FinishRegistrationOptions.java

// Copyright (c) 2018, Yubico AB
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
//    list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
//    this list of conditions and the following disclaimer in the documentation
//    and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

package com.yubico.webauthn;

import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
import com.yubico.webauthn.data.PublicKeyCredential;
import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
import java.util.Optional;
import lombok.Builder;
import lombok.NonNull;
import lombok.Value;

/** Parameters for {@link RelyingParty#finishRegistration(FinishRegistrationOptions)}. */
@Value
@Builder(toBuilder = true)
public class FinishRegistrationOptions {

  /** The request that the {@link #getResponse() response} is a response to. */
  @NonNull private final PublicKeyCredentialCreationOptions request;

  /**
   * The client's response to the {@link #getRequest() request}.
   *
   * <p><a
   * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-createCredential">navigator.credentials.create()</a>
   */
  @NonNull
  private final PublicKeyCredential<
          AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs>
      response;

  /**
   * The <a href="https://tools.ietf.org/html/rfc8471#section-3.2">token binding ID</a> of the
   * connection to the client, if any.
   *
   * @see <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>
   */
  private final ByteArray callerTokenBindingId;

  /**
   * If <code>true</code>, then user presence (UP) will not be required during registration
   * verification. This is needed for <a
   * href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#dom-clientcapability-conditionalcreate">conditional
   * create</a> operations.
   *
   * <p>The default is <code>false</code> (UP is required).
   *
   * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
   *     the standard matures.
   * @since 2.7.0
   * @see <a
   *     href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#dom-clientcapability-conditionalcreate">
   *     <code>conditionalCreate</code> client capability</a>.
   * @see <a href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#authdata-flags-up"><code>UP
   *     </code> flag in authenticator data</a>.
   */
  @Deprecated @Builder.Default private final boolean isConditionalCreate = false;

  /**
   * The <a href="https://tools.ietf.org/html/rfc8471#section-3.2">token binding ID</a> of the
   * connection to the client, if any.
   *
   * @see <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>
   */
  public Optional<ByteArray> getCallerTokenBindingId() {
    return Optional.ofNullable(callerTokenBindingId);
  }

  public static FinishRegistrationOptionsBuilder.MandatoryStages builder() {
    return new FinishRegistrationOptionsBuilder.MandatoryStages();
  }

  public static class FinishRegistrationOptionsBuilder {
    private ByteArray callerTokenBindingId = null;

    public static class MandatoryStages {
      private final FinishRegistrationOptionsBuilder builder =
          new FinishRegistrationOptionsBuilder();

      /**
       * {@link FinishRegistrationOptionsBuilder#request(PublicKeyCredentialCreationOptions)
       * request} is a required parameter.
       *
       * @see FinishRegistrationOptionsBuilder#request(PublicKeyCredentialCreationOptions)
       */
      public Step2 request(PublicKeyCredentialCreationOptions request) {
        builder.request(request);
        return new Step2();
      }

      public class Step2 {
        /**
         * {@link FinishRegistrationOptionsBuilder#response(PublicKeyCredential) response} is a
         * required parameter.
         *
         * @see FinishRegistrationOptionsBuilder#response(PublicKeyCredential)
         */
        public FinishRegistrationOptionsBuilder response(
            PublicKeyCredential<
                    AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs>
                response) {
          return builder.response(response);
        }
      }
    }

    /**
     * The <a href="https://tools.ietf.org/html/rfc8471#section-3.2">token binding ID</a> of the
     * connection to the client, if any.
     *
     * @see <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>
     */
    public FinishRegistrationOptionsBuilder callerTokenBindingId(
        @NonNull Optional<ByteArray> callerTokenBindingId) {
      this.callerTokenBindingId = callerTokenBindingId.orElse(null);
      return this;
    }

    /**
     * The <a href="https://tools.ietf.org/html/rfc8471#section-3.2">token binding ID</a> of the
     * connection to the client, if any.
     *
     * @see <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>
     */
    public FinishRegistrationOptionsBuilder callerTokenBindingId(
        @NonNull ByteArray callerTokenBindingId) {
      return this.callerTokenBindingId(Optional.of(callerTokenBindingId));
    }
  }
}










