resources =
- AttestationResolver.class.getClassLoader().getResources("META-INF/MANIFEST.MF");
+ FidoMetadataService.class.getClassLoader().getResources("META-INF/MANIFEST.MF");
while (resources.hasMoreElements()) {
final URL resource = resources.nextElement();
diff --git a/test-dependent-projects/java-dep-webauthn-server-core-minimal/build.gradle.kts b/test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/build.gradle.kts
similarity index 51%
rename from test-dependent-projects/java-dep-webauthn-server-core-minimal/build.gradle.kts
rename to test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/build.gradle.kts
index 37512414a..f558ba389 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core-minimal/build.gradle.kts
+++ b/test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/build.gradle.kts
@@ -2,18 +2,21 @@ plugins {
`java-library`
}
-val coreTestsOutput = project(":webauthn-server-core-minimal").extensions.getByType(SourceSetContainer::class).test.get().output
+val coreTestsOutput = project(":webauthn-server-core").extensions.getByType(SourceSetContainer::class).test.get().output
dependencies {
- implementation(project(":webauthn-server-core-minimal"))
+ implementation(project(":webauthn-server-core"))
+ implementation("org.bouncycastle:bcprov-jdk15on:[1.62,2)")
testImplementation(coreTestsOutput)
testImplementation("junit:junit:4.12")
testImplementation("org.mockito:mockito-core:[2.27.0,3)")
- // Runtime-only internal dependency of webauthn-server-core-minimal
+ // Runtime-only internal dependency of webauthn-server-core
testImplementation("com.augustcellars.cose:cose-java:[1.0.0,2)")
+ testRuntimeOnly("ch.qos.logback:logback-classic:[1.2.3,2)")
+
// Transitive dependencies from coreTestOutput
testImplementation("org.scala-lang:scala-library:[2.13.1,3)")
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java b/test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
new file mode 100644
index 000000000..e38997392
--- /dev/null
+++ b/test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
@@ -0,0 +1,108 @@
+package com.yubico.webauthn;
+
+import static org.junit.Assert.assertTrue;
+
+import COSE.CoseException;
+import com.yubico.webauthn.data.AttestationObject;
+import com.yubico.webauthn.data.RelyingPartyIdentity;
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+/**
+ * Test that the BouncyCastle provider is not loaded by default.
+ *
+ * Motivation: https://github.com/Yubico/java-webauthn-server/issues/97
+ */
+public class BouncyCastleProviderPresenceTest {
+
+ private List providersBefore;
+
+ @Before
+ public void setUp() {
+ providersBefore = Stream.of(Security.getProviders()).collect(Collectors.toList());
+ }
+
+ @After
+ public void tearDown() {
+ for (Provider prov : Security.getProviders()) {
+ Security.removeProvider(prov.getName());
+ }
+ providersBefore.forEach(Security::addProvider);
+ }
+
+ private static boolean isNamedBouncyCastle(Provider prov) {
+ return prov.getName().equals("BC") || prov.getClass().getCanonicalName().contains("bouncy");
+ }
+
+ @Test
+ public void bouncyCastleProviderIsInClasspath() {
+ new BouncyCastleProvider();
+ }
+
+ @Test
+ public void bouncyCastleProviderIsNotLoadedByDefault() {
+ assertTrue(
+ Arrays.stream(Security.getProviders())
+ .noneMatch(BouncyCastleProviderPresenceTest::isNamedBouncyCastle));
+ }
+
+ @Test
+ public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
+ RelyingParty.builder()
+ .identity(RelyingPartyIdentity.builder().id("foo").name("foo").build())
+ .credentialRepository(Mockito.mock(CredentialRepository.class))
+ .build();
+
+ assertTrue(
+ Arrays.stream(Security.getProviders())
+ .noneMatch(BouncyCastleProviderPresenceTest::isNamedBouncyCastle));
+ }
+
+ @Test
+ public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
+ throws IOException, CoseException, InvalidKeySpecException {
+ try {
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$.BasicAttestationEdDsa().attestationObject())
+ .getAuthenticatorData()
+ .getAttestedCredentialData()
+ .get()
+ .getCredentialPublicKey());
+ } catch (NoSuchAlgorithmException e) {
+ // OK
+ }
+
+ assertTrue(
+ Arrays.stream(Security.getProviders())
+ .noneMatch(BouncyCastleProviderPresenceTest::isNamedBouncyCastle));
+ }
+
+ @Test(expected = NoSuchAlgorithmException.class)
+ public void doesNotFallBackToBouncyCastleAutomatically()
+ throws IOException, CoseException, InvalidKeySpecException, NoSuchAlgorithmException {
+ for (Provider prov : Security.getProviders()) {
+ Security.removeProvider(prov.getName());
+ }
+
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$.BasicAttestationEdDsa().attestationObject())
+ .getAuthenticatorData()
+ .getAttestedCredentialData()
+ .get()
+ .getCredentialPublicKey());
+ }
+}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java b/test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java
new file mode 100644
index 000000000..78201c6a2
--- /dev/null
+++ b/test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java
@@ -0,0 +1,91 @@
+package com.yubico.webauthn;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import COSE.CoseException;
+import com.yubico.webauthn.data.AttestationObject;
+import com.yubico.webauthn.data.RelyingPartyIdentity;
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.spec.InvalidKeySpecException;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+public class CryptoAlgorithmsTest {
+
+ private List providersBefore;
+
+ @Before
+ public void setUp() {
+ providersBefore = Stream.of(Security.getProviders()).collect(Collectors.toList());
+
+ Security.addProvider(new BouncyCastleProvider());
+
+ RelyingParty.builder()
+ .identity(RelyingPartyIdentity.builder().id("foo").name("foo").build())
+ .credentialRepository(Mockito.mock(CredentialRepository.class))
+ .build();
+ }
+
+ @After
+ public void tearDown() {
+ for (Provider prov : Security.getProviders()) {
+ Security.removeProvider(prov.getName());
+ }
+ providersBefore.forEach(Security::addProvider);
+ }
+
+ @Test
+ public void importRsa()
+ throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+ PublicKey key =
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$.BasicAttestationRsa().attestationObject())
+ .getAuthenticatorData()
+ .getAttestedCredentialData()
+ .get()
+ .getCredentialPublicKey());
+ assertEquals(key.getAlgorithm(), "RSA");
+ }
+
+ @Test
+ public void importEcdsa()
+ throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+ PublicKey key =
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$.BasicAttestation().attestationObject())
+ .getAuthenticatorData()
+ .getAttestedCredentialData()
+ .get()
+ .getCredentialPublicKey());
+ assertEquals(key.getAlgorithm(), "EC");
+ }
+
+ @Test
+ public void importEddsa()
+ throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+ PublicKey key =
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$
+ .BasicAttestationEdDsa()
+ .attestationObject())
+ .getAuthenticatorData()
+ .getAttestedCredentialData()
+ .get()
+ .getCredentialPublicKey());
+ assertTrue("EdDSA".equals(key.getAlgorithm()) || "Ed25519".equals(key.getAlgorithm()));
+ }
+}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core/build.gradle.kts b/test-dependent-projects/java-dep-webauthn-server-core/build.gradle.kts
index 41166dddf..1e8977835 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core/build.gradle.kts
+++ b/test-dependent-projects/java-dep-webauthn-server-core/build.gradle.kts
@@ -2,22 +2,18 @@ plugins {
`java-library`
}
-val coreTestsOutput = project(":webauthn-server-core-minimal").extensions.getByType(SourceSetContainer::class).test.get().output
+val coreTestsOutput = project(":webauthn-server-core").extensions.getByType(SourceSetContainer::class).test.get().output
dependencies {
implementation(project(":webauthn-server-core"))
- testCompileOnly("org.bouncycastle:bcprov-jdk15on:[1.62,2)")
-
testImplementation(coreTestsOutput)
testImplementation("junit:junit:4.12")
testImplementation("org.mockito:mockito-core:[2.27.0,3)")
- // Runtime-only internal dependency of webauthn-server-core-minimal
+ // Runtime-only internal dependency of webauthn-server-core
testImplementation("com.augustcellars.cose:cose-java:[1.0.0,2)")
- testRuntimeOnly("ch.qos.logback:logback-classic:[1.2.3,2)")
-
// Transitive dependencies from coreTestOutput
testImplementation("org.scala-lang:scala-library:[2.13.1,3)")
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java b/test-dependent-projects/java-dep-webauthn-server-core/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
index 5201a6409..bc6da998b 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
+++ b/test-dependent-projects/java-dep-webauthn-server-core/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
@@ -55,7 +55,7 @@ public ByteArray getByteArray() {
public PublicKeyCredentialType getPublicKeyCredentialType() {
PublicKeyCredentialType a = PublicKeyCredentialType.PUBLIC_KEY;
- String b = a.toJsonString();
+ String b = a.getId();
return a;
}
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core-minimal/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
similarity index 69%
rename from test-dependent-projects/java-dep-webauthn-server-core-minimal/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
rename to test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
index e3dc68d5a..6ce756bbc 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core-minimal/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
+++ b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
@@ -7,6 +7,7 @@
import com.yubico.webauthn.data.RelyingPartyIdentity;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
@@ -14,13 +15,16 @@
import org.mockito.Mockito;
/**
- * Test that the BouncyCastle provider is not loaded by default when depending on the
- * webauthn-server-core-minimal package.
+ * Test that the BouncyCastle provider is not loaded by default.
*
* Motivation: https://github.com/Yubico/java-webauthn-server/issues/97
*/
public class BouncyCastleProviderPresenceTest {
+ private static boolean isNamedBouncyCastle(Provider prov) {
+ return prov.getName().equals("BC") || prov.getClass().getCanonicalName().contains("bouncy");
+ }
+
@Test(expected = ClassNotFoundException.class)
public void bouncyCastleProviderIsNotInClasspath() throws ClassNotFoundException {
Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
@@ -30,13 +34,11 @@ public void bouncyCastleProviderIsNotInClasspath() throws ClassNotFoundException
public void bouncyCastleProviderIsNotLoadedByDefault() {
assertTrue(
Arrays.stream(Security.getProviders())
- .noneMatch(prov -> prov.getName().toLowerCase().contains("bouncy")));
+ .noneMatch(BouncyCastleProviderPresenceTest::isNamedBouncyCastle));
}
@Test
public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
- // The RelyingParty constructor has the possible side-effect of loading the BouncyCastle
- // provider
RelyingParty.builder()
.identity(RelyingPartyIdentity.builder().id("foo").name("foo").build())
.credentialRepository(Mockito.mock(CredentialRepository.class))
@@ -44,15 +46,12 @@ public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
assertTrue(
Arrays.stream(Security.getProviders())
- .noneMatch(
- prov ->
- prov.getName().equals("BC")
- || prov.getClass().getCanonicalName().contains("bouncy")));
+ .noneMatch(BouncyCastleProviderPresenceTest::isNamedBouncyCastle));
}
@Test
public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
- throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+ throws IOException, CoseException, InvalidKeySpecException {
try {
WebAuthnCodecs.importCosePublicKey(
new AttestationObject(
@@ -67,9 +66,6 @@ public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
assertTrue(
Arrays.stream(Security.getProviders())
- .noneMatch(
- prov ->
- prov.getName().equals("BC")
- || prov.getClass().getCanonicalName().contains("bouncy")));
+ .noneMatch(BouncyCastleProviderPresenceTest::isNamedBouncyCastle));
}
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java
index d3b38f338..f35ce43ae 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java
+++ b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java
@@ -1,7 +1,6 @@
package com.yubico.webauthn;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
import COSE.CoseException;
import com.yubico.webauthn.data.AttestationObject;
@@ -71,20 +70,4 @@ public void importEcdsa()
.getCredentialPublicKey());
assertEquals(key.getAlgorithm(), "EC");
}
-
- @Test
- public void importEddsa()
- throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
- PublicKey key =
- WebAuthnCodecs.importCosePublicKey(
- new AttestationObject(
- RegistrationTestData.Packed$.MODULE$
- .BasicAttestationEdDsa()
- .attestationObject())
- .getAuthenticatorData()
- .getAttestedCredentialData()
- .get()
- .getCredentialPublicKey());
- assertTrue("EdDSA".equals(key.getAlgorithm()) || "Ed25519".equals(key.getAlgorithm()));
- }
}
diff --git a/webauthn-server-attestation/README.adoc b/webauthn-server-attestation/README.adoc
new file mode 100644
index 000000000..5eee6ddc0
--- /dev/null
+++ b/webauthn-server-attestation/README.adoc
@@ -0,0 +1,314 @@
+= webauthn-server-attestation
+:toc:
+:toc-placement: macro
+:toc-title:
+
+An optional module which extends link:../[`webauthn-server-core`]
+with a trust root source for verifying
+https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-attestation[attestation statements],
+by interfacing with the https://fidoalliance.org/metadata/[FIDO Metadata Service].
+
+
+toc::[]
+
+== Features
+
+This module does four things:
+
+- Download, verify and cache metadata BLOBs from the FIDO Metadata Service.
+- Re-download the metadata BLOB when out of date or invalid.
+- Provide utilities for selecting trusted metadata entries and authenticators.
+- Integrate with the
+ link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+ class in the base library, to provide trust root certificates
+ for verifying attestation statements during credential registrations.
+
+Notable *non-features* include:
+
+- *Scheduled BLOB downloads.*
++
+The `FidoMetadataDownloader`
+class will attempt to download a new BLOB only when its `loadCachedBlob()` is executed,
+and then only if the cache is empty or if the cached BLOB is invalid or out of date.
+`FidoMetadataService`
+will never re-download a new BLOB once instantiated.
++
+You should use some external scheduling mechanism to re-run `loadCachedBlob()` periodically
+and rebuild new `FidoMetadataService` instances with the updated metadata contents.
+You can do this with minimal disruption since the `FidoMetadataService` and `RelyingParty`
+classes keep no internal mutable state.
+
+- *Revocation of already-registered credentials*
++
+The FIDO Metadata Service may from time to time report security issues with particular authenticator models.
+The `FidoMetadataService` class can be configured with a filter for which authenticators to trust,
+and untrusted authenticators can be rejected during registration by setting `.allowUntrustedAttestation(false)` on `RelyingParty`,
+but this will not affect any credentials already registered.
+
+
+== Before you start
+
+It is important to be aware that *requiring attestation is an invasive policy*,
+especially when used to restrict users' choice of authenticator.
+For some applications this is necessary; for most it is not.
+Similarly, *attestation does not automatically make your users more secure*.
+Attestation gives you information, but you have to know what to do with that information
+in order to get a security benefit from it; it is a powerful tool but does very little on its own.
+This library can help retrieve and verify additional information about an authenticator,
+and enforce some very basic policy based on it,
+but it is your responsibility to further leverage that information into improved security.
+
+When in doubt, err towards being more permissive, because _using WebAuthn is more secure than not using WebAuthn_.
+It may still be useful to request and store attestation information for future reference -
+for example, to warn users if security issues are discovered in their authenticators -
+but we recommend that you do not _require_ a trusted attestation unless you have specific reason to do so.
+
+
+== Migrating from version `1.x`
+
+See link:doc/Migrating_from_v1.adoc[the migration guide].
+
+
+== Getting started
+
+Using this module consists of 4 major steps:
+
+ 1. Create a
+ `FidoMetadataDownloader`
+ instance to download and cache metadata BLOBs,
+ and a
+ `FidoMetadataService`
+ instance to make use of the downloaded BLOB.
+ See the JavaDoc for these classes for details on how to construct them.
++
+[WARNING]
+=====
+Unlike other classes in this module and the core library,
+`FidoMetadataDownloader` is NOT THREAD SAFE since its `loadCachedBlob()` method reads and writes caches.
+`FidoMetadataService`, on the other hand, is thread safe,
+and `FidoMetadataDownloader` instances can be reused for subsequent `loadCachedBlob()` calls
+as long as only one `loadCachedBlob()` call executes at a time.
+=====
++
+[source,java]
+----------
+FidoMetadataDownloader downloader = FidoMetadataDownloader.builder()
+ .expectLegalHeader("Lorem ipsum dolor sit amet")
+ .useDefaultTrustRoot()
+ .useTrustRootCacheFile(new File("/var/cache/webauthn-server/fido-mds-trust-root.bin"))
+ .useDefaultBlob()
+ .useBlobCacheFile(new File("/var/cache/webauthn-server/fido-mds-blob.bin"))
+ .build();
+
+FidoMetadataService mds = FidoMetadataService.builder()
+ .useBlob(downloader.loadCachedBlob())
+ .build();
+----------
+
+ 2. Set the `FidoMetadataService` as the `attestationTrustSource` on your
+ link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+ instance,
+ and set `attestationConveyancePreference(AttestationConveyancePreference.DIRECT)` on `RelyingParty`
+ to request an attestation statement for new registrations.
+ Optionally also set `.allowUntrustedAttestation(false)` on `RelyingParty` to require trusted attestation for new registrations.
++
+[source,java]
+----------
+RelyingParty rp = RelyingParty.builder()
+ .identity(/* ... */)
+ .credentialRepository(/* ... */)
+ .attestationTrustSource(mds)
+ .attestationConveyancePreference(AttestationConveyancePreference.DIRECT)
+ .allowUntrustedAttestation(true) // Optional step: set to true (default) or false
+ .build();
+----------
+
+ 3. After performing registrations, inspect the `isAttestationTrusted()` result in
+ link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+ to determine whether the authenticator presented an attestation statement that could be verified
+ by any of the trusted attestation certificates in the FIDO Metadata Service.
++
+[source,java]
+----------
+RelyingParty rp = /* ... */;
+RegistrationResult result = rp.finishRegistration(/* ... */);
+
+if (result.isAttestationTrusted()) {
+ // Do something...
+} else {
+ // Do something else...
+}
+----------
+
+ 4. If needed, use the `findEntries` methods of `FidoMetadataService` to retrieve additional authenticator metadata for new registrations.
++
+[source,java]
+----------
+RelyingParty rp = /* ... */;
+RegistrationResult result = rp.finishRegistration(/* ... */);
+
+Set metadata = mds.findEntries(result);
+----------
+
+By default, `FidoMetadataDownloader` will probably use the SUN provider for the `PKIX` certificate path validation algorithm.
+This requires the `com.sun.security.enableCRLDP` system property set to `true` in order to verify the BLOB signature.
+For example, this can be done on the JVM command line using a `-Dcom.sun.security.enableCRLDP=true` option.
+See the https://docs.oracle.com/javase/9/security/java-pki-programmers-guide.htm#JSSEC-GUID-EB250086-0AC1-4D60-AE2A-FC7461374746[Java PKI Programmers Guide]
+for details.
+
+
+== Selecting trusted authenticators
+
+The
+`FidoMetadataService`
+class can be configured with filters for which authenticators to trust.
+When the `FidoMetadataService` is used as the `.attestationTrustSource()` in `RelyingParty`,
+this will be reflected in the `.isAttestationTrusted()` result in
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RegistrationResult.html[`RegistrationResult`].
+Any authenticators not trusted will also be rejected for new registrations if you set `.allowUntrustedAttestation(false)` on `RelyingParty`.
+
+The filter has two stages: a "prefilter" which selects metadata entries to include in the data source,
+and a registration-time filter which decides whether to associate a metadata entry
+with a particular authenticator.
+The prefilter executes only once (per metadata entry):
+when the `FidoMetadataService` instance is constructed.
+The registration-time filter takes effect during credential registration
+and in the `findEntries()` methods of `FidoMetadataService`.
+The following figure illustrates where each filter appears in the data flows:
+
+[source]
+----------
+ +----------+
+ | FIDO MDS |
+ +----------+
+ |
+ | Metadata BLOB
+ |
++--------------------------------------------------------------------------+
+| | FidoMetadataService |
+| v =================== |
+| +-----------+ |
+| | Prefilter | |
+| +-----------+ |
+| | |
+| | Selected metadata entries |
+| v Matching |
+| +-----------------------------+ metadata +-------------------+ |
+| | Search by AAGUID & | entries | Registration-time | |
+| | Attestation certificate key |------------------->| filter | |
+| +-----------------------------+ +-------------------+ |
+| ^ (1) ^ (2) | (1) (2) | |
+| | (internal) | findEntries() | | |
++--------------------------------------------------------------------------+
+ | | | |
+ | `-------------------------|--. |
+ | Get trust roots | | v
+ | Matched | | Matched
+ +-----------------------------------+ trust roots | | metadata entries
+ | RelyingParty.finishRegistration() |<----------------' |
+ +-----------------------------------+ |
+ ^ | |
+ | | Verify signature |
+ | PublicKeyCredential | Validate contents | Retrieve matching
+ | | Evaluate trust | metadata entries
+ | v |
+ +-------------+ +-----------------------------------+
+ | Registering | | RegistrationResult |
+ | user | | - getAaguid(): ByteArray |
+ +-------------+ | - getAttestationTrustPath(): List |
+ | - isAttestationTrusted(): boolean |
+ | - getPublicKeyCose(): ByteArray |
+ +-----------------------------------+
+----------
+
+The default prefilter excludes any authenticator with any `REVOKED`
+link:https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#dom-metadatablobpayloadentry-statusreports[status report]
+entry,
+and the default registration-time filter excludes any authenticator
+with a matching `ATTESTATION_KEY_COMPROMISE` status report entry.
+To customize the filters, configure the `.prefilter(Predicate)` and `.filter(Predicate)` settings
+in the `FidoMetadataService` builder.
+The filters are predicate functions;
+each metadata entry will be trusted if and only if the prefilter predicate returns `true` for that entry.
+Similarly during registration or metadata lookup, the authenticator will be matched with each metadata entry
+only if the registration-time filter returns `true` for that pair of authenticator and metadata entry.
+You can also use the `FidoMetadataService.Filters.allOf()` combinator to merge several predicates into one.
+
+[NOTE]
+=====
+Setting a custom filter will replace the default filter.
+This is true for both the prefilter and the registration-time filter.
+If you want to maintain the default filter in addition to the new behaviour,
+you must include the default condition in the new filter.
+For example, you can use `FidoMetadataService.Filters.allOf()` to combine a predefined filter with a custom one.
+The default filters are available via static functions in `FidoMetadataService.Filters`.
+=====
+
+
+=== A note on "allow-lists" vs "deny-lists"
+
+The filtering functionality described above essentially expresses an "allow-list" policy.
+Any metadata entry that satisfies the filters is eligible as a trust root;
+any attestation statement that can be verified by one of those trust roots is trusted,
+and any that cannot is not trusted.
+There is no complementary "deny-list" option to reject some specific authenticators
+and implicitly trust everything else even with unknown trust roots.
+This is because you cannot use such a deny list to enforce an attestation policy.
+
+If unknown attestation trust roots were permitted,
+then a deny list could be easily circumvented by making up an attestation that is not on the deny list.
+Since it will have an unknown trust root, it would then be implicitly trusted.
+This is why any enforceable attestation policy must disallow unknown trust roots.
+
+Note that unknown and untrusted attestation is allowed by default,
+but can be disallowed by explicitly configuring `RelyingParty` with `.allowUntrustedAttestation(false)`.
+
+
+== Alignment with FIDO MDS spec
+
+The FIDO Metadata Service specification defines
+link:https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#metadata-blob-object-processing-rules[processing rules for servers].
+The library implements these as closely as possible, but with some slight departures from the spec:
+
+* Processing rules steps 1-7 are implemented as specified, by the `FidoMetadataDownloader` class.
+ All "SHOULD" clauses are also respected, with some caveats:
+
+ ** Step 3 states "The `nextUpdate` field of the Metadata BLOB specifies a date when the download SHOULD occur at latest".
+ `FidoMetadataDownloader` does not automatically re-download the BLOB.
+ Instead, each time its `.loadCachedBlob()` method is executed it checks whether a new BLOB should be downloaded.
++
+If no BLOB exists in cache, or the cached BLOB is invalid, or if the current date is greater than or equal to `nextUpdate`,
+then a new BLOB is downloaded.
+If the new BLOB is valid, has a correct signature, and has a `no` field greater than the cached BLOB,
+then the new BLOB replaces the cached one;
+otherwise, the new BLOB is discarded and the cached one is kept until the next execution of `.loadCachedBlob()`.
+
+* Metadata entries are not stored or cached individually, instead the BLOB is cached as a whole.
+ In processing rules step 8, neither `FidoMetadataDownloader` nor `FidoMetadataService`
+ performs any comparison between versions of a metadata entry.
+ Policy for ignoring metadata entries can be configured via the filter settings in `FidoMetadataService`.
+ See above for details.
+
+There are also some other requirements throughout the spec, which may not be obvious:
+
+* The
+ link:https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#info-statuses[AuthenticatorStatus section]
+ states that "The Relying party MUST reject the Metadata Statement if the `authenticatorVersion` has not increased"
+ in an `UPDATE_AVAILABLE` status report.
+ Thus, `FidoMetadataService` silently ignores any `MetadataBLOBPayloadEntry`
+ whose `metadataStatement.authenticatorVersion` is present and not greater than or equal to
+ the `authenticatorVersion` in the respective status report.
+ Again, no comparison is made between metadata entries from different BLOB versions.
+
+* The
+ link:https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#info-statuses[AuthenticatorStatus section]
+ states that "FIDO Servers MUST silently ignore all unknown AuthenticatorStatus values".
+ Thus any unknown status valus will be parsed as `AuthenticatorStatus.UNKNOWN`,
+ and `MetadataBLOBPayloadEntry` will silently ignore any status report with that status.
+
+
+== Overriding certificate path validation
+
+The `FidoMetadataDownloader` class uses `CertPathValidator.getInstance("PKIX")` to retrieve a `CertPathValidator` instance.
+If you need to override any aspect of certificate path validation,
+such as CRL retrieval or OCSP, you may provide a custom `CertPathValidator` provider for the `"PKIX"` algorithm.
diff --git a/webauthn-server-attestation/build.gradle b/webauthn-server-attestation/build.gradle
index df8dfff19..7fe728b33 100644
--- a/webauthn-server-attestation/build.gradle
+++ b/webauthn-server-attestation/build.gradle
@@ -3,6 +3,7 @@ plugins {
id 'scala'
id 'maven-publish'
id 'signing'
+ id 'info.solidsoft.pitest'
id 'io.github.cosmicsilence.scalafix'
}
@@ -13,13 +14,25 @@ project.ext.publishMe = true
sourceCompatibility = 1.8
targetCompatibility = 1.8
-evaluationDependsOn(':webauthn-server-core-minimal')
+evaluationDependsOn(':webauthn-server-core')
+
+sourceSets {
+ integrationTest {
+ compileClasspath += sourceSets.main.output
+ runtimeClasspath += sourceSets.main.output
+ }
+}
+
+configurations {
+ integrationTestImplementation.extendsFrom testImplementation
+ integrationTestRuntimeOnly.extendsFrom testRuntimeOnly
+}
dependencies {
api(platform(rootProject))
api(
- project(':webauthn-server-core-minimal'),
+ project(':webauthn-server-core'),
)
implementation(
@@ -31,21 +44,38 @@ dependencies {
)
testImplementation(
- project(':webauthn-server-core-minimal').sourceSets.test.output,
+ project(':webauthn-server-core').sourceSets.test.output,
project(':yubico-util-scala'),
+ 'com.fasterxml.jackson.datatype:jackson-datatype-jdk8',
'junit:junit',
+ 'org.bouncycastle:bcpkix-jdk15on',
+ 'org.eclipse.jetty:jetty-server:[9.4.9.v20180320,10)',
'org.mockito:mockito-core',
'org.scala-lang:scala-library',
'org.scalacheck:scalacheck_2.13',
'org.scalatest:scalatest_2.13',
+ 'uk.org.lidalia:slf4j-test',
)
- testRuntimeOnly(
- // Transitive dependency from :webauthn-server-core:test
- 'org.bouncycastle:bcpkix-jdk15on',
- )
+ testImplementation('org.slf4j:slf4j-api') {
+ version {
+ strictly '[1.7.25,1.8-a)' // Pre-1.8 version required by slf4j-test
+ }
+ }
}
+tasks.register('integrationTest', Test) {
+ description = 'Runs integration tests.'
+ group = 'verification'
+
+ testClassesDirs = sourceSets.integrationTest.output.classesDirs
+ classpath = sourceSets.integrationTest.runtimeClasspath
+ shouldRunAfter test
+ check.dependsOn it
+
+ // Required for processing CRL distribution points extension
+ systemProperty 'com.sun.security.enableCRLDP', 'true'
+}
jar {
manifest {
@@ -59,3 +89,17 @@ jar {
}
}
+pitest {
+ pitestVersion = '1.4.11'
+
+ timestampedReports = false
+ outputFormats = ['XML', 'HTML']
+
+ avoidCallsTo = [
+ 'java.util.logging',
+ 'org.apache.log4j',
+ 'org.slf4j',
+ 'org.apache.commons.logging',
+ 'com.google.common.io.Closeables',
+ ]
+}
diff --git a/webauthn-server-attestation/doc/Migrating_from_v1.adoc b/webauthn-server-attestation/doc/Migrating_from_v1.adoc
new file mode 100644
index 000000000..cf0f035b7
--- /dev/null
+++ b/webauthn-server-attestation/doc/Migrating_from_v1.adoc
@@ -0,0 +1,148 @@
+= v1.x to v2.0 migration guide
+
+The `2.0` release of the `webauthn-server-attestation` module
+makes lots of breaking changes compared to the `1.x` versions.
+This guide aims to help migrating between versions.
+
+If you find this migration guide to be incomplete, incorrect,
+or otherwise difficult to follow, please
+link:https://github.com/Yubico/java-webauthn-server/issues/new[let us know!]
+
+Here is a high-level outline of what needs to be updated:
+
+- Replace uses of `StandardMetadataService` and its related classes
+ with `FidoMetadataService` and `FidoMetadataDownloader`.
+- Update the name of the `RelyingParty` integration point
+ from `metadataService` to `attestationTrustSource`.
+- `RegistrationResult` no longer includes attestation metadata,
+ instead you'll need to retrieve it separately after a successful registration.
+- Replace uses of the `Attestation` result type with `MetadataBLOBPayloadEntry`.
+
+
+== Replace `StandardMetadataService`
+
+`StandardMetadataService` and its constituent classes have been removed
+in favour of `FidoMetadataService` and `FidoMetadataDownloader`.
+See the link:../#getting-started[Getting started] documentation
+for details on how to configure and construct them.
+
+Example `1.x` code:
+
+[source,java]
+----------
+MetadataService metadataService =
+ new StandardMetadataService(
+ StandardMetadataService.createDefaultAttestationResolver(
+ StandardMetadataService.createDefaultTrustResolver()
+ ));
+----------
+
+Example `2.0` code:
+
+[source,java]
+----------
+FidoMetadataService metadataService = FidoMetadataService.builder()
+ .useBlob(FidoMetadataDownloader.builder()
+ .expectLegalHeader("Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/")
+ .useDefaultTrustRoot()
+ .useTrustRootCacheFile(new File("fido-mds-trust-root-cache.bin"))
+ .useDefaultBlob()
+ .useBlobCacheFile(new File("fido-mds-blob-cache.bin"))
+ .build()
+ .loadBlob()
+ )
+ .build();
+----------
+
+You may also need to add external logic to occasionally re-run `loadBlob()`
+and reconstruct the `FidoMetadataService`,
+as `FidoMetadataService` will not automatically update the BLOB on its own.
+
+
+== Update `RelyingParty` integration point
+
+`FidoMetadataService` integrates with `RelyingParty` in much the same way as `StandardMetadataService`,
+although the name of the setting has changed.
+
+Example `1.x` code:
+
+[source,diff]
+----------
+ RelyingParty rp = RelyingParty.builder()
+ .identity(rpIdentity)
+ .credentialRepository(credentialRepo)
+ .attestationConveyancePreference(AttestationConveyancePreference.DIRECT)
+- .metadataService(metadataService))
+ .allowUntrustedAttestation(true)
+ .build();
+----------
+
+Example `2.0` code:
+
+[source,diff]
+----------
+ RelyingParty rp = RelyingParty.builder()
+ .identity(rpIdentity)
+ .credentialRepository(credentialRepo)
+ .attestationConveyancePreference(AttestationConveyancePreference.DIRECT)
++ .attestationTrustSource(metadataService)
+ .allowUntrustedAttestation(true)
+ .build();
+----------
+
+
+== Retrieve attestation metadata separately
+
+In `1.x`, `RegistrationResult` could include an `Attestation` object with attestation metadata,
+if a metadata service was configured and the authenticator matched anything in the metadata service.
+In order to keep `RelyingParty` and the new `AttestationTrustSource` interface
+decoupled from any particular format of attestation metadata, this result field has been removed.
+Instead, use the `findEntries` methods of `FidoMetadataService`
+to retrieve attestation metadata after a successful registration, if needed.
+
+Example `1.x` code:
+
+[source,java]
+----------
+RegistrationResult result = rp.finishRegistration(/* ... */);
+Optional authenticatorName = result.getAttestationMetadata()
+ .flatMap(Attestation::getDeviceProperties)
+ .map(deviceProps -> deviceProps.get("description"));
+----------
+
+Example `2.0` code:
+
+[source,java]
+----------
+FidoMetadataService mds = /* ... */;
+RegistrationResult result = rp.finishRegistration(/* ... */);
+Optional authenticatorName = mds.findEntries(result)
+ .stream()
+ .findAny()
+ .flatMap(MetadataBLOBPayloadEntry::getMetadataStatement)
+ .flatMap(MetadataStatement::getDescription);
+----------
+
+
+== Replace `Attestation` with `MetadataBLOBPayloadEntry`
+
+This ties in with the previous step, and much of it will likely be done already.
+However if your front-end accesses and/or displays contents of an `Attestation` object,
+it will need to be updated to work with `MetadataBLOBPayloadEntry` or similar types instead.
+
+
+Example `1.x` code:
+
+[source,diff]
+----------
+ var registrationResult = fetch(/* ... */).then(response => response.json());
+-var authenticatorName = registrationResult.attestationMetadata?.deviceProperties?.description;
+----------
+
+Example `2.0` code:
+
+[source,diff]
+----------
+ var registrationResult = fetch(/* ... */).then(response => response.json());
++var authenticatorName = registrationResult.attestationMetadata?.metadataStatement?.description;
+----------
diff --git a/webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataDownloaderIntegrationTest.scala b/webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataDownloaderIntegrationTest.scala
new file mode 100644
index 000000000..26100a559
--- /dev/null
+++ b/webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataDownloaderIntegrationTest.scala
@@ -0,0 +1,44 @@
+package com.yubico.fido.metadata
+
+import org.junit.runner.RunWith
+import org.scalatest.BeforeAndAfter
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatest.tags.Network
+import org.scalatest.tags.Slow
+import org.scalatestplus.junit.JUnitRunner
+
+import java.util.Optional
+import scala.util.Success
+import scala.util.Try
+
+@Slow
+@Network
+@RunWith(classOf[JUnitRunner])
+class FidoMetadataDownloaderIntegrationTest
+ extends FunSpec
+ with Matchers
+ with BeforeAndAfter {
+
+ describe("FidoMetadataDownloader with default settings") {
+ val downloader =
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
+ )
+ .useDefaultTrustRoot()
+ .useTrustRootCache(() => Optional.empty(), _ => {})
+ .useDefaultBlob()
+ .useBlobCache(() => Optional.empty(), _ => {})
+ .build()
+
+ it("downloads and verifies the root cert and BLOB successfully.") {
+ // This test requires the system property com.sun.security.enableCRLDP=true
+ val blob = Try(downloader.loadCachedBlob)
+ blob shouldBe a[Success[_]]
+ blob.get should not be null
+ }
+ }
+
+}
diff --git a/webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataServiceIntegrationTest.scala b/webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataServiceIntegrationTest.scala
new file mode 100644
index 000000000..399c8ceb8
--- /dev/null
+++ b/webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataServiceIntegrationTest.scala
@@ -0,0 +1,242 @@
+package com.yubico.fido.metadata
+
+import com.fasterxml.jackson.databind.JsonNode
+import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_EXTERNAL
+import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_NFC
+import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRED
+import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRELESS
+import com.yubico.internal.util.CertificateParser
+import com.yubico.webauthn.data.AttestationObject
+import com.yubico.webauthn.test.RealExamples
+import org.junit.runner.RunWith
+import org.scalatest.BeforeAndAfter
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatest.tags.Network
+import org.scalatest.tags.Slow
+import org.scalatestplus.junit.JUnitRunner
+
+import java.io.IOException
+import java.security.cert.X509Certificate
+import java.util
+import java.util.Optional
+import scala.jdk.CollectionConverters.IteratorHasAsScala
+import scala.jdk.CollectionConverters.SetHasAsScala
+import scala.jdk.OptionConverters.RichOption
+import scala.jdk.OptionConverters.RichOptional
+import scala.util.Try
+
+@Slow
+@Network
+@RunWith(classOf[JUnitRunner])
+class FidoMetadataServiceIntegrationTest
+ extends FunSpec
+ with Matchers
+ with BeforeAndAfter {
+
+ describe("FidoMetadataService") {
+
+ describe("downloaded with default settings") {
+ val downloader = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
+ )
+ .useDefaultTrustRoot()
+ .useTrustRootCache(() => Optional.empty(), _ => {})
+ .useDefaultBlob()
+ .useBlobCache(() => Optional.empty(), _ => {})
+ .build()
+ val fidoMds =
+ Try(
+ FidoMetadataService
+ .builder()
+ .useBlob(downloader.loadCachedBlob())
+ .build()
+ )
+
+ val attachmentHintsUsb =
+ Set(ATTACHMENT_HINT_EXTERNAL, ATTACHMENT_HINT_WIRED)
+ val attachmentHintsNfc =
+ attachmentHintsUsb ++ Set(ATTACHMENT_HINT_WIRELESS, ATTACHMENT_HINT_NFC)
+
+ describe("by AAGUID") {
+ describe("correctly identifies") {}
+ }
+
+ describe("correctly identifies") {
+ def check(
+ expectedDescriptionRegex: String,
+ testData: RealExamples.Example,
+ attachmentHints: Set[AttachmentHint],
+ ): Unit = {
+
+ def getAttestationTrustPath(
+ attestationObject: AttestationObject
+ ): Option[util.List[X509Certificate]] = {
+ val x5cNode: JsonNode = getX5cArray(attestationObject)
+ if (x5cNode != null && x5cNode.isArray) {
+ val certs: util.List[X509Certificate] =
+ new util.ArrayList[X509Certificate](x5cNode.size)
+ for (binary <- x5cNode.elements().asScala) {
+ if (binary.isBinary)
+ try certs.add(
+ CertificateParser.parseDer(binary.binaryValue)
+ )
+ catch {
+ case e: IOException =>
+ throw new RuntimeException(
+ "binary.isBinary() was true but binary.binaryValue() failed",
+ e,
+ )
+ }
+ else
+ throw new IllegalArgumentException(
+ String.format(
+ "Each element of \"x5c\" property of attestation statement must be a binary value, was: %s",
+ binary.getNodeType,
+ )
+ )
+ }
+ Some(certs)
+ } else None
+ }
+
+ def getX5cArray(attestationObject: AttestationObject): JsonNode =
+ attestationObject.getAttestationStatement.get("x5c")
+
+ val entries = fidoMds.get
+ .findEntries(
+ getAttestationTrustPath(
+ testData.attestation.attestationObject
+ ).get,
+ Some(
+ new AAGUID(
+ testData.attestation.attestationObject.getAuthenticatorData.getAttestedCredentialData.get.getAaguid
+ )
+ ).toJava,
+ )
+ .asScala
+ entries should not be empty
+ val metadataStatements =
+ entries.flatMap(_.getMetadataStatement.toScala)
+
+ val descriptions =
+ metadataStatements.flatMap(_.getDescription.toScala).toSet
+ for { desc <- descriptions } {
+ desc should (fullyMatch regex expectedDescriptionRegex)
+ }
+
+ metadataStatements
+ .flatMap(_.getAttachmentHint.toScala.map(_.asScala))
+ .flatten
+ .toSet should equal(attachmentHints)
+ }
+
+ ignore("a YubiKey NEO.") { // TODO: Investigate why this fails
+ check("YubiKey NEO", RealExamples.YubiKeyNeo, attachmentHintsNfc)
+ }
+
+ it("a YubiKey 4.") {
+ check(
+ "YK4 Series Key by Yubico",
+ RealExamples.YubiKey4,
+ attachmentHintsUsb,
+ )
+ }
+
+ it("a YubiKey 5 NFC.") {
+ check(
+ "YubiKey 5 Series with NFC",
+ RealExamples.YubiKey5,
+ attachmentHintsNfc,
+ )
+ }
+
+ it("an early YubiKey 5 NFC.") {
+ check(
+ "YubiKey 5 Series with NFC",
+ RealExamples.YubiKey5Nfc,
+ attachmentHintsNfc,
+ )
+ }
+
+ it("a newer YubiKey 5 NFC.") {
+ check(
+ "YubiKey 5 Series with NFC",
+ RealExamples.YubiKey5NfcPost5cNfc,
+ attachmentHintsNfc,
+ )
+ }
+
+ it("a YubiKey 5C NFC.") {
+ check(
+ "YubiKey 5 Series with NFC",
+ RealExamples.YubiKey5cNfc,
+ attachmentHintsNfc,
+ )
+ }
+
+ it("a YubiKey 5 Nano.") {
+ check(
+ "YubiKey ?5 Series",
+ RealExamples.YubiKey5Nano,
+ attachmentHintsUsb,
+ )
+ }
+
+ it("a YubiKey 5Ci.") {
+ check("YubiKey 5Ci", RealExamples.YubiKey5Ci, attachmentHintsUsb)
+ }
+
+ ignore("a Security Key by Yubico.") { // TODO: Investigate why this fails
+ check(
+ "Security Key by Yubico",
+ RealExamples.SecurityKey,
+ attachmentHintsUsb,
+ )
+ }
+
+ it("a Security Key 2 by Yubico.") {
+ check(
+ "Security Key by Yubico",
+ RealExamples.SecurityKey2,
+ attachmentHintsUsb,
+ )
+ }
+
+ ignore("a Security Key NFC by Yubico.") { // TODO: Investigate why this fails
+ check(
+ "Security Key NFC by Yubico",
+ RealExamples.SecurityKeyNfc,
+ attachmentHintsNfc,
+ )
+ }
+
+ it("a YubiKey 5.4 NFC FIPS.") {
+ check(
+ "YubiKey 5 FIPS Series with NFC",
+ RealExamples.YubikeyFips5Nfc,
+ attachmentHintsNfc,
+ )
+ }
+
+ it("a YubiKey 5.4 Ci FIPS.") {
+ check(
+ "YubiKey 5Ci FIPS",
+ RealExamples.Yubikey5ciFips,
+ attachmentHintsUsb,
+ )
+ }
+
+ it("a YubiKey Bio.") {
+ check(
+ "YubiKey Bio Series",
+ RealExamples.YubikeyBio_5_5_5,
+ attachmentHintsUsb,
+ )
+ }
+ }
+ }
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AAGUID.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AAGUID.java
new file mode 100644
index 000000000..3ef4524cf
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AAGUID.java
@@ -0,0 +1,126 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+import com.yubico.internal.util.ExceptionUtil;
+import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.exception.HexException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import lombok.AccessLevel;
+import lombok.Getter;
+import lombok.ToString;
+import lombok.Value;
+
+/**
+ * Some authenticators have an AAGUID, which is a 128-bit identifier that indicates the type (e.g.
+ * make and model) of the authenticator. The AAGUID MUST be chosen by the manufacturer to be
+ * identical across all substantially identical authenticators made by that manufacturer, and
+ * different (with probability 1-2-128 or greater) from the AAGUIDs of all other types of
+ * authenticators.
+ *
+ * The AAGUID is represented as a string (e.g. "7a98c250-6808-11cf-b73b-00aa00b677a7") consisting
+ * of 5 hex strings separated by a dash ("-"), see [RFC4122].
+ *
+ * @see FIDO
+ * Metadata Statement §3.1. Authenticator Attestation GUID (AAGUID) typedef
+ * @see RFC 4122: A Universally Unique IDentifier
+ * (UUID) URN Namespace
+ */
+@Value
+@Getter(AccessLevel.NONE)
+@ToString(includeFieldNames = false, onlyExplicitlyIncluded = true)
+public class AAGUID {
+
+ private static final Pattern AAGUID_PATTERN =
+ Pattern.compile(
+ "^([0-9a-fA-F]{8})-?([0-9a-fA-F]{4})-?([0-9a-fA-F]{4})-?([0-9a-fA-F]{4})-?([0-9a-fA-F]{12})$");
+
+ private static final ByteArray ZERO =
+ new ByteArray(new byte[] {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0});
+
+ ByteArray value;
+
+ /**
+ * Construct an AAGUID from its raw binary representation.
+ *
+ *
This is the inverse of {@link #asBytes()}.
+ *
+ * @param value a {@link ByteArray} of length exactly 16.
+ */
+ public AAGUID(ByteArray value) {
+ ExceptionUtil.assure(
+ value.size() == 16,
+ "AAGUID as bytes must be exactly 16 bytes long, was %d: %s",
+ value.size(),
+ value);
+ this.value = value;
+ }
+
+ /**
+ * The 16-byte binary representation of this AAGUID, for example
+ * 7a98c250680811cfb73b00aa00b677a7 when hex-encoded.
+ *
+ *
This is the inverse of {@link #AAGUID(ByteArray)}.
+ */
+ public ByteArray asBytes() {
+ return value;
+ }
+
+ /**
+ * The 32-character hexadecimal representation of this AAGUID, for example
+ * "7a98c250680811cfb73b00aa00b677a7".
+ */
+ public String asHexString() {
+ return value.getHex();
+ }
+
+ /**
+ * The 36-character string representation of this AAGUID, for example
+ * "7a98c250-6808-11cf-b73b-00aa00b677a7".
+ */
+ @JsonValue
+ @ToString.Include
+ public String asGuidString() {
+ final String hex = value.getHex();
+ return String.format(
+ "%s-%s-%s-%s-%s",
+ hex.substring(0, 8),
+ hex.substring(8, 8 + 4),
+ hex.substring(8 + 4, 8 + 4 + 4),
+ hex.substring(8 + 4 + 4, 8 + 4 + 4 + 4),
+ hex.substring(8 + 4 + 4 + 4, 8 + 4 + 4 + 4 + 12));
+ }
+
+ /**
+ * true if and only if this {@link AAGUID} consists of all zeroes. This typically
+ * indicates that an authenticator has no AAGUID, or that the AAGUID has been redacted.
+ */
+ public boolean isZero() {
+ return ZERO.equals(value);
+ }
+
+ private static ByteArray parse(String value) {
+ Matcher matcher = AAGUID_PATTERN.matcher(value);
+ if (matcher.find()) {
+ try {
+ return ByteArray.fromHex(matcher.group(1))
+ .concat(ByteArray.fromHex(matcher.group(2)))
+ .concat(ByteArray.fromHex(matcher.group(3)))
+ .concat(ByteArray.fromHex(matcher.group(4)))
+ .concat(ByteArray.fromHex(matcher.group(5)));
+ } catch (HexException e) {
+ throw new RuntimeException(
+ "This exception should be impossible, please file a bug report.", e);
+ }
+ } else {
+ throw new IllegalArgumentException("Value does not match AAGUID pattern: " + value);
+ }
+ }
+
+ @JsonCreator
+ private static AAGUID fromString(String aaguid) {
+ return new AAGUID(parse(aaguid));
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AAID.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AAID.java
new file mode 100644
index 000000000..686fd6eb2
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AAID.java
@@ -0,0 +1,73 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+import java.util.regex.Pattern;
+import lombok.Value;
+
+/**
+ * Each UAF authenticator MUST have an AAID to identify UAF enabled authenticator models globally.
+ * The AAID MUST uniquely identify a specific authenticator model within the range of all
+ * UAF-enabled authenticator models made by all authenticator vendors, where authenticators of a
+ * specific model must share identical security characteristics within the model (see Security
+ * Considerations).
+ *
+ *
The AAID is a string with format "V#M", where
+ *
+ *
+ * # is a separator
+ * V indicates the authenticator Vendor Code. This code consists of 4 hexadecimal
+ * digits.
+ * M indicates the authenticator Model Code. This code consists of 4 hexadecimal
+ * digits.
+ *
+ *
+ * @see FIDO
+ * UAF Protocol Specification §3.1.4 Authenticator Attestation ID (AAID) typedef
+ */
+@Value
+public class AAID {
+
+ private static final Pattern AAID_PATTERN = Pattern.compile("^[0-9a-fA-F]{4}#[0-9a-fA-F]{4}$");
+
+ /**
+ * The underlying string value of this AAID.
