
Example 6 with CertificateBaseAttestationStatement

Use of com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement in project webauthn4j by webauthn4j.

From the class TrustAnchorCertPathTrustworthinessValidatorTest, method validate_with_empty_trustAnchors_test:

@Test
void validate_with_empty_trustAnchors_test() {
    // No trust anchors are registered for this AAGUID, so there is nothing the
    // attestation certificate path could chain up to.
    Set<TrustAnchor> trustAnchors = Collections.emptySet();
    when(trustAnchorsResolver.resolve(aaguid)).thenReturn(trustAnchors);
    CertificateBaseAttestationStatement attestationStatement = TestAttestationStatementUtil.createFIDOU2FAttestationStatement(TestAttestationUtil.load2tierTestAttestationCertificatePath());
    // The validator must fail closed: a statement with no acceptable root is rejected, not silently accepted.
    assertThrows(TrustAnchorNotFoundException.class, () -> target.validate(aaguid, attestationStatement));
}
Also used: CertificateBaseAttestationStatement(com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement) TrustAnchor(java.security.cert.TrustAnchor) Test(org.junit.jupiter.api.Test)

Example 7 with CertificateBaseAttestationStatement

Use of com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement in project webauthn4j by webauthn4j.

From the class TrustAnchorCertPathTrustworthinessValidatorTest, method validate_full_chain_test:

@Test
void validate_full_chain_test() {
    // The 3-tier root CA is the only trust anchor for this AAGUID.
    Set<TrustAnchor> trustAnchors = CertificateUtil.generateTrustAnchors(Collections.singletonList(TestAttestationUtil.load3tierTestRootCACertificate()));
    when(trustAnchorsResolver.resolve(aaguid)).thenReturn(trustAnchors);
    // The submitted path carries the full chain, including the root CA certificate itself,
    // rather than stopping at the intermediate.
    AttestationCertificatePath attestationCertificatePath = new AttestationCertificatePath(Arrays.asList(TestAttestationUtil.load3tierTestAuthenticatorAttestationCertificate(), TestAttestationUtil.load3tierTestIntermediateCACertificate(), TestAttestationUtil.load3tierTestRootCACertificate()));
    CertificateBaseAttestationStatement attestationStatement = TestAttestationStatementUtil.createFIDOU2FAttestationStatement(attestationCertificatePath);
    // With full-chain submission prohibited, a path that includes the root must be rejected
    // even though it would otherwise chain to the configured trust anchor.
    target.setFullChainProhibited(true);
    assertThrows(CertificateException.class, () -> target.validate(aaguid, attestationStatement));
}
Also used: CertificateBaseAttestationStatement(com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement) AttestationCertificatePath(com.webauthn4j.data.attestation.statement.AttestationCertificatePath) TrustAnchor(java.security.cert.TrustAnchor) Test(org.junit.jupiter.api.Test)

Example 8 with CertificateBaseAttestationStatement

Use of com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement in project webauthn4j by webauthn4j.

From the class AttestationValidator, method validate:

