From 91431f110712c60e90aee5a82c0d74ffbab648da Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 31 Oct 2019 16:14:00 +0100
Subject: [PATCH 01/24] Fix @Builder.Default bug in RegistrationResult

The attestationMetadata field was always null.

This bug was introduced in commit
871c4e2fde9d38194781c9f039a7214cb00511fe.
---
 NEWS                                                      | 8 ++++++++
 .../main/java/com/yubico/webauthn/RegistrationResult.java | 3 +--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 168e729fd..26657e612 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+== Version 1.5.1 (unreleased) ==
+
+Bug fixes:
+
+- Fixed bug introduced in 1.4.0, which caused
+  `RegistrationResult.attestationMetadata` to always be empty.
+
+
 == Version 1.5.0 ==
 
 Changes:
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java
index 285f014bf..be98fdeac 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java
@@ -112,9 +112,8 @@ public class RegistrationResult {
      * @see <a href="https://www.w3.org/TR/2019/PR-webauthn-20190117/#sctn-attestation">§6.4. Attestation</a>
      * @see com.yubico.webauthn.RelyingParty.RelyingPartyBuilder#metadataService(Optional)
      */
-    @Builder.Default
     @Builder.ObtainVia(method = "getAttestationMetadata")
-    private final Attestation attestationMetadata = null;
+    private final Attestation attestationMetadata;
 
     @JsonCreator
     private RegistrationResult(

From 06b1831584eac7b4d3c56787b95c80b5fcbfafb8 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Wed, 30 Oct 2019 19:10:12 +0100
Subject: [PATCH 02/24] Add tests of attestation and
 registration/authentication with real data

---
 .../DeviceIdentificationSpec.scala            | 154 ++++++++++++++++
 .../webauthn/RelyingPartyCeremoniesSpec.scala | 152 ++++++++++++++++
 .../yubico/webauthn/test/RealExamples.scala   | 171 ++++++++++++++++++
 3 files changed, 477 insertions(+)
 create mode 100644 webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
 create mode 100644 webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
 create mode 100644 webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala

diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
new file mode 100644
index 000000000..f9d7aaf16
--- /dev/null
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
@@ -0,0 +1,154 @@
+// Copyright (c) 2018, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+//    list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+//    this list of conditions and the following disclaimer in the documentation
+//    and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.webauthn.attestation
+
+import java.util.Collections
+import java.util.Optional
+
+import com.yubico.internal.util.scala.JavaConverters._
+import com.yubico.internal.util.CertificateParser
+import com.yubico.internal.util.JacksonCodecs
+import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver
+import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
+import com.yubico.webauthn.test.RealExamples
+import com.yubico.webauthn.CredentialRepository
+import com.yubico.webauthn.RelyingParty
+import com.yubico.webauthn.data.ByteArray
+import com.yubico.webauthn.data.PublicKeyCredentialDescriptor
+import com.yubico.webauthn.FinishRegistrationOptions
+import com.yubico.webauthn.RegisteredCredential
+import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
+import com.yubico.webauthn.data.PublicKeyCredentialParameters
+import org.junit.runner.RunWith
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatest.junit.JUnitRunner
+
+import scala.collection.JavaConverters._
+
+
+@RunWith(classOf[JUnitRunner])
+class DeviceIdentificationSpec extends FunSpec with Matchers {
+
+  def metadataService(metadataJson: String): StandardMetadataService = {
+    val metadata = Collections.singleton(JacksonCodecs.json().readValue(metadataJson, classOf[MetadataObject]))
+    new StandardMetadataService(
+      new SimpleAttestationResolver(metadata, SimpleTrustResolver.fromMetadata(metadata))
+    )
+  }
+
+  private val emptyCredentialRepository = new CredentialRepository {
+    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = Set.empty.asJava
+    override def getUserHandleForUsername(username: String): Optional[ByteArray] = None.asJava
+    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = None.asJava
+    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = None.asJava
+    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = Set.empty.asJava
+  }
+
+  describe("A RelyingParty with the default StandardMetadataService") {
+
+    describe("correctly identifies") {
+      def check(expectedName: String, testData: RealExamples.Example) {
+        val rp = RelyingParty.builder()
+          .identity(testData.rp)
+          .credentialRepository(emptyCredentialRepository)
+          .metadataService(new StandardMetadataService())
+          .build()
+
+        val result = rp.finishRegistration(FinishRegistrationOptions.builder()
+          .request(PublicKeyCredentialCreationOptions.builder()
+            .rp(testData.rp)
+            .user(testData.user)
+            .challenge(testData.attestation.challenge)
+            .pubKeyCredParams(List(PublicKeyCredentialParameters.ES256).asJava)
+            .build())
+          .response(testData.attestation.credential)
+          .build());
+
+        result.isAttestationTrusted should be (true)
+        result.getAttestationMetadata should not be empty
+        result.getAttestationMetadata.get.getDeviceProperties should not be empty
+        result.getAttestationMetadata.get.getDeviceProperties.get().get("displayName") should equal (expectedName)
+      }
+
+      it("a YubiKey NEO.") {
+        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo)
+      }
+      it("a YubiKey 4.") {
+        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4)
+      }
+      it("a YubiKey 5 NFC.") {
+        check("YubiKey 5 NFC", RealExamples.YubiKey5)
+      }
+      it("a YubiKey 5 Nano.") {
+        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano)
+      }
+      it("a Security Key by Yubico.") {
+        check("Security Key by Yubico", RealExamples.SecurityKey)
+      }
+      it("a Security Key 2 by Yubico.") {
+        check("Security Key by Yubico", RealExamples.SecurityKey2)
+      }
+      it("a Security Key NFC by Yubico.") {
+        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc)
+      }
+    }
+  }
+
+  describe("The default AttestationResolver") {
+    describe("successfully identifies") {
+      def check(expectedName: String, testData: RealExamples.Example) {
+        val cert = CertificateParser.parseDer(testData.attestationCert.getBytes)
+        val resolved = StandardMetadataService.createDefaultAttestationResolver().resolve(cert)
+        resolved should not be empty
+        resolved.get.getDeviceProperties should not be empty
+        resolved.get.getDeviceProperties.get.get("displayName") should equal (expectedName)
+      }
+
+      it("a YubiKey NEO.") {
+        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo)
+      }
+      it("a YubiKey 4.") {
+        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4)
+      }
+      it("a YubiKey 5 NFC.") {
+        check("YubiKey 5 NFC", RealExamples.YubiKey5)
+      }
+      it("a YubiKey 5 Nano.") {
+        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano)
+      }
+      it("a Security Key by Yubico.") {
+        check("Security Key by Yubico", RealExamples.SecurityKey)
+      }
+      it("a Security Key 2 by Yubico.") {
+        check("Security Key by Yubico", RealExamples.SecurityKey2)
+      }
+      it("a Security Key NFC by Yubico.") {
+        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc)
+      }
+    }
+  }
+
+}
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
new file mode 100644
index 000000000..20057196b
--- /dev/null
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
@@ -0,0 +1,152 @@
+// Copyright (c) 2018, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+//    list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+//    this list of conditions and the following disclaimer in the documentation
+//    and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.webauthn
+
+import java.util.Optional
+
+import com.yubico.internal.util.scala.JavaConverters._
+import com.yubico.webauthn.data.ByteArray
+import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
+import com.yubico.webauthn.data.PublicKeyCredentialDescriptor
+import com.yubico.webauthn.data.PublicKeyCredentialParameters
+import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions
+import com.yubico.webauthn.test.RealExamples
+import org.junit.runner.RunWith
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatest.junit.JUnitRunner
+
+import scala.collection.JavaConverters._
+
+
+@RunWith(classOf[JUnitRunner])
+class RelyingPartyCeremoniesSpec extends FunSpec with Matchers {
+
+  private def newRp(testData: RealExamples.Example, credentialRepo: CredentialRepository): RelyingParty =
+    RelyingParty.builder()
+      .identity(testData.rp)
+      .credentialRepository(credentialRepo)
+      .build()
+
+  private val emptyCredentialRepository = new CredentialRepository {
+    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = Set.empty.asJava
+    override def getUserHandleForUsername(username: String): Optional[ByteArray] = None.asJava
+    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = None.asJava
+    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = None.asJava
+    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = Set.empty.asJava
+  }
+
+  private def credentialRepoWithUser(testData: RealExamples.Example, reg: RegistrationResult): CredentialRepository = new CredentialRepository {
+    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] =
+      if (username == testData.user.getName)
+        Set(PublicKeyCredentialDescriptor.builder().id(reg.getKeyId.getId).build()).asJava
+      else Set.empty.asJava
+    override def getUserHandleForUsername(username: String): Optional[ByteArray] =
+      if (username == testData.user.getName)
+        Some(testData.user.getId).asJava
+      else None.asJava
+    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] =
+      if (userHandle == testData.user.getId)
+        Some(testData.user.getName).asJava
+      else None.asJava
+    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
+      if (credentialId == reg.getKeyId.getId && userHandle == testData.user.getId)
+        Some(RegisteredCredential.builder()
+          .credentialId(reg.getKeyId.getId)
+          .userHandle(testData.user.getId)
+          .publicKeyCose(reg.getPublicKeyCose)
+          .build()).asJava
+      else None.asJava
+    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] =
+      if (credentialId == reg.getKeyId.getId)
+        Set(lookup(credentialId, testData.user.getId).get()).asJava
+      else Set.empty.asJava
+  }
+
+  describe("The default RelyingParty settings") {
+
+    describe("can register and then authenticate") {
+      def check(testData: RealExamples.Example) {
+        val registrationRp = newRp(testData, emptyCredentialRepository)
+
+        val registrationResult = registrationRp.finishRegistration(FinishRegistrationOptions.builder()
+          .request(PublicKeyCredentialCreationOptions.builder()
+            .rp(testData.rp)
+            .user(testData.user)
+            .challenge(testData.attestation.challenge)
+            .pubKeyCredParams(List(PublicKeyCredentialParameters.ES256).asJava)
+            .build())
+          .response(testData.attestation.credential)
+          .build());
+
+        registrationResult.getKeyId.getId should equal (testData.attestation.credential.getId)
+        registrationResult.isAttestationTrusted should be (false)
+        registrationResult.getAttestationMetadata shouldBe empty
+
+        val assertionRp = newRp(testData, credentialRepoWithUser(testData, registrationResult))
+
+        val assertionResult = assertionRp.finishAssertion(FinishAssertionOptions.builder()
+          .request(AssertionRequest.builder()
+            .publicKeyCredentialRequestOptions(PublicKeyCredentialRequestOptions.builder()
+              .challenge(testData.assertion.challenge)
+              .allowCredentials(List(PublicKeyCredentialDescriptor.builder().id(testData.assertion.id).build()).asJava)
+              .build())
+            .username(testData.user.getName)
+            .build())
+          .response(testData.assertion.credential)
+          .build())
+
+        assertionResult.isSuccess should be (true)
+        assertionResult.getCredentialId should equal (testData.assertion.id)
+        assertionResult.getUserHandle should equal (testData.user.getId)
+        assertionResult.getUsername should equal (testData.user.getName)
+        assertionResult.getSignatureCount should be >= testData.attestation.authenticatorData.getSignatureCounter
+        assertionResult.isSignatureCounterValid should be (true)
+      }
+
+      it("a YubiKey NEO.") {
+        check(RealExamples.YubiKeyNeo)
+      }
+      it("a YubiKey 4.") {
+        check(RealExamples.YubiKey4)
+      }
+      it("a YubiKey 5 NFC.") {
+        check(RealExamples.YubiKey5)
+      }
+      it("a YubiKey 5 Nano.") {
+        check(RealExamples.YubiKey5Nano)
+      }
+      it("a Security Key by Yubico.") {
+        check(RealExamples.SecurityKey)
+      }
+      it("a Security Key 2 by Yubico.") {
+        check(RealExamples.SecurityKey2)
+      }
+      it("a Security Key NFC by Yubico.") {
+        check(RealExamples.SecurityKeyNfc)
+      }
+    }
+  }
+}
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala
new file mode 100644
index 000000000..8799b7e9c
--- /dev/null
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala
@@ -0,0 +1,171 @@
+package com.yubico.webauthn.test
+
+import java.nio.charset.StandardCharsets
+
+import com.yubico.internal.util.JacksonCodecs
+import com.yubico.webauthn.data.AttestationObject
+import com.yubico.webauthn.data.AuthenticatorAssertionResponse
+import com.yubico.webauthn.data.AuthenticatorAttestationResponse
+import com.yubico.webauthn.data.AuthenticatorData
+import com.yubico.webauthn.data.ByteArray
+import com.yubico.webauthn.data.ClientAssertionExtensionOutputs
+import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs
+import com.yubico.webauthn.data.PublicKeyCredential
+import com.yubico.webauthn.data.RelyingPartyIdentity
+import com.yubico.webauthn.data.UserIdentity
+
+
+sealed trait HasClientData {
+  def clientData: String
+  def clientDataJSON: ByteArray = new ByteArray(clientData.getBytes(StandardCharsets.UTF_8))
+  def challenge: ByteArray = ByteArray.fromBase64Url(JacksonCodecs.json().readTree(clientData).get("challenge").textValue())
+}
+
+object RealExamples {
+
+  case class AttestationExample(clientData: String, attestationObjectBytes: ByteArray) extends HasClientData {
+    def attestationObject: AttestationObject = new AttestationObject(attestationObjectBytes)
+    def authenticatorData: AuthenticatorData = attestationObject.getAuthenticatorData
+    def credential: PublicKeyCredential[AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs] =
+      PublicKeyCredential.parseRegistrationResponseJson(s"""{
+        "type": "public-key",
+        "id": "${authenticatorData.getAttestedCredentialData.get.getCredentialId.getBase64Url}",
+        "response": {
+          "clientDataJSON": "${clientDataJSON.getBase64Url}",
+          "attestationObject": "${attestationObjectBytes.getBase64Url}"
+        },
+        "clientExtensionResults": {}
+      }""")
+  }
+
+  case class AssertionExample(id: ByteArray, `type`: String = "public-key", clientData: String, authDataBytes: ByteArray, sig: ByteArray) extends HasClientData {
+    def authenticatorData: AuthenticatorData = new AuthenticatorData(authDataBytes)
+    def credential: PublicKeyCredential[AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs] =
+      PublicKeyCredential.parseAssertionResponseJson(s"""{
+        "type": "public-key",
+        "id": "${id.getBase64Url}",
+        "response": {
+          "clientDataJSON": "${clientDataJSON.getBase64Url}",
+          "authenticatorData": "${authDataBytes.getBase64Url}",
+          "signature": "${sig.getBase64Url}"
+        },
+        "clientExtensionResults": {}
+      }""")
+  }
+
+  case class Example(
+    rp: RelyingPartyIdentity,
+    user: UserIdentity,
+    attestation: AttestationExample,
+    assertion: AssertionExample
+  ) {
+    def attestationCert: ByteArray =
+      new ByteArray(attestation.attestationObject.getAttestationStatement.get("x5c").get(0).binaryValue())
+  }
+
+  val YubiKeyNeo = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRoZmlkby11MmZnYXR0U3RtdKJjc2lnWEcwRQIgZAIktn1uQmeCpXkStM74_oaFdb0MH0-J0k4ZXmIXM18CIQDZgPvwVDPBsTfreHAqoWa6n7v5bRS3cn0rcthSLAmDaGN4NWOBWQJTMIICTzCCATegAwIBAgIEWzpHQjANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowMTEvMC0GA1UEAwwmWXViaWNvIFUyRiBFRSBTZXJpYWwgMjM5MjU3MzUzMjgyMDQ2MTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR-OFbId0OQrrorm-5x_bGglxHhfuEK-vP9tO3JRNO_gvmSTfgvjtZPYIlQ4Cr6gRt_Hfn6WDjT-Xt0Q14pfb20ozswOTAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuMjATBgsrBgEEAYLlHAIBAQQEAwIFIDANBgkqhkiG9w0BAQsFAAOCAQEAa27ZcXkZ-pa1ywtQqWf1MeHFNxSGUDwpKBAUC7zCfgd8pINbK_1VHhbp3Q6tDiH-PO0wZnqE-oDQGi4KxFUFYyDjJszYL4HoVwUSORHeu8zCpO_zVoqUOR8OSeuDwZgububzfPu3NlaWDBkgUhhYoZDyCtFdGPyqT2foxk3iDpjzlG8zfU-t2pYIIAF9Q_LJv-XEkYqNGsAEZMxKMeNoB3n6p5mWxULriqoJPiajFYInzu9Kk7OiznJJ01-xovAGvtVeiFOZZljUkLCVa5eX7INYzdaa9L3LAHW81IdsoE7yFL2OPNcPR0kOiqsMoiJ6sgYy4MRTuxIu2ke-lIH5UWhhdXRoRGF0YVjEo3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdBAAAAAAAAAAAAAAAAAAAAAAAAAAAAQBeSCzJvnCNSyal5T2DPO0ypt2760sLlwynV_0Id2WiXWiq-Rv0MY1BfwD4QFJpryrRUHDgKt-T8ztr-DQfIKT2lAQIDJiABIVggOclPu93GlKkl5vhlfGaRbP6EzQIi7fzygbIfXNw0eSMiWCDWsNICHP4XJKb-geNWjE_64zkpghajCvwYwLl18uKokQ==")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("F5ILMm-cI1LJqXlPYM87TKm3bvrSwuXDKdX_Qh3ZaJdaKr5G_QxjUF_APhAUmmvKtFQcOAq35PzO2v4NB8gpPQ=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcBAAAAAQ=="),
+      sig = ByteArray.fromBase64Url("MEUCIFEYoFCb4DZmBWm_5ho_0RpLQfZIvS3sU-HQi5O85BiuAiEAmj7_8Kr--lGm7YhM6-4FvFEIGzKlzFt7F6SxHVhmNfo="),
+    )
+  )
+
+  val YubiKey4 = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRoZmlkby11MmZnYXR0U3RtdKJjc2lnWEcwRQIgMMS3Sk-YpRfKh7lGev4vNApGpQD0Md6l2bwWGsQIXWUCIQD9Krgg7JQVL5jLZhqHE-n7auwBcDdQvqpQ4VddgKR9S2N4NWOBWQJTMIICTzCCATegAwIBAgIEPGgpTTANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowMTEvMC0GA1UEAwwmWXViaWNvIFUyRiBFRSBTZXJpYWwgMjM5MjU3MzQ4MTExMTc5MDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS932eT23eUw1Axce0sTUVK2XNmdRpIuqXZ-bVqOiCBeWtO3yvNe5J6FJMQ-8RoR2_8V5KpfbYvoChrxqMgAg5jozswOTAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNTATBgsrBgEEAYLlHAIBAQQEAwIFIDANBgkqhkiG9w0BAQsFAAOCAQEAqsANUQl-7BWkhrN5vMSDQPhn05cuzmpn-6Rw42DGRFnwrThC0_8IHnHqiVOXGyP5JcCtAMJHMRhSBvCzqRkp-5G3ZrU_4TNSKoNYuNEgtKv7f-jvJHtk_8amIUrB2b5zNv3g86gYP5NLUhh19eP3iYCvlwpbHgQqOHbXS6i-7-kt0uNzzGRByJStfNmk9H2tPaT-r0eRmEdT41oInOTL49PINurQoqfOpWFa1-RIEIbDd7NmRNL7mWu84pshrbiV95OC7sVJPk7BM8IWfwdx9ZkxcxIP8o1T6IGol0DBMs88NGgsu89OXb3B4IAiH4dSmYFB3RSW1w86sD8sW8B_rWhhdXRoRGF0YVjEo3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdBAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEZ3ZpSx4x3b5ta9SnTMyCNtIAkzgZwfRff5n251aUcLfadvNqYhCylFC1FdfljBSHxcibx2oD45K2HSE3sCGfSlAQIDJiABIVggREuYlwMvN1mWVAPf8QrgB-cUNJYyS8vwZtr2tAWnoCQiWCAFm1_ct7jy-C_IQr73ChoiLZKkEAOnCJ_F5rf3wlOT5Q==")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("RndmlLHjHdvm1r1KdMzII20gCTOBnB9F9_mfbnVpRwt9p282piELKUULUV1-WMFIfFyJvHagPjkrYdITewIZ9A=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcBAAAAAA=="),
+      sig = ByteArray.fromBase64Url("MEQCIDniM0szLdfVU1CtXMjUmbYmAU3cL5F8umwXbIhqmTFfAiBHxk-ZOxTzXIMd0ghIFVpaJBWG-6lNJP6DOrkufJVx_Q=="),
+    )
+  )
+
+  val YubiKey5 = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEcwRQIgCrcg9FJhbV35puNRlN36gSO9_YNWweirVdB2n3Ojez0CIQDOvSCusMldIS57ittkKJ9cne9RYQS6a--ivsKFYWrAIWN4NWOBWQLAMIICvDCCAaSgAwIBAgIEA63wEjANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowbTELMAkGA1UEBhMCU0UxEjAQBgNVBAoMCVl1YmljbyBBQjEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjEmMCQGA1UEAwwdWXViaWNvIFUyRiBFRSBTZXJpYWwgNjE3MzA4MzQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZnoecFi233DnuSkKgRhalswn-ygkvdr4JSPltbpXK5MxlzVSgWc-9x8mzGysdbBhEecLAYfQYqpVLWWosHPoXo2wwajAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNzATBgsrBgEEAYLlHAIBAQQEAwIEMDAhBgsrBgEEAYLlHAEBBAQSBBD6K5ncnjlCV4-SSjDSPEEYMAwGA1UdEwEB_wQCMAAwDQYJKoZIhvcNAQELBQADggEBACjrs2f-0djw4onryp_22AdXxg6a5XyxcoybHDjKu72E2SN9qDGsIZSfDy38DDFr_bF1s25joiu7WA6tylKA0HmEDloeJXJiWjv7h2Az2_siqWnJOLic4XE1lAChJS2XAqkSk9VFGelg3SLOiifrBet-ebdQwAL-2QFrcR7JrXRQG9kUy76O2VcSgbdPROsHfOYeywarhalyVSZ-6OOYK_Q_DLIaOC0jXrnkzm2ymMQFQlBAIysrYeEM1wxiFbwDt-lAcbcOEtHEf5ZlWi75nUzlWn8bSx_5FO4TbZ5hIEcUiGRpiIBEMRZlOIm4ZIbZycn_vJOFRTVps0V0S4ygtDdoYXV0aERhdGFYxKN5pvbur7mlXjeMEYA04nUeaC-rny0wqxPSElWGzhlHQQAAAAv6K5ncnjlCV4-SSjDSPEEYAED94RxjDuKGTpu5usg0Vcee9gqqhDVGw1__eyvx3YUhH7gba6zYjbwI1e1CZa78jZq8167iUIHbM_kNbyXIHSNhpQECAyYgASFYIIIyZu4ct876xj7sKSV90mbX0PpGLuRIRGu6IxnWUhD9Ilggw2qT1jtmMhn-X9raOZxqjWkzfdF8aJqFpvp3QXI-vNY=")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("_eEcYw7ihk6bubrINFXHnvYKqoQ1RsNf_3sr8d2FIR-4G2us2I28CNXtQmWu_I2avNeu4lCB2zP5DW8lyB0jYQ=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcBAAAADA=="),
+      sig = ByteArray.fromBase64Url("MEQCIE5k9IsMKGNpn6l29eIuoXkkuyZmSTePbQRKrWUaF5IxAiA-3veAkhDgW06BA-L_TLNw8KZDzHzU5zaw6Guqk-_J5Q=="),
+    )
+  )
+
+  val YubiKey5Nano = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEgwRgIhAMw3heLnLh7oOq4gwxQRviDPT0_VDxys8Kq2MFOfTZBzAiEAtL3D6ZqtiupoAMqntqi07OrEl5RJGJkoZ7bLwepVJQBjeDVjgVkCwTCCAr0wggGloAMCAQICBBisRsAwDQYJKoZIhvcNAQELBQAwLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMG4xCzAJBgNVBAYTAlNFMRIwEAYDVQQKDAlZdWJpY28gQUIxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24xJzAlBgNVBAMMHll1YmljbyBVMkYgRUUgU2VyaWFsIDQxMzk0MzQ4ODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHnqOyx8SXAQYiMM0j_rYOUpMXHUg_EAvoWdaw-DlwMBtUbN1G7PyuPj8w-B6e1ivSaNTB69N7O8vpKowq7rTjqjbDBqMCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS43MBMGCysGAQQBguUcAgEBBAQDAgUgMCEGCysGAQQBguUcAQEEBBIEEMtpSB6P90A5k-wKJymhVKgwDAYDVR0TAQH_BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAl50Dl9hg-C7hXTEceW66-yL6p-CE2bq0xhu7V_PmtMGKSDe4XDxO2-SDQ_TWpdmxztqK4f7UkSkhcwWOXuHL3WvawHVXxqDo02gluhWef7WtjNr4BIaM-Q6PH4rqF8AWtVwqetSXyJT7cddT15uaSEtsN21yO5mNLh1DBr8QM7Wu-Myly7JWi2kkIm0io1irfYfkrF8uCRqnFXnzpWkJSX1y9U4GusHDtEE7ul6vlMO2TzT566Qay2rig3dtNkZTeEj-6IS93fWxuleYVM_9zrrDRAWVJ-Vt1Zj49WZxWr5DAd0ZETDmufDGQDkSU-IpgD867ydL7b_eP8u9QurWeWhhdXRoRGF0YVjEo3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdFAAAAyMtpSB6P90A5k-wKJymhVKgAQApDelLpYd9AP-NbX7v8lJelMv5xVvJq1u4va8qaLTf2e4Tf7QL7F4nkZZnfTVBv74xF0i8794sPbpK--e0N8-SlAQIDJiABIVggXaCve37FWbdyNEXiSmuDUdsc0K-UDHnYEQ-Sc3PHxcAiWCD7VMEBw6F_IOsfg7DISuN8aT70W14W1NQCX0xjQSUnsw==")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("CkN6Uulh30A_41tfu_yUl6Uy_nFW8mrW7i9rypotN_Z7hN_tAvsXieRlmd9NUG_vjEXSLzv3iw9ukr757Q3z5A=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcFAAAAyQ=="),
+      sig = ByteArray.fromBase64Url("MEYCIQCUeExQH6ZbZxoyiYEqFdmMyIeu-klCkyREiB1ekfBItgIhAKcsV2cK-PXubj96AYk5DWU_qE-M6ZmH8AQBYW9RF56P"),
+    )
+  )
+
+  val SecurityKey = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRoZmlkby11MmZnYXR0U3RtdKJjc2lnWEcwRQIhAM_R8LLPIBxj07Cimg1QVoFD2Y3xqQvbEYEdkbJLsQgiAiAEVIoe5lvTKHK9vCJBHJXS1uWBxFNEFv7im0cs2CjhcWN4NWOBWQIgMIICHDCCAQagAwIBAgIEOGbfdTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCsxKTAnBgNVBAMMIFl1YmljbyBVMkYgRUUgU2VyaWFsIDEzODMxMTY3ODYxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEN438dAxzm5RyTtPVI7m4doEGVsE96G-vrs842Q9V4sgKG_4LMNxTs13n0EW5bcuPK_lPqOC5AxY8f27cLkh7caMSMBAwDgYKKwYBBAGCxAoBAQQAMAsGCSqGSIb3DQEBCwOCAQECGkdkygCJz5KtuH-oSFOOcsw-_bs0eSlDBHuCFqk5uvTBE1YqNFthR1l5aXlHvOZxqmp8Bnlu1OuxuP1gJxm3Hes89kLpjbHZZm_wHm23T0WveWfARtbm_0tOCaMUGDS2mvFkZczezzoKgJwKpJp7GUP1vU49rjvcz95qcTpJJp6s-z-c7eC6eca7-6deYRjiDw-VfqYe7VJogibKtC33kQN-l-2l4t9gKdK7f8Mn50Xn-fWGK-0psGjLlyo2yGUi3rLHGWUzM13frri2-g21AmrKhFQZBhqk0XwHDpj6L9Zx1KzQwpDkdKG0eD7CRuD4mpiHwKTXqFxmKRm6JOp7nGhhdXRoRGF0YVjEo3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdBAAAAAAAAAAAAAAAAAAAAAAAAAAAAQCdfKS1ueJ9oKJVudbjt1UiNbDssecI5S-KjmJiG0i5OGGd4oF9xDvrXC4wfLalyG8CZyOC0yWGRdxOHY2zlreylAQIDJiABIVggZ2eg0SmeEp6vayyOWFQIsY8WaYPde8QgyNVLRcHVWmoiWCBxXpYVrCowr7PGNQlz7iFTUWQ1z8R1cPxRfHlm6DvZRw==")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("J18pLW54n2golW51uO3VSI1sOyx5wjlL4qOYmIbSLk4YZ3igX3EO-tcLjB8tqXIbwJnI4LTJYZF3E4djbOWt7A=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcBAAAAtw=="),
+      sig = ByteArray.fromBase64Url("MEUCIHgLEzmn8hKOXC0qBXDFBZ7a2GLrwho8uqyd1ZqwV9YCAiEA-3Y8g4ifwTxT1ROtA4uBmVzzfzlh9o0ijY9eEhGJEkg="),
+    )
+  )
+
+  val SecurityKey2 = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEYwRAIgMPJLGsBqS-rEdPOtwv50McRd8TLeMUBdqCdN9BQlqjoCICh5colw68TfL2QTa9OXPkpobZrePGqlfOzv4bzY9fffY3g1Y4FZAsIwggK-MIIBpqADAgECAgR0hv3CMA0GCSqGSIb3DQEBCwUAMC4xLDAqBgNVBAMTI1l1YmljbyBVMkYgUm9vdCBDQSBTZXJpYWwgNDU3MjAwNjMxMCAXDTE0MDgwMTAwMDAwMFoYDzIwNTAwOTA0MDAwMDAwWjBvMQswCQYDVQQGEwJTRTESMBAGA1UECgwJWXViaWNvIEFCMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMSgwJgYDVQQDDB9ZdWJpY28gVTJGIEVFIFNlcmlhbCAxOTU1MDAzODQyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElV3zrfckfTF17_2cxPMaToeOuuGBCVZhUPs4iy5fZSe_V0CapYGlDQrFLxhEXAoTVIoTU8ik5ZpwTlI7wE3r7aNsMGowIgYJKwYBBAGCxAoCBBUxLjMuNi4xLjQuMS40MTQ4Mi4xLjEwEwYLKwYBBAGC5RwCAQEEBAMCBSAwIQYLKwYBBAGC5RwBAQQEEgQQ-KAR84wKTRWABhcRH57cfTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAxXEiA5ppSfjhmib1p_Qqob0nrnk6FRUFVb6rQCzoAih3cAflsdvZoNhqR4jLIEKecYwdMm256RusdtdhcREifhop2Q9IqXIYuwD8D5YSL44B9es1V-OGuHuITrHOrSyDj-9UmjLB7h4AnHR9L4OXdrHNNOliXvU1zun81fqIIyZ2KTSkC5gl6AFxNyQTcChgSDgr30Az8lpoohuWxsWHz7cvGd6Z41_tTA5zNoYa-NLpTMZUjQ51_2Upw8jBiG5PEzkJo0xdNlDvGrj_JN8LeQ9a0TiEVPfhQkl-VkGIuvEbg6xjGQfD-fm8qCamykHcZ9i5hNaGQMqITwJi3KDzuaGF1dGhEYXRhWMSjeab27q-5pV43jBGANOJ1Hmgvq58tMKsT0hJVhs4ZR0EAAAAA-KAR84wKTRWABhcRH57cfQBAc17o2YwQc1hkrTX_Plsl34A6_rK5Fa6pJGIgkkTgVx3lEF_fnOa-M13COp5hgPrVVuDIGv5HI9gJH9JbOoxJS6UBAgMmIAEhWCDNva3Ohd7wYRZlfmu6V0J8Iy8sdGOLTG_dAlDxvRdSjyJYILal-lroy3ltDP4McgzBN5hKd9OSVn6dMgRBVjDWBtsN")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("c17o2YwQc1hkrTX_Plsl34A6_rK5Fa6pJGIgkkTgVx3lEF_fnOa-M13COp5hgPrVVuDIGv5HI9gJH9JbOoxJSw=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcBAAAAAQ=="),
+      sig = ByteArray.fromBase64Url("MEUCIQC68JtgAd_DEc6UZYjn3eskqVGpIu64yQlXKx25HDXniwIgDQH8uK-md90SHKWbjj8qvqmgdmc4M7ZanCFLmQZRTCI="),
+    )
+  )
+
+  val SecurityKeyNfc = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRoZmlkby11MmZnYXR0U3RtdKJjc2lnWEcwRQIhAJKRPuYlfW8dZZlsJrJiwA-BvAyOvIe1TScv5qlek1SQAiAnglgs-nRjA7kpc61PewQ4VULjdlzLmReI7-MJT1TLrGN4NWOBWQLBMIICvTCCAaWgAwIBAgIEMAIspTANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowbjELMAkGA1UEBhMCU0UxEjAQBgNVBAoMCVl1YmljbyBBQjEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjEnMCUGA1UEAwweWXViaWNvIFUyRiBFRSBTZXJpYWwgODA1NDQ4ODY5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE-66HSEytO3plXno3zPhH1k-zFwWxESIdrTbQp4HSEuzFum1Mwpy8itoOosBQksnIrefLHkTRNUtV8jIrFKAvbaNsMGowIgYJKwYBBAGCxAoCBBUxLjMuNi4xLjQuMS40MTQ4Mi4xLjEwEwYLKwYBBAGC5RwCAQEEBAMCBDAwIQYLKwYBBAGC5RwBAQQEEgQQbUS6m_bsLkm5MAyP6SDLczAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBlZXnJy-X3fJfNdlIdIQlFpO5-A5uM41jJ2XgdRag_8rSxXCz98t_jyoWth5FQF9As96Ags3p-Lyaqb1bpEc9RfmkxiiqwDzDI56Sj4HKlANF2tddm-ew29H9yaNbpU5y6aleCeH2rR4t1cFgcBRAV84IndIH0cYASRnyrFbHjI80vlPNR0z4j-_W9vYEWBpLeS_wrdKPVW7C7wyuc4bobauCyhElBPZUwblR_Ll0iovmfazD17VLCBMA4p_SVVTwSXpKyZjMiCotj8mDhQ1ymhvCepkK82EwnrBMJIzCi_joxAXqxLPMs6yJrz_hFUkZaloa1ZS6f7aGAmAKhRNO2aGF1dGhEYXRhWMSjeab27q-5pV43jBGANOJ1Hmgvq58tMKsT0hJVhs4ZR0EAAAAAAAAAAAAAAAAAAAAAAAAAAABAJT086Ym5LhLsK6MRwYRSdjVn9jVYVtwiGwgq_bDPpVuI3aaOW7UQfqGWdos-kVwHnQccbDRnQDvQmCDqy6QdSaUBAgMmIAEhWCCRGd2Bo0vIj-suQxM-cOCXovv1Ag6azqHn8PE31Fcu4iJYIOiLha_PR9JwOhCw4SC2Xq7cOackGAMsq4UUJ_IRCCcq")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("JT086Ym5LhLsK6MRwYRSdjVn9jVYVtwiGwgq_bDPpVuI3aaOW7UQfqGWdos-kVwHnQccbDRnQDvQmCDqy6QdSQ=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcBAAAADA=="),
+      sig = ByteArray.fromBase64Url("MEYCIQD8tVtVU-esAvCSNVR4JLfW0MKf2C_Rb1Xn4UBBS4jbmwIhAM5AfKuhVrHcMfcNwVDYQ4q7qU_a6avSWgdydnunVaq7"),
+    )
+  )
+
+}