+ *
+ * The AAID is a string with format "V#M", where
+ *
+ *
+ * # is a separator
+ * V indicates the authenticator Vendor Code. This code consists of 4
+ * hexadecimal digits.
+ * M indicates the authenticator Model Code. This code consists of 4
+ * hexadecimal digits.
+ *
+ *
+ * @see Authenticator
+ * Attestation ID (AAID) typedef
+ */
+ @JsonValue String value;
+
+ /**
+ * Construct an {@link AAID} from its String representation.
+ *
+ * This is the inverse of {@link #getValue()}.
+ *
+ * @param value a {@link String} conforming to the rules specified in the {@link AAID} type.
+ */
+ @JsonCreator
+ public AAID(String value) {
+ this.value = validate(value);
+ }
+
+ private String validate(String value) {
+ if (AAID_PATTERN.matcher(value).matches()) {
+ return value;
+ } else {
+ throw new IllegalArgumentException(
+ String.format("Value does not satisfy AAID format: %s", value));
+ }
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AlternativeDescriptions.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AlternativeDescriptions.java
new file mode 100644
index 000000000..8dd82dc67
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AlternativeDescriptions.java
@@ -0,0 +1,49 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+import java.util.Map;
+import java.util.Optional;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.Value;
+
+/**
+ * See:
+ * https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html#alternativedescriptions-dictionary
+ *
+ * @see FIDO
+ * Metadata Statement §3.11. AlternativeDescriptions dictionary
+ */
+@Value
+@AllArgsConstructor(onConstructor_ = {@JsonCreator})
+public class AlternativeDescriptions {
+
+ @JsonValue
+ @Getter(AccessLevel.NONE)
+ Map values;
+
+ /**
+ * Get a map entry in accordance with the rules defined in AlternativeDescriptions
+ * dictionary.
+ *
+ * @see AlternativeDescriptions
+ * dictionary.
+ */
+ public Optional get(String languageCode) {
+ if (values.containsKey(languageCode)) {
+ return Optional.of(values.get(languageCode));
+ } else {
+ final String[] splits = languageCode.split("-");
+ if (splits.length > 1 && values.containsKey(splits[0])) {
+ return Optional.of(values.get(splits[0]));
+ } else {
+ return Optional.empty();
+ }
+ }
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AttachmentHint.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AttachmentHint.java
new file mode 100644
index 000000000..6cbd675e7
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AttachmentHint.java
@@ -0,0 +1,142 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * The ATTACHMENT_HINT constants are flags in a bit field represented as a 32 bit long. They
+ * describe the method FIDO authenticators use to communicate with the FIDO User Device. These
+ * constants are reported and queried through the UAF Discovery APIs [UAFAppAPIAndTransport], and
+ * used to form Authenticator policies in UAF protocol messages. Because the connection state and
+ * topology of an authenticator may be transient, these values are only hints that can be used by
+ * server-supplied policy to guide the user experience, e.g. to prefer a device that is connected
+ * and ready for authenticating or confirming a low-value transaction, rather than one that is more
+ * secure but requires more user effort. Each constant has a case-sensitive string representation
+ * (in quotes), which is used in the authoritative metadata for FIDO authenticators. Note
+ *
+ * These flags are not a mandatory part of authenticator metadata and, when present, only
+ * indicate possible states that may be reported during authenticator discovery.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+public enum AttachmentHint {
+
+ /**
+ * This flag MAY be set to indicate that the authenticator is permanently attached to the FIDO
+ * User Device.
+ *
+ *
A device such as a smartphone may have authenticator functionality that is able to be used
+ * both locally and remotely. In such a case, the FIDO client MUST filter and exclusively report
+ * only the relevant bit during Discovery and when performing policy matching.
+ *
+ *
This flag cannot be combined with any other {@link AttachmentHint} flags.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_INTERNAL(0x0001, "internal"),
+
+ /**
+ * This flag MAY be set to indicate, for a hardware-based authenticator, that it is removable or
+ * remote from the FIDO User Device.
+ *
+ *
A device such as a smartphone may have authenticator functionality that is able to be used
+ * both locally and remotely. In such a case, the FIDO UAF Client MUST filter and exclusively
+ * report only the relevant bit during discovery and when performing policy matching. This flag
+ * MUST be combined with one or more other {@link AttachmentHint} flag(s).
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_EXTERNAL(0x0002, "external"),
+
+ /**
+ * This flag MAY be set to indicate that an external authenticator currently has an exclusive
+ * wired connection, e.g. through USB, Firewire or similar, to the FIDO User Device.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_WIRED(0x0004, "wired"),
+
+ /**
+ * This flag MAY be set to indicate that an external authenticator communicates with the FIDO User
+ * Device through a personal area or otherwise non-routed wireless protocol, such as Bluetooth or
+ * NFC.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_WIRELESS(0x0008, "wireless"),
+
+ /**
+ * This flag MAY be set to indicate that an external authenticator is able to communicate by NFC
+ * to the FIDO User Device. As part of authenticator metadata, or when reporting characteristics
+ * through discovery, if this flag is set, the {@link #ATTACHMENT_HINT_WIRELESS} flag SHOULD also
+ * be set as well.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_NFC(0x0010, "nfc"),
+
+ /**
+ * This flag MAY be set to indicate that an external authenticator is able to communicate using
+ * Bluetooth with the FIDO User Device. As part of authenticator metadata, or when reporting
+ * characteristics through discovery, if this flag is set, the {@link #ATTACHMENT_HINT_WIRELESS}
+ * flag SHOULD also be set.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_BLUETOOTH(0x0020, "bluetooth"),
+
+ /**
+ * This flag MAY be set to indicate that the authenticator is connected to the FIDO User Device
+ * over a non-exclusive network (e.g. over a TCP/IP LAN or WAN, as opposed to a PAN or
+ * point-to-point connection).
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_NETWORK(0x0040, "network"),
+
+ /**
+ * This flag MAY be set to indicate that an external authenticator is in a "ready" state. This
+ * flag is set by the ASM at its discretion.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_READY(0x0080, "ready"),
+
+ /**
+ * This flag MAY be set to indicate that an external authenticator is able to communicate using
+ * WiFi Direct with the FIDO User Device. As part of authenticator metadata and when reporting
+ * characteristics through discovery, if this flag is set, the {@link #ATTACHMENT_HINT_WIRELESS}
+ * flag SHOULD also be set.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.4 Authenticator Attachment Hints
+ */
+ ATTACHMENT_HINT_WIFI_DIRECT(0x0100, "wifi_direct");
+
+ private final int value;
+
+ @JsonValue private final String name;
+
+ AttachmentHint(int value, String name) {
+ this.value = value;
+ this.name = name;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticationAlgorithm.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticationAlgorithm.java
new file mode 100644
index 000000000..166645ea9
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticationAlgorithm.java
@@ -0,0 +1,152 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * The ALG_SIGN constants are 16 bit long integers indicating the specific signature
+ * algorithm and encoding.
+ *
+ *
Each constant has a case-sensitive string representation (in quotes), which is used in the
+ * authoritative metadata for FIDO authenticators.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+public enum AuthenticationAlgorithm {
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_SECP256R1_ECDSA_SHA256_RAW(0x0001, "secp256r1_ecdsa_sha256_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_SECP256R1_ECDSA_SHA256_DER(0x0002, "secp256r1_ecdsa_sha256_der"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSASSA_PSS_SHA256_RAW(0x0003, "rsassa_pss_sha256_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSASSA_PSS_SHA256_DER(0x0004, "rsassa_pss_sha256_der"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_SECP256K1_ECDSA_SHA256_RAW(0x0005, "secp256k1_ecdsa_sha256_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_SECP256K1_ECDSA_SHA256_DER(0x0006, "secp256k1_ecdsa_sha256_der"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSA_EMSA_PKCS1_SHA256_RAW(0x0008, "rsa_emsa_pkcs1_sha256_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSA_EMSA_PKCS1_SHA256_DER(0x0009, "rsa_emsa_pkcs1_sha256_der"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSASSA_PSS_SHA384_RAW(0x000A, "rsassa_pss_sha384_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSASSA_PSS_SHA512_RAW(0x000B, "rsassa_pss_sha512_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSASSA_PKCSV15_SHA256_RAW(0x000C, "rsassa_pkcsv15_sha256_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSASSA_PKCSV15_SHA384_RAW(0x000D, "rsassa_pkcsv15_sha384_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSASSA_PKCSV15_SHA512_RAW(0x000E, "rsassa_pkcsv15_sha512_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_RSASSA_PKCSV15_SHA1_RAW(0x000F, "rsassa_pkcsv15_sha1_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_SECP384R1_ECDSA_SHA384_RAW(0x0010, "secp384r1_ecdsa_sha384_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_SECP521R1_ECDSA_SHA512_RAW(0x0011, "secp521r1_ecdsa_sha512_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_ED25519_EDDSA_SHA512_RAW(0x0012, "ed25519_eddsa_sha512_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.1 Authentication Algorithms
+ */
+ ALG_SIGN_ED448_EDDSA_SHA512_RAW(0x0013, "ed448_eddsa_sha512_raw");
+
+ private final int value;
+
+ @JsonValue private final String name;
+
+ AuthenticationAlgorithm(int value, String name) {
+ this.value = value;
+ this.name = name;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorAttestationType.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorAttestationType.java
new file mode 100644
index 000000000..6612fbfdd
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorAttestationType.java
@@ -0,0 +1,92 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * The ATTESTATION constants are 16 bit long integers indicating the specific attestation that
+ * authenticator supports.
+ *
+ *
Each constant has a case-sensitive string representation (in quotes), which is used in the
+ * authoritative metadata for FIDO authenticators. *
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.7 Authenticator Attestation Types
+ */
+public enum AuthenticatorAttestationType {
+
+ /**
+ * Indicates full basic attestation, based on an attestation private key shared among a class of
+ * authenticators (e.g. same model). Authenticators must provide its attestation signature during
+ * the registration process for the same reason. The attestation trust anchor is shared with FIDO
+ * Servers out of band (as part of the Metadata). This sharing process should be done according to
+ * [FIDOMetadataService].
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.7 Authenticator Attestation Types
+ */
+ ATTESTATION_BASIC_FULL(0x3E07, "basic_full"),
+
+ /**
+ * Just syntactically a Basic Attestation. The attestation object self-signed, i.e. it is signed
+ * using the UAuth.priv key, i.e. the key corresponding to the UAuth.pub key included in the
+ * attestation object. As a consequence it does not provide a cryptographic proof of the security
+ * characteristics. But it is the best thing we can do if the authenticator is not able to have an
+ * attestation private key.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.7 Authenticator Attestation Types
+ */
+ ATTESTATION_BASIC_SURROGATE(0x3E08, "basic_surrogate"),
+
+ /**
+ * Indicates use of elliptic curve based direct anonymous attestation as defined in [FIDOEcdaaAlgorithm].
+ * Support for this attestation type is optional at this time. It might be required by FIDO
+ * Certification.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.7 Authenticator Attestation Types
+ */
+ ATTESTATION_ECDAA(0x3E09, "ecdaa"),
+
+ /**
+ * Indicates PrivacyCA attestation as defined in [TCG-CMCProfile-AIKCertEnroll].
+ * Support for this attestation type is optional at this time. It might be required by FIDO
+ * Certification.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.7 Authenticator Attestation Types
+ */
+ ATTESTATION_ATTCA(0x3E0A, "attca"),
+
+ /**
+ * In this case, the authenticator uses an Anonymization CA which dynamically generates
+ * per-credential attestation certificates such that the attestation statements presented to
+ * Relying Parties do not provide uniquely identifiable information, e.g., that might be used for
+ * tracking purposes. The applicable [WebAuthn]
+ * attestation formats "fmt" are Google SafetyNet Attestation "android-safetynet", Android
+ * Keystore Attestation "android-key", Apple Anonymous Attestation "apple", and Apple Application
+ * Attestation "apple-appattest".
+ */
+ ATTESTATION_ANONCA(0x3E0C, "anonca"),
+
+ /** Indicates absence of attestation. */
+ ATTESTATION_NONE(0x3E0B, "none");
+
+ private final int value;
+
+ @JsonValue private final String name;
+
+ AuthenticatorAttestationType(int value, String name) {
+ this.value = value;
+ this.name = name;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorGetInfo.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorGetInfo.java
new file mode 100644
index 000000000..78cefbd64
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorGetInfo.java
@@ -0,0 +1,381 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.core.JacksonException;
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.yubico.webauthn.data.AuthenticatorTransport;
+import com.yubico.webauthn.data.PublicKeyCredentialParameters;
+import com.yubico.webauthn.extension.uvm.UserVerificationMethod;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * This dictionary describes supported versions, extensions, AAGUID of the device and its
+ * capabilities.
+ *
+ *
See: Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ *
+ * @see FIDO
+ * Metadata Statement §3.12. AuthenticatorGetInfo dictionary
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+@JsonIgnoreProperties({
+ "maxAuthenticatorConfigLength",
+ "defaultCredProtect"
+}) // Present in example but not defined
+public class AuthenticatorGetInfo {
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @NonNull Set versions;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Set extensions;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ AAGUID aaguid;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ SupportedCtapOptions options;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer maxMsgSize;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Set pinUvAuthProtocols;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer maxCredentialCountInList;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer maxCredentialIdLength;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Set transports;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ List algorithms;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer maxSerializedLargeBlobArray;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Boolean forcePINChange;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer minPINLength;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer firmwareVersion;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer maxCredBlobLength;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer maxRPIDsForSetMinPINLength;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ Integer preferredPlatformUvAttempts;
+
+ @JsonDeserialize(using = SetFromIntJsonDeserializer.class)
+ @JsonSerialize(contentUsing = IntFromSetJsonSerializer.class)
+ Set uvModality;
+
+ Map certifications;
+ Integer remainingDiscoverableCredentials;
+ Set vendorPrototypeConfigCommands;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional> getExtensions() {
+ return Optional.ofNullable(extensions);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getAaguid() {
+ return Optional.ofNullable(aaguid);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getOptions() {
+ return Optional.ofNullable(options);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getMaxMsgSize() {
+ return Optional.ofNullable(maxMsgSize);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional> getPinUvAuthProtocols() {
+ return Optional.ofNullable(pinUvAuthProtocols);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getMaxCredentialCountInList() {
+ return Optional.ofNullable(maxCredentialCountInList);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getMaxCredentialIdLength() {
+ return Optional.ofNullable(maxCredentialIdLength);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional> getTransports() {
+ return Optional.ofNullable(transports);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional> getAlgorithms() {
+ return Optional.ofNullable(algorithms);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getMaxSerializedLargeBlobArray() {
+ return Optional.ofNullable(maxSerializedLargeBlobArray);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getForcePINChange() {
+ return Optional.ofNullable(forcePINChange);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getMinPINLength() {
+ return Optional.ofNullable(minPINLength);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getFirmwareVersion() {
+ return Optional.ofNullable(firmwareVersion);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getMaxCredBlobLength() {
+ return Optional.ofNullable(maxCredBlobLength);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getMaxRPIDsForSetMinPINLength() {
+ return Optional.ofNullable(maxRPIDsForSetMinPINLength);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getPreferredPlatformUvAttempts() {
+ return Optional.ofNullable(preferredPlatformUvAttempts);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional> getUvModality() {
+ return Optional.ofNullable(uvModality);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional> getCertifications() {
+ return Optional.ofNullable(certifications);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional getRemainingDiscoverableCredentials() {
+ return Optional.ofNullable(remainingDiscoverableCredentials);
+ }
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ public Optional> getVendorPrototypeConfigCommands() {
+ return Optional.ofNullable(vendorPrototypeConfigCommands);
+ }
+
+ private static class SetFromIntJsonDeserializer
+ extends JsonDeserializer> {
+ @Override
+ public Set deserialize(JsonParser p, DeserializationContext ctxt)
+ throws IOException, JacksonException {
+ final int bitset = p.getNumberValue().intValue();
+ return Arrays.stream(UserVerificationMethod.values())
+ .filter(uvm -> (uvm.getValue() & bitset) != 0)
+ .collect(Collectors.toSet());
+ }
+ }
+
+ private static class IntFromSetJsonSerializer
+ extends JsonSerializer> {
+ @Override
+ public void serialize(
+ Set value, JsonGenerator gen, SerializerProvider serializers)
+ throws IOException {
+ gen.writeNumber(
+ value.stream().reduce(0, (acc, next) -> acc | next.getValue(), (a, b) -> a | b));
+ }
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorStatus.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorStatus.java
new file mode 100644
index 000000000..49c66572c
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/AuthenticatorStatus.java
@@ -0,0 +1,189 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
+
+/**
+ * This enumeration describes the status of an authenticator model as identified by its AAID/AAGUID
+ * or attestationCertificateKeyIdentifiers and potentially some additional information (such as a
+ * specific attestation key).
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+public enum AuthenticatorStatus {
+ /** (NOT DEFINED IN SPEC) Placeholder for any unknown {@link AuthenticatorStatus} value. */
+ @JsonEnumDefaultValue
+ UNKNOWN(0),
+
+ /**
+ * This authenticator is not FIDO certified.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ NOT_FIDO_CERTIFIED(0),
+
+ /**
+ * This authenticator has passed FIDO functional certification. This certification scheme is
+ * phased out and will be replaced by {@link #FIDO_CERTIFIED_L1}.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ FIDO_CERTIFIED(10),
+
+ /**
+ * Indicates that malware is able to bypass the user verification. This means that the
+ * authenticator could be used without the user’s consent and potentially even without the user’s
+ * knowledge.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ USER_VERIFICATION_BYPASS(0),
+
+ /**
+ * Indicates that an attestation key for this authenticator is known to be compromised. The
+ * relying party SHOULD check the certificate field and use it to identify the compromised
+ * authenticator batch. If the certificate field is not set, the relying party should reject all
+ * new registrations of the compromised authenticator. The Authenticator manufacturer should set
+ * the date to the date when compromise has occurred.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ ATTESTATION_KEY_COMPROMISE(0),
+
+ /**
+ * This authenticator has identified weaknesses that allow registered keys to be compromised and
+ * should not be trusted. This would include both, e.g. weak entropy that causes predictable keys
+ * to be generated or side channels that allow keys or signatures to be forged, guessed or
+ * extracted.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ USER_KEY_REMOTE_COMPROMISE(0),
+
+ /**
+ * This authenticator has known weaknesses in its key protection mechanism(s) that allow user keys
+ * to be extracted by an adversary in physical possession of the device.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ USER_KEY_PHYSICAL_COMPROMISE(0),
+
+ /**
+ * A software or firmware update is available for the device. The Authenticator manufacturer
+ * should set the url to the URL where users can obtain an update and the date the update was
+ * published. When this status code is used, then the field authenticatorVersion in the
+ * authenticator Metadata Statement [FIDOMetadataStatement]
+ * MUST be updated, if the update fixes severe security issues, e.g. the ones reported by
+ * preceding StatusReport entries with status code {@link #USER_VERIFICATION_BYPASS}, {@link
+ * #ATTESTATION_KEY_COMPROMISE}, {@link #USER_KEY_REMOTE_COMPROMISE}, {@link
+ * #USER_KEY_PHYSICAL_COMPROMISE}, {@link #REVOKED}. The Relying party MUST reject the Metadata
+ * Statement if the authenticatorVersion has not increased
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ UPDATE_AVAILABLE(0),
+
+ /**
+ * The FIDO Alliance has determined that this authenticator should not be trusted for any reason.
+ * For example if it is known to be a fraudulent product or contain a deliberate backdoor. Relying
+ * parties SHOULD reject any future registration of this authenticator model.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ REVOKED(0),
+
+ /**
+ * The authenticator vendor has completed and submitted the self-certification checklist to the
+ * FIDO Alliance. If this completed checklist is publicly available, the URL will be specified in
+ * url.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ SELF_ASSERTION_SUBMITTED(0),
+
+ /**
+ * The authenticator has passed FIDO Authenticator certification at level 1. This level is the
+ * more strict successor of {@link #FIDO_CERTIFIED}.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ FIDO_CERTIFIED_L1(10),
+
+ /**
+ * The authenticator has passed FIDO Authenticator certification at level 1+. This level is the
+ * more than level 1.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ FIDO_CERTIFIED_L1plus(11),
+
+ /**
+ * The authenticator has passed FIDO Authenticator certification at level 2. This level is more
+ * strict than level 1+.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ FIDO_CERTIFIED_L2(20),
+
+ /**
+ * The authenticator has passed FIDO Authenticator certification at level 2+. This level is more
+ * strict than level 2.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ FIDO_CERTIFIED_L2plus(21),
+
+ /**
+ * The authenticator has passed FIDO Authenticator certification at level 3. This level is more
+ * strict than level 2+.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ FIDO_CERTIFIED_L3(30),
+
+ /**
+ * The authenticator has passed FIDO Authenticator certification at level 3+. This level is more
+ * strict than level 3.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.4. AuthenticatorStatus enum
+ */
+ FIDO_CERTIFIED_L3plus(31);
+
+ int certificationLevel;
+
+ AuthenticatorStatus(int certificationLevel) {
+ this.certificationLevel = certificationLevel;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/BiometricAccuracyDescriptor.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/BiometricAccuracyDescriptor.java
new file mode 100644
index 000000000..c16f7a23a
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/BiometricAccuracyDescriptor.java
@@ -0,0 +1,75 @@
+package com.yubico.fido.metadata;
+
+import java.util.Optional;
+import lombok.Builder;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * The BiometricAccuracyDescriptor describes relevant accuracy/complexity aspects in the case of a
+ * biometric user verification method, see [FIDOBiometricsRequirements].
+ *
+ * At least one of the values MUST be set. If the vendor doesn’t want to specify such values,
+ * then {@link VerificationMethodDescriptor#getBaDesc()} MUST be omitted.
+ *
+ * @see FIDO
+ * Metadata Statement §3.3. BiometricAccuracyDescriptor dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class BiometricAccuracyDescriptor {
+
+ Double selfAttestedFRR;
+ Double selfAttestedFAR;
+ Integer maxTemplates;
+ Integer maxRetries;
+ Integer blockSlowdown;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.3. BiometricAccuracyDescriptor dictionary
+ */
+ public Optional getSelfAttestedFRR() {
+ return Optional.ofNullable(selfAttestedFRR);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.3. BiometricAccuracyDescriptor dictionary
+ */
+ public Optional getSelfAttestedFAR() {
+ return Optional.ofNullable(selfAttestedFAR);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.3. BiometricAccuracyDescriptor dictionary
+ */
+ public Optional getMaxTemplates() {
+ return Optional.ofNullable(maxTemplates);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.3. BiometricAccuracyDescriptor dictionary
+ */
+ public Optional getMaxRetries() {
+ return Optional.ofNullable(maxRetries);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.3. BiometricAccuracyDescriptor dictionary
+ */
+ public Optional getBlockSlowdown() {
+ return Optional.ofNullable(blockSlowdown);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/BiometricStatusReport.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/BiometricStatusReport.java
new file mode 100644
index 000000000..8ff687969
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/BiometricStatusReport.java
@@ -0,0 +1,87 @@
+package com.yubico.fido.metadata;
+
+import com.yubico.webauthn.extension.uvm.UserVerificationMethod;
+import java.time.LocalDate;
+import java.util.Optional;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * Contains the current BiometricStatusReport of one of the authenticator’s biometric component.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.2. BiometricStatusReport dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class BiometricStatusReport {
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.2. BiometricStatusReport dictionary
+ */
+ int certLevel;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.2. BiometricStatusReport dictionary
+ */
+ @NonNull UserVerificationMethod modality;
+
+ LocalDate effectiveDate;
+ String certificationDescriptor;
+ String certificateNumber;
+ String certificationPolicyVersion;
+ String certificationRequirementsVersion;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.2. BiometricStatusReport dictionary
+ */
+ public Optional getEffectiveDate() {
+ return Optional.ofNullable(effectiveDate);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.2. BiometricStatusReport dictionary
+ */
+ public Optional getCertificationDescriptor() {
+ return Optional.ofNullable(certificationDescriptor);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.2. BiometricStatusReport dictionary
+ */
+ public Optional getCertificateNumber() {
+ return Optional.ofNullable(certificateNumber);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.2. BiometricStatusReport dictionary
+ */
+ public Optional getCertificationPolicyVersion() {
+ return Optional.ofNullable(certificationPolicyVersion);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.2. BiometricStatusReport dictionary
+ */
+ public Optional getCertificationRequirementsVersion() {
+ return Optional.ofNullable(certificationRequirementsVersion);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CertFromBase64Converter.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CertFromBase64Converter.java
new file mode 100644
index 000000000..32c83e78b
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CertFromBase64Converter.java
@@ -0,0 +1,31 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.type.TypeFactory;
+import com.fasterxml.jackson.databind.util.Converter;
+import com.yubico.internal.util.CertificateParser;
+import com.yubico.webauthn.data.ByteArray;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+class CertFromBase64Converter implements Converter {
+ @Override
+ public X509Certificate convert(String value) {
+ try {
+ return CertificateParser.parseDer(
+ ByteArray.fromBase64(value.replaceAll("\\s+", "")).getBytes());
+ } catch (CertificateException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ @Override
+ public JavaType getInputType(TypeFactory typeFactory) {
+ return typeFactory.constructType(String.class);
+ }
+
+ @Override
+ public JavaType getOutputType(TypeFactory typeFactory) {
+ return typeFactory.constructType(X509Certificate.class);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CertToBase64Converter.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CertToBase64Converter.java
new file mode 100644
index 000000000..a80e746e0
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CertToBase64Converter.java
@@ -0,0 +1,29 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.type.TypeFactory;
+import com.fasterxml.jackson.databind.util.Converter;
+import com.yubico.webauthn.data.ByteArray;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+class CertToBase64Converter implements Converter {
+ @Override
+ public String convert(X509Certificate value) {
+ try {
+ return new ByteArray(value.getEncoded()).getBase64();
+ } catch (CertificateEncodingException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ @Override
+ public JavaType getInputType(TypeFactory typeFactory) {
+ return typeFactory.constructType(X509Certificate.class);
+ }
+
+ @Override
+ public JavaType getOutputType(TypeFactory typeFactory) {
+ return typeFactory.constructType(String.class);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CodeAccuracyDescriptor.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CodeAccuracyDescriptor.java
new file mode 100644
index 000000000..30908626c
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CodeAccuracyDescriptor.java
@@ -0,0 +1,55 @@
+package com.yubico.fido.metadata;
+
+import java.util.Optional;
+import lombok.Builder;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * The CodeAccuracyDescriptor describes the relevant accuracy/complexity aspects of passcode user
+ * verification methods.
+ *
+ * @see FIDO
+ * Metadata Statement §3.2. CodeAccuracyDescriptor dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class CodeAccuracyDescriptor {
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.2. CodeAccuracyDescriptor dictionary
+ */
+ int base;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.2. CodeAccuracyDescriptor dictionary
+ */
+ int minLength;
+
+ Integer maxRetries;
+ Integer blockSlowdown;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.2. CodeAccuracyDescriptor dictionary
+ */
+ public Optional getMaxRetries() {
+ return Optional.ofNullable(maxRetries);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.2. CodeAccuracyDescriptor dictionary
+ */
+ public Optional getBlockSlowdown() {
+ return Optional.ofNullable(blockSlowdown);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapCertificationId.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapCertificationId.java
new file mode 100644
index 000000000..0357fcb81
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapCertificationId.java
@@ -0,0 +1,65 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * The {@link AuthenticatorGetInfo#getCertifications()} member provides a hint to the platform with
+ * additional information about certifications that the authenticator has received. Certification
+ * programs may revoke certification of specific devices at any time. Relying partys are responsible
+ * for validating attestations and AAGUID via appropriate methods. Platforms may alter their
+ * behaviour based on these hints such as selecting a PIN protocol or credProtect level.
+ *
+ * @see Client
+ * to Authenticator Protocol (CTAP) §7.3. Authenticator Certifications
+ */
+public enum CtapCertificationId {
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §7.3. Authenticator Certifications
+ */
+ FIPS_CMVP_2("FIPS-CMVP-2"),
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §7.3. Authenticator Certifications
+ */
+ FIPS_CMVP_3("FIPS-CMVP-3"),
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §7.3. Authenticator Certifications
+ */
+ FIPS_CMVP_2_PHY("FIPS-CMVP-2-PHY"),
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §7.3. Authenticator Certifications
+ */
+ FIPS_CMVP_3_PHY("FIPS-CMVP-3-PHY"),
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §7.3. Authenticator Certifications
+ */
+ CC_EAL("CC-EAL"),
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §7.3. Authenticator Certifications
+ */
+ FIDO("FIDO");
+
+ @JsonValue private String id;
+
+ CtapCertificationId(String id) {
+ this.id = id;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapPinUvAuthProtocolVersion.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapPinUvAuthProtocolVersion.java
new file mode 100644
index 000000000..254c2a823
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapPinUvAuthProtocolVersion.java
@@ -0,0 +1,37 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * Enumeration of valid PIN/UV auth protocol version identifiers.
+ *
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.5. authenticatorClientPIN (0x06)
+ */
+public enum CtapPinUvAuthProtocolVersion {
+
+ /**
+ * Represents PIN/UV Auth Protocol One.
+ *
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.5.6. PIN/UV Auth Protocol One
+ */
+ ONE(1),
+
+ /**
+ * Represents PIN/UV Auth Protocol Two.
+ *
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.5.7. PIN/UV Auth Protocol Two
+ */
+ TWO(2);
+
+ @JsonValue private int value;
+
+ CtapPinUvAuthProtocolVersion(int value) {
+ this.value = value;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapVersion.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapVersion.java
new file mode 100644
index 000000000..978beee13
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/CtapVersion.java
@@ -0,0 +1,39 @@
+package com.yubico.fido.metadata;
+
+/**
+ * Enumeration of CTAP versions.
+ *
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+public enum CtapVersion {
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ U2F_V2,
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ FIDO_2_0,
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ FIDO_2_1_PRE,
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ FIDO_2_1;
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/DisplayPNGCharacteristicsDescriptor.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/DisplayPNGCharacteristicsDescriptor.java
new file mode 100644
index 000000000..b1dff5599
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/DisplayPNGCharacteristicsDescriptor.java
@@ -0,0 +1,78 @@
+package com.yubico.fido.metadata;
+
+import java.util.List;
+import lombok.Builder;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * The DisplayPNGCharacteristicsDescriptor describes a PNG image characteristics as defined in the
+ * PNG [PNG]
+ * spec for IHDR (image header) and PLTE (palette table).
+ *
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class DisplayPNGCharacteristicsDescriptor {
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+ long width;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+ long height;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+ short bitDepth;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+ short colorType;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+ short compression;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+ short filter;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+ short interlace;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.8. DisplayPNGCharacteristicsDescriptor dictionary
+ */
+ List plte;
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/ExtensionDescriptor.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/ExtensionDescriptor.java
new file mode 100644
index 000000000..e2efdab4f
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/ExtensionDescriptor.java
@@ -0,0 +1,49 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * This descriptor contains an extension supported by the authenticator.
+ *
+ * @see FIDO
+ * Metadata Statement §3.10. ExtensionDescriptor dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class ExtensionDescriptor {
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.10. ExtensionDescriptor dictionary
+ */
+ @NonNull String id;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.10. ExtensionDescriptor dictionary
+ */
+ Integer tag;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.10. ExtensionDescriptor dictionary
+ */
+ String data;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.10. ExtensionDescriptor dictionary
+ */
+ @JsonProperty("fail_if_unknown")
+ boolean failIfUnknown;
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloader.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloader.java
new file mode 100644
index 000000000..d9261251c
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloader.java
@@ -0,0 +1,991 @@
+// Copyright (c) 2015-2021, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.core.Base64Variants;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.yubico.fido.metadata.FidoMetadataDownloaderException.Reason;
+import com.yubico.internal.util.BinaryUtil;
+import com.yubico.internal.util.CertificateParser;
+import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.exception.Base64UrlException;
+import com.yubico.webauthn.data.exception.HexException;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.nio.charset.StandardCharsets;
+import java.security.DigestException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.cert.CRL;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertStore;
+import java.security.cert.CertStoreParameters;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.time.Clock;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.List;
+import java.util.Optional;
+import java.util.Scanner;
+import java.util.Set;
+import java.util.UUID;
+import java.util.function.Consumer;
+import java.util.function.Supplier;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Utility for downloading, caching and verifying Fido Metadata Service BLOBs and associated
+ * certificates.
+ *
+ * This class is NOT THREAD SAFE since it reads and writes caches. However, it has no internal
+ * mutable state, so instances MAY be reused in single-threaded or externally synchronized contexts.
+ * See also the {@link #loadCachedBlob()} method.
+ *
+ *
Use the {@link #builder() builder} to configure settings, then use the {@link
+ * #loadCachedBlob()} method to load the metadata BLOB.
+ */
+@Slf4j
+@AllArgsConstructor(access = AccessLevel.PRIVATE)
+public final class FidoMetadataDownloader {
+
+ @NonNull private final Set expectedLegalHeaders;
+ private final X509Certificate trustRootCertificate;
+ private final URL trustRootUrl;
+ private final Set trustRootSha256;
+ private final File trustRootCacheFile;
+ private final Supplier> trustRootCacheSupplier;
+ private final Consumer trustRootCacheConsumer;
+ private final String blobJwt;
+ private final URL blobUrl;
+ private final File blobCacheFile;
+ private final Supplier> blobCacheSupplier;
+ private final Consumer blobCacheConsumer;
+ private final CertStore certStore;
+ @NonNull private final Clock clock;
+ private final KeyStore httpsTrustStore;
+
+ /**
+ * Begin configuring a {@link FidoMetadataDownloader} instance. See the {@link
+ * FidoMetadataDownloaderBuilder.Step1 Step1} type.
+ *
+ * @see FidoMetadataDownloaderBuilder.Step1
+ */
+ public static FidoMetadataDownloaderBuilder.Step1 builder() {
+ return new FidoMetadataDownloaderBuilder.Step1();
+ }
+
+ @RequiredArgsConstructor(access = AccessLevel.PRIVATE)
+ public static class FidoMetadataDownloaderBuilder {
+ @NonNull private final Set expectedLegalHeaders;
+ private final X509Certificate trustRootCertificate;
+ private final URL trustRootUrl;
+ private final Set trustRootSha256;
+ private final File trustRootCacheFile;
+ private final Supplier> trustRootCacheSupplier;
+ private final Consumer trustRootCacheConsumer;
+ private final String blobJwt;
+ private final URL blobUrl;
+ private final File blobCacheFile;
+ private final Supplier> blobCacheSupplier;
+ private final Consumer blobCacheConsumer;
+
+ private CertStore certStore = null;
+ @NonNull private Clock clock = Clock.systemUTC();
+ private KeyStore httpsTrustStore = null;
+
+ public FidoMetadataDownloader build() {
+ return new FidoMetadataDownloader(
+ expectedLegalHeaders,
+ trustRootCertificate,
+ trustRootUrl,
+ trustRootSha256,
+ trustRootCacheFile,
+ trustRootCacheSupplier,
+ trustRootCacheConsumer,
+ blobJwt,
+ blobUrl,
+ blobCacheFile,
+ blobCacheSupplier,
+ blobCacheConsumer,
+ certStore,
+ clock,
+ httpsTrustStore);
+ }
+
+ /**
+ * Step 1: Set the legal header to expect from the FIDO Metadata Service.
+ *
+ * By using the FIDO Metadata Service, you will be subject to its terms of service. This step
+ * serves two purposes:
+ *
+ *
+ * - To remind you and any code reviewers that you need to read those terms of service
+ * before using this feature.
+ *
- To help you detect if the legal header changes, so you can take appropriate action.
+ *
+ *
+ * See {@link Step1#expectLegalHeader(String...)}.
+ *
+ * @see Step1#expectLegalHeader(String...)
+ */
+ @AllArgsConstructor(access = AccessLevel.PRIVATE)
+ public static class Step1 {
+
+ /**
+ * Set legal headers expected in the metadata BLOB.
+ *
+ *
By using the FIDO Metadata Service, you will be subject to its terms of service. This
+ * builder step serves two purposes:
+ *
+ *
+ * - To remind you and any code reviewers that you need to read those terms of service
+ * before using this feature.
+ *
- To help you detect if the legal header changes, so you can take appropriate action.
+ *
+ *
+ * If the legal header in the downloaded BLOB does not equal any of the
+ * expectedLegalHeaders, an {@link UnexpectedLegalHeader} exception will be thrown in
+ * the finalizing builder step.
+ *
+ *
Note that this library makes no guarantee that a change to the FIDO Metadata Service
+ * terms of service will also cause a change to the legal header in the BLOB.
+ *
+ *
At the time of this library release, the current legal header is
+ * "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
+ * .
+ *
+ * @param expectedLegalHeaders the set of BLOB legal headers you expect in the metadata BLOB
+ * payload.
+ */
+ public Step2 expectLegalHeader(@NonNull String... expectedLegalHeaders) {
+ return new Step2(Stream.of(expectedLegalHeaders).collect(Collectors.toSet()));
+ }
+ }
+
+ /**
+ * Step 2: Configure how to retrieve the FIDO Metadata Service trust root certificate when
+ * necessary.
+ *
+ *
This step offers three mutually exclusive options:
+ *
+ *
+ * - Use the default download URL and certificate hash. This is the main intended use case.
+ * See {@link #useDefaultTrustRoot()}.
+ *
- Use a custom download URL and certificate hash. This is for future-proofing in case the
+ * trust root certificate changes and there is no new release of this library. See {@link
+ * #downloadTrustRoot(URL, Set)}.
+ *
- Use a pre-retrieved trust root certificate. It is up to you to perform any integrity
+ * checks and cache it as desired. See {@link #useTrustRoot(X509Certificate)}.
+ *
+ */
+ @AllArgsConstructor(access = AccessLevel.PRIVATE)
+ public static class Step2 {
+
+ @NonNull private final Set expectedLegalHeaders;
+
+ /**
+ * Download the trust root certificate from a hard-coded URL and verify it against a
+ * hard-coded SHA-256 hash.
+ *
+ * This is an alias of:
+ *
+ *
+ * downloadTrustRoot(
+ * new URL("https://secure.globalsign.com/cacert/root-r3.crt"),
+ * Collections.singleton(ByteArray.fromHex("cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"))
+ * )
+ *
+ *
+ * This is the current FIDO Metadata Service trust root certificate at the time of this
+ * library release.
+ *
+ * @see #downloadTrustRoot(URL, Set)
+ */
+ public Step3 useDefaultTrustRoot() {
+ try {
+ return downloadTrustRoot(
+ new URL("https://secure.globalsign.com/cacert/root-r3.crt"),
+ Collections.singleton(
+ ByteArray.fromHex(
+ "cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b")));
+ } catch (MalformedURLException e) {
+ throw new RuntimeException(
+ "Bad hard-coded trust root certificate URL. Please file a bug report.", e);
+ } catch (HexException e) {
+ throw new RuntimeException(
+ "Bad hard-coded trust root certificate hash. Please file a bug report.", e);
+ }
+ }
+
+ /**
+ * Download the trust root certificate from the given HTTPS url and verify its
+ * SHA-256 hash against acceptedCertSha256.
+ *
+ * The certificate will be downloaded if it does not exist in the cache, or if the cached
+ * certificate is not currently valid.
+ *
+ *
If the cert is downloaded, it is also written to the cache {@link File} or {@link
+ * Consumer} configured in the {@link Step3 next step}.
+ *
+ * @param url the HTTP URL to download. It MUST use the https: scheme.
+ * @param acceptedCertSha256 a set of SHA-256 hashes to verify the downloaded certificate
+ * against. The downloaded certificate MUST match at least one of these hashes.
+ * @throws IllegalArgumentException if url is not a HTTPS URL.
+ */
+ public Step3 downloadTrustRoot(@NonNull URL url, @NonNull Set acceptedCertSha256) {
+ if (!"https".equals(url.getProtocol())) {
+ throw new IllegalArgumentException("Trust certificate download URL must be a HTTPS URL.");
+ }
+ return new Step3(this, null, url, acceptedCertSha256);
+ }
+
+ /**
+ * Use the given trust root certificate. It is the caller's responsibility to perform any
+ * integrity checks and/or caching logic.
+ *
+ * @param trustRootCertificate the certificate to use as the FIDO Metadata Service trust root.
+ */
+ public Step4 useTrustRoot(@NonNull X509Certificate trustRootCertificate) {
+ return new Step4(new Step3(this, trustRootCertificate, null, null), null, null, null);
+ }
+ }
+
+ /**
+ * Step 3: Configure how to cache the trust root certificate.
+ *
+ * This step offers two mutually exclusive options:
+ *
+ *
+ * - Cache the trust root certificate in a {@link File}. See {@link
+ * Step3#useTrustRootCacheFile(File)}.
+ *
- Cache the trust root certificate using a {@link Supplier} to read the cache and a
+ * {@link Consumer} to write the cache. See {@link Step3#useTrustRootCache(Supplier,
+ * Consumer)}.
+ *
+ */
+ @AllArgsConstructor(access = AccessLevel.PRIVATE)
+ public static class Step3 {
+ @NonNull private final Step2 step2;
+ private final X509Certificate trustRootCertificate;
+ private final URL trustRootUrl;
+ private final Set trustRootSha256;
+
+ /**
+ * Cache the trust root certificate in the file cacheFile.
+ *
+ * If cacheFile exists, is a normal file, is readable, matches one of the
+ * SHA-256 hashes configured in the previous step, and contains a currently valid X.509
+ * certificate, then it will be used as the trust root for the FIDO Metadata Service blob.
+ *
+ *
Otherwise, the trust root certificate will be downloaded and written to this file.
+ */
+ public Step4 useTrustRootCacheFile(@NonNull File cacheFile) {
+ return new Step4(this, cacheFile, null, null);
+ }
+
+ /**
+ * Cache the trust root certificate using a {@link Supplier} to read the cache, and using a
+ * {@link Consumer} to write the cache.
+ *
+ *
If getCachedTrustRootCert returns non-empty, the value matches one of the
+ * SHA-256 hashes configured in the previous step, and is a currently valid X.509 certificate,
+ * then it will be used as the trust root for the FIDO Metadata Service blob.
+ *
+ *
Otherwise, the trust root certificate will be downloaded and written to
+ * writeCachedTrustRootCert.
+ *
+ * @param getCachedTrustRootCert a {@link Supplier} that fetches the cached trust root
+ * certificate if it exists. The returned value, if any, should be the trust root
+ * certificate in X.509 DER format.
+ * @param writeCachedTrustRootCert a {@link Consumer} that accepts the trust root certificate
+ * in X.509 DER format and writes it to the cache.
+ */
+ public Step4 useTrustRootCache(
+ @NonNull Supplier> getCachedTrustRootCert,
+ @NonNull Consumer writeCachedTrustRootCert) {
+ return new Step4(this, null, getCachedTrustRootCert, writeCachedTrustRootCert);
+ }
+ }
+
+ /**
+ * Step 4: Configure how to fetch the FIDO Metadata Service metadata BLOB.
+ *
+ * This step offers three mutually exclusive options:
+ *
+ *
+ * - Use the default download URL. This is the main intended use case. See {@link
+ * #useDefaultBlob()}.
+ *
- Use a custom download URL. This is for future-proofing in case the BLOB download URL
+ * changes and there is no new release of this library. See {@link #downloadBlob(URL)}.
+ *
- Use a pre-retrieved BLOB. The signature will still be verified, but it is up to you to
+ * renew it when appropriate and perform any caching as desired. See {@link
+ * #useBlob(String)}.
+ *
+ */
+ @AllArgsConstructor(access = AccessLevel.PRIVATE)
+ public static class Step4 {
+ @NonNull private final Step3 step3;
+ private final File trustRootCacheFile;
+ private final Supplier> trustRootCacheSupplier;
+ private final Consumer trustRootCacheConsumer;
+
+ /**
+ * Download the metadata BLOB from a hard-coded URL.
+ *
+ * This is an alias of downloadBlob(new URL("https://mds.fidoalliance.org/")).
+ *
+ *
This is the current FIDO Metadata Service BLOB download URL at the time of this library
+ * release.
+ *
+ * @see #downloadBlob(URL)
+ */
+ public Step5 useDefaultBlob() {
+ try {
+ return downloadBlob(new URL("https://mds.fidoalliance.org/"));
+ } catch (MalformedURLException e) {
+ throw new RuntimeException(
+ "Bad hard-coded trust root certificate URL. Please file a bug report.", e);
+ }
+ }
+
+ /**
+ * Download the metadata BLOB from the given HTTPS url.
+ *
+ *
The BLOB will be downloaded if it does not exist in the cache, or if the
+ * nextUpdate property of the cached BLOB is the current date or earlier.
+ *
+ *
If the BLOB is downloaded, it is also written to the cache {@link File} or {@link
+ * Consumer} configured in the previous step.
+ *
+ * @param url the HTTP URL to download. It MUST use the https: scheme.
+ */
+ public Step5 downloadBlob(@NonNull URL url) {
+ return new Step5(this, null, url);
+ }
+
+ /**
+ * Use the given metadata BLOB; never download it.
+ *
+ *
The blob signature and trust chain will still be verified, but it is the caller's
+ * responsibility to renew the metadata BLOB according to the FIDO
+ * Metadata Service specification.
+ *
+ * @param blobJwt the Metadata BLOB in JWT format as defined in FIDO
+ * Metadata Service §3.1.7. Metadata BLOB. The byte array should not be
+ * Base64-decoded.
+ * @see FIDO
+ * Metadata Service §3.1.7. Metadata BLOB
+ * @see FIDO
+ * Metadata Service §3.2. Metadata BLOB object processing rules
+ */
+ public FidoMetadataDownloaderBuilder useBlob(@NonNull String blobJwt) {
+ return finishRequiredSteps(new Step5(this, blobJwt, null), null, null, null);
+ }
+ }
+
+ /**
+ * Step 5: Configure how to cache the metadata BLOB.
+ *
+ *
This step offers two mutually exclusive options:
+ *
+ *
+ * - Cache the metadata BLOB in a {@link File}. See {@link Step5#useBlobCacheFile(File)}.
+ *
- Cache the metadata BLOB using a {@link Supplier} to read the cache and a {@link
+ * Consumer} to write the cache. See {@link Step5#useBlobCache(Supplier, Consumer)}.
+ *
+ */
+ @AllArgsConstructor(access = AccessLevel.PRIVATE)
+ public static class Step5 {
+ @NonNull private final Step4 step4;
+ private final String blobJwt;
+ private final URL blobUrl;
+
+ /**
+ * Cache metadata BLOB in the file cacheFile.
+ *
+ * If cacheFile exists, is a normal file, is readable, and is not out of date,
+ * then it will be used as the FIDO Metadata Service BLOB.
+ *
+ *
Otherwise, the metadata BLOB will be downloaded and written to this file.
+ *
+ * @param cacheFile a {@link File} which may or may not exist. If it exists, it should contain
+ * the metadata BLOB in JWS compact serialization format [RFC7515].
+ */
+ public FidoMetadataDownloaderBuilder useBlobCacheFile(@NonNull File cacheFile) {
+ return finishRequiredSteps(this, cacheFile, null, null);
+ }
+
+ /**
+ * Cache the metadata BLOB using a {@link Supplier} to read the cache, and using a {@link
+ * Consumer} to write the cache.
+ *
+ *
If getCachedBlob returns non-empty and the content is not out of date, then
+ * it will be used as the FIDO Metadata Service BLOB.
+ *
+ *
Otherwise, the metadata BLOB will be downloaded and written to writeCachedBlob
+ * .
+ *
+ * @param getCachedBlob a {@link Supplier} that fetches the cached metadata BLOB if it exists.
+ * The returned value, if any, should be in JWS compact serialization format [RFC7515].
+ * @param writeCachedBlob a {@link Consumer} that accepts the metadata BLOB in JWS compact
+ * serialization format [RFC7515] and
+ * writes it to the cache.
+ */
+ public FidoMetadataDownloaderBuilder useBlobCache(
+ @NonNull Supplier> getCachedBlob,
+ @NonNull Consumer writeCachedBlob) {
+ return finishRequiredSteps(this, null, getCachedBlob, writeCachedBlob);
+ }
+ }
+
+ private static FidoMetadataDownloaderBuilder finishRequiredSteps(
+ FidoMetadataDownloaderBuilder.Step5 step5,
+ File blobCacheFile,
+ Supplier> blobCacheSupplier,
+ Consumer blobCacheConsumer) {
+ return new FidoMetadataDownloaderBuilder(
+ step5.step4.step3.step2.expectedLegalHeaders,
+ step5.step4.step3.trustRootCertificate,
+ step5.step4.step3.trustRootUrl,
+ step5.step4.step3.trustRootSha256,
+ step5.step4.trustRootCacheFile,
+ step5.step4.trustRootCacheSupplier,
+ step5.step4.trustRootCacheConsumer,
+ step5.blobJwt,
+ step5.blobUrl,
+ blobCacheFile,
+ blobCacheSupplier,
+ blobCacheConsumer);
+ }
+
+ /**
+ * Use clock as the source of the current time for some application-level logic.
