Example 1 with KeyDescriptionValidationException
use of com.webauthn4j.validator.exception.KeyDescriptionValidationException in project webauthn4j by webauthn4j.
the class KeyDescriptionValidator method doValidate.
void doValidate(@NonNull Asn1Container keyDescription, @NonNull byte[] clientDataHash, boolean teeEnforcedOnly) throws IOException {
// / Verify that the attestationChallenge field in the attestation certificate extension data is identical to clientDataHash.
byte[] attestationChallenge = keyDescription.getChildren().get(ATTESTATION_CHALLENGE_INDEX).readBodyBytes();
// there is no need to prevent timing attack and it is OK to use `Arrays.equals` instead of `MessageDigest.isEqual` here.
if (!Arrays.equals(attestationChallenge, clientDataHash)) {
throw new KeyDescriptionValidationException("Attestation challenge doesn't match.");
}
// / Verify the following using the appropriate authorization list from the attestation certificate extension data:
// / The AuthorizationList.allApplications field is not present on either authorization list (softwareEnforced nor teeEnforced), since PublicKeyCredential MUST be scoped to the RP ID.
Asn1Container softwareEnforced = (Asn1Container) keyDescription.getChildren().get(SW_ENFORCED_INDEX);
Asn1Container teeEnforced = (Asn1Container) keyDescription.getChildren().get(TEE_ENFORCED_INDEX);
if (findAuthorizationListEntry(softwareEnforced, KM_TAG_ALL_APPLICATIONS) != null || findAuthorizationListEntry(teeEnforced, KM_TAG_ALL_APPLICATIONS) != null) {
throw new KeyDescriptionValidationException("Key is not scoped properly.");
}
validateAuthorizationList(teeEnforcedOnly, softwareEnforced, teeEnforced);
}
Also used :
Asn1Container(org.apache.kerby.asn1.parse.Asn1Container)
KeyDescriptionValidationException(com.webauthn4j.validator.exception.KeyDescriptionValidationException)
Example 2 with KeyDescriptionValidationException
use of com.webauthn4j.validator.exception.KeyDescriptionValidationException in project webauthn4j by webauthn4j.
the class KeyDescriptionValidator method extractKeyDescription.
@NonNull
Asn1Container extractKeyDescription(@NonNull X509Certificate x509Certificate) throws IOException {
byte[] attestationExtensionBytes = x509Certificate.getExtensionValue(ATTESTATION_EXTENSION_OID);
Asn1OctetString envelope = new Asn1OctetString();
if (attestationExtensionBytes == null) {
throw new KeyDescriptionValidationException("KeyDescription must not be null");
}
envelope.decode(attestationExtensionBytes);
return (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(envelope.getValue()));
}
Also used :
Asn1Container(org.apache.kerby.asn1.parse.Asn1Container)
KeyDescriptionValidationException(com.webauthn4j.validator.exception.KeyDescriptionValidationException)
Asn1OctetString(org.apache.kerby.asn1.type.Asn1OctetString)
NonNull(org.checkerframework.checker.nullness.qual.NonNull)
Aggregations
KeyDescriptionValidationException (com.webauthn4j.validator.exception.KeyDescriptionValidationException)2
Asn1Container (org.apache.kerby.asn1.parse.Asn1Container)2
Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString)1
NonNull (org.checkerframework.checker.nullness.qual.NonNull)1