From 7530c698079a85e402e976aca726c0fed97ebd26 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Sat, 14 Sep 2019 01:11:46 +0200
Subject: [PATCH 03/24] Extract function finishCeremony

---
 .../src/main/webapp/index.html                | 46 +++++++++++--------
 1 file changed, 27 insertions(+), 19 deletions(-)

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index f93be695d..07777227b 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -59,6 +59,8 @@
 
   <script>
 
+let ceremonyState = {};
+
 function extend(obj, more) {
   return Object.assign({}, obj, more);
 }
@@ -276,28 +278,35 @@
         callbacks.authenticatorRequest({ request, urls });
       }
       showRequest(request);
+      ceremonyState = {
+        callbacks,
+        request,
+        statusStrings,
+        urls,
+        useU2f,
+      };
       return executeRequest(request)
-        .then(webauthn.responseToObject)
-        .then(response => ({
-          request,
-          urls,
-          response,
-        }));
+        .then(webauthn.responseToObject);
     })
+    .then(finishCeremony)
 
-    .then((params) => {
-      const urls = params.urls;
-      const request = params.request;
-      const response = params.response;
+  ;
+}
 
-      setStatus(statusStrings.serverRequest || 'Sending response to server...');
-      if (callbacks.serverRequest) {
-        callbacks.serverRequest({ urls, request, response });
-      }
-      showAuthenticatorResponse(response);
-      return submitResponse(useU2f ? urls.finishU2f : urls.finish, request.requestId, response);
-    })
+function finishCeremony(response) {
+  const callbacks = ceremonyState.callbacks;
+  const request = ceremonyState.request;
+  const statusStrings = ceremonyState.statusStrings;
+  const urls = ceremonyState.urls;
+  const useU2f = ceremonyState.useU2f;
+
+  setStatus(statusStrings.serverRequest || 'Sending response to server...');
+  if (callbacks.serverRequest) {
+    callbacks.serverRequest({ urls, request, response });
+  }
+  showAuthenticatorResponse(response);
 
+  return submitResponse(useU2f ? urls.finishU2f : urls.finish, request.requestId, response)
     .then(data => {
       if (data && data.success) {
         setStatus(statusStrings.success);
@@ -306,8 +315,7 @@
       }
       showServerResponse(data);
       return data;
-    })
-  ;
+    });
 }
 
 function registerResidentKey() {

From 78f82cc202dd5acdaa2a927f92709d11a1f49ded Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 27 Sep 2019 17:39:07 +0200
Subject: [PATCH 04/24] Unpack URLs inside getIndexActions()

---
 webauthn-server-demo/src/main/webapp/index.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index 07777227b..2f5314dc8 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -138,7 +138,9 @@
 
 function getIndexActions() {
   return fetch('api/v1/')
-    .then(response => response.json());
+    .then(response => response.json())
+    .then(data => data.actions)
+  ;
 }
 
 function getRegisterRequest(urls, username, displayName, credentialNickname, requireResidentKey = false) {
@@ -260,8 +262,6 @@
   resetDisplays();
 
   return getIndexActions()
-    .then(data => data.actions)
-
     .then(urls => {
       setStatus(statusStrings.int);
       if (callbacks.init) {

