Add RETIRED status to AuthenticatorStatus

[fdennis]

From the latest update to FIDO MDS: https://fidoalliance.org/specs/mds/fido-metadata-service-v3.1.1-rd-20251016.html#enumdef-authenticatorstatus

[github-actions]

Test Results

2 308 tests   2 300 ✅  1m 2s ⏱️
   46 suites      8 💤
   46 files        0 ❌

Results for commit 3825292.

♻️ This comment has been updated with latest results.

[emlun]

Nice! 😄

Reading the description I think it seems appropriate to add a Filters constructor for this status, like notRevoked(): https://github.com/Yubico/java-webauthn-server/blob/main/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java#L374

I don't think it should be applied by default, but we can mention it in the docs:

diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java
index fdf4b2c9..0b6ce73f 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java
@@ -264,7 +264,9 @@ public final class FidoMetadataService implements AttestationTrustSource {
      * <p>The default is {@link Filters#notRevoked() Filters.notRevoked()}. Setting a different
      * filter overrides this default; to preserve the "not revoked" condition in addition to the new
      * filter, you must explicitly include the condition in the few filter. For example, by using
-     * {@link Filters#allOf(Predicate[]) Filters.allOf(Predicate...)}.
+     * {@link Filters#allOf(Predicate[]) Filters.allOf(Predicate...)}. For example, to add the
+     * {@link Filters#notRetired() Filters.notRetired()} filter, use: <code>
+     * .prefilter(Filters.allOf(Filters.notRevoked(), Filters.notRetired()))</code>.
      *
      * @param prefilter a {@link Predicate} which returns <code>true</code> for metadata entries to
      *     include in the data source.
@@ -288,7 +290,9 @@ public final class FidoMetadataService implements AttestationTrustSource {
      * Filters.noAttestationKeyCompromise()}. Setting a different filter overrides this default; to
      * preserve this condition in addition to the new filter, you must explicitly include the
      * condition in the few filter. For example, by using {@link Filters#allOf(Predicate[])
-     * Filters.allOf(Predicate...)}.
+     * Filters.allOf(Predicate...)}. For example, to add the {@link Filters#notRetired()
+     * Filters.notRetired()} filter, use: <code>
+     * .filter(Filters.allOf(Filters.noAttestationKeyCompromise(), Filters.notRetired()))</code>.
      *
      * <p>Note: Returning <code>true</code> in the filter predicate does not automatically make the
      * authenticator trusted, as its attestation certificate must also correctly chain to a trusted

(pipe this into git apply to apply it locally)

And with that, we should also expand these filter tests to cover the new filter:

java-webauthn-server/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala

Line 725 in 2584188

describe("The noAttestationKeyCompromise filter") {

[emlun]

I suppose we should also add the FIPS140_CERTIFIED_* statuses, but that can be a separate pull request. I don't think we need premade filter constructors for those either.

[emlun]

Great initiative! 🎉