Example 1 with AppleAnonymousAttestationStatement
use of com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement in project webauthn4j by webauthn4j.
the class AppleAnonymousAttestationStatementValidator method validate.
// ~ Instance fields
// ================================================================================================
@Override
@NonNull
public AttestationType validate(@NonNull CoreRegistrationObject registrationObject) {
AssertUtil.notNull(registrationObject, "registrationObject must not be null");
if (!supports(registrationObject)) {
throw new IllegalArgumentException(String.format("Specified format '%s' is not supported by %s.", registrationObject.getAttestationObject().getFormat(), this.getClass().getName()));
}
AppleAnonymousAttestationStatement attestationStatement = (AppleAnonymousAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
validateAttestationStatementNotNull(attestationStatement);
validateNonce(registrationObject);
validatePublicKey(registrationObject, attestationStatement);
return AttestationType.BASIC;
}
Also used :
AppleAnonymousAttestationStatement(com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement)
NonNull(org.checkerframework.checker.nullness.qual.NonNull)
Example 2 with AppleAnonymousAttestationStatement
use of com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement in project webauthn4j by webauthn4j.
the class AppleAnonymousAttestationStatementValidator method validateNonce.
private void validateNonce(@NonNull CoreRegistrationObject registrationObject) {
AppleAnonymousAttestationStatement attestationStatement = (AppleAnonymousAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
byte[] nonce = getNonce(registrationObject);
byte[] extensionValue = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate().getExtensionValue("1.2.840.113635.100.8.2");
byte[] extracted;
try {
Asn1OctetString extensionEnvelope = new Asn1OctetString();
extensionEnvelope.decode(extensionValue);
extensionEnvelope.getValue();
byte[] extensionEnvelopeValue = extensionEnvelope.getValue();
Asn1Container container = (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(extensionEnvelopeValue));
Asn1ParseResult firstElement = container.getChildren().get(0);
Asn1OctetString octetString = new Asn1OctetString();
octetString.decode(firstElement);
extracted = octetString.getValue();
} catch (IOException | RuntimeException e) {
throw new BadAttestationStatementException("Failed to extract nonce from Apple anonymous attestation statement.", e);
}
// there is no need to prevent timing attack and it is OK to use `Arrays.equals` instead of `MessageDigest.isEqual` here.
if (!Arrays.equals(extracted, nonce)) {
throw new BadAttestationStatementException("nonce doesn't match.");
}
}
Also used :
Asn1ParseResult(org.apache.kerby.asn1.parse.Asn1ParseResult)
Asn1Container(org.apache.kerby.asn1.parse.Asn1Container)
BadAttestationStatementException(com.webauthn4j.validator.exception.BadAttestationStatementException)
IOException(java.io.IOException)
Asn1OctetString(org.apache.kerby.asn1.type.Asn1OctetString)
AppleAnonymousAttestationStatement(com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement)
Aggregations
AppleAnonymousAttestationStatement (com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement)2
BadAttestationStatementException (com.webauthn4j.validator.exception.BadAttestationStatementException)1
IOException (java.io.IOException)1
Asn1Container (org.apache.kerby.asn1.parse.Asn1Container)1
Asn1ParseResult (org.apache.kerby.asn1.parse.Asn1ParseResult)1
Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString)1
NonNull (org.checkerframework.checker.nullness.qual.NonNull)1
