Release 2.5.2

Fixes: - Allow unknown properties in `credProps` client extension output.
Yubico · Apr 22, 2024 · fed0930 · fed0930 · github-actions · Apr 22, 2024
2 parents a3698be + 821e211
commit fed0930
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 63 deletions.
diff --git a/.github/workflows/release-verify-signatures.yml b/.github/workflows/release-verify-signatures.yml
@@ -39,7 +39,7 @@ jobs:
 
     strategy:
       matrix:
-        java: ["17.0.7"]
+        java: ["17.0.10"]
         distribution: [temurin, zulu, microsoft]
 
     steps:

diff --git a/NEWS b/NEWS
@@ -1,3 +1,10 @@
+== Version 2.5.2 ==
+
+Fixes:
+
+* Allow unknown properties in `credProps` client extension output.
+
+
 == Version 2.5.1 ==
 
 Changes:

diff --git a/README b/README
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/data/ExtensionOutputs.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/data/ExtensionOutputs.java
@@ -4,7 +4,15 @@
 import java.util.Set;
 
 public interface ExtensionOutputs {
-  /** Returns a {@link Set} of the extension IDs for which an extension output is present. */
+  /**
+   * Returns a {@link Set} of recognized extension IDs for which an extension output is present.
+   *
+   * <p>This only includes extension identifiers recognized by the java-webauthn-server library.
+   * Recognized extensions can be found as the properties of {@link
+   * ClientRegistrationExtensionOutputs} for registration ceremonies, and {@link
+   * ClientAssertionExtensionOutputs} for authentication ceremonies. Unknown extension identifiers
+   * are silently ignored.
+   */
   @JsonIgnore
   Set<String> getExtensionIds();
 }
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/data/Extensions.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/data/Extensions.java
@@ -1,6 +1,7 @@
 package com.yubico.webauthn.data;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonValue;
 import com.upokecenter.cbor.CBORObject;
@@ -63,6 +64,7 @@ public static class CredentialProperties {
      *     Credential Properties Extension (credProps)</a>
      */
     @Value
+    @JsonIgnoreProperties(ignoreUnknown = true)
     public static class CredentialPropertiesOutput {
       @JsonProperty("rk")
       private final Boolean rk;

diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
@@ -258,12 +258,21 @@ class RelyingPartyRegistrationSpec
                 },
                 "clientExtensionResults": {
                   "appidExclude": true,
-                  "org.example.foo": "bar"
+                  "org.example.foo": "bar",
+                  "credProps": {
+                    "rk": false,
+                    "authenticatorDisplayName": "My passkey",
+                    "unknownProperty": ["unknown-value"]
+                  }
                 }
               }""")
             pkc.getClientExtensionResults.getExtensionIds should contain(
               "appidExclude"
             )
+            pkc.getClientExtensionResults.getExtensionIds should contain(
+              "credProps"
+            )
+            pkc.getClientExtensionResults.getExtensionIds should not contain ("org.example.foo")
           }
         }
 

diff --git a/webauthn-server-demo/README b/webauthn-server-demo/README
@@ -44,7 +44,7 @@ layer.
 This layer manages the general architecture of the system, and is where most
 business logic and integration code would go. The demo server implements the
 "persistent" storage of users and credential registrations - the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
 integration point - as the
 link:src/main/java/demo/webauthn/InMemoryRegistrationStorage.java[`InMemoryRegistrationStorage`]
 class, which simply keeps them stored in memory for a limited time. The
@@ -58,7 +58,7 @@ would be specific to a particular Relying Party (RP) would go in this layer.
 - The server layer in turn calls the *library layer*, which is where the
   link:../webauthn-server-core/[`webauthn-server-core`]
   library gets involved. The entry point into the library is the
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
   class.
 +
 This layer implements the Web Authentication
@@ -69,11 +69,11 @@ and exposes integration points for storage of challenges and credentials. Some
 notable integration points are:
 +
 ** The library user must provide an implementation of the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
 interface to use for looking up stored public keys, user handles and signature
 counters.
 ** The library user can optionally provide an instance of the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
 interface to enable identification and validation of authenticator models. This
 instance is then used to look up trusted attestation root certificates. The
 link:../webauthn-server-attestation/[`webauthn-server-attestation`]
@@ -158,7 +158,7 @@ correct environment.
     Authentication demo'`
 
   - `YUBICO_WEBAUTHN_USE_FIDO_MDS`: If set to `true` (case-insensitive), use
-    https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
+    https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.2/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
     from the link:../webauthn-server-attestation[`webauthn-server-attestation`]
     module as a source of attestation data in addition to the static JSON file
     bundled with the demo. This will write cache files to the
Package	Coverage	Stats	Prev	Prev
Overall	81 % 🔻	1285 🔻 / 1583 🔻	81 %	1368 / 1669
`com.yubico.fido.metadata`	69 % 🟢	225 🔺 / 323 🔹	68 %	222 / 323
`com.yubico.internal.util`	47 % 🟢	57 🔹 / 120 🔻	46 %	57 / 123
`com.yubico.webauthn`	86 % 🔻	570 🔻 / 656 🔻	88 %	647 / 733
`com.yubico.webauthn.attestation`	92 % 🔹	13 🔹 / 14 🔹	92 %	13 / 14
`com.yubico.webauthn.data`	93 % 🔻	395 🔻 / 423 🔻	94 %	404 / 429
`com.yubico.webauthn.extension.appid`	100 % 🏆	13 🔹 / 13 🔹	100 %	13 / 13
`com.yubico.webauthn.extension.uvm`	50 % 🔹	12 🔹 / 24 🔹	50 %	12 / 24
`com.yubico.webauthn.meta`	0 % 🔹	0 🔹 / 10 🔹	0 %	0 / 10