collections.singletonMap(name, blob)
+                    );
+                }
+            }
+        }
+        return null;
+    }
+
+    @Nullable
+    @Override
+    public AuthenticationProcessor getAssertion(
+            Ctap2Session ctap,
+            PublicKeyCredentialRequestOptions options,
+            PinUvAuthProtocol pinUvAuthProtocol) {
+        if (isSupported(ctap) &&
+                Boolean.TRUE.equals(options.getExtensions().get("getCredBlob"))) {
+            return new AuthenticationProcessor(
+                    (AuthenticationInput) (selected, pinToken) -> Collections.singletonMap(name, true)
+            );
+        }
+        return null;
+    }
+}

fido/src/main/java/com/yubico/yubikit/fido/client/extensions/CredPropsExtension.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2024 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.fido.client.extensions;
+
+import com.yubico.yubikit.fido.ctap.Ctap2Session;
+import com.yubico.yubikit.fido.ctap.PinUvAuthProtocol;
+import com.yubico.yubikit.fido.webauthn.AuthenticatorSelectionCriteria;
+import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions;
+import com.yubico.yubikit.fido.webauthn.ResidentKeyRequirement;
+
+import java.util.Collections;
+
+import javax.annotation.Nullable;
+
+public class CredPropsExtension extends Extension {
+
+    public CredPropsExtension() {
+        super("credProps");
+    }
+
+    @Nullable
+    @Override
+    public RegistrationProcessor makeCredential(
+            Ctap2Session ctap,
+            PublicKeyCredentialCreationOptions options,
+            PinUvAuthProtocol pinUvAuthProtocol) {
+
+        if (options.getExtensions().has(name)) {
+            AuthenticatorSelectionCriteria authenticatorSelection = options.getAuthenticatorSelection();
+            String optionsRk = authenticatorSelection != null
+                    ? authenticatorSelection.getResidentKey()
+                    : null;
+            Boolean authenticatorRk = (Boolean) ctap.getCachedInfo().getOptions().get("rk");
+            boolean rk = (ResidentKeyRequirement.REQUIRED.equals(optionsRk) ||
+                    (ResidentKeyRequirement.PREFERRED.equals(optionsRk) &&
+                            Boolean.TRUE.equals(authenticatorRk)));
+
+            return new RegistrationProcessor(
+                    (attestationObject, pinToken) ->
+                            Collections.singletonMap(name,
+                                    Collections.singletonMap("rk", rk)));
+        }
+        return null;
+    }
+}

fido/src/main/java/com/yubico/yubikit/fido/client/extensions/CredProtectExtension.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2024 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.fido.client.extensions;
+
+import com.yubico.yubikit.fido.ctap.Ctap2Session;
+import com.yubico.yubikit.fido.ctap.PinUvAuthProtocol;
+import com.yubico.yubikit.fido.webauthn.Extensions;
+import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions;
+
+import java.util.Collections;
+
+import javax.annotation.Nullable;
+
+public class CredProtectExtension extends Extension {
+
+    static final String OPTIONAL = "userVerificationOptional";
+    static final String OPTIONAL_WITH_LIST = "userVerificationOptionalWithCredentialIDList";
+    static final String REQUIRED = "userVerificationRequired";
+
+    public CredProtectExtension() {
+        super("credProtect");
+    }
+
+    @Nullable
+    @Override
+    public RegistrationProcessor makeCredential(
+            Ctap2Session ctap,
+            PublicKeyCredentialCreationOptions options,
+            PinUvAuthProtocol pinUvAuthProtocol) {
+
+        Extensions extensions = options.getExtensions();
+        String credentialProtectionPolicy = (String) extensions.get("credentialProtectionPolicy");
+        if (credentialProtectionPolicy == null) {
+            return null;
+        }
+
+        Integer credProtect = credProtectValue(credentialProtectionPolicy);
+        Boolean enforce = (Boolean) extensions.get("enforceCredentialProtectionPolicy");
+        if (Boolean.TRUE.equals(enforce) &&
+                !isSupported(ctap) &&
+                credProtect != null &&
+                credProtect > 0x01) {
+            throw new IllegalArgumentException("Authenticator does not support Credential Protection");
+        }
+        return credProtect != null
+                ? new RegistrationProcessor(
+                pinToken -> Collections.singletonMap(name, credProtect))
+                : null;
+    }
+
+    @Nullable
+    private Integer credProtectValue(String optionsValue) {
+        switch(optionsValue) {
+            case OPTIONAL:
+                return 0x01;
+            case OPTIONAL_WITH_LIST:
+                return 0x02;
+            case REQUIRED:
+                return 0x03;
+            default:
+                return null;
+        }
+    }
+}