public void validate(@NonNull CoreRegistrationObject registrationObject) {
    AssertUtil.notNull(registrationObject, "registrationObject must not be null");
    AttestationObject attestationObject = registrationObject.getAttestationObject();
    // spec| Step18
    // spec| Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against
    // spec| the set of supported WebAuthn Attestation Statement Format Identifier values.
    // spec| An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in
    // spec| the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
    // spec| Step19
    // spec| Verify that attStmt is a correct attestation statement, conveying a valid attestation signature,
    // spec| by using the attestation statement format fmt’s verification procedure given attStmt, authData and hash.
    AttestationType attestationType = validateAttestationStatement(registrationObject);
    validateAAGUID(attestationObject);
    // spec| Step20
    // spec| If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates)
    // spec| for that attestation type and attestation statement format fmt, from a trusted source or from policy.
    // spec| For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information,
    // spec| using the aaguid in the attestedCredentialData in authData.
    // spec| Step21
    // spec| Assess the attestation trustworthiness using the outputs of the verification procedure in step 19, as follows:
    // spec| If no attestation was provided, verify that None attestation is acceptable under Relying Party policy.
    // (This is already done in validateAttestationStatement method)
    AttestationStatement attestationStatement = attestationObject.getAttestationStatement();
    switch(attestationType) {
        // spec| If self attestation was used, check if self attestation is acceptable under Relying Party policy.
        case SELF:
            if (attestationStatement instanceof CertificateBaseAttestationStatement) {
                CertificateBaseAttestationStatement certificateBaseAttestationStatement = (CertificateBaseAttestationStatement) attestationStatement;
                selfAttestationTrustworthinessValidator.validate(certificateBaseAttestationStatement);
            } else {
                throw new IllegalStateException();
            }
            break;
        // spec| or is itself an acceptable certificate (i.e., it and the root certificate obtained in Step 20 may be the same).
        case BASIC:
        case ATT_CA:
            if (attestationStatement instanceof CertificateBaseAttestationStatement) {
                CertificateBaseAttestationStatement certificateBaseAttestationStatement = (CertificateBaseAttestationStatement) attestationStatement;
                // noinspection ConstantConditions as null check is already done in caller
                AAGUID aaguid = attestationObject.getAuthenticatorData().getAttestedCredentialData().getAaguid();
                certPathTrustworthinessValidator.validate(aaguid, certificateBaseAttestationStatement, registrationObject.getTimestamp());
            } else {
                throw new IllegalStateException();
            }
            break;
        case NONE:
            // nop
            break;
        default:
            throw new IllegalStateException();
    }
}
Also used: CertificateBaseAttestationStatement(com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement) AttestationObject(com.webauthn4j.data.attestation.AttestationObject) AttestationType(com.webauthn4j.data.attestation.statement.AttestationType) AAGUID(com.webauthn4j.data.attestation.authenticator.AAGUID) FIDOU2FAttestationStatement(com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement) AttestationStatement(com.webauthn4j.data.attestation.statement.AttestationStatement)

Example 9 with CertificateBaseAttestationStatement

Use of com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement in project webauthn4j by webauthn4j.

From the class DefaultCertPathTrustworthinessValidatorTest, method validate_packed_test:

@Test
void validate_packed_test() {
    // The 3-tier root CA is returned as the trust anchor for any AAGUID.
    Set<TrustAnchor> trustAnchors = CertificateUtil.generateTrustAnchors(Collections.singletonList(TestAttestationUtil.load3tierTestRootCACertificate()));
    when(trustAnchorRepository.find((AAGUID) any())).thenReturn(trustAnchors);
    // A packed attestation whose certificate path chains to that root is the happy path:
    // validate must complete without throwing.
    CertificateBaseAttestationStatement attestationStatement = TestAttestationStatementUtil.createBasicPackedAttestationStatement(TestAttestationUtil.load3tierTestAttestationCertificatePath());
    target.validate(aaguid, attestationStatement);
}
Also used: CertificateBaseAttestationStatement(com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement) TrustAnchor(java.security.cert.TrustAnchor) Test(org.junit.jupiter.api.Test)

Aggregations

CertificateBaseAttestationStatement (com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement) 9
TrustAnchor (java.security.cert.TrustAnchor) 7
Test (org.junit.jupiter.api.Test) 7
AAGUID (com.webauthn4j.data.attestation.authenticator.AAGUID) 2
AttestationCertificatePath (com.webauthn4j.data.attestation.statement.AttestationCertificatePath) 2
AttestationStatement (com.webauthn4j.data.attestation.statement.AttestationStatement) 2
ObjectConverter (com.webauthn4j.converter.util.ObjectConverter) 1
AuthenticatorAttestationType (com.webauthn4j.data.AuthenticatorAttestationType) 1
AttestationObject (com.webauthn4j.data.attestation.AttestationObject) 1
AttestationType (com.webauthn4j.data.attestation.statement.AttestationType) 1
FIDOU2FAttestationStatement (com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement) 1
BadStatusException (com.webauthn4j.metadata.exception.BadStatusException) 1
MetadataItem (com.webauthn4j.metadata.legacy.data.MetadataItem) 1
AssertUtil (com.webauthn4j.util.AssertUtil) 1
CustomRegistrationValidator (com.webauthn4j.validator.CustomRegistrationValidator) 1
RegistrationObject (com.webauthn4j.validator.RegistrationObject) 1
BadAttestationStatementException (com.webauthn4j.validator.exception.BadAttestationStatementException) 1
X509Certificate (java.security.cert.X509Certificate) 1
List (java.util.List) 1
Set (java.util.Set) 1