From 241d775cb68b404c6984f2aaf3ad168417355d28 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 17 Sep 2019 15:36:58 +0200
Subject: [PATCH 05/24] Don't use mock in WebAuthnServerSpec

---
 .../demo/webauthn/WebAuthnServerSpec.scala    | 49 ++++++++++++-------
 1 file changed, 31 insertions(+), 18 deletions(-)

diff --git a/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala b/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
index 0d158e9ee..715ca4329 100644
--- a/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
+++ b/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
@@ -40,17 +40,17 @@ import com.yubico.webauthn.RegistrationTestData
 import com.yubico.webauthn.TestAuthenticator
 import com.yubico.webauthn.data.ByteArray
 import com.yubico.webauthn.data.CollectedClientData
+import com.yubico.webauthn.data.PublicKeyCredentialDescriptor
 import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions
 import com.yubico.webauthn.data.RelyingPartyIdentity
 import com.yubico.webauthn.extension.appid.AppId
+import com.yubico.webauthn.AssertionResult
 import com.yubico.webauthn.WebAuthnTestCodecs
 import demo.webauthn.data.AssertionRequestWrapper
 import demo.webauthn.data.CredentialRegistration
 import demo.webauthn.data.RegistrationRequest
 import demo.webauthn.data.RegistrationResponse
 import org.junit.runner.RunWith
-import org.mockito.Mockito.mock
-import org.mockito.Mockito.when
 import org.scalatest.FunSpec
 import org.scalatest.Matchers
 import org.scalatest.junit.JUnitRunner
@@ -157,16 +157,7 @@ class WebAuthnServerSpec extends FunSpec with Matchers {
               .build()
         ))
 
-        val userStorage = makeUserStorage(testData)
-        when(userStorage.getUserHandleForUsername(testData.userId.getName)).thenReturn(Some(testData.userId.getId).asJava)
-        when(userStorage.lookup(testData.response.getId, testData.userId.getId)).thenReturn(Some(RegisteredCredential.builder()
-          .credentialId(testData.response.getId)
-          .userHandle(testData.userId.getId)
-          .publicKeyCose(WebAuthnTestCodecs.ecPublicKeyToCose(credentialKey.getPublic.asInstanceOf[ECPublicKey]))
-          .signatureCount(0)
-          .build()
-        ).asJava)
-
+        val userStorage = makeUserStorage(testData, credentialPubkey = Some(WebAuthnTestCodecs.ecPublicKeyToCose(credentialKey.getPublic.asInstanceOf[ECPublicKey])))
         new WebAuthnServer(userStorage, newCache(), assertionRequests, rpId, origins, appId)
       }
     }
@@ -181,9 +172,10 @@ class WebAuthnServerSpec extends FunSpec with Matchers {
     new WebAuthnServer(userStorage, newCache(), newCache(), rpId, origins, appId)
   }
 
-  private def makeUserStorage(testData: RegistrationTestData) = {
-    val userStorage = mock(classOf[RegistrationStorage])
-
+  private def makeUserStorage(
+    testData: RegistrationTestData,
+    credentialPubkey: Option[ByteArray] = None
+  ) = {
     val registrations = util.Arrays.asList(CredentialRegistration.builder()
       .signatureCount(testData.response.getResponse.getAttestation.getAuthenticatorData.getSignatureCounter)
       .userIdentity(testData.request.getUser)
@@ -197,9 +189,30 @@ class WebAuthnServerSpec extends FunSpec with Matchers {
       )
       .build())
 
-    when(userStorage.getRegistrationsByUsername(testData.userId.getName)).thenReturn(registrations)
-
-    userStorage
+    new RegistrationStorage {
+      override def addRegistrationByUsername(username: String, reg: CredentialRegistration): Boolean = ???
+      override def getRegistrationsByUsername(username: String): java.util.Collection[CredentialRegistration] =
+        if (username == testData.userId.getName) registrations else Nil.asJava
+      override def getRegistrationByUsernameAndCredentialId(username: String, credentialId: ByteArray): Optional[CredentialRegistration] = ???
+      override def getRegistrationsByUserHandle(userHandle: ByteArray): java.util.Collection[CredentialRegistration] = ???
+      override def removeRegistrationByUsername(username: String, credentialRegistration: CredentialRegistration): Boolean = ???
+      override def removeAllRegistrations(username: String): Boolean = ???
+      override def updateSignatureCount(result: AssertionResult): Unit = {}
+      override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = Set.empty.asJava
+      override def getUserHandleForUsername(username: String): Optional[ByteArray] =
+        if (username == testData.userId.getName) Optional.of(testData.userId.getId) else Optional.empty()
+      override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = ???
+      override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
+        if ((credentialId, userHandle) == (testData.response.getId, testData.userId.getId))
+          Optional.of(RegisteredCredential.builder()
+            .credentialId(testData.response.getId)
+            .userHandle(testData.userId.getId)
+            .publicKeyCose(credentialPubkey getOrElse testData.response.getResponse.getAttestation.getAuthenticatorData.getAttestedCredentialData.get.getCredentialPublicKey)
+            .signatureCount(0)
+            .build())
+        else Optional.empty()
+      override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = ???
+    }
   }
 
   private def newServerWithRegistrationRequest(testData: RegistrationTestData) = {

From 6aea0fbbeaf1b60a74fc6753439834e84b57552e Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 17 Sep 2019 15:13:20 +0200
Subject: [PATCH 06/24] Extract method RegistrationSTorage.userExists

---
 .../java/demo/webauthn/RegistrationStorage.java   |  4 ++++
 .../main/java/demo/webauthn/WebAuthnServer.java   | 15 ++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/RegistrationStorage.java b/webauthn-server-demo/src/main/java/demo/webauthn/RegistrationStorage.java
index 47a7a2c02..e0fb64718 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/RegistrationStorage.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/RegistrationStorage.java
@@ -39,6 +39,10 @@ public interface RegistrationStorage extends CredentialRepository {
     Optional<CredentialRegistration> getRegistrationByUsernameAndCredentialId(String username, ByteArray credentialId);
     Collection<CredentialRegistration> getRegistrationsByUserHandle(ByteArray userHandle);
 
+    default boolean userExists(String username) {
+        return !getRegistrationsByUsername(username).isEmpty();
+    }
+
     boolean removeRegistrationByUsername(String username, CredentialRegistration credentialRegistration);
     boolean removeAllRegistrations(String username);
 
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
index ef5aa8a16..d713ea931 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
@@ -209,7 +209,16 @@ public Either<String, RegistrationRequest> startRegistration(
     ) {
         logger.trace("startRegistration username: {}, credentialNickname: {}", username, credentialNickname);
 
-        if (userStorage.getRegistrationsByUsername(username).isEmpty()) {
+        final ByteArray userHandle;
+        final boolean userExists = userStorage.userExists(username);
+
+        if (userExists) {
+            userHandle = userStorage.getUserHandleForUsername(username).get();
+        } else {
+            userHandle = generateRandom(32);
+        }
+
+        if (!userExists) {
             RegistrationRequest request = new RegistrationRequest(
                 username,
                 credentialNickname,
@@ -219,7 +228,7 @@ public Either<String, RegistrationRequest> startRegistration(
                         .user(UserIdentity.builder()
                             .name(username)
                             .displayName(displayName)
-                            .id(generateRandom(32))
+                            .id(userHandle)
                             .build()
                         )
                         .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
@@ -461,7 +470,7 @@ public Either<List<String>, SuccessfulU2fRegistrationResult> finishU2fRegistrati
     public Either<List<String>, AssertionRequestWrapper> startAuthentication(Optional<String> username) {
         logger.trace("startAuthentication username: {}", username);
 
-        if (username.isPresent() && userStorage.getRegistrationsByUsername(username.get()).isEmpty()) {
+        if (username.isPresent() && !userStorage.userExists(username.get())) {
             return Either.left(Collections.singletonList("The username \"" + username.get() + "\" is not registered."));
         } else {
             AssertionRequestWrapper request = new AssertionRequestWrapper(

From fbbc9050a822b95c67fe24ff6e123d4a21a23ddf Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 27 Sep 2019 13:26:56 +0200
Subject: [PATCH 07/24] Add session management

---
 .../java/demo/webauthn/SessionManager.java    | 56 +++++++++++++++
 .../demo/webauthn/WebAuthnRestResource.java   | 19 +++--
 .../java/demo/webauthn/WebAuthnServer.java    | 70 ++++++++++++++++---
 .../demo/webauthn/data/AssertionResponse.java |  3 +-
 .../webauthn/data/RegistrationRequest.java    |  1 +
 .../webauthn/data/RegistrationResponse.java   |  7 +-
 .../data/U2fRegistrationResponse.java         |  6 +-
 .../src/main/webapp/index.html                | 49 +++++++++++--
 .../demo/webauthn/WebAuthnServerSpec.scala    |  8 ++-
 9 files changed, 193 insertions(+), 26 deletions(-)
 create mode 100644 webauthn-server-demo/src/main/java/demo/webauthn/SessionManager.java

diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/SessionManager.java b/webauthn-server-demo/src/main/java/demo/webauthn/SessionManager.java
new file mode 100644
index 000000000..dccc7088a
--- /dev/null
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/SessionManager.java
@@ -0,0 +1,56 @@
+package demo.webauthn;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.yubico.webauthn.data.ByteArray;
+import java.security.SecureRandom;
+import java.util.Optional;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import lombok.NonNull;
+
+public class SessionManager {
+
+    private final SecureRandom random = new SecureRandom();
+
+    private final Cache<ByteArray, ByteArray> sessionIdsToUsers = newCache();
+    private final Cache<ByteArray, ByteArray> usersToSessionIds = newCache();
+
+    private static <K, V> Cache<K, V> newCache() {
+        return CacheBuilder.newBuilder()
+            .maximumSize(100)
+            .expireAfterAccess(5, TimeUnit.MINUTES)
+            .build();
+    }
+
+    /**
+     * @return Create a new session for the given user, or return the existing one.
+     */
+    public ByteArray createSession(@NonNull ByteArray userHandle) throws ExecutionException {
+        ByteArray sessionId = usersToSessionIds.get(userHandle, () -> generateRandom(32));
+        sessionIdsToUsers.put(sessionId, userHandle);
+        return sessionId;
+    }
+
+    /**
+     * @return the user handle of the given session, if any.
+     */
+    public Optional<ByteArray> getSession(@NonNull ByteArray token) {
+        return Optional.ofNullable(sessionIdsToUsers.getIfPresent(token));
+    }
+
+    public boolean isSessionForUser(@NonNull ByteArray claimedUserHandle, @NonNull ByteArray token) {
+        return getSession(token).map(claimedUserHandle::equals).orElse(false);
+    }
+
+    public boolean isSessionForUser(@NonNull ByteArray claimedUserHandle, @NonNull Optional<ByteArray> token) {
+        return token.map(t -> isSessionForUser(claimedUserHandle, t)).orElse(false);
+    }
+
+    private ByteArray generateRandom(int length) {
+        byte[] bytes = new byte[length];
+        random.nextBytes(bytes);
+        return new ByteArray(bytes);
+    }
+
+}
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
index df64a38c9..c93673536 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
@@ -59,6 +59,7 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
+import java.util.concurrent.ExecutionException;
 import java.util.stream.Collectors;
 import lombok.NonNull;
 import org.slf4j.Logger;
@@ -151,14 +152,22 @@ public Response startRegistration(
         @NonNull @FormParam("username") String username,
         @NonNull @FormParam("displayName") String displayName,
         @FormParam("credentialNickname") String credentialNickname,
-        @FormParam("requireResidentKey") @DefaultValue("false") boolean requireResidentKey
-    ) throws MalformedURLException {
+        @FormParam("requireResidentKey") @DefaultValue("false") boolean requireResidentKey,
+        @FormParam("sessionToken") String sessionTokenBase64
+    ) throws MalformedURLException, ExecutionException {
         logger.trace("startRegistration username: {}, displayName: {}, credentialNickname: {}, requireResidentKey: {}", username, displayName, credentialNickname, requireResidentKey);
         Either<String, RegistrationRequest> result = server.startRegistration(
             username,
             displayName,
             Optional.ofNullable(credentialNickname),
-            requireResidentKey
+            requireResidentKey,
+            Optional.ofNullable(sessionTokenBase64).map(base64 -> {
+                try {
+                    return ByteArray.fromBase64Url(base64);
+                } catch (Base64UrlException e) {
+                    throw new RuntimeException(e);
+                }
+            })
         );
 
         if (result.isRight()) {
@@ -186,7 +195,7 @@ public Response finishRegistration(@NonNull String responseJson) {
 
     @Path("register/finish-u2f")
     @POST
-    public Response finishU2fRegistration(@NonNull String responseJson) {
+    public Response finishU2fRegistration(@NonNull String responseJson) throws ExecutionException {
         logger.trace("finishRegistration responseJson: {}", responseJson);
         Either<List<String>, WebAuthnServer.SuccessfulU2fRegistrationResult> result = server.finishU2fRegistration(responseJson);
         return finishResponse(
@@ -307,7 +316,7 @@ public Response finishAddCredential(@NonNull String responseJson) {
 
     @Path("action/add-credential/finish/finish-u2f")
     @POST
-    public Response finishU2fAddCredential(@NonNull String responseJson) {
+    public Response finishU2fAddCredential(@NonNull String responseJson) throws ExecutionException {
         return finishU2fRegistration(responseJson);
     }
 
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
index d713ea931..8e9fa1bf1 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
@@ -91,6 +91,7 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.function.Function;
 import java.util.function.Supplier;
@@ -110,6 +111,7 @@ public class WebAuthnServer {
     private final Cache<ByteArray, RegistrationRequest> registerRequestStorage;
     private final RegistrationStorage userStorage;
     private final Cache<AssertionRequestWrapper, AuthenticatedAction> authenticatedActions = newCache();
+    private final SessionManager sessions = new SessionManager();
 
 
     private final TrustResolver trustResolver = new CompositeTrustResolver(Arrays.asList(
@@ -205,8 +207,9 @@ public Either<String, RegistrationRequest> startRegistration(
         @NonNull String username,
         @NonNull String displayName,
         Optional<String> credentialNickname,
-        boolean requireResidentKey
-    ) {
+        boolean requireResidentKey,
+        Optional<ByteArray> sessionToken
+    ) throws ExecutionException {
         logger.trace("startRegistration username: {}, credentialNickname: {}", username, credentialNickname);
 
         final ByteArray userHandle;
@@ -236,7 +239,8 @@ public Either<String, RegistrationRequest> startRegistration(
                             .build()
                         )
                         .build()
-                )
+                ),
+                Optional.of(sessions.createSession(userHandle))
             );
             registerRequestStorage.put(request.getRequestId(), request);
             return Either.right(request);
@@ -265,6 +269,13 @@ public <T> Either<List<String>, AssertionRequestWrapper> startAddCredential(
             final UserIdentity existingUser = registrations.stream().findAny().get().getUserIdentity();
 
             AuthenticatedAction<T> action = (SuccessfulAuthenticationResult result) -> {
+                final ByteArray sessionToken;
+                try {
+                    sessionToken = sessions.createSession(existingUser.getId());
+                } catch (ExecutionException e) {
+                    throw new RuntimeException(e);
+                }
+
                 RegistrationRequest request = new RegistrationRequest(
                     username,
                     credentialNickname,
@@ -277,7 +288,8 @@ public <T> Either<List<String>, AssertionRequestWrapper> startAddCredential(
                                 .build()
                             )
                             .build()
-                    )
+                    ),
+                    Optional.of(sessionToken)
                 );
                 registerRequestStorage.put(request.getRequestId(), request);
 
@@ -298,8 +310,10 @@ public static class SuccessfulRegistrationResult {
         Optional<AttestationCertInfo> attestationCert;
         @JsonSerialize(using = AuthDataSerializer.class)
         AuthenticatorData authData;
+        String username;
+        ByteArray sessionToken;
 
-        public SuccessfulRegistrationResult(RegistrationRequest request, RegistrationResponse response, CredentialRegistration registration, boolean attestationTrusted) {
+        public SuccessfulRegistrationResult(RegistrationRequest request, RegistrationResponse response, CredentialRegistration registration, boolean attestationTrusted, ByteArray sessionToken) {
             this.request = request;
             this.response = response;
             this.registration = registration;
@@ -317,6 +331,8 @@ public SuccessfulRegistrationResult(RegistrationRequest request, RegistrationRes
             })
             .map(AttestationCertInfo::new);
             this.authData = response.getCredential().getResponse().getParsedAuthenticatorData();
+            this.username = request.getUsername();
+            this.sessionToken = sessionToken;
         }
 
     }
@@ -329,6 +345,8 @@ public class SuccessfulU2fRegistrationResult {
         final CredentialRegistration registration;
         boolean attestationTrusted;
         Optional<AttestationCertInfo> attestationCert;
+        final String username;
+        final ByteArray sessionToken;
     }
 
     @Value
@@ -376,6 +394,31 @@ public Either<List<String>, SuccessfulRegistrationResult> finishRegistration(Str
                         .build()
                 );
 
+                if (userStorage.userExists(request.getUsername())) {
+                    boolean permissionGranted = false;
+
+                    final boolean isValidSession = request.getSessionToken().map(token ->
+                        sessions.isSessionForUser(request.getPublicKeyCredentialCreationOptions().getUser().getId(), token)
+                    ).orElse(false);
+
+                    logger.debug("Session token: {}", request.getSessionToken());
+                    logger.debug("Valid session: {}", isValidSession);
+
+                    if (isValidSession) {
+                        permissionGranted = true;
+                        logger.info("Session token accepted for user {}", request.getPublicKeyCredentialCreationOptions().getUser().getId());
+                    }
+
+                    logger.debug("permissionGranted: {}", permissionGranted);
+
+                    if (!permissionGranted) {
+                        throw new RegistrationFailedException(new IllegalArgumentException(String.format(
+                            "User %s already exists",
+                            request.getUsername()
+                        )));
+                    }
+                }
+
                 return Either.right(
                     new SuccessfulRegistrationResult(
                         request,
@@ -386,7 +429,8 @@ public Either<List<String>, SuccessfulRegistrationResult> finishRegistration(Str
                             response,
                             registration
                         ),
-                        registration.isAttestationTrusted()
+                        registration.isAttestationTrusted(),
+                        sessions.createSession(request.getPublicKeyCredentialCreationOptions().getUser().getId())
                     )
                 );
             } catch (RegistrationFailedException e) {
@@ -399,7 +443,7 @@ public Either<List<String>, SuccessfulRegistrationResult> finishRegistration(Str
         }
     }
 
-    public Either<List<String>, SuccessfulU2fRegistrationResult> finishU2fRegistration(String responseJson) {
+    public Either<List<String>, SuccessfulU2fRegistrationResult> finishU2fRegistration(String responseJson) throws ExecutionException {
         logger.trace("finishU2fRegistration responseJson: {}", responseJson);
         U2fRegistrationResponse response = null;
         try {
@@ -461,7 +505,9 @@ public Either<List<String>, SuccessfulU2fRegistrationResult> finishU2fRegistrati
                         result
                     ),
                     result.isAttestationTrusted(),
-                    Optional.of(new AttestationCertInfo(response.getCredential().getU2fResponse().getAttestationCertAndSignature()))
+                    Optional.of(new AttestationCertInfo(response.getCredential().getU2fResponse().getAttestationCertAndSignature())),
+                    request.getUsername(),
+                    sessions.createSession(request.getPublicKeyCredentialCreationOptions().getUser().getId())
                 )
             );
         }
@@ -496,14 +542,18 @@ public static final class SuccessfulAuthenticationResult {
         private final AssertionResponse response;
         private final Collection<CredentialRegistration> registrations;
         @JsonSerialize(using = AuthDataSerializer.class) AuthenticatorData authData;
+        private final String username;
+        private final ByteArray sessionToken;
         private final List<String> warnings;
 
