Allow unknown MDS enum values and add missing fields

Beyond adding the missing `AttachmentHint` value identified in [issue #446][1] ,
this adds an `UNKNOWN` constant as the default deserialization of all enums in
the MDS data model; this should prevent hard crashes on new enum values in the
future. To ensure that new values don't go unnoticed forever, this also adds a
new integration test that attempts to deserialize the BLOB with enum defaults
disabled and unknown fields forbidden. This should help us detect when new
additions appear in the upstream data, as the integration test runs [once a week
on GitHub Actions][2].

The new test also revealed several other new fields that were missing. I also
added any other new fields defined in immediate proximity to the ones identified
by the test; not all of these added fields have yet appeared in the actual data.

[1]: #466
[2]: https://github.com/Yubico/java-webauthn-server/actions/workflows/integration-test.yml

Author: emlun

NEWS

@@ -11,10 +11,37 @@ Fixes:
 New features:
 
 * Added `AuthenticatorStatus.RETIRED` and `Filters.notRetired()`.
+* Added `AttachmentHint.ATTACHMENT_HINT_SMART_CARD`.
+ ** Thanks to Misagh Moayyed and Erlend Nukke for the contribution, see
+    https://github.com/Yubico/java-webauthn-server/pull/468 and
+    https://github.com/Yubico/java-webauthn-server/pull/467
+* Added `UNKNOWN` constant to all enums in `com.yubico.fido.metadata`:
+ ** `AttachmentHint`
+ ** `AuthenticationAlgorithm`
+ ** `AuthenticatorAttestationType`
+ ** `CtapCertificationId`
+ ** `CtapPinUvAuthProtocolVersion`
+ ** `CtapVersion`
+ ** `ProtocolFamily`
+ ** `PublicKeyRepresentationFormat`
+ ** `TransactionConfirmationDisplayType`
+* Added enum constant `CtapVersion.FIDO_2_3`.
+* Added missing fields to FIDO MDS data model:
+ ** `AuthenticatorGetInfo`: `attestationFormats`, `longTouchForReset`,
+    `uvCountSinceLastPinEntry`, `transportsForReset`, `pinComplexityPolicy`,
+    `pinComplexityPolicyURL`, `maxPINLength`, `authenticatorConfigCommands`
+ ** `BiometricAccuracyDescriptor`: `iAPARThreshold`
+ ** `MetadataStatement`: `friendlyNames`, `iconDark`, `providerLogoLight`,
+    `providerLogoDark`, `keyScope`, `multiDeviceCredentialSupport`,
+    `cxpConfigURL`
+ ** `StatusReport`: `certificationProfiles`, `sunsetDate`, `fipsRevision`,
+    `fipsPhysicalSecurityLevel`
 
 Fixes:
 
 * Added `@since` tags to `AuthenticatorStatus` and `FidoMetadataService` javadoc.
+* All `com.yubico.fido.metadata` enums now deserialize unknown values to
+  `UNKOWN` instead of crashing the parser.
 
 
 == Version 2.8.1 ==

webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataDownloaderIntegrationTest.scala

@@ -1,5 +1,7 @@
 package com.yubico.fido.metadata
 
+import com.fasterxml.jackson.databind.DeserializationFeature
+import com.yubico.fido.metadata.TestCaches.cachedDefaultSettingsDownloader
 import com.yubico.internal.util.CertificateParser
 import com.yubico.webauthn.data.ByteArray
 import org.junit.runner.RunWith
@@ -11,7 +13,6 @@ import org.scalatest.tags.Slow
 import org.scalatestplus.junit.JUnitRunner
 
 import scala.jdk.CollectionConverters.ListHasAsScala
-import scala.jdk.OptionConverters.RichOption
 import scala.util.Success
 import scala.util.Try
 
@@ -24,44 +25,33 @@ class FidoMetadataDownloaderIntegrationTest
     with BeforeAndAfter {
 
   describe("FidoMetadataDownloader with default settings") {
-    // Cache downloaded items to avoid cause unnecessary load on remote servers
-    var trustRootCache: Option[ByteArray] = None
-    var blobCache: Option[ByteArray] = None
-    val downloader =
-      FidoMetadataDownloader
-        .builder()
-        .expectLegalHeader(
-          "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
-        )
-        .useDefaultTrustRoot()
-        .useTrustRootCache(
-          () => trustRootCache.toJava,
-          trustRoot => { trustRootCache = Some(trustRoot) },
-        )
-        .useDefaultBlob()
-        .useBlobCache(
-          () => blobCache.toJava,
-          blob => { blobCache = Some(blob) },
-        )
-        .build()
+    val downloader = cachedDefaultSettingsDownloader.build()
 
