use of com.webauthn4j.data.attestation.statement.AndroidSafetyNetAttestationStatement in project webauthn4j by webauthn4j.
the class AndroidSafetyNetAttestationStatementValidator method validate.
@SuppressWarnings("ConstantConditions")
@Override
@NonNull
public AttestationType validate(@NonNull CoreRegistrationObject registrationObject) {
AssertUtil.notNull(registrationObject, "registrationObject must not be null");
if (!supports(registrationObject)) {
throw new IllegalArgumentException("Specified format is not supported by " + this.getClass().getName());
}
AndroidSafetyNetAttestationStatement attestationStatement = (AndroidSafetyNetAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
validateAttestationStatementNotNull(attestationStatement);
if (attestationStatement.getX5c().isEmpty()) {
throw new BadAttestationStatementException("No attestation certificate is found in android safetynet attestation statement.");
}
// / Given the verification procedure inputs attStmt, authenticatorData and clientDataHash,
// the verification procedure is as follows:
// / Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it
// to extract the contained fields.
// / Verify that response is a valid SafetyNet response of version ver.
versionValidator.validate(attestationStatement.getVer());
// / Verify that the nonce in the response is identical to the Base64url encoding of the SHA-256 hash of the concatenation of authenticatorData and clientDataHash.
Response response = attestationStatement.getResponse().getPayload();
String nonce = response.getNonce();
byte[] authenticatorData = registrationObject.getAuthenticatorDataBytes();
validateNonce(nonce, authenticatorData, registrationObject.getClientDataHash());
// / Let attestationCert be the attestation certificate.
// / Verify that attestationCert is issued to the hostname "attest.android.com" (see SafetyNet online documentation).
AttestationCertificate attestationCertificate = attestationStatement.getX5c().getEndEntityAttestationCertificate();
if (!Objects.equals(attestationCertificate.getSubjectCommonName(), "attest.android.com")) {
throw new BadAttestationStatementException("The attestation certificate is not issued to 'attest.android.com'.");
}
// / Verify that the ctsProfileMatch attribute in the payload of response is true.
if (!Objects.equals(response.getCtsProfileMatch(), true)) {
throw new BadAttestationStatementException("The profile of the device doesn't match the profile of a device that has passed Android Compatibility Test Suite.");
}
if (response.getTimestampMs() == null) {
throw new BadAttestationStatementException("timestampMs is null.");
}
// Verify the timestampMs doesn't violate backwardThreshold
if (Instant.ofEpochMilli(response.getTimestampMs()).isBefore(registrationObject.getTimestamp().minus(Duration.ofSeconds(backwardThreshold)))) {
throw new BadAttestationStatementException("timestampMs violates backwardThreshold.");
}
// Verify the timestampMs doesn't violate forwardThreshold
if (Instant.ofEpochMilli(response.getTimestampMs()).isAfter(registrationObject.getTimestamp().plus(Duration.ofSeconds(forwardThreshold)))) {
throw new BadAttestationStatementException("timestampMs violates forwardThreshold.");
}
if (!attestationStatement.getResponse().isValidSignature()) {
throw new BadAttestationStatementException("Android safetynet response in the attestation statement doesn't have a valid signature.");
}
// / If successful, return implementation-specific values representing attestation type Basic and attestation trust path attestationCert.
return AttestationType.BASIC;
}
use of com.webauthn4j.data.attestation.statement.AndroidSafetyNetAttestationStatement in project webauthn4j by webauthn4j.
the class AndroidSafetyNetAuthenticator method createAttestationStatement.
@Override
public AttestationStatement createAttestationStatement(AttestationStatementRequest attestationStatementRequest, RegistrationEmulationOption registrationEmulationOption) {
AttestationOption attestationOption = registrationEmulationOption.getAttestationOption() == null ? new AndroidSafetyNetAttestationOption() : registrationEmulationOption.getAttestationOption();
X509Certificate attestationCertificate = getAttestationCertificate(attestationStatementRequest, attestationOption);
List<X509Certificate> certificates = new ArrayList<>();
certificates.add(attestationCertificate);
certificates.addAll(this.getCACertificatePath());
CertPath certPath = CertificateUtil.generateCertPath(certificates);
JWSHeader jwsHeader = new JWSHeader(JWAIdentifier.ES256, certPath);
String nonce = Base64Util.encodeToString(MessageDigestUtil.createSHA256().digest(attestationStatementRequest.getSignedData()));
long timestampMs = Instant.now().toEpochMilli();
String apkPackageName = "com.android.keystore.androidkeystoredemo";
String[] apkCertificateDigestSha256 = new String[] { "bsb4/WQdaaOWYCd/j9OJiQpg7b0iwFgAc/zzA1tCfwE=" };
String apkDigestSha256 = "dM/LUHSI9SkQhZHHpQWRnzJ3MvvB2ANSauqYAAbS2Jg=";
boolean ctsProfileMatch = true;
boolean basicIntegrity = true;
String advice = null;
Response response = new Response(nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, apkDigestSha256, ctsProfileMatch, basicIntegrity, advice);
String ver = "12685023";
JWS<Response> jws = getJwsFactory().create(jwsHeader, response, this.getAttestationKeyPair().getPrivate());
if (registrationEmulationOption.isSignatureOverrideEnabled()) {
jws = getJwsFactory().create(jws.getHeader(), jws.getPayload(), registrationEmulationOption.getSignature());
}
return new AndroidSafetyNetAttestationStatement(ver, jws);
}
use of com.webauthn4j.data.attestation.statement.AndroidSafetyNetAttestationStatement in project webauthn4j by webauthn4j.
the class AndroidSafetyNetAttestationStatementValidatorTest method validateAttestationStatementNotNull_test.
@Test
void validateAttestationStatementNotNull_test() {
String ver = "12685023";
String nonce = "nonce";
long timestampMs = Instant.now().toEpochMilli();
String apkPackageName = "com.android.keystore.androidkeystoredemo";
String[] apkCertificateDigestSha256 = new String[] { "bsb4/WQdaaOWYCd/j9OJiQpg7b0iwFgAc/zzA1tCfwE=" };
String apkDigestSha256 = "dM/LUHSI9SkQhZHHpQWRnzJ3MvvB2ANSauqYAAbS2Jg=";
boolean ctsProfileMatch = true;
boolean basicIntegrity = true;
String advice = null;
Response response = new Response(nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, apkDigestSha256, ctsProfileMatch, basicIntegrity, advice);
JWS<Response> jws = new JWSFactory().create(new JWSHeader(JWAIdentifier.ES256, CertificateUtil.generateCertPath(Collections.emptyList())), response, new byte[32]);
AndroidSafetyNetAttestationStatement attestationStatement = new AndroidSafetyNetAttestationStatement(ver, jws);
target.validateAttestationStatementNotNull(attestationStatement);
}
Aggregations