+ *
+ * This is primarily intended for testing.
+ *
+ *
The default is {@link Clock#systemUTC()}.
+ *
+ * @param clock a {@link Clock} which the finished {@link FidoMetadataDownloader} will use to
+ * tell the time.
+ */
+ public FidoMetadataDownloaderBuilder clock(@NonNull Clock clock) {
+ this.clock = clock;
+ return this;
+ }
+
+ /**
+ * Use the provided CRLs.
+ *
+ *
CRLs will also be downloaded from distribution points if the
+ * com.sun.security.enableCRLDP system property is set to true (assuming the
+ * use of the {@link CertPathValidator} implementation from the SUN provider).
+ *
+ * @throws InvalidAlgorithmParameterException if {@link CertStore#getInstance(String,
+ * CertStoreParameters)} does.
+ * @throws NoSuchAlgorithmException if a "Collection" type {@link CertStore}
+ * provider is not available.
+ * @see #useCrls(CertStore)
+ */
+ public FidoMetadataDownloaderBuilder useCrls(@NonNull Collection crls)
+ throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+ return useCrls(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
+ }
+
+ /**
+ * Use CRLs in the provided {@link CertStore}.
+ *
+ * CRLs will also be downloaded from distribution points if the
+ * com.sun.security.enableCRLDP system property is set to true (assuming the
+ * use of the {@link CertPathValidator} implementation from the SUN provider).
+ *
+ * @see #useCrls(Collection)
+ */
+ public FidoMetadataDownloaderBuilder useCrls(CertStore certStore) {
+ this.certStore = certStore;
+ return this;
+ }
+
+ /**
+ * Use the provided {@link X509Certificate}s as trust roots for HTTPS downloads.
+ *
+ *
This is primarily useful when setting {@link Step2#downloadTrustRoot(URL, Set)
+ * downloadTrustRoot} and/or {@link Step4#downloadBlob(URL) downloadBlob} to download from
+ * custom servers instead of the defaults.
+ *
+ *
If provided, these will be used for downloading
+ *
+ *
+ * - the trust root certificate for the BLOB signature chain, and
+ *
- the metadata BLOB.
+ *
+ *
+ * If not set, the system default certificate store will be used.
+ */
+ public FidoMetadataDownloaderBuilder trustHttpsCerts(@NonNull X509Certificate... certificates) {
+ final KeyStore trustStore;
+ try {
+ trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ trustStore.load(null);
+ } catch (KeyStoreException
+ | IOException
+ | NoSuchAlgorithmException
+ | CertificateException e) {
+ throw new RuntimeException(
+ "Failed to instantiate or initialize KeyStore. This should not be possible, please file a bug report.",
+ e);
+ }
+ for (X509Certificate cert : certificates) {
+ try {
+ trustStore.setCertificateEntry(UUID.randomUUID().toString(), cert);
+ } catch (KeyStoreException e) {
+ throw new RuntimeException(
+ "Failed to import HTTPS cert into KeyStore. This should not be possible, please file a bug report.",
+ e);
+ }
+ }
+ this.httpsTrustStore = trustStore;
+
+ return this;
+ }
+ }
+
+ /**
+ * Load the metadata BLOB from cache, or download a fresh one if necessary.
+ *
+ * This method is NOT THREAD SAFE since it reads and writes caches.
+ *
+ *
On each execution this will, in order:
+ *
+ *
+ * - Download the trust root certificate, if necessary: if the cache is empty, the cache fails
+ * to load, or the cached cert is not valid at the current time (as determined by the {@link
+ * FidoMetadataDownloaderBuilder#clock(Clock) clock} setting).
+ *
- If downloaded, cache the trust root certificate using the configured {@link File} or
+ * {@link Consumer} (see {@link FidoMetadataDownloaderBuilder.Step3})
+ *
- Download the metadata BLOB, if necessary: if the cache is empty, the cache fails to load,
+ * or the
"nextUpdate" property in the cached BLOB is the current date (as
+ * determined by the {@link FidoMetadataDownloaderBuilder#clock(Clock) clock} setting) or
+ * earlier.
+ * - Check the
"no" property of the downloaded BLOB, if any, and compare it with
+ * the "no" of the cached BLOB, if any. The one with a greater "no"
+ * overrides the other, even if its "nextUpdate" is in the past.
+ * - If a BLOB with a newer
"no" was downloaded, verify that the value of its
+ * "legalHeader" appears in the configured {@link
+ * FidoMetadataDownloaderBuilder.Step1#expectLegalHeader(String...) expectLegalHeader}
+ * setting. If not, throw an {@link UnexpectedLegalHeader} exception containing the cached
+ * BLOB, if any, and the downloaded BLOB.
+ * - If a BLOB with a newer
"no" was downloaded and had an expected
+ * "legalHeader", cache the new BLOB using the configured {@link File} or {@link
+ * Consumer} (see {@link FidoMetadataDownloaderBuilder.Step5}).
+ *
+ *
+ * No internal mutable state is maintained between invocations of loadBlob(); each
+ * invocation will reload/rewrite caches, perform downloads and check the "legalHeader"
+ * as necessary. You may therefore reuse a {@link FidoMetadataDownloader} instance and,
+ * for example, call loadBlob() periodically to refresh the BLOB when appropriate.
+ * Each call will return a new {@link MetadataBLOB} instance; ones already returned will not be
+ * updated by subsequent loadBlob() calls.
+ *
+ * @return the successfully retrieved and validated metadata BLOB.
+ * @throws Base64UrlException if the metadata BLOB is not a well-formed JWT in compact
+ * serialization.
+ * @throws CertPathValidatorException if the downloaded or explicitly configured BLOB fails
+ * certificate path validation.
+ * @throws CertificateException if the trust root certificate was downloaded and passed the
+ * SHA-256 integrity check, but does not contain a currently valid X.509 DER certificate; or
+ * if the BLOB signing certificate chain fails to parse.
+ * @throws DigestException if the trust root certificate was downloaded but failed the SHA-256
+ * integrity check.
+ * @throws FidoMetadataDownloaderException if the explicitly configured BLOB (if any) has a bad
+ * signature.
+ * @throws IOException if any of the following fails: downloading the trust root certificate,
+ * downloading the BLOB, reading or writing any cache file (if any), or parsing the BLOB
+ * contents.
+ * @throws InvalidAlgorithmParameterException if certificate path validation fails.
+ * @throws InvalidKeyException if signature verification fails.
+ * @throws NoSuchAlgorithmException if signature verification fails, or if the SHA-256 algorithm
+ * is not available.
+ * @throws SignatureException if signature verification fails.
+ * @throws UnexpectedLegalHeader if the downloaded BLOB (if any) contains a "legalHeader"
+ * value not configured in {@link
+ * FidoMetadataDownloaderBuilder.Step1#expectLegalHeader(String...)
+ * expectLegalHeader(String...)} but is otherwise valid. The downloaded BLOB will not be
+ * written to cache in this case.
+ */
+ public MetadataBLOB loadCachedBlob()
+ throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException,
+ CertificateException, IOException, NoSuchAlgorithmException, SignatureException,
+ InvalidKeyException, UnexpectedLegalHeader, DigestException,
+ FidoMetadataDownloaderException {
+ X509Certificate trustRoot = retrieveTrustRootCert();
+ return retrieveBlob(trustRoot);
+ }
+
+ /**
+ * @throws CertificateException if the trust root certificate was downloaded and passed the
+ * SHA-256 integrity check, but does not contain a currently valid X.509 DER certificate.
+ * @throws DigestException if the trust root certificate was downloaded but failed the SHA-256
+ * integrity check.
+ * @throws IOException if the trust root certificate download failed, or if reading or writing the
+ * cache file (if any) failed.
+ * @throws NoSuchAlgorithmException if the SHA-256 algorithm is not available.
+ */
+ private X509Certificate retrieveTrustRootCert()
+ throws CertificateException, DigestException, IOException, NoSuchAlgorithmException {
+
+ if (trustRootCertificate != null) {
+ return trustRootCertificate;
+
+ } else {
+ final Optional cachedContents;
+ if (trustRootCacheFile != null) {
+ cachedContents = readCacheFile(trustRootCacheFile);
+ } else {
+ cachedContents = trustRootCacheSupplier.get();
+ }
+
+ X509Certificate cert = null;
+ if (cachedContents.isPresent()) {
+ try {
+ final X509Certificate cachedCert =
+ CertificateParser.parseDer(cachedContents.get().getBytes());
+ cachedCert.checkValidity(Date.from(clock.instant()));
+ cert = cachedCert;
+ } catch (CertificateException e) {
+ // Fall through
+ }
+ }
+
+ if (cert == null) {
+ final ByteArray downloaded = verifyHash(download(trustRootUrl), trustRootSha256);
+ if (downloaded == null) {
+ throw new DigestException(
+ "Downloaded trust root certificate matches none of the acceptable hashes.");
+ }
+
+ cert = CertificateParser.parseDer(downloaded.getBytes());
+ cert.checkValidity(Date.from(clock.instant()));
+
+ if (trustRootCacheFile != null) {
+ new FileOutputStream(trustRootCacheFile).write(downloaded.getBytes());
+ }
+
+ if (trustRootCacheConsumer != null) {
+ trustRootCacheConsumer.accept(downloaded);
+ }
+ }
+
+ return cert;
+ }
+ }
+
+ /**
+ * @throws Base64UrlException if the metadata BLOB is not a well-formed JWT in compact
+ * serialization.
+ * @throws CertPathValidatorException if the downloaded or explicitly configured BLOB fails
+ * certificate path validation.
+ * @throws CertificateException if the BLOB signing certificate chain fails to parse.
+ * @throws IOException if any of the following fails: downloading the BLOB, reading or writing the
+ * cache file (if any), or parsing the BLOB contents.
+ * @throws InvalidAlgorithmParameterException if certificate path validation fails.
+ * @throws InvalidKeyException if signature verification fails.
+ * @throws UnexpectedLegalHeader if the downloaded BLOB (if any) contains a "legalHeader"
+ * value not configured in {@link
+ * FidoMetadataDownloaderBuilder.Step1#expectLegalHeader(String...)
+ * expectLegalHeader(String...)} but is otherwise valid. The downloaded BLOB will not be
+ * written to cache in this case.
+ * @throws NoSuchAlgorithmException if signature verification fails.
+ * @throws SignatureException if signature verification fails.
+ * @throws FidoMetadataDownloaderException if the explicitly configured BLOB (if any) has a bad
+ * signature.
+ */
+ private MetadataBLOB retrieveBlob(X509Certificate trustRootCertificate)
+ throws Base64UrlException, CertPathValidatorException, CertificateException, IOException,
+ InvalidAlgorithmParameterException, InvalidKeyException, UnexpectedLegalHeader,
+ NoSuchAlgorithmException, SignatureException, FidoMetadataDownloaderException {
+ if (blobJwt != null) {
+ return parseAndVerifyBlob(
+ new ByteArray(blobJwt.getBytes(StandardCharsets.UTF_8)), trustRootCertificate);
+
+ } else {
+
+ final Optional cachedContents;
+ if (blobCacheFile != null) {
+ cachedContents = readCacheFile(blobCacheFile);
+ } else {
+ cachedContents = blobCacheSupplier.get();
+ }
+
+ final MetadataBLOB cachedBlob =
+ cachedContents
+ .map(
+ cached -> {
+ try {
+ return parseAndVerifyBlob(cached, trustRootCertificate);
+ } catch (Exception e) {
+ return null;
+ }
+ })
+ .orElse(null);
+
+ if (cachedBlob != null
+ && cachedBlob
+ .getPayload()
+ .getNextUpdate()
+ .atStartOfDay()
+ .atZone(clock.getZone())
+ .isAfter(clock.instant().atZone(clock.getZone()))) {
+ return cachedBlob;
+
+ } else {
+ final ByteArray downloaded = download(blobUrl);
+ try {
+ final MetadataBLOB downloadedBlob = parseAndVerifyBlob(downloaded, trustRootCertificate);
+
+ if (cachedBlob == null
+ || downloadedBlob.getPayload().getNo() > cachedBlob.getPayload().getNo()) {
+ if (expectedLegalHeaders.contains(downloadedBlob.getPayload().getLegalHeader())) {
+ if (blobCacheFile != null) {
+ new FileOutputStream(blobCacheFile).write(downloaded.getBytes());
+ }
+
+ if (blobCacheConsumer != null) {
+ blobCacheConsumer.accept(downloaded);
+ }
+
+ return downloadedBlob;
+ } else {
+ throw new UnexpectedLegalHeader(cachedBlob, downloadedBlob);
+ }
+
+ } else {
+ return cachedBlob;
+ }
+ } catch (FidoMetadataDownloaderException e) {
+ if (e.getReason() == FidoMetadataDownloaderException.Reason.BAD_SIGNATURE
+ && cachedBlob != null) {
+ return cachedBlob;
+ } else {
+ throw e;
+ }
+ }
+ }
+ }
+ }
+
+ private Optional readCacheFile(File cacheFile) throws IOException {
+ if (cacheFile.exists() && cacheFile.canRead() && cacheFile.isFile()) {
+ try {
+ return Optional.of(readAll(new FileInputStream(cacheFile)));
+ } catch (FileNotFoundException e) {
+ throw new RuntimeException(
+ "This exception should be impossible, please file a bug report.", e);
+ }
+ } else {
+ return Optional.empty();
+ }
+ }
+
+ private ByteArray download(URL url) throws IOException {
+ URLConnection conn = url.openConnection();
+
+ if (conn instanceof HttpsURLConnection) {
+ HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
+ if (httpsTrustStore != null) {
+ try {
+ TrustManagerFactory trustMan =
+ TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ trustMan.init(httpsTrustStore);
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(null, trustMan.getTrustManagers(), null);
+
+ httpsConn.setSSLSocketFactory(sslContext.getSocketFactory());
+ } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
+ throw new RuntimeException(
+ "Failed to initialize HTTPS trust store. This should be impossible, please file a bug report.",
+ e);
+ }
+ }
+ httpsConn.setRequestMethod("GET");
+ }
+
+ return readAll(conn.getInputStream());
+ }
+
+ private MetadataBLOB parseAndVerifyBlob(ByteArray jwt, X509Certificate trustRootCertificate)
+ throws CertPathValidatorException, InvalidAlgorithmParameterException, CertificateException,
+ IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException,
+ Base64UrlException, FidoMetadataDownloaderException {
+ Scanner s = new Scanner(new ByteArrayInputStream(jwt.getBytes())).useDelimiter("\\.");
+ final ByteArray header = ByteArray.fromBase64Url(s.next());
+ final ByteArray payload = ByteArray.fromBase64Url(s.next());
+ final ByteArray signature = ByteArray.fromBase64Url(s.next());
+ return verifyBlob(header, payload, signature, trustRootCertificate);
+ }
+
+ private MetadataBLOB verifyBlob(
+ ByteArray jwtHeader,
+ ByteArray jwtPayload,
+ ByteArray jwtSignature,
+ X509Certificate trustRootCertificate)
+ throws IOException, CertificateException, NoSuchAlgorithmException, InvalidKeyException,
+ SignatureException, CertPathValidatorException, InvalidAlgorithmParameterException,
+ FidoMetadataDownloaderException {
+ final ObjectMapper headerJsonMapper =
+ com.yubico.internal.util.JacksonCodecs.json()
+ .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true)
+ .setBase64Variant(Base64Variants.MIME_NO_LINEFEEDS);
+ final MetadataBLOBHeader header =
+ headerJsonMapper.readValue(jwtHeader.getBytes(), MetadataBLOBHeader.class);
+
+ final List certChain;
+ if (header.getX5u().isPresent()) {
+ final URL x5u = header.getX5u().get();
+ if (blobUrl != null
+ && (!(x5u.getHost().equals(blobUrl.getHost())
+ && x5u.getProtocol().equals(blobUrl.getProtocol())
+ && x5u.getPort() == blobUrl.getPort()))) {
+ throw new IllegalArgumentException(
+ String.format(
+ "x5u in BLOB header must have same origin as the URL the BLOB was downloaded from. Expected origin of: %s ; found: %s",
+ blobUrl, x5u));
+ }
+ List certs = new ArrayList<>();
+ for (String pem :
+ new String(download(x5u).getBytes(), StandardCharsets.UTF_8)
+ .trim()
+ .split("\\n+-----END CERTIFICATE-----\\n+-----BEGIN CERTIFICATE-----\\n+")) {
+ X509Certificate x509Certificate = CertificateParser.parsePem(pem);
+ certs.add(x509Certificate);
+ }
+ certChain = certs;
+ } else if (header.getX5c().isPresent()) {
+ certChain = header.getX5c().get();
+ } else {
+ certChain = Collections.singletonList(trustRootCertificate);
+ }
+
+ final X509Certificate leafCert = certChain.get(0);
+
+ final Signature signature;
+ switch (header.getAlg()) {
+ case "RS256":
+ signature = Signature.getInstance("SHA256withRSA");
+ break;
+
+ case "ES256":
+ signature = Signature.getInstance("SHA256withECDSA");
+ break;
+
+ default:
+ throw new UnsupportedOperationException(
+ "Unimplemented JWT verification algorithm: " + header.getAlg());
+ }
+
+ signature.initVerify(leafCert.getPublicKey());
+ signature.update(
+ (jwtHeader.getBase64Url() + "." + jwtPayload.getBase64Url())
+ .getBytes(StandardCharsets.UTF_8));
+ if (!signature.verify(jwtSignature.getBytes())) {
+ throw new FidoMetadataDownloaderException(Reason.BAD_SIGNATURE);
+ }
+
+ final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+ final CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
+ final CertPath blobCertPath = certFactory.generateCertPath(certChain);
+ final PKIXParameters pathParams =
+ new PKIXParameters(Collections.singleton(new TrustAnchor(trustRootCertificate, null)));
+ if (certStore != null) {
+ pathParams.addCertStore(certStore);
+ }
+ pathParams.setDate(Date.from(clock.instant()));
+ cpv.validate(blobCertPath, pathParams);
+
+ return new MetadataBLOB(
+ header,
+ JacksonCodecs.jsonWithDefaultEnums()
+ .readValue(jwtPayload.getBytes(), MetadataBLOBPayload.class));
+ }
+
+ private static ByteArray readAll(InputStream is) throws IOException {
+ return new ByteArray(BinaryUtil.readAll(is));
+ }
+
+ /**
+ * @return contents if its SHA-256 hash matches any element of
+ * acceptedCertSha256, otherwise null.
+ */
+ private static ByteArray verifyHash(ByteArray contents, Set acceptedCertSha256)
+ throws NoSuchAlgorithmException {
+ MessageDigest digest = MessageDigest.getInstance("SHA-256");
+ final ByteArray hash = new ByteArray(digest.digest(contents.getBytes()));
+ if (acceptedCertSha256.stream().anyMatch(acceptableHash -> acceptableHash.equals(hash))) {
+ return contents;
+ } else {
+ return null;
+ }
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloaderException.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloaderException.java
new file mode 100644
index 000000000..59f7d3711
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloaderException.java
@@ -0,0 +1,39 @@
+package com.yubico.fido.metadata;
+
+import lombok.NonNull;
+import lombok.Value;
+
+@Value
+public class FidoMetadataDownloaderException extends Exception {
+
+ public enum Reason {
+ BAD_SIGNATURE("Bad JWT signature.");
+
+ private final String message;
+
+ Reason(String message) {
+ this.message = message;
+ }
+ }
+
+ @NonNull
+ /** The reason why this exception was thrown. */
+ private final Reason reason;
+
+ /** A {@link Throwable} that caused this exception. May be null. */
+ private final Throwable cause;
+
+ FidoMetadataDownloaderException(Reason reason, Throwable cause) {
+ this.reason = reason;
+ this.cause = cause;
+ }
+
+ FidoMetadataDownloaderException(Reason reason) {
+ this(reason, null);
+ }
+
+ @Override
+ public String getMessage() {
+ return reason.message;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java
new file mode 100644
index 000000000..388c515d7
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java
@@ -0,0 +1,619 @@
+// Copyright (c) 2015-2021, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.fido.metadata;
+
+import com.yubico.fido.metadata.FidoMetadataService.Filters.AuthenticatorToBeFiltered;
+import com.yubico.internal.util.CertificateParser;
+import com.yubico.webauthn.RegistrationResult;
+import com.yubico.webauthn.RelyingParty;
+import com.yubico.webauthn.RelyingParty.RelyingPartyBuilder;
+import com.yubico.webauthn.attestation.AttestationTrustSource;
+import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.exception.Base64UrlException;
+import java.io.IOException;
+import java.security.DigestException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.function.Consumer;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+import lombok.Value;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Utility for filtering and querying Fido
+ * Metadata Service BLOB entries.
+ *
+ * This class implements {@link AttestationTrustSource}, so it can be configured as the {@link
+ * RelyingPartyBuilder#attestationTrustSource(AttestationTrustSource) attestationTrustSource}
+ * setting in {@link RelyingParty}.
+ *
+ *
The metadata service may be configured with a two stages of filters to select trusted
+ * authenticators. The first stage is the {@link FidoMetadataServiceBuilder#prefilter(Predicate)
+ * prefilter} setting, which is executed once when the {@link FidoMetadataService} instance is
+ * constructed. The second stage is the {@link FidoMetadataServiceBuilder#filter(Predicate) filter}
+ * setting, which is executed whenever metadata or trust roots are to be looked up for a given
+ * authenticator. Any metadata entry that satisfies both filters will be considered trusted.
+ *
+ *
Use the {@link #builder() builder} to configure settings, then use the {@link
+ * #findEntries(List, AAGUID)} method or its overloads to retrieve metadata entries.
+ */
+@Slf4j
+public final class FidoMetadataService implements AttestationTrustSource {
+
+ private final HashMap>
+ prefilteredEntriesByCertificateKeyIdentifier;
+ private final HashMap> prefilteredEntriesByAaguid;
+ private final HashSet prefilteredUnindexedEntries;
+
+ private final Predicate filter;
+ private final CertStore certStore;
+
+ private FidoMetadataService(
+ @NonNull MetadataBLOBPayload blob,
+ @NonNull Predicate prefilter,
+ @NonNull Predicate filter,
+ CertStore certStore) {
+ final List prefilteredEntries =
+ blob.getEntries().stream()
+ .filter(FidoMetadataService::ignoreInvalidUpdateAvailableAuthenticatorVersion)
+ .filter(prefilter)
+ .collect(Collectors.toList());
+
+ this.prefilteredEntriesByCertificateKeyIdentifier = buildCkiMap(prefilteredEntries);
+ this.prefilteredEntriesByAaguid = buildAaguidMap(prefilteredEntries);
+
+ this.prefilteredUnindexedEntries = new HashSet<>(prefilteredEntries);
+ for (HashSet byAaguid : prefilteredEntriesByAaguid.values()) {
+ prefilteredUnindexedEntries.removeAll(byAaguid);
+ }
+ for (HashSet byCski :
+ prefilteredEntriesByCertificateKeyIdentifier.values()) {
+ prefilteredUnindexedEntries.removeAll(byCski);
+ }
+
+ this.filter = filter;
+ this.certStore = certStore;
+ }
+
+ private static boolean ignoreInvalidUpdateAvailableAuthenticatorVersion(
+ MetadataBLOBPayloadEntry metadataBLOBPayloadEntry) {
+ return metadataBLOBPayloadEntry
+ .getMetadataStatement()
+ .map(MetadataStatement::getAuthenticatorVersion)
+ .map(
+ authenticatorVersion ->
+ metadataBLOBPayloadEntry.getStatusReports().stream()
+ .filter(
+ statusReport ->
+ AuthenticatorStatus.UPDATE_AVAILABLE.equals(statusReport.getStatus()))
+ .noneMatch(
+ statusReport ->
+ statusReport
+ .getAuthenticatorVersion()
+ .map(av -> av > authenticatorVersion)
+ .orElse(false)))
+ .orElse(true);
+ }
+
+ private static HashMap> buildCkiMap(
+ @NonNull List entries) {
+
+ return entries.stream()
+ .collect(
+ HashMap::new,
+ (result, metadataBLOBPayloadEntry) -> {
+ for (String acki :
+ metadataBLOBPayloadEntry.getAttestationCertificateKeyIdentifiers()) {
+ result.computeIfAbsent(acki, o -> new HashSet<>()).add(metadataBLOBPayloadEntry);
+ }
+ for (String acki :
+ metadataBLOBPayloadEntry
+ .getMetadataStatement()
+ .map(MetadataStatement::getAttestationCertificateKeyIdentifiers)
+ .orElseGet(Collections::emptySet)) {
+ result.computeIfAbsent(acki, o -> new HashSet<>()).add(metadataBLOBPayloadEntry);
+ }
+ },
+ (mapA, mapB) -> {
+ for (Map.Entry> e : mapB.entrySet()) {
+ mapA.merge(
+ e.getKey(),
+ e.getValue(),
+ (entriesA, entriesB) -> {
+ entriesA.addAll(entriesB);
+ return entriesA;
+ });
+ }
+ });
+ }
+
+ private static HashMap> buildAaguidMap(
+ @NonNull List entries) {
+
+ return entries.stream()
+ .collect(
+ HashMap::new,
+ (result, metadataBLOBPayloadEntry) -> {
+ final Consumer appendToAaguidEntry =
+ aaguid ->
+ result
+ .computeIfAbsent(aaguid, o -> new HashSet<>())
+ .add(metadataBLOBPayloadEntry);
+ metadataBLOBPayloadEntry
+ .getAaguid()
+ .filter(aaguid -> !aaguid.isZero())
+ .ifPresent(appendToAaguidEntry);
+ metadataBLOBPayloadEntry
+ .getMetadataStatement()
+ .flatMap(MetadataStatement::getAaguid)
+ .filter(aaguid -> !aaguid.isZero())
+ .ifPresent(appendToAaguidEntry);
+ },
+ (mapA, mapB) -> {
+ for (Map.Entry> e : mapB.entrySet()) {
+ mapA.merge(
+ e.getKey(),
+ e.getValue(),
+ (entriesA, entriesB) -> {
+ entriesA.addAll(entriesB);
+ return entriesA;
+ });
+ }
+ });
+ }
+
+ public static FidoMetadataServiceBuilder.Step1 builder() {
+ return new FidoMetadataServiceBuilder.Step1();
+ }
+
+ @RequiredArgsConstructor(access = AccessLevel.PRIVATE)
+ public static class FidoMetadataServiceBuilder {
+ @NonNull private final MetadataBLOBPayload blob;
+
+ private Predicate prefilter = Filters.notRevoked();
+ private Predicate filter = Filters.noAttestationKeyCompromise();
+ private CertStore certStore = null;
+
+ public static class Step1 {
+ /**
+ * Use payload of the given blob as the data source.
+ *
+ * The {@link FidoMetadataDownloader#loadCachedBlob()} method returns a value suitable for
+ * use here.
+ *
+ *
This is an alias of useBlob(blob.getPayload().
+ *
+ * @see FidoMetadataDownloader#loadCachedBlob()
+ * @see #useBlob(MetadataBLOBPayload)
+ */
+ public FidoMetadataServiceBuilder useBlob(@NonNull MetadataBLOB blob) {
+ return useBlob(blob.getPayload());
+ }
+
+ /**
+ * Use the given blobPayload as the data source.
+ *
+ *
The {@link FidoMetadataDownloader#loadCachedBlob()} method returns a value whose {@link
+ * MetadataBLOB#getPayload() .getPayload()} result is suitable for use here.
+ *
+ * @see FidoMetadataDownloader#loadCachedBlob()
+ * @see #useBlob(MetadataBLOB)
+ */
+ public FidoMetadataServiceBuilder useBlob(@NonNull MetadataBLOBPayload blobPayload) {
+ return new FidoMetadataServiceBuilder(blobPayload);
+ }
+ }
+
+ /**
+ * Set a first-stage filter for which metadata entries to include in the data source.
+ *
+ *
This prefilter is executed once for each metadata entry during initial construction of a
+ * {@link FidoMetadataService} instance.
+ *
+ *
The default is {@link Filters#notRevoked() Filters.notRevoked()}. Setting a different
+ * filter overrides this default; to preserve the "not revoked" condition in addition to the new
+ * filter, you must explicitly include the condition in the few filter. For example, by using
+ * {@link Filters#allOf(Predicate[]) Filters.allOf(Predicate...)}.
+ *
+ * @param prefilter a {@link Predicate} which returns true for metadata entries to
+ * include in the data source.
+ * @see #filter
+ * @see Filters#allOf(Predicate[])
+ */
+ public FidoMetadataServiceBuilder prefilter(
+ @NonNull Predicate prefilter) {
+ this.prefilter = prefilter;
+ return this;
+ }
+
+ /**
+ * Set a filter for which metadata entries to allow for a given authenticator during credential
+ * registration and metadata lookup.
+ *
+ * This filter is executed during each execution of {@link #findEntries(List, AAGUID)}, its
+ * overloads, and {@link #findTrustRoots(List, Optional)}.
+ *
+ *
The default is {@link Filters#noAttestationKeyCompromise()
+ * Filters.noAttestationKeyCompromise()}. Setting a different filter overrides this default; to
+ * preserve this condition in addition to the new filter, you must explicitly include the
+ * condition in the few filter. For example, by using {@link Filters#allOf(Predicate[])
+ * Filters.allOf(Predicate...)}.
+ *
+ *
Note: Returning true in the filter predicate does not automatically make the
+ * authenticator trusted, as its attestation certificate must also correctly chain to a trusted
+ * attestation root. Rather, returning true in the filter predicate allows the
+ * corresponding metadata entry to be used for further trust assessment for that authenticator,
+ * while returning false eliminates the metadata entry (and thus any associated
+ * trust roots) for the ongoing query.
+ *
+ * @param filter a {@link Predicate} which returns true for metadata entries to
+ * allow for the corresponding authenticator during credential registration and metadata
+ * lookup.
+ * @see #prefilter(Predicate)
+ * @see AuthenticatorToBeFiltered
+ * @see Filters#allOf(Predicate[])
+ */
+ public FidoMetadataServiceBuilder filter(
+ @NonNull Predicate filter) {
+ this.filter = filter;
+ return this;
+ }
+
+ /**
+ * Set a {@link CertStore} of additional CRLs and/or intermediate certificates to use while
+ * validating attestation certificate paths.
+ *
+ * This setting is most likely useful for tests.
+ *
+ * @param certStore a {@link CertStore} of additional CRLs and/or intermediate certificates to
+ * use while validating attestation certificate paths.
+ */
+ public FidoMetadataServiceBuilder certStore(@NonNull CertStore certStore) {
+ this.certStore = certStore;
+ return this;
+ }
+
+ public FidoMetadataService build()
+ throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException,
+ DigestException, FidoMetadataDownloaderException, CertificateException,
+ UnexpectedLegalHeader, IOException, NoSuchAlgorithmException, SignatureException,
+ InvalidKeyException {
+ return new FidoMetadataService(blob, prefilter, filter, certStore);
+ }
+ }
+
+ /**
+ * Preconfigured filters and utilities for combining filters. See the {@link
+ * FidoMetadataServiceBuilder#prefilter(Predicate) filter} setting.
+ *
+ * @see FidoMetadataServiceBuilder#prefilter(Predicate)
+ */
+ public static class Filters {
+
+ /**
+ * Combine a set of filters into a filter that requires inputs to satisfy ALL of those filters.
+ *
+ *
If filters is empty, then all inputs will satisfy the resulting filter.
+ *
+ * @param filters A set of filters.
+ * @return A filter which only accepts inputs that satisfy ALL of the given
+ * filters.
+ */
+ public static Predicate allOf(Predicate... filters) {
+ return (entry) -> Stream.of(filters).allMatch(filter -> filter.test(entry));
+ }
+
+ /**
+ * Include any metadata entry whose {@link MetadataBLOBPayloadEntry#getStatusReports()
+ * statusReports} array contains no entry with {@link AuthenticatorStatus#REVOKED REVOKED}
+ * status.
+ *
+ * @see AuthenticatorStatus#REVOKED
+ */
+ public static Predicate notRevoked() {
+ return (entry) ->
+ entry.getStatusReports().stream()
+ .noneMatch(
+ statusReport -> AuthenticatorStatus.REVOKED.equals(statusReport.getStatus()));
+ }
+
+ /**
+ * Accept any authenticator whose matched metadata entry does NOT indicate a compromised
+ * attestation key.
+ *
+ * A metadata entry indicates a compromised attestation key if any of its {@link
+ * MetadataBLOBPayloadEntry#getStatusReports() statusReports} entries has {@link
+ * AuthenticatorStatus#ATTESTATION_KEY_COMPROMISE ATTESTATION_KEY_COMPROMISE} status and either
+ * an empty {@link StatusReport#getCertificate() certificate} field or a {@link
+ * StatusReport#getCertificate() certificate} whose public key appears in the authenticator's
+ * {@link AuthenticatorToBeFiltered#getAttestationCertificateChain() attestation certificate
+ * chain}.
+ *
+ * @see AuthenticatorStatus#ATTESTATION_KEY_COMPROMISE
+ */
+ public static Predicate noAttestationKeyCompromise() {
+ return (params) ->
+ params.getMetadataEntry().getStatusReports().stream()
+ .filter(
+ statusReport ->
+ AuthenticatorStatus.ATTESTATION_KEY_COMPROMISE.equals(
+ statusReport.getStatus()))
+ .noneMatch(
+ statusReport ->
+ !statusReport.getCertificate().isPresent()
+ || (params.getAttestationCertificateChain().stream()
+ .anyMatch(
+ cert ->
+ Arrays.equals(
+ statusReport
+ .getCertificate()
+ .get()
+ .getPublicKey()
+ .getEncoded(),
+ cert.getPublicKey().getEncoded()))));
+ }
+
+ /**
+ * This class encapsulates parameters for filtering authenticators in the {@link
+ * FidoMetadataServiceBuilder#filter(Predicate) filter} setting of {@link FidoMetadataService}.
+ */
+ @Value
+ @AllArgsConstructor(access = AccessLevel.PRIVATE)
+ public static class AuthenticatorToBeFiltered {
+
+ /**
+ * The attestation certificate chain from the attestation
+ * statement from an authenticator about ot be registered.
+ */
+ @NonNull List attestationCertificateChain;
+
+ /**
+ * A metadata BLOB entry that matches the {@link #getAttestationCertificateChain()} and {@link
+ * #getAaguid()} in this same {@link AuthenticatorToBeFiltered} object.
+ */
+ @NonNull MetadataBLOBPayloadEntry metadataEntry;
+
+ AAGUID aaguid;
+
+ /**
+ * The AAGUID from the attested
+ * credential data of a credential about ot be registered.
+ */
+ public Optional getAaguid() {
+ return Optional.ofNullable(aaguid);
+ }
+ }
+ }
+
+ /**
+ * Look up metadata entries matching a given attestation certificate chain or AAGUID.
+ *
+ * @param attestationCertificateChain an attestation certificate chain, presumably from a WebAuthn
+ * attestation statement.
+ * @param aaguid the AAGUID of the authenticator to look up, if available.
+ * @return All metadata entries which satisfy ALL of the following:
+ *
+ * - It satisfies the {@link FidoMetadataServiceBuilder#prefilter(Predicate) prefilter}.
+ *
- It satisfies AT LEAST ONE of the following:
+ *
+ * aaguid is present and equals the {@link
+ * MetadataBLOBPayloadEntry#getAaguid() AAGUID} of the metadata entry.
+ * aaguid is present and equals the {@link
+ * MetadataBLOBPayloadEntry#getAaguid() AAGUID} of the {@link
+ * MetadataBLOBPayloadEntry#getMetadataStatement() metadata statement}, if any, in
+ * the metadata entry.
+ * - The certificate subject key identifier of any certificate in
+ * attestationCertificateChain matches any element of {@link
+ * MetadataBLOBPayloadEntry#getAttestationCertificateKeyIdentifiers()
+ * attestationCertificateKeyIdentifiers} in the metadata entry.
+ * - The certificate subject key identifier of any certificate in
+ * attestationCertificateChain matches any element of {@link
+ * MetadataStatement#getAttestationCertificateKeyIdentifiers()
+ * attestationCertificateKeyIdentifiers} in the {@link
+ * MetadataBLOBPayloadEntry#getMetadataStatement() metadata statement}, if any, in
+ * the metadata entry.
+ *
+ * - It satisfies the {@link FidoMetadataServiceBuilder#filter(Predicate) filter} together
+ * with
attestationCertificateChain and aaguid.
+ *
+ *
+ * @see #findEntries(List)
+ * @see #findEntries(List, AAGUID)
+ */
+ public Set findEntries(
+ @NonNull List attestationCertificateChain,
+ @NonNull Optional aaguid) {
+
+ final Set certSubjectKeyIdentifiers =
+ attestationCertificateChain.stream()
+ .map(
+ cert -> {
+ try {
+ return new ByteArray(CertificateParser.computeSubjectKeyIdentifier(cert))
+ .getHex();
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(
+ "SHA-1 hash algorithm is not available in JCA context.", e);
+ }
+ })
+ .collect(Collectors.toSet());
+
+ final Optional nonzeroAaguid = aaguid.filter(a -> !a.isZero());
+
+ log.debug(
+ "findEntries(certSubjectKeyIdentifiers = {}, aaguid = {})",
+ certSubjectKeyIdentifiers,
+ aaguid);
+
+ if (!nonzeroAaguid.isPresent()) {
+ log.debug("findEntries: ignoring zero AAGUID");
+ }
+
+ final Set result =
+ Stream.concat(
+ nonzeroAaguid
+ .map(prefilteredEntriesByAaguid::get)
+ .map(Collection::stream)
+ .orElseGet(Stream::empty),
+ certSubjectKeyIdentifiers.stream()
+ .flatMap(
+ cski ->
+ Optional.ofNullable(
+ prefilteredEntriesByCertificateKeyIdentifier.get(cski))
+ .map(Collection::stream)
+ .orElseGet(Stream::empty)))
+ .filter(
+ metadataBLOBPayloadEntry ->
+ this.filter.test(
+ new AuthenticatorToBeFiltered(
+ attestationCertificateChain,
+ metadataBLOBPayloadEntry,
+ aaguid.orElse(null))))
+ .collect(Collectors.toSet());
+
+ log.debug(
+ "findEntries(certSubjectKeyIdentifiers = {}, aaguid = {}) => {} matches",
+ certSubjectKeyIdentifiers,
+ aaguid,
+ result.size());
+ return result;
+ }
+
+ /**
+ * Alias of findEntries(attestationCertificateChain, Optional.empty()).
+ *
+ * @see #findEntries(List, Optional)
+ */
+ public Set findEntries(
+ @NonNull List attestationCertificateChain) {
+ return findEntries(attestationCertificateChain, Optional.empty());
+ }
+
+ /**
+ * Alias of findEntries(attestationCertificateChain, Optional.of(aaguid)).
+ *
+ * @see #findEntries(List, Optional)
+ */
+ public Set findEntries(
+ @NonNull List attestationCertificateChain, @NonNull AAGUID aaguid) {
+ return findEntries(attestationCertificateChain, Optional.of(aaguid));
+ }
+
+ /**
+ * Find metadata entries matching the credential represented by registrationResult.
+ *
+ * This is an alias of:
+ *
+ *
+ * registrationResult.getAttestationTrustPath()
+ * .map(atp -> this.findEntries(atp, new AAGUID(registrationResult.getAaguid())))
+ * .orElseGet(Collections::emptySet)
+ *
+ *
+ * @see #findEntries(List, Optional)
+ */
+ public Set findEntries(@NonNull RegistrationResult registrationResult) {
+ return registrationResult
+ .getAttestationTrustPath()
+ .map(atp -> findEntries(atp, new AAGUID(registrationResult.getAaguid())))
+ .orElseGet(Collections::emptySet);
+ }
+
+ /**
+ * Find metadata entries matching the given AAGUID.
+ *
+ * @see #findEntries(List, Optional)
+ */
+ public Set findEntries(@NonNull AAGUID aaguid) {
+ return findEntries(Collections.emptyList(), aaguid);
+ }
+
+ /**
+ * Retrieve metadata entries matching the given filter.
+ *
+ * Note: The result MAY include fewer results than the number of times the filter
+ * returned true, because of possible duplication in the underlying data store.
+ *
+ * @param filter a {@link Predicate} which returns true for metadata entries to
+ * include in the result.
+ * @return All metadata entries which which satisfy the {@link
+ * FidoMetadataServiceBuilder#prefilter(Predicate) prefilter} AND for which the filter
+ * returns true.
+ * @see #findEntries(List, Optional)
+ */
+ public Set findEntries(
+ @NonNull Predicate filter) {
+ return Stream.concat(
+ Stream.concat(
+ prefilteredEntriesByAaguid.values().stream().flatMap(Collection::stream),
+ prefilteredEntriesByCertificateKeyIdentifier.values().stream()
+ .flatMap(Collection::stream)),
+ prefilteredUnindexedEntries.stream())
+ .filter(filter)
+ .collect(Collectors.toSet());
+ }
+
+ @Override
+ public TrustRootsResult findTrustRoots(
+ List attestationCertificateChain, Optional aaguid) {
+ return TrustRootsResult.builder()
+ .trustRoots(
+ findEntries(attestationCertificateChain, aaguid.map(AAGUID::new)).stream()
+ .map(MetadataBLOBPayloadEntry::getMetadataStatement)
+ .filter(Optional::isPresent)
+ .map(Optional::get)
+ .flatMap(
+ metadataStatement ->
+ metadataStatement.getAttestationRootCertificates().stream())
+ .collect(Collectors.toSet()))
+ .certStore(certStore)
+ .enableRevocationChecking(false)
+ .build();
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/JacksonCodecs.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/JacksonCodecs.java
new file mode 100644
index 000000000..2d16b1820
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/JacksonCodecs.java
@@ -0,0 +1,12 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+class JacksonCodecs {
+
+ static ObjectMapper jsonWithDefaultEnums() {
+ return com.yubico.internal.util.JacksonCodecs.json()
+ .configure(DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE, true);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOB.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOB.java
new file mode 100644
index 000000000..93e457b98
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOB.java
@@ -0,0 +1,37 @@
+package com.yubico.fido.metadata;
+
+import lombok.Value;
+
+/**
+ * The header and payload of a FIDO Metadata Service BLOB.
+ *
+ * This does not include the JWT signature.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.7. Metadata BLOB
+ */
+@Value
+public class MetadataBLOB {
+
+ /**
+ * The JWT header of the FIDO Metadata Service BLOB.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.7. Metadata BLOB
+ */
+ MetadataBLOBHeader header;
+
+ /**
+ * The payload of the Metadata Service BLOB.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.7. Metadata BLOB
+ * @see FIDO
+ * Metadata Service §3.1.6. Metadata BLOB Payload dictionary
+ */
+ MetadataBLOBPayload payload;
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBHeader.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBHeader.java
new file mode 100644
index 000000000..116095dc7
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBHeader.java
@@ -0,0 +1,92 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import java.net.URL;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * The metadata BLOB is a JSON Web Token (see [JWT]
+ * and [JWS]).
+ *
+ *
This type represents the contents of the JWT header.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.7. Metadata BLOB
+ * @see RFC 7519: JSON Web Token (JWT)
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class MetadataBLOBHeader {
+
+ /**
+ * @see RFC 7519 §5.1. "typ"
+ * (Type) Header Parameter
+ */
+ String typ;
+
+ /**
+ * @see RFC 7515 §4.1.1.
+ * "alg" (Algorithm) Header Parameter
+ */
+ @NonNull String alg;
+
+ /**
+ * @see RFC 7515 §4.1.5.
+ * "x5u" (X.509 URL) Header Parameter
+ */
+ URL x5u;
+
+ /**
+ * @see RFC 7515 §4.1.6.
+ * "x5c" (X.509 Certificate Chain) Header Parameter
+ */
+ @JsonDeserialize(contentConverter = CertFromBase64Converter.class)
+ @JsonSerialize(contentConverter = CertToBase64Converter.class)
+ List x5c;
+
+ private MetadataBLOBHeader(String typ, @NonNull String alg, URL x5u, List x5c) {
+ this.typ = typ;
+ this.alg = alg;
+ this.x5u = x5u;
+ this.x5c = x5c;
+
+ if (typ != null && !typ.equals("JWT")) {
+ throw new IllegalArgumentException("Unsupported JWT type: " + typ);
+ }
+ }
+
+ /**
+ * @see RFC 7519 §5.1. "typ"
+ * (Type) Header Parameter
+ */
+ public Optional getTyp() {
+ return Optional.ofNullable(typ);
+ }
+
+ /**
+ * @see RFC 7515 §4.1.5.
+ * "x5u" (X.509 URL) Header Parameter
+ */
+ public Optional getX5u() {
+ return Optional.ofNullable(x5u);
+ }
+
+ /**
+ * @see RFC 7515 §4.1.6.
+ * "x5c" (X.509 Certificate Chain) Header Parameter
+ */
+ public Optional> getX5c() {
+ return Optional.ofNullable(x5c);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBPayload.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBPayload.java
new file mode 100644
index 000000000..605e4964a
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBPayload.java
@@ -0,0 +1,68 @@
+package com.yubico.fido.metadata;
+
+import java.time.LocalDate;
+import java.util.Set;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * The metadata BLOB is a JSON Web Token (see [JWT]
+ * and [JWS]).
+ *
+ * This type represents the contents of the JWT payload.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.7. Metadata BLOB
+ * @see FIDO
+ * Metadata Service §3.1.6. Metadata BLOB Payload dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class MetadataBLOBPayload {
+
+ /**
+ * The legalHeader, which MUST be in each BLOB, is an indication of the acceptance of the relevant
+ * legal agreement for using the MDS.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.6. Metadata BLOB Payload dictionary
+ */
+ String legalHeader;
+
+ /**
+ * The serial number of this Metadata BLOB Payload. Serial numbers MUST be consecutive and
+ * strictly monotonic, i.e. the successor BLOB will have a no value exactly
+ * incremented by one.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.6. Metadata BLOB Payload dictionary
+ */
+ int no;
+
+ /**
+ * ISO-8601 formatted date when the next update will be provided at latest.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.6. Metadata BLOB Payload dictionary
+ */
+ @NonNull LocalDate nextUpdate;
+
+ /**
+ * Zero or more {@link MetadataBLOBPayloadEntry} objects.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.6. Metadata BLOB Payload dictionary
+ */
+ @NonNull Set entries;
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBPayloadEntry.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBPayloadEntry.java
new file mode 100644
index 000000000..56d4346b7
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataBLOBPayloadEntry.java
@@ -0,0 +1,172 @@
+package com.yubico.fido.metadata;
+
+import com.yubico.internal.util.CollectionUtil;
+import com.yubico.webauthn.data.ByteArray;
+import java.net.URL;
+import java.time.LocalDate;
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * An element of {@link MetadataBLOBPayload#getEntries() entries} in a {@link MetadataBLOBPayload}.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class MetadataBLOBPayloadEntry {
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ AAID aaid;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ AAGUID aaguid;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ Set attestationCertificateKeyIdentifiers;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ MetadataStatement metadataStatement;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ List biometricStatusReports;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ @NonNull List statusReports;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ @NonNull LocalDate timeOfLastStatusChange;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ URL rogueListURL;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ ByteArray rogueListHash;
+
+ private MetadataBLOBPayloadEntry(
+ AAID aaid,
+ AAGUID aaguid,
+ Set attestationCertificateKeyIdentifiers,
+ MetadataStatement metadataStatement,
+ List biometricStatusReports,
+ @NonNull List statusReports,
+ @NonNull LocalDate timeOfLastStatusChange,
+ URL rogueListURL,
+ ByteArray rogueListHash) {
+ this.aaid = aaid;
+ this.aaguid = aaguid;
+ this.attestationCertificateKeyIdentifiers =
+ CollectionUtil.immutableSetOrEmpty(attestationCertificateKeyIdentifiers);
+ this.metadataStatement = metadataStatement;
+ this.biometricStatusReports = CollectionUtil.immutableListOrEmpty(biometricStatusReports);
+ this.statusReports =
+ Collections.unmodifiableList(
+ statusReports.stream()
+ .filter(
+ statusReport -> !statusReport.getStatus().equals(AuthenticatorStatus.UNKNOWN))
+ .collect(Collectors.toList()));
+ this.timeOfLastStatusChange = timeOfLastStatusChange;
+ this.rogueListURL = rogueListURL;
+ this.rogueListHash = rogueListHash;
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ public Optional getAaid() {
+ return Optional.ofNullable(this.aaid);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ public Optional getAaguid() {
+ return Optional.ofNullable(this.aaguid);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ public Optional getMetadataStatement() {
+ return Optional.ofNullable(this.metadataStatement);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ public Optional getTimeOfLastStatusChange() {
+ return Optional.of(this.timeOfLastStatusChange);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ public Optional getRogueListURL() {
+ return Optional.ofNullable(this.rogueListURL);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.1. Metadata BLOB Payload Entry dictionary
+ */
+ public Optional getRogueListHash() {
+ return Optional.ofNullable(this.rogueListHash);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataStatement.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataStatement.java
new file mode 100644
index 000000000..51910fe5c
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/MetadataStatement.java
@@ -0,0 +1,410 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.yubico.internal.util.CollectionUtil;
+import com.yubico.webauthn.extension.uvm.KeyProtectionType;
+import com.yubico.webauthn.extension.uvm.MatcherProtectionType;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import lombok.Builder;
+import lombok.NonNull;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * Relying Parties can learn a subset of verifiable information for authenticators certified by the
+ * FIDO Alliance with an Authenticator Metadata statement. The Metadata statement can be acquired
+ * from the Metadata BLOB that is hosted on the Metadata Service [FIDOMetadataService].
