Example 1 with FIDOU2FAttestationStatement

Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j by webauthn4j.

The class FIDOU2FAuthenticatorAdaptor, method register.

@Override
public CredentialCreationResponse register(PublicKeyCredentialCreationOptions publicKeyCredentialCreationOptions, CollectedClientData collectedClientData, RegistrationEmulationOption registrationEmulationOption, AttestationOption attestationOption) {
    String rpId = publicKeyCredentialCreationOptions.getRp().getId();
    // SHA-256 of the RP ID: used both as the authenticator data rpIdHash and as the U2F application parameter
    byte[] rpIdHash = MessageDigestUtil.createSHA256().digest(rpId.getBytes(StandardCharsets.UTF_8));
    // SHA-256 of the serialized client data: the U2F challenge parameter
    byte[] challengeParameter = MessageDigestUtil.createSHA256().digest(collectedClientDataConverter.convertToBytes(collectedClientData));
    // noinspection UnnecessaryLocalVariable
    byte[] applicationParameter = rpIdHash;
    RegistrationRequest registrationRequest = new RegistrationRequest(challengeParameter, applicationParameter);
    RegistrationResponse registrationResponse = fidoU2FAuthenticator.register(registrationRequest, registrationEmulationOption);
    // A U2F attestation statement carries exactly one certificate in x5c plus the registration signature
    AttestationStatement attestationStatement = new FIDOU2FAttestationStatement(new AttestationCertificatePath(Collections.singletonList(registrationResponse.getAttestationCertificate())), registrationResponse.getSignature());
    // U2F user public keys are uncompressed P-256 points (0x04 || X || Y)
    EC2COSEKey ec2CredentialPublicKey = EC2COSEKey.createFromUncompressedECCKey(registrationResponse.getUserPublicKey());
    // zero-filled 16-byte (128-bit) array; U2F authenticators have no AAGUID
    AAGUID aaguid = AAGUID.ZERO;
    AttestedCredentialData attestedCredentialData = new AttestedCredentialData(aaguid, registrationResponse.getKeyHandle(), ec2CredentialPublicKey);
    // AT: attested credential data included, UP: user presence verified
    byte flag = BIT_AT | BIT_UP;
    // U2F has no signature counter at registration time, so signCount is 0
    AuthenticatorData<RegistrationExtensionAuthenticatorOutput> authenticatorData = new AuthenticatorData<>(rpIdHash, flag, 0, attestedCredentialData);
    AttestationObject attestationObject = new AttestationObject(authenticatorData, attestationStatement);
    return new CredentialCreationResponse(attestationObject);
}
Also used : AttestationCertificatePath(com.webauthn4j.data.attestation.statement.AttestationCertificatePath) AAGUID(com.webauthn4j.data.attestation.authenticator.AAGUID) RegistrationExtensionAuthenticatorOutput(com.webauthn4j.data.extension.authenticator.RegistrationExtensionAuthenticatorOutput) AttestedCredentialData(com.webauthn4j.data.attestation.authenticator.AttestedCredentialData) AuthenticatorData(com.webauthn4j.data.attestation.authenticator.AuthenticatorData) AttestationObject(com.webauthn4j.data.attestation.AttestationObject) FIDOU2FAttestationStatement(com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement) AttestationStatement(com.webauthn4j.data.attestation.statement.AttestationStatement) EC2COSEKey(com.webauthn4j.data.attestation.authenticator.EC2COSEKey) CredentialCreationResponse(com.webauthn4j.test.authenticator.CredentialCreationResponse)

Example 2 with FIDOU2FAttestationStatement

Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j by webauthn4j.

The class FIDOU2FAttestationStatementValidatorTest, method validateAttestationStatement_test.

@Test
void validateAttestationStatement_test() {
    FIDOU2FAttestationStatement attestationStatement = mock(FIDOU2FAttestationStatement.class);
    // A two-element chain (end-entity + intermediate CA) must be rejected: the fido-u2f format requires x5c to contain exactly one certificate
    when(attestationStatement.getX5c()).thenReturn(new AttestationCertificatePath(Arrays.asList(TestAttestationUtil.load3tierTestAuthenticatorAttestationCertificate(), TestAttestationUtil.load3tierTestIntermediateCACertificate())));
    assertThrows(BadAttestationStatementException.class, () -> target.validateAttestationStatement(attestationStatement));
}
Also used : AttestationCertificatePath(com.webauthn4j.data.attestation.statement.AttestationCertificatePath) FIDOU2FAttestationStatement(com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement) Test(org.junit.jupiter.api.Test)

Example 3 with FIDOU2FAttestationStatement

Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j by webauthn4j.

The class FIDOU2FAttestationStatementValidator, method validate.

