Release 2.9.0

`webauthn-server-core`:

Security fixes:

- Fixed issue where `RelyingParty.finishAssertion` and
  `RelyingPartyV2.finishAssertion` could return a successful authentication
  result even though the authenticated credential is owned by a different user
  than `StartAssertionOptions.username`. For details see CVE-[TBD] or
  YSA-2026-02: https://www.yubico.com/support/security-advisories/ysa-2026-02/
  - This fix is forward-ported from version 2.8.2 since the issue is also
    present in pre-release 2.9.0-alpha1.

Fixes:

- Added `@since` tags to `AttestationTrustSource` javadoc.

`webauthn-server-attestation`:

Changes:

- `FidoMetadataDownloader` builder method `.downloadBlob(URL)` now logs a
  warning if the given URL is not an HTTPS URL. Javadoc relaxed to not describe
  HTTPS as required since this was never enforced.

New features:

- Added `AuthenticatorStatus.RETIRED` and `Filters.notRetired()`.
- Added `AttachmentHint.ATTACHMENT_HINT_SMART_CARD`.
  - Thanks to Misagh Moayyed and Erlend Nukke for the contribution, see
    #468 and
    #467
- Added `UNKNOWN` constant to all enums in `com.yubico.fido.metadata`:
  - `AttachmentHint`
  - `AuthenticationAlgorithm`
  - `AuthenticatorAttestationType`
  - `CtapCertificationId`
  - `CtapPinUvAuthProtocolVersion`
  - `CtapVersion`
  - `ProtocolFamily`
  - `PublicKeyRepresentationFormat`
  - `TransactionConfirmationDisplayType`
- Added enum constant `CtapVersion.FIDO_2_3`.
- Added missing fields to FIDO MDS data model:
  - `AuthenticatorGetInfo`: `attestationFormats`, `longTouchForReset`,
    `uvCountSinceLastPinEntry`, `transportsForReset`, `pinComplexityPolicy`,
    `pinComplexityPolicyURL`, `maxPINLength`, `authenticatorConfigCommands`
  - `BiometricAccuracyDescriptor`: `iAPARThreshold`
  - `MetadataStatement`: `friendlyNames`, `iconDark`, `providerLogoLight`,
    `providerLogoDark`, `keyScope`, `multiDeviceCredentialSupport`,
    `cxpConfigURL`
  - `StatusReport`: `certificationProfiles`, `sunsetDate`, `fipsRevision`,
    `fipsPhysicalSecurityLevel`
- `FidoMetadataDownloader` now sends the `If-None-Match` request header set to
  the `"no"` of the cached BLOB, if any, and handles `304 Not Modified`
  responses appropriately.
- In `FidoMetadataDownloader` if a BLOB download request returns an HTTP failure
  status, but returns an `ETag` response header matching the `"no"` of the
  cached BLOB, if any, this is now interpreted like a successful `304 Not
  Modified` response.
- Added `.cachePolicy` setting to `FidoMetadataDownloader` to allow dynamically
  opting out of falling back to cache when a BLOB download fails.

Fixes:

- Added `@since` tags to `AuthenticatorStatus` and `FidoMetadataService` javadoc.
- All `com.yubico.fido.metadata` enums now deserialize unknown values to
  `UNKOWN` instead of crashing the parser.