+ *
+ * This class does not include the field ecdaaTrustAnchors since ECDAA is deprecated
+ * in WebAuthn Level 2.
+ *
+ * @see FIDO
+ * Metadata Statement
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class MetadataStatement {
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ String legalHeader;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ AAID aaid;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ AAGUID aaguid;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ Set attestationCertificateKeyIdentifiers;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ String description;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ AlternativeDescriptions alternativeDescriptions;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ long authenticatorVersion;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull ProtocolFamily protocolFamily;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ int schema;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull Set upv;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull Set authenticationAlgorithms;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull Set publicKeyAlgAndEncodings;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull Set attestationTypes;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull Set> userVerificationDetails;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull Set keyProtection;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ Boolean isKeyRestricted;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ Boolean isFreshUserVerificationRequired;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull Set matcherProtection;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ Integer cryptoStrength;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ Set attachmentHint;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull Set tcDisplay;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ String tcDisplayContentType;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ List tcDisplayPNGCharacteristics;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ @NonNull
+ @JsonDeserialize(contentConverter = CertFromBase64Converter.class)
+ @JsonSerialize(contentConverter = CertToBase64Converter.class)
+ Set attestationRootCertificates;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ String icon;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ Set supportedExtensions;
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ AuthenticatorGetInfo authenticatorGetInfo;
+
+ public MetadataStatement(
+ String legalHeader,
+ AAID aaid,
+ AAGUID aaguid,
+ Set attestationCertificateKeyIdentifiers,
+ String description,
+ AlternativeDescriptions alternativeDescriptions,
+ long authenticatorVersion,
+ @NonNull ProtocolFamily protocolFamily,
+ int schema,
+ @NonNull Set upv,
+ @NonNull Set authenticationAlgorithms,
+ @NonNull Set publicKeyAlgAndEncodings,
+ @NonNull Set attestationTypes,
+ @NonNull Set> userVerificationDetails,
+ @NonNull Set keyProtection,
+ Boolean isKeyRestricted,
+ Boolean isFreshUserVerificationRequired,
+ @NonNull Set matcherProtection,
+ Integer cryptoStrength,
+ Set attachmentHint,
+ @NonNull Set tcDisplay,
+ String tcDisplayContentType,
+ List tcDisplayPNGCharacteristics,
+ @NonNull Set attestationRootCertificates,
+ String icon,
+ Set supportedExtensions,
+ AuthenticatorGetInfo authenticatorGetInfo) {
+ this.legalHeader = legalHeader;
+ this.aaid = aaid;
+ this.aaguid = aaguid;
+ this.attestationCertificateKeyIdentifiers =
+ CollectionUtil.immutableSetOrEmpty(attestationCertificateKeyIdentifiers);
+ this.description = description;
+ this.alternativeDescriptions = alternativeDescriptions;
+ this.authenticatorVersion = authenticatorVersion;
+ this.protocolFamily = protocolFamily;
+ this.schema = schema;
+ this.upv = upv;
+ this.authenticationAlgorithms = authenticationAlgorithms;
+ this.publicKeyAlgAndEncodings = publicKeyAlgAndEncodings;
+ this.attestationTypes = attestationTypes;
+ this.userVerificationDetails = userVerificationDetails;
+ this.keyProtection = keyProtection;
+ this.isKeyRestricted = isKeyRestricted;
+ this.isFreshUserVerificationRequired = isFreshUserVerificationRequired;
+ this.matcherProtection = matcherProtection;
+ this.cryptoStrength = cryptoStrength;
+ this.attachmentHint = attachmentHint;
+ this.tcDisplay = tcDisplay;
+ this.tcDisplayContentType = tcDisplayContentType;
+ this.tcDisplayPNGCharacteristics = tcDisplayPNGCharacteristics;
+ this.attestationRootCertificates = attestationRootCertificates;
+ this.icon = icon;
+ this.supportedExtensions = supportedExtensions;
+ this.authenticatorGetInfo = authenticatorGetInfo;
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getLegalHeader() {
+ return Optional.ofNullable(this.legalHeader);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getAaid() {
+ return Optional.ofNullable(this.aaid);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getAaguid() {
+ return Optional.ofNullable(this.aaguid);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getDescription() {
+ return Optional.ofNullable(this.description);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getAlternativeDescriptions() {
+ return Optional.ofNullable(this.alternativeDescriptions);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getIsKeyRestricted() {
+ return Optional.ofNullable(this.isKeyRestricted);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getIsFreshUserVerificationRequired() {
+ return Optional.ofNullable(this.isFreshUserVerificationRequired);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getCryptoStrength() {
+ return Optional.ofNullable(this.cryptoStrength);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional> getAttachmentHint() {
+ return Optional.ofNullable(this.attachmentHint);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getTcDisplayContentType() {
+ return Optional.ofNullable(this.tcDisplayContentType);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional> getTcDisplayPNGCharacteristics() {
+ return Optional.ofNullable(this.tcDisplayPNGCharacteristics);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getIcon() {
+ return Optional.ofNullable(this.icon);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional> getSupportedExtensions() {
+ return Optional.ofNullable(this.supportedExtensions);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement
+ */
+ public Optional getAuthenticatorGetInfo() {
+ return Optional.ofNullable(this.authenticatorGetInfo);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/PatternAccuracyDescriptor.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/PatternAccuracyDescriptor.java
new file mode 100644
index 000000000..3b094c514
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/PatternAccuracyDescriptor.java
@@ -0,0 +1,59 @@
+package com.yubico.fido.metadata;
+
+import java.util.Optional;
+import lombok.Builder;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * The {@link PatternAccuracyDescriptor} describes relevant accuracy/complexity aspects in the case
+ * that a pattern is used as the user verification method.
+ *
+ * @see FIDO
+ * Metadata Statement §3.4. PatternAccuracyDescriptor dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class PatternAccuracyDescriptor {
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.4. PatternAccuracyDescriptor dictionary
+ */
+ long minComplexity;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.4. PatternAccuracyDescriptor dictionary
+ */
+ Integer maxRetries;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.4. PatternAccuracyDescriptor dictionary
+ */
+ Integer blockSlowdown;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.4. PatternAccuracyDescriptor dictionary
+ */
+ public Optional getMaxRetries() {
+ return Optional.ofNullable(maxRetries);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.4. PatternAccuracyDescriptor dictionary
+ */
+ public Optional getBlockSlowdown() {
+ return Optional.ofNullable(blockSlowdown);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/ProtocolFamily.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/ProtocolFamily.java
new file mode 100644
index 000000000..a41a4b104
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/ProtocolFamily.java
@@ -0,0 +1,40 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * Enumeration of valid values for {@link MetadataStatement#getProtocolFamily()}.
+ *
+ * @see FIDO
+ * Metadata Statement §4. Metadata Keys
+ */
+public enum ProtocolFamily {
+
+ /**
+ * @see FIDO
+ * Metadata Statement §4. Metadata Keys
+ */
+ UAF("uaf"),
+
+ /**
+ * @see FIDO
+ * Metadata Statement §4. Metadata Keys
+ */
+ U2F("u2f"),
+
+ /**
+ * @see FIDO
+ * Metadata Statement §4. Metadata Keys
+ */
+ FIDO2("fido2");
+
+ @JsonValue private final String value;
+
+ ProtocolFamily(String value) {
+ this.value = value;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/PublicKeyRepresentationFormat.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/PublicKeyRepresentationFormat.java
new file mode 100644
index 000000000..6e0bd2ee3
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/PublicKeyRepresentationFormat.java
@@ -0,0 +1,61 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * The ALG_KEY constants are 16 bit long integers indicating the specific Public Key algorithm and
+ * encoding.
+ *
+ * Each constant has a case-sensitive string representation (in quotes), which is used in the
+ * authoritative metadata for FIDO authenticators.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.6.2 Public Key Representation Formats
+ */
+public enum PublicKeyRepresentationFormat {
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.2 Public Key Representation Formats
+ */
+ ALG_KEY_ECC_X962_RAW(0x0100, "ecc_x962_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.2 Public Key Representation Formats
+ */
+ ALG_KEY_ECC_X962_DER(0x0101, "ecc_x962_der"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.2 Public Key Representation Formats
+ */
+ ALG_KEY_RSA_2048_RAW(0x0102, "rsa_2048_raw"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.2 Public Key Representation Formats
+ */
+ ALG_KEY_RSA_2048_DER(0x0103, "rsa_2048_der"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.6.2 Public Key Representation Formats
+ */
+ ALG_KEY_COSE(0x0104, "cose");
+
+ private final int value;
+
+ @JsonValue private final String name;
+
+ PublicKeyRepresentationFormat(int value, String name) {
+ this.value = value;
+ this.name = name;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/RgbPaletteEntry.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/RgbPaletteEntry.java
new file mode 100644
index 000000000..e5f5cbeb5
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/RgbPaletteEntry.java
@@ -0,0 +1,28 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Value;
+
+/**
+ * The rgbPaletteEntry is an RGB three-sample tuple palette entry.
+ *
+ *
FIDO
+ * Metadata Statement §3.7. rgbPaletteEntry dictionary
+ */
+@Value
+public class RgbPaletteEntry {
+
+ int r;
+ int g;
+ int b;
+
+ @JsonCreator
+ public RgbPaletteEntry(
+ @JsonProperty("r") int r, @JsonProperty("g") int g, @JsonProperty("b") int b) {
+ this.r = r;
+ this.g = g;
+ this.b = b;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/StatusReport.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/StatusReport.java
new file mode 100644
index 000000000..c0d852eb5
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/StatusReport.java
@@ -0,0 +1,189 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.cert.X509Certificate;
+import java.time.LocalDate;
+import java.util.Optional;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NonNull;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * Contains an {@link AuthenticatorStatus} and additional data associated with it, if any.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+@Value
+@Builder
+@Jacksonized
+@AllArgsConstructor(access = AccessLevel.PRIVATE)
+public class StatusReport {
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ @NonNull AuthenticatorStatus status;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ LocalDate effectiveDate;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ Long authenticatorVersion;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ @JsonDeserialize(converter = CertFromBase64Converter.class)
+ @JsonSerialize(converter = CertToBase64Converter.class)
+ X509Certificate certificate;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ @JsonProperty("url")
+ @Getter(AccessLevel.NONE)
+ String url;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ String certificationDescriptor;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ String certificateNumber;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ String certificationPolicyVersion;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ String certificationRequirementsVersion;
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ public Optional getEffectiveDate() {
+ return Optional.ofNullable(effectiveDate);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ public Optional getAuthenticatorVersion() {
+ return Optional.ofNullable(authenticatorVersion);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ @JsonIgnore
+ public Optional getCertificate() {
+ return Optional.ofNullable(this.certificate);
+ }
+
+ /**
+ * Attempt to parse the {@link #getUrlAsString() url} property, if any, as a {@link URL}.
+ *
+ * @return A present value if and only if {@link #getUrlAsString()} is present and a valid URL.
+ */
+ public Optional getUrl() {
+ try {
+ return Optional.of(new URL(url));
+ } catch (MalformedURLException e) {
+ return Optional.empty();
+ }
+ }
+
+ /**
+ * Get the raw url property of this {@link StatusReport} object. This may or may not
+ * be a valid URL.
+ *
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ @JsonIgnore
+ public Optional getUrlAsString() {
+ return Optional.ofNullable(this.url);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ public Optional getCertificationDescriptor() {
+ return Optional.ofNullable(this.certificationDescriptor);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ public Optional getCertificateNumber() {
+ return Optional.ofNullable(this.certificateNumber);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ public Optional getCertificationPolicyVersion() {
+ return Optional.ofNullable(this.certificationPolicyVersion);
+ }
+
+ /**
+ * @see FIDO
+ * Metadata Service §3.1.3. StatusReport dictionary
+ */
+ public Optional getCertificationRequirementsVersion() {
+ return Optional.ofNullable(this.certificationRequirementsVersion);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/SupportedCtapOptions.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/SupportedCtapOptions.java
new file mode 100644
index 000000000..cda8898e9
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/SupportedCtapOptions.java
@@ -0,0 +1,160 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonAlias;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * A fixed-keys map of CTAP2 option names to Boolean values representing whether an authenticator
+ * supports the respective option.
+ *
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+@Value
+@Builder
+@Jacksonized
+@AllArgsConstructor(access = AccessLevel.PRIVATE)
+public class SupportedCtapOptions {
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean plat = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean rk = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean clientPin = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean up = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean uv = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @JsonAlias("uvToken")
+ @Builder.Default
+ boolean pinUvAuthToken = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean noMcGaPermissionsWithClientPin = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean largeBlobs = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean ep = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean bioEnroll = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean userVerificationMgmtPreview = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean uvBioEnroll = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @JsonAlias("config")
+ @Builder.Default
+ boolean authnrCfg = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean uvAcfg = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean credMgmt = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean credentialMgmtPreview = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean setMinPINLength = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean makeCredUvNotRqd = false;
+
+ /**
+ * @see Client
+ * to Authenticator Protocol (CTAP) §6.4. authenticatorGetInfo (0x04)
+ */
+ @Builder.Default boolean alwaysUv = false;
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/TransactionConfirmationDisplayType.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/TransactionConfirmationDisplayType.java
new file mode 100644
index 000000000..e62a5fe44
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/TransactionConfirmationDisplayType.java
@@ -0,0 +1,64 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * The TRANSACTION_CONFIRMATION_DISPLAY constants are flags in a bit field represented as a 16 bit
+ * long integer. They describe the availability and implementation of a transaction confirmation
+ * display capability required for the transaction confirmation operation. These constants are
+ * reported and queried through the UAF Discovery APIs and used to form authenticator policies in
+ * UAF protocol messages. Each constant has a case-sensitive string representation (in quotes),
+ * which is used in the authoritative metadata for FIDO authenticators. Refer to [UAFAuthnrCommands]
+ * for more details on the security aspects of TransactionConfirmation Display.
+ *
+ * @see FIDO
+ * Registry of Predefined Values §3.5 Transaction Confirmation Display Types
+ */
+public enum TransactionConfirmationDisplayType {
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.5 Transaction Confirmation Display Types
+ */
+ TRANSACTION_CONFIRMATION_DISPLAY_ANY(0x0001, "any"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.5 Transaction Confirmation Display Types
+ */
+ TRANSACTION_CONFIRMATION_DISPLAY_PRIVILEGED_SOFTWARE(0x0002, "privileged_software"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.5 Transaction Confirmation Display Types
+ */
+ TRANSACTION_CONFIRMATION_DISPLAY_TEE(0x0004, "tee"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.5 Transaction Confirmation Display Types
+ */
+ TRANSACTION_CONFIRMATION_DISPLAY_HARDWARE(0x0008, "hardware"),
+
+ /**
+ * @see FIDO
+ * Registry of Predefined Values §3.5 Transaction Confirmation Display Types
+ */
+ TRANSACTION_CONFIRMATION_DISPLAY_REMOTE(0x0010, "remote");
+
+ private final int value;
+
+ @JsonValue private final String name;
+
+ TransactionConfirmationDisplayType(int value, String name) {
+ this.value = value;
+ this.name = name;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/UnexpectedLegalHeader.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/UnexpectedLegalHeader.java
new file mode 100644
index 000000000..b28a94349
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/UnexpectedLegalHeader.java
@@ -0,0 +1,39 @@
+package com.yubico.fido.metadata;
+
+import java.util.Optional;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NonNull;
+
+/**
+ * A FIDO Metadata Service metadata BLOB was successfully downloaded and validated, but contained an
+ * unexpected legal header.
+ *
+ * This exception contains the offending downloaded metadata BLOB as well as the cached metadata
+ * BLOB, if any (see {@link #getCachedBlob()}). This enables applications to gracefully fall back to
+ * the cached blob when possible, while notifying maintainers that action is required for the new
+ * legal header.
+ */
+@AllArgsConstructor(access = AccessLevel.PACKAGE)
+public class UnexpectedLegalHeader extends Exception {
+
+ /** The cached metadata BLOB, if any, which is assumed to have an expected legal header. */
+ private final MetadataBLOB cachedBlob;
+
+ /**
+ * The newly downloaded metadata BLOB, which has an unexpected legal header.
+ *
+ *
The unexpected legal header can be retrieved via the {@link MetadataBLOB#getPayload()
+ * getPayload()}.{@link MetadataBLOBPayload#getLegalHeader() getLegalHeader()} methods.
+ *
+ * @see MetadataBLOB#getPayload()
+ * @see MetadataBLOBPayload#getLegalHeader()
+ */
+ @Getter @NonNull private final MetadataBLOB downloadedBlob;
+
+ /** The cached metadata BLOB, if any. */
+ public Optional getCachedBlob() {
+ return Optional.ofNullable(cachedBlob);
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/VerificationMethodDescriptor.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/VerificationMethodDescriptor.java
new file mode 100644
index 000000000..8a8016645
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/VerificationMethodDescriptor.java
@@ -0,0 +1,48 @@
+package com.yubico.fido.metadata;
+
+import com.yubico.webauthn.extension.uvm.UserVerificationMethod;
+import lombok.Builder;
+import lombok.Value;
+import lombok.extern.jackson.Jacksonized;
+
+/**
+ * A descriptor for a specific base user verification method as implemented by the
+ * authenticator.
+ *
+ * @see FIDO
+ * Metadata Statement §3.5. VerificationMethodDescriptor dictionary
+ */
+@Value
+@Builder(toBuilder = true)
+@Jacksonized
+public class VerificationMethodDescriptor {
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.5. VerificationMethodDescriptor dictionary
+ */
+ UserVerificationMethod userVerificationMethod;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.5. VerificationMethodDescriptor dictionary
+ */
+ CodeAccuracyDescriptor caDesc;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.5. VerificationMethodDescriptor dictionary
+ */
+ BiometricAccuracyDescriptor baDesc;
+
+ /**
+ * @see FIDO
+ * Metadata Statement §3.5. VerificationMethodDescriptor dictionary
+ */
+ PatternAccuracyDescriptor paDesc;
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/Version.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/Version.java
new file mode 100644
index 000000000..d5f05a58f
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/Version.java
@@ -0,0 +1,41 @@
+package com.yubico.fido.metadata;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Value;
+
+/**
+ * Represents a generic version with major and minor fields.
+ *
+ * @see FIDO
+ * UAF Protocol Specification §3.1.1 Version Interface
+ */
+@Value
+public class Version {
+
+ /**
+ * @see FIDO
+ * UAF Protocol Specification §3.1.1 Version Interface
+ */
+ int major;
+
+ /**
+ * @see FIDO
+ * UAF Protocol Specification §3.1.1 Version Interface
+ */
+ int minor;
+
+ /**
+ * @see FIDO
+ * UAF Protocol Specification §3.1.1 Version Interface
+ */
+ @JsonCreator
+ public Version(@JsonProperty("major") int major, @JsonProperty("minor") int minor) {
+ this.major = major;
+ this.minor = minor;
+ }
+}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/AttestationResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/AttestationResolver.java
deleted file mode 100644
index 69a08efad..000000000
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/AttestationResolver.java
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright (c) 2015-2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation;
-
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.List;
-import java.util.Optional;
-
-public interface AttestationResolver {
-
- /** Alias of resolve(attestationCertificate, Collections.emptyList()). */
- default Optional resolve(X509Certificate attestationCertificate) {
- return resolve(attestationCertificate, Collections.emptyList());
- }
-
- Optional resolve(
- X509Certificate attestationCertificate, List certificateChain);
-
- Attestation untrustedFromCertificate(X509Certificate attestationCertificate);
-}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/StandardMetadataService.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/StandardMetadataService.java
deleted file mode 100644
index 501b09eb5..000000000
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/StandardMetadataService.java
+++ /dev/null
@@ -1,134 +0,0 @@
-// Copyright (c) 2015-2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation;
-
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.hash.Hashing;
-import com.yubico.internal.util.ExceptionUtil;
-import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver;
-import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.List;
-import java.util.concurrent.ExecutionException;
-import lombok.NonNull;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public final class StandardMetadataService implements MetadataService {
- private static final Logger logger = LoggerFactory.getLogger(StandardMetadataService.class);
-
- private final Attestation unknownAttestation = Attestation.empty();
- private final AttestationResolver attestationResolver;
- private final Cache cache;
-
- private StandardMetadataService(
- @NonNull AttestationResolver attestationResolver, @NonNull Cache cache) {
- this.attestationResolver = attestationResolver;
- this.cache = cache;
- }
-
- public StandardMetadataService(AttestationResolver attestationResolver) {
- this(attestationResolver, CacheBuilder.newBuilder().build());
- }
-
- public StandardMetadataService() throws CertificateException {
- this(createDefaultAttestationResolver());
- }
-
- public static TrustResolver createDefaultTrustResolver() throws CertificateException {
- return SimpleTrustResolver.fromMetadata(Collections.singleton(MetadataObject.readDefault()));
- }
-
- public static AttestationResolver createDefaultAttestationResolver(TrustResolver trustResolver)
- throws CertificateException {
- return new SimpleAttestationResolver(
- Collections.singleton(MetadataObject.readDefault()), trustResolver);
- }
-
- public static AttestationResolver createDefaultAttestationResolver() throws CertificateException {
- return createDefaultAttestationResolver(createDefaultTrustResolver());
- }
-
- public Attestation getCachedAttestation(String attestationCertificateFingerprint) {
- return cache.getIfPresent(attestationCertificateFingerprint);
- }
-
- /**
- * Attempt to look up attestation for a chain of certificates
- *
- * If there is a signature path from any trusted certificate to the first certificate in
- * attestationCertificateChain, then the first certificate in
- * attestationCertificateChain is matched against the metadata registry to look up metadata
- * for the device.
- *
- *
If the certificate chain is trusted but no metadata exists in the registry, the method
- * returns a trusted attestation populated with information found embedded in the attestation
- * certificate.
- *
- *
If the certificate chain is not trusted, the method returns an untrusted attestation
- * populated with {@link Attestation#getTransports() transports} information found embedded in the
- * attestation certificate.
- *
- *
If the certificate chain is empty, an untrusted empty attestation is returned.
- *
- * @param attestationCertificateChain a certificate chain, where each certificate in the list
- * should be signed by the following certificate.
- * @throws CertificateEncodingException if computation of the fingerprint fails for any element of
- * attestationCertificateChain that needs to be inspected
- * @return An attestation as described above.
- */
- @Override
- public Attestation getAttestation(@NonNull List attestationCertificateChain)
- throws CertificateEncodingException {
- if (attestationCertificateChain.isEmpty()) {
- return unknownAttestation;
- }
-
- X509Certificate attestationCertificate = attestationCertificateChain.get(0);
- List certificateChain =
- attestationCertificateChain.subList(1, attestationCertificateChain.size());
-
- try {
- final String fingerprint =
- Hashing.sha1().hashBytes(attestationCertificate.getEncoded()).toString();
- return cache.get(
- fingerprint,
- () ->
- attestationResolver
- .resolve(attestationCertificate, certificateChain)
- .orElseGet(
- () -> attestationResolver.untrustedFromCertificate(attestationCertificate)));
- } catch (ExecutionException e) {
- throw ExceptionUtil.wrapAndLog(
- logger,
- "Failed to look up attestation information for certificate: " + attestationCertificate,
- e);
- }
- }
-}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/TrustResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/TrustResolver.java
deleted file mode 100644
index 803d879a2..000000000
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/TrustResolver.java
+++ /dev/null
@@ -1,55 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation;
-
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.List;
-import java.util.Optional;
-
-public interface TrustResolver {
-
- /**
- * Alias of resolveTrustAnchor(attestationCertificate, Collections.emptyList()).
- *
- * @see #resolveTrustAnchor(X509Certificate, List)
- */
- default Optional resolveTrustAnchor(X509Certificate attestationCertificate) {
- return resolveTrustAnchor(attestationCertificate, Collections.emptyList());
- }
-
- /**
- * Resolve a trusted root anchor for the given attestation certificate and certificate chain
- *
- * @param attestationCertificate The attestation certificate
- * @param caCertificateChain Zero or more certificates, of which the first has signed
- * attestationCertificate and each of the remaining certificates has signed the
- * certificate preceding it.
- * @return A trusted root certificate from which there is a signature path to
- * attestationCertificate, if one exists.
- */
- Optional resolveTrustAnchor(
- X509Certificate attestationCertificate, List caCertificateChain);
-}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeAttestationResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeAttestationResolver.java
deleted file mode 100644
index 85ff4a367..000000000
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeAttestationResolver.java
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation.resolver;
-
-import com.yubico.internal.util.CollectionUtil;
-import com.yubico.webauthn.attestation.Attestation;
-import com.yubico.webauthn.attestation.AttestationResolver;
-import java.security.cert.X509Certificate;
-import java.util.List;
-import java.util.Optional;
-
-/**
- * An {@link AttestationResolver} whose {@link #resolve(X509Certificate, List)} method calls {@link
- * AttestationResolver#resolve(X509Certificate, List)} on each of the subordinate {@link
- * AttestationResolver}s in turn, and returns the first non-null result.
- */
-public final class CompositeAttestationResolver implements AttestationResolver {
-
- private final List resolvers;
-
- public CompositeAttestationResolver(List resolvers) {
- this.resolvers = CollectionUtil.immutableList(resolvers);
- }
-
- @Override
- public Optional resolve(
- X509Certificate attestationCertificate, List certificateChain) {
- for (AttestationResolver resolver : resolvers) {
- Optional result = resolver.resolve(attestationCertificate, certificateChain);
- if (result.isPresent()) {
- return result;
- }
- }
- return Optional.empty();
- }
-
- /** Delegates to the first subordinate resolver, or throws an exception if there is none. */
- @Override
- public Attestation untrustedFromCertificate(X509Certificate attestationCertificate) {
- if (resolvers.isEmpty()) {
- throw new UnsupportedOperationException("Cannot do this without any sub-resolver.");
- } else {
- return resolvers.get(0).untrustedFromCertificate(attestationCertificate);
- }
- }
-}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeTrustResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeTrustResolver.java
deleted file mode 100644
index 4578f29ea..000000000
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeTrustResolver.java
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation.resolver;
-
-import com.yubico.internal.util.CollectionUtil;
-import com.yubico.webauthn.attestation.TrustResolver;
-import java.security.cert.X509Certificate;
-import java.util.List;
-import java.util.Optional;
-
-/**
- * A {@link TrustResolver} whose {@link #resolveTrustAnchor(X509Certificate, List)} method calls
- * {@link TrustResolver#resolveTrustAnchor(X509Certificate, List)} on each of the subordinate {@link
- * TrustResolver}s in turn, and returns the first non-null result.
- */
-public final class CompositeTrustResolver implements TrustResolver {
-
- private final List resolvers;
-
- public CompositeTrustResolver(List resolvers) {
- this.resolvers = CollectionUtil.immutableList(resolvers);
- }
-
- @Override
- public Optional resolveTrustAnchor(
- X509Certificate attestationCertificate, List certificateChain) {
- for (TrustResolver resolver : resolvers) {
- Optional result =
- resolver.resolveTrustAnchor(attestationCertificate, certificateChain);
- if (result.isPresent()) {
- return result;
- }
- }
- return Optional.empty();
- }
-}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.java
deleted file mode 100644
index e7552a7cb..000000000
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.java
+++ /dev/null
@@ -1,142 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation.resolver;
-
-import com.google.common.collect.ArrayListMultimap;
-import com.google.common.collect.Multimap;
-import com.yubico.internal.util.CertificateParser;
-import com.yubico.internal.util.JacksonCodecs;
-import com.yubico.webauthn.attestation.MetadataObject;
-import com.yubico.webauthn.attestation.TrustResolver;
-import java.io.IOException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.SignatureException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Optional;
-import java.util.Set;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Assesses whether an argument certificate can be trusted, and if so, by what trusted root
- * certificate.
- */
-public final class SimpleTrustResolver implements TrustResolver {
-
- private static final Logger logger = LoggerFactory.getLogger(SimpleTrustResolver.class);
-
- private final Multimap trustedCerts = ArrayListMultimap.create();
-
- public SimpleTrustResolver(Iterable trustedCertificates) {
- for (X509Certificate cert : trustedCertificates) {
- trustedCerts.put(cert.getSubjectDN().getName(), cert);
- }
- }
-
- public static SimpleTrustResolver fromMetadata(Iterable metadataObjects)
- throws CertificateException {
- Set certs = new HashSet<>();
- for (MetadataObject metadata : metadataObjects) {
- for (String encodedCert : metadata.getTrustedCertificates()) {
- certs.add(CertificateParser.parsePem(encodedCert));
- }
- }
- return new SimpleTrustResolver(certs);
- }
-
- public static SimpleTrustResolver fromMetadataJson(String metadataObjectJson)
- throws IOException, CertificateException {
- return fromMetadata(
- Collections.singleton(
- JacksonCodecs.json().readValue(metadataObjectJson, MetadataObject.class)));
- }
-
- @Override
- public Optional resolveTrustAnchor(
- X509Certificate attestationCertificate, List caCertificateChain) {
- final List certChain = new ArrayList<>();
- certChain.add(attestationCertificate);
- certChain.addAll(caCertificateChain);
-
- X509Certificate lastTriedCert = null;
-
- for (X509Certificate untrustedCert : certChain) {
- if (lastTriedCert != null) {
- logger.trace(
- "No trusted certificate has signed certificate [{}] - trying next element in certificate chain.",
- lastTriedCert);
-
- try {
- lastTriedCert.verify(untrustedCert.getPublicKey());
- } catch (CertificateException
- | NoSuchAlgorithmException
- | InvalidKeyException
- | NoSuchProviderException e) {
- logger.error(
- "Failed to verify that certificate [{}] was signed by [{}]",
- lastTriedCert,
- untrustedCert,
- e);
- throw new RuntimeException("Resolve failed", e);
- } catch (SignatureException e) {
- logger.debug(
- "Certificate chain broken - certificate [{}] was not signed by certificate [{}]",
- lastTriedCert,
- untrustedCert);
- return Optional.empty();
- }
- }
-
- final String issuer = untrustedCert.getIssuerDN().getName();
- for (X509Certificate trustedCert : trustedCerts.get(issuer)) {
- try {
- untrustedCert.verify(trustedCert.getPublicKey());
- logger.debug("Found signature from trusted certificate [{}]", trustedCert);
- return Optional.of(trustedCert);
- } catch (CertificateException
- | NoSuchAlgorithmException
- | InvalidKeyException
- | NoSuchProviderException e) {
- logger.error("Resolve failed", e);
- throw new RuntimeException("Resolve failed", e);
- } catch (SignatureException e) {
- // Not signed by the trusted cert
- }
- }
-
- lastTriedCert = untrustedCert;
- }
-
- logger.debug("No trusted certificate has signed certificate chain {}", certChain);
- return Optional.empty();
- }
-}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/MetadataObjectTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/MetadataObjectTest.java
deleted file mode 100644
index 445dced2c..000000000
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/MetadataObjectTest.java
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation;
