
ProjectPasskeys: fix(jans-fido2): Major FIDO2 / Passkeys upgrade

Open maduvena opened this issue 1 year ago • 16 comments

This PR completely revamps jans-fido2, to enable support for passkeys, and bring the server up to spec.

So far changes:

  • Added support for ED25519, RS384, RS512, ES384, ES512 #9086
  • Refactoring of the assertions and attestation requests/responses to Jackson ObjectMapper #9023
  • Removed legacy Android Safetynet and Keystore attestations #8901

maduvena avatar Aug 05 '24 17:08 maduvena

DryRun Security Summary

The pull request covers various updates and improvements to the FIDO2 authentication implementation in the Janssen application, focusing on enhancing security, configurability, logging, and monitoring of the FIDO2 functionality.


Summary:

The code changes in this pull request cover various updates and improvements to the FIDO2 (Fast Identity Online) authentication implementation in the Janssen (Jans) application. The changes focus on enhancing the security and configurability of the FIDO2 functionality, with a particular emphasis on the following areas:

  1. Metadata Service Validation: The changes introduce the ability to disable or monitor the metadata service validation during the FIDO2 attestation process. This is an important security consideration, as disabling metadata validation could potentially introduce risks if untrusted authenticators are allowed.

  2. FIDO Algorithm Configuration: The changes rename the "requested credential types" parameter to "enabled FIDO algorithms", allowing for better control and visibility over the supported cryptographic algorithms used in the FIDO2 implementation.

  3. Relying Party (RP) Configuration: The changes update the Relying Party configuration, including renaming fields and simplifying the structure. This helps to ensure that the RP information is correctly configured and aligned with the expected deployment environment.

  4. User Auto-Enrollment: The changes suggest a move away from automatically enrolling users in the FIDO2 authentication process, which is a positive security enhancement, as it requires explicit user consent for enrollment.

  5. Logging and Monitoring: The changes introduce new configuration options related to logging and metrics, which can improve the overall visibility and monitoring of the FIDO2 implementation.

Files Changed:

  1. docker-jans-fido2/scripts/upgrade.py: This file contains changes to the FIDO2 dynamic configuration, including the modification of the "attestationMode" parameter, which should be carefully reviewed to ensure that it does not introduce any security vulnerabilities.

  2. docs/janssen-server/fido/logs.md, docs/janssen-server/config-guide/fido2-config/janssen-fido2-configuration.md, docs/janssen-server/fido/config.md, docs/janssen-server/reference/json/properties/fido2-properties.md: These documentation files have been updated to reflect the changes in the FIDO2 configuration, including the renaming of parameters, the addition of new configuration options, and the changes to the metadata service validation.

  3. docs/script-catalog/person_authentication/fido2-external-authenticator/Fido2ExternalAuthenticator.py: This file contains changes to the FIDO2 authentication process, including the removal of the platformAuthenticatorAvailable parameter and improvements to the logging and error handling.

  4. docs/janssen-server/fido/vendor-metadata.md: This file discusses the handling of vendor-specific metadata in the FIDO2 implementation and the implications of disabling metadata validation.

  5. jans-auth-server/server/src/main/webapp/auth/fido2/passkeys.xhtml: This file contains changes to the FIDO2 credential registration and authentication processes, including the addition of an alert message for debugging purposes.

Overall, the changes in this pull request appear to be focused on improving the security and configurability of the FIDO2 implementation in the Janssen application. As an application security engineer, it is important to thoroughly review these changes and ensure that the FIDO2 implementation continues to adhere to best practices and industry standards for secure authentication.

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer findings:

  • Sensitive Files Analyzer: 1 finding
  • Authn/Authz Analyzer: 3 findings

Riskiness

:green_circle: Risk threshold not exceeded.


dryrunsecurity[bot] avatar Aug 05 '24 17:08 dryrunsecurity[bot]

Quality Gate failed for 'Fido2 API'

Failed conditions:

  • 181 New Code Smells (required ≤ 8)
  • 69 Duplicated Lines on New Code (required ≤ 20)

See analysis details on SonarCloud


sonarqubecloud[bot] avatar Aug 05 '24 17:08 sonarqubecloud[bot]

Thanks @imran-ishaq @moabu

I will review changes tomorrow

yackermann avatar Sep 25 '24 07:09 yackermann

Closed in favor of a rebase here https://github.com/JanssenProject/jans/pull/10078

moabu avatar Nov 07 '24 08:11 moabu