Add missing FIDO MDS data model fields

Author: emlun

NEWS

@@ -25,6 +25,17 @@ New features:
  ** ProtocolFamily`
  ** PublicKeyRepresentationFormat`
  ** TransactionConfirmationDisplayType`
+* Added enum constant `CtapVersion.FIDO_2_3`.
+* Added missing fields to FIDO MDS data model:
+ ** `AuthenticatorGetInfo`: `attestationFormats`, `longTouchForReset`,
+    `uvCountSinceLastPinEntry`, `transportsForReset`, `pinComplexityPolicy`,
+    `pinComplexityPolicyURL`, `maxPINLength`, `authenticatorConfigCommands`
+ ** `BiometricAccuracyDescriptor`: `iAPARThreshold`
+ ** `MetadataStatement`: `friendlyNames`, `iconDark`, `providerLogoLight`,
+    `providerLogoDark`, `keyScope`, `multiDeviceCredentialSupport`,
+    `cxpConfigURL`
+ ** `StatusReport`: `certificationProfiles`, `sunsetDate`, `fipsRevision`,
+    `fipsPhysicalSecurityLevel`
 
 Fixes:
 

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorGetInfo.java

@@ -45,9 +45,11 @@
 @Builder(toBuilder = true)
 @Jacksonized
 @JsonIgnoreProperties({
-  "maxAuthenticatorConfigLength",
-  "defaultCredProtect"
-}) // Present in example but not defined
+  "maxAuthenticatorConfigLength", // Present in example but not defined
+  "defaultCredProtect", // Present in example but not defined
+  "encIdentifier", // Nonsensical in MDS context
+  "encCredStoreState" // Nonsensical in MDS context
+})
 public class AuthenticatorGetInfo {
 
   /**
@@ -178,6 +180,139 @@ public class AuthenticatorGetInfo {
   Integer remainingDiscoverableCredentials;
   Set<Integer> vendorPrototypeConfigCommands;
 
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  List<String> attestationFormats;
+
+  /**
+   * <code>true</code> if the <code>longTouchForReset</code> member is set to <code>true</code> or
+   * <code>false</code> in the metadata statement. <code>false</code> if the <code>longTouchForReset
+   * </code> member is absent in the metadata statement.
+   *
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  boolean longTouchForReset;
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  Integer uvCountSinceLastPinEntry;
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  Set<String> transportsForReset;
+
+  /**
+   * <code>true</code> if the <code>pinComplexityPolicy</code> member is set to <code>true</code> or
+   * <code>false</code> in the metadata statement. <code>false</code> if the <code>
+   * pinComplexityPolicy</code> member is absent in the metadata statement.
+   *
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  boolean pinComplexityPolicy;
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  String pinComplexityPolicyURL;
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  Integer maxPINLength;
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  Set<Integer> authenticatorConfigCommands;
+
+  AuthenticatorGetInfo(
+      @NonNull Set<CtapVersion> versions,
+      Set<String> extensions,
+      AAGUID aaguid,
+      SupportedCtapOptions options,
+      Integer maxMsgSize,
+      Set<CtapPinUvAuthProtocolVersion> pinUvAuthProtocols,
+      Integer maxCredentialCountInList,
+      Integer maxCredentialIdLength,
+      Set<AuthenticatorTransport> transports,
+      List<PublicKeyCredentialParameters> algorithms,
+      Integer maxSerializedLargeBlobArray,
+      Boolean forcePINChange,
+      Integer minPINLength,
+      Integer firmwareVersion,
+      Integer maxCredBlobLength,
+      Integer maxRPIDsForSetMinPINLength,
+      Integer preferredPlatformUvAttempts,
+      Set<UserVerificationMethod> uvModality,
+      Map<CtapCertificationId, Integer> certifications,
+      Integer remainingDiscoverableCredentials,
+      Set<Integer> vendorPrototypeConfigCommands,
+      List<String> attestationFormats,
+      Boolean longTouchForReset,
+      Integer uvCountSinceLastPinEntry,
+      Set<String> transportsForReset,
+      Boolean pinComplexityPolicy,
+      String pinComplexityPolicyURL,
+      Integer maxPINLength,
+      Set<Integer> authenticatorConfigCommands) {
+    this.versions = versions;
+    this.extensions = extensions;
+    this.aaguid = aaguid;
+    this.options = options;
+    this.maxMsgSize = maxMsgSize;
+    this.pinUvAuthProtocols = pinUvAuthProtocols;
+    this.maxCredentialCountInList = maxCredentialCountInList;
+    this.maxCredentialIdLength = maxCredentialIdLength;
+    this.transports = transports;
+    this.algorithms = algorithms;
+    this.maxSerializedLargeBlobArray = maxSerializedLargeBlobArray;
+    this.forcePINChange = forcePINChange;
+    this.minPINLength = minPINLength;
+    this.firmwareVersion = firmwareVersion;
+    this.maxCredBlobLength = maxCredBlobLength;
+    this.maxRPIDsForSetMinPINLength = maxRPIDsForSetMinPINLength;
+    this.preferredPlatformUvAttempts = preferredPlatformUvAttempts;
+    this.uvModality = uvModality;
+    this.certifications = certifications;
+    this.remainingDiscoverableCredentials = remainingDiscoverableCredentials;
+    this.vendorPrototypeConfigCommands = vendorPrototypeConfigCommands;
+    this.attestationFormats = attestationFormats;
+    this.longTouchForReset = longTouchForReset != null;
+    this.uvCountSinceLastPinEntry = uvCountSinceLastPinEntry;
+    this.transportsForReset = transportsForReset;
+    this.pinComplexityPolicy = pinComplexityPolicy != null;
+    this.pinComplexityPolicyURL = pinComplexityPolicyURL;
+    this.maxPINLength = maxPINLength;
+    this.authenticatorConfigCommands = authenticatorConfigCommands;
+  }
+
   /**
    * @see <a
    *     href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
@@ -358,6 +493,66 @@ public Optional<Set<Integer>> getVendorPrototypeConfigCommands() {
     return Optional.ofNullable(vendorPrototypeConfigCommands);
   }
 
