2024 update

.github/workflows/ci.yml → .github/workflows/robot.yml

@@ -2,37 +2,33 @@ on:
   push:
     branches:
       - main
+      - next
   pull_request:
     branches:
       - main
-name: CI check
+name: Build robot
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Build and deploy
     steps:
       - name: Check out code
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v4
         with:
-          submodules: true
+          fetch-tags: true
+          fetch-depth: 0
       - name: Set SSH key
-        uses: webfactory/ssh-agent@v0.7.0
+        uses: webfactory/ssh-agent@v0.9.0
         with:
           ssh-private-key: ${{ secrets.SSH_KEY }}
       - name: Add known host key
         run: ssh-keyscan javacard.pro >> ~/.ssh/known_hosts
-      - name: Cache local Maven repository
-        uses: actions/[email protected]
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
       - name: Setup java
-        uses: actions/setup-java@v3.6.0
+        uses: actions/setup-java@v4
         with:
           java-version: 17
-          distribution: temurin
+          distribution: zulu
+          cache: maven
       - name: Compile and verify
         run: ./mvnw -U -B -T1C verify
       - name: Deploy snapshot

.mvn/wrapper/maven-wrapper.properties

@@ -14,5 +14,7 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.6/apache-maven-3.8.6-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar
+wrapperVersion=3.3.2
+distributionType=script
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar

common/pom.xml

@@ -14,12 +14,12 @@
         <dependency>
             <groupId>com.github.martinpaljak</groupId>
             <artifactId>apdu4j-core</artifactId>
-            <version>2020r3</version>
+            <version>24.09.26.2</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-cbor</artifactId>
-            <version>2.14.0</version>
+            <version>2.18.1</version>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>

common/src/main/java/pro/javacard/fido2/common/AuthenticatorData.java

@@ -44,6 +44,7 @@ static EnumSet<Flag> fromByte(byte b) {
     final ObjectNode extensions;
 
 
+    // TODO: spotbugs pro.javacard.fido2.common.AuthenticatorData CT_CONSTRUCTOR_THROW
     private AuthenticatorData(byte[] authData, byte[] rpIdHash, EnumSet<Flag> flags, long counter, AttestationData attestation, ObjectNode extensions) {
         this.authData = authData.clone();
         this.rpIdHash = rpIdHash.clone();

common/src/main/java/pro/javacard/fido2/common/COSEPublicKey.java

@@ -28,7 +28,7 @@ public class COSEPublicKey {
     static COSEPublicKey fromBytes(byte[] cbor) throws IOException {
         CBORParser parser = factory.createParser(cbor);
         ObjectNode parsed = parser.readValueAsTree();
-        byte[] encoded = Arrays.copyOf(cbor, (int) parser.getCurrentLocation().getByteOffset() - 1);
+        byte[] encoded = Arrays.copyOf(cbor, (int) parser.currentLocation().getByteOffset() - 1);
 
         final PublicKey pubkey;
         switch (parsed.get("3").asInt()) {

common/src/main/java/pro/javacard/fido2/common/CTAP2ProtocolHelpers.java

@@ -27,7 +27,7 @@
 import static pro.javacard.fido2.common.CTAP2Enums.Error.valueOf;
 import static pro.javacard.fido2.common.CryptoUtils.concatenate;
 
-@SuppressWarnings("deprecation")
+@SuppressWarnings({"deprecation", "rawtypes"})
 public class CTAP2ProtocolHelpers {
     private static final Logger logger = LoggerFactory.getLogger(CTAP2ProtocolHelpers.class);
 
@@ -41,6 +41,7 @@ public static void setProtocolDebug(OutputStream debug) {
     }
 
     static {
+        // FIXME: QUOTE_FIELD_NAMES in com.fasterxml.jackson.core.JsonGenerator.Feature has been deprecated
         mapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES, false); // We have numerics in visual
     }
 

common/src/main/java/pro/javacard/fido2/common/CTAPProtocolError.java

@@ -2,6 +2,7 @@
 
 public class CTAPProtocolError extends RuntimeException {
 
+    private static final long serialVersionUID = 6495521863179051131L;
     public CTAPProtocolError(String message) {
         super(message);
     }

common/src/main/java/pro/javacard/fido2/common/MakeCredentialCommand.java

@@ -30,6 +30,8 @@ public class MakeCredentialCommand {
     byte[] pinAuth;
     int pinProtocol = -1;
 
+    int enterpriseAttestation = -1;
+
     public MakeCredentialCommand withClientDataHash(byte[] hash) {
         clientDataHash = hash.clone();
         return this;
@@ -86,6 +88,13 @@ public MakeCredentialCommand withOption(String option, boolean value) {
         return this;
     }
 
+    public MakeCredentialCommand withEnterpriseAttestation(int variant) {
+        if (!(variant == 1 || variant == 2))
+            throw new IllegalArgumentException("enterpriseAttestation must be 1 or 2");
+        enterpriseAttestation = variant;
+        return this;
+    }
+
     // Build the CBOR structure
     public byte[] build() {
         if (clientDataHash == null || origin == null || userId == null || algorithms.size() == 0)
@@ -106,6 +115,8 @@ public byte[] build() {
                 numElements++;
             if (excludeList.size() > 0)
                 numElements++;
+            if (enterpriseAttestation != -1)
+                numElements++;
 
             generator.writeStartObject(numElements);
 
