use of com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement in project webauthn4j by webauthn4j.
the class TrustAnchorCertPathTrustworthinessValidatorTest method validate_with_empty_trustAnchors_test.
@Test
void validate_with_empty_trustAnchors_test() {
    // The resolver knows no trust anchor for this AAGUID, so the cert-path check
    // must fail closed with TrustAnchorNotFoundException instead of passing.
    Set<TrustAnchor> noAnchors = Collections.<TrustAnchor>emptySet();
    when(trustAnchorsResolver.resolve(aaguid)).thenReturn(noAnchors);
    CertificateBaseAttestationStatement statement =
            TestAttestationStatementUtil.createFIDOU2FAttestationStatement(
                    TestAttestationUtil.load2tierTestAttestationCertificatePath());
    assertThrows(TrustAnchorNotFoundException.class,
            () -> target.validate(aaguid, statement));
}
use of com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement in project webauthn4j by webauthn4j.
the class TrustAnchorCertPathTrustworthinessValidatorTest method validate_full_chain_test.
@Test
void validate_full_chain_test() {
    // The root CA is the configured trust anchor...
    Set<TrustAnchor> rootAnchors = CertificateUtil.generateTrustAnchors(
            Collections.singletonList(TestAttestationUtil.load3tierTestRootCACertificate()));
    when(trustAnchorsResolver.resolve(aaguid)).thenReturn(rootAnchors);
    // ...and the authenticator also ships that same root inside its x5c chain.
    AttestationCertificatePath fullChain = new AttestationCertificatePath(Arrays.asList(
            TestAttestationUtil.load3tierTestAuthenticatorAttestationCertificate(),
            TestAttestationUtil.load3tierTestIntermediateCACertificate(),
            TestAttestationUtil.load3tierTestRootCACertificate()));
    CertificateBaseAttestationStatement statement =
            TestAttestationStatementUtil.createFIDOU2FAttestationStatement(fullChain);
    // With full chains prohibited, a chain that embeds the trust anchor is rejected.
    target.setFullChainProhibited(true);
    assertThrows(CertificateException.class, () -> target.validate(aaguid, statement));
}
use of com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement in project webauthn4j by webauthn4j.
the class AttestationValidator method validate.
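/**
 * Validates the attestation carried by a registration, following WebAuthn spec steps 18 to 21.
 * <p>
 * The attestation statement is first verified by its format-specific procedure
 * ({@link #validateAttestationStatement}), the AAGUID is checked ({@link #validateAAGUID}),
 * and the resulting attestation type then selects the trustworthiness validator:
 * SELF goes to {@code selfAttestationTrustworthinessValidator}, BASIC and ATT_CA go to
 * {@code certPathTrustworthinessValidator}, and NONE requires nothing further
 * (its acceptability under RP policy is already decided in {@code validateAttestationStatement}).
 * Whatever the delegated validators throw propagates unchanged.
 *
 * @param registrationObject the registration to validate; must not be null
 * @throws IllegalStateException if a SELF, BASIC or ATT_CA attestation does not carry a
 *                               certificate-based statement, or if the attestation type is
 *                               not one this method knows how to dispatch
 */
public void validate(@NonNull CoreRegistrationObject registrationObject) {
    AssertUtil.notNull(registrationObject, "registrationObject must not be null");
    AttestationObject attestationObject = registrationObject.getAttestationObject();
    // spec| Step18
    // spec| Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against
    // spec| the set of supported WebAuthn Attestation Statement Format Identifier values.
    // spec| An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in
    // spec| the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
    // spec| Step19
    // spec| Verify that attStmt is a correct attestation statement, conveying a valid attestation signature,
    // spec| by using the attestation statement format fmt’s verification procedure given attStmt, authData and hash.
    AttestationType attestationType = validateAttestationStatement(registrationObject);
    validateAAGUID(attestationObject);
    // spec| Step20
    // spec| If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates)
    // spec| for that attestation type and attestation statement format fmt, from a trusted source or from policy.
    // spec| For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information,
    // spec| using the aaguid in the attestedCredentialData in authData.
    // spec| Step21
    // spec| Assess the attestation trustworthiness using the outputs of the verification procedure in step 19, as follows:
    // spec| If no attestation was provided, verify that None attestation is acceptable under Relying Party policy.
    // (This is already done in validateAttestationStatement method)
    AttestationStatement attestationStatement = attestationObject.getAttestationStatement();
    switch (attestationType) {
        // spec| If self attestation was used, check if self attestation is acceptable under Relying Party policy.
        case SELF:
            selfAttestationTrustworthinessValidator.validate(
                    requireCertificateBased(attestationStatement, attestationType));
            break;
        // spec| or is itself an acceptable certificate (i.e., it and the root certificate obtained in Step 20 may be the same).
        case BASIC:
        case ATT_CA: {
            CertificateBaseAttestationStatement certificateBaseAttestationStatement =
                    requireCertificateBased(attestationStatement, attestationType);
            // noinspection ConstantConditions as null check is already done in caller
            AAGUID aaguid = attestationObject.getAuthenticatorData().getAttestedCredentialData().getAaguid();
            certPathTrustworthinessValidator.validate(aaguid, certificateBaseAttestationStatement, registrationObject.getTimestamp());
            break;
        }
        case NONE:
            // nop
            break;
        default:
            // Fail closed: an attestation type with no trustworthiness check must never be accepted silently.
            throw new IllegalStateException("Unsupported attestation type: " + attestationType);
    }
}

/**
 * Narrows the statement to {@link CertificateBaseAttestationStatement}, which the SELF, BASIC and
 * ATT_CA trustworthiness checks require.
 *
 * @param attestationStatement the statement produced for the registration (may be null)
 * @param attestationType      the attestation type being dispatched, used only for the error message
 * @return the same statement, typed as certificate-based
 * @throws IllegalStateException if the statement is not certificate-based
 */
private static CertificateBaseAttestationStatement requireCertificateBased(
        AttestationStatement attestationStatement, AttestationType attestationType) {
    if (attestationStatement instanceof CertificateBaseAttestationStatement) {
        return (CertificateBaseAttestationStatement) attestationStatement;
    }
    String actual = attestationStatement == null ? "null" : attestationStatement.getClass().getName();
    throw new IllegalStateException(
            "Attestation type " + attestationType + " requires a certificate-based attestation statement but got " + actual);
}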
use of com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement in project webauthn4j by webauthn4j.
the class DefaultCertPathTrustworthinessValidatorTest method validate_packed_test.
@Test
void validate_packed_test() {
    // Any AAGUID resolves to the 3-tier test root as its trust anchor.
    Set<TrustAnchor> rootAnchors = CertificateUtil.generateTrustAnchors(
            Collections.singletonList(TestAttestationUtil.load3tierTestRootCACertificate()));
    when(trustAnchorRepository.find((AAGUID) any())).thenReturn(rootAnchors);
    // A packed statement chaining up to that root must validate without throwing.
    CertificateBaseAttestationStatement statement =
            TestAttestationStatementUtil.createBasicPackedAttestationStatement(
                    TestAttestationUtil.load3tierTestAttestationCertificatePath());
    target.validate(aaguid, statement);
}