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  public Optional<List<String>> getAttestationFormats() {
+    return Optional.ofNullable(attestationFormats);
+  }
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  public Optional<Integer> getUvCountSinceLastPinEntry() {
+    return Optional.ofNullable(uvCountSinceLastPinEntry);
+  }
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  public Optional<Set<String>> getTransportsForReset() {
+    return Optional.ofNullable(transportsForReset);
+  }
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  public Optional<String> getPinComplexityPolicyURL() {
+    return Optional.ofNullable(pinComplexityPolicyURL);
+  }
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  public Optional<Integer> getMaxPINLength() {
+    return Optional.ofNullable(maxPINLength);
+  }
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  public Optional<Set<Integer>> getAuthenticatorConfigCommands() {
+    return Optional.ofNullable(authenticatorConfigCommands);
+  }
+
   private static class SetFromIntJsonDeserializer
       extends JsonDeserializer<Set<UserVerificationMethod>> {
     @Override

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/BiometricAccuracyDescriptor.java

@@ -1,5 +1,6 @@
 package com.yubico.fido.metadata;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.Optional;
 import lombok.Builder;
 import lombok.Value;
@@ -24,6 +25,7 @@ public class BiometricAccuracyDescriptor {
 
   Double selfAttestedFRR;
   Double selfAttestedFAR;
+  Double iAPARThreshold;
   Integer maxTemplates;
   Integer maxRetries;
   Integer blockSlowdown;
@@ -46,6 +48,17 @@ public Optional<Double> getSelfAttestedFAR() {
     return Optional.ofNullable(selfAttestedFAR);
   }
 
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.1-ps-20250521.html#sctn-type-bad">FIDO
+   *     Metadata Statement §3.3. BiometricAccuracyDescriptor dictionary</a>
+   */
+  @JsonProperty("iAPARThreshold")
+  public Optional<Double> getIAPARThreshold() {
+    return Optional.ofNullable(iAPARThreshold);
+  }
+
   /**
    * @see <a
    *     href="https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html#biometricaccuracydescriptor-dictionary">FIDO

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapVersion.java

@@ -1,5 +1,6 @@
 package com.yubico.fido.metadata;
 
+import com.fasterxml.jackson.annotation.JsonAlias;
 import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
 
 /**
@@ -17,6 +18,7 @@ public enum CtapVersion {
    * @since 2.9.0
    */
   @JsonEnumDefaultValue
+  @JsonAlias("FIDO_2_2") // Forbidden by CTAP 2.3 spec
   UNKNOWN,
 
   /**
@@ -45,5 +47,13 @@ public enum CtapVersion {
    *     href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorGetInfo">Client
    *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
    */
-  FIDO_2_1;
+  FIDO_2_1,
+
+  /**
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/fido-v2.3-ps-20260226/fido-client-to-authenticator-protocol-v2.3-ps-20260226.html#authenticatorGetInfo">Client
+   *     to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)</a>
+   */
+  FIDO_2_3;
 }