Active mutators

CONDITIONALS_BOUNDARY
EMPTY_RETURNS
FALSE_RETURNS
INCREMENTS
INVERT_NEGS
MATH
NEGATE_CONDITIONALS
NULL_RETURNS
PRIMITIVE_RETURNS
TRUE_RETURNS
VOID_METHOD_CALLS

Tests examined

com.yubico.webauthn.RelyingPartyCeremoniesSpec (508 ms)
com.yubico.webauthn.AppleAttestationStatementVerifierSpec (1137 ms)
com.yubico.webauthn.RelyingPartyRegistrationSpec (11805 ms)
com.yubico.webauthn.FinishRegistrationOptionsTest.itHasANonOptionalCallerTokenBindingIdMethod(com.yubico.webauthn.FinishRegistrationOptionsTest) (0 ms)

Report generated by PIT 1.15.0

1		// Copyright (c) 2018, Yubico AB
2		// All rights reserved.
3		//
4		// Redistribution and use in source and binary forms, with or without
5		// modification, are permitted provided that the following conditions are met:
6		//
7		// 1. Redistributions of source code must retain the above copyright notice, this
8		// list of conditions and the following disclaimer.
9		//
10		// 2. Redistributions in binary form must reproduce the above copyright notice,
11		// this list of conditions and the following disclaimer in the documentation
12		// and/or other materials provided with the distribution.
13		//
14		// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15		// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16		// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17		// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18		// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19		// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20		// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21		// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22		// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23		// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24
25		package com.yubico.webauthn;
26
27		import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
28		import com.yubico.webauthn.data.ByteArray;
29		import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
30		import com.yubico.webauthn.data.PublicKeyCredential;
31		import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
32		import java.util.Optional;
33		import lombok.Builder;
34		import lombok.NonNull;
35		import lombok.Value;
36
37		/** Parameters for {@link RelyingParty#finishRegistration(FinishRegistrationOptions)}. */
38		@Value
39		@Builder(toBuilder = true)
40		public class FinishRegistrationOptions {
41
42		/** The request that the {@link #getResponse() response} is a response to. */
43		@NonNull private final PublicKeyCredentialCreationOptions request;
44
45		/**
46		* The client's response to the {@link #getRequest() request}.
47		*
48		* <p><a
49		* href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-createCredential">navigator.credentials.create()</a>
50		*/
51		@NonNull
52		private final PublicKeyCredential<
53		AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs>
54		response;
55
56		/**
57		* The <a href="https://tools.ietf.org/html/rfc8471#section-3.2">token binding ID</a> of the
58		* connection to the client, if any.
59		*
60		* @see <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>
61		*/
62		private final ByteArray callerTokenBindingId;
63
64		/**
65		* If <code>true</code>, then user presence (UP) will not be required during registration
66		* verification. This is needed for <a
67		* href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#dom-clientcapability-conditionalcreate">conditional
68		* create</a> operations.
69		*
70		* <p>The default is <code>false</code> (UP is required).
71		*
72		* @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
73		* the standard matures.
74		* @since 2.7.0
75		* @see <a
76		* href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#dom-clientcapability-conditionalcreate">
77		* <code>conditionalCreate</code> client capability</a>.
78		* @see <a href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#authdata-flags-up"><code>UP
79		* </code> flag in authenticator data</a>.
80		*/
81		@Deprecated @Builder.Default private final boolean isConditionalCreate = false;
82
83		/**
84		* The <a href="https://tools.ietf.org/html/rfc8471#section-3.2">token binding ID</a> of the
85		* connection to the client, if any.
86		*
87		* @see <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>
88		*/
89		public Optional<ByteArray> getCallerTokenBindingId() {
90	1 1. getCallerTokenBindingId : replaced return value with Optional.empty for com/yubico/webauthn/FinishRegistrationOptions::getCallerTokenBindingId → KILLED	return Optional.ofNullable(callerTokenBindingId);
91		}
92