Author: emlun

NEWS

@@ -1,3 +1,74 @@
+== Version 2.9.0 ==
+
+`webauthn-server-core`:
+
+Security fixes:
+
+* Fixed issue where `RelyingParty.finishAssertion` and
+  `RelyingPartyV2.finishAssertion` could return a successful authentication
+  result even though the authenticated credential is owned by a different user
+  than `StartAssertionOptions.username`. For details see CVE-[TBD] or
+  YSA-2026-02: https://www.yubico.com/support/security-advisories/ysa-2026-02/
+ ** This fix is forward-ported from version 2.8.2 since the issue is also
+    present in pre-release 2.9.0-alpha1.
+
+Fixes:
+
+* Added `@since` tags to `AttestationTrustSource` javadoc.
+
+`webauthn-server-attestation`:
+
+Changes:
+
+* `FidoMetadataDownloader` builder method `.downloadBlob(URL)` now logs a
+  warning if the given URL is not an HTTPS URL. Javadoc relaxed to not describe
+  HTTPS as required since this was never enforced.
+
+New features:
+
+* Added `AuthenticatorStatus.RETIRED` and `Filters.notRetired()`.
+* Added `AttachmentHint.ATTACHMENT_HINT_SMART_CARD`.
+ ** Thanks to Misagh Moayyed and Erlend Nukke for the contribution, see
+    https://github.com/Yubico/java-webauthn-server/pull/468 and
+    https://github.com/Yubico/java-webauthn-server/pull/467
+* Added `UNKNOWN` constant to all enums in `com.yubico.fido.metadata`:
+ ** `AttachmentHint`
+ ** `AuthenticationAlgorithm`
+ ** `AuthenticatorAttestationType`
+ ** `CtapCertificationId`
+ ** `CtapPinUvAuthProtocolVersion`
+ ** `CtapVersion`
+ ** `ProtocolFamily`
+ ** `PublicKeyRepresentationFormat`
+ ** `TransactionConfirmationDisplayType`
+* Added enum constant `CtapVersion.FIDO_2_3`.
+* Added missing fields to FIDO MDS data model:
+ ** `AuthenticatorGetInfo`: `attestationFormats`, `longTouchForReset`,
+    `uvCountSinceLastPinEntry`, `transportsForReset`, `pinComplexityPolicy`,
+    `pinComplexityPolicyURL`, `maxPINLength`, `authenticatorConfigCommands`
+ ** `BiometricAccuracyDescriptor`: `iAPARThreshold`
+ ** `MetadataStatement`: `friendlyNames`, `iconDark`, `providerLogoLight`,
+    `providerLogoDark`, `keyScope`, `multiDeviceCredentialSupport`,
+    `cxpConfigURL`
+ ** `StatusReport`: `certificationProfiles`, `sunsetDate`, `fipsRevision`,
+    `fipsPhysicalSecurityLevel`
+* `FidoMetadataDownloader` now sends the `If-None-Match` request header set to
+  the `"no"` of the cached BLOB, if any, and handles `304 Not Modified`
+  responses appropriately.
+* In `FidoMetadataDownloader` if a BLOB download request returns an HTTP failure
+  status, but returns an `ETag` response header matching the `"no"` of the
+  cached BLOB, if any, this is now interpreted like a successful `304 Not
+  Modified` response.
+* Added `.cachePolicy` setting to `FidoMetadataDownloader` to allow dynamically
+  opting out of falling back to cache when a BLOB download fails.
+
+Fixes:
+
+* Added `@since` tags to `AuthenticatorStatus` and `FidoMetadataService` javadoc.
+* All `com.yubico.fido.metadata` enums now deserialize unknown values to
+  `UNKOWN` instead of crashing the parser.
+
+
 == Version 2.8.2 ==
 
 Security fixes:

README

@@ -16,7 +16,7 @@ dependencies {
   // Spotless dropped Java 8 support in version 2.33.0
   // spotless-plugin-gradle dropped Java <17 support in version 8.0.0
   if (JavaVersion.current().isCompatibleWith(JavaVersion.VERSION_17)) {
-    implementation("com.diffplug.spotless:spotless-plugin-gradle:8.1.0")
+    implementation("com.diffplug.spotless:spotless-plugin-gradle:8.2.0")
     implementation("io.github.cosmicsilence:gradle-scalafix:0.2.2")
   }
 }

buildSrc/build.gradle.kts

@@ -61,6 +61,9 @@ val integrationTest = task<Test>("integrationTest") {
   testClassesDirs = sourceSets["integrationTest"].output.classesDirs
   classpath = sourceSets["integrationTest"].runtimeClasspath
   shouldRunAfter(tasks.test)
+  val mdsCacheDir = project.layout.buildDirectory.dir("fido-mds-cache").get().asFile
+  mdsCacheDir.mkdir()
+  environment("FIDO_MDS_CACHE_DIR", mdsCacheDir.absolutePath)
 }
 tasks["check"].dependsOn(integrationTest)
 

webauthn-server-attestation/README.adoc

@@ -1,5 +1,7 @@
 package com.yubico.fido.metadata
 
+import com.fasterxml.jackson.databind.DeserializationFeature
+import com.yubico.fido.metadata.TestCaches.cachedDefaultSettingsDownloader
 import com.yubico.internal.util.CertificateParser
 import com.yubico.webauthn.data.ByteArray
 import org.junit.runner.RunWith
@@ -11,7 +13,6 @@ import org.scalatest.tags.Slow
 import org.scalatestplus.junit.JUnitRunner
 
 import scala.jdk.CollectionConverters.ListHasAsScala
-import scala.jdk.OptionConverters.RichOption
 import scala.util.Success
 import scala.util.Try
 
