use of com.webauthn4j.data.attestation.statement.AttestationType in project webauthn4j by webauthn4j.
Method validate of the class AttestationValidator:
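/**
 * Validates the attestation carried by {@code registrationObject}, following the
 * WebAuthn registration-ceremony steps 18 to 21 quoted in the spec comments below:
 * the attestation statement is verified, the AAGUID is checked, and the attestation
 * trustworthiness is then assessed according to the attestation type that step 19
 * produced.
 *
 * <p>The switch is fail-closed: an attestation type this method does not know how to
 * assess is rejected rather than silently accepted, and an attestation type that
 * requires certificates is rejected when the statement carries none.
 *
 * @param registrationObject the registration data under validation; must not be {@code null}
 * @throws IllegalStateException if a {@code SELF}, {@code BASIC} or {@code ATT_CA}
 *         attestation is not backed by a {@link CertificateBaseAttestationStatement},
 *         or if an unexpected attestation type is returned by the statement validation
 */
public void validate(@NonNull CoreRegistrationObject registrationObject) {
    AssertUtil.notNull(registrationObject, "registrationObject must not be null");
    AttestationObject attestationObject = registrationObject.getAttestationObject();

    // spec| Step18
    // spec| Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against
    // spec| the set of supported WebAuthn Attestation Statement Format Identifier values.
    // spec| An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in
    // spec| the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
    // spec| Step19
    // spec| Verify that attStmt is a correct attestation statement, conveying a valid attestation signature,
    // spec| by using the attestation statement format fmt’s verification procedure given attStmt, authData and hash.
    AttestationType attestationType = validateAttestationStatement(registrationObject);
    validateAAGUID(attestationObject);

    // spec| Step20
    // spec| If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates)
    // spec| for that attestation type and attestation statement format fmt, from a trusted source or from policy.
    // spec| For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information,
    // spec| using the aaguid in the attestedCredentialData in authData.
    // spec| Step21
    // spec| Assess the attestation trustworthiness using the outputs of the verification procedure in step 19, as follows:
    // spec| If no attestation was provided, verify that None attestation is acceptable under Relying Party policy.
    // (This is already done in validateAttestationStatement method)
    AttestationStatement attestationStatement = attestationObject.getAttestationStatement();
    switch (attestationType) {
        // spec| If self attestation was used, check if self attestation is acceptable under Relying Party policy.
        case SELF: {
            CertificateBaseAttestationStatement certificateBaseAttestationStatement =
                    requireCertificateBased(attestationStatement, attestationType);
            selfAttestationTrustworthinessValidator.validate(certificateBaseAttestationStatement);
            break;
        }
        // spec| or is itself an acceptable certificate (i.e., it and the root certificate obtained in Step 20 may be the same).
        case BASIC:
        case ATT_CA: {
            // The statement shape is checked before the AAGUID is read, so a malformed
            // statement is reported as such rather than as a failure further down.
            CertificateBaseAttestationStatement certificateBaseAttestationStatement =
                    requireCertificateBased(attestationStatement, attestationType);
            // noinspection ConstantConditions as null check is already done in caller
            AAGUID aaguid = attestationObject.getAuthenticatorData().getAttestedCredentialData().getAaguid();
            // The registration timestamp is the point in time at which the certificate path is evaluated.
            certPathTrustworthinessValidator.validate(aaguid, certificateBaseAttestationStatement, registrationObject.getTimestamp());
            break;
        }
        case NONE:
            // nop: acceptability of None attestation under RP policy is handled in validateAttestationStatement (see above)
            break;
        default:
            // Fail closed: never treat an unknown attestation type as trustworthy.
            throw new IllegalStateException("Unexpected attestation type: " + attestationType);
    }
}

/**
 * Narrows {@code attestationStatement} to a certificate-based statement, which is the
 * only shape that can be assessed for the given certificate-bearing attestation type.
 *
 * @param attestationStatement the statement taken from the attestation object; may be {@code null}
 * @param attestationType the attestation type that requires a certificate-based statement (for the error message)
 * @return the same statement, typed as {@link CertificateBaseAttestationStatement}
 * @throws IllegalStateException if the statement is {@code null} or not certificate-based
 */
private static CertificateBaseAttestationStatement requireCertificateBased(
        AttestationStatement attestationStatement, AttestationType attestationType) {
    if (attestationStatement instanceof CertificateBaseAttestationStatement) {
        return (CertificateBaseAttestationStatement) attestationStatement;
    }
    String actual = attestationStatement == null ? "null" : attestationStatement.getClass().getName();
    throw new IllegalStateException("Attestation type " + attestationType
            + " requires a CertificateBaseAttestationStatement, but got " + actual);
}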