Product Documents and Release Notes

Fixes and Changes in SKFS 4.5.0

#

Explanation

ADW-1

Add service credentials to FIDO web service logs

The FIDO Servlet prints a received message in the logs for every web service request. SKFS uses service credentials to authenticate and authorize applications that are calling these webservices. The logs did not print the username that was used for these requests.

Code has now been modified to print service credentials for every received request.

Example output:

FIDO-MSG-0001: Received preregister request; Input: [TXID=78-1650498063355]
 did=1
 svcusername=svcfidouser
 protocol=FIDO2_0
 username=johndoe
 displayname=johndoe
 options={}
 extensions={}

ADW-3

Return MDS information as part of response.

There may be a need to retrieve and parse MDS information for the authenticator used during a FIDO transaction. To enable this for Relying party applications, SKFS now has two new configurations that can enable this.

# Property to determine if MDS data should be returned in the JSON response. (Default is false)

skfs.cfg.property.return.MDS=false

This property defines what webservices will return the MDS. It is a comma separated list and can contain only the following Registration (R) , Authentication (A), Getkeys (G)

skfs.cfg.property.return.MDS.webservices=R,A,G

Sample output when MD5 is returned as part of Registration output:

{
    "Response": "Successfully processed registration response",
    "MDSEntry": {
        "aaguid": "6d44ba9b-f6ec-2e49-b930-0c8fe920cb73",
        "metadataStatement": {
            "legalHeader": "https://fidoalliance.org/metadata/metadata-statement-legal-header/",
            "aaguid": "6d44ba9b-f6ec-2e49-b930-0c8fe920cb73",
            "description": "Security Key by Yubico with NFC",
            "authenticatorVersion": 50100,
            "protocolFamily": "fido2",
            "schema": 3,
            "upv": [{
                "major": 1,
                "minor": 0
            }],
            "authenticationAlgorithms": ["ed25519_eddsa_sha512_raw", "secp256r1_ecdsa_sha256_raw"],
            "publicKeyAlgAndEncodings": ["cose"],
            "attestationTypes": ["basic_full"],
            "userVerificationDetails": [
                [{
                    "userVerificationMethod": "presence_internal"
                }, {
                    "userVerificationMethod": "none"
                }, {
                    "userVerificationMethod": "passcode_internal",
                    "caDesc": {
                        "base": 64,
                        "minLength": 4,
                        "maxRetries": 8,
                        "blockSlowdown": 0
                    }
                }]
            ],
            "keyProtection": ["hardware", "secure_element"],
            "matcherProtection": ["on_chip"],
            "cryptoStrength": 128,
            "attachmentHint": ["external", "wired", "wireless", "nfc"],
            "tcDisplay": [],
            "attestationRootCertificates": ["MIIDHjCCAgagAwIBAgIEG0BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbwnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXwLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4MYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kthX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2kLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1UsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqcU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw=="],
