use of com.webauthn4j.data.attestation.statement.AttestationCertificate in project webauthn4j by webauthn4j.
the class AndroidSafetyNetAttestationStatementValidator method validate.
@SuppressWarnings("ConstantConditions")
@Override
@NonNull
public AttestationType validate(@NonNull CoreRegistrationObject registrationObject) {
AssertUtil.notNull(registrationObject, "registrationObject must not be null");
if (!supports(registrationObject)) {
throw new IllegalArgumentException("Specified format is not supported by " + this.getClass().getName());
}
AndroidSafetyNetAttestationStatement attestationStatement = (AndroidSafetyNetAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
validateAttestationStatementNotNull(attestationStatement);
if (attestationStatement.getX5c().isEmpty()) {
throw new BadAttestationStatementException("No attestation certificate is found in android safetynet attestation statement.");
}
// / Given the verification procedure inputs attStmt, authenticatorData and clientDataHash,
// the verification procedure is as follows:
// / Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it
// to extract the contained fields.
// / Verify that response is a valid SafetyNet response of version ver.
versionValidator.validate(attestationStatement.getVer());
// / Verify that the nonce in the response is identical to the Base64url encoding of the SHA-256 hash of the concatenation of authenticatorData and clientDataHash.
Response response = attestationStatement.getResponse().getPayload();
String nonce = response.getNonce();
byte[] authenticatorData = registrationObject.getAuthenticatorDataBytes();
validateNonce(nonce, authenticatorData, registrationObject.getClientDataHash());
// / Let attestationCert be the attestation certificate.
// / Verify that attestationCert is issued to the hostname "attest.android.com" (see SafetyNet online documentation).
AttestationCertificate attestationCertificate = attestationStatement.getX5c().getEndEntityAttestationCertificate();
if (!Objects.equals(attestationCertificate.getSubjectCommonName(), "attest.android.com")) {
throw new BadAttestationStatementException("The attestation certificate is not issued to 'attest.android.com'.");
}
// / Verify that the ctsProfileMatch attribute in the payload of response is true.
if (!Objects.equals(response.getCtsProfileMatch(), true)) {
throw new BadAttestationStatementException("The profile of the device doesn't match the profile of a device that has passed Android Compatibility Test Suite.");
}
if (response.getTimestampMs() == null) {
throw new BadAttestationStatementException("timestampMs is null.");
}
// Verify the timestampMs doesn't violate backwardThreshold
if (Instant.ofEpochMilli(response.getTimestampMs()).isBefore(registrationObject.getTimestamp().minus(Duration.ofSeconds(backwardThreshold)))) {
throw new BadAttestationStatementException("timestampMs violates backwardThreshold.");
}
// Verify the timestampMs doesn't violate forwardThreshold
if (Instant.ofEpochMilli(response.getTimestampMs()).isAfter(registrationObject.getTimestamp().plus(Duration.ofSeconds(forwardThreshold)))) {
throw new BadAttestationStatementException("timestampMs violates forwardThreshold.");
}
if (!attestationStatement.getResponse().isValidSignature()) {
throw new BadAttestationStatementException("Android safetynet response in the attestation statement doesn't have a valid signature.");
}
// / If successful, return implementation-specific values representing attestation type Basic and attestation trust path attestationCert.
return AttestationType.BASIC;
}
Aggregations