@@ -24,44 +25,34 @@ class FidoMetadataDownloaderIntegrationTest
     with BeforeAndAfter {
 
   describe("FidoMetadataDownloader with default settings") {
-    // Cache downloaded items to avoid cause unnecessary load on remote servers
-    var trustRootCache: Option[ByteArray] = None
-    var blobCache: Option[ByteArray] = None
-    val downloader =
-      FidoMetadataDownloader
-        .builder()
-        .expectLegalHeader(
-          "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
-        )
-        .useDefaultTrustRoot()
-        .useTrustRootCache(
-          () => trustRootCache.toJava,
-          trustRoot => { trustRootCache = Some(trustRoot) },
-        )
-        .useDefaultBlob()
-        .useBlobCache(
-          () => blobCache.toJava,
-          blob => { blobCache = Some(blob) },
-        )
-        .build()
+    val downloader = cachedDefaultSettingsDownloader.build()
 
     it("downloads and verifies the root cert and BLOB successfully.") {
-      val blob = Try(downloader.loadCachedBlob)
+      val blob = Try(TestCaches.cacheSynchronized(downloader.loadCachedBlob))
       blob shouldBe a[Success[_]]
       blob.get should not be null
     }
 
     it(
       "does not encounter any CRLDistributionPoints entries in unknown format."
     ) {
-      val blob = Try(downloader.loadCachedBlob)
+      val blob = Try(TestCaches.cacheSynchronized(downloader.loadCachedBlob))
       blob shouldBe a[Success[_]]
       val trustRootCert =
-        CertificateParser.parseDer(trustRootCache.get.getBytes)
-      val certChain = downloader
-        .fetchHeaderCertChain(
-          trustRootCert,
-          FidoMetadataDownloader.parseBlob(blobCache.get).getBlob.getHeader,
+        CertificateParser.parseDer(
+          TestCaches.trustRootCache.get.getBytes
+        )
+
+      val certChain = TestCaches
+        .cacheSynchronized(
+          downloader
+            .fetchHeaderCertChain(
+              trustRootCert,
+              downloader
+                .parseBlob(TestCaches.blobCache.get)
+                .getBlob
+                .getHeader,
+            )
         )
         .asScala :+ trustRootCert
       for { cert <- certChain } {
@@ -76,4 +67,29 @@ class FidoMetadataDownloaderIntegrationTest
     }
   }
 
+  describe("FidoMetadataDownloader with strict JSON deserialization settings") {
+    val downloader = cachedDefaultSettingsDownloader
+      .headerJsonMapper(() =>
+        com.yubico.internal.util.JacksonCodecs
+          .json()
+          .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true)
+      )
+      .payloadJsonMapper(() =>
+        com.yubico.internal.util.JacksonCodecs
+          .json()
+          .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true)
+          .configure(
+            DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE,
+            false,
+          )
+      )
+      .build()
+
+    it("downloads and parses the BLOB successfully.") {
+      val blob = Try(TestCaches.cacheSynchronized(downloader.loadCachedBlob))
+      blob shouldBe a[Success[_]]
+      blob.get should not be null
+    }
+  }
+
 }

webauthn-server-attestation/build.gradle.kts

@@ -5,6 +5,7 @@ import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_INTERNAL
 import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_NFC
 import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRED
 import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRELESS
+import com.yubico.fido.metadata.TestCaches.cachedDefaultSettingsDownloader
 import com.yubico.internal.util.CertificateParser
 import com.yubico.webauthn.FinishRegistrationOptions
 import com.yubico.webauthn.RelyingParty
@@ -22,7 +23,6 @@ import org.scalatestplus.junit.JUnitRunner
 
 import java.time.Clock
 import java.time.ZoneOffset
-import java.util.Optional
 import scala.jdk.CollectionConverters.SetHasAsJava
 import scala.jdk.CollectionConverters.SetHasAsScala
 import scala.jdk.OptionConverters.RichOptional
@@ -40,21 +40,19 @@ class FidoMetadataServiceIntegrationTest
   describe("FidoMetadataService") {
 
     describe("downloaded with default settings") {
-      val downloader = FidoMetadataDownloader
-        .builder()
-        .expectLegalHeader(
-          "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
-        )
-        .useDefaultTrustRoot()
-        .useTrustRootCache(() => Optional.empty(), _ => {})
-        .useDefaultBlob()
-        .useBlobCache(() => Optional.empty(), _ => {})
-        .build()
+      val downloader = cachedDefaultSettingsDownloader.build()
       val fidoMds =
         Try(
           FidoMetadataService
             .builder()
-            .useBlob(downloader.loadCachedBlob())
+            .useBlob(
+              TestCaches.cacheSynchronized(
+                // Since the integration tests cache downloads to file:
+                // Use refreshBlob() here to always exercise the HTTP part of the downloader,
+                // and loadCachedBlob() elsewhere to not cause unnecessary server load.
+                downloader.refreshBlob()
+              )
+            )
             .build()
         )
 

webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataDownloaderIntegrationTest.scala

