Merge branch 'release/2.4.0' into merge/release/2.4.0

AndroidDemo/build.gradle

@@ -59,7 +59,7 @@ dependencies {
     implementation 'org.jetbrains.kotlinx:kotlinx-coroutines-android:1.7.1'
 
     implementation 'androidx.core:core-ktx:1.12.0'
-    implementation 'androidx.fragment:fragment-ktx:1.6.1'
+    implementation 'androidx.fragment:fragment-ktx:1.6.2'
     implementation 'androidx.appcompat:appcompat:1.6.1'
     implementation 'androidx.legacy:legacy-support-v4:1.0.0'
     implementation 'androidx.recyclerview:recyclerview:1.3.2'
@@ -71,7 +71,7 @@ dependencies {
     implementation "androidx.lifecycle:lifecycle-extensions:2.2.0"
 
     // Navigation
-    def nav_version = '2.7.4'
+    def nav_version = '2.7.5'
     implementation "androidx.navigation:navigation-fragment-ktx:$nav_version"
     implementation "androidx.navigation:navigation-ui-ktx:$nav_version"
     implementation "androidx.navigation:navigation-dynamic-features-fragment:$nav_version"

NEWS

@@ -1,93 +1,101 @@
+* Version 2.4.0 (released 2023-11-21)
+ ** fido module (new):
+  - support for WebAuthn Level 2
+  - support for CTAP2.1 features: Credential Management, Client PIN, Config, Enterprise Attestation
+ ** openpgp module (new):
+  - PIN operations: (un)verification, user and admin password management
+  - key operations: import/generate, sign/verify, encrypt/decrypt
+ ** android module:
+  - targetSdk is now 34 (Android 14)
+ ** core module:
+  - added support for Le in APDU
+  - added PublicKeyValues and PrivateKeyValues classes for unified handling of asymmetric keys
+ ** PIV module:
+  - deprecated classes: InvalidPinException, Padding
+  - deprecated methods: SlotMetadata.getPublicKey(), PivSession.generateKey(), PivSession.putKey()
+
 * Version 2.4.0-beta01 (released 2023-09-01)
  ** core module:
- *** added support for Le in APDU
- *** added PublicKeyValues and PrivateKeyValues classes for unified handling of asymmetric keys
+  - added support for Le in APDU
+  - added PublicKeyValues and PrivateKeyValues classes for unified handling of asymmetric keys
  ** PIV module:
- *** deprecated classes: InvalidPinException, Padding
- *** deprecated methods: SlotMetadata.getPublicKey(), PivSession.generateKey(), PivSession.putKey()
- ** fido module:
- *** added support for WebAuthn and CTAP2
+  - deprecated classes: InvalidPinException, Padding
+  - deprecated methods: SlotMetadata.getPublicKey(), PivSession.generateKey(), PivSession.putKey()
+ ** fido module (new):
+  - added initial support for WebAuthn and CTAP2
 
 * Version 2.3.0 (released 2023-05-29)
  ** core module:
- *** deprecated `com.yubico.yubikit.core.Logger`
- *** added `YubiKeyDevice.openConnection()` to public API
+  - deprecated `com.yubico.yubikit.core.Logger`
+  - added `YubiKeyDevice.openConnection()` to public API
  ** android module:
- *** updated code to support Android 14 behavior changes
+  - updated code to support Android 14 behavior changes
  ** PIV module:
- *** implemented support for compressed certificates
+  - implemented support for compressed certificates
  ** general updates:
- *** adapted for use with slf4j logging system
- *** added support for building with Java 17
- *** updated build dependencies and libraries
+  - adapted for use with slf4j logging system
+  - added support for building with Java 17
+  - updated build dependencies and libraries
 
 * Version 2.2.0 (released 2023-01-17)
  ** core module:
- *** Added a public class containing YubiKey smartcard application ids (core.smartcard.AppId)
+  - Added a public class containing YubiKey smartcard application ids (core.smartcard.AppId)
  ** android module:
- *** Added SmartCardConnection.getAtr() and USB and NFC implementations for getting ATR and ATS
- *** Updated dependency versions, compile and build with latest SDKs
- *** Bug fixes related to Android 13
- *** Bug fixes related to communication over NFC
- *** All library resources are now prefixed with 'yubikit_' prefix (thanks to @ajarl for contribution)
- *** Library resources which are available to override by clients are explicitly marked as public
+  - Added SmartCardConnection.getAtr() and USB and NFC implementations for getting ATR and ATS
+  - Updated dependency versions, compile and build with latest SDKs
+  - Bug fixes related to Android 13
+  - Bug fixes related to communication over NFC
+  - All library resources are now prefixed with 'yubikit_' prefix (thanks to @ajarl for contribution)
+  - Library resources which are available to override by clients are explicitly marked as public
  ** support module:
- *** Added a helper method NfcYubiKeyDevice.isYubiKey() for probing NFC devices
- *** Updated DeviceUtil.getName() to supports additional hardware security keys by Yubico
+  - Added a helper method NfcYubiKeyDevice.isYubiKey() for probing NFC devices
+  - Updated DeviceUtil.getName() to supports additional hardware security keys by Yubico
  ** AndroidDemo module:
- *** bug fixes and improvements
+  - bug fixes and improvements
 