-
-import static org.junit.Assert.assertEquals;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.yubico.internal.util.JacksonCodecs;
-import org.junit.Test;
-
-public class MetadataObjectTest {
- public static final String JSON =
- "{"
- + "\"identifier\":\"foobar\","
- + "\"version\":1,"
- + "\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},"
- + "\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],"
- + "\"devices\":[{"
- + "\"deviceId\":\"1.3.6.1.4.1.41482.1.2\","
- + "\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\","
- + "\"displayName\":\"YubiKey NEO/NEO-n\","
- + "\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\","
- + "\"selectors\":[{"
- + "\"type\":\"x509Extension\","
- + "\"parameters\":{"
- + "\"key\":\"1.3.6.1.4.1.41482.1.2\""
- + "}"
- + "}]"
- + "}]"
- + "}";
-
- private final ObjectMapper objectMapper = JacksonCodecs.json();
-
- @Test
- public void testToAndFromJson() throws Exception {
- MetadataObject metadata = objectMapper.readValue(JSON, MetadataObject.class);
- ObjectMapper objectMapper = new ObjectMapper();
- MetadataObject metadata2 =
- objectMapper.readValue(objectMapper.writeValueAsString(metadata), MetadataObject.class);
-
- assertEquals("foobar", metadata.getIdentifier());
- assertEquals(1, metadata.getVersion());
- assertEquals(1, metadata.getTrustedCertificates().size());
-
- assertEquals("Yubico", metadata.getVendorInfo().get("name"));
- assertEquals("1.3.6.1.4.1.41482.1.2", metadata.getDevices().get(0).get("deviceId").asText());
-
- assertEquals(metadata, metadata2);
- assertEquals(JSON, objectMapper.writeValueAsString(metadata));
- }
-}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/StandardMetadataServiceTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/StandardMetadataServiceTest.java
deleted file mode 100644
index df57edccf..000000000
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/StandardMetadataServiceTest.java
+++ /dev/null
@@ -1,111 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-
-import com.google.common.hash.Hashing;
-import com.yubico.internal.util.CertificateParser;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.EnumSet;
-import java.util.Optional;
-import org.junit.Test;
-
-public class StandardMetadataServiceTest {
- private static final String ATTESTATION_CERT =
- "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
- private static final String ATTESTATION_CERT2 =
- "MIICLzCCARmgAwIBAgIEQvUaTTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDExMjMzNTkzMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQphQ+PJYiZjZEVHtrx5QGE3/LE1+OytZPTwzrpWBKywji/3qmg22mwmVFl32PO269TxY+yVN4jbfVf5uX0EWJWoyYwJDAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNDALBgkqhkiG9w0BAQsDggEBALSc3YwTRbLwXhePj/imdBOhWiqh6ssS2ONgp5tphJCHR5Agjg2VstLBRsJzyJnLgy7bGZ0QbPOyh/J0hsvgBfvjByXOu1AwCW+tcoJ+pfxESojDLDn8hrFph6eWZoCtBsWMDh6vMqPENeP6grEAECWx4fTpBL9Bm7F+0Rp/d1/l66g4IhF/ZvuRFhY+BUK94BfivuBHpEkMwxKENTas7VkxvlVstUvPqhPHGYOq7RdF1D/THsbNY8+tgCTgvTziEG+bfDeY6zIz5h7bxb1rpajNVTpUDWtVYL7/w44e1KCoErqdS+kEbmmkmm7KvDE8kuyg42Fmb5DTMsbY2jxMlMU=";
- private static final String ATTESTATION_CERT_WITH_TRANSPORTS =
- "MIICIjCCAQygAwIBAgIEIHHwozALBgkqhkiG9w0BAQswDzENMAsGA1UEAxMEdGVzdDAeFw0xNTA4MTEwOTAwMzNaFw0xNjA4MTAwOTAwMzNaMCkxJzAlBgNVBAMTHll1YmljbyBVMkYgRUUgU2VyaWFsIDU0NDMzODA4MzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPdFG1pBjBBQVhLrD39Qg1vKjuR2kRdBZnwLI/zgzztQpf4ffpkrkB/3E0TXj5zg8gN9sgMkX48geBe+tBEpvMmjOzA5MCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS4yMBMGCysGAQQBguUcAgEBBAQDAgQwMAsGCSqGSIb3DQEBCwOCAQEAb3YpnmHHduNuWEXlLqlnww9034ZeZaojhPAYSLR8d5NPk9gc0hkjQKmIaaBM7DsaHbcHMKpXoMGTQSC++NCZTcKvZ0Lt12mp5HRnM1NNBPol8Hte5fLmvW4tQ9EzLl4gkz7LSlORxTuwTbae1eQqNdxdeB+0ilMFCEUc+3NGCNM0RWd+sP5+gzMXBDQAI1Sc9XaPIg8t3du5JChAl1ifpu/uERZ2WQgtxeBDO6z1Xoa5qz4svf5oURjPZjxS0WUKht48Z2rIjk5lZzERSaY3RrX3UtrnZEIzCmInXOrcRPeAD4ZutpiwuHe62ABsjuMRnKbATbOUiLdknNyPYYQz2g==";
-
- @Test
- public void testGetAttestation_x509extension_key() throws Exception {
- StandardMetadataService service = new StandardMetadataService();
-
- X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT);
- Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
-
- assertTrue(attestation.isTrusted());
- assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
- assertEquals("1.3.6.1.4.1.41482.1.2", attestation.getDeviceProperties().get().get("deviceId"));
- }
-
- @Test
- public void testGetAttestation_x509extension_key_value() throws Exception {
- StandardMetadataService service = new StandardMetadataService();
-
- X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT2);
- Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
-
- assertTrue(attestation.isTrusted());
- assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
- assertEquals("1.3.6.1.4.1.41482.1.4", attestation.getDeviceProperties().get().get("deviceId"));
- }
-
- @Test
- public void testGetTransportsFromCertificate() throws CertificateException {
- StandardMetadataService service = new StandardMetadataService();
-
- X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT_WITH_TRANSPORTS);
- Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
-
- assertEquals(
- Optional.of(EnumSet.of(Transport.USB, Transport.NFC)), attestation.getTransports());
- }
-
- @Test
- public void testGetTransportsFromMetadata() throws CertificateException {
- StandardMetadataService service = new StandardMetadataService();
-
- X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT2);
- Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
-
- assertEquals(Optional.of(EnumSet.of(Transport.USB)), attestation.getTransports());
- }
-
- @Test
- public void getCachedAttestationReturnsCertIfPresent() throws Exception {
- StandardMetadataService service = new StandardMetadataService();
-
- final X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT);
- final String certFingerprint =
- Hashing.sha1().hashBytes(attestationCert.getEncoded()).toString();
-
- assertNull(service.getCachedAttestation(certFingerprint));
-
- service.getAttestation(Collections.singletonList(attestationCert));
-
- Attestation attestation = service.getCachedAttestation(certFingerprint);
-
- assertTrue(attestation.isTrusted());
- assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
- assertEquals("1.3.6.1.4.1.41482.1.2", attestation.getDeviceProperties().get().get("deviceId"));
- }
-}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcherTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcherTest.java
deleted file mode 100644
index 3e9fea7cf..000000000
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcherTest.java
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation.matcher;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.node.ArrayNode;
-import com.fasterxml.jackson.databind.node.BooleanNode;
-import com.fasterxml.jackson.databind.node.JsonNodeFactory;
-import com.fasterxml.jackson.databind.node.TextNode;
-import com.google.common.hash.Hashing;
-import com.yubico.internal.util.CertificateParser;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import org.junit.Test;
-
-public class FingerprintMatcherTest {
-
- private static final String ATTESTATION_CERT =
- "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
-
- @Test
- public void matchesIsFalseForNonArrayFingerprints() {
- JsonNode parameters = mock(JsonNode.class);
- when(parameters.get("fingerprints")).thenReturn(BooleanNode.TRUE);
-
- assertFalse(new FingerprintMatcher().matches(mock(X509Certificate.class), parameters));
- }
-
- @Test
- public void matchesIsFalseIfNoFingerprintMatches() throws CertificateException {
- final X509Certificate cert = CertificateParser.parsePem(ATTESTATION_CERT);
-
- ArrayNode fingerprints = new ArrayNode(JsonNodeFactory.instance);
- fingerprints.add(new TextNode("foo"));
- fingerprints.add(new TextNode("bar"));
-
- JsonNode parameters = mock(JsonNode.class);
- when(parameters.get("fingerprints")).thenReturn(fingerprints);
-
- assertFalse(new FingerprintMatcher().matches(cert, parameters));
- }
-
- @Test
- public void matchesIsTrueIfSomeFingerprintMatches() throws CertificateException {
- final X509Certificate cert = CertificateParser.parsePem(ATTESTATION_CERT);
- final String fingerprint = Hashing.sha1().hashBytes(cert.getEncoded()).toString().toLowerCase();
-
- ArrayNode fingerprints = new ArrayNode(JsonNodeFactory.instance);
- fingerprints.add(new TextNode("foo"));
- fingerprints.add(new TextNode(fingerprint));
-
- JsonNode parameters = mock(JsonNode.class);
- when(parameters.get("fingerprints")).thenReturn(fingerprints);
-
- assertTrue(new FingerprintMatcher().matches(cert, parameters));
- }
-}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolverTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolverTest.java
deleted file mode 100644
index 8f74df544..000000000
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolverTest.java
+++ /dev/null
@@ -1,80 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation.resolver;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-
-import com.yubico.internal.util.CertificateParser;
-import com.yubico.internal.util.JacksonCodecs;
-import com.yubico.webauthn.attestation.Attestation;
-import com.yubico.webauthn.attestation.MetadataObject;
-import java.io.IOException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.Optional;
-import org.junit.Test;
-
-public class SimpleAttestationResolverTest {
-
- private static final String METADATA_JSON =
- "{\"identifier\":\"foobar\",\"version\":1,\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},\"devices\":[{\"displayName\":\"YubiKey NEO/NEO-n\",\"deviceId\":\"1.3.6.1.4.1.41482.1.2\",\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\",\"selectors\":[{\"type\":\"x509Extension\",\"parameters\":{\"key\":\"1.3.6.1.4.1.41482.1.2\"}}]}] }";
- private static final String ATTESTATION_CERT =
- "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
-
- private final MetadataObject metadata =
- JacksonCodecs.json().readValue(METADATA_JSON, MetadataObject.class);
- private final X509Certificate attestationCertificate =
- CertificateParser.parseDer(ATTESTATION_CERT);
-
- public SimpleAttestationResolverTest() throws IOException, CertificateException {}
-
- private static SimpleAttestationResolver createAttestationResolver(MetadataObject metadata)
- throws CertificateException {
- return new SimpleAttestationResolver(
- Collections.singleton(metadata),
- SimpleTrustResolver.fromMetadata(Collections.singleton(metadata)));
- }
-
- @Test
- public void testResolve() throws Exception {
- final SimpleAttestationResolver resolver = createAttestationResolver(metadata);
- Attestation metadata = resolver.resolve(attestationCertificate).orElse(null);
-
- assertNotNull(metadata);
- assertEquals("foobar", metadata.getMetadataIdentifier().get());
- }
-
- @Test
- public void resolveReturnsEmptyOnUntrustedSignature() throws Exception {
- final SimpleAttestationResolver resolver =
- new SimpleAttestationResolver(
- Collections.singletonList(metadata),
- SimpleTrustResolver.fromMetadata(Collections.emptyList()));
-
- assertEquals(Optional.empty(), resolver.resolve(attestationCertificate));
- }
-}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolverTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolverTest.java
deleted file mode 100644
index e2e4570ad..000000000
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolverTest.java
+++ /dev/null
@@ -1,108 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation.resolver;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.doThrow;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import com.yubico.internal.util.CertificateParser;
-import java.io.IOException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.Principal;
-import java.security.SignatureException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Optional;
-import org.junit.Test;
-import org.mockito.ArgumentMatchers;
-
-public class SimpleTrustResolverTest {
-
- private static final String METADATA_JSON =
- "{\"identifier\":\"foobar\",\"version\":1,\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},\"devices\":[{\"displayName\":\"YubiKey NEO/NEO-n\",\"deviceId\":\"1.3.6.1.4.1.41482.1.2\",\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\",\"selectors\":[{\"type\":\"x509Extension\",\"parameters\":{\"key\":\"1.3.6.1.4.1.41482.1.2\"}}]}] }";
- private static final String ATTESTATION_CERT =
- "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
-
- private final SimpleTrustResolver resolver = SimpleTrustResolver.fromMetadataJson(METADATA_JSON);
-
- public SimpleTrustResolverTest() throws IOException, CertificateException {}
-
- @Test
- public void testResolve() throws Exception {
- X509Certificate certificate = CertificateParser.parseDer(ATTESTATION_CERT);
-
- Optional trustAnchor = resolver.resolveTrustAnchor(certificate);
-
- assertTrue(trustAnchor.isPresent());
- assertEquals(
- "CN=Yubico U2F Root CA Serial 457200631", trustAnchor.get().getSubjectDN().getName());
- }
-
- @Test
- public void resolveReturnsEmptyOnUntrustedSignature() throws Exception {
- X509Certificate cert = mock(X509Certificate.class);
- doThrow(new SignatureException("Forced failure")).when(cert).verify(ArgumentMatchers.any());
- Principal issuerDN = mock(Principal.class);
- when(issuerDN.getName()).thenReturn("CN=Yubico U2F Root CA Serial 457200631");
- when(cert.getIssuerDN()).thenReturn(issuerDN);
-
- assertEquals(Optional.empty(), resolver.resolveTrustAnchor(cert));
- }
-
- private void resolveThrowsExceptionOnUnexpectedError(Exception thrownException) throws Exception {
- X509Certificate cert = mock(X509Certificate.class);
- doThrow(thrownException).when(cert).verify(ArgumentMatchers.any());
- Principal issuerDN = mock(Principal.class);
- when(issuerDN.getName()).thenReturn("CN=Yubico U2F Root CA Serial 457200631");
- when(cert.getIssuerDN()).thenReturn(issuerDN);
-
- resolver.resolveTrustAnchor(cert);
- }
-
- @Test(expected = RuntimeException.class)
- public void resolveThrowsExceptionOnCertificateException() throws Exception {
- resolveThrowsExceptionOnUnexpectedError(new CertificateException("Forced failure"));
- }
-
- @Test(expected = RuntimeException.class)
- public void resolveThrowsExceptionOnNoSuchAlgorithmException() throws Exception {
- resolveThrowsExceptionOnUnexpectedError(new NoSuchAlgorithmException("Forced failure"));
- }
-
- @Test(expected = RuntimeException.class)
- public void resolveThrowsExceptionOnInvalidKeyException() throws Exception {
- resolveThrowsExceptionOnUnexpectedError(new InvalidKeyException("Forced failure"));
- }
-
- @Test(expected = RuntimeException.class)
- public void resolveThrowsExceptionOnNoSuchProviderException() throws Exception {
- resolveThrowsExceptionOnUnexpectedError(new NoSuchProviderException("Forced failure"));
- }
-}
diff --git a/webauthn-server-attestation/src/test/resources/slf4jtest.properties b/webauthn-server-attestation/src/test/resources/slf4jtest.properties
new file mode 100644
index 000000000..eacb68e5f
--- /dev/null
+++ b/webauthn-server-attestation/src/test/resources/slf4jtest.properties
@@ -0,0 +1 @@
+print.level=DEBUG
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Examples.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Examples.scala
new file mode 100644
index 000000000..2fe8fb519
--- /dev/null
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Examples.scala
@@ -0,0 +1,469 @@
+package com.yubico.fido.metadata
+
+object FidoMds3Examples {
+
+ /** Example 1
+ *
+ * @see
+ * FIDO
+ * Metadata Service §3.1. Metadata BLOB Format
+ */
+ val BlobPayloadJson: String =
+ """{
+ | "no": 1234,
+ | "nextUpdate": "2014-03-31",
+ | "entries": [
+ | {
+ | "aaid": "1234#5678",
+ | "metadataStatement": "Metadata Statement object as defined in Metadata Statement spec.",
+ | "statusReports": [
+ | {
+ | "status": "FIDO_CERTIFIED",
+ | "effectiveDate": "2014-01-04"
+ | }
+ | ],
+ | "timeOfLastStatusChange": "2014-01-04"
+ | },
+ | {
+ | "attestationCertificateKeyIdentifiers": [
+ | "7c0903708b87115b0b422def3138c3c864e44573"
+ | ],
+ | "metadataStatement": "Metadata Statement object as defined in Metadata Statement spec.",
+ | "statusReports": [
+ | {
+ | "status": "FIDO_CERTIFIED",
+ | "effectiveDate": "2014-01-07"
+ | },
+ | {
+ | "status": "UPDATE_AVAILABLE",
+ | "effectiveDate": "2014-02-19",
+ | "url": "https://example.com/update1234"
+ | }
+ | ],
+ | "timeOfLastStatusChange": "2014-02-19"
+ | }
+ | ]
+ |}""".stripMargin
+
+ /** Example: Encoded Metadata BLOB
+ *
+ * @see
+ * FIDO
+ * Metadata Service §3.1.7.1. Metadata BLOB Examples
+ */
+ val BlobPayloadBase64url: String =
+ """
+ |ewoJImxlZ2FsSGVhZGVyIjogIlJldHJpZXZhbCBhbmQgdXNlIG9mIHRoaXMgQkxPQiBpbmRpY2F0ZXMg
+ |YWNjZXB0YW5jZSBvZiB0aGUgYXBwcm9wcmlhdGUgYWdyZWVtZW50IGxvY2F0ZWQgYXQgaHR0cHM6Ly9m
+ |aWRvYWxsaWFuY2Uub3JnL21ldGFkYXRhL21ldGFkYXRhLWxlZ2FsLXRlcm1zLyIsCgkibm8iOiAxNSwK
+ |CSJuZXh0VXBkYXRlIjogIjIwMjAtMDMtMzAiLAoJImVudHJpZXMiOiBbewoJCQkiYWFpZCI6ICIxMjM0
+ |IzU2NzgiLAoJCQkibWV0YWRhdGFTdGF0ZW1lbnQiOiB7CgkJCQkibGVnYWxIZWFkZXIiOiAiaHR0cHM6
+ |Ly9maWRvYWxsaWFuY2Uub3JnL21ldGFkYXRhL21ldGFkYXRhLXN0YXRlbWVudC1sZWdhbC1oZWFkZXIv
+ |IiwKCQkJCSJkZXNjcmlwdGlvbiI6ICJGSURPIEFsbGlhbmNlIFNhbXBsZSBVQUYgQXV0aGVudGljYXRv
+ |ciIsCgkJCQkiYWFpZCI6ICIxMjM0IzU2NzgiLAoJCQkJImFsdGVybmF0aXZlRGVzY3JpcHRpb25zIjog
+ |ewoJCQkJCSJydS1SVSI6ICLQn9GA0LjQvNC10YAgVUFGINCw0YPRgtC10L3RgtC40YTQuNC60LDRgtC-
+ |0YDQsCDQvtGCIEZJRE8gQWxsaWFuY2UiLAoJCQkJCSJmci1GUiI6ICJFeGVtcGxlIFVBRiBhdXRoZW50
+ |aWNhdG9yIGRlIEZJRE8gQWxsaWFuY2UiCgkJCQl9LAoJCQkJImF1dGhlbnRpY2F0b3JWZXJzaW9uIjog
+ |MiwKCQkJCSJwcm90b2NvbEZhbWlseSI6ICJ1YWYiLAoJCQkJInNjaGVtYSI6IDMsCgkJCQkidXB2Ijog
+ |W3sKCQkJCQkJIm1ham9yIjogMSwKCQkJCQkJIm1pbm9yIjogMAoJCQkJCX0sCgkJCQkJewoJCQkJCQki
+ |bWFqb3IiOiAxLAoJCQkJCQkibWlub3IiOiAxCgkJCQkJfQoJCQkJXSwKCQkJCSJhdXRoZW50aWNhdGlv
+ |bkFsZ29yaXRobXMiOiBbInNlY3AyNTZyMV9lY2RzYV9zaGEyNTZfcmF3Il0sCgkJCQkicHVibGljS2V5
+ |QWxnQW5kRW5jb2RpbmdzIjogWyJlY2NfeDk2Ml9yYXciXSwKCQkJCSJhdHRlc3RhdGlvblR5cGVzIjog
+ |WyJiYXNpY19mdWxsIl0sCgkJCQkidXNlclZlcmlmaWNhdGlvbkRldGFpbHMiOiBbCgkJCQkJW3sKCQkJ
+ |CQkJInVzZXJWZXJpZmljYXRpb25NZXRob2QiOiAiZmluZ2VycHJpbnRfaW50ZXJuYWwiLAoJCQkJCQki
+ |YmFEZXNjIjogewoJCQkJCQkJInNlbGZBdHRlc3RlZEZBUiI6IDAuMDAwMDIsCgkJCQkJCQkibWF4UmV0
+ |cmllcyI6IDUsCgkJCQkJCQkiYmxvY2tTbG93ZG93biI6IDMwLAoJCQkJCQkJIm1heFRlbXBsYXRlcyI6
+ |IDUKCQkJCQkJfQoJCQkJCX1dCgkJCQldLAoJCQkJImtleVByb3RlY3Rpb24iOiBbImhhcmR3YXJlIiwg
+ |InRlZSJdLAoJCQkJImlzS2V5UmVzdHJpY3RlZCI6IHRydWUsCgkJCQkibWF0Y2hlclByb3RlY3Rpb24i
+ |OiBbInRlZSJdLAoJCQkJImNyeXB0b1N0cmVuZ3RoIjogMTI4LAoJCQkJImF0dGFjaG1lbnRIaW50Ijog
+ |WyJpbnRlcm5hbCJdLAoJCQkJInRjRGlzcGxheSI6IFsiYW55IiwgInRlZSJdLAoJCQkJInRjRGlzcGxh
+ |eUNvbnRlbnRUeXBlIjogImltYWdlL3BuZyIsCgkJCQkidGNEaXNwbGF5UE5HQ2hhcmFjdGVyaXN0aWNz
+ |IjogW3sKCQkJCQkid2lkdGgiOiAzMjAsCgkJCQkJImhlaWdodCI6IDQ4MCwKCQkJCQkiYml0RGVwdGgi
+ |OiAxNiwKCQkJCQkiY29sb3JUeXBlIjogMiwKCQkJCQkiY29tcHJlc3Npb24iOiAwLAoJCQkJCSJmaWx0
+ |ZXIiOiAwLAoJCQkJCSJpbnRlcmxhY2UiOiAwCgkJCQl9XSwKCQkJCSJhdHRlc3RhdGlvblJvb3RDZXJ0
+ |aWZpY2F0ZXMiOiBbCgkJCQkJIk1JSUNQVENDQWVPZ0F3SUJBZ0lKQU91ZXh2VTNPeTJ3TUFvR0NDcUdT
+ |TTQ5QkFNQ01Ic3hJREFlQmdOVkJBTU1GMU5oYlhCc1pTQkJkSFJsYzNSaGRHbHZiaUJTYjI5ME1SWXdG
+ |QVlEVlFRS0RBMUdTVVJQSUVGc2JHbGhibU5sTVJFd0R3WURWUVFMREFoVlFVWWdWRmRITERFU01CQUdB
+ |MVVFQnd3SlVHRnNieUJCYkhSdk1Rc3dDUVlEVlFRSURBSkRRVEVMTUFrR0ExVUVCaE1DVlZNd0hoY05N
+ |VFF3TmpFNE1UTXpNek15V2hjTk5ERXhNVEF6TVRNek16TXlXakI3TVNBd0hnWURWUVFEREJkVFlXMXdi
+ |R1VnUVhSMFpYTjBZWFJwYjI0Z1VtOXZkREVXTUJRR0ExVUVDZ3dOUmtsRVR5QkJiR3hwWVc1alpURVJN
+ |QThHQTFVRUN3d0lWVUZHSUZSWFJ5d3hFakFRQmdOVkJBY01DVkJoYkc4Z1FXeDBiekVMTUFrR0ExVUVD
+ |QXdDUTBFeEN6QUpCZ05WQkFZVEFsVlRNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVI
+ |OGh2MkQwSFhhNTkvQm1wUTdSWmVoTC9GTUd6RmQxUUJnOXZBVXBPWjNham51UTk0UFI3YU16SDMzblVT
+ |QnI4ZkhZRHJxT0JiNThweEdxSEpSeVgvNk5RTUU0d0hRWURWUjBPQkJZRUZQb0hBM0NMaHhGYkMwSXQ3
+ |ekU0dzhoazVFSi9NQjhHQTFVZEl3UVlNQmFBRlBvSEEzQ0xoeEZiQzBJdDd6RTR3OGhrNUVKL01Bd0dB
+ |MVVkRXdRRk1BTUJBZjh3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUowNlFTWHQ5aWhJYkVLWUtJanNQ
+ |a3JpVmRMSWd0ZnNiRFN1N0VySmZ6cjRBaUJxb1lDWmYwK3pJNTVhUWVBSGpJekE5WG02M3JydUF4Qlo5
+ |cHM5ejJYTmxRPT0iCgkJCQldLAoJCQkJImljb24iOiAiZGF0YTppbWFnZS9wbmc7YmFzZTY0LGlWQk9S
+ |dzBLR2dvQUFBQU5TVWhFVWdBQUFFOEFBQUF2Q0FZQUFBQ2l3SmZjQUFBQUFYTlNSMElBcnM0YzZRQUFB
+ |QVJuUVUxQkFBQ3hqd3Y4WVFVQUFBQUpjRWhaY3dBQURzTUFBQTdEQWNkdnFHUUFBQWFoU1VSQlZHaEQ3
+ |WnI1YnhSbEdNZjlLelRCOEFNL1lFaEUyVzdwUVpjV0tLQmNsU3BIQVRsRUxBUkU3a05FQ0NBM0ZrV0sw
+ |Q0tLU0NGSXNLQmNnVkNEV0dORVNkQVlpZHdnZ2dKQmlSaU1oRmMvNHd5ODg4NHp1OU5kbG5HVGZaSlAy
+ |bjNuTysrODg5MzNmdmVCQngrUHFDekprVFV2QmJMbXBVRFd2QlRJbXBjQ1NadlhMQ2RYOVIwNVNrMTli
+ |YjVhdGY1OTlmRysvZXJBNTQxcTQ3YVAxTExWYTlTSXlWTlVpOElpOGQ1a0dUc2kzME5GdjdhaTluN1Fa
+ |UE13YmR5czJlclUyWE1xVWR5OCtaY2FObUdpbUU4eVhOM1JVZDNhMThuRjBmVWxvdlorMENUeldwZDJW
+ |aitlT20xYkV5eTZEeDRpNXBVTUdXdmVvNTA2cTIyN2R0dVdCSXVmZnI2b1dwVjBGUE5MaG93MTc1MU5t
+ |MjFMdlBIM3JWdFdqZno2NkxmcWw4dFg3RlJsOVlGU1hzbVNzZWI5Y2VPR2JZazdNTlVjR1BnOFpzYk1l
+ |OXJmUVVhYVYvSk1YOXNxZHpEQ1N2cDBrWkhtVFpnOXg3YkxIY01uVGhiMTZlSittVmZRcTh5YVVaUU5H
+ |NjRpWForMC9rcTZ1T1pGTzBRdGF0ZFdLZlhuUlE5OUJqOTFSNU9JRm5rNTRqTjBta1VpcWxPM1hEVytN
+ |bCs5OG1LQjZ0VzdyV3BaY1BjKzB6ZzR0THJZbFVjODZFNmVHRGpJTXViVnBjdXNlYXJmZ0lZR1JrNmJy
+ |aFpWci9KY0h6b29MNzU1MGplZExFeG9wV2NBcGkyWlVxaHU3Skx2clZzUVU4MXprek9QZWVtTVJZdlZ1
+ |UXNYN1BiaURRWTVKdlpvbmZ0SysxVlk4SDl1dHg1MzBoMG9iK2ptUllxajZvdWFZdkVlblcvV2xZanA4
+ |Y3diTW02ODJ0UHdxVzFSNHRqLzJTSDEzSVJKWWw0bW9adlhwaVNxRHI3ZFh0UUh4YS9QSzMvK0JXc0sx
+ |ZFRnSHU2Vjh0UUozYndGa3dwRnJVT1E1MHMxcjNsZXZtOHpaY3ExNytCQmF3N0s4bEVLNXF6a1llYXJr
+ |OUE4cDdQM0d6REsrbmQzRFFvdys2VUM4U1ZOODJpdXYzOGltN050YVh0VjFDVnE2Umd3NHBrc21iZGkz
+ |YnUyRGU3WWZhQkJ4Y3FmdnFQclVqRlFOVFEyMmxmZFVWVlQ2OHJUSktGNURuU21VamdkcWc0bVNTOXBt
+ |c2ZESlIzRzZUb0gwaVc5YVY3TFdMSFlYS2xsVER0MExUQXRrWUlhYW1wMVFqVnYrK3V5R1V4VmRKMERO
+ |VlhTbStiMXFSeHBsODRkZGZYMUxwMU8vZDY5dHNvZDB2czVoR3JlOXh1OG8rZnBMUjFjR2hOVEQ2WjU3
+ |QzlLTVdYZWZKZE9aOTRiYjlvcWQxUk9uUzdxSVRUekhpbU1xaXZiTzNnMERkVnlrM1dRQmhCenRLMzVZ
+ |S05kT25jOE8zYWNTNmZEWkZnS2FYTHNFSnA1cmRybGlCcXA4OWNKY3MvbTdUdnMwcmtqR2ZONGIwa1Bv
+ |Wm4zVUp1SU9ybloyMnlQMWZtdlV4K081Z1NxZWJWMW0relN1WU5WaHE3VFdiRGlMVnZsanBsTGxvcDZD
+ |TFhQKzJxdHZHTElMLzF2aW1JU2RNQmd6U29GWnl1NlRxZCtqenhnc1BhVjlCQ3FlZS9OallrNnY2bEs5
+ |Y3dpVWMvU1R0ZjFIRHBNM2I1OTJ5N2gzVGh4NW96SzY5SExwWVd1QXdhcVM1Y3YyNnE3Y2ViOGVmVllh
+ |UmVQM2lGVTh6ajFrblN3WlhITW1uQ2pZME9nYWxvN1VRZlNDTTNxUVFyMkgvWEZQN3NzWHg0NVlsOTFC
+ |eWVDZXA0bW9ab0grMWZHM3hENHRUN3g4a3d5ajhud2I5ZXYyNlYwQjZkKzdINHpLdnVkQUg1MzdGanF5
+ |ek9IZEpuSEV1em1YcS9XanhPYnZOTWJ2N25oeXdzWDJhVnNXdEM4KzQ4YUxlYXBFN3A1d0taaTBBMkFR
+ |UlY1bnZSNEUrdUpjK2I2MWtBcHFJbnhCZ21kLzRWNVFQL210MThIREM3c1JIZnRtZXU1bG1oVjBybi9B
+ |TFgyMzJicWQ0QkZuRHg3VmkxY1dTMnVmZjBJYkI0N3FleHhtVWo5UXV0WWp1cGQzdFlENmFiV0JCTXJo
+ |K2FwTmJPS3JORjErdWdDYTRyaVhHZndNUFB0VmlhdmhVM1lNT0FBbnVVYi9SMDdMMHlPU2VPYWRFODhB
+ |cHNYRkdmZjMweW5obEpnTTUxQ1U2dk45RXpnbnB2SEJGVXlpVnJhZVBpd0o1M0RGNVpUWm5vbUVOZzg1
+ |a05VZDJvSmkyV3ByNE9tbWtmTjR4NHpIZmlWRmM4RHY4Tnp1aE5xT2lkaWxHdkE2REd1ZVp3Tzc4QUFR
+ |bjZjaUVrNitydzVWY3ZqdnFORFlQT29JVXdhS1NocnhBdVhMbGtINGFZdUdmTVlEYzEwV0Y1VGEzMWhQ
+ |Sk9mY1VoclUvSmxJTmk2YzZlbFJZZEJwbzYrK1lmang2MWxHTmZSbTRNRDVySjFqM0ZvR0huakRTQk5h
+ |cllVZ01MeU1zektwYjd0WHBvSGZQczhoM1dwMUx6TmZOazU0WHhDMXdER1VtWXpYWWVmaDZ6L2NLdFZt
+ |NEVCeGE5VlFHRHpZcjNMclVNUmpIRUtrazd6YUZLWVFBMmhHUVUxeis4NU5GV3BYRHJrejN2eDEwR3F4
+ |UTZCemVOYm9CazVuOGs0bmViUmgrazFoV2Z4VEYwRDFFeVdVczVuditkZ1FxS2F4enVDZEUwaXNIbDAy
+ |TlE4YWgwbVhyMTJMYTNtMGY5d2lrOSt3TE5UTVkvODZNUG84eWkzMU9meG1UNlBXb3FHOStEWnVrWW5h
+ |NTZtU1p0NVdXU3k1cVZBMXJ3VXlKcVhBbG56a2lhaS9nSFNEN1JrVHlpaG9nQUFBQUJKUlU1RXJrSmdn
+ |Zz09IgoJCQl9LAoJCQkic3RhdHVzUmVwb3J0cyI6IFt7CgkJCQkic3RhdHVzIjogIkZJRE9fQ0VSVElG
+ |SUVEIiwKCQkJCSJlZmZlY3RpdmVEYXRlIjogIjIwMTQtMDEtMDQiCgkJCX1dLAoJCQkidGltZU9mTGFz
+ |dFN0YXR1c0NoYW5nZSI6ICIyMDE0LTAxLTA0IgoJCX0sCgkJewoJCQkiYWFndWlkIjogIjAxMzJkMTEw
+ |LWJmNGUtNDIwOC1hNDAzLWFiNGY1ZjEyZWZlNSIsCgkJCSJtZXRhZGF0YVN0YXRlbWVudCI6IHsKCQkJ
+ |CSJsZWdhbEhlYWRlciI6ICJodHRwczovL2ZpZG9hbGxpYW5jZS5vcmcvbWV0YWRhdGEvbWV0YWRhdGEt
+ |c3RhdGVtZW50LWxlZ2FsLWhlYWRlci8iLAoJCQkJImRlc2NyaXB0aW9uIjogIkZJRE8gQWxsaWFuY2Ug
+ |U2FtcGxlIEZJRE8yIEF1dGhlbnRpY2F0b3IiLAoJCQkJImFhZ3VpZCI6ICIwMTMyZDExMC1iZjRlLTQy
+ |MDgtYTQwMy1hYjRmNWYxMmVmZTUiLAoJCQkJImFsdGVybmF0aXZlRGVzY3JpcHRpb25zIjogewoJCQkJ
+ |CSJydS1SVSI6ICLQn9GA0LjQvNC10YAgRklETzIg0LDRg9GC0LXQvdGC0LjRhNC40LrQsNGC0L7RgNCw
+ |INC-0YIgRklETyBBbGxpYW5jZSIsCgkJCQkJImZyLUZSIjogIkV4ZW1wbGUgRklETzIgYXV0aGVudGlj
+ |YXRvciBkZSBGSURPIEFsbGlhbmNlIiwKCQkJCQkiemgtQ04iOiAi5L6G6IeqRklETyBBbGxpYW5jZeea
+ |hOekuuS-i0ZJRE8y6Lqr5Lu96amX6K2J5ZmoIgoJCQkJfSwKCQkJCSJwcm90b2NvbEZhbWlseSI6ICJm
+ |aWRvMiIsCgkJCQkic2NoZW1hIjogMywKCQkJCSJhdXRoZW50aWNhdG9yVmVyc2lvbiI6IDUsCgkJCQki
+ |dXB2IjogW3sKCQkJCQkibWFqb3IiOiAxLAoJCQkJCSJtaW5vciI6IDAKCQkJCX1dLAoJCQkJImF1dGhl
+ |bnRpY2F0aW9uQWxnb3JpdGhtcyI6IFsic2VjcDI1NnIxX2VjZHNhX3NoYTI1Nl9yYXciLCAicnNhc3Nh
+ |X3BrY3N2MTVfc2hhMjU2X3JhdyJdLAoJCQkJInB1YmxpY0tleUFsZ0FuZEVuY29kaW5ncyI6IFsiY29z
+ |ZSJdLAoJCQkJImF0dGVzdGF0aW9uVHlwZXMiOiBbImJhc2ljX2Z1bGwiXSwKCQkJCSJ1c2VyVmVyaWZp
+ |Y2F0aW9uRGV0YWlscyI6IFsKCQkJCQlbewoJCQkJCQkidXNlclZlcmlmaWNhdGlvbk1ldGhvZCI6ICJu
+ |b25lIgoJCQkJCX1dLAoJCQkJCVt7CgkJCQkJCSJ1c2VyVmVyaWZpY2F0aW9uTWV0aG9kIjogInByZXNl
+ |bmNlX2ludGVybmFsIgoJCQkJCX1dLAoJCQkJCVt7CgkJCQkJCSJ1c2VyVmVyaWZpY2F0aW9uTWV0aG9k
+ |IjogInBhc3Njb2RlX2V4dGVybmFsIiwKCQkJCQkJImNhRGVzYyI6IHsKCQkJCQkJCSJiYXNlIjogMTAs
+ |CgkJCQkJCQkibWluTGVuZ3RoIjogNAoJCQkJCQl9CgkJCQkJfV0sCgkJCQkJW3sKCQkJCQkJCSJ1c2Vy
+ |VmVyaWZpY2F0aW9uTWV0aG9kIjogInBhc3Njb2RlX2V4dGVybmFsIiwKCQkJCQkJCSJjYURlc2MiOiB7
+ |CgkJCQkJCQkJImJhc2UiOiAxMCwKCQkJCQkJCQkibWluTGVuZ3RoIjogNAoJCQkJCQkJfQoJCQkJCQl9
+ |LAoJCQkJCQl7CgkJCQkJCQkidXNlclZlcmlmaWNhdGlvbk1ldGhvZCI6ICJwcmVzZW5jZV9pbnRlcm5h
+ |bCIKCQkJCQkJfQoJCQkJCV0KCQkJCV0sCgkJCQkia2V5UHJvdGVjdGlvbiI6IFsiaGFyZHdhcmUiLCAi
+ |c2VjdXJlX2VsZW1lbnQiXSwKCQkJCSJtYXRjaGVyUHJvdGVjdGlvbiI6IFsib25fY2hpcCJdLAoJCQkJ
+ |ImNyeXB0b1N0cmVuZ3RoIjogMTI4LAoJCQkJImF0dGFjaG1lbnRIaW50IjogWyJleHRlcm5hbCIsICJ3
+ |aXJlZCIsICJ3aXJlbGVzcyIsICJuZmMiXSwKCQkJCSJ0Y0Rpc3BsYXkiOiBbXSwKCQkJCSJhdHRlc3Rh
+ |dGlvblJvb3RDZXJ0aWZpY2F0ZXMiOiBbCgkJCQkJIk1JSUNQVENDQWVPZ0F3SUJBZ0lKQU91ZXh2VTNP
+ |eTJ3TUFvR0NDcUdTTTQ5QkFNQ01Ic3hJREFlQmdOVkJBTU1GMU5oYlhCc1pTQkJkSFJsYzNSaGRHbHZi
+ |aUJTYjI5ME1SWXdGQVlEVlFRS0RBMUdTVVJQSUVGc2JHbGhibU5sTVJFd0R3WURWUVFMREFoVlFVWWdW
+ |RmRITERFU01CQUdBMVVFQnd3SlVHRnNieUJCYkhSdk1Rc3dDUVlEVlFRSURBSkRRVEVMTUFrR0ExVUVC
+ |aE1DVlZNd0hoY05NVFF3TmpFNE1UTXpNek15V2hjTk5ERXhNVEF6TVRNek16TXlXakI3TVNBd0hnWURW
+ |UVFEREJkVFlXMXdiR1VnUVhSMFpYTjBZWFJwYjI0Z1VtOXZkREVXTUJRR0ExVUVDZ3dOUmtsRVR5QkJi
+ |R3hwWVc1alpURVJNQThHQTFVRUN3d0lWVUZHSUZSWFJ5d3hFakFRQmdOVkJBY01DVkJoYkc4Z1FXeDBi
+ |ekVMTUFrR0ExVUVDQXdDUTBFeEN6QUpCZ05WQkFZVEFsVlRNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6
+ |ajBEQVFjRFFnQUVIOGh2MkQwSFhhNTkvQm1wUTdSWmVoTC9GTUd6RmQxUUJnOXZBVXBPWjNham51UTk0
+ |UFI3YU16SDMzblVTQnI4ZkhZRHJxT0JiNThweEdxSEpSeVgvNk5RTUU0d0hRWURWUjBPQkJZRUZQb0hB
+ |M0NMaHhGYkMwSXQ3ekU0dzhoazVFSi9NQjhHQTFVZEl3UVlNQmFBRlBvSEEzQ0xoeEZiQzBJdDd6RTR3
+ |OGhrNUVKL01Bd0dBMVVkRXdRRk1BTUJBZjh3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUowNlFTWHQ5
+ |aWhJYkVLWUtJanNQa3JpVmRMSWd0ZnNiRFN1N0VySmZ6cjRBaUJxb1lDWmYwK3pJNTVhUWVBSGpJekE5
+ |WG02M3JydUF4Qlo5cHM5ejJYTmxRPT0iCgkJCQldLAoJCQkJImljb24iOiAiZGF0YTppbWFnZS9wbmc7
+ |YmFzZTY0LGlWQk9SdzBLR2dvQUFBQU5TVWhFVWdBQUFFOEFBQUF2Q0FZQUFBQ2l3SmZjQUFBQUFYTlNS
+ |MElBcnM0YzZRQUFBQVJuUVUxQkFBQ3hqd3Y4WVFVQUFBQUpjRWhaY3dBQURzTUFBQTdEQWNkdnFHUUFB
+ |QWFoU1VSQlZHaEQ3WnI1YnhSbEdNZjlLelRCOEFNL1lFaEUyVzdwUVpjV0tLQmNsU3BIQVRsRUxBUkU3
+ |a05FQ0NBM0ZrV0swQ0tLU0NGSXNLQmNnVkNEV0dORVNkQVlpZHdnZ2dKQmlSaU1oRmMvNHd5ODg4NHp1
+ |OU5kbG5HVGZaSlAybjNuTysrODg5MzNmdmVCQngrUHFDekprVFV2QmJMbXBVRFd2QlRJbXBjQ1NadlhM
+ |Q2RYOVIwNVNrMTliYjVhdGY1OTlmRysvZXJBNTQxcTQ3YVAxTExWYTlTSXlWTlVpOElpOGQ1a0dUc2kz
+ |ME5GdjdhaTluN1FaUE13YmR5czJlclUyWE1xVWR5OCtaY2FObUdpbUU4eVhOM1JVZDNhMThuRjBmVWxv
+ |dlorMENUeldwZDJWaitlT20xYkV5eTZEeDRpNXBVTUdXdmVvNTA2cTIyN2R0dVdCSXVmZnI2b1dwVjBG
+ |UE5MaG93MTc1MU5tMjFMdlBIM3JWdFdqZno2NkxmcWw4dFg3RlJsOVlGU1hzbVNzZWI5Y2VPR2JZazdN
+ |TlVjR1BnOFpzYk1lOXJmUVVhYVYvSk1YOXNxZHpEQ1N2cDBrWkhtVFpnOXg3YkxIY01uVGhiMTZlSitt
+ |VmZRcTh5YVVaUU5HNjRpWForMC9rcTZ1T1pGTzBRdGF0ZFdLZlhuUlE5OUJqOTFSNU9JRm5rNTRqTjBt
+ |a1VpcWxPM1hEVytNbCs5OG1LQjZ0VzdyV3BaY1BjKzB6ZzR0THJZbFVjODZFNmVHRGpJTXViVnBjdXNl
+ |YXJmZ0lZR1JrNmJyaFpWci9KY0h6b29MNzU1MGplZExFeG9wV2NBcGkyWlVxaHU3Skx2clZzUVU4MXpr
+ |ek9QZWVtTVJZdlZ1UXNYN1BiaURRWTVKdlpvbmZ0SysxVlk4SDl1dHg1MzBoMG9iK2ptUllxajZvdWFZ
+ |dkVlblcvV2xZanA4Y3diTW02ODJ0UHdxVzFSNHRqLzJTSDEzSVJKWWw0bW9adlhwaVNxRHI3ZFh0UUh4
+ |YS9QSzMvK0JXc0sxZFRnSHU2Vjh0UUozYndGa3dwRnJVT1E1MHMxcjNsZXZtOHpaY3ExNytCQmF3N0s4
+ |bEVLNXF6a1llYXJrOUE4cDdQM0d6REsrbmQzRFFvdys2VUM4U1ZOODJpdXYzOGltN050YVh0VjFDVnE2
+ |Umd3NHBrc21iZGkzYnUyRGU3WWZhQkJ4Y3FmdnFQclVqRlFOVFEyMmxmZFVWVlQ2OHJUSktGNURuU21V
+ |amdkcWc0bVNTOXBtc2ZESlIzRzZUb0gwaVc5YVY3TFdMSFlYS2xsVER0MExUQXRrWUlhYW1wMVFqVnYr
+ |K3V5R1V4VmRKMEROVlhTbStiMXFSeHBsODRkZGZYMUxwMU8vZDY5dHNvZDB2czVoR3JlOXh1OG8rZnBM
+ |UjFjR2hOVEQ2WjU3QzlLTVdYZWZKZE9aOTRiYjlvcWQxUk9uUzdxSVRUekhpbU1xaXZiTzNnMERkVnlr
+ |M1dRQmhCenRLMzVZS05kT25jOE8zYWNTNmZEWkZnS2FYTHNFSnA1cmRybGlCcXA4OWNKY3MvbTdUdnMw
+ |cmtqR2ZONGIwa1BvWm4zVUp1SU9ybloyMnlQMWZtdlV4K081Z1NxZWJWMW0relN1WU5WaHE3VFdiRGlM
+ |VnZsanBsTGxvcDZDTFhQKzJxdHZHTElMLzF2aW1JU2RNQmd6U29GWnl1NlRxZCtqenhnc1BhVjlCQ3Fl
+ |ZS9OallrNnY2bEs5Y3dpVWMvU1R0ZjFIRHBNM2I1OTJ5N2gzVGh4NW96SzY5SExwWVd1QXdhcVM1Y3Yy
+ |NnE3Y2ViOGVmVllhUmVQM2lGVTh6ajFrblN3WlhITW1uQ2pZME9nYWxvN1VRZlNDTTNxUVFyMkgvWEZQ
+ |N3NzWHg0NVlsOTFCeWVDZXA0bW9ab0grMWZHM3hENHRUN3g4a3d5ajhud2I5ZXYyNlYwQjZkKzdINHpL
+ |dnVkQUg1MzdGanF5ek9IZEpuSEV1em1YcS9XanhPYnZOTWJ2N25oeXdzWDJhVnNXdEM4KzQ4YUxlYXBF
+ |N3A1d0taaTBBMkFRUlY1bnZSNEUrdUpjK2I2MWtBcHFJbnhCZ21kLzRWNVFQL210MThIREM3c1JIZnRt
+ |ZXU1bG1oVjBybi9BTFgyMzJicWQ0QkZuRHg3VmkxY1dTMnVmZjBJYkI0N3FleHhtVWo5UXV0WWp1cGQz
+ |dFlENmFiV0JCTXJoK2FwTmJPS3JORjErdWdDYTRyaVhHZndNUFB0VmlhdmhVM1lNT0FBbnVVYi9SMDdM
+ |MHlPU2VPYWRFODhBcHNYRkdmZjMweW5obEpnTTUxQ1U2dk45RXpnbnB2SEJGVXlpVnJhZVBpd0o1M0RG
+ |NVpUWm5vbUVOZzg1a05VZDJvSmkyV3ByNE9tbWtmTjR4NHpIZmlWRmM4RHY4Tnp1aE5xT2lkaWxHdkE2
+ |REd1ZVp3Tzc4QUFRbjZjaUVrNitydzVWY3ZqdnFORFlQT29JVXdhS1NocnhBdVhMbGtINGFZdUdmTVlE
+ |YzEwV0Y1VGEzMWhQSk9mY1VoclUvSmxJTmk2YzZlbFJZZEJwbzYrK1lmang2MWxHTmZSbTRNRDVySjFq
+ |M0ZvR0huakRTQk5hcllVZ01MeU1zektwYjd0WHBvSGZQczhoM1dwMUx6TmZOazU0WHhDMXdER1VtWXpY
+ |WWVmaDZ6L2NLdFZtNEVCeGE5VlFHRHpZcjNMclVNUmpIRUtrazd6YUZLWVFBMmhHUVUxeis4NU5GV3BY
+ |RHJrejN2eDEwR3F4UTZCemVOYm9CazVuOGs0bmViUmgrazFoV2Z4VEYwRDFFeVdVczVuditkZ1FxS2F4
+ |enVDZEUwaXNIbDAyTlE4YWgwbVhyMTJMYTNtMGY5d2lrOSt3TE5UTVkvODZNUG84eWkzMU9meG1UNlBX
+ |b3FHOStEWnVrWW5hNTZtU1p0NVdXU3k1cVZBMXJ3VXlKcVhBbG56a2lhaS9nSFNEN1JrVHlpaG9nQUFB
+ |QUJKUlU1RXJrSmdnZz09IiwKCQkJCSJzdXBwb3J0ZWRFeHRlbnNpb25zIjogW3sKCQkJCQkJImlkIjog
+ |ImhtYWMtc2VjcmV0IiwKCQkJCQkJImZhaWxfaWZfdW5rbm93biI6IGZhbHNlCgkJCQkJfSwKCQkJCQl7
+ |CgkJCQkJCSJpZCI6ICJjcmVkUHJvdGVjdCIsCgkJCQkJCSJmYWlsX2lmX3Vua25vd24iOiBmYWxzZQoJ
+ |CQkJCX0KCQkJCV0sCgkJCQkiYXV0aGVudGljYXRvckdldEluZm8iOiB7CgkJCQkJInZlcnNpb25zIjog
+ |WyJVMkZfVjIiLCAiRklET18yXzAiXSwKCQkJCQkiZXh0ZW5zaW9ucyI6IFsiY3JlZFByb3RlY3QiLCAi
+ |aG1hYy1zZWNyZXQiXSwKCQkJCQkiYWFndWlkIjogIjAxMzJkMTEwYmY0ZTQyMDhhNDAzYWI0ZjVmMTJl
+ |ZmU1IiwKCQkJCQkib3B0aW9ucyI6IHsKCQkJCQkJInBsYXQiOiAiZmFsc2UiLAoJCQkJCQkicmsiOiAi
+ |dHJ1ZSIsCgkJCQkJCSJjbGllbnRQaW4iOiAidHJ1ZSIsCgkJCQkJCSJ1cCI6ICJ0cnVlIiwKCQkJCQkJ
+ |InV2IjogInRydWUiLAoJCQkJCQkidXZUb2tlbiI6ICJmYWxzZSIsCgkJCQkJCSJjb25maWciOiAiZmFs
+ |c2UiCgkJCQkJfSwKCQkJCQkibWF4TXNnU2l6ZSI6IDEyMDAsCgkJCQkJInBpblV2QXV0aFByb3RvY29s
+ |cyI6IFsxXSwKCQkJCQkibWF4Q3JlZGVudGlhbENvdW50SW5MaXN0IjogMTYsCgkJCQkJIm1heENyZWRl
+ |bnRpYWxJZExlbmd0aCI6IDEyOCwKCQkJCQkidHJhbnNwb3J0cyI6IFsidXNiIiwgIm5mYyJdLAoJCQkJ
+ |CSJhbGdvcml0aG1zIjogW3sKCQkJCQkJCSJ0eXBlIjogInB1YmxpYy1rZXkiLAoJCQkJCQkJImFsZyI6
+ |IC03CgkJCQkJCX0sCgkJCQkJCXsKCQkJCQkJCSJ0eXBlIjogInB1YmxpYy1rZXkiLAoJCQkJCQkJImFs
+ |ZyI6IC0yNTcKCQkJCQkJfQoJCQkJCV0sCgkJCQkJIm1heEF1dGhlbnRpY2F0b3JDb25maWdMZW5ndGgi
+ |OiAxMDI0LAoJCQkJCSJkZWZhdWx0Q3JlZFByb3RlY3QiOiAyLAoJCQkJCSJmaXJtd2FyZVZlcnNpb24i
+ |OiA1CgkJCQl9CgkJCX0sCgkJCSJzdGF0dXNSZXBvcnRzIjogW3sKCQkJCQkic3RhdHVzIjogIkZJRE9f
+ |Q0VSVElGSUVEIiwKCQkJCQkiZWZmZWN0aXZlRGF0ZSI6ICIyMDE5LTAxLTA0IgoJCQkJfSwKCQkJCXsK
+ |CQkJCQkic3RhdHVzIjogIkZJRE9fQ0VSVElGSUVEX0wxIiwKCQkJCQkiZWZmZWN0aXZlRGF0ZSI6ICIy
+ |MDIwLTExLTE5IiwKCQkJCQkiY2VydGlmaWNhdGlvbkRlc2NyaXB0b3IiOiAiRklETyBBbGxpYW5jZSBT
+ |YW1wbGUgRklETzIgQXV0aGVudGljYXRvciIsCgkJCQkJImNlcnRpZmljYXRlTnVtYmVyIjogIkZJRE8y
+ |MTAwMDIwMTUxMjIxMDAxIiwKCQkJCQkiY2VydGlmaWNhdGlvblBvbGljeVZlcnNpb24iOiAiMS4wLjEi
+ |LAoJCQkJCSJjZXJ0aWZpY2F0aW9uUmVxdWlyZW1lbnRzVmVyc2lvbiI6ICIxLjAuMSIKCQkJCX0KCQkJ
+ |XSwKCQkJInRpbWVPZkxhc3RTdGF0dXNDaGFuZ2UiOiAiMjAxOS0wMS0wNCIKCQl9CgldCn0
+ |""".stripMargin.replaceAll(raw"[ \n]+", "")
+
+ /** Example: JWT
+ *
+ * @see
+ * FIDO
+ * Metadata Service §3.1.7.1. Metadata BLOB Examples
+ */
+ val BlobJwt: String =
+ """
+ |eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDWlRDQ0FndWdBd0lCQWdJQkFUQUtC
+ |Z2dxaGtqT1BRUURBakNCb3pFbk1DVUdBMVVFQXd3ZVJWaEJUVkJNUlNCTlJGTXpJRlJGVTFRZ1NVNVVS
+ |VkpOUlVSSlFWUkZNU0l3SUFZSktvWklodmNOQVFrQkZoTmxlR0Z0Y0d4bFFHVjRZVzF3YkdVdVkyOXRN
+ |UlF3RWdZRFZRUUtEQXRGZUdGdGNHeGxJRTlTUnpFUU1BNEdBMVVFQ3d3SFJYaGhiWEJzWlRFTE1Ba0dB
+ |MVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01BazFaTVJJd0VBWURWUVFIREFsWFlXdGxabWxsYkdRd0hoY05N
+ |akV3TkRFNU1URXpOVEEzV2hjTk16RXdOREUzTVRFek5UQTNXakNCcFRFcE1DY0dBMVVFQXd3Z1JWaEJU
+ |VkJNUlNCTlJGTXpJRk5KUjA1SlRrY2dRMFZTVkVsR1NVTkJWRVV4SWpBZ0Jna3Foa2lHOXcwQkNRRVdF
+ |MlY0WVcxd2JHVkFaWGhoYlhCc1pTNWpiMjB4RkRBU0JnTlZCQW9NQzBWNFlXMXdiR1VnVDFKSE1SQXdE
+ |Z1lEVlFRTERBZEZlR0Z0Y0d4bE1Rc3dDUVlEVlFRR0V3SlZVekVMTUFrR0ExVUVDQXdDVFZreEVqQVFC
+ |Z05WQkFjTUNWZGhhMlZtYVdWc1pEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJOUUpz
+ |NndUcWl4YytTK1ZEQWFqRmxQTmF0MTBLRVdKRTVqY1dPdm02cXBPOVNEQUFNWnZiNEhIcnZzK1A1WVJw
+ |SHJTbFVQZHZLK3VFUWJkV2czMVA5dWpMREFxTUFrR0ExVWRFd1FDTUFBd0hRWURWUjBPQkJZRUZMcXNh
+ |cGNYVjRab1ZIQW5ScFBad1FlN1l5MjBNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJUUM2N3phOEVJdXlS
+ |aUtnTkRYSVAxczFhTHIzanpIOVdWWGZIeDRiSit6Q3NnSWdHL3RWQnV0T0pVVSt2dm9ISW8vb3RBVUFj
+ |SDViTkhQM3VJemlEUytQVFVjPSIsIk1JSUVIekNDQWdlZ0F3SUJBZ0lCQWpBTkJna3Foa2lHOXcwQkFR
+ |c0ZBRENCbXpFZk1CMEdBMVVFQXd3V1JWaEJUVkJNUlNCTlJGTXpJRlJGVTFRZ1VrOVBWREVpTUNBR0NT
+ |cUdTSWIzRFFFSkFSWVRaWGhoYlhCc1pVQmxlR0Z0Y0d4bExtTnZiVEVVTUJJR0ExVUVDZ3dMUlhoaGJY
+ |QnNaU0JQVWtjeEVEQU9CZ05WQkFzTUIwVjRZVzF3YkdVeEN6QUpCZ05WQkFZVEFsVlRNUXN3Q1FZRFZR
+ |UUlEQUpOV1RFU01CQUdBMVVFQnd3SlYyRnJaV1pwWld4a01CNFhEVEl4TURReE9URXhNelV3TjFvWERU
+ |UTRNRGt3TkRFeE16VXdOMW93Z2FNeEp6QWxCZ05WQkFNTUhrVllRVTFRVEVVZ1RVUlRNeUJVUlZOVUlF
+ |bE9WRVZTVFVWRVNVRlVSVEVpTUNBR0NTcUdTSWIzRFFFSkFSWVRaWGhoYlhCc1pVQmxlR0Z0Y0d4bExt
+ |TnZiVEVVTUJJR0ExVUVDZ3dMUlhoaGJYQnNaU0JQVWtjeEVEQU9CZ05WQkFzTUIwVjRZVzF3YkdVeEN6
+ |QUpCZ05WQkFZVEFsVlRNUXN3Q1FZRFZRUUlEQUpOV1RFU01CQUdBMVVFQnd3SlYyRnJaV1pwWld4a01G
+ |a3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRU5HdW1CYlluRlFuVGpQMVJTZmM3MGhzaGdi
+ |aUkxWnRwd1E1bjZ4UkxBL1dxMFBTQ2ZMbDVxUStyN2RsY0sxZDNyM3ZMYSt2bTZHNnZLSEdDUEVlVXpx
+ |TXZNQzB3REFZRFZSMFRCQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVOazZGNFJKbkdHVkZlKzAvY2Jad2Zy
+ |WmQ3WlV3RFFZSktvWklodmNOQVFFTEJRQURnZ0lCQUNucDFmbTBGS2xXbVV0VHBsTHVZZzdtcHM0eFAv
+ |Q091OGRuYjM4dTFuTURWdU9UNCtDWmFpTTlBR3ozMTNHRDIyaGpMR3JtUHVZbjg2d0dPS0kzSE9yRXBz
+ |R2RNbWZ5N3RUbUtYL2VNL2VTM0ZFRFhabkU4MlBuNW9GSXlCVC9mOHNHdVh5T3NGWnFXQnZWZEJJSURs
+ |ZENwRDRteE1RWlpPWnRUcmx2M1d2QlFNQy9kc2ljT3hlM1FLWHZXSGk2UWIvUmh1YWlwM3JQbXdNZis0
+ |SnBuSk8rSk1QcUFhVTFjQUg4SFZzZnJMQU1vS3MxNDhqMitjdmJwYVdtc1Q1cklvSC9lelZyUGFHL01P
+ |aUlncTc5dy9lZnV2U2k1QVg4SitrRG9MU0VmM2Q1d09na0pZQXFVcWNSeFhURUV0S0l6RE02aHphQlFG
+ |aUFXdlRuOUlsVldnbnRRYW1TWHZIK3R4YVRGOWlFbEh4VWY1SU5ZRlZjaUNwenRTcnlkZUh2L09DTlJm
+ |Ny9MVnJpY01TbG84UmgrTzN5UDlWKzJ1TmYzWDhzUUpOdHVmclFOYXFxMTh3aVhsaVRMdWZTbjAyL2cr
+ |bWtoSVVpTktmVE9KcHZDaktlQ25DRmN4UVUyL1hUM0toM0c4Z0RKd3NPNkVWUmpNVUp0NEFZS3plL2hF
+ |VUN3RjU1SUYybTNqSElvQ3U4alZmajI0Q2VFWDVkbmZ2U3IrU1Z2TjVRQjB1WjA1TTRybXlaWHlxQm0w
+ |ekszZlIraUUwL1pwSW51d0xDN1grVzgyelhsbk1rcGxJM1ErSnhkN2pmUTE1U1lORTJLNnJ2UklUMDF3
+ |MFA5WnF5REY3a25HS3BSbHA3T3F4ZDM3YkQvVlViV3BRN2dJQWZzSk5INUtCTG93SEpGRmpXIl19.eyJ
+ |sZWdhbEhlYWRlciI6IlJldHJpZXZhbCBhbmQgdXNlIG9mIHRoaXMgQkxPQiBpbmRpY2F0ZXMgYWNjZXB
+ |0YW5jZSBvZiB0aGUgYXBwcm9wcmlhdGUgYWdyZWVtZW50IGxvY2F0ZWQgYXQgaHR0cHM6Ly9maWRvYWx
+ |saWFuY2Uub3JnL21ldGFkYXRhL21ldGFkYXRhLWxlZ2FsLXRlcm1zLyIsIm5vIjoxNSwibmV4dFVwZGF
+ |0ZSI6IjIwMjAtMDMtMzAiLCJlbnRyaWVzIjpbeyJhYWlkIjoiMTIzNCM1Njc4IiwibWV0YWRhdGFTdGF
+ |0ZW1lbnQiOnsibGVnYWxIZWFkZXIiOiJodHRwczovL2ZpZG9hbGxpYW5jZS5vcmcvbWV0YWRhdGEvbWV
+ |0YWRhdGEtc3RhdGVtZW50LWxlZ2FsLWhlYWRlci8iLCJkZXNjcmlwdGlvbiI6IkZJRE8gQWxsaWFuY2U
+ |gU2FtcGxlIFVBRiBBdXRoZW50aWNhdG9yIiwiYWFpZCI6IjEyMzQjNTY3OCIsImFsdGVybmF0aXZlRGV
+ |zY3JpcHRpb25zIjp7InJ1LVJVIjoi0J_RgNC40LzQtdGAIFVBRiDQsNGD0YLQtdC90YLQuNGE0LjQutC
+ |w0YLQvtGA0LAg0L7RgiBGSURPIEFsbGlhbmNlIiwiZnItRlIiOiJFeGVtcGxlIFVBRiBhdXRoZW50aWN
+ |hdG9yIGRlIEZJRE8gQWxsaWFuY2UifSwiYXV0aGVudGljYXRvclZlcnNpb24iOjIsInByb3RvY29sRmF
+ |taWx5IjoidWFmIiwic2NoZW1hIjozLCJ1cHYiOlt7Im1ham9yIjoxLCJtaW5vciI6MH0seyJtYWpvciI
+ |6MSwibWlub3IiOjF9XSwiYXV0aGVudGljYXRpb25BbGdvcml0aG1zIjpbInNlY3AyNTZyMV9lY2RzYV9
+ |zaGEyNTZfcmF3Il0sInB1YmxpY0tleUFsZ0FuZEVuY29kaW5ncyI6WyJlY2NfeDk2Ml9yYXciXSwiYXR
+ |0ZXN0YXRpb25UeXBlcyI6WyJiYXNpY19mdWxsIl0sInVzZXJWZXJpZmljYXRpb25EZXRhaWxzIjpbW3s
