Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j (by webauthn4j): the register method of class FIDOU2FAuthenticatorAdaptor.
/**
 * Emulates a FIDO U2F registration and repackages the raw U2F response as a WebAuthn
 * credential creation response carrying a {@code fido-u2f} attestation statement.
 *
 * @param publicKeyCredentialCreationOptions creation options; only {@code rp.id} is read here
 *                                           (assumed non-null — rp.id is optional in WebAuthn, so callers must supply it; TODO confirm)
 * @param collectedClientData                client data whose serialized form is hashed into the U2F challenge parameter
 * @param registrationEmulationOption        forwarded unchanged to the underlying U2F authenticator
 * @param attestationOption                  not referenced by this adaptor
 * @return creation response wrapping the attestation object derived from the U2F registration response
 */
@Override
public CredentialCreationResponse register(PublicKeyCredentialCreationOptions publicKeyCredentialCreationOptions, CollectedClientData collectedClientData, RegistrationEmulationOption registrationEmulationOption, AttestationOption attestationOption) {
    // U2F "application parameter" is SHA-256(rpId); WebAuthn reuses the same digest as rpIdHash in the authenticator data.
    byte[] rpIdBytes = publicKeyCredentialCreationOptions.getRp().getId().getBytes(StandardCharsets.UTF_8);
    byte[] applicationParameter = MessageDigestUtil.createSHA256().digest(rpIdBytes);
    // U2F "challenge parameter" is SHA-256 of the serialized client data.
    byte[] clientDataBytes = collectedClientDataConverter.convertToBytes(collectedClientData);
    byte[] challengeParameter = MessageDigestUtil.createSHA256().digest(clientDataBytes);

    RegistrationRequest u2fRequest = new RegistrationRequest(challengeParameter, applicationParameter);
    RegistrationResponse u2fResponse = fidoU2FAuthenticator.register(u2fRequest, registrationEmulationOption);

    // fido-u2f attestation: x5c holds the single attestation certificate, sig is the raw U2F registration signature.
    AttestationCertificatePath certPath = new AttestationCertificatePath(Collections.singletonList(u2fResponse.getAttestationCertificate()));
    AttestationStatement attestationStatement = new FIDOU2FAttestationStatement(certPath, u2fResponse.getSignature());

    // U2F returns the credential key as an uncompressed EC point; the U2F key handle is used as the credential id.
    // fido-u2f has no AAGUID, so the all-zero value is used.
    EC2COSEKey credentialPublicKey = EC2COSEKey.createFromUncompressedECCKey(u2fResponse.getUserPublicKey());
    AttestedCredentialData attestedCredentialData = new AttestedCredentialData(AAGUID.ZERO, u2fResponse.getKeyHandle(), credentialPublicKey);

    // Flags: attested credential data present + user present (U2F has no user-verification flag).
    // The sign count is fixed at 0 for the emulated registration.
    byte flags = BIT_AT | BIT_UP;
    AuthenticatorData<RegistrationExtensionAuthenticatorOutput> authenticatorData = new AuthenticatorData<>(applicationParameter, flags, 0, attestedCredentialData);

    return new CredentialCreationResponse(new AttestationObject(authenticatorData, attestationStatement));
}
Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j (by webauthn4j): the validateAttestationStatement_test method of class FIDOU2FAttestationStatementValidatorTest.
/**
 * A {@code fido-u2f} statement whose {@code x5c} carries more than one certificate must be
 * rejected (WebAuthn §8.6 requires {@code x5c} to hold exactly one element, the attestation
 * certificate itself); here a two-element chain (leaf + intermediate) is fed in.
 */
@Test
void validateAttestationStatement_test() {
    AttestationCertificatePath twoCertPath = new AttestationCertificatePath(Arrays.asList(
            TestAttestationUtil.load3tierTestAuthenticatorAttestationCertificate(),
            TestAttestationUtil.load3tierTestIntermediateCACertificate()));
    FIDOU2FAttestationStatement statement = mock(FIDOU2FAttestationStatement.class);
    when(statement.getX5c()).thenReturn(twoCertPath);

    assertThrows(BadAttestationStatementException.class, () -> target.validateAttestationStatement(statement));
}
Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j (by webauthn4j): the validate method of class FIDOU2FAttestationStatementValidator.
/**
 * Validates a {@code fido-u2f} attestation statement: presence, statement structure, then the
 * signature over the registration data.
 * <p>
 * {@link AttestationType}.BASIC is always returned, because an RP cannot distinguish BASIC from
 * Attestation CA attestation using the attestation data alone.
 *
 * @param registrationObject registration object whose attestation object carries a fido-u2f statement
 * @return {@link AttestationType#BASIC}
 * @throws IllegalArgumentException  if the attestation format is not one this validator supports
 * @throws BadSignatureException     if {@code sig} does not verify
 */
@Override
@NonNull
public AttestationType validate(@NonNull CoreRegistrationObject registrationObject) {
    AssertUtil.notNull(registrationObject, "registrationObject must not be null");
    boolean formatSupported = supports(registrationObject);
    if (!formatSupported) {
        throw new IllegalArgumentException("Specified format is not supported by " + this.getClass().getName());
    }
    FIDOU2FAttestationStatement u2fStatement =
            (FIDOU2FAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    // Order matters: null guard first, then structural checks on x5c/sig, then the signature itself.
    validateAttestationStatementNotNull(u2fStatement);
    validateAttestationStatement(u2fStatement);
    validateSignature(registrationObject);
    return AttestationType.BASIC;
}
Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j (by webauthn4j): the validateSignature method of class FIDOU2FAttestationStatementValidator.
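/**
 * Verifies {@code sig} of the fido-u2f attestation statement over the U2F registration-response
 * signed data, using the public key taken from the attestation certificate.
 * <p>
 * The algorithm is fixed to {@code SHA256withECDSA}: the U2F raw message format defines the
 * registration signature as ECDSA with SHA-256, so no algorithm is negotiated from the statement.
 *
 * @param registrationObject registration object whose attestation object holds a fido-u2f statement
 * @throws BadSignatureException if the signature does not verify, the certificate key cannot be
 *                               used for ECDSA verification, the DER signature is malformed, or
 *                               the algorithm is unavailable; the JCA exception is kept as the cause
 */
private void validateSignature(@NonNull CoreRegistrationObject registrationObject) {
    FIDOU2FAttestationStatement attestationStatement = (FIDOU2FAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    byte[] signedData = getSignedData(registrationObject);
    byte[] signature = attestationStatement.getSig();
    PublicKey publicKey = getPublicKey(attestationStatement);
    final String invalidSigMessage = "`sig` in attestation statement is not valid signature. Please refer U2F Raw Message Formats. https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html";
    boolean verified;
    try {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(publicKey);
        verifier.update(signedData);
        verified = verifier.verify(signature);
    } catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
        // Preserve the cause: a non-EC attestation key or a malformed DER signature should be
        // diagnosable from the stack trace rather than collapsing into a bare "not valid signature".
        throw new BadSignatureException(invalidSigMessage, e);
    }
    if (!verified) {
        throw new BadSignatureException(invalidSigMessage);
    }
}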
Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j (by webauthn4j): the validate method of class DefaultCertPathTrustworthinessValidator.
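/**
 * Checks that the certificate chain in {@code attestationStatement} chains to a trusted anchor
 * at {@code timestamp}.
 * <p>
 * Trust anchors are selected per format: fido-u2f statements have no AAGUID of their own (the
 * authenticator data carries the all-zero value), so their anchors are looked up by the Subject Key
 * Identifier of the end-entity attestation certificate; every other certificate-based format is
 * keyed by its AAGUID.
 *
 * @param aaguid               AAGUID from the attested credential data
 * @param attestationStatement certificate-based attestation statement; its {@code x5c} is expected
 *                             to be non-null (checked by the caller)
 * @param timestamp            point in time at which chain validity is evaluated
 * @throws IllegalArgumentException if any argument is null (via {@code AssertUtil.notNull})
 */
@Override
public void validate(@NonNull AAGUID aaguid, @NonNull CertificateBaseAttestationStatement attestationStatement, @NonNull Instant timestamp) {
    AssertUtil.notNull(aaguid, "aaguid must not be null");
    // Fix: the original guarded aaguid three times, so a null statement or timestamp slipped past
    // the precondition and only surfaced as an NPE further down instead of a clear argument error.
    AssertUtil.notNull(attestationStatement, "attestationStatement must not be null");
    AssertUtil.notNull(timestamp, "timestamp must not be null");
    // noinspection ConstantConditions as null check is already done in caller
    CertPath certPath = attestationStatement.getX5c().createCertPath();
    Set<TrustAnchor> trustAnchors;
    if (attestationStatement instanceof FIDOU2FAttestationStatement) {
        FIDOU2FAttestationStatement fidou2fAttestationStatement = (FIDOU2FAttestationStatement) attestationStatement;
        // fido-u2f: key the anchor lookup by the attestation certificate's SKI, not the (zero) AAGUID.
        byte[] subjectKeyIdentifier = CertificateUtil.extractSubjectKeyIdentifier(fidou2fAttestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate());
        trustAnchors = trustAnchorRepository.find(subjectKeyIdentifier);
    } else {
        trustAnchors = trustAnchorRepository.find(aaguid);
    }
    validateCertPath(certPath, trustAnchors, timestamp);
}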