/**
 * {@link AttestationType}.BASIC is always returned, as the RP cannot differentiate between BASIC and Attestation CA from the attestation data.
 *
 * @return AttestationType.BASIC
 */
@Override
@NonNull
public AttestationType validate(@NonNull CoreRegistrationObject registrationObject) {
    AssertUtil.notNull(registrationObject, "registrationObject must not be null");
    if (!supports(registrationObject)) {
        throw new IllegalArgumentException("Specified format is not supported by " + this.getClass().getName());
    }
    FIDOU2FAttestationStatement attestationStatement = (FIDOU2FAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    // Structural checks first (statement present, x5c has exactly one certificate), then the cryptographic check
    validateAttestationStatementNotNull(attestationStatement);
    validateAttestationStatement(attestationStatement);
    validateSignature(registrationObject);
    return AttestationType.BASIC;
}
Also used : FIDOU2FAttestationStatement(com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement) NonNull(org.checkerframework.checker.nullness.qual.NonNull)

Example 4 with FIDOU2FAttestationStatement

Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j by webauthn4j.

The class FIDOU2FAttestationStatementValidator, method validateSignature.

private void validateSignature(@NonNull CoreRegistrationObject registrationObject) {
    FIDOU2FAttestationStatement attestationStatement = (FIDOU2FAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    // The data the authenticator signed at registration, reconstructed per the U2F raw message format:
    // 0x00 || application parameter (rpIdHash) || challenge parameter || key handle || user public key
    byte[] signedData = getSignedData(registrationObject);
    byte[] signature = attestationStatement.getSig();
    // The public key of the single attestation certificate in x5c, not the credential public key
    PublicKey publicKey = getPublicKey(attestationStatement);
    try {
        // U2F attestation signatures are always ECDSA over P-256 with SHA-256
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(publicKey);
        verifier.update(signedData);
        if (verifier.verify(signature)) {
            return;
        }
        throw new BadSignatureException("`sig` in attestation statement is not a valid signature. Please refer to U2F Raw Message Formats. https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html");
    } catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
        // A malformed key or signature is treated the same as a failed verification
        throw new BadSignatureException("`sig` in attestation statement is not a valid signature. Please refer to U2F Raw Message Formats. https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html");
    }
}
Also used : BadSignatureException(com.webauthn4j.validator.exception.BadSignatureException) ECPublicKey(java.security.interfaces.ECPublicKey) FIDOU2FAttestationStatement(com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement)

Example 5 with FIDOU2FAttestationStatement

Use of com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement in project webauthn4j by webauthn4j.

The class DefaultCertPathTrustworthinessValidator, method validate.

@Override
public void validate(@NonNull AAGUID aaguid, @NonNull CertificateBaseAttestationStatement attestationStatement, @NonNull Instant timestamp) {
    AssertUtil.notNull(aaguid, "aaguid must not be null");
    // Each check must test its own argument; checking aaguid three times would let a null statement or timestamp through
    AssertUtil.notNull(attestationStatement, "attestationStatement must not be null");
    AssertUtil.notNull(timestamp, "timestamp must not be null");
    // noinspection ConstantConditions as null check is already done in caller
    CertPath certPath = attestationStatement.getX5c().createCertPath();
    Set<TrustAnchor> trustAnchors;
    if (attestationStatement instanceof FIDOU2FAttestationStatement) {
        // U2F authenticators have no AAGUID (it is all zeros), so trust anchors are looked up
        // by the Subject Key Identifier of the end-entity attestation certificate instead
        FIDOU2FAttestationStatement fidou2fAttestationStatement = (FIDOU2FAttestationStatement) attestationStatement;
        byte[] subjectKeyIdentifier = CertificateUtil.extractSubjectKeyIdentifier(fidou2fAttestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate());
        trustAnchors = trustAnchorRepository.find(subjectKeyIdentifier);
    } else {
        trustAnchors = trustAnchorRepository.find(aaguid);
    }
    // Build and validate the chain from the attestation certificate to one of the trust anchors at the given time
    validateCertPath(certPath, trustAnchors, timestamp);
}
Also used : FIDOU2FAttestationStatement(com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement)

Aggregations

FIDOU2FAttestationStatement (com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement)6 AttestationCertificatePath (com.webauthn4j.data.attestation.statement.AttestationCertificatePath)3 Test (org.junit.jupiter.api.Test)2 AttestationObject (com.webauthn4j.data.attestation.AttestationObject)1 AAGUID (com.webauthn4j.data.attestation.authenticator.AAGUID)1 AttestedCredentialData (com.webauthn4j.data.attestation.authenticator.AttestedCredentialData)1 AuthenticatorData (com.webauthn4j.data.attestation.authenticator.AuthenticatorData)1 EC2COSEKey (com.webauthn4j.data.attestation.authenticator.EC2COSEKey)1 AttestationStatement (com.webauthn4j.data.attestation.statement.AttestationStatement)1 RegistrationExtensionAuthenticatorOutput (com.webauthn4j.data.extension.authenticator.RegistrationExtensionAuthenticatorOutput)1 CredentialCreationResponse (com.webauthn4j.test.authenticator.CredentialCreationResponse)1 BadSignatureException (com.webauthn4j.validator.exception.BadSignatureException)1 ECPublicKey (java.security.interfaces.ECPublicKey)1 NonNull (org.checkerframework.checker.nullness.qual.NonNull)1