Version 3.0 (December 2023)
  • 17 Jan 2025

New features and enhancements

FIDO SDK library files renamed  fido2    uaf  

The FIDO UAF SDK and FIDO2 SDK library and project files have been renamed and unified.

  • For FIDO UAF SDK: fido-sdk.jar has been renamed to uaf-core.jar
  • For FIDO2 SDK: fido2-sdk.jar has been renamed to fido2-core.jar

FIDO Metadata Service

OneSpan FIDO Universal Server SDK now supports FIDO Metadata Service 3.0.

For more information about FIDO metadata, refer to the FIDO Alliance documentation.

Validation of attestation modes by FIDO2 SDK   fido2  

When finalizing the registration process, the FIDO2 SDK now validates that the attestation mode (also known as Attestation Conveyance Preference) is compatible with the attestation statement that the authenticator sends. If the attestation statement is empty, the attestation mode must be NONE. An empty attestation statement is not compatible with an attestation mode of DIRECT or INDIRECT.
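
The compatibility rule above, sketched as an added example (this is not OneSpan SDK code; the class, enum and method names are hypothetical). It also applies the WebAuthn rule that the "none" format carries an empty attStmt map, and runs both checks over a few constructed registration results.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not OneSpan SDK code; all class and method names are hypothetical.
public class AttestationModeCheck {

    // Attestation conveyance preferences named in the release note.
    enum AttestationMode { NONE, INDIRECT, DIRECT }

    // Returns null if the pair is acceptable, otherwise the reason for rejecting it.
    static String reject(AttestationMode requested, String fmt, Map<String, Object> attStmt) {
        boolean empty = attStmt == null || attStmt.isEmpty();
        // WebAuthn defines the "none" format as carrying an empty attStmt map.
        if ("none".equals(fmt) && !empty) {
            return "fmt is none but attStmt is not empty";
        }
        // Rule from the release note: an empty statement is only valid with mode NONE.
        if (empty && requested != AttestationMode.NONE) {
            return "empty attStmt is incompatible with mode " + requested;
        }
        return null;
    }

    public static void main(String[] args) {
        Map<String, Object> emptyStmt = new LinkedHashMap<>();
        Map<String, Object> packedStmt = new LinkedHashMap<>();
        packedStmt.put("alg", -7);                 // constructed sample: COSE ES256
        packedStmt.put("sig", new byte[] {0x30});  // constructed placeholder bytes

        // Constructed cases: requested mode, attestation format, decoded attStmt.
        Object[][] cases = {
            {AttestationMode.NONE, "none", emptyStmt},
            {AttestationMode.DIRECT, "none", emptyStmt},
            {AttestationMode.INDIRECT, "none", emptyStmt},
            {AttestationMode.DIRECT, "packed", packedStmt},
            {AttestationMode.DIRECT, "none", packedStmt},
        };
        for (Object[] c : cases) {
            @SuppressWarnings("unchecked")
            Map<String, Object> stmt = (Map<String, Object>) c[2];
            String reason = reject((AttestationMode) c[0], (String) c[1], stmt);
            System.out.println(c[0] + " + " + c[1] + " -> "
                    + (reason == null ? "accept" : "reject: " + reason));
        }
    }
}
```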

Build upgrade and migration to Java 17  fido2    fido2‑sample   uaf    uaf‑sample 

The FIDO UAF SDK and FIDO2 SDK library and project files have been migrated to support and build with Java 17. The related Docker base images have been updated if applicable. Obsolete dependencies were removed. Furthermore, the security provider for the FIDO UAF SDK was changed to BouncyCastle.

Software libraries

The third-party library dependencies have been updated where applicable, most notably:

Fixes and other updates

Issue OAS-16715, OAS-16294: Authenticator deregistration failures  uaf  

Description: A couple of scenarios were identified where the authenticator deregistration fails, in particular:

  • The deregistration fails if no registrations are found for a user.
  • The deregistration fails if a user has multiple registrations for the same Authenticator Attestation ID.

Status: This issue has been fixed.

Issue OAS-16654: Inconsistencies in FIDO UAF policy implementation  uaf  

Description: A couple of inconsistencies in the FIDO UAF server policy related to the MatchCriteria object have been identified.

Status: This issue has been fixed. The MatchCriteria object implementation has been fixed to comply with the FIDO UAF protocol specification.

Issue OAS-16294: Authenticator registration fails due to incorrect certificate extension handling  fido2  

Description: Two issues were discovered where the authenticator registration fails because of incorrect certificate handling, in particular:

  • The registration fails if the Authenticator Attestation GUID is encoded as a certificate extension.
  • The registration fails if the subject name of the certificate sent as part of the registration response contains a comma.

Status: This issue has been fixed.
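
An added example (not OneSpan SDK code; class and method names are hypothetical) showing one way a comma in a certificate subject can break name handling. The release note does not state the root cause, so the naive comma split below is an assumed failure mode, shown beside parsing that honors RFC 2253 escaping.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Added illustration, not OneSpan SDK code; class and method names are hypothetical.
public class SubjectDnComma {

    // Fragile: treats every comma as an RDN separator, including escaped ones.
    static List<String> naiveSplit(String dn) {
        List<String> parts = new ArrayList<>();
        for (String p : dn.split(",")) {
            parts.add(p.trim());
        }
        return parts;
    }

    // Robust: LdapName applies RFC 2253 escaping rules, so "\," stays inside the value.
    static String attribute(String dn, String type) throws InvalidNameException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject; X509Certificate.getSubjectX500Principal() yields the same type.
        X500Principal subject = new X500Principal(
                "CN=Example Authenticator,O=Example\\, Inc.,OU=Authenticator Attestation,C=US");
        String dn = subject.getName(X500Principal.RFC2253);

        System.out.println("RFC 2253 form : " + dn);
        System.out.println("naive split   : " + naiveSplit(dn));
        System.out.println("O via LdapName: " + attribute(dn, "O"));
    }
}
```

The naive split yields a fragment with no attribute type (" Inc."), which a strict subject-field check would reject, while the LdapName lookup returns the organization value with its comma intact.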

Issue OAS-14487, OAS-11109: Low performance during FIDO2 registration/authentication  fido2  

Description: The initialization of a FIDO2 registration/authentication process can take a long time, in some circumstances even longer than 1 minute.

Status: This issue has been fixed.

Issue OAS-12060: Authenticator registration fails for attestation type "none"  fido2  

Description: When a user wants to register a FIDO2 authenticator with attestation mode none, the registration process fails because the FIDO Server attempts to retrieve a metadata statement with an all-zero Authenticator Attestation GUID (AAGUID).

Status: This issue has been fixed. The FIDO2 SDK handles authenticator registrations with attestation type none correctly now.

Issue OAS-11233: Authentication terminates unexpectedly  fido2  

Description: The finalization of the authentication process can terminate unexpectedly when attempting to use an undefined key algorithm.

Status: This issue has been fixed.

Issue OAS-10852: FIDO UAF status codes do not match for the FIDO authentication operations  uaf  

Description: The FIDO Server returns FIDO UAF status code mismatches when the FIDO Conformance Tools are run against the FIDO authentication endpoints in the FIDO UAF SDK.

Status: This issue has been fixed. The UAF status codes have been corrected in the FIDO UAF SDK. For more information about UAF status codes, refer to the FIDO Alliance documentation.

Issue OAS-10850: FIDO UAF status codes do not match for the FIDO registration operations  uaf  

Description: The FIDO Server returns FIDO UAF status code mismatches when the FIDO Conformance Tools are run against the FIDO registration endpoints in the FIDO UAF SDK.

Status: This issue has been fixed. The UAF status codes have been corrected in the FIDO UAF SDK. For more information about UAF status codes, refer to the FIDO Alliance documentation.

Issue OAS-5004: Issues related to FIDO2 specification compliance  fido2  

Description: A couple of issues were identified during FIDO2 SDK self-validation for FIDO2 specification compliance.

Status: The identified issues have been fixed, including the following changes:

  • The implementation of fido2-core was changed to support u2f and get trust anchors for it by attestationCertificateKeyIdentifier.
  • Added support to get trust anchors and metadata by attestationCertificateKeyIdentifier.
  • Fixed issues for Trusted Platform Module (TPM) attestation.
  • The validation of the trust path was enhanced to use the full certificate chain.
  • Added implementation for Apple attestation.
  • Added implementation for the android-safetynet validator.
  • Fixed issues with ServerAuthenticatorAttestationResponse in context of FULL "packed" attestation.
