Example 1 with AttestationType

Use of com.webauthn4j.data.attestation.statement.AttestationType in project webauthn4j by webauthn4j.

Class AttestationValidator, method validate:

public void validate(@NonNull CoreRegistrationObject registrationObject) {
    AssertUtil.notNull(registrationObject, "registrationObject must not be null");
    AttestationObject attestationObject = registrationObject.getAttestationObject();
    // spec| Step18
    // spec| Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against
    // spec| the set of supported WebAuthn Attestation Statement Format Identifier values.
    // spec| An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in
    // spec| the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
    // spec| Step19
    // spec| Verify that attStmt is a correct attestation statement, conveying a valid attestation signature,
    // spec| by using the attestation statement format fmt’s verification procedure given attStmt, authData and hash.
    AttestationType attestationType = validateAttestationStatement(registrationObject);
    validateAAGUID(attestationObject);
    // spec| Step20
    // spec| If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates)
    // spec| for that attestation type and attestation statement format fmt, from a trusted source or from policy.
    // spec| For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information,
    // spec| using the aaguid in the attestedCredentialData in authData.
    // spec| Step21
    // spec| Assess the attestation trustworthiness using the outputs of the verification procedure in step 19, as follows:
    // spec| If no attestation was provided, verify that None attestation is acceptable under Relying Party policy.
    // (This is already done in validateAttestationStatement method)
    AttestationStatement attestationStatement = attestationObject.getAttestationStatement();
    switch(attestationType) {
        // spec| If self attestation was used, check if self attestation is acceptable under Relying Party policy.
        case SELF:
            if (attestationStatement instanceof CertificateBaseAttestationStatement) {
                CertificateBaseAttestationStatement certificateBaseAttestationStatement = (CertificateBaseAttestationStatement) attestationStatement;
                selfAttestationTrustworthinessValidator.validate(certificateBaseAttestationStatement);
            } else {
                throw new IllegalStateException();
            }
            break;
        // spec| or is itself an acceptable certificate (i.e., it and the root certificate obtained in Step 20 may be the same).
        case BASIC:
        case ATT_CA:
            if (attestationStatement instanceof CertificateBaseAttestationStatement) {
                CertificateBaseAttestationStatement certificateBaseAttestationStatement = (CertificateBaseAttestationStatement) attestationStatement;
                // noinspection ConstantConditions as null check is already done in caller
                AAGUID aaguid = attestationObject.getAuthenticatorData().getAttestedCredentialData().getAaguid();
                certPathTrustworthinessValidator.validate(aaguid, certificateBaseAttestationStatement, registrationObject.getTimestamp());
            } else {
                throw new IllegalStateException();
            }
            break;
        case NONE:
            // nop
            break;
        default:
            throw new IllegalStateException();
    }
}
Also used:
AttestationObject (com.webauthn4j.data.attestation.AttestationObject)
AttestationType (com.webauthn4j.data.attestation.statement.AttestationType)
AttestationStatement (com.webauthn4j.data.attestation.statement.AttestationStatement)
CertificateBaseAttestationStatement (com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement)
FIDOU2FAttestationStatement (com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement)
AAGUID (com.webauthn4j.data.attestation.authenticator.AAGUID)