-        public SuccessfulAuthenticationResult(AssertionRequestWrapper request, AssertionResponse response, Collection<CredentialRegistration> registrations, List<String> warnings) {
+        public SuccessfulAuthenticationResult(AssertionRequestWrapper request, AssertionResponse response, Collection<CredentialRegistration> registrations, String username, ByteArray sessionToken, List<String> warnings) {
             this(
                 request,
                 response,
                 registrations,
                 response.getCredential().getResponse().getParsedAuthenticatorData(),
+                username,
+                sessionToken,
                 warnings
             );
         }
@@ -551,6 +601,8 @@ public Either<List<String>, SuccessfulAuthenticationResult> finishAuthentication
                             request,
                             response,
                             userStorage.getRegistrationsByUsername(result.getUsername()),
+                            result.getUsername(),
+                            sessions.createSession(result.getUserHandle()),
                             result.getWarnings()
                         )
                     );
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/data/AssertionResponse.java b/webauthn-server-demo/src/main/java/demo/webauthn/data/AssertionResponse.java
index 39f985402..e9b8abf9a 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/data/AssertionResponse.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/data/AssertionResponse.java
@@ -24,6 +24,7 @@
 
 package demo.webauthn.data;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.ByteArray;
@@ -32,10 +33,10 @@
 import lombok.Value;
 
 @Value
+@JsonIgnoreProperties({ "sessionToken" })
 public class AssertionResponse {
 
     private final ByteArray requestId;
-
     private final PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> credential;
 
     public AssertionResponse(
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/data/RegistrationRequest.java b/webauthn-server-demo/src/main/java/demo/webauthn/data/RegistrationRequest.java
index b3ea1c39e..ffd50958f 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/data/RegistrationRequest.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/data/RegistrationRequest.java
@@ -38,5 +38,6 @@ public class RegistrationRequest {
     Optional<String> credentialNickname;
     ByteArray requestId;
     PublicKeyCredentialCreationOptions publicKeyCredentialCreationOptions;
+    Optional<ByteArray> sessionToken;
 
 }
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/data/RegistrationResponse.java b/webauthn-server-demo/src/main/java/demo/webauthn/data/RegistrationResponse.java
index 1b616be64..fd2f8668f 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/data/RegistrationResponse.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/data/RegistrationResponse.java
@@ -30,6 +30,7 @@
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
+import java.util.Optional;
 import lombok.Value;
 
 @Value
@@ -39,13 +40,17 @@ public class RegistrationResponse {
 
     private final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> credential;
 
+    private final Optional<ByteArray> sessionToken;
+
     @JsonCreator
     public RegistrationResponse(
         @JsonProperty("requestId") ByteArray requestId,
-        @JsonProperty("credential") PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> credential
+        @JsonProperty("credential") PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> credential,
+        @JsonProperty("sessionToken") Optional<ByteArray> sessionToken
     ) {
         this.requestId = requestId;
         this.credential = credential;
+        this.sessionToken = sessionToken;
     }
 
 }
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fRegistrationResponse.java b/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fRegistrationResponse.java
index ed839b05f..36fe7e1ab 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fRegistrationResponse.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fRegistrationResponse.java
@@ -27,6 +27,7 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yubico.webauthn.data.ByteArray;
+import java.util.Optional;
 import lombok.NonNull;
 import lombok.Value;
 
@@ -35,14 +36,17 @@ public class U2fRegistrationResponse {
 
     private final ByteArray requestId;
     private final U2fCredential credential;
+    private final Optional<ByteArray> sessionToken;
 
     @JsonCreator
     public U2fRegistrationResponse(
         @NonNull @JsonProperty("requestId") ByteArray requestId,
-        @NonNull @JsonProperty("credential") U2fCredential credential
+        @NonNull @JsonProperty("credential") U2fCredential credential,
+        @NonNull @JsonProperty("sessionToken") Optional<ByteArray> sessionToken
     ) {
         this.requestId = requestId;
         this.credential = credential;
+        this.sessionToken = sessionToken;
     }
 
 }
diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index 2f5314dc8..f1553db7b 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -60,6 +60,8 @@
   <script>
 
 let ceremonyState = {};
+let session = {
+};
 
 function extend(obj, more) {
   return Object.assign({}, obj, more);
@@ -73,6 +75,32 @@
   }
 }
 
+function updateSession(response) {
+  if (response.sessionToken) {
+     session.sessionToken = response.sessionToken;
+  }
+  if (response.username) {
+    session.username = response.username;
+  }
+  updateSessionBox();
+  return response;
+}
+
+function logout() {
+  session = {};
+  updateSession({});
+}
+
+function updateSessionBox() {
+  if (session.username) {
+    document.getElementById('session').textContent = `Logged in as ${session.username}`;
+    document.getElementById('logoutButton').disabled = false;
+  } else {
+    document.getElementById('session').textContent = 'Not logged in.';
+    document.getElementById('logoutButton').disabled = true;
+  }
+}
+
 function rejected(err) {
   return new Promise((resolve, reject) => reject(err));
 }
@@ -150,10 +178,12 @@
       displayName,
       credentialNickname,
       requireResidentKey,
+      sessionToken: session.sessionToken || null,
     }),
     method: 'POST',
   })
     .then(response => response.json())
+    .then(updateSession)
     .then(rejectIfNotSuccess)
   ;
 }
@@ -234,18 +264,21 @@
   });
 }
 
-function submitResponse(url, requestId, response) {
-  console.log('submitResponse', url, requestId, response);
+function submitResponse(url, request, response) {
+  console.log('submitResponse', url, request, response);
 
   const body = {
-    requestId,
+    requestId: request.requestId,
     credential: response,
+    sessionToken: request.sessionToken || session.sessionToken || null,
   };
 
   return fetch(url, {
     method: 'POST',
     body: JSON.stringify(body),
-  }).then(response => response.json());
+  })
+    .then(response => response.json())
+    .then(updateSession)
   ;
 }
 
@@ -289,7 +322,6 @@
         .then(webauthn.responseToObject);
     })
     .then(finishCeremony)
-
   ;
 }
 
@@ -306,7 +338,7 @@
   }
   showAuthenticatorResponse(response);
 
-  return submitResponse(useU2f ? urls.finishU2f : urls.finish, request.requestId, response)
+  return submitResponse(useU2f ? urls.finishU2f : urls.finish, request, response)
     .then(data => {
       if (data && data.success) {
         setStatus(statusStrings.success);
@@ -392,6 +424,7 @@
     method: 'POST',
   })
     .then(response => response.json())
+    .then(updateSession)
     .then(rejectIfNotSuccess)
   ;
 }
@@ -401,10 +434,12 @@
     body: new URLSearchParams({
       username,
       credentialId,
+      sessionToken: session.sessionToken,
     }),
     method: 'POST',
   })
     .then(response => response.json())
+    .then(updateSession)
     .then(rejectIfNotSuccess)
   ;
 }
@@ -605,6 +640,8 @@ <h1> Test your WebAuthn device </h1>
     </form>
 
 
+    <p id="session">Not logged in.</p>
+    <button id="logoutButton" disabled="disabled" onClick="javascript:logout()">Log out</button>
     <p id="status"></p>
     <div id="messages"></div>
 
diff --git a/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala b/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
index 715ca4329..fb6db5e0f 100644
--- a/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
+++ b/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
@@ -77,7 +77,7 @@ class WebAuthnServerSpec extends FunSpec with Matchers {
 
       it("has a start method whose output can be serialized to JSON.") {
         val server = newServer
-        val request = server.startRegistration(username, displayName, credentialNickname, requireResidentKey)
+        val request = server.startRegistration(username, displayName, credentialNickname, requireResidentKey, Optional.empty())
         val json = jsonMapper.writeValueAsString(request.right.get)
 
         json should not be null
@@ -90,7 +90,8 @@ class WebAuthnServerSpec extends FunSpec with Matchers {
 
         val response = new RegistrationResponse(
           requestId,
-          RegistrationTestData.FidoU2f.BasicAttestation.response
+          RegistrationTestData.FidoU2f.BasicAttestation.response,
+          Optional.empty()
         )
 
         val authenticationAttestationResponseJson = """{"attestationObject":"v2hhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NBAAAFOQABAgMEBQYHCAkKCwwNDg8AIIjjhj6nH3qL2QF3tkUogilFykuaXjJTw35O4m-0NSX0pSJYIA5Nt8eYkLco-NQfKPXaA6dD9UfX_SHaYo-L-YQb78HsAyYBAiFYIOuzRl1o1Hem2jVRYhjkbSeIydhqLln9iltAgsDYjXRTIAFjZm10aGZpZG8tdTJmZ2F0dFN0bXS_Y3g1Y59ZAekwggHlMIIBjKADAgECAgIFOTAKBggqhkjOPQQDAjBqMSYwJAYDVQQDDB1ZdWJpY28gV2ViQXV0aG4gdW5pdCB0ZXN0cyBDQTEPMA0GA1UECgwGWXViaWNvMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMQswCQYDVQQGEwJTRTAeFw0xODA5MDYxNzQyMDBaFw0xODA5MDYxNzQyMDBaMGcxIzAhBgNVBAMMGll1YmljbyBXZWJBdXRobiB1bml0IHRlc3RzMQ8wDQYDVQQKDAZZdWJpY28xIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24xCzAJBgNVBAYTAlNFMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ-8bFED9TnFhaArujgB0foNaV4gQIulP1mC5DO1wvSByw4eOyXujpPHkTw9y5e5J2J3N9coSReZJgBRpvFzYD6MlMCMwIQYLKwYBBAGC5RwBAQQEEgQQAAECAwQFBgcICQoLDA0ODzAKBggqhkjOPQQDAgNHADBEAiB4bL25EH06vPBOVnReObXrS910ARVOLJPPnKNoZbe64gIgX1Rg5oydH45zEMEVDjNPStwv6Z3nE_isMeY-szlQhv3_Y3NpZ1hHMEUCIQDBs1nbSuuKQ6yoHMQoRp8eCT_HZvR45F_aVP6qFX_wKgIgMCL58bv-crkLwTwiEL9ibCV4nDYM-DZuW5_BFCJbcxn__w","clientDataJSON":"eyJjaGFsbGVuZ2UiOiJBQUVCQWdNRkNBMFZJamRaRUdsNVlscyIsIm9yaWdpbiI6ImxvY2FsaG9zdCIsInR5cGUiOiJ3ZWJhdXRobi5jcmVhdGUiLCJ0b2tlbkJpbmRpbmciOnsic3RhdHVzIjoic3VwcG9ydGVkIn19"}"""
@@ -222,7 +223,8 @@ class WebAuthnServerSpec extends FunSpec with Matchers {
       testData.userId.getName,
       credentialNickname,
       requestId,
-      testData.request
+      testData.request,
+      Optional.empty()
     ))
 
     new WebAuthnServer(new InMemoryRegistrationStorage, registrationRequests, newCache(), rpId, origins, appId)

From f03c149d9ee5fa362a6f460d426bb6f815f2f822 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 27 Sep 2019 16:54:31 +0200
Subject: [PATCH 08/24] Merge add credential flow into logged-in registration
 flow

---
 .../demo/webauthn/WebAuthnRestResource.java   | 44 +---------
 .../java/demo/webauthn/WebAuthnServer.java    | 87 ++++---------------
 .../src/main/webapp/index.html                | 52 +++--------
 .../demo/webauthn/WebAuthnServerSpec.scala    |  2 +-
 4 files changed, 34 insertions(+), 151 deletions(-)

diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
index c93673536..5768b109e 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
@@ -92,7 +92,6 @@ private IndexResponse() throws MalformedURLException {
         }
     }
     private final class Index {
-        public final URL addCredential;
         public final URL authenticate;
         public final URL deleteAccount;
         public final URL deregister;
@@ -100,7 +99,6 @@ private final class Index {
 
 
         public Index() throws MalformedURLException {
-            addCredential = uriInfo.getAbsolutePathBuilder().path("action").path("add-credential").build().toURL();
             authenticate = uriInfo.getAbsolutePathBuilder().path("authenticate").build().toURL();
             deleteAccount = uriInfo.getAbsolutePathBuilder().path("delete-account").build().toURL();
             deregister = uriInfo.getAbsolutePathBuilder().path("action").path("deregister").build().toURL();
@@ -158,7 +156,7 @@ public Response startRegistration(
         logger.trace("startRegistration username: {}, displayName: {}, credentialNickname: {}, requireResidentKey: {}", username, displayName, credentialNickname, requireResidentKey);
         Either<String, RegistrationRequest> result = server.startRegistration(
             username,
-            displayName,
+            Optional.of(displayName),
             Optional.ofNullable(credentialNickname),
             requireResidentKey,
             Optional.ofNullable(sessionTokenBase64).map(base64 -> {
@@ -280,46 +278,6 @@ private StartAuthenticatedActionActions() throws MalformedURLException {
         }
     }
 
-    @Path("action/add-credential")
-    @POST
-    public Response addCredential(
-        @NonNull @FormParam("username") String username,
-        @FormParam("credentialNickname") String credentialNickname,
-        @FormParam("requireResidentKey") @DefaultValue("false") boolean requireResidentKey
-    ) throws MalformedURLException {
-        logger.trace("addCredential username: {}, credentialNickname: {}, requireResidentKey: {}", username, credentialNickname, requireResidentKey);
-
-        Either<List<String>, AssertionRequestWrapper> result = server.startAddCredential(username, Optional.ofNullable(credentialNickname), requireResidentKey, (RegistrationRequest request) -> {
-            try {
-                return Either.right(new StartRegistrationResponse(request));
-            } catch (MalformedURLException e) {
-                logger.error("Failed to construct registration response", e);
-                return Either.left(Arrays.asList("Failed to construct response. This is probably a bug in the server."));
-            }
-        });
-
-        if (result.isRight()) {
-            return startResponse("addCredential", new StartAuthenticatedActionResponse(result.right().get()));
-        } else {
-            return messagesJson(
-                Response.status(Status.BAD_REQUEST),
-                result.left().get()
-            );
-        }
-    }
-
-    @Path("action/add-credential/finish/finish")
-    @POST
-    public Response finishAddCredential(@NonNull String responseJson) {
-        return finishRegistration(responseJson);
-    }
-
-    @Path("action/add-credential/finish/finish-u2f")
-    @POST
-    public Response finishU2fAddCredential(@NonNull String responseJson) throws ExecutionException {
-        return finishU2fRegistration(responseJson);
-    }
-
     @Path("action/deregister")
     @POST
     public Response deregisterCredential(
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
index 8e9fa1bf1..ca0aa366a 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
@@ -205,42 +205,44 @@ private static <K, V> Cache<K, V> newCache() {
 
     public Either<String, RegistrationRequest> startRegistration(
         @NonNull String username,
-        @NonNull String displayName,
+        Optional<String> displayName,
         Optional<String> credentialNickname,
         boolean requireResidentKey,
         Optional<ByteArray> sessionToken
     ) throws ExecutionException {
         logger.trace("startRegistration username: {}, credentialNickname: {}", username, credentialNickname);
 
-        final ByteArray userHandle;
-        final boolean userExists = userStorage.userExists(username);
-
-        if (userExists) {
-            userHandle = userStorage.getUserHandleForUsername(username).get();
-        } else {
-            userHandle = generateRandom(32);
-        }
+        final Collection<CredentialRegistration> registrations = userStorage.getRegistrationsByUsername(username);
+        final Optional<UserIdentity> existingUser =
+            registrations.stream().findAny().map(CredentialRegistration::getUserIdentity);
+        final boolean permissionGranted = existingUser
+            .map(userIdentity ->
+                sessions.isSessionForUser(userIdentity.getId(), sessionToken))
+            .orElse(true);
+
+        if (permissionGranted) {
+            final UserIdentity registrationUserId = existingUser.orElseGet(() ->
+                UserIdentity.builder()
+                    .name(username)
+                    .displayName(displayName.get())
+                    .id(generateRandom(32))
+                    .build()
+            );
 
-        if (!userExists) {
             RegistrationRequest request = new RegistrationRequest(
                 username,
                 credentialNickname,
                 generateRandom(32),
                 rp.startRegistration(
                     StartRegistrationOptions.builder()
-                        .user(UserIdentity.builder()
-                            .name(username)
-                            .displayName(displayName)
-                            .id(userHandle)
-                            .build()
-                        )
+                        .user(registrationUserId)
                         .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
                             .requireResidentKey(requireResidentKey)
                             .build()
                         )
                         .build()
                 ),
-                Optional.of(sessions.createSession(userHandle))
+                Optional.of(sessions.createSession(registrationUserId.getId()))
             );
             registerRequestStorage.put(request.getRequestId(), request);
             return Either.right(request);
@@ -249,57 +251,6 @@ public Either<String, RegistrationRequest> startRegistration(
         }
     }
 
-    public <T> Either<List<String>, AssertionRequestWrapper> startAddCredential(
-        @NonNull String username,
-        Optional<String> credentialNickname,
-        boolean requireResidentKey,
-        Function<RegistrationRequest, Either<List<String>, T>> whenAuthenticated
-    ) {
-        logger.trace("startAddCredential username: {}, credentialNickname: {}, requireResidentKey: {}", username, credentialNickname, requireResidentKey);
-
-        if (username == null || username.isEmpty()) {
-            return Either.left(Collections.singletonList("username must not be empty."));
-        }
-
-        Collection<CredentialRegistration> registrations = userStorage.getRegistrationsByUsername(username);
-
-        if (registrations.isEmpty()) {
-            return Either.left(Collections.singletonList("The username \"" + username + "\" is not registered."));
-        } else {
-            final UserIdentity existingUser = registrations.stream().findAny().get().getUserIdentity();
-
-            AuthenticatedAction<T> action = (SuccessfulAuthenticationResult result) -> {
-                final ByteArray sessionToken;
-                try {
-                    sessionToken = sessions.createSession(existingUser.getId());
-                } catch (ExecutionException e) {
-                    throw new RuntimeException(e);
-                }
-
-                RegistrationRequest request = new RegistrationRequest(
-                    username,
-                    credentialNickname,
-                    generateRandom(32),
-                    rp.startRegistration(
-                        StartRegistrationOptions.builder()
-                            .user(existingUser)
-                            .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
-                                .requireResidentKey(requireResidentKey)
-                                .build()
-                            )
-                            .build()
-                    ),
-                    Optional.of(sessionToken)
-                );
-                registerRequestStorage.put(request.getRequestId(), request);
-
-                return whenAuthenticated.apply(request);
-            };
-
-            return startAuthenticatedAction(Optional.of(username), action);
-        }
-    }
-
     @Value
     public static class SuccessfulRegistrationResult {
         final boolean success = true;
diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index f1553db7b..d866e3921 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -83,6 +83,7 @@
     session.username = response.username;
   }
   updateSessionBox();
+  updateRegisterButtons();
   return response;
 }
 