+ |idXNlclZlcmlmaWNhdGlvbk1ldGhvZCI6ImZpbmdlcnByaW50X2ludGVybmFsIiwiYmFEZXNjIjp7InN
+ |lbGZBdHRlc3RlZEZBUiI6MC4wMDAwMiwibWF4UmV0cmllcyI6NSwiYmxvY2tTbG93ZG93biI6MzAsIm1
+ |heFRlbXBsYXRlcyI6NX19XV0sImtleVByb3RlY3Rpb24iOlsiaGFyZHdhcmUiLCJ0ZWUiXSwiaXNLZXl
+ |SZXN0cmljdGVkIjp0cnVlLCJtYXRjaGVyUHJvdGVjdGlvbiI6WyJ0ZWUiXSwiY3J5cHRvU3RyZW5ndGg
+ |iOjEyOCwiYXR0YWNobWVudEhpbnQiOlsiaW50ZXJuYWwiXSwidGNEaXNwbGF5IjpbImFueSIsInRlZSJ
+ |dLCJ0Y0Rpc3BsYXlDb250ZW50VHlwZSI6ImltYWdlL3BuZyIsInRjRGlzcGxheVBOR0NoYXJhY3Rlcml
+ |zdGljcyI6W3sid2lkdGgiOjMyMCwiaGVpZ2h0Ijo0ODAsImJpdERlcHRoIjoxNiwiY29sb3JUeXBlIjo
+ |yLCJjb21wcmVzc2lvbiI6MCwiZmlsdGVyIjowLCJpbnRlcmxhY2UiOjB9XSwiYXR0ZXN0YXRpb25Sb29
+ |0Q2VydGlmaWNhdGVzIjpbIk1JSUNQVENDQWVPZ0F3SUJBZ0lKQU91ZXh2VTNPeTJ3TUFvR0NDcUdTTTQ
+ |5QkFNQ01Ic3hJREFlQmdOVkJBTU1GMU5oYlhCc1pTQkJkSFJsYzNSaGRHbHZiaUJTYjI5ME1SWXdGQVl
+ |EVlFRS0RBMUdTVVJQSUVGc2JHbGhibU5sTVJFd0R3WURWUVFMREFoVlFVWWdWRmRITERFU01CQUdBMVV
+ |FQnd3SlVHRnNieUJCYkhSdk1Rc3dDUVlEVlFRSURBSkRRVEVMTUFrR0ExVUVCaE1DVlZNd0hoY05NVFF
+ |3TmpFNE1UTXpNek15V2hjTk5ERXhNVEF6TVRNek16TXlXakI3TVNBd0hnWURWUVFEREJkVFlXMXdiR1V
+ |nUVhSMFpYTjBZWFJwYjI0Z1VtOXZkREVXTUJRR0ExVUVDZ3dOUmtsRVR5QkJiR3hwWVc1alpURVJNQTh
+ |HQTFVRUN3d0lWVUZHSUZSWFJ5d3hFakFRQmdOVkJBY01DVkJoYkc4Z1FXeDBiekVMTUFrR0ExVUVDQXd
+ |DUTBFeEN6QUpCZ05WQkFZVEFsVlRNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVIOGh
+ |2MkQwSFhhNTkvQm1wUTdSWmVoTC9GTUd6RmQxUUJnOXZBVXBPWjNham51UTk0UFI3YU16SDMzblVTQnI
+ |4ZkhZRHJxT0JiNThweEdxSEpSeVgvNk5RTUU0d0hRWURWUjBPQkJZRUZQb0hBM0NMaHhGYkMwSXQ3ekU
+ |0dzhoazVFSi9NQjhHQTFVZEl3UVlNQmFBRlBvSEEzQ0xoeEZiQzBJdDd6RTR3OGhrNUVKL01Bd0dBMVV
+ |kRXdRRk1BTUJBZjh3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUowNlFTWHQ5aWhJYkVLWUtJanNQa3J
+ |pVmRMSWd0ZnNiRFN1N0VySmZ6cjRBaUJxb1lDWmYwK3pJNTVhUWVBSGpJekE5WG02M3JydUF4Qlo5cHM
+ |5ejJYTmxRPT0iXSwiaWNvbiI6ImRhdGE6aW1hZ2UvcG5nO2Jhc2U2NCxpVkJPUncwS0dnb0FBQUFOU1V
+ |oRVVnQUFBRThBQUFBdkNBWUFBQUNpd0pmY0FBQUFBWE5TUjBJQXJzNGM2UUFBQUFSblFVMUJBQUN4and
+ |2OFlRVUFBQUFKY0VoWmN3QUFEc01BQUE3REFjZHZxR1FBQUFhaFNVUkJWR2hEN1pyNWJ4UmxHTWY5S3p
+ |UQjhBTS9ZRWhFMlc3cFFaY1dLS0JjbFNwSEFUbEVMQVJFN2tORUNDQTNGa1dLMENLS1NDRklzS0JjZ1Z
+ |DRFdHTkVTZEFZaWR3Z2dnSkJpUmlNaEZjLzR3eTg4ODR6dTlOZGxuR1RmWkpQMm4zbk8rKzg4OTMzZnZ
+ |lQkJ4K1BxQ3pKa1RVdkJiTG1wVURXdkJUSW1wY0NTWnZYTENkWDlSMDVTazE5YmI1YXRmNTk5ZkcrL2V
+ |yQTU0MXE0N2FQMUxMVmE5U0l5Vk5VaThJaThkNWtHVHNpMzBORnY3YWk5bjdRWlBNd2JkeXMyZXJVMlh
+ |NcVVkeTgrWmNhTm1HaW1FOHlYTjNSVWQzYTE4bkYwZlVsb3ZaKzBDVHpXcGQyVmorZU9tMWJFeXk2RHg
+ |0aTVwVU1HV3ZlbzUwNnEyMjdkdHVXQkl1ZmZyNm9XcFYwRlBOTGhvdzE3NTFObTIxTHZQSDNyVnRXamZ
+ |6NjZMZnFsOHRYN0ZSbDlZRlNYc21Tc2ViOWNlT0diWWs3TU5VY0dQZzhac2JNZTlyZlFVYWFWL0pNWDl
+ |zcWR6RENTdnAwa1pIbVRaZzl4N2JMSGNNblRoYjE2ZUorbVZmUXE4eWFVWlFORzY0aVhaKzAva3E2dU9
+ |aRk8wUXRhdGRXS2ZYblJROTlCajkxUjVPSUZuazU0ak4wbWtVaXFsTzNYRFcrTWwrOThtS0I2dFc3cld
+ |wWmNQYyswemc0dExyWWxVYzg2RTZlR0RqSU11YlZwY3VzZWFyZmdJWUdSazZicmhaVnIvSmNIem9vTDc
+ |1NTBqZWRMRXhvcFdjQXBpMlpVcWh1N0pMdnJWc1FVODF6a3pPUGVlbU1SWXZWdVFzWDdQYmlEUVk1SnZ
+ |ab25mdEsrMVZZOEg5dXR4NTMwaDBvYitqbVJZcWo2b3VhWXZFZW5XL1dsWWpwOGN3Yk1tNjgydFB3cVc
+ |xUjR0ai8yU0gxM0lSSllsNG1vWnZYcGlTcURyN2RYdFFIeGEvUEszLytCV3NLMWRUZ0h1NlY4dFFKM2J
+ |3Rmt3cEZyVU9RNTBzMXIzbGV2bTh6WmNxMTcrQkJhdzdLOGxFSzVxemtZZWFyazlBOHA3UDNHekRLK25
+ |kM0RRb3crNlVDOFNWTjgyaXV2MzhpbTdOdGFYdFYxQ1ZxNlJndzRwa3NtYmRpM2J1MkRlN1lmYUJCeGN
+ |xZnZxUHJVakZRTlRRMjJsZmRVVlZUNjhyVEpLRjVEblNtVWpnZHFnNG1TUzlwbXNmREpSM0c2VG9IMGl
+ |XOWFWN0xXTEhZWEtsbFREdDBMVEF0a1lJYWFtcDFRalZ2Kyt1eUdVeFZkSjBETlZYU20rYjFxUnhwbDg
+ |0ZGRmWDFMcDFPL2Q2OXRzb2QwdnM1aEdyZTl4dThvK2ZwTFIxY0doTlRENlo1N0M5S01XWGVmSmRPWjk
+ |0YmI5b3FkMVJPblM3cUlUVHpIaW1NcWl2Yk8zZzBEZFZ5azNXUUJoQnp0SzM1WUtOZE9uYzhPM2FjUzZ
+ |mRFpGZ0thWExzRUpwNXJkcmxpQnFwODljSmNzL203VHZzMHJrakdmTjRiMGtQb1puM1VKdUlPcm5aMjJ
+ |5UDFmbXZVeCtPNWdTcWViVjFtK3pTdVlOVmhxN1RXYkRpTFZ2bGpwbExsb3A2Q0xYUCsycXR2R0xJTC8
+ |xdmltSVNkTUJnelNvRlp5dTZUcWQranp4Z3NQYVY5QkNxZWUvTmpZazZ2NmxLOWN3aVVjL1NUdGYxSER
+ |wTTNiNTkyeTdoM1RoeDVveks2OUhMcFlXdUF3YXFTNWN2MjZxN2NlYjhlZlZZYVJlUDNpRlU4emoxa25
+ |Td1pYSE1tbkNqWTBPZ2FsbzdVUWZTQ00zcVFRcjJIL1hGUDdzc1h4NDVZbDkxQnllQ2VwNG1vWm9IKzF
+ |mRzN4RDR0VDd4OGt3eWo4bndiOWV2MjZWMEI2ZCs3SDR6S3Z1ZEFINTM3RmpxeXpPSGRKbkhFdXptWHE
+ |vV2p4T2J2Tk1idjduaHl3c1gyYVZzV3RDOCs0OGFMZWFwRTdwNXdLWmkwQTJBUVJWNW52UjRFK3VKYyt
+ |iNjFrQXBxSW54QmdtZC80VjVRUC9tdDE4SERDN3NSSGZ0bWV1NWxtaFYwcm4vQUxYMjMyYnFkNEJGbkR
+ |4N1ZpMWNXUzJ1ZmYwSWJCNDdxZXh4bVVqOVF1dFlqdXBkM3RZRDZhYldCQk1yaCthcE5iT0tyTkYxK3V
+ |nQ2E0cmlYR2Z3TVBQdFZpYXZoVTNZTU9BQW51VWIvUjA3TDB5T1NlT2FkRTg4QXBzWEZHZmYzMHluaGx
+ |KZ001MUNVNnZOOUV6Z25wdkhCRlV5aVZyYWVQaXdKNTNERjVaVFpub21FTmc4NWtOVWQyb0ppMldwcjR
+ |PbW1rZk40eDR6SGZpVkZjOER2OE56dWhOcU9pZGlsR3ZBNkRHdWVad083OEFBUW42Y2lFazYrcnc1VmN
+ |2anZxTkRZUE9vSVV3YUtTaHJ4QXVYTGxrSDRhWXVHZk1ZRGMxMFdGNVRhMzFoUEpPZmNVaHJVL0psSU5
+ |pNmM2ZWxSWWRCcG82KytZZmp4NjFsR05mUm00TUQ1ckoxajNGb0dIbmpEU0JOYXJZVWdNTHlNc3pLcGI
+ |3dFhwb0hmUHM4aDNXcDFMek5mTms1NFh4QzF3REdVbVl6WFllZmg2ei9jS3RWbTRFQnhhOVZRR0R6WXI
+ |zTHJVTVJqSEVLa2s3emFGS1lRQTJoR1FVMXorODVORldwWERya3ozdngxMEdxeFE2QnplTmJvQms1bjh
+ |rNG5lYlJoK2sxaFdmeFRGMEQxRXlXVXM1bnYrZGdRcUtheHp1Q2RFMGlzSGwwMk5ROGFoMG1YcjEyTGE
+ |zbTBmOXdpazkrd0xOVE1ZLzg2TVBvOHlpMzFPZnhtVDZQV29xRzkrRFp1a1luYTU2bVNadDVXV1N5NXF
+ |WQTFyd1V5SnFYQWxuemtpYWkvZ0hTRDdSa1R5aWhvZ0FBQUFCSlJVNUVya0pnZ2c9PSJ9LCJzdGF0dXN
+ |SZXBvcnRzIjpbeyJzdGF0dXMiOiJGSURPX0NFUlRJRklFRCIsImVmZmVjdGl2ZURhdGUiOiIyMDE0LTA
+ |xLTA0In1dLCJ0aW1lT2ZMYXN0U3RhdHVzQ2hhbmdlIjoiMjAxNC0wMS0wNCJ9LHsiYWFndWlkIjoiMDE
+ |zMmQxMTAtYmY0ZS00MjA4LWE0MDMtYWI0ZjVmMTJlZmU1IiwibWV0YWRhdGFTdGF0ZW1lbnQiOnsibGV
+ |nYWxIZWFkZXIiOiJodHRwczovL2ZpZG9hbGxpYW5jZS5vcmcvbWV0YWRhdGEvbWV0YWRhdGEtc3RhdGV
+ |tZW50LWxlZ2FsLWhlYWRlci8iLCJkZXNjcmlwdGlvbiI6IkZJRE8gQWxsaWFuY2UgU2FtcGxlIEZJRE8
+ |yIEF1dGhlbnRpY2F0b3IiLCJhYWd1aWQiOiIwMTMyZDExMC1iZjRlLTQyMDgtYTQwMy1hYjRmNWYxMmV
+ |mZTUiLCJhbHRlcm5hdGl2ZURlc2NyaXB0aW9ucyI6eyJydS1SVSI6ItCf0YDQuNC80LXRgCBGSURPMiD
+ |QsNGD0YLQtdC90YLQuNGE0LjQutCw0YLQvtGA0LAg0L7RgiBGSURPIEFsbGlhbmNlIiwiZnItRlIiOiJ
+ |FeGVtcGxlIEZJRE8yIGF1dGhlbnRpY2F0b3IgZGUgRklETyBBbGxpYW5jZSIsInpoLUNOIjoi5L6G6Ie
+ |qRklETyBBbGxpYW5jZeeahOekuuS-i0ZJRE8y6Lqr5Lu96amX6K2J5ZmoIn0sInByb3RvY29sRmFtaWx
+ |5IjoiZmlkbzIiLCJzY2hlbWEiOjMsImF1dGhlbnRpY2F0b3JWZXJzaW9uIjo1LCJ1cHYiOlt7Im1ham9
+ |yIjoxLCJtaW5vciI6MH1dLCJhdXRoZW50aWNhdGlvbkFsZ29yaXRobXMiOlsic2VjcDI1NnIxX2VjZHN
+ |hX3NoYTI1Nl9yYXciLCJyc2Fzc2FfcGtjc3YxNV9zaGEyNTZfcmF3Il0sInB1YmxpY0tleUFsZ0FuZEV
+ |uY29kaW5ncyI6WyJjb3NlIl0sImF0dGVzdGF0aW9uVHlwZXMiOlsiYmFzaWNfZnVsbCJdLCJ1c2VyVmV
+ |yaWZpY2F0aW9uRGV0YWlscyI6W1t7InVzZXJWZXJpZmljYXRpb25NZXRob2QiOiJub25lIn1dLFt7InV
+ |zZXJWZXJpZmljYXRpb25NZXRob2QiOiJwcmVzZW5jZV9pbnRlcm5hbCJ9XSxbeyJ1c2VyVmVyaWZpY2F
+ |0aW9uTWV0aG9kIjoicGFzc2NvZGVfZXh0ZXJuYWwiLCJjYURlc2MiOnsiYmFzZSI6MTAsIm1pbkxlbmd
+ |0aCI6NH19XSxbeyJ1c2VyVmVyaWZpY2F0aW9uTWV0aG9kIjoicGFzc2NvZGVfZXh0ZXJuYWwiLCJjYUR
+ |lc2MiOnsiYmFzZSI6MTAsIm1pbkxlbmd0aCI6NH19LHsidXNlclZlcmlmaWNhdGlvbk1ldGhvZCI6InB
+ |yZXNlbmNlX2ludGVybmFsIn1dXSwia2V5UHJvdGVjdGlvbiI6WyJoYXJkd2FyZSIsInNlY3VyZV9lbGV
+ |tZW50Il0sIm1hdGNoZXJQcm90ZWN0aW9uIjpbIm9uX2NoaXAiXSwiY3J5cHRvU3RyZW5ndGgiOjEyOCw
+ |iYXR0YWNobWVudEhpbnQiOlsiZXh0ZXJuYWwiLCJ3aXJlZCIsIndpcmVsZXNzIiwibmZjIl0sInRjRGl
+ |zcGxheSI6W10sImF0dGVzdGF0aW9uUm9vdENlcnRpZmljYXRlcyI6WyJNSUlDUFRDQ0FlT2dBd0lCQWd
+ |JSkFPdWV4dlUzT3kyd01Bb0dDQ3FHU000OUJBTUNNSHN4SURBZUJnTlZCQU1NRjFOaGJYQnNaU0JCZEh
+ |SbGMzUmhkR2x2YmlCU2IyOTBNUll3RkFZRFZRUUtEQTFHU1VSUElFRnNiR2xoYm1ObE1SRXdEd1lEVlF
+ |RTERBaFZRVVlnVkZkSExERVNNQkFHQTFVRUJ3d0pVR0ZzYnlCQmJIUnZNUXN3Q1FZRFZRUUlEQUpEUVR
+ |FTE1Ba0dBMVVFQmhNQ1ZWTXdIaGNOTVRRd05qRTRNVE16TXpNeVdoY05OREV4TVRBek1UTXpNek15V2p
+ |CN01TQXdIZ1lEVlFRRERCZFRZVzF3YkdVZ1FYUjBaWE4wWVhScGIyNGdVbTl2ZERFV01CUUdBMVVFQ2d
+ |3TlJrbEVUeUJCYkd4cFlXNWpaVEVSTUE4R0ExVUVDd3dJVlVGR0lGUlhSeXd4RWpBUUJnTlZCQWNNQ1Z
+ |CaGJHOGdRV3gwYnpFTE1Ba0dBMVVFQ0F3Q1EwRXhDekFKQmdOVkJBWVRBbFZUTUZrd0V3WUhLb1pJemo
+ |wQ0FRWUlLb1pJemowREFRY0RRZ0FFSDhodjJEMEhYYTU5L0JtcFE3UlplaEwvRk1HekZkMVFCZzl2QVV
+ |wT1ozYWpudVE5NFBSN2FNekgzM25VU0JyOGZIWURycU9CYjU4cHhHcUhKUnlYLzZOUU1FNHdIUVlEVlI
+ |wT0JCWUVGUG9IQTNDTGh4RmJDMEl0N3pFNHc4aGs1RUovTUI4R0ExVWRJd1FZTUJhQUZQb0hBM0NMaHh
+ |GYkMwSXQ3ekU0dzhoazVFSi9NQXdHQTFVZEV3UUZNQU1CQWY4d0NnWUlLb1pJemowRUF3SURTQUF3UlF
+ |JaEFKMDZRU1h0OWloSWJFS1lLSWpzUGtyaVZkTElndGZzYkRTdTdFckpmenI0QWlCcW9ZQ1pmMCt6STU
+ |1YVFlQUhqSXpBOVhtNjNycnVBeEJaOXBzOXoyWE5sUT09Il0sImljb24iOiJkYXRhOmltYWdlL3BuZzt
+ |iYXNlNjQsaVZCT1J3MEtHZ29BQUFBTlNVaEVVZ0FBQUU4QUFBQXZDQVlBQUFDaXdKZmNBQUFBQVhOU1I
+ |wSUFyczRjNlFBQUFBUm5RVTFCQUFDeGp3djhZUVVBQUFBSmNFaFpjd0FBRHNNQUFBN0RBY2R2cUdRQUF
+ |BYWhTVVJCVkdoRDdacjVieFJsR01mOUt6VEI4QU0vWUVoRTJXN3BRWmNXS0tCY2xTcEhBVGxFTEFSRTd
+ |rTkVDQ0EzRmtXSzBDS0tTQ0ZJc0tCY2dWQ0RXR05FU2RBWWlkd2dnZ0pCaVJpTWhGYy80d3k4ODg0enU
+ |5TmRsbkdUZlpKUDJuM25PKys4ODkzM2Z2ZUJCeCtQcUN6SmtUVXZCYkxtcFVEV3ZCVEltcGNDU1p2WEx
+ |DZFg5UjA1U2sxOWJiNWF0ZjU5OWZHKy9lckE1NDFxNDdhUDFMTFZhOVNJeVZOVWk4SWk4ZDVrR1RzaTM
+ |wTkZ2N2FpOW43UVpQTXdiZHlzMmVyVTJYTXFVZHk4K1pjYU5tR2ltRTh5WE4zUlVkM2ExOG5GMGZVbG9
+ |2WiswQ1R6V3BkMlZqK2VPbTFiRXl5NkR4NGk1cFVNR1d2ZW81MDZxMjI3ZHR1V0JJdWZmcjZvV3BWMEZ
+ |QTkxob3cxNzUxTm0yMUx2UEgzclZ0V2pmejY2TGZxbDh0WDdGUmw5WUZTWHNtU3NlYjljZU9HYllrN01
+ |OVWNHUGc4WnNiTWU5cmZRVWFhVi9KTVg5c3FkekRDU3ZwMGtaSG1UWmc5eDdiTEhjTW5UaGIxNmVKK21
+ |WZlFxOHlhVVpRTkc2NGlYWiswL2txNnVPWkZPMFF0YXRkV0tmWG5SUTk5Qmo5MVI1T0lGbms1NGpOMG1
+ |rVWlxbE8zWERXK01sKzk4bUtCNnRXN3JXcFpjUGMrMHpnNHRMcllsVWM4NkU2ZUdEaklNdWJWcGN1c2V
+ |hcmZnSVlHUms2YnJoWlZyL0pjSHpvb0w3NTUwamVkTEV4b3BXY0FwaTJaVXFodTdKTHZyVnNRVTgxemt
+ |6T1BlZW1NUll2VnVRc1g3UGJpRFFZNUp2Wm9uZnRLKzFWWThIOXV0eDUzMGgwb2Iram1SWXFqNm91YVl
+ |2RWVuVy9XbFlqcDhjd2JNbTY4MnRQd3FXMVI0dGovMlNIMTNJUkpZbDRtb1p2WHBpU3FEcjdkWHRRSHh
+ |hL1BLMy8rQldzSzFkVGdIdTZWOHRRSjNid0Zrd3BGclVPUTUwczFyM2xldm04elpjcTE3K0JCYXc3Szh
+ |sRUs1cXprWWVhcms5QThwN1AzR3pESytuZDNEUW93KzZVQzhTVk44Mml1djM4aW03TnRhWHRWMUNWcTZ
+ |SZ3c0cGtzbWJkaTNidTJEZTdZZmFCQnhjcWZ2cVByVWpGUU5UUTIybGZkVVZWVDY4clRKS0Y1RG5TbVV
+ |qZ2RxZzRtU1M5cG1zZkRKUjNHNlRvSDBpVzlhVjdMV0xIWVhLbGxURHQwTFRBdGtZSWFhbXAxUWpWdis
+ |rdXlHVXhWZEowRE5WWFNtK2IxcVJ4cGw4NGRkZlgxTHAxTy9kNjl0c29kMHZzNWhHcmU5eHU4bytmcEx
+ |SMWNHaE5URDZaNTdDOUtNV1hlZkpkT1o5NGJiOW9xZDFST25TN3FJVFR6SGltTXFpdmJPM2cwRGRWeWs
+ |zV1FCaEJ6dEszNVlLTmRPbmM4TzNhY1M2ZkRaRmdLYVhMc0VKcDVyZHJsaUJxcDg5Y0pjcy9tN1R2czB
+ |ya2pHZk40YjBrUG9abjNVSnVJT3JuWjIyeVAxZm12VXgrTzVnU3FlYlYxbSt6U3VZTlZocTdUV2JEaUx
+ |WdmxqcGxMbG9wNkNMWFArMnF0dkdMSUwvMXZpbUlTZE1CZ3pTb0ZaeXU2VHFkK2p6eGdzUGFWOUJDcWV
+ |lL05qWWs2djZsSzljd2lVYy9TVHRmMUhEcE0zYjU5Mnk3aDNUaHg1b3pLNjlITHBZV3VBd2FxUzVjdjI
+ |2cTdjZWI4ZWZWWWFSZVAzaUZVOHpqMWtuU3daWEhNbW5DalkwT2dhbG83VVFmU0NNM3FRUXIySC9YRlA
+ |3c3NYeDQ1WWw5MUJ5ZUNlcDRtb1pvSCsxZkczeEQ0dFQ3eDhrd3lqOG53YjlldjI2VjBCNmQrN0g0ekt
+ |2dWRBSDUzN0ZqcXl6T0hkSm5IRXV6bVhxL1dqeE9idk5NYnY3bmh5d3NYMmFWc1d0QzgrNDhhTGVhcEU
+ |3cDV3S1ppMEEyQVFSVjVudlI0RSt1SmMrYjYxa0FwcUlueEJnbWQvNFY1UVAvbXQxOEhEQzdzUkhmdG1
+ |ldTVsbWhWMHJuL0FMWDIzMmJxZDRCRm5EeDdWaTFjV1MydWZmMEliQjQ3cWV4eG1VajlRdXRZanVwZDN
+ |0WUQ2YWJXQkJNcmgrYXBOYk9Lck5GMSt1Z0NhNHJpWEdmd01QUHRWaWF2aFUzWU1PQUFudVViL1IwN0w
+ |weU9TZU9hZEU4OEFwc1hGR2ZmMzB5bmhsSmdNNTFDVTZ2TjlFemducHZIQkZVeWlWcmFlUGl3SjUzREY
+ |1WlRabm9tRU5nODVrTlVkMm9KaTJXcHI0T21ta2ZONHg0ekhmaVZGYzhEdjhOenVoTnFPaWRpbEd2QTZ
+ |ER3VlWndPNzhBQVFuNmNpRWs2K3J3NVZjdmp2cU5EWVBPb0lVd2FLU2hyeEF1WExsa0g0YVl1R2ZNWUR
+ |jMTBXRjVUYTMxaFBKT2ZjVWhyVS9KbElOaTZjNmVsUllkQnBvNisrWWZqeDYxbEdOZlJtNE1ENXJKMWo
+ |zRm9HSG5qRFNCTmFyWVVnTUx5TXN6S3BiN3RYcG9IZlBzOGgzV3AxTHpOZk5rNTRYeEMxd0RHVW1Zelh
+ |ZZWZoNnovY0t0Vm00RUJ4YTlWUUdEellyM0xyVU1SakhFS2trN3phRktZUUEyaEdRVTF6Kzg1TkZXcFh
+ |Ecmt6M3Z4MTBHcXhRNkJ6ZU5ib0JrNW44azRuZWJSaCtrMWhXZnhURjBEMUV5V1VzNW52K2RnUXFLYXh
+ |6dUNkRTBpc0hsMDJOUThhaDBtWHIxMkxhM20wZjl3aWs5K3dMTlRNWS84Nk1Qbzh5aTMxT2Z4bVQ2UFd
+ |vcUc5K0RadWtZbmE1Nm1TWnQ1V1dTeTVxVkExcndVeUpxWEFsbnpraWFpL2dIU0Q3UmtUeWlob2dBQUF
+ |BQkpSVTVFcmtKZ2dnPT0iLCJzdXBwb3J0ZWRFeHRlbnNpb25zIjpbeyJpZCI6ImhtYWMtc2VjcmV0Iiw
+ |iZmFpbF9pZl91bmtub3duIjpmYWxzZX0seyJpZCI6ImNyZWRQcm90ZWN0IiwiZmFpbF9pZl91bmtub3d
+ |uIjpmYWxzZX1dLCJhdXRoZW50aWNhdG9yR2V0SW5mbyI6eyJ2ZXJzaW9ucyI6WyJVMkZfVjIiLCJGSUR
+ |PXzJfMCJdLCJleHRlbnNpb25zIjpbImNyZWRQcm90ZWN0IiwiaG1hYy1zZWNyZXQiXSwiYWFndWlkIjo
+ |iMDEzMmQxMTBiZjRlNDIwOGE0MDNhYjRmNWYxMmVmZTUiLCJvcHRpb25zIjp7InBsYXQiOiJmYWxzZSI
+ |sInJrIjoidHJ1ZSIsImNsaWVudFBpbiI6InRydWUiLCJ1cCI6InRydWUiLCJ1diI6InRydWUiLCJ1dlR
+ |va2VuIjoiZmFsc2UiLCJjb25maWciOiJmYWxzZSJ9LCJtYXhNc2dTaXplIjoxMjAwLCJwaW5VdkF1dGh
+ |Qcm90b2NvbHMiOlsxXSwibWF4Q3JlZGVudGlhbENvdW50SW5MaXN0IjoxNiwibWF4Q3JlZGVudGlhbEl
+ |kTGVuZ3RoIjoxMjgsInRyYW5zcG9ydHMiOlsidXNiIiwibmZjIl0sImFsZ29yaXRobXMiOlt7InR5cGU
+ |iOiJwdWJsaWMta2V5IiwiYWxnIjotN30seyJ0eXBlIjoicHVibGljLWtleSIsImFsZyI6LTI1N31dLCJ
+ |tYXhBdXRoZW50aWNhdG9yQ29uZmlnTGVuZ3RoIjoxMDI0LCJkZWZhdWx0Q3JlZFByb3RlY3QiOjIsImZ
+ |pcm13YXJlVmVyc2lvbiI6NX19LCJzdGF0dXNSZXBvcnRzIjpbeyJzdGF0dXMiOiJGSURPX0NFUlRJRkl
+ |FRCIsImVmZmVjdGl2ZURhdGUiOiIyMDE5LTAxLTA0In0seyJzdGF0dXMiOiJGSURPX0NFUlRJRklFRF9
+ |MMSIsImVmZmVjdGl2ZURhdGUiOiIyMDIwLTExLTE5IiwiY2VydGlmaWNhdGlvbkRlc2NyaXB0b3IiOiJ
+ |GSURPIEFsbGlhbmNlIFNhbXBsZSBGSURPMiBBdXRoZW50aWNhdG9yIiwiY2VydGlmaWNhdGVOdW1iZXI
+ |iOiJGSURPMjEwMDAyMDE1MTIyMTAwMSIsImNlcnRpZmljYXRpb25Qb2xpY3lWZXJzaW9uIjoiMS4wLjE
+ |iLCJjZXJ0aWZpY2F0aW9uUmVxdWlyZW1lbnRzVmVyc2lvbiI6IjEuMC4xIn1dLCJ0aW1lT2ZMYXN0U3R
+ |hdHVzQ2hhbmdlIjoiMjAxOS0wMS0wNCJ9XX0.-kc1wrorJA16bxLXXzeDkFEOCsbKAy2WDEzoCY-Aej_
+ |N0bWIOAmhpHGxSa3CXgmwFwgAuy230Eq_BHTO_RshsA
+ |""".stripMargin.replaceAll(raw"[ \n]+", "")
+
+}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala
new file mode 100644
index 000000000..9b8417814
--- /dev/null
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala
@@ -0,0 +1,925 @@
+package com.yubico.fido.metadata
+
+import com.fasterxml.jackson.databind.JsonNode
+import com.fasterxml.jackson.databind.node.ArrayNode
+import com.fasterxml.jackson.databind.node.JsonNodeFactory
+import com.fasterxml.jackson.databind.node.ObjectNode
+import com.fasterxml.jackson.databind.node.TextNode
+import com.yubico.internal.util.CertificateParser
+import com.yubico.webauthn.FinishRegistrationOptions
+import com.yubico.webauthn.RegistrationResult
+import com.yubico.webauthn.RelyingParty
+import com.yubico.webauthn.TestAuthenticator
+import com.yubico.webauthn.TestAuthenticator.AttestationMaker
+import com.yubico.webauthn.TestAuthenticator.AttestationSigner
+import com.yubico.webauthn.data.ByteArray
+import com.yubico.webauthn.data.COSEAlgorithmIdentifier
+import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
+import com.yubico.webauthn.data.PublicKeyCredentialParameters
+import com.yubico.webauthn.data.RelyingPartyIdentity
+import com.yubico.webauthn.data.UserIdentity
+import com.yubico.webauthn.test.Helpers
+import org.bouncycastle.asn1.x500.X500Name
+import org.bouncycastle.cert.jcajce.JcaX500NameUtil
+import org.junit.runner.RunWith
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatest.tags.Network
+import org.scalatest.tags.Slow
+import org.scalatestplus.junit.JUnitRunner
+
+import java.nio.charset.StandardCharsets
+import java.security.KeyPair
+import java.security.cert.CRL
+import java.security.cert.CertStore
+import java.security.cert.CollectionCertStoreParameters
+import java.security.cert.X509Certificate
+import java.time.Clock
+import java.time.Instant
+import java.time.ZoneOffset
+import java.util.Collections
+import scala.collection.mutable
+import scala.jdk.CollectionConverters.SeqHasAsJava
+import scala.jdk.CollectionConverters.SetHasAsJava
+import scala.jdk.CollectionConverters.SetHasAsScala
+import scala.jdk.FunctionConverters.enrichAsJavaPredicate
+import scala.jdk.OptionConverters.RichOption
+import scala.jdk.OptionConverters.RichOptional
+
+@Slow
+@Network
+@RunWith(classOf[JUnitRunner])
+class FidoMds3Spec extends FunSpec with Matchers {
+
+ private val CertValidFrom = Instant.parse("2022-02-15T17:00:00Z")
+ private val CertValidTo = Instant.parse("2022-03-15T17:00:00Z")
+
+ private def makeTrustRootCert(
+ distinguishedName: String =
+ "CN=Yubico java-webauthn-server unit tests, O=Yubico"
+ ): (X509Certificate, KeyPair, X500Name) = {
+ val keypair = TestAuthenticator.generateEcKeypair()
+ val name = new X500Name(distinguishedName)
+ (
+ TestAuthenticator.buildCertificate(
+ publicKey = keypair.getPublic,
+ issuerName = name,
+ subjectName = name,
+ signingKey = keypair.getPrivate,
+ signingAlg = COSEAlgorithmIdentifier.ES256,
+ validFrom = CertValidFrom,
+ validTo = CertValidTo,
+ ),
+ keypair,
+ name,
+ )
+ }
+
+ private def makeBlob(
+ body: String
+ ): (String, X509Certificate, java.util.Set[CRL]) = {
+ val (cert, keypair, certName) = makeTrustRootCert()
+ val header =
+ s"""{"alg":"ES256","x5c": ["${new ByteArray(
+ cert.getEncoded
+ ).getBase64}"]}"""
+ val blobTbs = new ByteArray(
+ header.getBytes(StandardCharsets.UTF_8)
+ ).getBase64Url + "." + new ByteArray(
+ body.getBytes(StandardCharsets.UTF_8)
+ ).getBase64Url
+ val blobSignature = TestAuthenticator.sign(
+ new ByteArray(blobTbs.getBytes(StandardCharsets.UTF_8)),
+ keypair.getPrivate,
+ COSEAlgorithmIdentifier.ES256,
+ )
+ (
+ blobTbs + "." + blobSignature.getBase64Url,
+ cert,
+ Set(
+ TestAuthenticator.buildCrl(
+ certName,
+ keypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ ).asJava,
+ )
+ }
+
+ def makeDownloader(
+ blobTuple: (String, X509Certificate, java.util.Set[CRL])
+ ): FidoMetadataDownloader =
+ blobTuple match {
+ case (
+ blobJwt: String,
+ cert: X509Certificate,
+ blobCrls: java.util.Set[CRL],
+ ) =>
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(cert)
+ .useBlob(blobJwt)
+ .clock(
+ Clock
+ .fixed(
+ Instant.parse("2022-02-22T18:00:00Z"),
+ ZoneOffset.UTC,
+ )
+ )
+ .useCrls(blobCrls)
+ .build()
+ }
+
+ describe("§3.2. Metadata BLOB object processing rules") {
+ describe("8. Iterate through the individual entries (of type MetadataBLOBPayloadEntry). For each entry:") {
+ describe("1. Ignore the entry if the AAID, AAGUID or attestationCertificateKeyIdentifiers is not relevant to the relying party (e.g. not acceptable by any policy)") {
+ val jf: JsonNodeFactory = JsonNodeFactory.instance
+
+ val aaidA = new AAID("aaaa#0000")
+ val aaidB = new AAID("bbbb#1111")
+ val aaidC = new AAID("cccc#2222")
+
+ val aaguidA =
+ new AAGUID(ByteArray.fromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
+ val aaguidB =
+ new AAGUID(ByteArray.fromHex("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"))
+ val aaguidC =
+ new AAGUID(ByteArray.fromHex("cccccccccccccccccccccccccccccccc"))
+
+ val ackiA = Set("aa")
+ val ackiB = Set("bb")
+ val ackiC = Set("cc")
+
+ def makeEntry(
+ aaid: Option[AAID] = None,
+ aaguid: Option[AAGUID] = None,
+ acki: Option[Set[String]] = None,
+ ): String = {
+ val entry = JacksonCodecs
+ .jsonWithDefaultEnums()
+ .readTree(s"""{
+ "metadataStatement": {
+ "authenticatorVersion": 1,
+ "attachmentHint" : ["internal"],
+ "attestationRootCertificates": ["MIIB2DCCAX2gAwIBAgICAaswCgYIKoZIzj0EAwIwajEmMCQGA1UEAwwdWXViaWNvIFdlYkF1dGhuIHVuaXQgdGVzdHMgQ0ExDzANBgNVBAoMBll1YmljbzEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjELMAkGA1UEBhMCU0UwHhcNMTgwOTA2MTc0MjAwWhcNMTgwOTEzMTc0MjAwWjBqMSYwJAYDVQQDDB1ZdWJpY28gV2ViQXV0aG4gdW5pdCB0ZXN0cyBDQTEPMA0GA1UECgwGWXViaWNvMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMQswCQYDVQQGEwJTRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLtJrr5PYSc4KhmUcwBzgZgNadDnCs/ow2oh2jiKYUqq1A6hFcFf1NPfXLQjP2I4fBI36T6/QR2iY9mbqyP5iVejEzARMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANWaM2Tf2HPKc+ibCr8G4cxpQVr9Gib47a0CpqagCSCwAiEA3oKlX/ID94FKzgHvD2gyCKQU6RltAOMShVwoljj/5+E="],
+ "attestationTypes" : ["basic_full"],
+ "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+ "description" : "Test authenticator",
+ "keyProtection" : ["software"],
+ "matcherProtection" : ["software"],
+ "protocolFamily" : "u2f",
+ "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+ "schema" : 3,
+ "tcDisplay" : [],
+ "upv" : [{ "major" : 1, "minor" : 1 }],
+ "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+ },
+ "statusReports": [],
+ "timeOfLastStatusChange": "2022-02-21"
+ }""")
+ .asInstanceOf[ObjectNode]
+ aaid.foreach(aaid =>
+ entry.set[ObjectNode]("aaid", new TextNode(aaid.getValue))
+ )
+ aaguid.foreach(aaguid =>
+ entry.set[ObjectNode]("aaguid", new TextNode(aaguid.asGuidString))
+ )
+ acki.foreach(acki =>
+ entry.set[ObjectNode](
+ "attestationCertificateKeyIdentifiers",
+ new ArrayNode(
+ jf,
+ acki.toList.map[JsonNode](new TextNode(_)).asJava,
+ ),
+ )
+ )
+ JacksonCodecs.jsonWithDefaultEnums.writeValueAsString(entry)
+ }
+
+ def makeMds(
+ blobTuple: (String, X509Certificate, java.util.Set[CRL]),
+ attestationCrls: Set[CRL] = Set.empty,
+ )(filter: MetadataBLOBPayloadEntry => Boolean): FidoMetadataService =
+ FidoMetadataService
+ .builder()
+ .useBlob(makeDownloader(blobTuple).loadCachedBlob())
+ .prefilter(filter.asJava)
+ .certStore(
+ CertStore.getInstance(
+ "Collection",
+ new CollectionCertStoreParameters(attestationCrls.asJava),
+ )
+ )
+ .build()
+
+ val blobTuple = makeBlob(s"""{
+ "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "nextUpdate" : "2022-12-01",
+ "no" : 0,
+ "entries": [
+ ${makeEntry(aaid = Some(aaidA))},
+ ${makeEntry(aaguid = Some(aaguidA))},
+ ${makeEntry(acki = Some(ackiA))},
+
+ ${makeEntry(aaid = Some(aaidB), aaguid = Some(aaguidB))},
+ ${makeEntry(aaguid = Some(aaguidB), acki = Some(ackiB))},
+ ${makeEntry(aaid = Some(aaidB), acki = Some(ackiB))},
+
+ ${makeEntry(
+ aaid = Some(aaidC),
+ aaguid = Some(aaguidC),
+ acki = Some(ackiC),
+ )}
+ ]
+ }""")
+
+ it("Filtering in getFilteredEntries works as expected.") {
+ def count(filter: MetadataBLOBPayloadEntry => Boolean): Long =
+ makeMds(blobTuple)(filter).findEntries(_ => true).size
+
+ implicit class MetadataBLOBPayloadEntryWithAbbreviatedAttestationCertificateKeyIdentifiers(
+ entry: MetadataBLOBPayloadEntry
+ ) {
+ def getACKI: mutable.Set[String] =
+ entry.getAttestationCertificateKeyIdentifiers.asScala
+ }
+
+ count(_ => false) should be(0)
+ count(_ => true) should be(7)
+
+ count(_.getAaid.toScala.contains(aaidA)) should be(1)
+ count(_.getAaguid.toScala.contains(aaguidA)) should be(1)
+ count(_.getACKI == ackiA) should be(1)
+
+ count(_.getAaid.toScala.contains(aaidB)) should be(2)
+ count(_.getAaguid.toScala.contains(aaguidB)) should be(2)
+ count(_.getACKI == ackiB) should be(2)
+
+ count(_.getAaid.toScala.contains(aaidC)) should be(1)
+ count(_.getAaguid.toScala.contains(aaguidC)) should be(1)
+ count(_.getACKI == ackiC) should be(1)
+
+ count(entry =>
+ entry.getAaid.toScala.contains(aaidA) || entry.getAaguid.toScala
+ .contains(aaguidA) || entry.getACKI == ackiA
+ ) should be(3)
+ count(entry =>
+ entry.getAaid.toScala.contains(aaidB) || entry.getAaguid.toScala
+ .contains(aaguidB) || entry.getACKI == ackiB
+ ) should be(3)
+ count(entry =>
+ entry.getAaid.toScala.contains(aaidC) || entry.getAaguid.toScala
+ .contains(aaguidC) || entry.getACKI == ackiC
+ ) should be(1)
+
+ count(!_.getAaid.toScala.contains(aaidA)) should be(6)
+ count(!_.getAaguid.toScala.contains(aaguidA)) should be(6)
+ count(_.getACKI != ackiA) should be(6)
+
+ count(!_.getAaid.toScala.contains(aaidB)) should be(5)
+ count(!_.getAaguid.toScala.contains(aaguidB)) should be(5)
+ count(_.getACKI != ackiB) should be(5)
+
+ count(!_.getAaid.toScala.contains(aaidC)) should be(6)
+ count(!_.getAaguid.toScala.contains(aaguidC)) should be(6)
+ count(_.getACKI != ackiC) should be(6)
+
+ makeMds(blobTuple)(
+ _.getAaid.toScala.contains(aaidA)
+ ).findEntries(_ => true).forEach(_.getAaid.get should be(aaidA))
+ makeMds(blobTuple)(
+ _.getAaguid.toScala.contains(aaguidB)
+ ).findEntries(_ => true).forEach(_.getAaguid.get should be(aaguidB))
+ makeMds(blobTuple)(
+ _.getACKI == ackiC
+ ).findEntries(_ => true).forEach(_.getAaguid.get should be(aaguidC))
+ }
+
+ it("Filtering correctly impacts the trust verdict in RelyingParty.finishRegistration.") {
+ val rpIdentity = RelyingPartyIdentity
+ .builder()
+ .id(TestAuthenticator.Defaults.rpId)
+ .name("Test RP")
+ .build()
+ val (pkc, _, attestationChain) =
+ TestAuthenticator.createBasicAttestedCredential(
+ aaguid = aaguidA.asBytes,
+ attestationMaker = AttestationMaker.packed(
+ AttestationSigner.ca(
+ COSEAlgorithmIdentifier.ES256,
+ aaguid = aaguidA.asBytes,
+ validFrom = CertValidFrom,
+ validTo = CertValidTo,
+ )
+ ),
+ )
+ val attestationCrls = attestationChain.tail
+ .map({
+ case (cert, key) =>
+ TestAuthenticator.buildCrl(
+ JcaX500NameUtil.getSubject(cert),
+ key,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ })
+ .toSet
+ val attestationRootBase64 =
+ new ByteArray(attestationChain.last._1.getEncoded).getBase64
+
+ val blobTuple = makeBlob(s"""{
+ "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "nextUpdate" : "2022-12-01",
+ "no" : 0,
+ "entries": [{
+ "aaguid": "${aaguidA.asHexString}",
+ "metadataStatement": {
+ "authenticatorVersion": 1,
+ "attachmentHint" : ["internal"],
+ "attestationRootCertificates": ["${attestationRootBase64}"],
+ "attestationTypes" : ["basic_full"],
+ "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+ "description" : "Test authenticator",
+ "keyProtection" : ["software"],
+ "matcherProtection" : ["software"],
+ "protocolFamily" : "u2f",
+ "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+ "schema" : 3,
+ "tcDisplay" : [],
+ "upv" : [{ "major" : 1, "minor" : 1 }],
+ "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+ },
+ "statusReports": [],
+ "timeOfLastStatusChange": "2022-02-21"
+ }]
+ }""")
+
+ val finishRegistrationOptions = FinishRegistrationOptions
+ .builder()
+ .request(
+ PublicKeyCredentialCreationOptions
+ .builder()
+ .rp(rpIdentity)
+ .user(
+ UserIdentity
+ .builder()
+ .name("test")
+ .displayName("Test user")
+ .id(ByteArray.fromHex("01020304"))
+ .build()
+ )
+ .challenge(TestAuthenticator.Defaults.challenge)
+ .pubKeyCredParams(
+ Collections.singletonList(PublicKeyCredentialParameters.ES256)
+ )
+ .build()
+ )
+ .response(pkc)
+ .build()
+
+ def finishRegistration(
+ filter: MetadataBLOBPayloadEntry => Boolean
+ ): RegistrationResult = {
+ val mds =
+ makeMds(blobTuple, attestationCrls = attestationCrls)(filter)
+ RelyingParty
+ .builder()
+ .identity(rpIdentity)
+ .credentialRepository(Helpers.CredentialRepository.empty)
+ .attestationTrustSource(mds)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .finishRegistration(finishRegistrationOptions)
+ }
+
+ finishRegistration(
+ _.getAaguid.toScala.contains(aaguidA)
+ ).isAttestationTrusted should be(true)
+ finishRegistration(
+ _.getAaguid.toScala.contains(aaguidB)
+ ).isAttestationTrusted should be(false)
+ }
+ }
+
+ describe("2.1. Check whether the status report of the authenticator model has changed compared to the cached entry by looking at the fields timeOfLastStatusChange and statusReport.") {
+ it("Nothing to test - cache is implemented on the metadata BLOB as a whole.") {}
+ }
+
+ describe("2.2. Update the status of the cached entry. It is up to the relying party to specify behavior for authenticators with status reports that indicate a lack of certification, or known security issues. However, the status REVOKED indicates significant security issues related to such authenticators.") {
+ it("Nothing to test for caching - cache is implemented on the metadata BLOB as a whole.") {}
+
+ it("REVOKED authenticators are untrusted by default") {
+ val aaguidA =
+ new AAGUID(ByteArray.fromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
+ val aaguidB =
+ new AAGUID(ByteArray.fromHex("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"))
+
+ def makeMds(
+ blobTuple: (String, X509Certificate, java.util.Set[CRL])
+ ): FidoMetadataService =
+ FidoMetadataService
+ .builder()
+ .useBlob(makeDownloader(blobTuple).loadCachedBlob())
+ .build()
+
+ val mds = makeMds(makeBlob(s"""{
+ "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "nextUpdate" : "2022-12-01",
+ "no" : 0,
+ "entries": [
+ {
+ "aaguid": "${aaguidA.asGuidString()}",
+ "metadataStatement": {
+ "authenticatorVersion": 1,
+ "attachmentHint" : ["internal"],
+ "attestationRootCertificates": ["MIIB2DCCAX2gAwIBAgICAaswCgYIKoZIzj0EAwIwajEmMCQGA1UEAwwdWXViaWNvIFdlYkF1dGhuIHVuaXQgdGVzdHMgQ0ExDzANBgNVBAoMBll1YmljbzEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjELMAkGA1UEBhMCU0UwHhcNMTgwOTA2MTc0MjAwWhcNMTgwOTEzMTc0MjAwWjBqMSYwJAYDVQQDDB1ZdWJpY28gV2ViQXV0aG4gdW5pdCB0ZXN0cyBDQTEPMA0GA1UECgwGWXViaWNvMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMQswCQYDVQQGEwJTRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLtJrr5PYSc4KhmUcwBzgZgNadDnCs/ow2oh2jiKYUqq1A6hFcFf1NPfXLQjP2I4fBI36T6/QR2iY9mbqyP5iVejEzARMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANWaM2Tf2HPKc+ibCr8G4cxpQVr9Gib47a0CpqagCSCwAiEA3oKlX/ID94FKzgHvD2gyCKQU6RltAOMShVwoljj/5+E="],
+ "attestationTypes" : ["basic_full"],
+ "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+ "description" : "Test authenticator",
+ "keyProtection" : ["software"],
+ "matcherProtection" : ["software"],
+ "protocolFamily" : "u2f",
+ "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+ "schema" : 3,
+ "tcDisplay" : [],
+ "upv" : [{ "major" : 1, "minor" : 1 }],
+ "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+ },
+ "statusReports": [],
+ "timeOfLastStatusChange": "2022-02-21"
+ },
+ {
+ "aaguid": "${aaguidB.asGuidString()}",
+ "metadataStatement": {
+ "authenticatorVersion": 1,
+ "attachmentHint" : ["internal"],
+ "attestationRootCertificates": ["MIIB2DCCAX2gAwIBAgICAaswCgYIKoZIzj0EAwIwajEmMCQGA1UEAwwdWXViaWNvIFdlYkF1dGhuIHVuaXQgdGVzdHMgQ0ExDzANBgNVBAoMBll1YmljbzEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjELMAkGA1UEBhMCU0UwHhcNMTgwOTA2MTc0MjAwWhcNMTgwOTEzMTc0MjAwWjBqMSYwJAYDVQQDDB1ZdWJpY28gV2ViQXV0aG4gdW5pdCB0ZXN0cyBDQTEPMA0GA1UECgwGWXViaWNvMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMQswCQYDVQQGEwJTRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLtJrr5PYSc4KhmUcwBzgZgNadDnCs/ow2oh2jiKYUqq1A6hFcFf1NPfXLQjP2I4fBI36T6/QR2iY9mbqyP5iVejEzARMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANWaM2Tf2HPKc+ibCr8G4cxpQVr9Gib47a0CpqagCSCwAiEA3oKlX/ID94FKzgHvD2gyCKQU6RltAOMShVwoljj/5+E="],
+ "attestationTypes" : ["basic_full"],
+ "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+ "description" : "Test authenticator",
+ "keyProtection" : ["software"],
+ "matcherProtection" : ["software"],
+ "protocolFamily" : "u2f",
+ "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+ "schema" : 3,
+ "tcDisplay" : [],
+ "upv" : [{ "major" : 1, "minor" : 1 }],
+ "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+ },
+ "statusReports": [{ "status": "REVOKED" }],
+ "timeOfLastStatusChange": "2022-02-21"
+ }
+ ]
+ }"""))
+
+ mds
+ .findEntries(_ => true)
+ .asScala
+ .map(_.getAaguid.toScala) should equal(Set(Some(aaguidA)))
+ }
+ }
+
+ describe("2.3. Note: Authenticators with an unacceptable status should be marked accordingly. This information is required for building registration and authentication policies included in the registration request and the authentication request [UAFProtocol].") {
+ it("Nothing to test - status processing is left for library users to implement.") {}
+ }
+
+ describe("3. Update the cached metadata statement.") {
+ it("Nothing to test - cache is implemented on the metadata BLOB as a whole.") {}
+ }
+ }
+ }
+
+ it("More [AuthenticatorTransport] values might be added in the future. FIDO Servers MUST silently ignore all unknown AuthenticatorStatus values.") {
+ val (blobJwt, cert, crls) = makeBlob("""{
+ "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "nextUpdate" : "2022-12-01",
+ "no" : 0,
+ "entries": [
+ {
+ "aaguid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
+ "statusReports": [
+ {
+ "status": "ARGHABLARGHLER",
+ "effectiveDate": "2022-02-15"
+ },
+ {
+ "status": "NOT_FIDO_CERTIFIED",
+ "effectiveDate": "2022-02-16"
+ }
+ ],
+ "timeOfLastStatusChange": "2022-02-15"
+ }
+ ]
+ }""")
+ val downloader: FidoMetadataDownloader = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(cert)
+ .useBlob(blobJwt)
+ .clock(
+ Clock.fixed(Instant.parse("2022-02-15T18:00:00Z"), ZoneOffset.UTC)
+ )
+ .useCrls(crls)
+ .build()
+ val mds =
+ FidoMetadataService.builder().useBlob(downloader.loadCachedBlob()).build()
+ mds should not be null
+
+ val entries = mds
+ .findEntries(
+ Collections.emptyList(),
+ Some(
+ new AAGUID(ByteArray.fromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
+ ).toJava,
+ )
+ .asScala
+ entries should not be empty
+ entries should have size 1
+ entries.head.getStatusReports should have size 1
+ entries.head.getStatusReports.get(0).getStatus should be(
+ AuthenticatorStatus.NOT_FIDO_CERTIFIED
+ )
+ }
+
+ describe("The Relying party MUST reject the Metadata Statement if the authenticatorVersion has not increased [with an UPDATE_AVAILABLE AuthenticatorStatus].") {
+
+ val aaguid =
+ new AAGUID(ByteArray.fromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
+
+ def makeStatusReportsBlob(
+ statusReports: String,
+ timeOfLastStatusChange: String,
+ authenticatorVersion: Int = 1,
+ ): (String, X509Certificate, java.util.Set[CRL]) =
+ makeBlob(s"""{
+ "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "nextUpdate" : "2022-12-01",
+ "no" : 0,
+ "entries": [
+ {
+ "aaguid": "${aaguid.asGuidString}",
+ "metadataStatement": {
+ "authenticatorVersion": ${authenticatorVersion},
+ "attachmentHint" : ["internal"],
+ "attestationRootCertificates" : ["MIIB2DCCAX2gAwIBAgICAaswCgYIKoZIzj0EAwIwajEmMCQGA1UEAwwdWXViaWNvIFdlYkF1dGhuIHVuaXQgdGVzdHMgQ0ExDzANBgNVBAoMBll1YmljbzEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjELMAkGA1UEBhMCU0UwHhcNMTgwOTA2MTc0MjAwWhcNMTgwOTEzMTc0MjAwWjBqMSYwJAYDVQQDDB1ZdWJpY28gV2ViQXV0aG4gdW5pdCB0ZXN0cyBDQTEPMA0GA1UECgwGWXViaWNvMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMQswCQYDVQQGEwJTRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLtJrr5PYSc4KhmUcwBzgZgNadDnCs/ow2oh2jiKYUqq1A6hFcFf1NPfXLQjP2I4fBI36T6/QR2iY9mbqyP5iVejEzARMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANWaM2Tf2HPKc+ibCr8G4cxpQVr9Gib47a0CpqagCSCwAiEA3oKlX/ID94FKzgHvD2gyCKQU6RltAOMShVwoljj/5+E="],
+ "attestationTypes" : ["basic_full"],
+ "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+ "description" : "Test authenticator",
+ "keyProtection" : ["software"],
+ "matcherProtection" : ["software"],
+ "protocolFamily" : "u2f",
+ "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+ "schema" : 3,
+ "tcDisplay" : [],
+ "upv" : [{ "major" : 1, "minor" : 1 }],
+ "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+ },
+ "statusReports": ${statusReports},
+ "timeOfLastStatusChange": "${timeOfLastStatusChange}"
+ }
+ ]
+ }""")
+
+ def makeMds(
+ blobTuple: (String, X509Certificate, java.util.Set[CRL])
+ ): FidoMetadataService =
+ FidoMetadataService
+ .builder()
+ .useBlob(makeDownloader(blobTuple).loadCachedBlob())
+ .build()
+
+ it("A metadata statement with UPDATE_AVAILABLE with authenticatorVersion greater than top-level authenticatorVersion is ignored.") {
+ val mds = makeMds(
+ makeStatusReportsBlob(
+ """[
+ {
+ "status": "UPDATE_AVAILABLE",
+ "effectiveDate": "2022-02-15",
+ "authenticatorVersion": 2
+ }
+ ]""",
+ "2022-02-16",
+ authenticatorVersion = 1,
+ )
+ )
+
+ mds
+ .findEntries(Collections.emptyList(), Some(aaguid).toJava)
+ .asScala shouldBe empty
+ }
+
+ it("A metadata statement with UPDATE_AVAILABLE with authenticatorVersion equal to top-level authenticatorVersion is accepted.") {
+ val mds = makeMds(
+ makeStatusReportsBlob(
+ """[
+ {
+ "status": "UPDATE_AVAILABLE",
+ "effectiveDate": "2022-02-15",
+ "authenticatorVersion": 2
+ }
+ ]""",
+ "2022-02-16",
+ authenticatorVersion = 2,
+ )
+ )
+
+ mds
+ .findEntries(Collections.emptyList(), Some(aaguid).toJava)
+ .asScala should not be empty
+ }
+
+ it("A metadata statement with UPDATE_AVAILABLE with authenticatorVersion less than top-level authenticatorVersion is accepted.") {
+ val mds = makeMds(
+ makeStatusReportsBlob(
+ """[
+ {
+ "status": "UPDATE_AVAILABLE",
+ "effectiveDate": "2022-02-15",
+ "authenticatorVersion": 2
+ }
+ ]""",
+ "2022-02-16",
+ authenticatorVersion = 3,
+ )
+ )
+
+ mds
+ .findEntries(Collections.emptyList(), Some(aaguid).toJava)
+ .asScala should not be empty
+ }
+ }
+
+ describe("The noAttestationKeyCompromise filter") {
+
+ val attestationRoot = TestAuthenticator.generateAttestationCaCertificate()
+ val rootCertBase64 = new ByteArray(attestationRoot._1.getEncoded).getBase64
+
+ val (compromisedCert, _) =
+ TestAuthenticator.generateAttestationCertificate(
+ name = new X500Name("CN=Compromised cert 1"),
+ caCertAndKey = Some(attestationRoot),
+ )
+ val (goodCert, _) = TestAuthenticator.generateAttestationCertificate(
+ name = new X500Name("CN=Good cert"),
+ caCertAndKey = Some(attestationRoot),
+ )
+
+ val (compromisedCert2a, _) =
+ TestAuthenticator.generateAttestationCertificate(
+ name = new X500Name("CN=Compromised cert 2a"),
+ caCertAndKey = Some(attestationRoot),
+ )
+ val (compromisedCert2b, _) =
+ TestAuthenticator.generateAttestationCertificate(
+ name = new X500Name("CN=Compromised cert 2b"),
+ caCertAndKey = Some(attestationRoot),
+ )
+
+ val (unrelatedCert, _) =
+ TestAuthenticator.generateAttestationCertificate(name =
+ new X500Name("CN=Unrelated cert")
+ )
+
+ val compromisedCertKeyIdentifier = new ByteArray(
+ CertificateParser.computeSubjectKeyIdentifier(compromisedCert)
+ ).getHex
+ val compromisedCert2aKeyIdentifier = new ByteArray(
+ CertificateParser.computeSubjectKeyIdentifier(compromisedCert2a)
+ ).getHex
+ val compromisedCert2bKeyIdentifier = new ByteArray(
