Second snapshot release of FIDO2 support

Pre-release

@romanstrobl romanstrobl released this 19 Mar 06:35
· 329 commits to develop since this release
Commit 8ab1817
Second snapshot including support of the FIDO2 protocol in PowerAuth. Do not deploy to production; the functionality will be included in the 1.7.0 release.

Migration notes since the first snapshot (PoC) of FIDO2 support:

  1. Database migration:
  2. Updated REST API parameters:
  • the parameter credentialId is used consistently instead of id or externalId (in AuthenticatorDetail, AuthenticatorParameters, AssertionVerificationRequest, RegistrationResponse)
  • the parameter operationType was changed to templateName in AssertionChallengeRequest; an optional parameter userId was added to personalize the request
  • added the parameter allowCredentials in AssertionChallengeResponse and the related AllowCredentials type
  • the updated model classes are reflected in the API documentation (Swagger UI): http://[host]:[port]/powerauth-java-server/swagger-ui/index.html
  3. Updated signature types:
  • by default, all hardware authenticators use the POSSESSION signature type, except the Wultra hardware authenticator, which uses the POSSESSION_KNOWLEDGE signature type
  • signature types can be configured per authenticator in the table pa_fido2_authenticator
  4. Supported authenticator attestations:
  • added Basic Attestation using certificates next to the existing Self Attestation
  5. Added configuration of the FIDO2 functionality:
  • the allowed attestation formats can be restricted using the configuration key fido2_attestation_fmt_allowed in the table pa_application_config, as a JSON array of strings, e.g. [ "packed" ]
  • the allowed authenticator AAGUIDs can be restricted using the configuration key fido2_aaguids_allowed in the table pa_application_config, as a JSON array of strings, e.g. [ "5ad235f4-f1f3-4803-966f-1a1950e0f155", "e9b3c0e3-1f91-4d7a-aed2-8d651851866b" ]
  • root CA certificates for Basic Attestation can be configured using the configuration key fido2_root_ca_certs in the table pa_application_config, as a JSON array of certificates in PEM format
  • the new configuration property powerauth.service.scheduled.job.fido2AuthenticatorCacheEviction sets the eviction period of the internal pa_fido2_authenticator cache
  6. Bugfix: the parameter externalId in AssertionChallengeRequest is no longer ignored
  7. New validations:
  • multiple registrations of the same credentialId are no longer allowed
  • persistence and checking of the assertion verification counter
  • the protocol is checked in existing PowerAuth services
  • the AAGUID and attestation format are checked when restrictions are configured
  8. Added logging and auditing for the FIDO2 functionality; updated extras for activations and additionalData for operations
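As an added example (not code from the PowerAuth project), the following Python sketch shows the checks these notes describe: the two allow-list keys parsed as JSON arrays of strings, rejection of a second registration of the same credentialId, and the assertion counter check. The config mapping, the CredentialStore class and the sample values are constructed for the example; the AAGUIDs are the ones quoted above.

```python
import json
from typing import Optional
# Constructed sample of the two allow-list keys from the release notes, as stored in
# pa_application_config (JSON arrays of strings); the key -> value map is an assumption.
SAMPLE_APP_CONFIG = {
    "fido2_attestation_fmt_allowed": '["packed"]',
    "fido2_aaguids_allowed": '["5ad235f4-f1f3-4803-966f-1a1950e0f155", '
                             '"e9b3c0e3-1f91-4d7a-aed2-8d651851866b"]',
}

def load_allow_list(config: dict, key: str) -> Optional[set]:
    """Parse one allow-list key; None means the key is absent, i.e. no restriction."""
    raw = config.get(key)
    if raw is None:
        return None
    values = json.loads(raw)
    if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
        raise ValueError(f"{key} must be a JSON array of strings")
    return {v.lower() for v in values}

def registration_allowed(config: dict, fmt: str, aaguid: str) -> bool:
    """Registration-time check: attestation format and AAGUID must be on the
    configured allow-lists; an absent key leaves that dimension unrestricted."""
    fmts = load_allow_list(config, "fido2_attestation_fmt_allowed")
    if fmts is not None and fmt.lower() not in fmts:
        return False
    aaguids = load_allow_list(config, "fido2_aaguids_allowed")
    return aaguids is None or aaguid.lower() in aaguids

class CredentialStore:
    """In-memory stand-in for the persisted credentials (constructed for this example)."""
    def __init__(self) -> None:
        self._counters = {}  # credentialId -> last accepted signature counter

    def register(self, credential_id: str) -> None:
        if credential_id in self._counters:  # a second registration of the same id is rejected
            raise ValueError(f"credentialId already registered: {credential_id}")
        self._counters[credential_id] = 0

    def verify_counter(self, credential_id: str, received: int) -> bool:
        """Signature-counter check (WebAuthn semantics): once either side is non-zero the
        received value must strictly exceed the stored one, else suspect a cloned authenticator."""
        stored = self._counters[credential_id]
        if received == 0 and stored == 0:
            return True  # authenticator does not implement a counter
        if received <= stored:
            return False
        self._counters[credential_id] = received  # persist the new high-water mark
        return True
```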