
Example 1 with AppleAnonymousAttestationStatement

Use of com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement in project webauthn4j by webauthn4j.

The class AppleAnonymousAttestationStatementValidator, method validate.

@Override
@NonNull
public AttestationType validate(@NonNull CoreRegistrationObject registrationObject) {
    AssertUtil.notNull(registrationObject, "registrationObject must not be null");
    // Reject attestation objects whose format this validator does not handle before casting the statement.
    if (!supports(registrationObject)) {
        throw new IllegalArgumentException(String.format("Specified format '%s' is not supported by %s.", registrationObject.getAttestationObject().getFormat(), this.getClass().getName()));
    }
    AppleAnonymousAttestationStatement attestationStatement = (AppleAnonymousAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    validateAttestationStatementNotNull(attestationStatement);
    // The nonce embedded in the leaf attestation certificate must match the one derived from this registration.
    validateNonce(registrationObject);
    // The credential public key in the authenticator data must match the leaf certificate's public key.
    validatePublicKey(registrationObject, attestationStatement);
    return AttestationType.BASIC;
}
Also used:
- AppleAnonymousAttestationStatement (com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement)
- NonNull (org.checkerframework.checker.nullness.qual.NonNull)

Example 2 with AppleAnonymousAttestationStatement

Use of com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement in project webauthn4j by webauthn4j.

The class AppleAnonymousAttestationStatementValidator, method validateNonce.

private void validateNonce(@NonNull CoreRegistrationObject registrationObject) {
    AppleAnonymousAttestationStatement attestationStatement = (AppleAnonymousAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    // Expected nonce, derived from this registration's data.
    byte[] nonce = getNonce(registrationObject);
    // Apple's leaf attestation certificate carries the nonce in a private extension (OID 1.2.840.113635.100.8.2).
    byte[] extensionValue = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate().getExtensionValue("1.2.840.113635.100.8.2");
    byte[] extracted;
    try {
        // getExtensionValue() returns the DER OCTET STRING envelope; unwrap it first.
        Asn1OctetString extensionEnvelope = new Asn1OctetString();
        extensionEnvelope.decode(extensionValue);
        byte[] extensionEnvelopeValue = extensionEnvelope.getValue();
        // Inside is a constructed value whose first element wraps the nonce as an OCTET STRING.
        Asn1Container container = (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(extensionEnvelopeValue));
        Asn1ParseResult firstElement = container.getChildren().get(0);
        Asn1OctetString octetString = new Asn1OctetString();
        octetString.decode(firstElement);
        extracted = octetString.getValue();
    } catch (IOException | RuntimeException e) {
        // Covers malformed DER, an unexpected structure and an absent extension (null value).
        throw new BadAttestationStatementException("Failed to extract nonce from Apple anonymous attestation statement.", e);
    }
    // there is no need to prevent timing attacks and it is OK to use `Arrays.equals` instead of `MessageDigest.isEqual` here.
    if (!Arrays.equals(extracted, nonce)) {
        throw new BadAttestationStatementException("nonce doesn't match.");
    }
}
Also used:
- Asn1ParseResult (org.apache.kerby.asn1.parse.Asn1ParseResult)
- Asn1Container (org.apache.kerby.asn1.parse.Asn1Container)
- BadAttestationStatementException (com.webauthn4j.validator.exception.BadAttestationStatementException)
- IOException (java.io.IOException)
- Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString)
- AppleAnonymousAttestationStatement (com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement)

Aggregations (type, number of examples using it):

- AppleAnonymousAttestationStatement (com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement): 2
- BadAttestationStatementException (com.webauthn4j.validator.exception.BadAttestationStatementException): 1
- IOException (java.io.IOException): 1
- Asn1Container (org.apache.kerby.asn1.parse.Asn1Container): 1
- Asn1ParseResult (org.apache.kerby.asn1.parse.Asn1ParseResult): 1
- Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString): 1
- NonNull (org.checkerframework.checker.nullness.qual.NonNull): 1