Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for RS384 and RS512 #235

Merged
merged 4 commits into from
Jan 26, 2023
Merged

Support for RS384 and RS512 #235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3015729
Add RS384 and RS512 to algorithm ID enum
JohnnyJayJay Oct 6, 2022
6fa3f77
Add Java algorithm name mappings for RS384 and RS512
JohnnyJayJay Oct 6, 2022
b682288
Merge branch 'main' into feature/more-rsapkcs-algs
emlun Jan 19, 2023
4f70621
Add support for RS384 and RS512
emlun Jan 26, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion NEWS
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,13 @@
== Version 2.3.1 (unreleased) ==
== Version 2.4.0 (unreleased) ==

`webauthn-server-core`:

New features:

* Added support for RS384 and RS512 signature algorithms.
** Thanks to GitHub user JohnnyJayJay for the contribution, see
https://github.com/Yubico/java-webauthn-server/pull/235

Fixes:

* During `RelyingParty.finishRegistration()` if an `attestationTrustSource` is
Expand Down
8 changes: 7 additions & 1 deletion webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,8 @@ public class RelyingParty {
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES384}
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES512}
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS256 RS256}
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS384 RS384}
* <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS512 RS512}
* </ol>
*
* @see PublicKeyCredentialCreationOptions#getAttestation()
Expand All @@ -232,7 +234,9 @@ public class RelyingParty {
PublicKeyCredentialParameters.EdDSA,
PublicKeyCredentialParameters.ES384,
PublicKeyCredentialParameters.ES512,
PublicKeyCredentialParameters.RS256));
PublicKeyCredentialParameters.RS256,
PublicKeyCredentialParameters.RS384,
PublicKeyCredentialParameters.RS512));

/**
* If <code>true</code>, the origin matching rule is relaxed to allow any port number.
Expand Down Expand Up @@ -427,6 +431,8 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
break;

case RS256:
case RS384:
case RS512:
case RS1:
KeyFactory.getInstance("RSA");
break;
Expand Down
2 changes: 2 additions & 0 deletions webauthn-server-core/src/main/java/com/yubico/webauthn/TpmAttestationStatementVerifier.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -217,10 +217,12 @@ private void validateCertInfo(
break;

case ES384:
case RS384:
expectedExtraData = Crypto.sha384(attToBeSigned);
break;

case ES512:
case RS512:
expectedExtraData = Crypto.sha512(attToBeSigned);
break;

Expand Down
4 changes: 4 additions & 0 deletions webauthn-server-core/src/main/java/com/yubico/webauthn/WebAuthnCodecs.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,10 @@ static String getJavaAlgorithmName(COSEAlgorithmIdentifier alg) {
return "SHA512withECDSA";
case RS256:
return "SHA256withRSA";
case RS384:
return "SHA384withRSA";
case RS512:
return "SHA512withRSA";
case RS1:
return "SHA1withRSA";
default:
Expand Down
2 changes: 2 additions & 0 deletions webauthn-server-core/src/main/java/com/yubico/webauthn/data/COSEAlgorithmIdentifier.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@ public enum COSEAlgorithmIdentifier {
ES384(-35),
ES512(-36),
RS256(-257),
RS384(-258),
RS512(-259),
RS1(-65535);

@JsonValue @Getter private final long id;
Expand Down
10 changes: 10 additions & 0 deletions ...erver-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialCreationOptions.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -382,6 +382,8 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
break;

case RS256:
case RS384:
case RS512:
case RS1:
KeyFactory.getInstance("RSA");
break;
Expand Down Expand Up @@ -419,6 +421,14 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
Signature.getInstance("SHA256withRSA");
break;

case RS384:
Signature.getInstance("SHA384withRSA");
break;

case RS512:
Signature.getInstance("SHA512withRSA");
break;

case RS1:
Signature.getInstance("SHA1withRSA");
break;
Expand Down
14 changes: 14 additions & 0 deletions ...thn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialParameters.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,20 @@ private PublicKeyCredentialParameters(
public static final PublicKeyCredentialParameters RS256 =
builder().alg(COSEAlgorithmIdentifier.RS256).build();

/**
* Algorithm {@link COSEAlgorithmIdentifier#RS384} and type {@link
* PublicKeyCredentialType#PUBLIC_KEY}.
*/
public static final PublicKeyCredentialParameters RS384 =
builder().alg(COSEAlgorithmIdentifier.RS384).build();

