**DEV-1952**

Add MetaDataService (MDS) functionality. The MDS service is governed by mutable configuration properties. SKFS attempts to download the MDS every day and checks whether it has been updated; if it has, SKFS parses the full MDS and loads all of its statements into memory. SKFS policies contain an MDS section that defines how each authenticator status is handled. During verification, SKFS looks up the authenticator's status object in the MDS and, based on that status and the current FIDO policy, either ignores, denies, or accepts the request. Currently this works only with the packed attestation format.
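The status lookup and policy decision described above, as an added example that is not SKFS code. It assumes an MDS3-style layout (entries keyed by AAGUID, each with a `statusReports` list), a policy MDS section that maps a status to `accept`, `ignore` or `deny`, and a default-deny for statuses the policy does not mention and for authenticators the MDS does not list; the AAGUIDs, dates and statuses are constructed sample data.

```python
"""Added example, not SKFS code: decide what to do with an authenticator based on
its MDS status and the policy's MDS section.

Assumptions (not in the release note): MDS entries are keyed by AAGUID and carry a
statusReports list, as in the FIDO MDS3 format; the policy's MDS section maps each
status to "accept", "ignore" or "deny"; a status the policy does not mention and an
authenticator the MDS does not know are both denied (default deny, chosen here).
All AAGUIDs, dates and statuses below are constructed sample data.
"""

# Constructed MDS snapshot with two authenticators and their status histories.
SAMPLE_MDS = {
    "11111111-2222-3333-4444-555555555555": {
        "description": "Sample certified authenticator",
        "statusReports": [
            {"status": "NOT_FIDO_CERTIFIED", "effectiveDate": "2019-01-01"},
            {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2020-06-01"},
        ],
    },
    "66666666-7777-8888-9999-000000000000": {
        "description": "Sample authenticator later flagged",
        "statusReports": [
            {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2018-03-01"},
            {"status": "USER_VERIFICATION_BYPASS", "effectiveDate": "2021-02-01"},
        ],
    },
}

# Constructed policy: the MDS section maps each status to a decision.
SAMPLE_POLICY_MDS = {
    "FIDO_CERTIFIED_L1": "accept",
    "NOT_FIDO_CERTIFIED": "ignore",
    "USER_VERIFICATION_BYPASS": "deny",
    "ATTESTATION_KEY_COMPROMISE": "deny",
}

VALID_DECISIONS = {"accept", "ignore", "deny"}


def current_status(entry):
    """Return the status from the most recent report (latest effectiveDate wins)."""
    reports = sorted(entry["statusReports"], key=lambda r: r["effectiveDate"])
    return reports[-1]["status"]


def decide(aaguid, mds, policy_mds, attestation_format="packed"):
    """Return (decision, status) for an authenticator.

    decision is "accept" (status is fine), "ignore" (status not considered, the
    request continues), "deny" (reject), or "skip" when the attestation format is
    not "packed", since the note says MDS checks currently apply to packed only.
    """
    if attestation_format != "packed":
        return ("skip", None)
    entry = mds.get(aaguid)
    if entry is None:
        return ("deny", None)  # unknown authenticator: default deny (assumed)
    status = current_status(entry)
    decision = policy_mds.get(status, "deny")  # status not in policy: deny (assumed)
    if decision not in VALID_DECISIONS:
        raise ValueError(f"policy maps {status} to unsupported decision {decision!r}")
    return (decision, status)


if __name__ == "__main__":
    for aaguid in SAMPLE_MDS:
        print(aaguid, decide(aaguid, SAMPLE_MDS, SAMPLE_POLICY_MDS))
```

The only design choice worth noting is the default: an AAGUID absent from the MDS, or a status the policy's MDS section does not map, is denied rather than silently accepted, so a policy that forgets a newly introduced status fails closed.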
**DEV-1976**

Add cross-origin support. Level 2 of the WebAuthn specification introduced a new boolean parameter, `crossOrigin`, in the client data object. It indicates whether the origin inside the client data is the same origin that was used to create the signature. If `crossOrigin` is true, the signature is not for the origin in the client data and was generated by a different RP. The FIDO server has been modified to skip the origin match when this value is true.
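A clientDataJSON parser with the origin check behaving as described, as an added example that is not SKFS code. The function names, the expected origin (derived from the `rpid` shown later on this page) and the challenge are constructed.

```python
"""Added example, not SKFS code: parse WebAuthn clientDataJSON and apply the
origin check described for DEV-1976, skipping it when crossOrigin is true.

Assumed names: parse_client_data, check_client_data and make_client_data are
illustrative; the expected origin, challenge and type values are constructed.
"""
import base64
import json


def b64url_decode(text):
    """Decode base64url without padding (how clientDataJSON is transported)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_client_data(**fields):
    """Build a base64url clientDataJSON from constructed fields (test helper)."""
    return b64url_encode(json.dumps(fields).encode("utf-8"))


def parse_client_data(client_data_b64):
    """Decode clientDataJSON and enforce field types before any check runs."""
    data = json.loads(b64url_decode(client_data_b64))
    for field in ("type", "challenge", "origin"):
        if not isinstance(data.get(field), str):
            raise ValueError(f"clientDataJSON missing string field {field!r}")
    # crossOrigin is optional, but when present it must be a JSON boolean:
    # a string "true" or a number must not be mistaken for the flag.
    if "crossOrigin" in data and not isinstance(data["crossOrigin"], bool):
        raise ValueError("clientDataJSON crossOrigin must be a boolean")
    return data


def safe_parse(client_data_b64):
    """Return parsed data, or None when the clientDataJSON is malformed."""
    try:
        return parse_client_data(client_data_b64)
    except ValueError:  # covers JSON and base64 decoding errors as well
        return None


def check_client_data(data, expected_type, expected_challenge, expected_origin):
    """Return (ok, reason). Mirrors the note: origin is not compared when crossOrigin is true."""
    if data["type"] != expected_type:
        return (False, "type mismatch")
    if data["challenge"] != expected_challenge:
        return (False, "challenge mismatch")
    if data.get("crossOrigin", False):
        return (True, "crossOrigin is true, origin check skipped")
    if data["origin"] != expected_origin:
        return (False, f"origin mismatch: {data['origin']}")
    return (True, "origin matches")


if __name__ == "__main__":
    rp = "https://fidotest.strongkey.com"           # constructed expected origin
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"            # base64url("sample-challenge")
    cd = make_client_data(type="webauthn.get", challenge=challenge,
                          origin="https://other-rp.example", crossOrigin=True)
    print(check_client_data(parse_client_data(cd), "webauthn.get", challenge, rp))
```

The type check in `parse_client_data` matters because the skip is keyed on a single boolean: only a JSON `true` may trigger it. Since no origin information is acted on once `crossOrigin` is true, any restriction on which origins may embed the RP's pages has to be enforced elsewhere, for example by the RP's framing policy.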
**DEV-1977**

Add length checks to the preauthorize and authorize web services. Two new parameters, `txid` and `txpayload`, have been introduced in these web services. There was previously no upper limit on their length; SKFS now enforces upper limits of 256 for `txid` and 10000 for `txpayload`.
**DEV-1978**

Modify the JWT body. The current JWT body is:

```json
{
  "rpid": "fidotest.strongkey.com",
  "iat": "Tue Sep 07 16:39:50 -0700 2021",
  "exp": "Tue Sep 07 17:09:50 -0700 2021",
  "cip": "173.164.132.242",
  "uname": "johndoe",
  "agent": "Strong%20Key%20FIDO2%20Demo%20iOS/1 CFNetwork/1312 Darwin/21.0.0"
}
```

To comply with the RFC, the FIDO server is changing the body content: `uname` becomes `sub`, and the time claims change from strings to numeric values (seconds).
**DEV-1979**

Modify the JWT header. The FIDO server generates a JWT on a successful authentication and previously identified the algorithm as `"alg": "SHA256withECDSA"`. This value has been changed to `"alg": "ES256"`.
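The DEV-1978 body migration and the DEV-1979 header rule together, as an added example that is not SKFS code: the old body from this page is converted to the new claim layout (`uname` to `sub`, string dates to integer seconds), and a claims validator rejects the legacy forms. It assumes `rpid`, `cip` and `agent` are unchanged and that `validate_claims` is an illustrative name; ES256 signature verification needs an ECDSA implementation and is outside the example, which covers the claims only.

```python
"""Added example, not SKFS code: migrate the pre-DEV-1978 JWT body to the new claim
layout (uname -> sub, string dates -> integer seconds) and check a header/body pair
against the new rules (alg must be ES256 per DEV-1979).

Assumptions: the rpid, cip and agent claims stay as they are; validate_claims is an
illustrative name.  Signature verification needs an ECDSA implementation and is
outside this example, which covers only the claims.
"""
import base64
import json
from datetime import datetime

LEGACY_TIME_FORMAT = "%a %b %d %H:%M:%S %z %Y"  # e.g. "Tue Sep 07 16:39:50 -0700 2021"

# The current body exactly as printed in the release note.
OLD_BODY = {
    "rpid": "fidotest.strongkey.com",
    "iat": "Tue Sep 07 16:39:50 -0700 2021",
    "exp": "Tue Sep 07 17:09:50 -0700 2021",
    "cip": "173.164.132.242",
    "uname": "johndoe",
    "agent": "Strong%20Key%20FIDO2%20Demo%20iOS/1 CFNetwork/1312 Darwin/21.0.0",
}


def legacy_time_to_seconds(value):
    """Convert the old string timestamp (with its UTC offset) to integer Unix seconds."""
    return int(datetime.strptime(value, LEGACY_TIME_FORMAT).timestamp())


def migrate_body(old):
    """Return the body in the new layout: sub instead of uname, numeric iat/exp."""
    new = {k: v for k, v in old.items() if k not in ("uname", "iat", "exp")}
    new["sub"] = old["uname"]
    new["iat"] = legacy_time_to_seconds(old["iat"])
    new["exp"] = legacy_time_to_seconds(old["exp"])
    return new


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def signing_input(header, body):
    """The 'header.body' string that the ES256 signature covers (JWS compact form)."""
    return (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
            + b64url(json.dumps(body, separators=(",", ":")).encode()))


def validate_claims(header, body, now, expected_rpid):
    """Return a list of problems; an empty list means header and body satisfy the new rules."""
    problems = []
    if header.get("alg") != "ES256":
        problems.append(f"alg must be ES256, got {header.get('alg')!r}")
    if not isinstance(body.get("sub"), str) or not body["sub"]:
        problems.append("sub claim missing (legacy uname is no longer accepted)")
    for claim in ("iat", "exp"):
        value = body.get(claim)
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{claim} must be an integer number of seconds, got {value!r}")
    if body.get("rpid") != expected_rpid:
        problems.append("rpid does not match this server")
    if not problems and not (body["iat"] <= now < body["exp"]):
        problems.append("token is outside its validity window")
    return problems


if __name__ == "__main__":
    new_body = migrate_body(OLD_BODY)
    print(json.dumps(new_body, indent=2))
    print(validate_claims({"alg": "ES256"}, new_body, new_body["iat"] + 10, "fidotest.strongkey.com"))
```

Pinning `alg` to the single expected value is the point of the header change: the verifier never lets the token choose the algorithm. `ES256` is the JWA name for ECDSA with P-256 and SHA-256, which is what the Java name `SHA256withECDSA` denoted.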
**DEV-1985**

When no system options are specified, the default behavior should be to enforce the higher constraints. If the policy is restricted and no FIDO policy options are sent with the request, SKFS will require the higher constraints to be defined in the policy options. The options concerned are:

- userVerification
- attachment
- conveyance
- residentKey
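One way to resolve these four options for a request, as an added example that is not SKFS code. It assumes a policy is a dict with a `restricted` flag and an `options` dict, that an option the request omits is taken from the policy, that a restricted policy which leaves an option undefined is reported as an error rather than silently falling back, and that a value the request does supply must match what the policy defines; the lenient fallbacks for unrestricted policies and all sample policies are constructed.

```python
"""Added example, not SKFS code: resolve FIDO policy options for a request per the
DEV-1985 behaviour.

Assumptions (not from the note): a policy is {"restricted": bool, "options": {...}};
when the request omits an option, the policy's value is used; a restricted policy that
does not define an omitted option is an error; a request value must match the policy's
value when the policy defines one.  Fallbacks for unrestricted policies are assumed.
"""
POLICY_OPTION_KEYS = ("userVerification", "attachment", "conveyance", "residentKey")

# Lenient fallbacks used only for an unrestricted policy that leaves an option
# undefined (assumed values; None means "no preference").
UNRESTRICTED_FALLBACKS = {
    "userVerification": "preferred",
    "attachment": None,
    "conveyance": "none",
    "residentKey": "discouraged",
}

# Constructed sample policies.
RESTRICTED_POLICY = {
    "restricted": True,
    "options": {
        "userVerification": "required",
        "attachment": "platform",
        "conveyance": "direct",
        "residentKey": "required",
    },
}
INCOMPLETE_RESTRICTED_POLICY = {"restricted": True, "options": {"userVerification": "required"}}
OPEN_POLICY = {"restricted": False, "options": {"userVerification": "preferred"}}


def resolve_options(policy, request):
    """Return (resolved_options, errors).

    A non-empty errors list means the request must be rejected: either a restricted
    policy fails to define an option the request left out, or the request asked for a
    value the policy does not permit.
    """
    resolved, errors = {}, []
    for key in POLICY_OPTION_KEYS:
        policy_value = policy["options"].get(key)
        request_value = request.get(key)
        if request_value is None:
            if policy_value is not None:
                resolved[key] = policy_value
            elif policy["restricted"]:
                errors.append(f"restricted policy does not define {key}")
            else:
                resolved[key] = UNRESTRICTED_FALLBACKS[key]
        elif policy_value is not None and request_value != policy_value:
            errors.append(f"{key}={request_value!r} not permitted by policy ({policy_value!r})")
        else:
            resolved[key] = request_value
    return resolved, errors


if __name__ == "__main__":
    print(resolve_options(RESTRICTED_POLICY, {}))
    print(resolve_options(INCOMPLETE_RESTRICTED_POLICY, {}))
```

The two branches that reject a request are the ones that implement the note: omitting an option never relaxes a restricted policy, and a restricted policy that is itself incomplete is surfaced as a configuration error instead of being patched with a weaker default.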
**DEV-1986**

Create and define LDAP web service groups. The following are the new groups for web service authentication stored in LDAP:

Permissions for each group are described under Service Credentials ⇒ Authorization. The manageSKFSUser.sh script has been updated to add and delete users from these groups.
**DEV-1987**

Sample applications need `randomid` changed to `keyid`. For the `getKeysInfo` and `deregister` API calls, the `randomid` parameter has been renamed to `keyid`. This has been updated in the Tutorial, POC, and SACL apps.