warn about incompatible/invalid parameters

Yubico · Nov 21, 2023 · 94b28c3 · 94b28c3
1 parent 488a2a9
commit 94b28c3
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/fido/src/main/java/com/yubico/yubikit/fido/client/BasicWebAuthnClient.java b/fido/src/main/java/com/yubico/yubikit/fido/client/BasicWebAuthnClient.java
@@ -19,6 +19,7 @@
 import com.yubico.yubikit.core.application.CommandException;
 import com.yubico.yubikit.core.application.CommandState;
 import com.yubico.yubikit.core.fido.CtapException;
+import com.yubico.yubikit.core.internal.Logger;
 import com.yubico.yubikit.fido.ctap.ClientPin;
 import com.yubico.yubikit.fido.ctap.CredentialManagement;
 import com.yubico.yubikit.fido.ctap.Ctap2Session;
@@ -449,12 +450,22 @@ protected Ctap2Session.CredentialData ctapMakeCredential(
             }
 
             @Nullable Integer validatedEnterpriseAttestation = null;
-            if (isEnterpriseAttestationSupported() &&
+            boolean enterpriseAttestationSupported = isEnterpriseAttestationSupported();
+
+            if (!enterpriseAttestationSupported && enterpriseAttestation != null) {
+                Logger.warn(logger, "Ignoring provided enterpriseAttestation parameter because" +
+                        " the authenticator does not support enterprise attestation.");
+            }
+
+            if (enterpriseAttestationSupported &&
                     AttestationConveyancePreference.ENTERPRISE.equals(options.getAttestation()) &&
-                    userAgentConfiguration.supportsEpForRpId(rpId) &&
-                    enterpriseAttestation != null &&
-                    (enterpriseAttestation == 1 || enterpriseAttestation == 2)) {
-                validatedEnterpriseAttestation = enterpriseAttestation;
+                    userAgentConfiguration.supportsEpForRpId(rpId)) {
+                if (enterpriseAttestation == null ||
+                        (enterpriseAttestation != 1 && enterpriseAttestation != 2)) {
+                    Logger.warn(logger, "Invalid value for enterpriseAttestation parameter.");
+                } else {
+                    validatedEnterpriseAttestation = enterpriseAttestation;
+                }
             }
 
             return ctap.makeCredential(

diff --git a/fido/src/main/java/com/yubico/yubikit/fido/ctap/ClientPin.java b/fido/src/main/java/com/yubico/yubikit/fido/ctap/ClientPin.java
@@ -175,6 +175,11 @@ public byte[] getPinToken(char[] pin,
                     ? CMD_GET_PIN_TOKEN_USING_PIN_WITH_PERMISSIONS
                     : CMD_GET_PIN_TOKEN;
 
+            if (!tokenSupported && (permissions != null || permissionsRpId != null)) {
+                Logger.warn(logger, "Ignoring permissions/permissionsRpId parameters as the " +
+                        " authenticator does not support PIN U/V Token");
+            }
+
             Map<Integer, ?> result = ctap.clientPin(
                     pinUvAuth.getVersion(),
                     subCommand,