
Example 1 with Asn1OctetString

Use of org.apache.kerby.asn1.type.Asn1OctetString in project webauthn4j by webauthn4j.

Class PackedAttestationStatementValidator, method extractAAGUIDFromAttestationCertificate.

@NonNull
AAGUID extractAAGUIDFromAttestationCertificate(@NonNull X509Certificate certificate) {
    byte[] extensionValue = certificate.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
    if (extensionValue == null) {
        return AAGUID.NULL;
    }
    try {
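        // getExtensionValue returns the extension wrapped in a DER OCTET STRING (the extnValue field).
        Asn1OctetString envelope = new Asn1OctetString();
        envelope.decode(extensionValue);
        // The extension content is itself an OCTET STRING holding the 16-byte AAGUID.
        Asn1OctetString innerEnvelope = new Asn1OctetString();
        innerEnvelope.decode(envelope.getValue());
        return new AAGUID(UUIDUtil.fromBytes(innerEnvelope.getValue()));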
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
Also used: AAGUID (com.webauthn4j.data.attestation.authenticator.AAGUID), UncheckedIOException (java.io.UncheckedIOException), IOException (java.io.IOException), Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString), NonNull (org.checkerframework.checker.nullness.qual.NonNull)

Example 2 with Asn1OctetString

Use of org.apache.kerby.asn1.type.Asn1OctetString in project jans by JanssenProject.

Class AppleAttestationProcessor, method getExtension.

/*-
	[
	   {
	       "type": "OBJECT_IDENTIFIER",
	       "data": "1.2.840.113635.100.8.2"
	   },
	   {
	       "type": "OCTET_STRING",
	       "data": [
	           {
	               "type": "SEQUENCE",
	               "data": [
	                   {
	                       "type": "[1]",
	                       "data": [
	                           {
	                               "type": "OCTET_STRING",
	                               "data": {
	                                   "type": "Buffer",
	                                   "data": [92, 219, 157, 144, 115, 64, 69, 91, 99, 115, 230, 117, 43, 115, 252, 54, 132, 83, 96, 34, 21, 250, 234, 187, 124, 22, 95, 11, 173, 172, 7, 204]
	                               }
	                           }
	                       ]
	                   }
	               ]
	           }
	       ]
	   }
	]
	*/
public byte[] getExtension(X509Certificate attestationCert) {
    byte[] extensionValue = attestationCert.getExtensionValue(KEY_DESCRIPTION_OID);
    byte[] extracted;
    try {
        // Unwrap the outer DER OCTET STRING returned by getExtensionValue.
        Asn1OctetString extensionEnvelope = new Asn1OctetString();
        extensionEnvelope.decode(extensionValue);
        byte[] extensionEnvelopeValue = extensionEnvelope.getValue();
        // The extension content is a SEQUENCE; its first child is the [1] element carrying the nonce OCTET STRING.
        Asn1Container container = (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(extensionEnvelopeValue));
        Asn1ParseResult firstElement = container.getChildren().get(0);
        Asn1OctetString octetString = new Asn1OctetString();
        octetString.decode(firstElement);
        extracted = octetString.getValue();
        return extracted;
    } catch (IOException | RuntimeException e) {
        throw new AttestationException("Failed to extract nonce from Apple anonymous attestation statement.");
    }
}
Also used: Asn1ParseResult (org.apache.kerby.asn1.parse.Asn1ParseResult), AttestationException (io.jans.fido2.exception.AttestationException), Asn1Container (org.apache.kerby.asn1.parse.Asn1Container), IOException (java.io.IOException), Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString)

Example 3 with Asn1OctetString

Use of org.apache.kerby.asn1.type.Asn1OctetString in project webauthn4j by webauthn4j.

Class KeyDescriptionValidator, method extractKeyDescription.

@NonNull
Asn1Container extractKeyDescription(@NonNull X509Certificate x509Certificate) throws IOException {
    byte[] attestationExtensionBytes = x509Certificate.getExtensionValue(ATTESTATION_EXTENSION_OID);
    Asn1OctetString envelope = new Asn1OctetString();
    if (attestationExtensionBytes == null) {
        throw new KeyDescriptionValidationException("KeyDescription must not be null");
    }
    envelope.decode(attestationExtensionBytes);
    return (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(envelope.getValue()));
}
Also used: Asn1Container (org.apache.kerby.asn1.parse.Asn1Container), KeyDescriptionValidationException (com.webauthn4j.validator.exception.KeyDescriptionValidationException), Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString), NonNull (org.checkerframework.checker.nullness.qual.NonNull)

Example 4 with Asn1OctetString

Use of org.apache.kerby.asn1.type.Asn1OctetString in project webauthn4j by webauthn4j.

Class AppleAnonymousAttestationStatementValidator, method validateNonce.

private void validateNonce(@NonNull CoreRegistrationObject registrationObject) {
    AppleAnonymousAttestationStatement attestationStatement = (AppleAnonymousAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
    byte[] nonce = getNonce(registrationObject);
    byte[] extensionValue = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate().getExtensionValue("1.2.840.113635.100.8.2");
    byte[] extracted;
    try {
        // Unwrap the outer DER OCTET STRING returned by getExtensionValue.
        Asn1OctetString extensionEnvelope = new Asn1OctetString();
        extensionEnvelope.decode(extensionValue);
        byte[] extensionEnvelopeValue = extensionEnvelope.getValue();
        // Parse the extension content and read the nonce OCTET STRING from its first child.
        Asn1Container container = (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(extensionEnvelopeValue));
        Asn1ParseResult firstElement = container.getChildren().get(0);
        Asn1OctetString octetString = new Asn1OctetString();
        octetString.decode(firstElement);
        extracted = octetString.getValue();
    } catch (IOException | RuntimeException e) {
        throw new BadAttestationStatementException("Failed to extract nonce from Apple anonymous attestation statement.", e);
    }
    // There is no need to prevent a timing attack here, so it is OK to use `Arrays.equals` instead of `MessageDigest.isEqual`.
    if (!Arrays.equals(extracted, nonce)) {
        throw new BadAttestationStatementException("nonce doesn't match.");
    }
}
Also used: Asn1ParseResult (org.apache.kerby.asn1.parse.Asn1ParseResult), Asn1Container (org.apache.kerby.asn1.parse.Asn1Container), BadAttestationStatementException (com.webauthn4j.validator.exception.BadAttestationStatementException), IOException (java.io.IOException), Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString), AppleAnonymousAttestationStatement (com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement)

Example 5 with Asn1OctetString

Use of org.apache.kerby.asn1.type.Asn1OctetString in project webauthn4j by webauthn4j.

Class AppleAppAttestAttestationStatementValidator, method extractNonce.

byte[] extractNonce(X509Certificate attestationCertificate) {
    byte[] attestationExtensionBytes = attestationCertificate.getExtensionValue(APPLE_CRED_CERT_EXTENSION_OID);
    if (attestationExtensionBytes == null) {
        throw new BadAttestationStatementException("Apple X.509 extension not found");
    }
    Asn1OctetString envelope = new Asn1OctetString();
    try {
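        // Unwrap the outer DER OCTET STRING returned by getExtensionValue.
        envelope.decode(attestationExtensionBytes);
        // Parse the extension content and read the nonce OCTET STRING from its first child.
        Asn1Container container = (Asn1Container) Asn1Parser.parse(ByteBuffer.wrap(envelope.getValue()));
        Asn1OctetString subEnvelop = new Asn1OctetString();
        subEnvelop.decode(container.getChildren().get(0));
        return subEnvelop.getValue();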
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
Also used: BadAttestationStatementException (com.webauthn4j.validator.exception.BadAttestationStatementException), Asn1Container (org.apache.kerby.asn1.parse.Asn1Container), UncheckedIOException (java.io.UncheckedIOException), IOException (java.io.IOException), Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString)

Aggregations

Asn1OctetString (org.apache.kerby.asn1.type.Asn1OctetString): 5
IOException (java.io.IOException): 4
Asn1Container (org.apache.kerby.asn1.parse.Asn1Container): 4
BadAttestationStatementException (com.webauthn4j.validator.exception.BadAttestationStatementException): 2
UncheckedIOException (java.io.UncheckedIOException): 2
Asn1ParseResult (org.apache.kerby.asn1.parse.Asn1ParseResult): 2
NonNull (org.checkerframework.checker.nullness.qual.NonNull): 2
AAGUID (com.webauthn4j.data.attestation.authenticator.AAGUID): 1
AppleAnonymousAttestationStatement (com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement): 1
KeyDescriptionValidationException (com.webauthn4j.validator.exception.KeyDescriptionValidationException): 1
AttestationException (io.jans.fido2.exception.AttestationException): 1