 * Version 2.1.0 (released 2022-07-25)
- ** Added a new support module with utility functions for getting device
-    information/metadata.
+ ** Added a new support module with utility functions for getting device information/metadata.
  ** PIV:
- *** Added a JCA Provider implementation.
- *** Added Slot getStringAlias and fromStringAlias methods.
+  - Added a JCA Provider implementation.
+  - Added Slot getStringAlias and fromStringAlias methods.
  ** OATH:
- *** Fixed OathSession.calculateCodes so that it never triggers touch.
+  - Fixed OathSession.calculateCodes so that it never triggers touch.
  ** Management:
- *** DeviceInfo now provides isFips and isSky properties.
+  - DeviceInfo now provides isFips and isSky properties.
  ** Deprecations (will be removed in 3.0.0):
- *** PivSession.sign has been deprecated in favor of using the JCA Provider.
- *** OathSession.hasAccessKey has been deprecated and replaced with
-     OathSession.isAccessKeySet.
- *** UsbInterface in the management module has been deprecated, replaced with
-     UsbInterface in the core module.
+  - PivSession.sign has been deprecated in favor of using the JCA Provider.
+  - OathSession.hasAccessKey has been deprecated and replaced with OathSession.isAccessKeySet.
+  - UsbInterface in the management module has been deprecated, replaced with UsbInterface in
+    the core module.
  ** Added testing-android module which can run tests on physical devices
- *** currently Piv and Piv Jca tests are implemented
+  - currently Piv and Piv Jca tests are implemented
  ** Bug fixes and improvements
 
-
 * Version 2.1.0-alpha.1 (released 2022-06-01)
  ** Public preview of 2.1.0
 
-
 * Version 2.0.0 (released 2021-04-01)
  ** BACKWARDS INCOMPATIBLE: Major structural overhaul from 1.0.
  ** The yubikit module is replaced by the core and android modules.
  ** The otp module had been renamed to yubiotp.
  ** Several classes have been renamed and/or moved.
  ** Connection handling is now asynchronous.
 
-
 * Version 2.0.0-beta02 (released 2021-02-24)
  ** Connection handling is now asynchronous.
  ** YubiKitManager listeners have been replaced with more generic Callbacks.
  ** Release artifacts are compiled to run on Java 8.
 
-
 * Version 2.0.0-beta01 (released 2020-12-07)
  ** Public preview of 2.0.0, a major restructuring of modules.
 
-
 * Version 1.0.0 (released 2020-06-10)
  ** Documentation improvements.
  ** Removal of unused code and properties.
  ** Dependencies updated.
  ** yubikit: ATR is read upon opening an Iso7816Connection (USB).
  ** otp: The KeyListener interface is no longer public.
 
-
 * Version 1.0.0-beta06 (released 2020-05-08)
  ** Various naming changes to classes and methods to better represent what they do.
  ** Various additional refactorings and minor changes to improve readability and consistency.
@@ -99,7 +107,6 @@
  ** FIDO2 module removed.
  ** 'Smartcard demo' removed.
 
-
 * Version 1.0.0-beta05 (released 2020-03-31)
  ** yubikit: Provides callback to users on whether permissions (for USB plug-in device) from user were accepted or denied.
  ** yubikit: Provides configurations mechanism for NFC discovery (e.g. play sound, read NDEF tag, etc.).
@@ -109,21 +116,17 @@
  ** piv: Fixing PIV signing (issue with RSA PKCS1.15 padding).
  ** fido: Allow launching of FIDO intents from fragment as well as from activity.
 
-
 * Version 1.0.0-beta04 (released 2020-02-06)
  ** Added YubiKey configuration capabilities, programming OTP slots.
  ** HMAC-SHA1 challenge-response.
 