@@ -101,6 +102,16 @@
   }
 }
 
+function updateRegisterButtons() {
+  if (session.sessionToken) {
+     document.getElementById('registerButton').textContent = 'Add credential';
+     document.getElementById('registerRkButton').textContent = 'Add resident credential';
+  } else {
+     document.getElementById('registerButton').textContent = 'Register new account';
+     document.getElementById('registerRkButton').textContent = 'Register new account with resident credential';
+  }
+}
+
 function rejected(err) {
   return new Promise((resolve, reject) => reject(err));
 }
@@ -519,33 +530,6 @@
     });
 }
 
-function getAddCredentialRequest(url, username, credentialNickname) {
-  return fetch(url, {
-    body: new URLSearchParams({
-      username,
-      credentialNickname,
-    }),
-    method: 'POST',
-  }).then(response => response.json());
-}
-
-function addCredential(useU2f = false) {
-  const username = document.getElementById('username').value;
-  const credentialNickname = document.getElementById('credentialNickname').value;
-
-  return authenticate(
-    username,
-    urls => getAddCredentialRequest(urls.addCredential, username, credentialNickname)
-  )
-    .then(data =>
-      register(
-        username,
-        () => data
-      )
-    )
-  ;
-}
-
 function init() {
   hideDeviceInfo();
   return false;
@@ -583,12 +567,12 @@ <h1> Test your WebAuthn device </h1>
         <label for="credentialNickname">Credential nickname:</label>
         <div><input type="text" id="credentialNickname"/></div>
         <div>
-          <button type="button" onClick="javascript:register()">
+          <button type="button" id="registerButton" onClick="javascript:register()">
             Register new account
           </button>
         </div>
         <div>
-          <button type="button" onClick="javascript:registerResidentKey()">
+          <button type="button" id="registerRkButton" onClick="javascript:registerResidentKey()">
             Register new account with resident credential
           </button>
         </div>
@@ -609,16 +593,6 @@ <h1> Test your WebAuthn device </h1>
         </div>
       </div>
 
-      <div class="row">
-        <div></div>
-        <div></div>
-        <div>
-          <button type="button" onClick="javascript:addCredential()">
-            Register additional credential
-          </button>
-        </div>
-      </div>
-
       <div class="row">
         <div></div>
         <div></div>
diff --git a/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala b/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
index fb6db5e0f..429584575 100644
--- a/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
+++ b/webauthn-server-demo/src/test/scala/demo/webauthn/WebAuthnServerSpec.scala
@@ -77,7 +77,7 @@ class WebAuthnServerSpec extends FunSpec with Matchers {
 
       it("has a start method whose output can be serialized to JSON.") {
         val server = newServer
-        val request = server.startRegistration(username, displayName, credentialNickname, requireResidentKey, Optional.empty())
+        val request = server.startRegistration(username, Optional.of(displayName), credentialNickname, requireResidentKey, Optional.empty())
         val json = jsonMapper.writeValueAsString(request.right.get)
 
         json should not be null

From 62e06a7f6e6d053bdfce4eabdf9113d138ccc065 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 27 Sep 2019 17:38:51 +0200
Subject: [PATCH 09/24] Authenticate deregisterCredential using session instead
 of authenticated action

---
 .../demo/webauthn/WebAuthnRestResource.java   | 32 +++++++++------
 .../java/demo/webauthn/WebAuthnServer.java    | 36 ++++++++++-------
 .../src/main/webapp/index.html                | 40 +++++++------------
 3 files changed, 55 insertions(+), 53 deletions(-)

diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
index 5768b109e..a1234b572 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
@@ -51,6 +51,7 @@
 import com.yubico.webauthn.extension.appid.InvalidAppIdException;
 import com.yubico.webauthn.meta.VersionInfo;
 import demo.webauthn.data.AssertionRequestWrapper;
+import demo.webauthn.data.CredentialRegistration;
 import demo.webauthn.data.RegistrationRequest;
 import java.io.IOException;
 import java.net.MalformedURLException;
@@ -281,10 +282,10 @@ private StartAuthenticatedActionActions() throws MalformedURLException {
     @Path("action/deregister")
     @POST
     public Response deregisterCredential(
-        @NonNull @FormParam("username") String username,
+        @NonNull @FormParam("sessionToken") String sessionTokenBase64,
         @NonNull @FormParam("credentialId") String credentialIdBase64
-    ) throws MalformedURLException {
-        logger.trace("deregisterCredential username: {}, credentialId: {}", username, credentialIdBase64);
+    ) throws MalformedURLException, Base64UrlException {
+        logger.trace("deregisterCredential sesion: {}, credentialId: {}", sessionTokenBase64, credentialIdBase64);
 
         final ByteArray credentialId;
         try {
@@ -296,20 +297,27 @@ public Response deregisterCredential(
             );
         }
 
-        Either<List<String>, AssertionRequestWrapper> result = server.deregisterCredential(username, credentialId, (credentialRegistration -> {
+        Either<List<String>, CredentialRegistration> result = server.deregisterCredential(
+            ByteArray.fromBase64Url(sessionTokenBase64),
+            credentialId
+        );
+
+        if (result.isRight()) {
             try {
-                return ((ObjectNode) jsonFactory.objectNode()
-                        .set("success", jsonFactory.booleanNode(true)))
-                        .set("droppedRegistration", jsonMapper.readTree(writeJson(credentialRegistration)))
-                ;
+                JsonNode jsonResult = ((ObjectNode) jsonFactory.objectNode()
+                    .set("success", jsonFactory.booleanNode(true)))
+                    .set("droppedRegistration", jsonMapper.readTree(writeJson(result.right().get())));
+
+                return finishResponse(
+                    Either.right(jsonResult),
+                    "Failed to deregister credential; further error message(s) were unfortunately lost to an internal server error.",
+                    "deregisterCredential",
+                    ""
+                );
             } catch (IOException e) {
                 logger.error("Failed to write response as JSON", e);
                 throw new RuntimeException(e);
             }
-        }));
-
-        if (result.isRight()) {
-            return startResponse("deregisterCredential", new StartAuthenticatedActionResponse(result.right().get()));
         } else {
             return messagesJson(
                 Response.status(Status.BAD_REQUEST),
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
index ca0aa366a..cde87573f 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
@@ -595,29 +595,35 @@ public Either<List<String>, AssertionRequestWrapper> startAuthenticatedAction(Op
             });
     }
 
-    public <T> Either<List<String>, AssertionRequestWrapper> deregisterCredential(String username, ByteArray credentialId, Function<CredentialRegistration, T> resultMapper) {
-        logger.trace("deregisterCredential username: {}, credentialId: {}", username, credentialId);
-
-        if (username == null || username.isEmpty()) {
-            return Either.left(Collections.singletonList("Username must not be empty."));
-        }
+    public Either<List<String>, CredentialRegistration> deregisterCredential(
+        @NonNull ByteArray sessionToken,
+        ByteArray credentialId
+    ) {
+        logger.trace("deregisterCredential session: {}, credentialId: {}", sessionToken, credentialId);
 
         if (credentialId == null || credentialId.getBytes().length == 0) {
             return Either.left(Collections.singletonList("Credential ID must not be empty."));
         }
 
-        AuthenticatedAction<T> action = (SuccessfulAuthenticationResult result) -> {
-            Optional<CredentialRegistration> credReg = userStorage.getRegistrationByUsernameAndCredentialId(username, credentialId);
+        Optional<ByteArray> session = sessions.getSession(sessionToken);
+        if (session.isPresent()) {
+            ByteArray userHandle = session.get();
+            Optional<String> username = userStorage.getUsernameForUserHandle(userHandle);
 
-            if (credReg.isPresent()) {
-                userStorage.removeRegistrationByUsername(username, credReg.get());
-                return Either.right(resultMapper.apply(credReg.get()));
+            if (username.isPresent()) {
+                Optional<CredentialRegistration> credReg = userStorage.getRegistrationByUsernameAndCredentialId(username.get(), credentialId);
+                if (credReg.isPresent()) {
+                    userStorage.removeRegistrationByUsername(username.get(), credReg.get());
+                    return Either.right(credReg.get());
+                } else {
+                    return Either.left(Collections.singletonList("Credential ID not registered:" + credentialId));
+                }
             } else {
-                return Either.left(Collections.singletonList("Credential ID not registered:" + credentialId));
+                return Either.left(Collections.singletonList("Invalid user handle"));
             }
-        };
-
-        return startAuthenticatedAction(Optional.of(username), action);
+        } else {
+            return Either.left(Collections.singletonList("Invalid session"));
+        }
     }
 
     public <T> Either<List<String>, T> deleteAccount(String username, Supplier<T> onSuccess) {
diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index d866e3921..40c7cd789 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -440,21 +440,6 @@
   ;
 }
 
-function getDeregisterRequest(urls, username, credentialId) {
-  return fetch(urls.deregister, {
-    body: new URLSearchParams({
-      username,
-      credentialId,
-      sessionToken: session.sessionToken,
-    }),
-    method: 'POST',
-  })
-    .then(response => response.json())
-    .then(updateSession)
-    .then(rejectIfNotSuccess)
-  ;
-}
-
 function executeAuthenticateRequest(request) {
   console.log('executeAuthenticateRequest', request);
 
@@ -494,19 +479,22 @@
 }
 
 function deregister() {
-  const username = document.getElementById('username').value;
   const credentialId = document.getElementById('deregisterCredentialId').value;
+  addMessage('Deregistering credential...');
 
-  return performCeremony({
-    getIndexActions,
-    getRequest: urls => getDeregisterRequest(urls, username, credentialId),
-    statusStrings: {
-      init: 'Initiating authentication ceremony with server...',
-      authenticatorRequest: 'Asking authenticators to perform assertion...',
-      success: 'Authentication successful!',
-    },
-    executeRequest: executeAuthenticateRequest,
-  })
+  return getIndexActions()
+    .then(urls =>
+      fetch(urls.deregister, {
+       body: new URLSearchParams({
+         credentialId,
+         sessionToken: session.sessionToken || null,
+       }),
+       method: 'POST',
+     })
+    )
+    .then(response => response.json())
+    .then(updateSession)
+    .then(rejectIfNotSuccess)
     .then(data => {
       if (data.success) {
         if (data.droppedRegistration) {

From 1fc7bc8a173bb6d4e361ad91c00c6fb7400a4c15 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 27 Sep 2019 17:45:36 +0200
Subject: [PATCH 10/24] Delete authenticated actions framework

---
 webauthn-server-demo/README                   |  4 +--
 .../demo/webauthn/AuthenticatedAction.java    | 33 -------------------
 .../demo/webauthn/WebAuthnRestResource.java   | 32 ------------------
 .../java/demo/webauthn/WebAuthnServer.java    | 27 ---------------
 4 files changed, 2 insertions(+), 94 deletions(-)
 delete mode 100644 webauthn-server-demo/src/main/java/demo/webauthn/AuthenticatedAction.java

diff --git a/webauthn-server-demo/README b/webauthn-server-demo/README
index d76e29327..6462d65da 100644
--- a/webauthn-server-demo/README
+++ b/webauthn-server-demo/README
@@ -3,8 +3,8 @@
 A simple self-contained demo server supporting multiple authenticators per user.
 It illustrates how to use the required integration points, the most important of
 which is the user and credential registration storage, and also illustrates how
-one can build on API to enable advanced features like *authenticated actions*,
-such as adding an additional authenticator or deregistering a credential.
+one can perform auxiliary actions such as adding an additional authenticator or
+deregistering a credential.
 
 The central part is the
 https://github.com/Yubico/java-webauthn-server/blob/master/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java[WebAuthnServer]
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/AuthenticatedAction.java b/webauthn-server-demo/src/main/java/demo/webauthn/AuthenticatedAction.java
deleted file mode 100644
index 51b010354..000000000
--- a/webauthn-server-demo/src/main/java/demo/webauthn/AuthenticatedAction.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-//    list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-//    this list of conditions and the following disclaimer in the documentation
-//    and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package demo.webauthn;
-
-import com.yubico.util.Either;
-import demo.webauthn.WebAuthnServer.SuccessfulAuthenticationResult;
-import java.util.List;
-import java.util.function.Function;
-
-public interface AuthenticatedAction<T> extends Function<SuccessfulAuthenticationResult, Either<List<String>, T>> {
-}
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
index a1234b572..49fd48eab 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
@@ -247,38 +247,6 @@ public Response finishAuthentication(@NonNull String responseJson) {
         );
     }
 
-    @Path("action/{action}/finish")
-    @POST
-    public Response finishAuthenticatedAction(
-        @NonNull @PathParam("action") String action,
-        @NonNull String responseJson
-    ) {
-        logger.trace("finishAuthenticatedAction: {}, responseJson: {}", action, responseJson);
-        Either<List<String>, ?> mappedResult = server.finishAuthenticatedAction(responseJson);
-
-        return finishResponse(
-            mappedResult,
-            "Action succeeded; further error message(s) were unfortunately lost to an internal server error.",
-            "finishAuthenticatedAction",
-            responseJson
-        );
-    }
-
-    private final class StartAuthenticatedActionResponse {
-        public final boolean success = true;
-        public final AssertionRequestWrapper request;
-        public final StartAuthenticatedActionActions actions = new StartAuthenticatedActionActions();
-        private StartAuthenticatedActionResponse(AssertionRequestWrapper request) throws MalformedURLException {
-            this.request = request;
-        }
-    }
-    private final class StartAuthenticatedActionActions {
-        public final URL finish = uriInfo.getAbsolutePathBuilder().path("finish").build().toURL();
-        public final URL finishU2f = uriInfo.getAbsolutePathBuilder().path("finish-u2f").build().toURL();
-        private StartAuthenticatedActionActions() throws MalformedURLException {
-        }
-    }
-
     @Path("action/deregister")
     @POST
     public Response deregisterCredential(
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
index cde87573f..9edbd3824 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
@@ -93,7 +93,6 @@
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
-import java.util.function.Function;
 import java.util.function.Supplier;
 import lombok.AllArgsConstructor;
 import lombok.NonNull;
@@ -110,7 +109,6 @@ public class WebAuthnServer {
     private final Cache<ByteArray, AssertionRequestWrapper> assertRequestStorage;
     private final Cache<ByteArray, RegistrationRequest> registerRequestStorage;
     private final RegistrationStorage userStorage;
-    private final Cache<AssertionRequestWrapper, AuthenticatedAction> authenticatedActions = newCache();
     private final SessionManager sessions = new SessionManager();
 
 
@@ -570,31 +568,6 @@ public Either<List<String>, SuccessfulAuthenticationResult> finishAuthentication
         }
     }
 
-    public Either<List<String>, AssertionRequestWrapper> startAuthenticatedAction(Optional<String> username, AuthenticatedAction<?> action) {
-        return startAuthentication(username)
-            .map(request -> {
-                synchronized (authenticatedActions) {
-                    authenticatedActions.put(request, action);
-                }
-                return request;
-            });
-    }
-
-    public Either<List<String>, ?> finishAuthenticatedAction(String responseJson) {
-        return finishAuthentication(responseJson)
-            .flatMap(result -> {
-                AuthenticatedAction<?> action = authenticatedActions.getIfPresent(result.request);
-                authenticatedActions.invalidate(result.request);
-                if (action == null) {
-                    return Either.left(Collections.singletonList(
-                        "No action was associated with assertion request ID: " + result.getRequest().getRequestId()
-                    ));
-                } else {
-                    return action.apply(result);
-                }
-            });
-    }
-
     public Either<List<String>, CredentialRegistration> deregisterCredential(
         @NonNull ByteArray sessionToken,
         ByteArray credentialId

From 86615a5e7fe7b056a31b9033cfd8a16fedd83fd3 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 27 Sep 2019 17:59:10 +0200
Subject: [PATCH 11/24] Indicate when deregistering the last credential deletes
 the account

---
 .../demo/webauthn/WebAuthnRestResource.java   | 24 +++++++------------
 .../java/demo/webauthn/WebAuthnServer.java    | 15 ++++++++++--
 .../src/main/webapp/index.html                |  4 ++++
 3 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
index 49fd48eab..f23adf83c 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
@@ -50,6 +50,7 @@
 import com.yubico.webauthn.data.exception.Base64UrlException;
 import com.yubico.webauthn.extension.appid.InvalidAppIdException;
 import com.yubico.webauthn.meta.VersionInfo;
+import demo.webauthn.WebAuthnServer.DeregisterCredentialResult;
 import demo.webauthn.data.AssertionRequestWrapper;
 import demo.webauthn.data.CredentialRegistration;
 import demo.webauthn.data.RegistrationRequest;
@@ -265,27 +266,18 @@ public Response deregisterCredential(
             );
         }
 
-        Either<List<String>, CredentialRegistration> result = server.deregisterCredential(
+        Either<List<String>, DeregisterCredentialResult> result = server.deregisterCredential(
             ByteArray.fromBase64Url(sessionTokenBase64),
             credentialId
         );
 
         if (result.isRight()) {
-            try {
-                JsonNode jsonResult = ((ObjectNode) jsonFactory.objectNode()
-                    .set("success", jsonFactory.booleanNode(true)))
-                    .set("droppedRegistration", jsonMapper.readTree(writeJson(result.right().get())));
-
-                return finishResponse(
-                    Either.right(jsonResult),
-                    "Failed to deregister credential; further error message(s) were unfortunately lost to an internal server error.",
-                    "deregisterCredential",
-                    ""
-                );
-            } catch (IOException e) {
-                logger.error("Failed to write response as JSON", e);
-                throw new RuntimeException(e);
-            }
+            return finishResponse(
+                result,
+                "Failed to deregister credential; further error message(s) were unfortunately lost to an internal server error.",
+                "deregisterCredential",
+                ""
+            );
         } else {
             return messagesJson(
                 Response.status(Status.BAD_REQUEST),
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
index 9edbd3824..050b880bc 100644
--- a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
+++ b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
@@ -568,7 +568,14 @@ public Either<List<String>, SuccessfulAuthenticationResult> finishAuthentication
         }
     }
 
-    public Either<List<String>, CredentialRegistration> deregisterCredential(
+    @Value
+    public static final class DeregisterCredentialResult {
+        boolean success = true;
+        CredentialRegistration droppedRegistration;
+        boolean accountDeleted;
+    }
+
+    public Either<List<String>, DeregisterCredentialResult> deregisterCredential(
         @NonNull ByteArray sessionToken,
         ByteArray credentialId
     ) {
@@ -587,7 +594,11 @@ public Either<List<String>, CredentialRegistration> deregisterCredential(
                 Optional<CredentialRegistration> credReg = userStorage.getRegistrationByUsernameAndCredentialId(username.get(), credentialId);
                 if (credReg.isPresent()) {
                     userStorage.removeRegistrationByUsername(username.get(), credReg.get());
-                    return Either.right(credReg.get());
+
+                    return Either.right(new DeregisterCredentialResult(
+                        credReg.get(),
+                        !userStorage.userExists(username.get())
+                    ));
                 } else {
                     return Either.left(Collections.singletonList("Credential ID not registered:" + credentialId));
                 }
diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index 40c7cd789..6b953d501 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -502,6 +502,10 @@
         } else {
           addMessage(`Successfully deregistered credential: ${credentialId}`);
         }
+        if (data.accountDeleted) {
+          addMessage('No credentials remain - account deleted.');
+          logout();
+        }
       } else {
         addMessage('Credential deregistration failed.');
       }