@@ -183,6 +194,10 @@ public byte[] build() {
                 generator.writeFieldId(MakeCredentialCommandParameter.pinProtocol.value());
                 generator.writeNumber(pinProtocol);
             }
+            if (enterpriseAttestation != -1) {
+                generator.writeFieldId(MakeCredentialCommandParameter.enterpriseAttestation.value());
+                generator.writeNumber(enterpriseAttestation);
+            }
             generator.writeEndObject();
 
             generator.close();

common/src/main/java/pro/javacard/fido2/common/U2FAuthenticate.java

@@ -51,7 +51,6 @@ public static byte[] toAuthenticateCommand(GetAssertionCommand command) throws I
         return u2fcmd;
     }
 
-    @SuppressWarnings("deprecation")
     public static byte[] toCBOR(GetAssertionCommand command, byte[] response) throws IOException {
 
         byte[] appId = PINProtocols.sha256(command.origin.getBytes(StandardCharsets.UTF_8));

common/src/main/java/pro/javacard/fido2/common/U2FRegister.java

@@ -30,7 +30,6 @@ void verifyU2FRegistration(MakeCredentialCommand command) throws IllegalArgument
             throw new IllegalArgumentException("U2F supports only P256");
     }
 
-    @SuppressWarnings("deprecation")
     public static byte[] toCBOR(MakeCredentialCommand command, byte[] response) throws IOException {
 
         int offset = 0;
@@ -95,7 +94,7 @@ public static byte[] toCBOR(MakeCredentialCommand command, byte[] response) thro
         generator.writeFieldName("sig");
         generator.writeBinary(signature);
         generator.writeFieldName("x5c");
-        generator.writeStartArray(1);
+        generator.writeStartArray(null, 1);
         generator.writeBinary(cert);
         generator.writeEndArray();
         generator.writeEndObject(); // sig+x509 dict

common/src/main/java/pro/javacard/fido2/common/WebAuthnPlatform.java

@@ -10,6 +10,7 @@
 import java.util.*;
 
 // WebAuthn cargo cult for testing purposes.
+@SuppressWarnings("rawtypes")
 public class WebAuthnPlatform {
 
     static final ObjectMapper json = new ObjectMapper();

pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>com.github.martinpaljak</groupId>
         <artifactId>metacard</artifactId>
-        <version>22.11.15</version>
+        <version>24.11.17</version>
     </parent>
     <packaging>pom</packaging>
     <artifactId>fido2-toolbox</artifactId>
@@ -37,7 +37,7 @@
                         <configuration>
                             <rules>
                                 <requireMavenVersion>
-                                    <version>[3.6.8,)</version>
+                                    <version>[3.9.9,)</version>
                                 </requireMavenVersion>
                                 <requireJavaVersion>
                                     <version>[17,)</version>
@@ -51,7 +51,6 @@
                 <!-- FIDO depends on Ed25519 keys, thus targeting JDK17+ -->
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.10.1</version>
                 <executions>
                     <execution>
                         <id>default-compile</id>

spotbugs.xml

@@ -13,4 +13,8 @@
         <Class name="~pro.javacard.fido2.cli.XFIDOConfig.*"/>
         <Bug pattern="UUF_UNUSED_FIELD,URF_UNREAD_FIELD,UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD,URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD"/>
     </Match>
+    <Match>
+        <class name="pro.javacard.fido2.common.AuthenticatorData"/>
+        <Bug pattern="CT_CONSTRUCTOR_THROW"/>
+    </Match>
 </FindBugsFilter>

tool/pom.xml

@@ -30,22 +30,22 @@
         <dependency>
             <groupId>net.java.dev.jna</groupId>
             <artifactId>jna-platform</artifactId>
-            <version>5.12.1</version>
+            <version>5.15.0</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>
-            <version>2.14.0</version>
+            <version>2.18.1</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-properties</artifactId>
-            <version>2.14.0</version>
+            <version>2.18.1</version>
         </dependency>
         <dependency>
             <groupId>com.github.martinpaljak</groupId>
             <artifactId>globalplatformpro</artifactId>
-            <version>21.12.31</version>
+            <version>24.10.15</version>
         </dependency>
         <dependency>
             <groupId>org.testng</groupId>
@@ -109,7 +109,7 @@
                     </execution>
                 </executions>
             </plugin>
-            <!-- Package for Windows -->
+            <!-- Package for Windows
             <plugin>
                 <groupId>com.akathist.maven.plugins.launch4j</groupId>
                 <artifactId>launch4j-maven-plugin</artifactId>
@@ -154,7 +154,7 @@
                         </configuration>
                     </execution>
                 </executions>
-            </plugin>
+            </plugin> -->
         </plugins>
     </build>
 </project>

tool/src/main/java/pro/javacard/fido2/cli/CommandLineInterface.java

@@ -49,6 +49,7 @@ abstract class CommandLineInterface {
     protected static OptionSpec<String> OPT_AUTHENTICATE = parser.acceptsAll(Arrays.asList("a", "authenticate"), "Get assertion / authenticate").withRequiredArg().describedAs("[user@]domain");
 
     // Arguments for registration/authentication
+    protected static OptionSpec<Integer> OPT_EA = parser.acceptsAll(Arrays.asList("ea"),  "Enterprise Attestation (FIDO2)").withOptionalArg().ofType(Integer.class).defaultsTo(1);
     protected static OptionSpec<Void> OPT_RK = parser.acceptsAll(Arrays.asList("rk", "discoverable"), "Discoverable (FIDO2)");
     protected static OptionSpec<String> OPT_HMAC_SECRET = parser.acceptsAll(Arrays.asList("hmac-secret"), "Use hmac-secret (FIDO2)").withOptionalArg().describedAs("hex");
     protected static OptionSpec<Integer> OPT_PROTECT = parser.acceptsAll(Arrays.asList("protect"), "Use credProtect (FIDO2)").withRequiredArg().ofType(Integer.class);