-
 * Version 1.0.0-beta03 (released 2019-10-15)
  ** Making QR/play-services-vision dependency optional for OATH module.
 
-
 * Version 1.0.0-beta02 (released 2019-10-04)
  ** Smart Card functionality based on the Personal Identity Verification (PIV) interface.
  ** Management API to enable/disable interfaces on YubiKey.
 
-
 * Version 1.0.0-beta01 (released 2019-08-06)
  ** Supports raw APDU communication with YubiKey over NFC and USB.
  ** Provides high level API for OATH applet.

README.adoc

@@ -36,7 +36,7 @@ This module provides concrete implementations for the interfaces in *core*, the
 various reusable UI elements.
 
 link:./fido/[Fido]::
-This module adds FIDO2 support. Current implementation supports Webauthn Level 2 and CTAP 2.0 for managing FIDO credentials on YubiKeys.
+This module adds FIDO2 support. Current implementation supports Webauthn Level 2 and CTAP 2.1 for managing FIDO credentials on YubiKeys.
 
 link:./management/[Management]::
 This module provides the ability to read out metadata from a YubiKey, such as
@@ -48,6 +48,10 @@ This module lets you configure the YubiOTP application. This includes
 configuring the two "keyboard slots", and using the Challenge-Response
 functionality.
 
+link:./openpgp/[OpenPGP]::
+This module lets you use the OpenPGP smart card application on a YubiKey and execute operations such as OpenPGP PIN management,
+key import and generation (including RSA4096, ECDSA and Curve25519 on supported YubiKeys), encryption, decryption, signature and signature verification.
+
 link:./oath/[OATH]::
 This module lets you configure and use the OATH application on a YubiKey. It can
 store and use up to 32 OATH (TOTP or HOTP) credentials.

android/build.gradle

@@ -37,12 +37,12 @@ dependencies {
     api project(':core')
 
     compileOnly 'androidx.annotation:annotation:1.7.0'
-    compileOnly 'com.github.spotbugs:spotbugs-annotations:4.7.3'
+    compileOnly 'com.github.spotbugs:spotbugs-annotations:4.8.0'
 
     testImplementation project(':testing')
     testImplementation 'androidx.test.ext:junit:1.1.5'
     testImplementation 'org.robolectric:robolectric:4.10.3'
-    testImplementation 'org.mockito:mockito-core:5.6.0'
+    testImplementation 'org.mockito:mockito-core:5.7.0'
 
     androidTestImplementation 'androidx.test.ext:junit:1.1.5'
     androidTestImplementation 'androidx.test:runner:1.5.2'

build.gradle

@@ -9,7 +9,7 @@ buildscript {
         google()
     }
     dependencies {
-        classpath 'com.android.tools.build:gradle:8.1.2'
+        classpath 'com.android.tools.build:gradle:8.1.4'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
     }
 }
@@ -35,7 +35,7 @@ allprojects {
 }
 
 subprojects {
-    version = '2.4.0-SNAPSHOT'
+    version = '2.4.0'
     ext.pomName = "Yubico YubiKit ${project.name.capitalize()}"
 
 

buildSrc/src/main/groovy/project-convention-logging.gradle

@@ -1,3 +1,3 @@
 dependencies {
-    implementation 'org.slf4j:slf4j-api:2.0.7'
+    implementation 'org.slf4j:slf4j-api:2.0.9'
 }

core/build.gradle

@@ -1,7 +1,7 @@
 apply plugin: 'yubikit-java-library'
 
 dependencies {
-    api 'org.slf4j:slf4j-api:2.0.7'
+    api 'org.slf4j:slf4j-api:2.0.9'
 }
 
 description = "The core module is the base library, with common interfaces and utilities used throughout the rest of the modules."

core/src/main/java/com/yubico/yubikit/core/internal/codec/Base64.java

@@ -41,7 +41,7 @@ public class Base64 {
      * @param data date to encode
      * @return Encoded data in Base64 URL safe format
      */
-    public static String encode(byte[] data) {
+    public static String toUrlSafeString(byte[] data) {
         return base64Codec.toUrlSafeString(data);
     }
 