            "icon": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAfCAYAAACGVs+MAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAHYYAAB2GAV2iE4EAAAbNSURBVFhHpVd7TNV1FD/3d59weQSIgS9AQAXcFLAQZi9fpeVz1tY/WTZr5Wxpc7W5knLa5jI3Z85srS2nM2sjtWwZS7IUH4H4xCnEQx4DAZF74V7us885v9/lInBvVJ/B4Pv9nu/5nu/5nvM556fzA/Qv0Hb/IrX3VFKPo45cnm4inUIWYwLFRmZQUuwjFG/N1iRHh1EZ0NRVRudqt1Bd+2nSKyS/Ohys0+lk3e/3kQ9qvD4ZUta4VVSUuY0eipyiThAfocoORVgDuuw3qKRiAd3rbcEtjTjYIof6WaHsCmzVPWCMx+cgh8tLqWMKaMWsUjLqo2RtJIQ0oOzmerpQu4esZgsONkGxH7d0kdvTT17s4OMU7VI8ZhjgGaM+Aq9iENu8Pif1udz07MwvKWf8GlVoCEY04PC5WdTaXYFbR8vNvL5+3Kgfb5xNMya9RamJiynaMlGTVtFlr6ba9u+pqnEX4uMuRRgjSYEhrN7utFFe6lqal7Nfkw5imAGHynPpbk8VmY0xstnptlFCVCYtzTuBN83QpMLjTtevdPzSUnJ7e8mkjxZ39fXbKDfldZqbvU+TUgGnBVF6fQ2iPHg4W16UWUwvzbk16sMZE+Pn0pvz7JSeuAyes8lcpCmaKuo/p+qWr2UcwIAHWrvP0YEzhXAtLAbssHhp7iGamvyijP8ryqrXUWX9XoowxyAufNBrp43POBFXZlkf8MDRiqcpyowAwpuz2x+fWvz/Dtde9smszygtcR6C1wbdzBl6Olq5WNYY4oGathJMrkTEx0jARSHAVs+5rYkQNXb+QgfPLsQ6gXyInsreQfmpm7RVFYfL86n1fiUOkYvShkUPxvbukzoy6K1ihM1ho3XzW6EvSfXA+dpiWGaWd+doXzLzmGwKYFLCAsRAlPBAhMlCFXU7tBUVPr8HgVcJHWq+F00plr+DMTdrP4zvxY11kNMhxT+SeTGg+d4V5LQJityUGJNB8VFZsjgYBZM/II/XCTkj0qyDOpF2AVQ17CIjUp/DnT1UkL5F5gdj+sS1wg1gE3gigm60fCXzSnPXbyAPbIXv+IDpE16ThaHIS9skyhlmME5F3cfqAKhq2C0E5PH1gYaXaLPDkZG0HDJOnKWHp51I0z5SOux8e1WAuZzdHQrTkp8TmjXoI+la0wGZszubqbO3ifQ6A/W7vVSYsV3mR0JKwkKc4WHiBkmR8I3CCgI87oOL4qzT5P+RUJBejEOgAPK8hYPzatM+eITp2IO9yTQmeromPRxx1qxAcsile/ubSeEbcWQGYECghcLY2HyKjogjH25hMpjpUv1Ougli4eh2eRw0O32bJjkyuCgNzg0vzlYMSiSs0uoo4MG7hMOjCEaX1yFE0nSvjBzuTnEpK86Z8IoqFAIubw8kg9ArEaREWSZI+jH4Xbp6g9E9EnJT3oaRzDN+MUJBQDHn56a8oUmEBusOxBs/N5+tJEbPkAFDj8UGvOs/IWvcSglGBhvS7/FTYfpWGYdDY8fPAxWSA35sTC4p4+Lm4AaqIoPeQtfufK6Jh0ZhxlbsUXOSmXNifD5ZTAkyDofbbcclxnA8WNAqxCbRNykhXxQpaDw67fXUYbsiG0Khtv2oeIvh8rhQMYOcEAqXG/eI+zngOc5yxr8q82IAM1c/FLFOplqu5eFQXrMZzGcVCjYbLWG5I4BT1euRrlbxtNOtMitDDEhLXIIynAAvuOEWE3X3NdAft94VgaG42XIQt0ZX6PeCE/qQFe9rK6Hx7YU50KvH7fW4fS+q7KKBJxsggBX5pSAGh1jIrVh5zQ6w3RfaahBXm/aCbCZTjCUFUTyWZqW9p62MjJPXVqOrPgMO4Nv74Gkf+owftNVBDQnjFJqHSw17pXvhWW5KZqe/Q49N/USTCAVWoQXFIHBHXXe3FPrUDsuGDmtF/hHKTHpekxhiAOPI+SJq6S6HF4I9YWzkBJTo46iUMzWp8Pir/RiduLxKYsSksV8vLlOQvhGX2YlR0OBhBjC+u/gEcvY0ApK7Yk41NxjPSQnWFHTF66UrjgevB8Cu5a+l2vYSRPtuVDo73hhdMSHnUX7tTjsVZGxAl/WptiOIEQ1gnL29mX6/tR1tmlkYj8W4X+CSjWcUDGY1NpS/C7hSKqiMLM/l2QmSWZ73Ddz+gio8BCENYPQ46qnkzwXUbqvBkxjUQsWfZFgbuo3rAf+wN7jOO90+ynx4Pi3L+0nYL1SchDUgAP4gPV/7Id1q+1HShmuGkIqWRPgyxMFqP8HfjTnjXwY5bQfbJct6OIzKgMHotF/He1egsaxHSqG6wfdmQ5x8NyTFFqBcp2iSowHR3yk5+36hF7vXAAAAAElFTkSuQmCC",
            "authenticatorGetInfo": {
                "versions": ["U2F_V2", "FIDO_2_0"],
                "extensions": ["hmac-secret"],
                "aaguid": "6d44ba9bf6ec2e49b9300c8fe920cb73",
                "options": {
                    "plat": false,
                    "rk": true,
                    "clientPin": true,
                    "up": true
                },
                "maxMsgSize": 1200,
                "pinUvAuthProtocols": [1]
            }
        },
        "statusReports": [{
            "status": "FIDO_CERTIFIED_L1",
            "effectiveDate": "2020-05-12",
            "certificationDescriptor": "Security Key by Yubico with NFC",
            "certificateNumber": "FIDO20020180918001",
            "certificationPolicyVersion": "1.1.0",
            "certificationRequirementsVersion": "1.2"
        }],
        "timeOfLastStatusChange": "2020-05-12"
    }
}

ADW-4

Add new administrative webservice to return keys for multiple users.

