Use of com.webauthn4j.validator.exception.BadSignatureException in project webauthn4j by webauthn4j.
The class PackedAttestationStatementValidator, method validateSelfAttestation.
@SuppressWarnings("SameReturnValue")
@NonNull
private AttestationType validateSelfAttestation(@NonNull CoreRegistrationObject registrationObject, @NonNull byte[] sig, @NonNull COSEAlgorithmIdentifier alg, @NonNull byte[] attrToBeSigned) {
    // Self attestation: the authenticator signs with the credential's own private key, so the
    // verification key is the credential public key carried in authenticatorData, not a certificate.
    // noinspection ConstantConditions as null check is already done in caller
    COSEKey credentialKey = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getCOSEKey();
    COSEAlgorithmIdentifier keyAlgorithm = credentialKey.getAlgorithm();

    // The statement's `alg` must be exactly the algorithm the credential key was created for.
    // Rejecting a mismatch stops a client from steering verification to a different (possibly
    // weaker) algorithm than the one bound to the key.
    boolean algorithmMatches = alg.equals(keyAlgorithm);
    if (!algorithmMatches) {
        throw new BadAlgorithmException("`alg` in attestation statement doesn't match the algorithm of the coseKey in authenticatorData.");
    }

    // `sig` must verify under the credential key over attrToBeSigned
    // (per the error message, authenticatorData || clientDataHash, assembled by the caller).
    // noinspection ConstantConditions as null check is already done in caller
    boolean signatureValid = verifySignature(credentialKey.getPublicKey(), alg, sig, attrToBeSigned);
    if (!signatureValid) {
        throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
    }

    // Self attestation carries no certificate chain: attestation type Self with an empty trust path.
    return AttestationType.SELF;
}
Use of com.webauthn4j.validator.exception.BadSignatureException in project webauthn4j by webauthn4j.
The class FIDOU2FAttestationStatementValidator, method validateSignature.
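/**
 * Verifies the FIDO U2F attestation signature.
 * <p>
 * U2F statements carry no {@code alg}; the JCA algorithm is fixed to {@code SHA256withECDSA}
 * (U2F registration responses are always ECDSA/P-256 with SHA-256). The signed data and the
 * attestation public key come from the sibling helpers {@code getSignedData} / {@code getPublicKey};
 * the curve check the spec requires (the attestation key must be an EC key on P-256) is presumably
 * enforced in {@code getPublicKey} — TODO confirm.
 *
 * @param registrationObject the registration being validated; its attestation statement must be a
 *                           {@link FIDOU2FAttestationStatement}
 * @throws BadSignatureException if the signature does not verify, is malformed, the key cannot be used
 *                               for ECDSA, or the JCA provider lacks SHA256withECDSA. The underlying
 *                               exception is attached as the cause so a forged/malformed signature can
 *                               be told apart from a misconfigured provider or an unexpected key type.
 */
private void validateSignature(@NonNull CoreRegistrationObject registrationObject) {
    FIDOU2FAttestationStatement attestationStatement = (FIDOU2FAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    byte[] signedData = getSignedData(registrationObject);
    byte[] signature = attestationStatement.getSig();
    PublicKey publicKey = getPublicKey(attestationStatement);
    final String failureMessage = "`sig` in attestation statement is not valid signature. Please refer U2F Raw Message Formats. https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html";
    try {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(publicKey);
        verifier.update(signedData);
        if (verifier.verify(signature)) {
            return;
        }
        throw new BadSignatureException(failureMessage);
    } catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
        // Keep the cause (as the other attestation validators do): a SignatureException from a
        // malformed DER signature and a NoSuchAlgorithmException from provider misconfiguration
        // need different operational responses, and the bare message hides which one occurred.
        throw new BadSignatureException(failureMessage, e);
    }
}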
Use of com.webauthn4j.validator.exception.BadSignatureException in project webauthn4j by webauthn4j.
The class PackedAttestationStatementValidator, method validateX5c.
@SuppressWarnings("SameReturnValue")
@NonNull
private AttestationType validateX5c(@NonNull CoreRegistrationObject registrationObject, @NonNull PackedAttestationStatement attestationStatement, @NonNull byte[] sig, @NonNull COSEAlgorithmIdentifier alg, @NonNull byte[] attrToBeSigned) {
    // Basic (x5c) attestation needs at least one certificate to verify against.
    if (attestationStatement.getX5c() == null || attestationStatement.getX5c().isEmpty()) {
        throw new BadAttestationStatementException("No attestation certificate is found in packed attestation statement.");
    }
    X509Certificate attestationCertificate = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();

    // `sig` must verify under the end-entity attestation public key using the algorithm the statement declares.
    boolean signatureValid = verifySignature(attestationCertificate.getPublicKey(), alg, sig, attrToBeSigned);
    if (!signatureValid) {
        throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
    }

    // The end-entity certificate must meet WebAuthn §8.2.1 (Packed attestation statement certificate requirements).
    // Chain / trust-anchor evaluation is not done here; the returned BASIC type signals that the x5c
    // trust path is to be checked by the caller's trust-path validation.
    attestationStatement.getX5c().getEndEntityAttestationCertificate().validate();

    // If the certificate carries id-fido-gen-ce-aaguid (1.3.6.1.4.1.45724.1.1.4), its value must equal the
    // AAGUID in authenticatorData. The identity comparison against AAGUID.NULL relies on
    // extractAAGUIDFromAttestationCertificate returning that sentinel when the extension is absent — confirm.
    AAGUID certificateAaguid = extractAAGUIDFromAttestationCertificate(attestationCertificate);
    // noinspection ConstantConditions as null check is already done in caller
    AAGUID authenticatorAaguid = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getAaguid();
    boolean extensionPresent = certificateAaguid != AAGUID.NULL;
    if (extensionPresent && !Objects.equals(certificateAaguid, authenticatorAaguid)) {
        throw new BadAttestationStatementException("AAGUID in attestation certificate doesn't match the AAGUID in authenticatorData.");
    }

    // Success: attestation type BASIC; the trust path is the x5c chain.
    return AttestationType.BASIC;
}
Use of com.webauthn4j.validator.exception.BadSignatureException in project webauthn4j by webauthn4j.
The class AndroidKeyAttestationStatementValidator, method validateSignature.
private void validateSignature(@NonNull CoreRegistrationObject registrationObject) {
    // Verifies `sig` over the data assembled by getSignedData (per the error message,
    // authenticatorData || clientDataHash) under the attestation key extracted by getPublicKey.
    AndroidKeyAttestationStatement attestationStatement = (AndroidKeyAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    byte[] signedData = getSignedData(registrationObject);
    byte[] sig = attestationStatement.getSig();
    PublicKey attestationKey = getPublicKey(attestationStatement);
    final String failureMessage = "`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.";
    try {
        // The Android Key statement declares its own `alg`; map the COSE identifier to a JCA name.
        String jcaName = getJcaName(attestationStatement.getAlg());
        Signature verifier = SignatureUtil.createSignature(jcaName);
        verifier.initVerify(attestationKey);
        verifier.update(signedData);
        if (!verifier.verify(sig)) {
            throw new BadSignatureException(failureMessage);
        }
    } catch (SignatureException | InvalidKeyException e) {
        // Malformed signature encoding or an unusable key are reported as a bad signature, cause attached.
        throw new BadSignatureException(failureMessage, e);
    }
}