93		public static FinishRegistrationOptionsBuilder.MandatoryStages builder() {
94	1 1. builder : replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions::builder → KILLED	return new FinishRegistrationOptionsBuilder.MandatoryStages();
95		}
96
97		public static class FinishRegistrationOptionsBuilder {
98		private ByteArray callerTokenBindingId = null;
99
100		public static class MandatoryStages {
101		private final FinishRegistrationOptionsBuilder builder =
102		new FinishRegistrationOptionsBuilder();
103
104		/**
105		* {@link FinishRegistrationOptionsBuilder#request(PublicKeyCredentialCreationOptions)
106		* request} is a required parameter.
107		*
108		* @see FinishRegistrationOptionsBuilder#request(PublicKeyCredentialCreationOptions)
109		*/
110		public Step2 request(PublicKeyCredentialCreationOptions request) {
111		builder.request(request);
112	1 1. request : replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions$FinishRegistrationOptionsBuilder$MandatoryStages::request → KILLED	return new Step2();
113		}
114
115		public class Step2 {
116		/**
117		* {@link FinishRegistrationOptionsBuilder#response(PublicKeyCredential) response} is a
118		* required parameter.
119		*
120		* @see FinishRegistrationOptionsBuilder#response(PublicKeyCredential)
121		*/
122		public FinishRegistrationOptionsBuilder response(
123		PublicKeyCredential<
124		AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs>
125		response) {
126	1 1. response : replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions$FinishRegistrationOptionsBuilder$MandatoryStages$Step2::response → KILLED	return builder.response(response);
127		}
128		}
129		}
130
131		/**
132		* The <a href="https://tools.ietf.org/html/rfc8471#section-3.2">token binding ID</a> of the
133		* connection to the client, if any.
134		*
135		* @see <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>
136		*/
137		public FinishRegistrationOptionsBuilder callerTokenBindingId(
138	1 1. callerTokenBindingId : negated conditional → KILLED	@NonNull Optional<ByteArray> callerTokenBindingId) {
139		this.callerTokenBindingId = callerTokenBindingId.orElse(null);
140	1 1. callerTokenBindingId : replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions$FinishRegistrationOptionsBuilder::callerTokenBindingId → KILLED	return this;
141		}
142
143		/**
144		* The <a href="https://tools.ietf.org/html/rfc8471#section-3.2">token binding ID</a> of the
145		* connection to the client, if any.
146		*
147		* @see <a href="https://tools.ietf.org/html/rfc8471">The Token Binding Protocol Version 1.0</a>
148		*/
149		public FinishRegistrationOptionsBuilder callerTokenBindingId(
150	1 1. callerTokenBindingId : negated conditional → NO_COVERAGE	@NonNull ByteArray callerTokenBindingId) {
151	1 1. callerTokenBindingId : replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions$FinishRegistrationOptionsBuilder::callerTokenBindingId → NO_COVERAGE	return this.callerTokenBindingId(Optional.of(callerTokenBindingId));
152		}
153		}
154		}
		Mutations
90		1.1 Location : getCallerTokenBindingId Killed by : com.yubico.webauthn.RelyingPartyRegistrationSpec replaced return value with Optional.empty for com/yubico/webauthn/FinishRegistrationOptions::getCallerTokenBindingId → KILLED
94		1.1 Location : builder Killed by : com.yubico.webauthn.RelyingPartyCeremoniesSpec replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions::builder → KILLED
112		1.1 Location : request Killed by : com.yubico.webauthn.RelyingPartyCeremoniesSpec replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions$FinishRegistrationOptionsBuilder$MandatoryStages::request → KILLED
126		1.1 Location : response Killed by : com.yubico.webauthn.RelyingPartyCeremoniesSpec replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions$FinishRegistrationOptionsBuilder$MandatoryStages$Step2::response → KILLED
138		1.1 Location : callerTokenBindingId Killed by : com.yubico.webauthn.RelyingPartyRegistrationSpec negated conditional → KILLED
140		1.1 Location : callerTokenBindingId Killed by : com.yubico.webauthn.RelyingPartyRegistrationSpec replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions$FinishRegistrationOptionsBuilder::callerTokenBindingId → KILLED
150		1.1 Location : callerTokenBindingId Killed by : none negated conditional → NO_COVERAGE
151		1.1 Location : callerTokenBindingId Killed by : none replaced return value with null for com/yubico/webauthn/FinishRegistrationOptions$FinishRegistrationOptionsBuilder::callerTokenBindingId → NO_COVERAGE

FinishRegistrationOptions.java

Mutations

Active mutators

Tests examined