+ CertificateParser.computeSubjectKeyIdentifier(compromisedCert2b)
+ ).getHex
+ val goodCertKeyIdentifier = new ByteArray(
+ CertificateParser.computeSubjectKeyIdentifier(goodCert)
+ ).getHex
+
+ val aaguidA =
+ new AAGUID(ByteArray.fromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
+ val aaguidB =
+ new AAGUID(ByteArray.fromHex("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"))
+ val aaguidC =
+ new AAGUID(ByteArray.fromHex("cccccccccccccccccccccccccccccccc"))
+
+ val blob: MetadataBLOBPayload =
+ JacksonCodecs.jsonWithDefaultEnums.readValue(
+ s"""{
+ "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "nextUpdate" : "2022-12-01",
+ "no" : 0,
+ "entries": [
+ {
+ "aaguid": "${aaguidA.asGuidString()}",
+ "attestationCertificateKeyIdentifiers": ["${goodCertKeyIdentifier}"],
+ "metadataStatement": {
+ "aaguid": "${aaguidA.asGuidString()}",
+ "attestationCertificateKeyIdentifiers": ["${goodCertKeyIdentifier}"],
+ "authenticatorVersion": 1,
+ "attachmentHint" : ["internal"],
+ "attestationRootCertificates": ["${rootCertBase64}"],
+ "attestationTypes" : ["basic_full"],
+ "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+ "description" : "Test authenticator",
+ "keyProtection" : ["software"],
+ "matcherProtection" : ["software"],
+ "protocolFamily" : "u2f",
+ "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+ "schema" : 3,
+ "tcDisplay" : [],
+ "upv" : [{ "major" : 1, "minor" : 1 }],
+ "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+ },
+ "statusReports": [],
+ "timeOfLastStatusChange": "2022-02-15"
+ },
+
+ {
+ "aaguid": "${aaguidB.asGuidString()}",
+ "attestationCertificateKeyIdentifiers": ["${compromisedCertKeyIdentifier}"],
+ "metadataStatement": {
+ "aaguid": "${aaguidB.asGuidString()}",
+ "attestationCertificateKeyIdentifiers": ["${compromisedCertKeyIdentifier}"],
+ "authenticatorVersion": 1,
+ "attachmentHint" : ["internal"],
+ "attestationRootCertificates": ["${rootCertBase64}"],
+ "attestationTypes" : ["basic_full"],
+ "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+ "description" : "Test authenticator",
+ "keyProtection" : ["software"],
+ "matcherProtection" : ["software"],
+ "protocolFamily" : "u2f",
+ "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+ "schema" : 3,
+ "tcDisplay" : [],
+ "upv" : [{ "major" : 1, "minor" : 1 }],
+ "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+ },
+ "statusReports": [
+ {
+ "status": "ATTESTATION_KEY_COMPROMISE",
+ "certificate": "${new ByteArray(compromisedCert.getEncoded).getBase64}"
+ }
+ ],
+ "timeOfLastStatusChange": "2022-02-15"
+ },
+
+ {
+ "aaguid": "${aaguidC.asGuidString()}",
+ "attestationCertificateKeyIdentifiers": ["${compromisedCert2aKeyIdentifier}"],
+ "metadataStatement": {
+ "aaguid": "${aaguidC.asGuidString()}",
+ "attestationCertificateKeyIdentifiers": ["${compromisedCert2bKeyIdentifier}"],
+ "authenticatorVersion": 1,
+ "attachmentHint" : ["internal"],
+ "attestationRootCertificates": ["${rootCertBase64}"],
+ "attestationTypes" : ["basic_full"],
+ "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+ "description" : "Test authenticator",
+ "keyProtection" : ["software"],
+ "matcherProtection" : ["software"],
+ "protocolFamily" : "u2f",
+ "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+ "schema" : 3,
+ "tcDisplay" : [],
+ "upv" : [{ "major" : 1, "minor" : 1 }],
+ "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+ },
+ "statusReports": [
+ { "status": "ATTESTATION_KEY_COMPROMISE" }
+ ],
+ "timeOfLastStatusChange": "2022-02-15"
+ }
+ ]
+ }""".stripMargin,
+ classOf[MetadataBLOBPayload],
+ )
+
+ it("is enabled by default.") {
+ val mds = FidoMetadataService.builder().useBlob(blob).build()
+
+ mds
+ .findTrustRoots(
+ List(unrelatedCert).asJava,
+ Some(aaguidA.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala should not be empty
+
+ mds
+ .findTrustRoots(
+ List(goodCert).asJava,
+ None.toJava,
+ )
+ .getTrustRoots
+ .asScala should not be empty
+
+ mds
+ .findTrustRoots(
+ List(compromisedCert).asJava,
+ Some(aaguidB.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala shouldBe empty
+
+ mds
+ .findTrustRoots(
+ List(unrelatedCert).asJava,
+ Some(aaguidC.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala shouldBe empty
+
+ mds
+ .findTrustRoots(
+ List(compromisedCert).asJava,
+ None.toJava,
+ )
+ .getTrustRoots
+ .asScala shouldBe empty
+
+ mds
+ .findTrustRoots(
+ List(compromisedCert2a).asJava,
+ None.toJava,
+ )
+ .getTrustRoots
+ .asScala shouldBe empty
+
+ mds
+ .findTrustRoots(
+ List(compromisedCert2b).asJava,
+ None.toJava,
+ )
+ .getTrustRoots
+ .asScala shouldBe empty
+ }
+
+ it("can be enabled explicitly.") {
+ val mds = FidoMetadataService
+ .builder()
+ .useBlob(blob)
+ .filter(FidoMetadataService.Filters.noAttestationKeyCompromise())
+ .build()
+
+ mds
+ .findTrustRoots(
+ List(goodCert).asJava,
+ Some(aaguidA.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala should not be empty
+
+ mds
+ .findTrustRoots(
+ List(compromisedCert).asJava,
+ Some(aaguidB.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala shouldBe empty
+
+ mds
+ .findTrustRoots(
+ List(unrelatedCert).asJava,
+ Some(aaguidC.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala shouldBe empty
+ }
+
+ it("can be overridden with a different filter.") {
+ val mds =
+ FidoMetadataService.builder().useBlob(blob).filter(_ => true).build()
+
+ mds
+ .findTrustRoots(
+ List(compromisedCert).asJava,
+ Some(aaguidB.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala should not be empty
+
+ mds
+ .findTrustRoots(
+ List(compromisedCert).asJava,
+ Some(aaguidB.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala should not be empty
+
+ mds
+ .findTrustRoots(
+ List(unrelatedCert).asJava,
+ Some(aaguidC.asBytes).toJava,
+ )
+ .getTrustRoots
+ .asScala should not be empty
+ }
+
+ }
+
+}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMetadataDownloaderSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMetadataDownloaderSpec.scala
new file mode 100644
index 000000000..e23c2b126
--- /dev/null
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMetadataDownloaderSpec.scala
@@ -0,0 +1,1850 @@
+package com.yubico.fido.metadata
+
+import com.fasterxml.jackson.databind.node.IntNode
+import com.fasterxml.jackson.databind.node.ObjectNode
+import com.yubico.fido.metadata.FidoMetadataDownloaderException.Reason
+import com.yubico.internal.util.BinaryUtil
+import com.yubico.internal.util.JacksonCodecs
+import com.yubico.webauthn.TestAuthenticator
+import com.yubico.webauthn.data.ByteArray
+import com.yubico.webauthn.data.COSEAlgorithmIdentifier
+import org.bouncycastle.asn1.x500.X500Name
+import org.eclipse.jetty.server.HttpConfiguration
+import org.eclipse.jetty.server.HttpConnectionFactory
+import org.eclipse.jetty.server.Request
+import org.eclipse.jetty.server.SecureRequestCustomizer
+import org.eclipse.jetty.server.Server
+import org.eclipse.jetty.server.ServerConnector
+import org.eclipse.jetty.server.SslConnectionFactory
+import org.eclipse.jetty.server.handler.AbstractHandler
+import org.eclipse.jetty.util.ssl.SslContextFactory
+import org.eclipse.jetty.util.thread.QueuedThreadPool
+import org.junit.runner.RunWith
+import org.scalatest.BeforeAndAfter
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatest.tags.Network
+import org.scalatestplus.junit.JUnitRunner
+
+import java.io.File
+import java.io.FileInputStream
+import java.io.FileOutputStream
+import java.net.URL
+import java.nio.charset.StandardCharsets
+import java.security.DigestException
+import java.security.KeyPair
+import java.security.KeyStore
+import java.security.SecureRandom
+import java.security.cert.CRL
+import java.security.cert.CertPathValidatorException
+import java.security.cert.CertPathValidatorException.BasicReason
+import java.security.cert.X509Certificate
+import java.time.Clock
+import java.time.Instant
+import java.time.LocalDate
+import java.time.ZoneOffset
+import java.util.Optional
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
+import scala.jdk.CollectionConverters.ListHasAsScala
+import scala.jdk.CollectionConverters.SeqHasAsJava
+import scala.jdk.CollectionConverters.SetHasAsJava
+import scala.util.Success
+import scala.util.Try
+
+@Network
+@RunWith(classOf[JUnitRunner])
+class FidoMetadataDownloaderSpec
+ extends FunSpec
+ with Matchers
+ with BeforeAndAfter {
+
+ var httpServer: Option[Server] = None
+ after {
+ for { server <- httpServer } {
+ server.stop()
+ }
+ httpServer = None
+ }
+ private def startServer(server: Server): Unit = {
+ httpServer = Some(server)
+ server.start()
+ }
+
+ val CertValidFrom: Instant = Instant.parse("2022-02-18T12:00:00Z")
+ val CertValidTo: Instant = Instant.parse("2022-03-20T12:00:00Z")
+
+ private def makeTrustRootCert(
+ distinguishedName: String =
+ "CN=Yubico java-webauthn-server unit tests CA, O=Yubico",
+ validFrom: Instant = CertValidFrom,
+ validTo: Instant = CertValidTo,
+ ): (X509Certificate, KeyPair, X500Name) = {
+ val keypair = TestAuthenticator.generateEcKeypair()
+ val name = new X500Name(distinguishedName)
+ (
+ TestAuthenticator.buildCertificate(
+ publicKey = keypair.getPublic,
+ issuerName = name,
+ subjectName = name,
+ signingKey = keypair.getPrivate,
+ signingAlg = COSEAlgorithmIdentifier.ES256,
+ isCa = true,
+ validFrom = validFrom,
+ validTo = validTo,
+ ),
+ keypair,
+ name,
+ )
+ }
+
+ private def makeCert(
+ caKeypair: KeyPair,
+ caName: X500Name,
+ validFrom: Instant = CertValidFrom,
+ validTo: Instant = CertValidTo,
+ isCa: Boolean = false,
+ name: String =
+ "CN=Yubico java-webauthn-server unit tests blob cert, O=Yubico",
+ ): (X509Certificate, KeyPair, X500Name) = {
+ val keypair = TestAuthenticator.generateEcKeypair()
+ val x500Name = new X500Name(name)
+ (
+ TestAuthenticator.buildCertificate(
+ publicKey = keypair.getPublic,
+ issuerName = caName,
+ subjectName = x500Name,
+ signingKey = caKeypair.getPrivate,
+ signingAlg = COSEAlgorithmIdentifier.ES256,
+ isCa = isCa,
+ validFrom = validFrom,
+ validTo = validTo,
+ ),
+ keypair,
+ x500Name,
+ )
+ }
+
+ private def makeCertChain(
+ caKeypair: KeyPair,
+ caName: X500Name,
+ chainLength: Int,
+ validFrom: Instant = CertValidFrom,
+ validTo: Instant = CertValidTo,
+ leafName: String =
+ "CN=Yubico java-webauthn-server unit tests blob cert, O=Yubico",
+ ): List[(X509Certificate, KeyPair, X500Name)] = {
+ var certs: List[(X509Certificate, KeyPair, X500Name)] = Nil
+ var currentKeypair = caKeypair
+ var currentName = caName
+
+ for { i <- 1 to chainLength } {
+ val (cert, keypair, name) = makeCert(
+ currentKeypair,
+ currentName,
+ validFrom = validFrom,
+ validTo = validTo,
+ name =
+ if (i == chainLength) leafName else s"CN=Test intermediate CA ${i}",
+ isCa = i != chainLength,
+ )
+ certs = (cert, keypair, name) +: certs
+ currentKeypair = keypair
+ currentName = name
+ }
+
+ certs
+ }
+
+ private def makeBlob(
+ blobKeypair: KeyPair,
+ header: String,
+ body: String,
+ ): String = {
+ val blobTbs = new ByteArray(
+ header.getBytes(StandardCharsets.UTF_8)
+ ).getBase64Url + "." + new ByteArray(
+ body.getBytes(StandardCharsets.UTF_8)
+ ).getBase64Url
+ val blobSignature = TestAuthenticator.sign(
+ new ByteArray(blobTbs.getBytes(StandardCharsets.UTF_8)),
+ blobKeypair.getPrivate,
+ COSEAlgorithmIdentifier.ES256,
+ )
+ blobTbs + "." + blobSignature.getBase64Url
+ }
+
+ private def makeBlob(
+ certChain: List[X509Certificate],
+ blobKeypair: KeyPair,
+ nextUpdate: LocalDate,
+ legalHeader: String = "Kom ihåg att du aldrig får snyta dig i mattan!",
+ no: Int = 1,
+ ): String = {
+ val blobHeader =
+ s"""{"alg":"ES256","x5c": [${certChain
+ .map(cert => new ByteArray(cert.getEncoded).getBase64)
+ .mkString("\"", "\",\"", "\"")}]}"""
+ val blobBody = s"""{
+ "legalHeader": "${legalHeader}",
+ "no": ${no},
+ "nextUpdate": "${nextUpdate}",
+ "entries": []
+ }"""
+ makeBlob(blobKeypair, blobHeader, blobBody)
+ }
+
+ private def makeHttpServer(
+ path: String,
+ response: String,
+ ): (Server, String, X509Certificate) =
+ makeHttpServer(Map(path -> response.getBytes(StandardCharsets.UTF_8)))
+ private def makeHttpServer(
+ path: String,
+ response: Array[Byte],
+ ): (Server, String, X509Certificate) =
+ makeHttpServer(Map(path -> response))
+ private def makeHttpServer(
+ responses: Map[String, Array[Byte]]
+ ): (Server, String, X509Certificate) = {
+ val tlsKey = TestAuthenticator.generateEcKeypair()
+ val tlsCert = TestAuthenticator.buildCertificate(
+ tlsKey.getPublic,
+ new X500Name("CN=localhost"),
+ new X500Name("CN=localhost"),
+ tlsKey.getPrivate,
+ signingAlg = COSEAlgorithmIdentifier.ES256,
+ )
+ val keystorePassword = "foo"
+ val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
+ keyStore.load(null)
+ keyStore.setKeyEntry(
+ "default",
+ tlsKey.getPrivate,
+ keystorePassword.toCharArray,
+ Array(tlsCert),
+ )
+
+ val httpConfig = new HttpConfiguration()
+ httpConfig.addCustomizer(new SecureRequestCustomizer())
+ val http11 = new HttpConnectionFactory(httpConfig)
+ val sslContextFactory = new SslContextFactory.Server()
+ sslContextFactory.setKeyStore(keyStore)
+ sslContextFactory.setKeyStorePassword(keystorePassword)
+ val tls = new SslConnectionFactory(sslContextFactory, http11.getProtocol)
+
+ val threadPool = new QueuedThreadPool()
+ threadPool.setName("server")
+ val server = new Server(threadPool)
+ val connector = new ServerConnector(server, tls, http11)
+ val port = 8443
+ connector.setPort(port)
+ server.addConnector(connector)
+ server.setHandler(new AbstractHandler {
+ override def handle(
+ target: String,
+ jettyRequest: Request,
+ request: HttpServletRequest,
+ response: HttpServletResponse,
+ ): Unit = {
+ responses.get(target) match {
+ case Some(responseBody) => {
+ response.getOutputStream.write(responseBody)
+ response.setStatus(200)
+ }
+ case None => response.setStatus(404)
+ }
+
+ jettyRequest.setHandled(true)
+ }
+ })
+
+ (server, s"https://localhost:${port}", tlsCert)
+ }
+
+ describe("§3.2. Metadata BLOB object processing rules") {
+ describe("1. Download and cache the root signing trust anchor from the respective MDS root location e.g. More information can be found at https://fidoalliance.org/metadata/") {
+ it(
+ "The trust root is downloaded and cached if there isn't a supplier-cached one."
+ ) {
+ val random = new SecureRandom()
+ val trustRootDistinguishedName =
+ s"CN=Test trust root ${random.nextInt(10000)}"
+ val (trustRootCert, caKeypair, caName) =
+ makeTrustRootCert(distinguishedName = trustRootDistinguishedName)
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.now())
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ var writtenCache: Option[ByteArray] = None
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/trust-root.der", trustRootCert.getEncoded)
+ startServer(server)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .downloadTrustRoot(
+ new URL(s"${serverUrl}/trust-root.der"),
+ Set(
+ TestAuthenticator.sha256(new ByteArray(trustRootCert.getEncoded))
+ ).asJava,
+ )
+ .useTrustRootCache(
+ () => Optional.empty(),
+ newCache => { writtenCache = Some(newCache) },
+ )
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ blob.getHeader.getX5c.get.asScala.last.getIssuerDN.getName should equal(
+ trustRootDistinguishedName
+ )
+ writtenCache should equal(Some(new ByteArray(trustRootCert.getEncoded)))
+ }
+
+ it("The trust root is downloaded and cached if there's an expired one in supplier-cache.") {
+ val random = new SecureRandom()
+
+ val oldTrustRootDistinguishedName =
+ s"CN=Test trust root ${random.nextInt(10000)}"
+ val newTrustRootDistinguishedName =
+ s"CN=Test trust root ${random.nextInt(10000) + 10000}"
+ val (oldTrustRootCert, _, _) =
+ makeTrustRootCert(
+ distinguishedName = oldTrustRootDistinguishedName,
+ validFrom = CertValidFrom.minusSeconds(600),
+ validTo = CertValidFrom.minusSeconds(1),
+ )
+ val (newTrustRootCert, caKeypair, caName) =
+ makeTrustRootCert(distinguishedName = newTrustRootDistinguishedName)
+
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.now())
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ var writtenCache: Option[ByteArray] = None
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/trust-root.der", newTrustRootCert.getEncoded)
+ startServer(server)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .downloadTrustRoot(
+ new URL(s"${serverUrl}/trust-root.der"),
+ Set(
+ TestAuthenticator.sha256(
+ new ByteArray(newTrustRootCert.getEncoded)
+ )
+ ).asJava,
+ )
+ .useTrustRootCache(
+ () => Optional.of(new ByteArray(oldTrustRootCert.getEncoded)),
+ newCache => { writtenCache = Some(newCache) },
+ )
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ blob.getHeader.getX5c.get.asScala.last.getIssuerDN.getName should equal(
+ newTrustRootDistinguishedName
+ )
+ writtenCache should equal(
+ Some(new ByteArray(newTrustRootCert.getEncoded))
+ )
+ }
+
+ it(
+ "The trust root is not downloaded if there's a valid one in file cache."
+ ) {
+ val random = new SecureRandom()
+ val trustRootDistinguishedName =
+ s"CN=Test trust root ${random.nextInt(10000)}"
+ val (trustRootCert, caKeypair, caName) =
+ makeTrustRootCert(distinguishedName = trustRootDistinguishedName)
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.now())
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val cacheFile = File.createTempFile(
+ s"${getClass.getCanonicalName}_test_cache_",
+ ".tmp",
+ )
+ val f = new FileOutputStream(cacheFile)
+ f.write(trustRootCert.getEncoded)
+ f.close()
+ cacheFile.deleteOnExit()
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useDefaultTrustRoot()
+ .useTrustRootCacheFile(cacheFile)
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ blob.getHeader.getX5c.get.asScala.last.getIssuerDN.getName should equal(
+ trustRootDistinguishedName
+ )
+ }
+
+ it(
+ "The trust root is downloaded and cached if there isn't a file-cached one."
+ ) {
+ val random = new SecureRandom()
+ val trustRootDistinguishedName =
+ s"CN=Test trust root ${random.nextInt(10000)}"
+ val (trustRootCert, caKeypair, caName) =
+ makeTrustRootCert(distinguishedName = trustRootDistinguishedName)
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.now())
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/trust-root.der", trustRootCert.getEncoded)
+ startServer(server)
+
+ val cacheFile = File.createTempFile(
+ s"${getClass.getCanonicalName}_test_cache_",
+ ".tmp",
+ )
+ cacheFile.delete()
+ cacheFile.deleteOnExit()
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .downloadTrustRoot(
+ new URL(s"${serverUrl}/trust-root.der"),
+ Set(
+ TestAuthenticator.sha256(new ByteArray(trustRootCert.getEncoded))
+ ).asJava,
+ )
+ .useTrustRootCacheFile(cacheFile)
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ blob.getHeader.getX5c.get.asScala.last.getIssuerDN.getName should equal(
+ trustRootDistinguishedName
+ )
+ cacheFile.exists() should be(true)
+ BinaryUtil.readAll(new FileInputStream(cacheFile)) should equal(
+ trustRootCert.getEncoded
+ )
+ }
+
+ it("The trust root is downloaded and cached if there's an expired one in file cache.") {
+ val random = new SecureRandom()
+
+ val oldTrustRootDistinguishedName =
+ s"CN=Test trust root ${random.nextInt(10000)}"
+ val newTrustRootDistinguishedName =
+ s"CN=Test trust root ${random.nextInt(10000) + 10000}"
+ val (oldTrustRootCert, _, _) =
+ makeTrustRootCert(
+ distinguishedName = oldTrustRootDistinguishedName,
+ validFrom = CertValidFrom.minusSeconds(600),
+ validTo = CertValidFrom.minusSeconds(1),
+ )
+ val (newTrustRootCert, caKeypair, caName) =
+ makeTrustRootCert(distinguishedName = newTrustRootDistinguishedName)
+
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.now())
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/trust-root.der", newTrustRootCert.getEncoded)
+ startServer(server)
+
+ val cacheFile = File.createTempFile(
+ s"${getClass.getCanonicalName}_test_cache_",
+ ".tmp",
+ )
+ val f = new FileOutputStream(cacheFile)
+ f.write(oldTrustRootCert.getEncoded)
+ f.close()
+ cacheFile.deleteOnExit()
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .downloadTrustRoot(
+ new URL(s"${serverUrl}/trust-root.der"),
+ Set(
+ TestAuthenticator.sha256(
+ new ByteArray(newTrustRootCert.getEncoded)
+ )
+ ).asJava,
+ )
+ .useTrustRootCacheFile(cacheFile)
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ blob.getHeader.getX5c.get.asScala.last.getIssuerDN.getName should equal(
+ newTrustRootDistinguishedName
+ )
+ cacheFile.exists() should be(true)
+ BinaryUtil.readAll(new FileInputStream(cacheFile)) should equal(
+ newTrustRootCert.getEncoded
+ )
+ }
+
+ it("The trust root is not downloaded if there's a valid one in supplier-cache.") {
+ val random = new SecureRandom()
+ val trustRootDistinguishedName =
+ s"CN=Test trust root ${random.nextInt(10000)}"
+ val (trustRootCert, caKeypair, caName) =
+ makeTrustRootCert(distinguishedName = trustRootDistinguishedName)
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.now())
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ var writtenCache: Option[ByteArray] = None
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useDefaultTrustRoot()
+ .useTrustRootCache(
+ () => Optional.of(new ByteArray(trustRootCert.getEncoded)),
+ newCache => { writtenCache = Some(newCache) },
+ )
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ blob.getHeader.getX5c.get.asScala.last.getIssuerDN.getName should equal(
+ trustRootDistinguishedName
+ )
+ writtenCache should equal(None)
+ }
+
+ it("The downloaded trust root cert must match one of the expected SHA256 hashes.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt = makeBlob(List(blobCert), blobKeypair, LocalDate.now())
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/trust-root.der", trustRootCert.getEncoded)
+ startServer(server)
+
+ def testWithHashes(hashes: Set[ByteArray]): MetadataBLOB = {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .downloadTrustRoot(
+ new URL(s"${serverUrl}/trust-root.der"),
+ hashes.asJava,
+ )
+ .useTrustRootCache(() => Optional.empty(), _ => {})
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob
+ }
+
+ val goodHash =
+ TestAuthenticator.sha256(new ByteArray(trustRootCert.getEncoded))
+ val badHash = TestAuthenticator.sha256(goodHash)
+
+ a[DigestException] should be thrownBy { testWithHashes(Set(badHash)) }
+ testWithHashes(Set(goodHash)) should not be null
+ testWithHashes(Set(badHash, goodHash)) should not be null
+ }
+ }
+
+ describe("2. To validate the digital certificates used in the digital signature, the certificate revocation information MUST be available in the form of CRLs at the respective MDS CRL location e.g. More information can be found at https://fidoalliance.org/metadata/") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.parse("2022-01-19"))
+
+ it(
+ "Verification fails if the certs don't declare CRL distribution points."
+ ) {
+ val thrown = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob()
+ }
+ thrown.getReason should equal(
+ BasicReason.UNDETERMINED_REVOCATION_STATUS
+ )
+ }
+
+ it("Verification succeeds if explicitly given appropriate CRLs.") {
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob()
+ blob should not be null
+ }
+
+ describe("Intermediate certificates") {
+
+ val (intermediateCert, intermediateKeypair, intermediateName) =
+ makeCert(
+ caKeypair,
+ caName,
+ isCa = true,
+ name = "CN=Yubico java-webauthn-server unit tests intermediate CA, O=Yubico",
+ )
+ val (blobCert, blobKeypair, _) =
+ makeCert(intermediateKeypair, intermediateName)
+ val blobJwt = makeBlob(
+ List(blobCert, intermediateCert),
+ blobKeypair,
+ LocalDate.parse("2022-01-19"),
+ )
+
+ it("each require their own CRL.") {
+ val thrown = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob()
+ }
+ thrown.getReason should equal(
+ BasicReason.UNDETERMINED_REVOCATION_STATUS
+ )
+
+ val rootCrl = TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+
+ val thrown2 = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(List[CRL](rootCrl).asJava)
+ .build()
+ .loadCachedBlob()
+ }
+ thrown2.getReason should equal(
+ BasicReason.UNDETERMINED_REVOCATION_STATUS
+ )
+
+ val intermediateCrl = TestAuthenticator.buildCrl(
+ intermediateName,
+ intermediateKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+
+ val thrown3 = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(List[CRL](intermediateCrl).asJava)
+ .build()
+ .loadCachedBlob()
+ }
+ thrown3.getReason should equal(
+ BasicReason.UNDETERMINED_REVOCATION_STATUS
+ )
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(List[CRL](rootCrl, intermediateCrl).asJava)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob()
+ blob should not be null
+ }
+
+ it("can revoke downstream certificates too.") {
+ val rootCrl = TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ val intermediateCrl = TestAuthenticator.buildCrl(
+ intermediateName,
+ intermediateKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ revoked = Set(blobCert),
+ )
+ val crls = List(rootCrl, intermediateCrl)
+
+ val thrown = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .clock(Clock.fixed(CertValidFrom.plusSeconds(1), ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob()
+ }
+ thrown.getReason should equal(
+ BasicReason.REVOKED
+ )
+ }
+ }
+ }
+
+ describe("3. The FIDO Server MUST be able to download the latest metadata BLOB object from the well-known URL when appropriate, e.g. https://mds.fidoalliance.org/. The nextUpdate field of the Metadata BLOB specifies a date when the download SHOULD occur at latest.") {
+ it("The BLOB is downloaded if there isn't a cached one.") {
+ val random = new SecureRandom()
+ val blobLegalHeader =
+ s"Kom ihåg att du aldrig får snyta dig i mattan! ${random.nextInt(10000)}"
+ val blobNo = random.nextInt(10000);
+
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ LocalDate.parse("2022-01-19"),
+ no = blobNo,
+ legalHeader = blobLegalHeader,
+ )
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", blobJwt)
+ startServer(server)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(blobLegalHeader)
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCache(() => Optional.empty(), _ => {})
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob()
+ .getPayload
+ blob should not be null
+ blob.getLegalHeader should equal(blobLegalHeader)
+ blob.getNo should equal(blobNo)
+ }
+
+ it("The BLOB is downloaded if the cached one is out of date.") {
+ val oldBlobNo = 1
+ val newBlobNo = 2
+
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val oldBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ CertValidFrom.atOffset(ZoneOffset.UTC).toLocalDate,
+ no = oldBlobNo,
+ )
+ val newBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ CertValidTo.atOffset(ZoneOffset.UTC).toLocalDate,
+ no = newBlobNo,
+ )
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", newBlobJwt)
+ startServer(server)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCache(
+ () =>
+ Optional.of(
+ new ByteArray(oldBlobJwt.getBytes(StandardCharsets.UTF_8))
+ ),
+ _ => {},
+ )
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob()
+ .getPayload
+ blob should not be null
+ blob.getNo should equal(newBlobNo)
+ }
+
+ it(
+ "The BLOB is not downloaded if the cached one is not yet out of date."
+ ) {
+ val oldBlobNo = 1
+ val newBlobNo = 2
+
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val oldBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ CertValidTo.atOffset(ZoneOffset.UTC).toLocalDate,
+ no = oldBlobNo,
+ )
+ val newBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ CertValidTo.atOffset(ZoneOffset.UTC).toLocalDate,
+ no = newBlobNo,
+ )
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", newBlobJwt)
+ startServer(server)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCache(
+ () =>
+ Optional.of(
+ new ByteArray(oldBlobJwt.getBytes(StandardCharsets.UTF_8))
+ ),
+ _ => {},
+ )
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob()
+ .getPayload
+ blob should not be null
+ blob.getNo should equal(oldBlobNo)
+ }
+
+ }
+
+ describe("4. If the x5u attribute is present in the JWT Header, then:") {
+
+ describe("1. The FIDO Server MUST verify that the URL specified by the x5u attribute has the same web-origin as the URL used to download the metadata BLOB from. The FIDO Server SHOULD ignore the file if the web-origin differs (in order to prevent loading objects from arbitrary sites).") {
+ it("x5u on a different host is rejected.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+
+ val certChain = List(blobCert)
+ val certChainPem = certChain
+ .map(cert => new ByteArray(cert.getEncoded).getBase64)
+ .mkString(
+ "-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----",
+ )
+
+ val blobJwt =
+ makeBlob(
+ blobKeypair,
+ s"""{"alg":"ES256","x5u": "https://localhost:8444/chain.pem"}""",
+ s"""{
+ "legalHeader": "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "no": 1,
+ "nextUpdate": "2022-01-19",
+ "entries": []
+ }""",
+ )
+
+ val (server, _, httpsCert) =
+ makeHttpServer(
+ Map(
+ "/chain.pem" -> certChainPem.getBytes(StandardCharsets.UTF_8),
+ "/blob.jwt" -> blobJwt.getBytes(StandardCharsets.UTF_8),
+ )
+ )
+ startServer(server)
+
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val thrown = the[IllegalArgumentException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL("https://localhost:8443/blob.jwt"))
+ .useBlobCache(() => Optional.empty(), _ => {})
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ }
+ thrown should not be null
+ }
+ }
+
+ describe("2. The FIDO Server MUST download the certificate (chain) from the URL specified by the x5u attribute [JWS]. The certificate chain MUST be verified to properly chain to the metadata BLOB signing trust anchor according to [RFC5280]. All certificates in the chain MUST be checked for revocation according to [RFC5280].") {
+ it("x5u with one cert is accepted.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+
+ val certChain = List(blobCert)
+ val certChainPem = certChain
+ .map(cert => new ByteArray(cert.getEncoded).getBase64)
+ .mkString(
+ "-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----",
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/chain.pem", certChainPem)
+ startServer(server)
+
+ val blobJwt =
+ makeBlob(
+ blobKeypair,
+ s"""{"alg":"ES256","x5u": "${serverUrl}/chain.pem"}""",
+ s"""{
+ "legalHeader": "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "no": 1,
+ "nextUpdate": "2022-01-19",
+ "entries": []
+ }""",
+ )
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ }
+
+ it("x5u with an unknown trust anchor is rejected.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (_, untrustedCaKeypair, untrustedCaName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) =
+ makeCert(untrustedCaKeypair, untrustedCaName)
+
+ val certChain = List(blobCert)
+ val certChainPem = certChain
+ .map(cert => new ByteArray(cert.getEncoded).getBase64)
+ .mkString(
+ "-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----",
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/chain.pem", certChainPem)
+ startServer(server)
+
+ val blobJwt =
+ makeBlob(
+ blobKeypair,
+ s"""{"alg":"ES256","x5u": "${serverUrl}/chain.pem"}""",
+ s"""{
+ "legalHeader": "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "no": 1,
+ "nextUpdate": "2022-01-19",
+ "entries": []
+ }""",
+ )
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val thrown = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob
+ }
+ thrown should not be null
+ thrown.getReason should be(
+ CertPathValidatorException.BasicReason.INVALID_SIGNATURE
+ )
+ }
+
+ it("x5u with three certs requires a CRL for each CA certificate.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val certChain = makeCertChain(caKeypair, caName, 3)
+ certChain.length should be(3)
+ val certChainPem = certChain
+ .map({
+ case (cert, _, _) => new ByteArray(cert.getEncoded).getBase64
+ })
+ .mkString(
+ "-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----",
+ )
+
+ val crls =
+ (certChain.tail :+ (trustRootCert, caKeypair, caName)).map({
+ case (_, keypair, name) =>
+ TestAuthenticator.buildCrl(
+ name,
+ keypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ })
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/chain.pem", certChainPem)
+ startServer(server)
+
+ val blobJwt =
+ makeBlob(
+ certChain.head._2,
+ s"""{"alg":"ES256","x5u": "${serverUrl}/chain.pem"}""",
+ s"""{
+ "legalHeader": "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "no": 1,
+ "nextUpdate": "2022-01-19",
+ "entries": []
+ }""",
+ )
+
+ val clock = Clock.fixed(CertValidFrom, ZoneOffset.UTC)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(clock)
+ .build()
+ .loadCachedBlob
+ blob should not be null
+
+ for { i <- certChain.indices } {
+ val splicedCrls = crls.take(i) ++ crls.drop(i + 1)
+ splicedCrls.length should be(crls.length - 1)
+ val thrown = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(splicedCrls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(clock)
+ .build()
+ .loadCachedBlob
+ }
+ thrown should not be null
+ thrown.getReason should be(
+ CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS
+ )
+ }
+ }
+ }
+
+ describe("3. The FIDO Server SHOULD ignore the file if the chain cannot be verified or if one of the chain certificates is revoked.") {
+ it("Verification fails if explicitly given CRLs where a cert in the chain is revoked.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val certChain = makeCertChain(caKeypair, caName, 3)
+ certChain.length should be(3)
+ val certChainPem = certChain
+ .map({
+ case (cert, _, _) => new ByteArray(cert.getEncoded).getBase64
+ })
+ .mkString(
+ "-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n",
+ "\n-----END CERTIFICATE-----",
+ )
+
+ val crls =
+ (certChain.tail :+ (trustRootCert, caKeypair, caName)).map({
+ case (_, keypair, name) =>
+ TestAuthenticator.buildCrl(
+ name,
+ keypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ })
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/chain.pem", certChainPem)
+ startServer(server)
+
+ val blobJwt =
+ makeBlob(
+ certChain.head._2,
+ s"""{"alg":"ES256","x5u": "${serverUrl}/chain.pem"}""",
+ s"""{
+ "legalHeader": "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "no": 1,
+ "nextUpdate": "2022-01-19",
+ "entries": []
+ }""",
+ )
+
+ val clock = Clock.fixed(CertValidFrom.plusSeconds(1), ZoneOffset.UTC)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(clock)
+ .build()
+ .loadCachedBlob
+ blob should not be null
+
+ for { i <- certChain.indices } {
+ val crlsWithRevocation =
+ crls.take(i) ++ crls.drop(i + 1) :+ TestAuthenticator.buildCrl(
+ certChain.lift(i + 1).map(_._3).getOrElse(caName),
+ certChain.lift(i + 1).map(_._2).getOrElse(caKeypair).getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ revoked = Set(certChain(i)._1),
+ )
+ crlsWithRevocation.length should equal(crls.length)
+ val thrown = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crlsWithRevocation.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(clock)
+ .build()
+ .loadCachedBlob
+ }
+ thrown should not be null
+ thrown.getReason should be(BasicReason.REVOKED)
+ thrown.getIndex should equal(i)
+ }
+ }
+ }
+ }
+
+ describe("5. If the x5u attribute is missing, the chain should be retrieved from the x5c attribute. If that attribute is missing as well, Metadata BLOB signing trust anchor is considered the BLOB signing certificate chain.") {
+ it("x5c with one cert is accepted.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val certChain = List(blobCert)
+ val certChainJson = certChain
+ .map(cert => new ByteArray(cert.getEncoded).getBase64)
+ .mkString("[\"", "\",\"", "\"]")
+ val blobJwt =
+ makeBlob(
+ blobKeypair,
+ s"""{"alg":"ES256","x5c": ${certChainJson}}""",
+ s"""{
+ "legalHeader": "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "no": 1,
+ "nextUpdate": "2022-01-19",
+ "entries": []
+ }""",
+ )
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ }
+
+ it("x5c with three certs requires a CRL for each CA certificate.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val certChain = makeCertChain(caKeypair, caName, 3)
+ certChain.length should be(3)
+ val certChainJson = certChain
+ .map({
+ case (cert, _, _) => new ByteArray(cert.getEncoded).getBase64
+ })
+ .mkString("[\"", "\",\"", "\"]")
+
+ val blobJwt =
+ makeBlob(
+ certChain.head._2,
+ s"""{"alg":"ES256","x5c": ${certChainJson}}""",
+ s"""{
+ "legalHeader": "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "no": 1,
+ "nextUpdate": "2022-01-19",
+ "entries": []
+ }""",
+ )
+ val crls = (certChain.tail :+ (trustRootCert, caKeypair, caName)).map({
+ case (_, keypair, name) =>
+ TestAuthenticator.buildCrl(
+ name,
+ keypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ })
+
+ val clock = Clock.fixed(CertValidFrom, ZoneOffset.UTC)
+
+ val blob = Try(
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .clock(clock)
+ .build()
+ .loadCachedBlob
+ )
+ blob should not be null
+ blob shouldBe a[Success[_]]
+
+ for { i <- certChain.indices } {
+ val splicedCrls = crls.take(i) ++ crls.drop(i + 1)
+ splicedCrls.length should be(crls.length - 1)
+ val thrown = the[CertPathValidatorException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader(
+ "Kom ihåg att du aldrig får snyta dig i mattan!"