     it("downloads and verifies the root cert and BLOB successfully.") {
-      val blob = Try(downloader.loadCachedBlob)
+      val blob = Try(TestCaches.cacheSynchronized(downloader.loadCachedBlob))
       blob shouldBe a[Success[_]]
       blob.get should not be null
     }
 
     it(
       "does not encounter any CRLDistributionPoints entries in unknown format."
     ) {
-      val blob = Try(downloader.loadCachedBlob)
+      val blob = Try(TestCaches.cacheSynchronized(downloader.loadCachedBlob))
       blob shouldBe a[Success[_]]
       val trustRootCert =
-        CertificateParser.parseDer(trustRootCache.get.getBytes)
-      val certChain = downloader
-        .fetchHeaderCertChain(
-          trustRootCert,
-          FidoMetadataDownloader.parseBlob(blobCache.get).getBlob.getHeader,
+        CertificateParser.parseDer(
+          TestCaches.getTrustRootCache.get.get.getBytes
+        )
+      val certChain = TestCaches
+        .cacheSynchronized(
+          downloader
+            .fetchHeaderCertChain(
+              trustRootCert,
+              downloader
+                .parseBlob(TestCaches.getBlobCache.get.get)
+                .getBlob
+                .getHeader,
+            )
         )
         .asScala :+ trustRootCert
       for { cert <- certChain } {
@@ -76,4 +66,29 @@ class FidoMetadataDownloaderIntegrationTest
     }
   }
 
+  describe("FidoMetadataDownloader with strict JSON deserialization settings") {
+    val downloader = cachedDefaultSettingsDownloader
+      .headerJsonMapper(() =>
+        com.yubico.internal.util.JacksonCodecs
+          .json()
+          .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true)
+      )
+      .payloadJsonMapper(() =>
+        com.yubico.internal.util.JacksonCodecs
+          .json()
+          .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true)
+          .configure(
+            DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE,
+            false,
+          )
+      )
+      .build()
+
+    it("downloads and parses the BLOB successfully.") {
+      val blob = Try(TestCaches.cacheSynchronized(downloader.loadCachedBlob))
+      blob shouldBe a[Success[_]]
+      blob.get should not be null
+    }
+  }
+
 }

webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataServiceIntegrationTest.scala

@@ -5,6 +5,7 @@ import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_INTERNAL
 import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_NFC
 import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRED
 import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRELESS
+import com.yubico.fido.metadata.TestCaches.cachedDefaultSettingsDownloader
 import com.yubico.internal.util.CertificateParser
 import com.yubico.webauthn.FinishRegistrationOptions
 import com.yubico.webauthn.RelyingParty
@@ -22,7 +23,6 @@ import org.scalatestplus.junit.JUnitRunner
 
 import java.time.Clock
 import java.time.ZoneOffset
-import java.util.Optional
 import scala.jdk.CollectionConverters.SetHasAsJava
 import scala.jdk.CollectionConverters.SetHasAsScala
 import scala.jdk.OptionConverters.RichOptional
@@ -40,21 +40,12 @@ class FidoMetadataServiceIntegrationTest
   describe("FidoMetadataService") {
 
     describe("downloaded with default settings") {
-      val downloader = FidoMetadataDownloader
-        .builder()
-        .expectLegalHeader(
-          "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
-        )
-        .useDefaultTrustRoot()
-        .useTrustRootCache(() => Optional.empty(), _ => {})
-        .useDefaultBlob()
-        .useBlobCache(() => Optional.empty(), _ => {})
-        .build()
+      val downloader = cachedDefaultSettingsDownloader.build()
       val fidoMds =
         Try(
           FidoMetadataService
             .builder()
-            .useBlob(downloader.loadCachedBlob())
+            .useBlob(TestCaches.cacheSynchronized(downloader.loadCachedBlob()))
             .build()
         )
 

webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/TestCaches.scala

@@ -0,0 +1,42 @@
+package com.yubico.fido.metadata
+
+import com.yubico.webauthn.data.ByteArray
+
+import java.util.Optional
+import java.util.function.Consumer
+import java.util.function.Supplier
+import scala.jdk.OptionConverters.RichOption
+
+object TestCaches {
+
+  // Cache downloaded items to avoid unnecessary load on remote servers, and so tests don't have to wait for rate limiting
+
+  private var trustRootCache: Option[ByteArray] = None
+  val getTrustRootCache: Supplier[Optional[ByteArray]] = () =>
+    trustRootCache.toJava
+  val setTrustRootCache: Consumer[ByteArray] = trustRoot => {
+    trustRootCache = Some(trustRoot)
+  }
+
+  private var blobCache: Option[ByteArray] = None
+  val getBlobCache: Supplier[Optional[ByteArray]] = () => blobCache.toJava
+  val setBlobCache: Consumer[ByteArray] = blob => { blobCache = Some(blob) }
+
+  def cachedDefaultSettingsDownloader
+      : FidoMetadataDownloader.FidoMetadataDownloaderBuilder =
+    FidoMetadataDownloader
+      .builder()
+      .expectLegalHeader(
+        "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
+      )
+      .useDefaultTrustRoot()
+      .useTrustRootCache(getTrustRootCache, setTrustRootCache)
+      .useDefaultBlob()
+      .useBlobCache(getBlobCache, setBlobCache)
+
+  /** Evaluate <code>expr</code> with an exclusive lock on the test cache. */
+  def cacheSynchronized[A](expr: => A): A = {
+    this.synchronized(expr)
+  }
+
+}

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AttachmentHint.java

@@ -1,5 +1,6 @@
 package com.yubico.fido.metadata;
 
+import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
 import com.fasterxml.jackson.annotation.JsonValue;
 
 /**
@@ -22,6 +23,14 @@
  */
 public enum AttachmentHint {
 
+  /**
+   * (NOT DEFINED IN SPEC) Placeholder for any unknown {@link AttachmentHint} value.
+   *
+   * @since 2.9.0
+   */
+  @JsonEnumDefaultValue
+  UNKNOWN(0, "UNKNOWN"),
+
   /**
    * This flag MAY be set to indicate that the authenticator is permanently attached to the FIDO
    * User Device.
@@ -129,7 +138,20 @@ public enum AttachmentHint {
    *     href="https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-rd-20210525.html#authenticator-attachment-hints">FIDO
    *     Registry of Predefined Values §3.4 Authenticator Attachment Hints</a>
    */
-  ATTACHMENT_HINT_WIFI_DIRECT(0x0100, "wifi_direct");
+  ATTACHMENT_HINT_WIFI_DIRECT(0x0100, "wifi_direct"),
+
+  /**
+   * This flag MAY be set to indicate that an external authenticator is able to communicate by
+   * ISO7816 messages with the FIDO User Device. As part of authenticator metadata, or when
+   * reporting characteristics through discovery, if this flag is set, the {@link
+   * #ATTACHMENT_HINT_WIRED} flag SHOULD also be set.
+   *
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/common-specs/fido-registry-v2.3-rd-20260105.html#authenticator-attachment-hints">FIDO
+   *     Registry of Predefined Values §3.4 Authenticator Attachment Hints</a>
+   */
+  ATTACHMENT_HINT_SMART_CARD(0x0200, "smart-card");
 
   private final int value;
 

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticationAlgorithm.java

@@ -1,5 +1,6 @@
 package com.yubico.fido.metadata;
 
+import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
 import com.fasterxml.jackson.annotation.JsonValue;
 
 /**
@@ -15,6 +16,14 @@
  */
 public enum AuthenticationAlgorithm {
 
+  /**
+   * (NOT DEFINED IN SPEC) Placeholder for any unknown {@link AuthenticationAlgorithm} value.
+   *
+   * @since 2.9.0
+   */
+  @JsonEnumDefaultValue
+  UNKNOWN(0, "UNKNOWN"),
+
   /**
    * @see <a
    *     href="https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-rd-20210525.html#authentication-algorithms">FIDO

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorAttestationType.java

@@ -1,5 +1,6 @@
 package com.yubico.fido.metadata;
 
+import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
 import com.fasterxml.jackson.annotation.JsonValue;
 
 /**
@@ -15,6 +16,14 @@
  */
 public enum AuthenticatorAttestationType {
 
+  /**
+   * (NOT DEFINED IN SPEC) Placeholder for any unknown {@link AuthenticatorAttestationType} value.
+   *
+   * @since 2.9.0
+   */
+  @JsonEnumDefaultValue
+  UNKNOWN(0, "UNKNOWN"),
+
   /**
    * Indicates full basic attestation, based on an attestation private key shared among a class of
    * authenticators (e.g. same model). Authenticators must provide its attestation signature during