@@ -52,7 +52,7 @@ public static String encode(byte[] data) {
      * @param data data to decode in Base64 URL safe format
      * @return decoded data
      */
-    public static byte[] decode(String data) {
+    public static byte[] fromUrlSafeString(String data) {
         return base64Codec.fromUrlSafeString(data);
     }
 

core/src/test/java/com/yubico/yubikit/core/keys/PrivateKeyValuesTest.java

@@ -24,17 +24,17 @@
 public class PrivateKeyValuesTest {
     @Test
     public void testParsePkcs8RsaKeyValues() {
-        PrivateKeyValues.Rsa.parsePkcs8RsaKeyValues(Base64.decode("MIICdQIBADANBgkqhkiG9w0BAQEFA" +
-                "ASCAl8wggJbAgEAAoGBALWeZ0E5O2l_iHfck9mokf1iWH2eZDWQoJoQKUOAeVoKUecNp250J5tL3EHO" +
-                "NqWoF6VLO-B-6jTET4Iz97BeUj7gOJHmEw-nqFfguTVmNeeiZ711TNYNpF7kwW7yWghWG-Q7iQEoMXf" +
-                "Y3x4BL33H2gKRWtMHK66GJViL1l9s3qDXAgMBAAECgYBO753pFzrfS3LAxbns6_snqcrULjdXoJhs3Y" +
-                "FRuVEE9V9LkP-oXguoz3vXjgzqSvib-ur3U7HvZTM5X-TTXutXdQ5CyORLLtXEZcyCKQI9ihH5fSNJR" +
-                "WRbJ3xe-xi5NANRkRDkro7tm4a5ZD4PYvO4r29yVB5PXlMkOTLoxNSwwQJBAN5lW93Agi9Ge5B2-B2E" +
-                "nKSlUvj0-jJBkHYAFTiHyTZVEj6baeHBvJklhVczpWvTXb6Nr8cjAKVshFbdQoBwHmkCQQDRD7djZGI" +
-                "WH1Lz0rkL01nDj4z4QYMgUs3AQhnrXPBjEgNzphtJ2u7QrCSOBQQHlmAPBDJ_MTxFJMzDIJGDA10_Ak" +
-                "ATJjEZz_ilr3D2SHgmuoNuXdneG-HrL-ALeQhavL5jkkGm6GTejnr5yNRJZOYKecGppbOL9wSYOdbPT" +
-                "-_o9T55AkATXCY6cRBYRhxTcf8q5i6Y2pFOaBqxgpmFJVnrHtcwBXoGWqqKQ1j8QAS-lh5SaY2JtnTK" +
-                "rI-NQ6Qmqbxv6n7XAkBkhLO7pplInVh2WjqXOV4ZAoOAAJlfpG5-z6mWzCZ9-286OJQLr6OVVQMcYEx" +
-                "UO9yVocZQX-4XqEIF0qAB7m31"));
+        PrivateKeyValues.Rsa.parsePkcs8RsaKeyValues(Base64.fromUrlSafeString("MIICdQIBADANBgkqhk" +
+                "iG9w0BAQEFAASCAl8wggJbAgEAAoGBALWeZ0E5O2l_iHfck9mokf1iWH2eZDWQoJoQKUOAeVoKUecNp" +
+                "250J5tL3EHONqWoF6VLO-B-6jTET4Iz97BeUj7gOJHmEw-nqFfguTVmNeeiZ711TNYNpF7kwW7yWghW" +
+                "G-Q7iQEoMXfY3x4BL33H2gKRWtMHK66GJViL1l9s3qDXAgMBAAECgYBO753pFzrfS3LAxbns6_snqcr" +
+                "ULjdXoJhs3YFRuVEE9V9LkP-oXguoz3vXjgzqSvib-ur3U7HvZTM5X-TTXutXdQ5CyORLLtXEZcyCKQ" +
+                "I9ihH5fSNJRWRbJ3xe-xi5NANRkRDkro7tm4a5ZD4PYvO4r29yVB5PXlMkOTLoxNSwwQJBAN5lW93Ag" +
+                "i9Ge5B2-B2EnKSlUvj0-jJBkHYAFTiHyTZVEj6baeHBvJklhVczpWvTXb6Nr8cjAKVshFbdQoBwHmkC" +
+                "QQDRD7djZGIWH1Lz0rkL01nDj4z4QYMgUs3AQhnrXPBjEgNzphtJ2u7QrCSOBQQHlmAPBDJ_MTxFJMz" +
+                "DIJGDA10_AkATJjEZz_ilr3D2SHgmuoNuXdneG-HrL-ALeQhavL5jkkGm6GTejnr5yNRJZOYKecGppb" +
+                "OL9wSYOdbPT-_o9T55AkATXCY6cRBYRhxTcf8q5i6Y2pFOaBqxgpmFJVnrHtcwBXoGWqqKQ1j8QAS-l" +
+                "h5SaY2JtnTKrI-NQ6Qmqbxv6n7XAkBkhLO7pplInVh2WjqXOV4ZAoOAAJlfpG5-z6mWzCZ9-286OJQL" +
+                "r6OVVQMcYExUO9yVocZQX-4XqEIF0qAB7m31"));
     }
 }

fido/src/main/java/com/yubico/yubikit/fido/Cose.java

@@ -69,7 +69,7 @@ public static PublicKey getPublicKey(@Nullable Map<Integer, ?> cosePublicKey)
                 throw new IllegalArgumentException("Unsupported key type: " + kty);
         }
 
