Example 1 with KeyDescriptionValidationException

Use of com.webauthn4j.validator.exception.KeyDescriptionValidationException in project webauthn4j by webauthn4j.

From the class KeyDescriptionValidator, method doValidate:

void doValidate(@NonNull Asn1Container keyDescription, @NonNull byte[] clientDataHash, boolean teeEnforcedOnly) throws IOException {
    // Verify that the attestationChallenge field in the attestation certificate extension data is identical to clientDataHash.
    byte[] attestationChallenge = keyDescription.getChildren().get(ATTESTATION_CHALLENGE_INDEX).readBodyBytes();
    // There is no need to prevent a timing attack here, so it is OK to use `Arrays.equals` instead of `MessageDigest.isEqual`.
    if (!Arrays.equals(attestationChallenge, clientDataHash)) {
        throw new KeyDescriptionValidationException("Attestation challenge doesn't match.");
    }
    // Verify the following using the appropriate authorization list from the attestation certificate extension data:
    // the AuthorizationList.allApplications field is not present on either authorization list (softwareEnforced nor teeEnforced),
    // since the PublicKeyCredential MUST be scoped to the RP ID.
    Asn1Container softwareEnforced = (Asn1Container) keyDescription.getChildren().get(SW_ENFORCED_INDEX);
    Asn1Container teeEnforced = (Asn1Container) keyDescription.getChildren().get(TEE_ENFORCED_INDEX);
    if (findAuthorizationListEntry(softwareEnforced, KM_TAG_ALL_APPLICATIONS) != null || findAuthorizationListEntry(teeEnforced, KM_TAG_ALL_APPLICATIONS) != null) {
        throw new KeyDescriptionValidationException("Key is not scoped properly.");
    }
    // Remaining checks on the authorization lists (origin, purpose, etc.) are delegated to validateAuthorizationList.
    validateAuthorizationList(teeEnforcedOnly, softwareEnforced, teeEnforced);
}
Also used: Asn1Container (org.apache.kerby.asn1.parse.Asn1Container), KeyDescriptionValidationException (com.webauthn4j.validator.exception.KeyDescriptionValidationException)

Example 2 with KeyDescriptionValidationException

Use of com.webauthn4j.validator.exception.KeyDescriptionValidationException in project webauthn4j by webauthn4j.

From the class KeyDescriptionValidator, method extractKeyDescription:

@NonNull
Asn1Container extractKeyDescription(@NonNull X509Certificate x509Certificate) throws IOException {
    // Read the raw DER value of the Android key attestation extension from the certificate.
    byte[] attestationExtensionBytes = x509Certificate.getExtensionValue(ATTESTATION_EXTENSION_OID);
    if (attestationExtensionBytes == null) {
        throw new KeyDescriptionValidationException("KeyDescription must not be null");
    }
    // The extension value is wrapped in an OCTET STRING; unwrap it before parsing the KeyDescription sequence.
    Asn1OctetString envelope = new Asn1OctetString();
    envelope.decode(attestationExtensionBytes);
    return (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(envelope.getValue()));
}
Also used: Asn1Container (org.apache.kerby.asn1.parse.Asn1Container), KeyDescriptionValidationException (com.webauthn4j.validator.exception.KeyDescriptionValidationException), Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString), NonNull (org.checkerframework.checker.nullness.qual.NonNull)

Aggregations

KeyDescriptionValidationException (com.webauthn4j.validator.exception.KeyDescriptionValidationException): 2
Asn1Container (org.apache.kerby.asn1.parse.Asn1Container): 2
Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString): 1
NonNull (org.checkerframework.checker.nullness.qual.NonNull): 1