From 5a68fcb46670b98a4c146be2d9dab6e4483279d0 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 1 Nov 2019 17:36:18 +0100
Subject: [PATCH 12/24] Fix tests in Java 8

---
 .../webauthn/attestation/DeviceIdentificationSpec.scala   | 8 ++++----
 .../com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala  | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
index f9d7aaf16..61ad91034 100644
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
@@ -88,8 +88,8 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
           .build());
 
         result.isAttestationTrusted should be (true)
-        result.getAttestationMetadata should not be empty
-        result.getAttestationMetadata.get.getDeviceProperties should not be empty
+        result.getAttestationMetadata.isPresent should be (true)
+        result.getAttestationMetadata.get.getDeviceProperties.isPresent should be (true)
         result.getAttestationMetadata.get.getDeviceProperties.get().get("displayName") should equal (expectedName)
       }
 
@@ -122,8 +122,8 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
       def check(expectedName: String, testData: RealExamples.Example) {
         val cert = CertificateParser.parseDer(testData.attestationCert.getBytes)
         val resolved = StandardMetadataService.createDefaultAttestationResolver().resolve(cert)
-        resolved should not be empty
-        resolved.get.getDeviceProperties should not be empty
+        resolved.isPresent should be (true)
+        resolved.get.getDeviceProperties.isPresent should be (true)
         resolved.get.getDeviceProperties.get.get("displayName") should equal (expectedName)
       }
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
index 20057196b..cd18ba2b2 100644
--- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
@@ -103,7 +103,7 @@ class RelyingPartyCeremoniesSpec extends FunSpec with Matchers {
 
         registrationResult.getKeyId.getId should equal (testData.attestation.credential.getId)
         registrationResult.isAttestationTrusted should be (false)
-        registrationResult.getAttestationMetadata shouldBe empty
+        registrationResult.getAttestationMetadata.isPresent should be (false)
 
         val assertionRp = newRp(testData, credentialRepoWithUser(testData, registrationResult))
 

From 7c15d1cdcaaa782263aaf3ba54fdba81bf436dcb Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 1 Nov 2019 17:21:47 +0100
Subject: [PATCH 13/24] Fix imageUrl for YubiKey Preview

---
 webauthn-server-demo/src/main/resources/preview-metadata.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webauthn-server-demo/src/main/resources/preview-metadata.json b/webauthn-server-demo/src/main/resources/preview-metadata.json
index 00edcee49..9bbb63ae4 100644
--- a/webauthn-server-demo/src/main/resources/preview-metadata.json
+++ b/webauthn-server-demo/src/main/resources/preview-metadata.json
@@ -1,6 +1,6 @@
 {
   "identifier": "ccb72cf9-a408-4f0a-8fa1-3cf9f7029d01",
-  "version": 1,
+  "version": 2,
   "vendorInfo": {
     "url": "https://yubico.com",
     "imageUrl": "https://developers.yubico.com/U2F/Images/yubico.png",
@@ -15,7 +15,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.6",
       "displayName": "YubiKey Preview",
       "transports": 4,
-      "imageUrl": "https://demo.yubico.com/img/YKE.png",
+      "imageUrl": "https://developers.yubico.com/U2F/Images/YK5.png",
       "selectors": [
         {
           "type": "x509Extension",

From 265852439f00477d6bebadd210f08c7a979b6478 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 1 Nov 2019 19:09:15 +0100
Subject: [PATCH 14/24] Use function credRepoWithUser where appropriate

---
 .../webauthn/RelyingPartyAssertionSpec.scala  | 118 +++++-------------
 1 file changed, 33 insertions(+), 85 deletions(-)

diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala
index 8b693385e..e2ec604ae 100644
--- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala
@@ -98,6 +98,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
     // These values are not signed over
     val username: String = "foo-user"
     val userHandle: ByteArray = ByteArray.fromHex("6d8972d9603ce4f3fa5d520ce6d024bf")
+    val user: UserIdentity = UserIdentity.builder().name(username).displayName("Test user").id(userHandle).build()
 
     // These values are defined by the attestationObject and clientDataJson above
     val clientDataJsonBytes: ByteArray = new ByteArray(clientDataJson.getBytes("UTF-8"))
@@ -406,20 +407,17 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
         }
 
         it("Succeeds if the credential ID is known.") {
-          val steps = finishAssertion(credentialRepository = Some(new CredentialRepository {
-            override def lookup(id: ByteArray, uh: ByteArray) = Some(
+          val steps = finishAssertion(
+            credentialRepository = Some(credRepoWithUser(
+              Defaults.user,
               RegisteredCredential.builder()
-                .credentialId(id)
-                .userHandle(uh)
+                .credentialId(Defaults.credentialId)
+                .userHandle(Defaults.userHandle)
                 .publicKeyCose(getPublicKeyBytes(Defaults.credentialKey))
                 .signatureCount(0)
                 .build()
-            ).asJava
-            override def lookupAll(id: ByteArray) = ???
-            override def getCredentialIdsForUsername(username: String) = ???
-            override def getUserHandleForUsername(username: String): Optional[ByteArray] = getUserHandleIfDefault(username)
-            override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = getUsernameIfDefault(userHandle)
-          }))
+            ))
+          )
           val step: FinishAssertionSteps#Step3 = steps.begin.next.next.next
 
           step.validations shouldBe a [Success[_]]
@@ -1146,20 +1144,15 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
       describe("17. If the signature counter value authData.signCount is nonzero or the value stored in conjunction with credential’s id attribute is nonzero, then run the following sub-step:") {
         describe("If the signature counter value authData.signCount is") {
           def credentialRepository(signatureCount: Long) =
-            new CredentialRepository {
-              override def lookup(id: ByteArray, uh: ByteArray) = Some(
-                RegisteredCredential.builder()
-                  .credentialId(id)
-                  .userHandle(uh)
-                  .publicKeyCose(getPublicKeyBytes(Defaults.credentialKey))
-                  .signatureCount(signatureCount)
-                  .build()
-              ).asJava
-              override def lookupAll(id: ByteArray) = ???
-              override def getCredentialIdsForUsername(username: String) = ???
-              override def getUserHandleForUsername(username: String): Optional[ByteArray] = getUserHandleIfDefault(username)
-              override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = getUsernameIfDefault(userHandle)
-            }
+            credRepoWithUser(
+              Defaults.user,
+              RegisteredCredential.builder()
+                .credentialId(Defaults.credentialId)
+                .userHandle(Defaults.userHandle)
+                .publicKeyCose(getPublicKeyBytes(Defaults.credentialKey))
+                .signatureCount(signatureCount)
+                .build()
+            )
 
           describe("zero, then the stored signature counter value must also be zero.") {
             val authenticatorData = new ByteArray(Defaults.authenticatorData.getBytes.updated(33, 0: Byte).updated(34, 0: Byte).updated(35, 0: Byte).updated(36, 0: Byte))
@@ -1311,36 +1304,14 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
         new TypeReference[PublicKeyCredential[AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs]](){}
       )
 
-      val credRepo = new CredentialRepository {
-        override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] =
-          if (username == testData.userId.getName)
-            Set(PublicKeyCredentialDescriptor.builder().id(credId).build()).asJava
-          else Set.empty.asJava
-        override def getUserHandleForUsername(username: String): Optional[ByteArray] =
-          if (username == testData.userId.getName)
-            Some(testData.userId.getId).asJava
-          else None.asJava
-        override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] =
-          if (userHandle == testData.userId.getId)
-            Some(testData.userId.getName).asJava
-          else None.asJava
-        override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
-          if (credentialId == credId && userHandle == testData.userId.getId)
-            Some(RegisteredCredential.builder()
-              .credentialId(credId)
-              .userHandle(testData.userId.getId)
-              .publicKeyCose(publicKeyBytes)
-              .build()).asJava
-          else None.asJava
-        override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] =
-          if (credentialId == credId)
-            Set(RegisteredCredential.builder()
-              .credentialId(credId)
-              .userHandle(testData.userId.getId)
-              .publicKeyCose(publicKeyBytes)
-              .build()).asJava
-          else Set.empty.asJava
-      }
+      val credRepo = credRepoWithUser(
+        testData.userId,
+        RegisteredCredential.builder()
+          .credentialId(testData.response.getId)
+          .userHandle(testData.userId.getId)
+          .publicKeyCose(publicKeyBytes)
+          .build()
+      )
 
       val rp = RelyingParty.builder()
         .identity(RelyingPartyIdentity.builder().id("demo3.yubico.test").name("Yubico WebAuthn demo").build())
@@ -1348,7 +1319,6 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
         .origins(Set("https://demo3.yubico.test:8443").asJava)
         .build()
 
-
       val result = rp.finishAssertion(FinishAssertionOptions.builder()
         .request(request)
         .response(response)
@@ -1443,36 +1413,14 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
       val credId: ByteArray = credData.getCredentialId
       val publicKeyBytes: ByteArray = credData.getCredentialPublicKey
 
-      val credRepo = new CredentialRepository {
-        override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] =
-          if (username == registrationRequest.getUser.getName)
-            Set(PublicKeyCredentialDescriptor.builder().id(credId).build()).asJava
-          else Set.empty.asJava
-        override def getUserHandleForUsername(username: String): Optional[ByteArray] =
-          if (username == registrationRequest.getUser.getName)
-            Some(registrationRequest.getUser.getId).asJava
-          else None.asJava
-        override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] =
-          if (userHandle == registrationRequest.getUser.getId)
-            Some(registrationRequest.getUser.getName).asJava
-          else None.asJava
-        override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
-          if (credentialId == credId && userHandle == registrationRequest.getUser.getId)
-            Some(RegisteredCredential.builder()
-              .credentialId(credId)
-              .userHandle(registrationRequest.getUser.getId)
-              .publicKeyCose(publicKeyBytes)
-              .build()).asJava
-          else None.asJava
-        override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] =
-          if (credentialId == credId)
-            Set(RegisteredCredential.builder()
-              .credentialId(credId)
-              .userHandle(registrationRequest.getUser.getId)
-              .publicKeyCose(publicKeyBytes)
-              .build()).asJava
-          else Set.empty.asJava
-      }
+      val credRepo = credRepoWithUser(
+        registrationRequest.getUser,
+        RegisteredCredential.builder()
+          .credentialId(registrationResponse.getId)
+          .userHandle(registrationRequest.getUser.getId)
+          .publicKeyCose(publicKeyBytes)
+          .build()
+      )
 
       val rp = RelyingParty.builder()
         .identity(RelyingPartyIdentity.builder().id("demo3.yubico.test").name("Yubico WebAuthn demo").build())

From 8e6cddcd3feef9ddfb500bd5dfecadb9e806a1e2 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 1 Nov 2019 19:13:29 +0100
Subject: [PATCH 15/24] Add credRepoWithUser to RelyingPartyRegistrationSpec

---
 .../RelyingPartyRegistrationSpec.scala        | 68 +++++++++----------
 1 file changed, 33 insertions(+), 35 deletions(-)

diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
index afe70789d..e76f4d7c2 100644
--- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
@@ -106,6 +106,29 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
     override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = ???
   }
 
+  private def credRepoWithUser(user: UserIdentity, credential: RegisteredCredential): CredentialRepository = new CredentialRepository {
+    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] =
+      if (username == user.getName)
+        Set(PublicKeyCredentialDescriptor.builder().id(credential.getCredentialId).build()).asJava
+      else Set.empty.asJava
+    override def getUserHandleForUsername(username: String): Optional[ByteArray] =
+      if (username == user.getName)
+        Some(user.getId).asJava
+      else None.asJava
+    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] =
+      if (userHandle == user.getId)
+        Some(user.getName).asJava
+      else None.asJava
+    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
+      if (credentialId == credential.getCredentialId && userHandle == user.getId)
+        Some(credential).asJava
+      else None.asJava
+    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] =
+      if (credentialId == credential.getCredentialId)
+        Set(credential).asJava
+      else Set.empty.asJava
+  }
+
   private def finishRegistration(
     allowOriginPort: Boolean = false,
     allowOriginSubdomain: Boolean = false,
@@ -1792,32 +1815,15 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
         val testData = RegistrationTestData.FidoU2f.SelfAttestation
 
         it("Registration is aborted if the given credential ID is already registered.") {
-          val credentialRepository = new CredentialRepository {
-            override def lookup(id: ByteArray, uh: ByteArray) = Some(
-              RegisteredCredential.builder()
-                .credentialId(id)
-                .userHandle(uh)
-                .publicKeyCose(testData.response.getResponse.getAttestation.getAuthenticatorData.getAttestedCredentialData.get.getCredentialPublicKey)
-                .signatureCount(1337)
-                .build()
-            ).asJava
-
-            override def lookupAll(id: ByteArray) = id match {
-              case id if id == testData.response.getResponse.getAttestation.getAuthenticatorData.getAttestedCredentialData.get.getCredentialId =>
-                Set(
-                  RegisteredCredential.builder()
-                    .credentialId(id)
-                    .userHandle(testData.request.getUser.getId)
-                    .publicKeyCose(testData.response.getResponse.getAttestation.getAuthenticatorData.getAttestedCredentialData.get.getCredentialPublicKey)
-                    .signatureCount(1337)
-                    .build()
-                ).asJava
-              case _ => Set.empty.asJava
-            }
-            override def getCredentialIdsForUsername(username: String) = ???
-            override def getUserHandleForUsername(username: String): Optional[ByteArray] = ???
-            override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = ???
-          }
+          val credentialRepository = credRepoWithUser(
+            testData.userId,
+            RegisteredCredential.builder()
+              .credentialId(testData.response.getId)
+              .userHandle(testData.userId.getId)
+              .publicKeyCose(testData.response.getResponse.getAttestation.getAuthenticatorData.getAttestedCredentialData.get.getCredentialPublicKey)
+              .signatureCount(1337)
+              .build()
+          )
 
           val steps = finishRegistration(
             allowUntrustedAttestation = true,
@@ -1832,18 +1838,10 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
         }
 
         it("Registration proceeds if the given credential ID is not already registered.") {
-          val credentialRepository = new CredentialRepository {
-            override def lookup(id: ByteArray, uh: ByteArray) = None.asJava
-            override def lookupAll(id: ByteArray) = Set.empty.asJava
-            override def getCredentialIdsForUsername(username: String) = ???
-            override def getUserHandleForUsername(username: String): Optional[ByteArray] = ???
-            override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = ???
-          }
-
           val steps = finishRegistration(
             allowUntrustedAttestation = true,
             testData = testData,
-            credentialRepository = credentialRepository
+            credentialRepository = emptyCredentialRepository
           )
           val step: FinishRegistrationSteps#Step17 = steps.begin.next.next.next.next.next.next.next.next.next.next.next.next.next.next.next.next
 

From adecca04b9af423365addb3670cd9a1c5e093a64 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 1 Nov 2019 19:27:58 +0100
Subject: [PATCH 16/24] Extract test utility object Helpers

---
 .../DeviceIdentificationSpec.scala            | 19 +----
 .../webauthn/RelyingPartyAssertionSpec.scala  | 50 +++----------
 .../webauthn/RelyingPartyCeremoniesSpec.scala | 50 +++----------
 .../RelyingPartyRegistrationSpec.scala        | 70 ++++---------------
 .../com/yubico/webauthn/test/Helpers.scala    | 65 +++++++++++++++++
 5 files changed, 101 insertions(+), 153 deletions(-)
 create mode 100644 webauthn-server-core/src/test/scala/com/yubico/webauthn/test/Helpers.scala

diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
index 61ad91034..993e7d410 100644
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
@@ -25,22 +25,17 @@
 package com.yubico.webauthn.attestation
 
 import java.util.Collections
-import java.util.Optional
 
-import com.yubico.internal.util.scala.JavaConverters._
 import com.yubico.internal.util.CertificateParser
 import com.yubico.internal.util.JacksonCodecs
 import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver
 import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
 import com.yubico.webauthn.test.RealExamples
-import com.yubico.webauthn.CredentialRepository
-import com.yubico.webauthn.RelyingParty
-import com.yubico.webauthn.data.ByteArray
-import com.yubico.webauthn.data.PublicKeyCredentialDescriptor
 import com.yubico.webauthn.FinishRegistrationOptions
-import com.yubico.webauthn.RegisteredCredential
+import com.yubico.webauthn.RelyingParty
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
 import com.yubico.webauthn.data.PublicKeyCredentialParameters
+import com.yubico.webauthn.test.Helpers
 import org.junit.runner.RunWith
 import org.scalatest.FunSpec
 import org.scalatest.Matchers
@@ -59,21 +54,13 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
     )
   }
 
-  private val emptyCredentialRepository = new CredentialRepository {
-    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = Set.empty.asJava
-    override def getUserHandleForUsername(username: String): Optional[ByteArray] = None.asJava
-    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = None.asJava
-    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = None.asJava
-    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = Set.empty.asJava
-  }
-
   describe("A RelyingParty with the default StandardMetadataService") {
 
     describe("correctly identifies") {
       def check(expectedName: String, testData: RealExamples.Example) {
         val rp = RelyingParty.builder()
           .identity(testData.rp)
-          .credentialRepository(emptyCredentialRepository)
+          .credentialRepository(Helpers.CredentialRepository.empty)
           .metadataService(new StandardMetadataService())
           .build()
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala
index e2ec604ae..882c1b2e0 100644
--- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala
@@ -51,6 +51,7 @@ import com.yubico.webauthn.data.UserIdentity
 import com.yubico.webauthn.data.UserVerificationRequirement
 import com.yubico.webauthn.exception.InvalidSignatureCountException
 import com.yubico.webauthn.extension.appid.AppId
+import com.yubico.webauthn.test.Helpers
 import com.yubico.webauthn.test.Util.toStepWithUtilities
 import org.junit.runner.RunWith
 import org.scalacheck.Gen
@@ -73,14 +74,6 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
   private def sha256(bytes: ByteArray): ByteArray = crypto.hash(bytes)
   private def sha256(data: String): ByteArray = sha256(new ByteArray(data.getBytes(Charset.forName("UTF-8"))))
 
-  private val emptyCredentialRepository = new CredentialRepository {
-    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = Set.empty.asJava
-    override def getUserHandleForUsername(username: String): Optional[ByteArray] = None.asJava
-    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = None.asJava
-    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = None.asJava
-    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = Set.empty.asJava
-  }
-
   private object Defaults {
 
     val rpId = RelyingPartyIdentity.builder().id("localhost").name("Test party").build()
@@ -123,29 +116,6 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
 
   private def getPublicKeyBytes(credentialKey: KeyPair): ByteArray = WebAuthnTestCodecs.ecPublicKeyToCose(credentialKey.getPublic.asInstanceOf[ECPublicKey])
 