-        Logger.debug(logger, "publicKey: {}", Base64.encode(publicKey.getEncoded()));
+        Logger.debug(logger, "publicKey: {}", Base64.toUrlSafeString(publicKey.getEncoded()));
 
         return publicKey;
     }
@@ -87,7 +87,7 @@ private static PublicKey importCoseEdDsaPublicKey(Map<Integer, ?> cosePublicKey)
     private static PublicKey importCoseEd25519PublicKey(Map<Integer, ?> cosePublicKey)
             throws InvalidKeySpecException, NoSuchAlgorithmException {
         final byte[] rawKey = (byte[]) Objects.requireNonNull(cosePublicKey.get(-2));
-        Logger.debug(logger, "raw: {}", Base64.encode(rawKey));
+        Logger.debug(logger, "raw: {}", Base64.toUrlSafeString(rawKey));
         return new Cv25519(EllipticCurveValues.Ed25519, rawKey).toPublicKey();
     }
 
@@ -98,8 +98,8 @@ private static PublicKey importCoseEcdsaPublicKey(Map<Integer, ?> cosePublicKey)
         final byte[] y = (byte[]) Objects.requireNonNull(cosePublicKey.get(-3));
 
         Logger.debug(logger, "crv: {}", crv);
-        Logger.debug(logger, "x: {}", Base64.encode(x));
-        Logger.debug(logger, "y: {}", Base64.encode(y));
+        Logger.debug(logger, "x: {}", Base64.toUrlSafeString(x));
+        Logger.debug(logger, "y: {}", Base64.toUrlSafeString(y));
 
         EllipticCurveValues ellipticCurveValues;
 
@@ -127,8 +127,8 @@ private static PublicKey importCoseRsaPublicKey(Map<Integer, ?> cosePublicKey)
             throws NoSuchAlgorithmException, InvalidKeySpecException {
         byte[] n = (byte[]) Objects.requireNonNull(cosePublicKey.get(-1));
         byte[] e = (byte[]) Objects.requireNonNull(cosePublicKey.get(-2));
-        Logger.debug(logger, "n: {}", Base64.encode(n));
-        Logger.debug(logger, "e: {}", Base64.encode(e));
+        Logger.debug(logger, "n: {}", Base64.toUrlSafeString(n));
+        Logger.debug(logger, "e: {}", Base64.toUrlSafeString(e));
         return new Rsa(new BigInteger(1, n), new BigInteger(1, e)).toPublicKey();
     }
 }

fido/src/main/java/com/yubico/yubikit/fido/ctap/Hkdf.java

@@ -61,20 +61,29 @@ byte[] expand(byte[] prk, byte[] info, int length) throws InvalidKeyException {
                     .put(info)
                     .put(i)
                     .array();
-            t = hmacDigest(prk, data);
+            Arrays.fill(t, (byte) 0);
+            byte[] digest = hmacDigest(prk, data);
 
-            okm = ByteBuffer.allocate(okm.length + t.length)
+            byte[] result = ByteBuffer.allocate(okm.length + digest.length)
                     .put(okm)
-                    .put(t)
+                    .put(digest)
                     .array();
+            Arrays.fill(okm, (byte) 0);
+            Arrays.fill(data, (byte) 0);
+            okm = result;
+            t = digest;
         }
 
-        return Arrays.copyOf(okm, length);
+        byte[] result = Arrays.copyOf(okm, length);
+        Arrays.fill(okm, (byte) 0);
+        return result;
     }
 
     byte[] digest(byte[] ikm, byte[] salt, byte[] info, int length)
             throws NoSuchAlgorithmException, InvalidKeyException {
         byte[] prk = extract(salt, ikm);
-        return expand(prk, info, length);
+        byte[] result = expand(prk, info, length);
+        Arrays.fill(prk, (byte) 0);
+        return result;
     }
 }