@@ -0,0 +1,44 @@
+package com.yubico.fido.metadata
+
+import com.yubico.webauthn.data.ByteArray
+
+import java.nio.file.Path
+import scala.jdk.OptionConverters.RichOptional
+
+object TestCaches {
+
+  // Cache downloaded items to avoid unnecessary load on remote servers, and so tests don't have to wait for rate limiting
+
+  private val trustRootCacheFile = Path
+    .of(sys.env.getOrElse("FIDO_MDS_CACHE_DIR", "."), "trust-root-cache.bin")
+    .toFile
+  private val blobCacheFile = Path
+    .of(sys.env.getOrElse("FIDO_MDS_CACHE_DIR", "."), "blob-cache.bin")
+    .toFile
+
+  def trustRootCache: Option[ByteArray] =
+    cachedDefaultSettingsDownloader
+      .build()
+      .readCacheFile(trustRootCacheFile)
+      .toScala
+  def blobCache: Option[ByteArray] =
+    cachedDefaultSettingsDownloader.build().readCacheFile(blobCacheFile).toScala
+
+  def cachedDefaultSettingsDownloader
+      : FidoMetadataDownloader.FidoMetadataDownloaderBuilder =
+    FidoMetadataDownloader
+      .builder()
+      .expectLegalHeader(
+        "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
+      )
+      .useDefaultTrustRoot()
+      .useTrustRootCacheFile(trustRootCacheFile)
+      .useDefaultBlob()
+      .useBlobCacheFile(blobCacheFile)
+
+  /** Evaluate <code>expr</code> with an exclusive lock on the test cache. */
+  def cacheSynchronized[A](expr: => A): A = {
+    this.synchronized(expr)
+  }
+
+}

webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataServiceIntegrationTest.scala

@@ -1,5 +1,6 @@
 package com.yubico.fido.metadata;
 
+import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
 import com.fasterxml.jackson.annotation.JsonValue;
 
 /**
@@ -22,6 +23,14 @@
  */
 public enum AttachmentHint {
 
+  /**
+   * (NOT DEFINED IN SPEC) Placeholder for any unknown {@link AttachmentHint} value.
+   *
+   * @since 2.9.0
+   */
+  @JsonEnumDefaultValue
+  UNKNOWN(0, "UNKNOWN"),
+
   /**
    * This flag MAY be set to indicate that the authenticator is permanently attached to the FIDO
    * User Device.
@@ -129,7 +138,20 @@ public enum AttachmentHint {
    *     href="https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-rd-20210525.html#authenticator-attachment-hints">FIDO
    *     Registry of Predefined Values §3.4 Authenticator Attachment Hints</a>
    */
-  ATTACHMENT_HINT_WIFI_DIRECT(0x0100, "wifi_direct");
+  ATTACHMENT_HINT_WIFI_DIRECT(0x0100, "wifi_direct"),
+
+  /**
+   * This flag MAY be set to indicate that an external authenticator is able to communicate by
+   * ISO7816 messages with the FIDO User Device. As part of authenticator metadata, or when
+   * reporting characteristics through discovery, if this flag is set, the {@link
+   * #ATTACHMENT_HINT_WIRED} flag SHOULD also be set.
+   *
+   * @since 2.9.0
+   * @see <a
+   *     href="https://fidoalliance.org/specs/common-specs/fido-registry-v2.3-rd-20260105.html#authenticator-attachment-hints">FIDO
+   *     Registry of Predefined Values §3.4 Authenticator Attachment Hints</a>
+   */
+  ATTACHMENT_HINT_SMART_CARD(0x0200, "smart-card");
 
   private final int value;
 

webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/TestCaches.scala

@@ -1,5 +1,6 @@
 package com.yubico.fido.metadata;
 
+import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
 import com.fasterxml.jackson.annotation.JsonValue;
 
 /**
@@ -15,6 +16,14 @@
  */
 public enum AuthenticationAlgorithm {
 
+  /**
+   * (NOT DEFINED IN SPEC) Placeholder for any unknown {@link AuthenticationAlgorithm} value.
+   *
+   * @since 2.9.0
+   */
+  @JsonEnumDefaultValue
+  UNKNOWN(0, "UNKNOWN"),
+
   /**
    * @see <a
    *     href="https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-rd-20210525.html#authentication-algorithms">FIDO