-  private def credRepoWithUser(user: UserIdentity, credential: RegisteredCredential): CredentialRepository = new CredentialRepository {
-    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] =
-      if (username == user.getName)
-        Set(PublicKeyCredentialDescriptor.builder().id(credential.getCredentialId).build()).asJava
-      else Set.empty.asJava
-    override def getUserHandleForUsername(username: String): Optional[ByteArray] =
-      if (username == user.getName)
-        Some(user.getId).asJava
-      else None.asJava
-    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] =
-      if (userHandle == user.getId)
-        Some(user.getName).asJava
-      else None.asJava
-    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
-      if (credentialId == credential.getCredentialId && userHandle == user.getId)
-        Some(credential).asJava
-      else None.asJava
-    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] =
-      if (credentialId == credential.getCredentialId)
-        Set(credential).asJava
-      else Set.empty.asJava
-  }
-
   def finishAssertion(
     allowCredentials: Option[java.util.List[PublicKeyCredentialDescriptor]] = Some(List(PublicKeyCredentialDescriptor.builder().id(Defaults.credentialId).build()).asJava),
     allowOriginPort: Boolean = false,
@@ -242,7 +212,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
       it(s"If the parameter is not set, or set to empty, the default of ${default} is used.") {
         val rp = RelyingParty.builder()
           .identity(Defaults.rpId)
-          .credentialRepository(emptyCredentialRepository)
+          .credentialRepository(Helpers.CredentialRepository.empty)
           .build()
         val request1 = rp.startAssertion(StartAssertionOptions.builder().build())
         val request2 = rp.startAssertion(StartAssertionOptions.builder().userVerification(Optional.empty[UserVerificationRequirement]).build())
@@ -254,7 +224,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
       it(s"If the parameter is set, that value is used.") {
         val rp = RelyingParty.builder()
           .identity(Defaults.rpId)
-          .credentialRepository(emptyCredentialRepository)
+          .credentialRepository(Helpers.CredentialRepository.empty)
           .build()
 
         forAll { uv: UserVerificationRequirement =>
@@ -397,7 +367,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
       describe("3. Using credential’s id attribute (or the corresponding rawId, if base64url encoding is inappropriate for your use case), look up the corresponding credential public key.") {
         it("Fails if the credential ID is unknown.") {
           val steps = finishAssertion(
-            credentialRepository = Some(emptyCredentialRepository)
+            credentialRepository = Some(Helpers.CredentialRepository.empty)
           )
           val step: steps.Step3 = new steps.Step3(Defaults.username, Defaults.userHandle, Nil.asJava)
 
@@ -408,7 +378,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
 
         it("Succeeds if the credential ID is known.") {
           val steps = finishAssertion(
-            credentialRepository = Some(credRepoWithUser(
+            credentialRepository = Some(Helpers.CredentialRepository.withUser(
               Defaults.user,
               RegisteredCredential.builder()
                 .credentialId(Defaults.credentialId)
@@ -1144,7 +1114,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
       describe("17. If the signature counter value authData.signCount is nonzero or the value stored in conjunction with credential’s id attribute is nonzero, then run the following sub-step:") {
         describe("If the signature counter value authData.signCount is") {
           def credentialRepository(signatureCount: Long) =
-            credRepoWithUser(
+            Helpers.CredentialRepository.withUser(
               Defaults.user,
               RegisteredCredential.builder()
                 .credentialId(Defaults.credentialId)
@@ -1304,7 +1274,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
         new TypeReference[PublicKeyCredential[AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs]](){}
       )
 
-      val credRepo = credRepoWithUser(
+      val credRepo = Helpers.CredentialRepository.withUser(
         testData.userId,
         RegisteredCredential.builder()
           .credentialId(testData.response.getId)
@@ -1413,7 +1383,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
       val credId: ByteArray = credData.getCredentialId
       val publicKeyBytes: ByteArray = credData.getCredentialPublicKey
 
-      val credRepo = credRepoWithUser(
+      val credRepo = Helpers.CredentialRepository.withUser(
         registrationRequest.getUser,
         RegisteredCredential.builder()
           .credentialId(registrationResponse.getId)
@@ -1448,7 +1418,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
 
       val rp = RelyingParty.builder()
         .identity(RelyingPartyIdentity.builder().id("localhost").name("Test RP").build())
-        .credentialRepository(credRepoWithUser(registrationTestData.userId, RegisteredCredential.builder()
+        .credentialRepository(Helpers.CredentialRepository.withUser(registrationTestData.userId, RegisteredCredential.builder()
           .credentialId(registrationTestData.response.getId)
           .userHandle(registrationTestData.userId.getId)
           .publicKeyCose(registrationTestData.response.getResponse.getParsedAuthenticatorData.getAttestedCredentialData.get.getCredentialPublicKey)
@@ -1474,7 +1444,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with GeneratorDriv
 
         val rp = RelyingParty.builder()
           .identity(RelyingPartyIdentity.builder().id("localhost").name("Test RP").build())
-          .credentialRepository(credRepoWithUser(registrationTestData.userId, RegisteredCredential.builder()
+          .credentialRepository(Helpers.CredentialRepository.withUser(registrationTestData.userId, RegisteredCredential.builder()
             .credentialId(registrationTestData.response.getId)
             .userHandle(registrationTestData.userId.getId)
             .publicKeyCose(registrationTestData.response.getResponse.getParsedAuthenticatorData.getAttestedCredentialData.get.getCredentialPublicKey)
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
index cd18ba2b2..b60fa676e 100644
--- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
@@ -24,14 +24,11 @@
 
 package com.yubico.webauthn
 
-import java.util.Optional
-
-import com.yubico.internal.util.scala.JavaConverters._
-import com.yubico.webauthn.data.ByteArray
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
 import com.yubico.webauthn.data.PublicKeyCredentialDescriptor
 import com.yubico.webauthn.data.PublicKeyCredentialParameters
 import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions
+import com.yubico.webauthn.test.Helpers
 import com.yubico.webauthn.test.RealExamples
 import org.junit.runner.RunWith
 import org.scalatest.FunSpec
@@ -50,46 +47,11 @@ class RelyingPartyCeremoniesSpec extends FunSpec with Matchers {
       .credentialRepository(credentialRepo)
       .build()
 
-  private val emptyCredentialRepository = new CredentialRepository {
-    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = Set.empty.asJava
-    override def getUserHandleForUsername(username: String): Optional[ByteArray] = None.asJava
-    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = None.asJava
-    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = None.asJava
-    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = Set.empty.asJava
-  }
-
-  private def credentialRepoWithUser(testData: RealExamples.Example, reg: RegistrationResult): CredentialRepository = new CredentialRepository {
-    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] =
-      if (username == testData.user.getName)
-        Set(PublicKeyCredentialDescriptor.builder().id(reg.getKeyId.getId).build()).asJava
-      else Set.empty.asJava
-    override def getUserHandleForUsername(username: String): Optional[ByteArray] =
-      if (username == testData.user.getName)
-        Some(testData.user.getId).asJava
-      else None.asJava
-    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] =
-      if (userHandle == testData.user.getId)
-        Some(testData.user.getName).asJava
-      else None.asJava
-    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
-      if (credentialId == reg.getKeyId.getId && userHandle == testData.user.getId)
-        Some(RegisteredCredential.builder()
-          .credentialId(reg.getKeyId.getId)
-          .userHandle(testData.user.getId)
-          .publicKeyCose(reg.getPublicKeyCose)
-          .build()).asJava
-      else None.asJava
-    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] =
-      if (credentialId == reg.getKeyId.getId)
-        Set(lookup(credentialId, testData.user.getId).get()).asJava
-      else Set.empty.asJava
-  }
-
   describe("The default RelyingParty settings") {
 
     describe("can register and then authenticate") {
       def check(testData: RealExamples.Example) {
-        val registrationRp = newRp(testData, emptyCredentialRepository)
+        val registrationRp = newRp(testData, Helpers.CredentialRepository.empty)
 
         val registrationResult = registrationRp.finishRegistration(FinishRegistrationOptions.builder()
           .request(PublicKeyCredentialCreationOptions.builder()
@@ -105,7 +67,13 @@ class RelyingPartyCeremoniesSpec extends FunSpec with Matchers {
         registrationResult.isAttestationTrusted should be (false)
         registrationResult.getAttestationMetadata.isPresent should be (false)
 
-        val assertionRp = newRp(testData, credentialRepoWithUser(testData, registrationResult))
+        val assertionRp = newRp(
+          testData,
+          Helpers.CredentialRepository.withUser(
+            testData.user,
+            Helpers.toRegisteredCredential(testData.user, registrationResult)
+          )
+        )
 
         val assertionResult = assertionRp.finishAssertion(FinishAssertionOptions.builder()
           .request(AssertionRequest.builder()
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
index e76f4d7c2..464afedd1 100644
--- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala
@@ -32,7 +32,6 @@ import java.security.PrivateKey
 import java.security.SignatureException
 import java.security.cert.X509Certificate
 import java.security.interfaces.RSAPublicKey
-import java.util.Optional
 
 import com.fasterxml.jackson.databind.JsonNode
 import com.fasterxml.jackson.databind.node.JsonNodeFactory
@@ -50,17 +49,15 @@ import com.yubico.webauthn.data.ByteArray
 import com.yubico.webauthn.data.CollectedClientData
 import com.yubico.webauthn.data.COSEAlgorithmIdentifier
 import com.yubico.webauthn.data.Generators._
-import com.yubico.webauthn.data.PublicKeyCredentialDescriptor
-import com.yubico.webauthn.data.PublicKeyCredentialParameters
 import com.yubico.webauthn.data.RegistrationExtensionInputs
 import com.yubico.webauthn.data.RelyingPartyIdentity
 import com.yubico.webauthn.data.UserIdentity
 import com.yubico.webauthn.data.UserVerificationRequirement
-import com.yubico.webauthn.exception.RegistrationFailedException
 import com.yubico.webauthn.test.Util.toStepWithUtilities
 import com.yubico.webauthn.TestAuthenticator.AttestationCert
 import com.yubico.webauthn.TestAuthenticator.AttestationMaker
 import com.yubico.webauthn.data.PublicKeyCredentialParameters
+import com.yubico.webauthn.test.Helpers
 import javax.security.auth.x500.X500Principal
 import org.bouncycastle.asn1.DEROctetString
 import org.bouncycastle.asn1.x500.X500Name
@@ -90,52 +87,13 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
   def flipByte(index: Int, bytes: ByteArray): ByteArray = editByte(bytes, index, b => (0xff ^ b).toByte)
   def editByte(bytes: ByteArray, index: Int, updater: Byte => Byte): ByteArray = new ByteArray(bytes.getBytes.updated(index, updater(bytes.getBytes()(index))))
 
-  private val emptyCredentialRepository = new CredentialRepository {
-    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = Set.empty.asJava
-    override def getUserHandleForUsername(username: String): Optional[ByteArray] = None.asJava
-    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = None.asJava
-    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = None.asJava
-    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = Set.empty.asJava
-  }
-
-  private val unimplementedCredentialRepository = new CredentialRepository {
-    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = ???
-    override def getUserHandleForUsername(username: String): Optional[ByteArray] = ???
-    override def getUsernameForUserHandle(userHandleBase64: ByteArray): Optional[String] = ???
-    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = ???
-    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = ???
-  }
-
-  private def credRepoWithUser(user: UserIdentity, credential: RegisteredCredential): CredentialRepository = new CredentialRepository {
-    override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] =
-      if (username == user.getName)
-        Set(PublicKeyCredentialDescriptor.builder().id(credential.getCredentialId).build()).asJava
-      else Set.empty.asJava
-    override def getUserHandleForUsername(username: String): Optional[ByteArray] =
-      if (username == user.getName)
-        Some(user.getId).asJava
-      else None.asJava
-    override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] =
-      if (userHandle == user.getId)
-        Some(user.getName).asJava
-      else None.asJava
-    override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
-      if (credentialId == credential.getCredentialId && userHandle == user.getId)
-        Some(credential).asJava
-      else None.asJava
-    override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] =
-      if (credentialId == credential.getCredentialId)
-        Set(credential).asJava
-      else Set.empty.asJava
-  }
-
   private def finishRegistration(
     allowOriginPort: Boolean = false,
     allowOriginSubdomain: Boolean = false,
     allowUntrustedAttestation: Boolean = false,
     callerTokenBindingId: Option[ByteArray] = None,
     credentialId: Option[ByteArray] = None,
-    credentialRepository: CredentialRepository = unimplementedCredentialRepository,
+    credentialRepository: CredentialRepository = Helpers.CredentialRepository.unimplemented,
     metadataService: Option[MetadataService] = None,
     origins: Option[Set[String]] = None,
     preferredPubkeyParams: List[PublicKeyCredentialParameters] = Nil,
@@ -1815,7 +1773,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
         val testData = RegistrationTestData.FidoU2f.SelfAttestation
 
         it("Registration is aborted if the given credential ID is already registered.") {
-          val credentialRepository = credRepoWithUser(
+          val credentialRepository = com.yubico.webauthn.test.Helpers.CredentialRepository.withUser(
             testData.userId,
             RegisteredCredential.builder()
               .credentialId(testData.response.getId)
@@ -1841,7 +1799,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
           val steps = finishRegistration(
             allowUntrustedAttestation = true,
             testData = testData,
-            credentialRepository = emptyCredentialRepository
+            credentialRepository = Helpers.CredentialRepository.empty
           )
           val step: FinishRegistrationSteps#Step17 = steps.begin.next.next.next.next.next.next.next.next.next.next.next.next.next.next.next.next
 
@@ -1856,7 +1814,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
           val steps = finishRegistration(
             testData = testData,
             metadataService = Some(new TestMetadataService(Some(Attestation.builder().trusted(true).build()))),
-            credentialRepository = emptyCredentialRepository
+            credentialRepository = Helpers.CredentialRepository.empty
           )
           steps.run.getKeyId.getId should be (testData.response.getId)
           steps.run.isAttestationTrusted should be (true)
@@ -1869,7 +1827,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
           val steps = finishRegistration(
             testData = testData,
             allowUntrustedAttestation = true,
-            credentialRepository = emptyCredentialRepository
+            credentialRepository = Helpers.CredentialRepository.empty
           )
           steps.run.getKeyId.getId should be (testData.response.getId)
           steps.run.isAttestationTrusted should be (false)
@@ -1880,7 +1838,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
           val steps = finishRegistration(
             testData = testData,
             allowUntrustedAttestation = true,
-            credentialRepository = emptyCredentialRepository
+            credentialRepository = Helpers.CredentialRepository.empty
           )
           val result = Try(steps.run)
           result.failed.get shouldBe an [IllegalArgumentException]
@@ -1898,7 +1856,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
               testData = testData,
               metadataService = None,
               allowUntrustedAttestation = true,
-              credentialRepository = emptyCredentialRepository
+              credentialRepository = Helpers.CredentialRepository.empty
             )
             steps.run.getKeyId.getId should be (testData.response.getId)
             steps.run.isAttestationTrusted should be (false)
@@ -1931,7 +1889,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
 
         val rp = RelyingParty.builder()
           .identity(RelyingPartyIdentity.builder().id("localhost").name("Test party").build())
-          .credentialRepository(emptyCredentialRepository)
+          .credentialRepository(Helpers.CredentialRepository.empty)
           .build()
 
         val request = rp.startRegistration(StartRegistrationOptions.builder()
@@ -1980,7 +1938,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
               val rp = {
                 val builder = RelyingParty.builder()
                   .identity(testData.rpId)
-                  .credentialRepository(emptyCredentialRepository)
+                  .credentialRepository(Helpers.CredentialRepository.empty)
                 testData.origin.foreach({ o => builder.origins(Set(o).asJava) })
                 builder.build()
               }
@@ -1999,7 +1957,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
         describe("generate pubKeyCredParams which") {
           val rp = RelyingParty.builder()
             .identity(RelyingPartyIdentity.builder().id("localhost").name("Test RP").build())
-            .credentialRepository(emptyCredentialRepository)
+            .credentialRepository(Helpers.CredentialRepository.empty)
             .build()
           val pkcco = rp.startRegistration(StartRegistrationOptions.builder()
             .user(UserIdentity.builder()
@@ -2041,7 +1999,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
         it("a real packed attestation with an RSA key.") {
           val rp = RelyingParty.builder()
             .identity(RelyingPartyIdentity.builder().id("demo3.yubico.test").name("Yubico WebAuthn demo").build())
-            .credentialRepository(emptyCredentialRepository)
+            .credentialRepository(Helpers.CredentialRepository.empty)
             .origins(Set("https://demo3.yubico.test:8443").asJava)
             .build()
 
@@ -2068,7 +2026,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
         val testData = RegistrationTestData.FidoU2f.BasicAttestation
         val result = finishRegistration(
           testData = testData,
-          credentialRepository = emptyCredentialRepository,
+          credentialRepository = Helpers.CredentialRepository.empty,
           allowUntrustedAttestation = true
         ).run
 
@@ -2085,7 +2043,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with GeneratorD
               .build()
             )
           ),
-          credentialRepository = emptyCredentialRepository,
+          credentialRepository = Helpers.CredentialRepository.empty,
           allowUntrustedAttestation = true
         ).run)
 
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/Helpers.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/Helpers.scala
new file mode 100644
index 000000000..f8792fd91
--- /dev/null
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/Helpers.scala
@@ -0,0 +1,65 @@
+package com.yubico.webauthn.test
+
+import java.util.Optional
+
+import com.yubico.internal.util.scala.JavaConverters._
+import com.yubico.webauthn.data.ByteArray
+import com.yubico.webauthn.RegisteredCredential
+import com.yubico.webauthn.data.PublicKeyCredentialDescriptor
+import com.yubico.webauthn.data.UserIdentity
+import com.yubico.webauthn.CredentialRepository
+import com.yubico.webauthn.RegistrationResult
+
+import scala.collection.JavaConverters._
+
+
+object Helpers {
+
+  object CredentialRepository {
+    val empty = new CredentialRepository {
+      override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = Set.empty.asJava
+      override def getUserHandleForUsername(username: String): Optional[ByteArray] = None.asJava
+      override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] = None.asJava
+      override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = None.asJava
+      override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = Set.empty.asJava
+    }
+    val unimplemented = new CredentialRepository {
+      override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] = ???
+      override def getUserHandleForUsername(username: String): Optional[ByteArray] = ???
+      override def getUsernameForUserHandle(userHandleBase64: ByteArray): Optional[String] = ???
+      override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] = ???
+      override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] = ???
+    }
+
+    def withUser(user: UserIdentity, credential: RegisteredCredential): CredentialRepository = new CredentialRepository {
+      override def getCredentialIdsForUsername(username: String): java.util.Set[PublicKeyCredentialDescriptor] =
+        if (username == user.getName)
+          Set(PublicKeyCredentialDescriptor.builder().id(credential.getCredentialId).build()).asJava
+        else Set.empty.asJava
+      override def getUserHandleForUsername(username: String): Optional[ByteArray] =
+        if (username == user.getName)
+          Some(user.getId).asJava
+        else None.asJava
+      override def getUsernameForUserHandle(userHandle: ByteArray): Optional[String] =
+        if (userHandle == user.getId)
+          Some(user.getName).asJava
+        else None.asJava
+      override def lookup(credentialId: ByteArray, userHandle: ByteArray): Optional[RegisteredCredential] =
+        if (credentialId == credential.getCredentialId && userHandle == user.getId)
+          Some(credential).asJava
+        else None.asJava
+      override def lookupAll(credentialId: ByteArray): java.util.Set[RegisteredCredential] =
+        if (credentialId == credential.getCredentialId)
+          Set(credential).asJava
+        else Set.empty.asJava
+    }
+  }
+
+  def toRegisteredCredential(user: UserIdentity, result: RegistrationResult): RegisteredCredential =
+    RegisteredCredential.builder()
+    .credentialId(result.getKeyId.getId)
+    .userHandle(user.getId)
+    .publicKeyCose(result.getPublicKeyCose)
+    .build()
+
+}

From a57853bef22df7659c93ea872f80e64c1578874f Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 29 Oct 2019 11:08:36 +0100
Subject: [PATCH 17/24] Update metadata.json to agree with
 developers.yubico.com copy

---
 NEWS                                          | 10 +++++
 .../src/main/resources/metadata.json          | 37 ++++++++++++++-----
 2 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/NEWS b/NEWS
index 26657e612..44a26243a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,11 +1,21 @@
 == Version 1.5.1 (unreleased) ==
 
+`webauthn-server-core`:
+
 Bug fixes:
 
 - Fixed bug introduced in 1.4.0, which caused
   `RegistrationResult.attestationMetadata` to always be empty.
 
