
Example 1 with BadSignatureException

use of com.webauthn4j.validator.exception.BadSignatureException in project webauthn4j by webauthn4j.

From class PackedAttestationStatementValidator, method validateSelfAttestation (the packed-format branch taken when the statement carries no x5c chain).

@SuppressWarnings("SameReturnValue")
@NonNull
private AttestationType validateSelfAttestation(@NonNull CoreRegistrationObject registrationObject, @NonNull byte[] sig, @NonNull COSEAlgorithmIdentifier alg, @NonNull byte[] attrToBeSigned) {
    // Self attestation (packed format without x5c): the credential key itself signed
    // attrToBeSigned, so the verification key comes from the attested credential data in
    // authenticatorData rather than from an attestation certificate.
    // noinspection ConstantConditions as null check is already done in caller
    COSEKey credentialKey = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getCOSEKey();

    // `alg` comes from the attestation statement, i.e. from the (untrusted) authenticator/client.
    // It must agree with the algorithm bound to the credential key before it is used to pick the
    // verification primitive; otherwise the verifier could be steered to a primitive the key was
    // not issued for.
    COSEAlgorithmIdentifier keyAlgorithm = credentialKey.getAlgorithm();
    boolean algorithmMatches = alg.equals(keyAlgorithm);
    if (!algorithmMatches) {
        throw new BadAlgorithmException("`alg` in attestation statement doesn't match the algorithm of the coseKey in authenticatorData.");
    }

    // Verify sig over authenticatorData || clientDataHash with the credential public key.
    // noinspection ConstantConditions as null check is already done in caller
    boolean signatureValid = verifySignature(credentialKey.getPublicKey(), alg, sig, attrToBeSigned);
    if (!signatureValid) {
        throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
    }

    // Self attestation carries no certificate chain, so there is no trust path to hand back;
    // the caller only learns the attestation type.
    return AttestationType.SELF;
}

Example 2 with BadSignatureException

use of com.webauthn4j.validator.exception.BadSignatureException in project webauthn4j by webauthn4j.

From class FIDOU2FAttestationStatementValidator, method validateSignature.

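private void validateSignature(@NonNull CoreRegistrationObject registrationObject) {
    // FIDO U2F attestation: the attestation certificate's EC key signed the U2F registration
    // response data assembled by getSignedData(). The fidoU2F statement format carries no `alg`
    // field, so the algorithm is fixed to SHA256withECDSA here rather than taken from the input.
    FIDOU2FAttestationStatement attestationStatement = (FIDOU2FAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    byte[] signedData = getSignedData(registrationObject);
    byte[] signature = attestationStatement.getSig();
    PublicKey publicKey = getPublicKey(attestationStatement);
    try {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(publicKey);
        verifier.update(signedData);
        if (verifier.verify(signature)) {
            return;
        }
        throw new BadSignatureException("`sig` in attestation statement is not valid signature. Please refer U2F Raw Message Formats. https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html");
    } catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
        // A malformed DER signature, a key that is not a usable EC key, or a JCA provider lacking
        // SHA256withECDSA all end up here and are reported as a bad signature. Keep the original
        // exception as the cause (as AndroidKeyAttestationStatementValidator does) so an operator
        // can tell a provider/key problem apart from a forged signature when debugging.
        throw new BadSignatureException("`sig` in attestation statement is not valid signature. Please refer U2F Raw Message Formats. https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html", e);
    }
}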

Example 3 with BadSignatureException

use of com.webauthn4j.validator.exception.BadSignatureException in project webauthn4j by webauthn4j.

From class PackedAttestationStatementValidator, method validateX5c (the packed-format branch taken when the statement carries an x5c certificate chain).

@SuppressWarnings("SameReturnValue")
@NonNull
private AttestationType validateX5c(@NonNull CoreRegistrationObject registrationObject, @NonNull PackedAttestationStatement attestationStatement, @NonNull byte[] sig, @NonNull COSEAlgorithmIdentifier alg, @NonNull byte[] attrToBeSigned) {
    // Packed attestation backed by an x5c chain: the leaf attestation certificate's key, not the
    // credential key, produced `sig`.
    boolean chainMissing = attestationStatement.getX5c() == null || attestationStatement.getX5c().isEmpty();
    if (chainMissing) {
        throw new BadAttestationStatementException("No attestation certificate is found in packed attestation statement.");
    }

    // The end-entity (leaf) certificate is used for both the signature check and the AAGUID
    // binding below, so fetch it once.
    X509Certificate attestationCertificate = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();

    // Verify sig over authenticatorData || clientDataHash using the attestation public key in x5c
    // with the algorithm specified in alg.
    boolean signatureValid = verifySignature(attestationCertificate.getPublicKey(), alg, sig, attrToBeSigned);
    if (!signatureValid) {
        throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
    }

    // Verify that x5c meets the requirements in §8.2.1 Packed attestation statement certificate
    // requirements; the individual checks live in the certificate wrapper.
    attestationStatement.getX5c().getEndEntityAttestationCertificate().validate();

    // If x5c contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid), its value
    // must match the aaguid in authenticatorData. This binds the certificate to the authenticator
    // model so that authenticatorData cannot claim a different model's AAGUID under this certificate.
    AAGUID certificateAaguid = extractAAGUIDFromAttestationCertificate(attestationCertificate);
    // noinspection ConstantConditions as null check is already done in caller
    AAGUID authenticatorAaguid = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getAaguid();
    // NOTE(review): this is an identity comparison, so it assumes the extractor returns the
    // AAGUID.NULL sentinel instance itself (not an equal copy) when the extension is absent — confirm.
    boolean extensionPresent = certificateAaguid != AAGUID.NULL;
    if (extensionPresent && !Objects.equals(certificateAaguid, authenticatorAaguid)) {
        throw new BadAttestationStatementException("AAGUID in attestation certificate doesn't match the AAGUID in authenticatorData.");
    }

    // If successful, the attestation type is BASIC and the trust path is x5c; chain/trust-anchor
    // evaluation is not done here and is presumably left to the caller.
    return AttestationType.BASIC;
}

Example 4 with BadSignatureException

use of com.webauthn4j.validator.exception.BadSignatureException in project webauthn4j by webauthn4j.

From class AndroidKeyAttestationStatementValidator, method validateSignature.

private void validateSignature(@NonNull CoreRegistrationObject registrationObject) {
    // Android Key attestation: the key described by the leaf attestation certificate signed
    // authenticatorData || clientDataHash with the algorithm named by the statement's `alg`.
    AndroidKeyAttestationStatement attestationStatement = (AndroidKeyAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    byte[] message = getSignedData(registrationObject);
    byte[] signature = attestationStatement.getSig();
    PublicKey attestationKey = getPublicKey(attestationStatement);
    try {
        // `alg` is supplied by the attestation statement (untrusted input); getJcaName maps the
        // COSE identifier to a JCA algorithm name and SignatureUtil resolves the Signature engine.
        // Unlike the U2F validator, NoSuchAlgorithmException is not caught here, so the helper is
        // presumably expected to handle or wrap an unknown/unsupported algorithm — confirm.
        String jcaAlgorithmName = getJcaName(attestationStatement.getAlg());
        Signature verifier = SignatureUtil.createSignature(jcaAlgorithmName);
        verifier.initVerify(attestationKey);
        verifier.update(message);
        boolean valid = verifier.verify(signature);
        if (!valid) {
            throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
        }
    } catch (SignatureException | InvalidKeyException e) {
        // Malformed signature encoding or an unusable key: surface as a bad signature but keep the
        // JCA exception as the cause for diagnostics.
        throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.", e);
    }
}