To enable a FIDO administrator to  retrieve keys for multiple registered users, SKFS has added a new webservice under the FIDOAdminServlet "/getuserkeys" (For the first 24 hrs this was called /getUsersKeys but this has been updated to /getuserkeys) that will take in a Json array of usernames and return keys for all those users. 

Sample input:

{
    "svcinfo": {
        "did": 1,
        "protocol": "FIDO2_0",
        "authtype": "PASSWORD",
        "svcusername": "fidoadminuser",
        "svcpassword": "Abcd1234!"
    },
    "payload": {
        "usernames": ["johndoe1", "johndoe2", "johndoe3"]
    }
}

 

Sample output:

[{
    "username": "johndoe1",
    "keys": [{
        "keyid": "2-1-2",
        "fidoProtocol": "FIDO2_0",
        "credentialId": "sM46gl4ZJWcBmFr_ZDVlOFVe3ybif7TJ6NWtLFAYywir2gEWKYzmTfPT7ok8vvv_Wk8TocqM-T93TX6LMsb0S0J_l18qUL3mbl6lvFG_wlB1EKVOyzX76SFrL-whxgTdXv27QPh4UyQuLQ_0EMBOCVa-50Jv64wU4M9UXv17Q8EpvsOZysLICByMq7_c--a1oRs9RvUXP2kZcNWv5vzcYApY4YENmWciPjv0I-hIhCI",
        "createLocation": "Sunnyvale, CA",
        "createDate": 1650907372000,
        "lastusedLocation": "Not used yet",
        "modifyDate": 0,
        "status": "Active",
        "displayName": "johndoe1",
        "attestationFormat": "packed"
    }, {
        "keyid": "2-1-3",
        "fidoProtocol": "FIDO2_0",
        "credentialId": "SrPu4mmBdFV1tK7154rYGVsHi1qjD4uwmY0CuguXy49fi9g9iBGGSeJgesdX4dNL1LCHWiq7Rt9HLe3d3gDGsL9itiSk1FZDVO68YvFnstZjpBDHnN2xKLBz1Dt_nVwi-M-foRIJOdYp6M59I_lqh8p9A5elF6ASBtGq0FvfAEJdtIR7RYJXEKnCr0nIr1W5oB5zafMEJzWxocuMZBVSiBui7rL1VHoqzrOeVIgMdaI",
        "createLocation": "Sunnyvale, CA",
        "createDate": 1650907376000,
        "lastusedLocation": "Not used yet",
        "modifyDate": 0,
        "status": "Active",
        "displayName": "johndoe1",
        "attestationFormat": "packed"
    }]
}, {
    "username": "johndoe2",
    "keys": [{
        "keyid": "2-1-4",
        "fidoProtocol": "FIDO2_0",
        "credentialId": "jZwgO3Gw948VIVLy2rHt_Cyeu4zEZ5B_R8Cz4YfSuCrQwvSGad_G5idpSN89cecgwgPN1jkeqYX_N6PEayq_GL0CtBmqblrzEWeONzNS-UUtqZ4YOZs-9i0vE1k2liNS3rrrfuRxBtbXXCHfi15PNbx9tclnppSs-4qXluV1HvaSDBNzAkWVDwgX6jjU-v9e7vnGo6MLnE_9Nb2atBLgXWZ3fGaaxhx6EZXbunzimp0",
        "createLocation": "Sunnyvale, CA",
        "createDate": 1650907381000,
        "lastusedLocation": "Not used yet",
        "modifyDate": 0,
        "status": "Active",
        "displayName": "johndoe2",
        "attestationFormat": "packed"
    }]
}]

ADW-5

Add a way to read file for MDS instead of a URL.

Current release of FIDO server needs access to the internet to download MDS from fidoalliance.

The code has been modified and a new property has been added that determines if the MDS is downloaded from the web or read from a file:

"skfs.cfg.property.mds.mechanism"

When the value is set to "file", it will try reading the MDSBlob from the location specified in the "skfs.cfg.property.mds.url" and the root ca certificate from the location specified in the "skfs.cfg.property.mds.rootca.url".

Example config:

skfs.cfg.property.mds.mechanism=file
skfs.cfg.property.mds.url=/usr/local/strongkey/skfs/blob.jwt
skfs.cfg.property.mds.rootca.url=/usr/local/strongkey/skfs/root-r3.crt

ADW-8

Perform PKIX validation on digital certificates returned by  Apple anonymous attestation during FIDO registration.

Added PKIX validation code for Apple attestation where the code now extracts the end entitiy certificate and the intermediate certificate from the response and the root apple webauth certificate is provided as a file.

The following property defines the location of the root cert

skfs.cfg.property.apple.rootca.url