 
+`webauthn-server-attestation`:
+
+- Fixed transports field of YubiKey NEO/NEO-n in `metadata.json`.
+- Added YubiKey 5Ci to `metadata.json`.
+- Most `deviceUrl` fields in `metadata.json` changed to point to stable
+  addresses in Yubico knowledge base instead of dead redirects in store.
+
+
 == Version 1.5.0 ==
 
 Changes:
diff --git a/webauthn-server-attestation/src/main/resources/metadata.json b/webauthn-server-attestation/src/main/resources/metadata.json
index 889662828..58756d238 100755
--- a/webauthn-server-attestation/src/main/resources/metadata.json
+++ b/webauthn-server-attestation/src/main/resources/metadata.json
@@ -1,6 +1,6 @@
 {
   "identifier": "2fb54029-7613-4f1d-94f1-fb876c14a6fe",
-  "version": 5,
+  "version": 11,
   "vendorInfo": {
     "url": "https://yubico.com",
     "imageUrl": "https://developers.yubico.com/U2F/Images/yubico.png",
@@ -14,7 +14,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.1",
       "displayName": "Security Key NFC by Yubico",
       "transports": 12,
-      "deviceUrl": "https://www.yubico.com/product/security-key-nfc-by-yubico/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000019469-security-key-nfc",
       "imageUrl": "https://developers.yubico.com/U2F/Images/SKY-NFC.png",
       "selectors": [
         {
@@ -34,7 +34,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.1",
       "displayName": "Security Key by Yubico",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006900-security-key-by-yubico",
       "imageUrl": "https://developers.yubico.com/U2F/Images/SKY.png",
       "selectors": [
         {
@@ -55,8 +55,8 @@
     {
       "deviceId": "1.3.6.1.4.1.41482.1.2",
       "displayName": "YubiKey NEO/NEO-n",
-      "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/yubikey-neo/",
+      "transports": 12,
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo",
       "imageUrl": "https://developers.yubico.com/U2F/Images/NEO.png",
       "selectors": [
         {
@@ -100,7 +100,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.4",
       "displayName": "YubiKey Edge",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006492-yubikey-edge",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YKE.png",
       "selectors": [
         {
@@ -116,7 +116,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.5",
       "displayName": "YubiKey 4/YubiKey 4 Nano",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-hardware/yubikey4/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK4.png",
       "selectors": [
         {
@@ -132,7 +132,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.7",
       "displayName": "YubiKey 5 NFC",
       "transports": 12,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-5-overview/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000014174--yubikey-5-nfc",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK5.png",
       "selectors": [
         {
@@ -151,7 +151,7 @@
       "deviceId": "1.3.6.1.4.1.41482.1.7",
       "displayName": "YubiKey 5 Series security key",
       "transports": 4,
-      "deviceUrl": "https://www.yubico.com/products/yubikey-5-overview/",
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000014180-yubikey-5c",
       "imageUrl": "https://developers.yubico.com/U2F/Images/YK5-series.png",
       "selectors": [
         {
@@ -165,6 +165,25 @@
           }
         }
       ]
+    },
+    {
+      "deviceId": "1.3.6.1.4.1.41482.1.7",
+      "displayName": "YubiKey 5Ci",
+      "transports": 20,
+      "deviceUrl": "https://support.yubico.com/support/solutions/articles/15000027140-yubikey-5ci",
+      "imageUrl": "https://developers.yubico.com/U2F/Images/YK5Ci.png",
+      "selectors": [
+        {
+          "type": "x509Extension",
+          "parameters": {
+            "key": "1.3.6.1.4.1.45724.1.1.4",
+            "value": {
+              "type": "hex",
+              "value": "c5ef55ffad9a4b9fb580adebafe026d0"
+            }
+          }
+        }
+      ]
     }
   ]
 }

From e3be036d2920f1e7d0b12100888d81fe5c83ea67 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 1 Nov 2019 17:02:33 +0100
Subject: [PATCH 18/24] Add YubiKey 5Ci tests

---
 .../attestation/DeviceIdentificationSpec.scala    |  6 ++++++
 .../webauthn/RelyingPartyCeremoniesSpec.scala     |  3 +++
 .../com/yubico/webauthn/test/RealExamples.scala   | 15 +++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
index 993e7d410..0f740629e 100644
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
@@ -92,6 +92,9 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
       it("a YubiKey 5 Nano.") {
         check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano)
       }
+      it("a YubiKey 5Ci.") {
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci)
+      }
       it("a Security Key by Yubico.") {
         check("Security Key by Yubico", RealExamples.SecurityKey)
       }
@@ -126,6 +129,9 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
       it("a YubiKey 5 Nano.") {
         check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano)
       }
+      it("a YubiKey 5Ci.") {
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci)
+      }
       it("a Security Key by Yubico.") {
         check("Security Key by Yubico", RealExamples.SecurityKey)
       }
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
index b60fa676e..f0fb3b734 100644
--- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyCeremoniesSpec.scala
@@ -106,6 +106,9 @@ class RelyingPartyCeremoniesSpec extends FunSpec with Matchers {
       it("a YubiKey 5 Nano.") {
         check(RealExamples.YubiKey5Nano)
       }
+      it("a YubiKey 5Ci.") {
+        check(RealExamples.YubiKey5Ci)
+      }
       it("a Security Key by Yubico.") {
         check(RealExamples.SecurityKey)
       }
diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala
index 8799b7e9c..f6cc1f45c 100644
--- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala
+++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/test/RealExamples.scala
@@ -123,6 +123,21 @@ object RealExamples {
     )
   )
 
+  val YubiKey5Ci = Example(
+    RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
+    UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),
+    AttestationExample(
+      """{"type": "webauthn.create", "clientExtensions": {}, "challenge": "Y2hhbGxlbmdl", "origin": "https://example.com"}""",
+      ByteArray.fromBase64Url("o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEYwRAIgXOZEuIaBrKT5VYJu9_D410HgJRm1SenwlKiXtcQxe0ICIG1_ycPCKHPjEsgRFVr4WdK5IY8K7aCyAc03c1-wnBJCY3g1Y4FZAsEwggK9MIIBpaADAgECAgQr8Xx4MA0GCSqGSIb3DQEBCwUAMC4xLDAqBgNVBAMTI1l1YmljbyBVMkYgUm9vdCBDQSBTZXJpYWwgNDU3MjAwNjMxMCAXDTE0MDgwMTAwMDAwMFoYDzIwNTAwOTA0MDAwMDAwWjBuMQswCQYDVQQGEwJTRTESMBAGA1UECgwJWXViaWNvIEFCMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMScwJQYDVQQDDB5ZdWJpY28gVTJGIEVFIFNlcmlhbCA3MzcyNDYzMjgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR0wseEI8hxLptI8llYZvxwQK5M3wfXd9WFrwSTme36kjy-tJ-XFvn1WnhsNCUfyPNePehbVnBQOMcLoScZYHmLo2wwajAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNzATBgsrBgEEAYLlHAIBAQQEAwICJDAhBgsrBgEEAYLlHAEBBAQSBBDF71X_rZpLn7WAreuv4CbQMAwGA1UdEwEB_wQCMAAwDQYJKoZIhvcNAQELBQADggEBAItuk3adeE1u6dkA0nECf8J35Lgm5mw5udSIucstLQU9ZrTVNjwXugnxsT5oVriRN7o1BB-Lz7KJmtDw34kvh_uA11A9Ksf6veIV3hK-ugN7WNok7gn0t6IWOZF1xVr7lyo0XgbV88Kh-_D1biUqc5u49qSvTH-Jx1WrUxeFh1S1CTpmvmYGdzgWE32qLsNeoscPkbtkVSYbB8hwPb7SbV_WbBBLzJEPn79oMJ_e-63B12iLdyu2K_PKuibBsqSVHioe6cnvksZktkDykn-ZedRDpNOyBGo-89eBA9tLIYx_bP8Mg9tCoIP8GZzh2P2joujOF4F0O1xkICNI9MB3-6JoYXV0aERhdGFYxKN5pvbur7mlXjeMEYA04nUeaC-rny0wqxPSElWGzhlHQQAAAATF71X_rZpLn7WAreuv4CbQAEDDAvEvv-vY_dFxV_gwT7mhKUN9M6PatW8FqDSEjXAaJL4EjL5exyo-FIaoqgH4lfmw-19_6ao6j9zPlFGHBmUOpQECAyYgASFYILUgImoYph7H0FqX_aKS3A4Ph1Aki_Edg9YB6oxw7nrIIlgghBKeVu0Z4cV6-Cya1H2ZTeeWdisBlK6QWDM89ne6794=")
+    ),
+    AssertionExample(
+      id = ByteArray.fromBase64Url("wwLxL7_r2P3RcVf4ME-5oSlDfTOj2rVvBag0hI1wGiS-BIy-XscqPhSGqKoB-JX5sPtff-mqOo_cz5RRhwZlDg=="),
+      clientData = """{"type": "webauthn.get", "clientExtensions": {}, "challenge": "Q0hBTExFTkdF", "origin": "https://example.com"}""",
+      authDataBytes = ByteArray.fromBase64Url("o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUcBAAAABw=="),
+      sig = ByteArray.fromBase64Url("MEQCIHqWh09siRtXwUCVOnTrWUTfJfe9zv0_-WYd376qUcBqAiBMdsCPp-LpUEhgSbOz8y6hS1YTKFgpN-nIrpYDTxQhiA=="),
+    )
+  )
+
   val SecurityKey = Example(
     RelyingPartyIdentity.builder().id("example.com").name("Example RP").build(),
     UserIdentity.builder().name("test@example.org").displayName("A. User").id(ByteArray.fromBase64Url("dXNlcl9pZA==")).build(),

From 6ba8b5af968b8f50f094aa227ddfde8652ddeb9e Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Mon, 4 Nov 2019 17:11:49 +0100
Subject: [PATCH 19/24] Test that attestations parse transports correctly

---
 .../DeviceIdentificationSpec.scala            | 42 +++++++++++--------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
index 0f740629e..d6170b934 100644
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
@@ -33,6 +33,8 @@ import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
 import com.yubico.webauthn.test.RealExamples
 import com.yubico.webauthn.FinishRegistrationOptions
 import com.yubico.webauthn.RelyingParty
+import com.yubico.webauthn.attestation.Transport.NFC
+import com.yubico.webauthn.attestation.Transport.USB
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
 import com.yubico.webauthn.data.PublicKeyCredentialParameters
 import com.yubico.webauthn.test.Helpers
@@ -57,7 +59,7 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
   describe("A RelyingParty with the default StandardMetadataService") {
 
     describe("correctly identifies") {
-      def check(expectedName: String, testData: RealExamples.Example) {
+      def check(expectedName: String, testData: RealExamples.Example, transports: Set[Transport]) {
         val rp = RelyingParty.builder()
           .identity(testData.rp)
           .credentialRepository(Helpers.CredentialRepository.empty)
@@ -78,68 +80,72 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
         result.getAttestationMetadata.isPresent should be (true)
         result.getAttestationMetadata.get.getDeviceProperties.isPresent should be (true)
         result.getAttestationMetadata.get.getDeviceProperties.get().get("displayName") should equal (expectedName)
+        result.getAttestationMetadata.get.getTransports.isPresent should be (true)
+        result.getAttestationMetadata.get.getTransports.get.asScala should equal (transports)
       }
 
       it("a YubiKey NEO.") {
-        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo)
+        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo, Set(USB, NFC))
       }
       it("a YubiKey 4.") {
-        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4)
+        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4, Set(USB))
       }
       it("a YubiKey 5 NFC.") {
-        check("YubiKey 5 NFC", RealExamples.YubiKey5)
+        check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
       }
       it("a YubiKey 5 Nano.") {
-        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano)
+        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
       }
       it("a YubiKey 5Ci.") {
-        check("YubiKey 5Ci", RealExamples.YubiKey5Ci)
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB))
       }
       it("a Security Key by Yubico.") {
-        check("Security Key by Yubico", RealExamples.SecurityKey)
+        check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
       }
       it("a Security Key 2 by Yubico.") {
-        check("Security Key by Yubico", RealExamples.SecurityKey2)
+        check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
       }
       it("a Security Key NFC by Yubico.") {
-        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc)
+        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc, Set(USB, NFC))
       }
     }
   }
 
   describe("The default AttestationResolver") {
     describe("successfully identifies") {
-      def check(expectedName: String, testData: RealExamples.Example) {
+      def check(expectedName: String, testData: RealExamples.Example, transports: Set[Transport]) {
         val cert = CertificateParser.parseDer(testData.attestationCert.getBytes)
         val resolved = StandardMetadataService.createDefaultAttestationResolver().resolve(cert)
         resolved.isPresent should be (true)
         resolved.get.getDeviceProperties.isPresent should be (true)
         resolved.get.getDeviceProperties.get.get("displayName") should equal (expectedName)
+        resolved.get.getTransports.isPresent should be (true)
+        resolved.get.getTransports.get.asScala should equal (transports)
       }
 
       it("a YubiKey NEO.") {
-        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo)
+        check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo, Set(USB, NFC))
       }
       it("a YubiKey 4.") {
-        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4)
+        check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4, Set(USB))
       }
       it("a YubiKey 5 NFC.") {
-        check("YubiKey 5 NFC", RealExamples.YubiKey5)
+        check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
       }
       it("a YubiKey 5 Nano.") {
-        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano)
+        check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
       }
       it("a YubiKey 5Ci.") {
-        check("YubiKey 5Ci", RealExamples.YubiKey5Ci)
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB))
       }
       it("a Security Key by Yubico.") {
-        check("Security Key by Yubico", RealExamples.SecurityKey)
+        check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
       }
       it("a Security Key 2 by Yubico.") {
-        check("Security Key by Yubico", RealExamples.SecurityKey2)
+        check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
       }
       it("a Security Key NFC by Yubico.") {
-        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc)
+        check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc, Set(USB, NFC))
       }
     }
   }

From 99582b11c2199cba86b77f32ba88d1794f1b4c13 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Mon, 4 Nov 2019 17:12:12 +0100
Subject: [PATCH 20/24] Add LIGHTNING value to attestation.Transport

---
 NEWS                                                       | 1 +
 .../java/com/yubico/webauthn/attestation/Transport.java    | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 44a26243a..048e29623 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ Bug fixes:
 
 `webauthn-server-attestation`:
 
+- New enum constant `Transport.LIGHTNING`
 - Fixed transports field of YubiKey NEO/NEO-n in `metadata.json`.
 - Added YubiKey 5Ci to `metadata.json`.
 - Most `deviceUrl` fields in `metadata.json` changed to point to stable
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/attestation/Transport.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/attestation/Transport.java
index 43098e1af..4d34b4c82 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/attestation/Transport.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/attestation/Transport.java
@@ -50,7 +50,12 @@ public enum Transport {
     /**
      * The authenticator supports communication via Near Field Communication (NFC).
      */
-    NFC(8);
+    NFC(8),
+
+    /**
+     * The authenticator supports communication via Lightning.
+     */
+    LIGHTNING(16);
 
     private final int bitpos;
 

From 1f29d1e914a71f7f534b52a66ae2a343c7279c81 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Mon, 4 Nov 2019 17:12:44 +0100
Subject: [PATCH 21/24] Fix YubiKey 5Ci transports metadata test

---
 .../webauthn/attestation/DeviceIdentificationSpec.scala      | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
index d6170b934..77f1a2971 100644
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
@@ -33,6 +33,7 @@ import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
 import com.yubico.webauthn.test.RealExamples
 import com.yubico.webauthn.FinishRegistrationOptions
 import com.yubico.webauthn.RelyingParty
+import com.yubico.webauthn.attestation.Transport.LIGHTNING
 import com.yubico.webauthn.attestation.Transport.NFC
 import com.yubico.webauthn.attestation.Transport.USB
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
@@ -97,7 +98,7 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
         check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
       }
       it("a YubiKey 5Ci.") {
-        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB))
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
       }
       it("a Security Key by Yubico.") {
         check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
@@ -136,7 +137,7 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
         check("YubiKey 5 Series security key", RealExamples.YubiKey5Nano, Set(USB))
       }
       it("a YubiKey 5Ci.") {
-        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB))
+        check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
       }
       it("a Security Key by Yubico.") {
         check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))

From 71665199aa39472cefde25b464c8063398be0bc0 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 5 Nov 2019 13:51:16 +0100
Subject: [PATCH 22/24] Bump next version number to 1.6.0

---
 NEWS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 048e29623..aa20ede57 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-== Version 1.5.1 (unreleased) ==
+== Version 1.6.0 (unreleased) ==
 
 `webauthn-server-core`:
 

From 709b9cecc476478e0b1aa081dc2d523d9b6df2d9 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 8 Nov 2019 18:07:33 +0100
Subject: [PATCH 23/24] Bump Jackson dependency version 2.9.10.1

---
 NEWS         | 4 ++++
 build.gradle | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 26657e612..ca7b04891 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,9 @@
 == Version 1.5.1 (unreleased) ==
 
+Security fixes:
+
+- Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942
+
 Bug fixes:
 
 - Fixed bug introduced in 1.4.0, which caused
diff --git a/build.gradle b/build.gradle
index 5df027eee..8264dadb6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -51,9 +51,9 @@ allprojects {
 Map<String, String> dependencyVersions = [
   'ch.qos.logback:logback-classic:1.2.3',
   'com.augustcellars.cose:cose-java:1.0.0',
-  'com.fasterxml.jackson.core:jackson-databind:2.9.9.3',
-  'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.9.9',
-  'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.9',
+  'com.fasterxml.jackson.core:jackson-databind:2.9.10.1',
+  'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.9.10',
+  'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.10',
   'com.google.guava:guava:19.0',
   'com.upokecenter:cbor:4.0.1',
   'javax.activation:activation:1.1.1',

From 732fe225cd12b9ca9d82eee6499797758efbeef5 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 8 Nov 2019 19:04:19 +0100
Subject: [PATCH 24/24] Fix deprecation warning on new Integer(_)

---
 .../scala/com/yubico/internal/util/ComparableUtilSpec.scala     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yubico-util/src/test/scala/com/yubico/internal/util/ComparableUtilSpec.scala b/yubico-util/src/test/scala/com/yubico/internal/util/ComparableUtilSpec.scala
index 072a2dd89..0547c5b65 100644
--- a/yubico-util/src/test/scala/com/yubico/internal/util/ComparableUtilSpec.scala
+++ b/yubico-util/src/test/scala/com/yubico/internal/util/ComparableUtilSpec.scala
@@ -21,7 +21,7 @@ class ComparableUtilSpec extends FunSpec with Matchers with GeneratorDrivenPrope
   } yield (a, b)
 
   def toJava(s: Set[Int]): java.util.SortedSet[Integer] =
-    new java.util.TreeSet[Integer](s.map(new Integer(_)).asJava)
+    new java.util.TreeSet[Integer](s.map(_.asInstanceOf[java.lang.Integer]).asJava)
 
   describe("compareComparableSets") {
     it("sorts differently-sized sets in order of cardinality.") {