/**
* Algorithm {@link COSEAlgorithmIdentifier#RS512} and type {@link
* PublicKeyCredentialType#PUBLIC_KEY}.
*/
public static final PublicKeyCredentialParameters RS512 =
builder().alg(COSEAlgorithmIdentifier.RS512).build();

public static PublicKeyCredentialParametersBuilder.MandatoryStages builder() {
return new PublicKeyCredentialParametersBuilder.MandatoryStages();
}
Expand Down
128 changes: 128 additions & 0 deletions webauthn-server-core/src/test/scala/com/yubico/webauthn/RegistrationTestData.scala
View file
Open in desktop

Large diffs are not rendered by default.

18 changes: 18 additions & 0 deletions webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4182,6 +4182,24 @@ class RelyingPartyRegistrationSpec
COSEAlgorithmIdentifier.RS256
)
}

it("RS384.") {
pubKeyCredParams should contain(
PublicKeyCredentialParameters.RS384
)
pubKeyCredParams map (_.getAlg) should contain(
COSEAlgorithmIdentifier.RS384
)
}

it("RS512.") {
pubKeyCredParams should contain(
PublicKeyCredentialParameters.RS512
)
pubKeyCredParams map (_.getAlg) should contain(
COSEAlgorithmIdentifier.RS512
)
}
}

describe("do not include") {
Expand Down
11 changes: 9 additions & 2 deletions webauthn-server-core/src/test/scala/com/yubico/webauthn/TestAuthenticator.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -909,6 +909,10 @@ object TestAuthenticator {
(TpmAlgHash.SHA512, TpmAlgAsym.ECC)
case COSEAlgorithmIdentifier.RS256 =>
(TpmAlgHash.SHA256, TpmAlgAsym.RSA)
case COSEAlgorithmIdentifier.RS384 =>
(TpmAlgHash.SHA384, TpmAlgAsym.RSA)
case COSEAlgorithmIdentifier.RS512 =>
(TpmAlgHash.SHA512, TpmAlgAsym.RSA)
case COSEAlgorithmIdentifier.RS1 => (TpmAlgHash.SHA1, TpmAlgAsym.RSA)
case COSEAlgorithmIdentifier.EdDSA => ???
}
Expand Down Expand Up @@ -964,6 +968,8 @@ object TestAuthenticator {
case COSEAlgorithmIdentifier.ES512 => 0x0005
case COSEAlgorithmIdentifier.RS1 |
COSEAlgorithmIdentifier.RS256 |
COSEAlgorithmIdentifier.RS384 |
COSEAlgorithmIdentifier.RS512 |
COSEAlgorithmIdentifier.EdDSA =>
???
}))
Expand Down Expand Up @@ -1115,8 +1121,9 @@ object TestAuthenticator {
case COSEAlgorithmIdentifier.ES256 => generateEcKeypair("secp256r1")
case COSEAlgorithmIdentifier.ES384 => generateEcKeypair("secp384r1")
case COSEAlgorithmIdentifier.ES512 => generateEcKeypair("secp521r1")
case COSEAlgorithmIdentifier.RS256 => generateRsaKeypair()
case COSEAlgorithmIdentifier.RS1 => generateRsaKeypair()
case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS384 |
COSEAlgorithmIdentifier.RS512 | COSEAlgorithmIdentifier.RS1 =>
generateRsaKeypair()
}

def generateEcKeypair(curve: String = "secp256r1"): KeyPair = {
Expand Down
3 changes: 2 additions & 1 deletion webauthn-server-core/src/test/scala/com/yubico/webauthn/WebAuthnTestCodecs.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@ object WebAuthnTestCodecs {
val spec = new PKCS8EncodedKeySpec(encodedKey.getBytes)
keyFactory.generatePrivate(spec)

case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS1 =>
case COSEAlgorithmIdentifier.RS256 | COSEAlgorithmIdentifier.RS384 |
COSEAlgorithmIdentifier.RS512 | COSEAlgorithmIdentifier.RS1 =>
val keyFactory: KeyFactory = KeyFactory.getInstance("RSA")
val spec = new PKCS8EncodedKeySpec(encodedKey.getBytes)
keyFactory.generatePrivate(spec)
Expand Down