+ )
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(splicedCrls.asJava)
+ .clock(clock)
+ .build()
+ .loadCachedBlob
+ }
+ thrown should not be null
+ thrown.getReason should be(
+ CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS
+ )
+ }
+ }
+
+ it("Missing x5c means the trust root cert is used as the signer.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val blobJwt =
+ makeBlob(
+ caKeypair,
+ s"""{"alg":"ES256"}""",
+ s"""{
+ "legalHeader": "Kom ihåg att du aldrig får snyta dig i mattan!",
+ "no": 1,
+ "nextUpdate": "2022-01-19",
+ "entries": []
+ }""",
+ )
+
+ val crls = List(
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(blobJwt)
+ .useCrls(crls.asJava)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob
+ blob should not be null
+ }
+ }
+
+ describe("6. Verify the signature of the Metadata BLOB object using the BLOB signing certificate chain (as determined by the steps above). The FIDO Server SHOULD ignore the file if the signature is invalid. It SHOULD also ignore the file if its number (no) is less or equal to the number of the last Metadata BLOB object cached locally.") {
+ it("Invalid signatures are detected.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+
+ val validBlobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.parse("2022-01-19"))
+ val crls = List(
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+ val badBlobJwt = validBlobJwt
+ .split(raw"\.")
+ .updated(
+ 1, {
+ val json = JacksonCodecs.json()
+ val badBlobBody = json
+ .readTree(
+ ByteArray
+ .fromBase64Url(validBlobJwt.split(raw"\.")(1))
+ .getBytes
+ )
+ .asInstanceOf[ObjectNode]
+ badBlobBody.set("no", new IntNode(7))
+ new ByteArray(
+ json
+ .writeValueAsString(badBlobBody)
+ .getBytes(StandardCharsets.UTF_8)
+ ).getBase64
+ },
+ )
+ .mkString(".")
+
+ val thrown = the[FidoMetadataDownloaderException] thrownBy {
+ FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .useBlob(badBlobJwt)
+ .useCrls(crls.asJava)
+ .build()
+ .loadCachedBlob
+ }
+ thrown.getReason should be(Reason.BAD_SIGNATURE)
+ }
+
+ it("""A newly downloaded BLOB is disregarded if the cached one has a greater "no".""") {
+ val oldBlobNo = 2
+ val newBlobNo = 1
+
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val oldBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ CertValidFrom.atOffset(ZoneOffset.UTC).toLocalDate,
+ no = oldBlobNo,
+ )
+ val newBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ CertValidTo.atOffset(ZoneOffset.UTC).toLocalDate,
+ no = newBlobNo,
+ )
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", newBlobJwt)
+ startServer(server)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCache(
+ () =>
+ Optional.of(
+ new ByteArray(oldBlobJwt.getBytes(StandardCharsets.UTF_8))
+ ),
+ _ => {},
+ )
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ .getPayload
+ blob should not be null
+ blob.getNo should equal(oldBlobNo)
+ }
+
+ it("A newly downloaded BLOB is disregarded if it has an invalid signature but the cached one has a valid signature.") {
+ val oldBlobNo = 1
+ val newBlobNo = 2
+
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val oldBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ CertValidFrom.atOffset(ZoneOffset.UTC).toLocalDate,
+ no = oldBlobNo,
+ )
+ val newBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ CertValidTo.atOffset(ZoneOffset.UTC).toLocalDate,
+ no = newBlobNo,
+ )
+ val crls = List[CRL](
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val badNewBlobJwt = newBlobJwt
+ .split(raw"\.")
+ .updated(
+ 1, {
+ val json = JacksonCodecs.json()
+ val badBlobBody = json
+ .readTree(
+ ByteArray.fromBase64Url(newBlobJwt.split(raw"\.")(1)).getBytes
+ )
+ .asInstanceOf[ObjectNode]
+ badBlobBody.set("no", new IntNode(7))
+ new ByteArray(
+ json
+ .writeValueAsString(badBlobBody)
+ .getBytes(StandardCharsets.UTF_8)
+ ).getBase64
+ },
+ )
+ .mkString(".")
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", badNewBlobJwt)
+ startServer(server)
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCache(
+ () =>
+ Optional.of(
+ new ByteArray(oldBlobJwt.getBytes(StandardCharsets.UTF_8))
+ ),
+ _ => {},
+ )
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ .getPayload
+ blob should not be null
+ blob.getNo should equal(oldBlobNo)
+ }
+ }
+
+ describe("7. Write the verified object to a local cache as required.") {
+ it("Cache consumer works.") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(List(blobCert), blobKeypair, LocalDate.parse("2022-01-19"))
+ val crls = List(
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", blobJwt)
+ startServer(server)
+
+ var writtenCache: Option[ByteArray] = None
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCache(
+ () => Optional.empty(),
+ cacheme => { writtenCache = Some(cacheme) },
+ )
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ .getPayload
+ blob should not be null
+ writtenCache should equal(
+ Some(new ByteArray(blobJwt.getBytes(StandardCharsets.UTF_8)))
+ )
+ }
+
+ describe("File cache") {
+ val (trustRootCert, caKeypair, caName) = makeTrustRootCert()
+ val (blobCert, blobKeypair, _) = makeCert(caKeypair, caName)
+ val blobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ LocalDate.parse("2022-01-19"),
+ no = 2,
+ )
+ val oldBlobJwt =
+ makeBlob(
+ List(blobCert),
+ blobKeypair,
+ LocalDate.parse("2022-01-19"),
+ no = 1,
+ )
+ val crls = List(
+ TestAuthenticator.buildCrl(
+ caName,
+ caKeypair.getPrivate,
+ "SHA256withECDSA",
+ CertValidFrom,
+ CertValidTo,
+ )
+ )
+
+ it("is overwritten if it exists.") {
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", blobJwt)
+ startServer(server)
+
+ val cacheFile = File.createTempFile(
+ s"${getClass.getCanonicalName}_test_cache_",
+ ".tmp",
+ )
+ val f = new FileOutputStream(cacheFile)
+ f.write(oldBlobJwt.getBytes(StandardCharsets.UTF_8))
+ f.close()
+ cacheFile.deleteOnExit()
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCacheFile(cacheFile)
+ .clock(
+ Clock.fixed(Instant.parse("2022-01-19T00:00:00Z"), ZoneOffset.UTC)
+ )
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob
+ .getPayload
+ blob should not be null
+ blob.getNo should be(2)
+ cacheFile.exists() should be(true)
+ BinaryUtil.readAll(new FileInputStream(cacheFile)) should equal(
+ blobJwt.getBytes(StandardCharsets.UTF_8)
+ )
+ }
+
+ it("is created if it does not exist.") {
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", blobJwt)
+ startServer(server)
+
+ val cacheFile = File.createTempFile(
+ s"${getClass.getCanonicalName}_test_cache_",
+ ".tmp",
+ )
+ cacheFile.delete()
+ cacheFile.deleteOnExit()
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCacheFile(cacheFile)
+ .clock(
+ Clock.fixed(Instant.parse("2022-01-19T00:00:00Z"), ZoneOffset.UTC)
+ )
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .build()
+ .loadCachedBlob
+ .getPayload
+ blob should not be null
+ blob.getNo should be(2)
+ cacheFile.exists() should be(true)
+ BinaryUtil.readAll(new FileInputStream(cacheFile)) should equal(
+ blobJwt.getBytes(StandardCharsets.UTF_8)
+ )
+ }
+
+ it("is read from.") {
+ val (server, serverUrl, httpsCert) =
+ makeHttpServer("/blob.jwt", oldBlobJwt)
+ startServer(server)
+
+ val cacheFile = File.createTempFile(
+ s"${getClass.getCanonicalName}_test_cache_",
+ ".tmp",
+ )
+ cacheFile.deleteOnExit()
+ val f = new FileOutputStream(cacheFile)
+ f.write(blobJwt.getBytes(StandardCharsets.UTF_8))
+ f.close()
+
+ val blob = FidoMetadataDownloader
+ .builder()
+ .expectLegalHeader("Kom ihåg att du aldrig får snyta dig i mattan!")
+ .useTrustRoot(trustRootCert)
+ .downloadBlob(new URL(s"${serverUrl}/blob.jwt"))
+ .useBlobCacheFile(cacheFile)
+ .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+ .useCrls(crls.asJava)
+ .trustHttpsCerts(httpsCert)
+ .build()
+ .loadCachedBlob
+ .getPayload
+ blob should not be null
+ blob.getNo should be(2)
+ }
+ }
+ }
+
+ describe("8. Iterate through the individual entries (of type MetadataBLOBPayloadEntry). For each entry:") {
+ it("Nothing to test - see instead FidoMetadataService.") {}
+ }
+ }
+
+}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/Generators.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/Generators.scala
new file mode 100644
index 000000000..2329a8c35
--- /dev/null
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/Generators.scala
@@ -0,0 +1,489 @@
+package com.yubico.fido.metadata
+
+import com.yubico.scalacheck.gen.JavaGenerators.arbitraryUrl
+import com.yubico.webauthn.TestAuthenticator
+import com.yubico.webauthn.data.AuthenticatorTransport
+import com.yubico.webauthn.data.Generators.arbitraryAuthenticatorTransport
+import com.yubico.webauthn.data.Generators.arbitraryPublicKeyCredentialParameters
+import com.yubico.webauthn.data.Generators.byteArray
+import com.yubico.webauthn.data.PublicKeyCredentialParameters
+import com.yubico.webauthn.extension.uvm.KeyProtectionType
+import com.yubico.webauthn.extension.uvm.MatcherProtectionType
+import com.yubico.webauthn.extension.uvm.UserVerificationMethod
+import org.scalacheck.Arbitrary
+import org.scalacheck.Arbitrary.arbitrary
+import org.scalacheck.Gen
+
+import java.net.URL
+import java.security.cert.X509Certificate
+import java.time.LocalDate
+import scala.jdk.CollectionConverters.MapHasAsJava
+import scala.jdk.CollectionConverters.SeqHasAsJava
+import scala.jdk.CollectionConverters.SetHasAsJava
+
+object Generators {
+
+ implicit val arbitraryMetadataBLOBHeader: Arbitrary[MetadataBLOBHeader] =
+ Arbitrary(
+ for {
+ alg <- arbitrary[String]
+ typ <- Gen.option(Gen.const("JWT"))
+ x5u <- arbitrary[Option[URL]]
+ x5c <- Gen.option(
+ Gen
+ .chooseNum(0, 4)
+ .flatMap(n =>
+ Gen.listOfN(
+ n,
+ TestAuthenticator.generateAttestationCertificate()._1,
+ )
+ )
+ )
+ } yield MetadataBLOBHeader
+ .builder()
+ .alg(alg)
+ .typ(typ.orNull)
+ .x5u(x5u.orNull)
+ .x5c(x5c.map(_.asJava).orNull)
+ .build()
+ )
+
+ implicit val arbitraryMetadataBLOBPayload: Arbitrary[MetadataBLOBPayload] =
+ Arbitrary(
+ for {
+ legalHeader <- arbitrary[Option[String]]
+ no <- arbitrary[Int]
+ nextUpdate <- arbitrary[LocalDate]
+ entries <-
+ Gen
+ .chooseNum(0, 4)
+ .flatMap(n =>
+ Gen.containerOfN[Set, MetadataBLOBPayloadEntry](
+ n,
+ arbitrary[MetadataBLOBPayloadEntry],
+ )
+ )
+ } yield new MetadataBLOBPayload(
+ legalHeader.orNull,
+ no,
+ nextUpdate,
+ entries.asJava,
+ )
+ )
+
+ implicit val arbitraryMetadataBLOBPayloadEntry
+ : Arbitrary[MetadataBLOBPayloadEntry] = Arbitrary(
+ for {
+ aaid <- arbitrary[Option[AAID]]
+ aaguid <- arbitrary[Option[AAGUID]]
+ attestationCertificateKeyIdentifiers <- Gen.option(
+ Gen.containerOf[Set, String](byteArray(32, 32).map(_.getHex))
+ )
+ metadataStatement <- arbitrary[Option[MetadataStatement]]
+ biometricStatusReports <- arbitrary[Option[List[BiometricStatusReport]]]
+ statusReports <- arbitrary[List[StatusReport]]
+ timeOfLastStatusChange <- arbitrary[LocalDate]
+ rogueListURL <- arbitrary[Option[URL]]
+ rogueListHash <- Gen.option(byteArray(1, 512))
+ } yield MetadataBLOBPayloadEntry
+ .builder()
+ .aaid(aaid.orNull)
+ .aaguid(aaguid.orNull)
+ .attestationCertificateKeyIdentifiers(
+ attestationCertificateKeyIdentifiers.map(_.asJava).orNull
+ )
+ .metadataStatement(metadataStatement.orNull)
+ .biometricStatusReports(biometricStatusReports.map(_.asJava).orNull)
+ .statusReports(statusReports.asJava)
+ .timeOfLastStatusChange(timeOfLastStatusChange)
+ .rogueListURL(rogueListURL.orNull)
+ .rogueListHash(rogueListHash.orNull)
+ .build()
+ )
+
+ implicit val arbitraryAaid: Arbitrary[AAID] = Arbitrary(for {
+ prefix <- byteArray(2, 2)
+ suffix <- byteArray(2, 2)
+ } yield new AAID(s"${prefix.getHex}#${suffix.getHex}"))
+
+ implicit val arbitraryAaguid: Arbitrary[AAGUID] = Arbitrary(
+ byteArray(16, 16).map(new AAGUID(_))
+ )
+
+ implicit val arbitraryBiometricStatusReport
+ : Arbitrary[BiometricStatusReport] = Arbitrary(
+ for {
+ certLevel <- arbitrary[Int]
+ modality <- arbitrary[UserVerificationMethod]
+ effectiveDate <- arbitrary[Option[LocalDate]]
+ certificationDescriptor <- arbitrary[Option[String]]
+ certificateNumber <- arbitrary[Option[String]]
+ certificationPolicyVersion <- arbitrary[Option[String]]
+ certificationRequirementsVersion <- arbitrary[Option[String]]
+ } yield BiometricStatusReport
+ .builder()
+ .certLevel(certLevel)
+ .modality(modality)
+ .effectiveDate(effectiveDate.orNull)
+ .certificationDescriptor(certificationDescriptor.orNull)
+ .certificateNumber(certificateNumber.orNull)
+ .certificationPolicyVersion(certificationPolicyVersion.orNull)
+ .certificationRequirementsVersion(certificationRequirementsVersion.orNull)
+ .build()
+ )
+
+ implicit val arbitraryMetadataStatement: Arbitrary[MetadataStatement] =
+ Arbitrary(
+ for {
+ legalHeader <- arbitrary[Option[String]]
+ aaid <- arbitrary[Option[AAID]]
+ aaguid <- arbitrary[Option[AAGUID]]
+ attestationCertificateKeyIdentifiers <- arbitrary[Option[Set[String]]]
+ description <- arbitrary[Option[String]]
+ alternativeDescriptions <- arbitrary[Option[AlternativeDescriptions]]
+ authenticatorVersion <- arbitrary[Long]
+ protocolFamily <- arbitrary[ProtocolFamily]
+ schema <- arbitrary[Int]
+ upv <- arbitrary[Set[Version]]
+ authenticationAlgorithms <- arbitrary[Set[AuthenticationAlgorithm]]
+ publicKeyAlgAndEncodings <-
+ arbitrary[Set[PublicKeyRepresentationFormat]]
+ attestationTypes <- arbitrary[Set[AuthenticatorAttestationType]]
+ userVerificationDetails <-
+ arbitrary[Set[Set[VerificationMethodDescriptor]]]
+ keyProtection <- arbitrary[Set[KeyProtectionType]]
+ isKeyRestricted <- arbitrary[Option[Boolean]]
+ isFreshUserVerificationRequired <- arbitrary[Option[Boolean]]
+ matcherProtection <- arbitrary[Set[MatcherProtectionType]]
+ cryptoStrength <- arbitrary[Option[Int]]
+ attachmentHint <- arbitrary[Option[Set[AttachmentHint]]]
+ tcDisplay <- arbitrary[Set[TransactionConfirmationDisplayType]]
+ tcDisplayContentType <- arbitrary[Option[String]]
+ tcDisplayPNGCharacteristics <-
+ arbitrary[Option[List[DisplayPNGCharacteristicsDescriptor]]]
+ attestationRootCertificates <-
+ Gen
+ .chooseNum(0, 4)
+ .flatMap(n =>
+ Gen.containerOfN[Set, X509Certificate](
+ n,
+ TestAuthenticator.generateAttestationCaCertificate()._1,
+ )
+ )
+ icon <- arbitrary[Option[String]]
+ supportedExtensions <- arbitrary[Option[Set[ExtensionDescriptor]]]
+ authenticatorGetInfo <- arbitrary[Option[AuthenticatorGetInfo]]
+ } yield MetadataStatement
+ .builder()
+ .legalHeader(legalHeader.orNull)
+ .aaid(aaid.orNull)
+ .aaguid(aaguid.orNull)
+ .attestationCertificateKeyIdentifiers(
+ attestationCertificateKeyIdentifiers.map(_.asJava).orNull
+ )
+ .description(description.orNull)
+ .alternativeDescriptions(alternativeDescriptions.orNull)
+ .authenticatorVersion(authenticatorVersion)
+ .protocolFamily(protocolFamily)
+ .schema(schema)
+ .upv(upv.asJava)
+ .authenticationAlgorithms(authenticationAlgorithms.asJava)
+ .publicKeyAlgAndEncodings(publicKeyAlgAndEncodings.asJava)
+ .attestationTypes(attestationTypes.asJava)
+ .userVerificationDetails(userVerificationDetails.map(_.asJava).asJava)
+ .keyProtection(keyProtection.asJava)
+ .isKeyRestricted(isKeyRestricted.map(java.lang.Boolean.valueOf).orNull)
+ .isFreshUserVerificationRequired(
+ isFreshUserVerificationRequired.map(java.lang.Boolean.valueOf).orNull
+ )
+ .matcherProtection(matcherProtection.asJava)
+ .cryptoStrength(cryptoStrength.map(Integer.valueOf).orNull)
+ .attachmentHint(attachmentHint.map(_.asJava).orNull)
+ .tcDisplay(tcDisplay.asJava)
+ .tcDisplayContentType(tcDisplayContentType.orNull)
+ .tcDisplayPNGCharacteristics(
+ tcDisplayPNGCharacteristics.map(_.asJava).orNull
+ )
+ .attestationRootCertificates(attestationRootCertificates.asJava)
+ .icon(icon.orNull)
+ .supportedExtensions(supportedExtensions.map(_.asJava).orNull)
+ .authenticatorGetInfo(authenticatorGetInfo.orNull)
+ .build()
+ )
+
+ implicit val arbitraryAlternativeDescriptions
+ : Arbitrary[AlternativeDescriptions] = Arbitrary(for {
+ entries: Map[String, String] <- Gen.mapOf(for {
+ prefix <- Gen.alphaLowerStr.suchThat(_.length >= 2).map(_.take(2))
+ suffix <-
+ Gen.option(Gen.alphaUpperStr.suchThat(_.length >= 2).map(_.take(2)))
+ text <- arbitrary[String]
+ } yield (s"${prefix}${suffix.map(s => s"_${s}").getOrElse("")}", text))
+ } yield new AlternativeDescriptions(entries.asJava))
+
+ implicit val arbitraryVersion: Arbitrary[Version] = Arbitrary(for {
+ major <- arbitrary[Int]
+ minor <- arbitrary[Int]
+ } yield new Version(major, minor))
+
+ implicit val arbitraryVerificationMethodDescriptor
+ : Arbitrary[VerificationMethodDescriptor] = Arbitrary(
+ for {
+ userVerificationMethod <- arbitrary[UserVerificationMethod]
+ caDesc <- arbitrary[CodeAccuracyDescriptor]
+ baDesc <- arbitrary[BiometricAccuracyDescriptor]
+ paDesc <- arbitrary[PatternAccuracyDescriptor]
+ } yield new VerificationMethodDescriptor(
+ userVerificationMethod,
+ caDesc,
+ baDesc,
+ paDesc,
+ )
+ )
+
+ implicit val arbitraryCodeAccuracyDescriptor
+ : Arbitrary[CodeAccuracyDescriptor] = Arbitrary(
+ for {
+ base <- arbitrary[Int]
+ minLength <- arbitrary[Int]
+ maxRetries <- arbitrary[Option[Int]]
+ blockSlowdown <- arbitrary[Option[Int]]
+ } yield CodeAccuracyDescriptor
+ .builder()
+ .base(base)
+ .minLength(minLength)
+ .maxRetries(maxRetries.map(Integer.valueOf).orNull)
+ .blockSlowdown(blockSlowdown.map(Integer.valueOf).orNull)
+ .build()
+ )
+
+ implicit val arbitraryBiometricAccuracyDescriptor
+ : Arbitrary[BiometricAccuracyDescriptor] = Arbitrary(
+ for {
+ selfAttestedFRR <- arbitrary[Option[Double]]
+ selfAttestedFAR <- arbitrary[Option[Double]]
+ maxTemplates <- arbitrary[Option[Int]]
+ maxRetries <- arbitrary[Option[Int]]
+ blockSlowdown <- arbitrary[Option[Int]]
+ } yield new BiometricAccuracyDescriptor(
+ selfAttestedFRR.map(Double.box).orNull,
+ selfAttestedFAR.map(Double.box).orNull,
+ maxTemplates.map(Integer.valueOf).orNull,
+ maxRetries.map(Integer.valueOf).orNull,
+ blockSlowdown.map(Integer.valueOf).orNull,
+ )
+ )
+
+ implicit val arbitraryPatternAccuracyDescriptor
+ : Arbitrary[PatternAccuracyDescriptor] = Arbitrary(
+ for {
+ minComplexity <- arbitrary[Long]
+ maxRetries <- arbitrary[Option[Int]]
+ blockSlowdown <- arbitrary[Option[Int]]
+ } yield PatternAccuracyDescriptor
+ .builder()
+ .minComplexity(minComplexity)
+ .maxRetries(maxRetries.map(Integer.valueOf).orNull)
+ .blockSlowdown(blockSlowdown.map(Integer.valueOf).orNull)
+ .build()
+ )
+
+ implicit val arbitraryDisplayPNGCharacteristicsDescriptor
+ : Arbitrary[DisplayPNGCharacteristicsDescriptor] = Arbitrary(
+ for {
+ width <- arbitrary[Long]
+ height <- arbitrary[Long]
+ bitDepth <- arbitrary[Short]
+ colorType <- arbitrary[Short]
+ compression <- arbitrary[Short]
+ filter <- arbitrary[Short]
+ interlace <- arbitrary[Short]
+ plte <- arbitrary[Option[List[RgbPaletteEntry]]]
+ } yield DisplayPNGCharacteristicsDescriptor
+ .builder()
+ .width(width)
+ .height(height)
+ .bitDepth(bitDepth)
+ .colorType(colorType)
+ .compression(compression)
+ .filter(filter)
+ .interlace(interlace)
+ .plte(plte.map(_.asJava).orNull)
+ .build()
+ )
+
+ implicit val arbitraryRgbPaletteEntry: Arbitrary[RgbPaletteEntry] = Arbitrary(
+ for {
+ r <- arbitrary[Int]
+ g <- arbitrary[Int]
+ b <- arbitrary[Int]
+ } yield new RgbPaletteEntry(r, g, b)
+ )
+
+ implicit val arbitraryExtensionDescriptor: Arbitrary[ExtensionDescriptor] =
+ Arbitrary(
+ for {
+ id <- arbitrary[String]
+ tag <- arbitrary[Option[Int]]
+ data <- arbitrary[Option[String]]
+ failIfUnknown <- arbitrary[Boolean]
+ } yield ExtensionDescriptor
+ .builder()
+ .id(id)
+ .tag(tag.map(Integer.valueOf).orNull)
+ .data(data.orNull)
+ .failIfUnknown(failIfUnknown)
+ .build()
+ )
+
+ implicit val arbitraryAuthenticatorGetInfo: Arbitrary[AuthenticatorGetInfo] =
+ Arbitrary(
+ for {
+ versions <- arbitrary[Set[CtapVersion]]
+ extensions <- arbitrary[Option[Set[String]]]
+ aaguid <- arbitrary[Option[AAGUID]]
+ options <- arbitrary[Option[SupportedCtapOptions]]
+ maxMsgSize <- arbitrary[Option[Int]]
+ pinUvAuthProtocols <-
+ arbitrary[Option[Set[CtapPinUvAuthProtocolVersion]]]
+ maxCredentialCountInList <- arbitrary[Option[Int]]
+ maxCredentialIdLength <- arbitrary[Option[Int]]
+ transports <- arbitrary[Option[Set[AuthenticatorTransport]]]
+ algorithms <- arbitrary[Option[List[PublicKeyCredentialParameters]]]
+ maxSerializedLargeBlobArray <- arbitrary[Option[Int]]
+ forcePINChange <- arbitrary[Option[Boolean]]
+ minPINLength <- arbitrary[Option[Int]]
+ firmwareVersion <- arbitrary[Option[Int]]
+ maxCredBlobLength <- arbitrary[Option[Int]]
+ maxRPIDsForSetMinPINLength <- arbitrary[Option[Int]]
+ preferredPlatformUvAttempts <- arbitrary[Option[Int]]
+ uvModality <- arbitrary[Option[Set[UserVerificationMethod]]]
+ certifications <- arbitrary[Option[Map[CtapCertificationId, Int]]]
+ remainingDiscoverableCredentials <- arbitrary[Option[Int]]
+ vendorPrototypeConfigCommands <- arbitrary[Option[Set[Int]]]
+ } yield AuthenticatorGetInfo
+ .builder()
+ .versions(versions.asJava)
+ .extensions(extensions.map(_.asJava).orNull)
+ .aaguid(aaguid.orNull)
+ .options(options.orNull)
+ .maxMsgSize(maxMsgSize.map(Integer.valueOf).orNull)
+ .pinUvAuthProtocols(pinUvAuthProtocols.map(_.asJava).orNull)
+ .maxCredentialCountInList(
+ maxCredentialCountInList.map(Integer.valueOf).orNull
+ )
+ .maxCredentialIdLength(
+ maxCredentialIdLength.map(Integer.valueOf).orNull
+ )
+ .transports(transports.map(_.asJava).orNull)
+ .algorithms(algorithms.map(_.asJava).orNull)
+ .maxSerializedLargeBlobArray(
+ maxSerializedLargeBlobArray.map(Integer.valueOf).orNull
+ )
+ .forcePINChange(forcePINChange.map(java.lang.Boolean.valueOf).orNull)
+ .minPINLength(minPINLength.map(Integer.valueOf).orNull)
+ .firmwareVersion(firmwareVersion.map(Integer.valueOf).orNull)
+ .maxCredBlobLength(maxCredBlobLength.map(Integer.valueOf).orNull)
+ .maxRPIDsForSetMinPINLength(
+ maxRPIDsForSetMinPINLength.map(Integer.valueOf).orNull
+ )
+ .preferredPlatformUvAttempts(
+ preferredPlatformUvAttempts.map(Integer.valueOf).orNull
+ )
+ .uvModality(uvModality.map(_.asJava).orNull)
+ .certifications(
+ certifications
+ .map(_.map({ case (k, v) => (k, Integer.valueOf(v)) }).asJava)
+ .orNull
+ )
+ .remainingDiscoverableCredentials(
+ remainingDiscoverableCredentials.map(Integer.valueOf).orNull
+ )
+ .vendorPrototypeConfigCommands(
+ vendorPrototypeConfigCommands
+ .map(_.map(Integer.valueOf).asJava)
+ .orNull
+ )
+ .build()
+ )
+
+ implicit val arbitrarySupportedCtapOptions: Arbitrary[SupportedCtapOptions] =
+ Arbitrary(
+ for {
+ plat <- arbitrary[Boolean]
+ rk <- arbitrary[Boolean]
+ clientPin <- arbitrary[Boolean]
+ up <- arbitrary[Boolean]
+ uv <- arbitrary[Boolean]
+ pinUvAuthToken <- arbitrary[Boolean]
+ noMcGaPermissionsWithClientPin <- arbitrary[Boolean]
+ largeBlobs <- arbitrary[Boolean]
+ ep <- arbitrary[Boolean]
+ bioEnroll <- arbitrary[Boolean]
+ userVerificationMgmtPreview <- arbitrary[Boolean]
+ uvBioEnroll <- arbitrary[Boolean]
+ authnrCfg <- arbitrary[Boolean]
+ uvAcfg <- arbitrary[Boolean]
+ credMgmt <- arbitrary[Boolean]
+ credentialMgmtPreview <- arbitrary[Boolean]
+ setMinPINLength <- arbitrary[Boolean]
+ makeCredUvNotRqd <- arbitrary[Boolean]
+ alwaysUv <- arbitrary[Boolean]
+ } yield SupportedCtapOptions
+ .builder()
+ .plat(plat)
+ .rk(rk)
+ .clientPin(clientPin)
+ .up(up)
+ .uv(uv)
+ .pinUvAuthToken(pinUvAuthToken)
+ .noMcGaPermissionsWithClientPin(noMcGaPermissionsWithClientPin)
+ .largeBlobs(largeBlobs)
+ .ep(ep)
+ .bioEnroll(bioEnroll)
+ .userVerificationMgmtPreview(userVerificationMgmtPreview)
+ .uvBioEnroll(uvBioEnroll)
+ .authnrCfg(authnrCfg)
+ .uvAcfg(uvAcfg)
+ .credMgmt(credMgmt)
+ .credentialMgmtPreview(credentialMgmtPreview)
+ .setMinPINLength(setMinPINLength)
+ .makeCredUvNotRqd(makeCredUvNotRqd)
+ .alwaysUv(alwaysUv)
+ .build()
+ )
+
+ implicit val arbitraryStatusReport: Arbitrary[StatusReport] = Arbitrary(
+ for {
+ status <- arbitrary[AuthenticatorStatus]
+ effectiveDate <- arbitrary[Option[LocalDate]]
+ authenticatorVersion <- arbitrary[Option[Long]]
+ certificate <- Gen.option(
+ Gen.delay(
+ Gen
+ .const(TestAuthenticator.generateAttestationCertificate())
+ .map(_._1)
+ )
+ )
+ url <- arbitrary[Option[String]]
+ certificationDescriptor <- arbitrary[Option[String]]
+ certificateNumber <- arbitrary[Option[String]]
+ certificationPolicyVersion <- arbitrary[Option[String]]
+ certificationRequirementsVersion <- arbitrary[Option[String]]
+ } yield StatusReport
+ .builder()
+ .status(status)
+ .effectiveDate(effectiveDate.orNull)
+ .authenticatorVersion(
+ authenticatorVersion.map(java.lang.Long.valueOf).orNull
+ )
+ .certificate(certificate.orNull)
+ .url(url.orNull)
+ .certificationDescriptor(certificationDescriptor.orNull)
+ .certificateNumber(certificateNumber.orNull)
+ .certificationPolicyVersion(certificationPolicyVersion.orNull)
+ .certificationRequirementsVersion(certificationRequirementsVersion.orNull)
+ .build()
+ )
+
+}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/JsonIoSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/JsonIoSpec.scala
new file mode 100644
index 000000000..419af153e
--- /dev/null
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/JsonIoSpec.scala
@@ -0,0 +1,112 @@
+// Copyright (c) 2018, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.fido.metadata
+
+import com.fasterxml.jackson.core.`type`.TypeReference
+import com.fasterxml.jackson.databind.ObjectMapper
+import com.yubico.fido.metadata.Generators._
+import org.junit.runner.RunWith
+import org.scalacheck.Arbitrary
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatestplus.junit.JUnitRunner
+import org.scalatestplus.scalacheck.ScalaCheckDrivenPropertyChecks
+
+@RunWith(classOf[JUnitRunner])
+class JsonIoSpec
+ extends FunSpec
+ with Matchers
+ with ScalaCheckDrivenPropertyChecks {
+
+ def json: ObjectMapper = JacksonCodecs.jsonWithDefaultEnums()
+
+ describe("The class") {
+
+ def test[A](tpe: TypeReference[A])(implicit a: Arbitrary[A]): Unit = {
+ val cn = tpe.getType.getTypeName
+ describe(s"${cn}") {
+ it("can be serialized to JSON.") {
+ forAll { value: A =>
+ val encoded: String = json.writeValueAsString(value)
+
+ encoded should not be empty
+ }
+ }
+
+ it("can be deserialized from JSON.") {
+ forAll { value: A =>
+ val encoded: String = json.writeValueAsString(value)
+ val decoded: A = json.readValue(encoded, tpe)
+
+ decoded should equal(value)
+ }
+ }
+
+ it("is identical after multiple serialization round-trips.") {
+ forAll { value: A =>
+ val encoded: String = json.writeValueAsString(value)
+ val decoded: A = json.readValue(encoded, tpe)
+ decoded should equal(value)
+
+ val recoded: String = json.writeValueAsString(decoded)
+ val redecoded: A = json.readValue(recoded, tpe)
+ redecoded should equal(value)
+ }
+ }
+ }
+ }
+
+ test(new TypeReference[AAGUID]() {})
+ test(new TypeReference[AAID]() {})
+ test(new TypeReference[AlternativeDescriptions]() {})
+ test(new TypeReference[AttachmentHint]() {})
+ test(new TypeReference[AuthenticationAlgorithm]() {})
+ test(new TypeReference[AuthenticatorAttestationType]() {})
+ test(new TypeReference[AuthenticatorGetInfo]() {})
+ test(new TypeReference[AuthenticatorStatus]() {})
+ test(new TypeReference[BiometricAccuracyDescriptor]() {})
+ test(new TypeReference[BiometricStatusReport]() {})
+ test(new TypeReference[CodeAccuracyDescriptor]() {})
+ test(new TypeReference[CtapCertificationId]() {})
+ test(new TypeReference[CtapPinUvAuthProtocolVersion]() {})
+ test(new TypeReference[CtapVersion]() {})
+ test(new TypeReference[DisplayPNGCharacteristicsDescriptor]() {})
+ test(new TypeReference[ExtensionDescriptor]() {})
+ test(new TypeReference[MetadataBLOBHeader]() {})
+ test(new TypeReference[MetadataBLOBPayload]() {})
+ test(new TypeReference[MetadataBLOBPayloadEntry]() {})
+ test(new TypeReference[MetadataStatement]() {})
+ test(new TypeReference[PatternAccuracyDescriptor]() {})
+ test(new TypeReference[ProtocolFamily]() {})
+ test(new TypeReference[PublicKeyRepresentationFormat]() {})
+ test(new TypeReference[RgbPaletteEntry]() {})
+ test(new TypeReference[StatusReport]() {})
+ test(new TypeReference[SupportedCtapOptions]() {})
+ test(new TypeReference[TransactionConfirmationDisplayType]() {})
+ test(new TypeReference[VerificationMethodDescriptor]() {})
+ test(new TypeReference[Version]() {})
+ }
+
+}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/MetadataBlobSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/MetadataBlobSpec.scala
new file mode 100644
index 000000000..7d07a1e82
--- /dev/null
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/MetadataBlobSpec.scala
@@ -0,0 +1,53 @@
+package com.yubico.fido.metadata
+
+import com.yubico.internal.util.JacksonCodecs
+import com.yubico.webauthn.data.ByteArray
+import org.scalatest.FunSpec
+import org.scalatest.Matchers
+import org.scalatestplus.scalacheck.ScalaCheckDrivenPropertyChecks
+
+class MetadataBlobSpec
+ extends FunSpec
+ with Matchers
+ with ScalaCheckDrivenPropertyChecks {
+
+ describe("FIDO Metadata Service 3 blob payloads") {
+ it("can be parsed as MetadataBLOBPayload.") {
+ val blob = JacksonCodecs
+ .json()
+ .readValue(
+ ByteArray
+ .fromBase64Url(FidoMds3Examples.BlobPayloadBase64url)
+ .getBytes,
+ classOf[MetadataBLOBPayload],
+ )
+ blob should not be null
+ blob.getLegalHeader should equal(
+ "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
+ )
+ }
+
+ it(
+ "are structurally identical after multiple (de)serialization round-trips."
+ ) {
+ val json = JacksonCodecs.json()
+ val blob1 = json
+ .readValue(
+ ByteArray
+ .fromBase64Url(FidoMds3Examples.BlobPayloadBase64url)
+ .getBytes,
+ classOf[MetadataBLOBPayload],
+ )
+ val encodedBlob1 = json.writeValueAsBytes(blob1)
+ val blob2 = json.readValue(encodedBlob1, classOf[MetadataBLOBPayload])
+ val encodedBlob2 = json.writeValueAsBytes(blob2)
+ val blob3 = json.readValue(encodedBlob2, classOf[MetadataBLOBPayload])
+
+ blob2 should not be null
+ blob2 should equal(blob1)
+ blob3 should not be null
+ blob3 should equal(blob1)
+ }
+ }
+
+}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
deleted file mode 100644
index 082ac3448..000000000
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
+++ /dev/null
@@ -1,455 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation
-
-import com.yubico.internal.util.CertificateParser
-import com.yubico.internal.util.JacksonCodecs
-import com.yubico.webauthn.FinishRegistrationOptions
-import com.yubico.webauthn.RelyingParty
-import com.yubico.webauthn.attestation.Transport.LIGHTNING
-import com.yubico.webauthn.attestation.Transport.NFC
-import com.yubico.webauthn.attestation.Transport.USB
-import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver
-import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
-import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
-import com.yubico.webauthn.data.PublicKeyCredentialParameters
-import com.yubico.webauthn.test.Helpers
-import com.yubico.webauthn.test.RealExamples
-import org.junit.runner.RunWith
-import org.scalatest.FunSpec
-import org.scalatest.Matchers
-import org.scalatestplus.junit.JUnitRunner
-
-import java.util.Collections
-import scala.jdk.CollectionConverters._
-
-@RunWith(classOf[JUnitRunner])
-class DeviceIdentificationSpec extends FunSpec with Matchers {
-
- def metadataService(metadataJson: String): StandardMetadataService = {
- val metadata = Collections.singleton(
- JacksonCodecs.json().readValue(metadataJson, classOf[MetadataObject])
- )
- new StandardMetadataService(
- new SimpleAttestationResolver(
- metadata,
- SimpleTrustResolver.fromMetadata(metadata),
- )
- )
- }
-
- describe("A RelyingParty with the default StandardMetadataService") {
-
- describe("correctly identifies") {
- def check(
- expectedName: String,
- testData: RealExamples.Example,
- transports: Set[Transport],
- ): Unit = {
- val rp = RelyingParty
- .builder()
- .identity(testData.rp)
- .credentialRepository(Helpers.CredentialRepository.empty)
- .metadataService(new StandardMetadataService())
- .allowUnrequestedExtensions(true)
- .build()
-
- val result = rp.finishRegistration(
- FinishRegistrationOptions
- .builder()
- .request(
- PublicKeyCredentialCreationOptions
- .builder()
- .rp(testData.rp)
- .user(testData.user)
- .challenge(testData.attestation.challenge)
- .pubKeyCredParams(
- List(
- PublicKeyCredentialParameters.ES256,
- PublicKeyCredentialParameters.EdDSA,
- ).asJava
- )
- .build()
- )
- .response(testData.attestation.credential)
- .build()
- );
-
- result.isAttestationTrusted should be(true)
- result.getAttestationMetadata.isPresent should be(true)
- result.getAttestationMetadata.get.getDeviceProperties.isPresent should be(
- true
- )
- result.getAttestationMetadata.get.getDeviceProperties
- .get()
- .get("displayName") should equal(expectedName)
- result.getAttestationMetadata.get.getTransports.isPresent should be(
- true
- )
- result.getAttestationMetadata.get.getTransports.get.asScala should equal(
- transports
- )
- }
-
- it("a YubiKey NEO.") {
- check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo, Set(USB, NFC))
- }
- it("a YubiKey 4.") {
- check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4, Set(USB))
- }
- it("a YubiKey 5 NFC.") {
- check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
- }
- it("an early YubiKey 5 NFC.") {
- check("YubiKey 5 NFC", RealExamples.YubiKey5Nfc, Set(USB, NFC))
- }
- it("a newer YubiKey 5 NFC.") {
- check(
- "YubiKey 5/5C NFC",
- RealExamples.YubiKey5NfcPost5cNfc,
- Set(USB, NFC),
- )
- }
- it("a YubiKey 5C NFC.") {
- check("YubiKey 5/5C NFC", RealExamples.YubiKey5cNfc, Set(USB, NFC))
- }
- it("a YubiKey 5 Nano.") {
- check("YubiKey 5 Series", RealExamples.YubiKey5Nano, Set(USB))
- }
- it("a YubiKey 5Ci.") {
- check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
- }
- it("a Security Key by Yubico.") {
- check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
- }
- it("a Security Key 2 by Yubico.") {
- check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
- }
- it("a Security Key NFC by Yubico.") {
- check(
- "Security Key NFC by Yubico",
- RealExamples.SecurityKeyNfc,
- Set(USB, NFC),
- )
- }
-
- it("a YubiKey 5.4 NFC FIPS.") {
- check(
- "YubiKey 5/5C NFC FIPS",
- RealExamples.YubikeyFips5Nfc,
- Set(USB, NFC),
- )
- }
- it("a YubiKey 5.4 Ci FIPS.") {
- check(
- "YubiKey 5Ci FIPS",
- RealExamples.Yubikey5ciFips,
- Set(USB, LIGHTNING),
- )
- }
-
- it("a YubiKey Bio.") {
- check(
- "YubiKey Bio - FIDO Edition",
- RealExamples.YubikeyBio_5_5_4,
- Set(USB),
- )
- check(
- "YubiKey Bio - FIDO Edition",
- RealExamples.YubikeyBio_5_5_5,
- Set(USB),
- )
- }
- }
-
- describe("fails to identify") {
- def check(testData: RealExamples.Example): Unit = {
- val rp = RelyingParty
- .builder()
- .identity(testData.rp)
- .credentialRepository(Helpers.CredentialRepository.empty)
- .metadataService(new StandardMetadataService())
- .build()
-
- val result = rp.finishRegistration(
- FinishRegistrationOptions
- .builder()
- .request(
- PublicKeyCredentialCreationOptions
- .builder()
- .rp(testData.rp)
- .user(testData.user)
- .challenge(testData.attestation.challenge)
- .pubKeyCredParams(
- List(PublicKeyCredentialParameters.ES256).asJava
- )
- .build()
- )
- .response(testData.attestation.credential)
- .build()
- );
-
- result.isAttestationTrusted should be(false)
- result.getAttestationMetadata.isPresent should be(true)
- result.getAttestationMetadata.get.getDeviceProperties.isPresent should be(
- false
- )
- result.getAttestationMetadata.get.getVendorProperties.isPresent should be(
- false
- )
- result.getAttestationMetadata.get.getTransports.isPresent should be(
- false
- )
- }
-
- it("an Apple iOS device.") {
- check(RealExamples.AppleAttestationIos)
- }
- }
- }
-
- describe("The default AttestationResolver") {
- describe("successfully identifies") {
- def check(
- expectedName: String,
- testData: RealExamples.Example,
- transports: Set[Transport],
- ): Unit = {
- val cert = CertificateParser.parseDer(testData.attestationCert.getBytes)
- val resolved = StandardMetadataService
- .createDefaultAttestationResolver()
- .resolve(cert)
- resolved.isPresent should be(true)
- resolved.get.getDeviceProperties.isPresent should be(true)
- resolved.get.getDeviceProperties.get.get("displayName") should equal(
- expectedName
- )
- resolved.get.getTransports.isPresent should be(true)
- resolved.get.getTransports.get.asScala should equal(transports)
- }
-
- it("a YubiKey NEO.") {
- check("YubiKey NEO/NEO-n", RealExamples.YubiKeyNeo, Set(USB, NFC))
- }
- it("a YubiKey 4.") {
- check("YubiKey 4/YubiKey 4 Nano", RealExamples.YubiKey4, Set(USB))
- }
- it("a YubiKey 5 NFC.") {
- check("YubiKey 5 NFC", RealExamples.YubiKey5, Set(USB, NFC))
- }
- it("an early YubiKey 5 NFC.") {
- check("YubiKey 5 NFC", RealExamples.YubiKey5Nfc, Set(USB, NFC))
- }
- it("a newer YubiKey 5 NFC.") {
- check(
- "YubiKey 5/5C NFC",
- RealExamples.YubiKey5NfcPost5cNfc,
- Set(USB, NFC),
- )
- }
- it("a YubiKey 5C NFC.") {
- check("YubiKey 5/5C NFC", RealExamples.YubiKey5cNfc, Set(USB, NFC))
- }
- it("a YubiKey 5 Nano.") {
- check("YubiKey 5 Series", RealExamples.YubiKey5Nano, Set(USB))
- }
- it("a YubiKey 5Ci.") {
- check("YubiKey 5Ci", RealExamples.YubiKey5Ci, Set(USB, LIGHTNING))
- }
- it("a Security Key by Yubico.") {
- check("Security Key by Yubico", RealExamples.SecurityKey, Set(USB))
- }
- it("a Security Key 2 by Yubico.") {
- check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
- }
- it("a Security Key NFC by Yubico.") {
- check(
- "Security Key NFC by Yubico",
- RealExamples.SecurityKeyNfc,
- Set(USB, NFC),
- )
- }
-
- it("a YubiKey 5.4 NFC FIPS.") {
- check(
- "YubiKey 5/5C NFC FIPS",
- RealExamples.YubikeyFips5Nfc,
- Set(USB, NFC),
- )
- }
- it("a YubiKey 5.4 Ci FIPS.") {
- check(
- "YubiKey 5Ci FIPS",
- RealExamples.Yubikey5ciFips,
- Set(USB, LIGHTNING),
- )
- }
-
- it("a YubiKey Bio.") {
- check(
- "YubiKey Bio - FIDO Edition",
- RealExamples.YubikeyBio_5_5_4,
- Set(USB),
- )
- check(
- "YubiKey Bio - FIDO Edition",
- RealExamples.YubikeyBio_5_5_5,
- Set(USB),
- )
- }
- }
- }
-
- describe(
- "A StandardMetadataService configured with an Apple root certificate"
- ) {
- // Apple WebAuthn Root CA cert downloaded from https://www.apple.com/certificateauthority/private/ on 2021-04-12
- // https://www.apple.com/certificateauthority/Apple_WebAuthn_Root_CA.pem
- val mds = metadataService("""{
- | "identifier": "98cf2729-e2b9-4633-8b6a-b295cda99ccf",
- | "version": 1,
- | "vendorInfo": {
- | "name": "Apple Inc. (Metadata file by Yubico)"
- | },
- | "trustedCertificates": [
- | "-----BEGIN CERTIFICATE-----\nMIICEjCCAZmgAwIBAgIQaB0BbHo84wIlpQGUKEdXcTAKBggqhkjOPQQDAzBLMR8w\nHQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJ\nbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MjEzMloXDTQ1MDMx\nNTAwMDAwMFowSzEfMB0GA1UEAwwWQXBwbGUgV2ViQXV0aG4gUm9vdCBDQTETMBEG\nA1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTB2MBAGByqGSM49\nAgEGBSuBBAAiA2IABCJCQ2pTVhzjl4Wo6IhHtMSAzO2cv+H9DQKev3//fG59G11k\nxu9eI0/7o6V5uShBpe1u6l6mS19S1FEh6yGljnZAJ+2GNP1mi/YK2kSXIuTHjxA/\npcoRf7XkOtO4o1qlcaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJtdk\n2cV4wlpn0afeaxLQG2PxxtcwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA\nMGQCMFrZ+9DsJ1PW9hfNdBywZDsWDbWFp28it1d/5w2RPkRX3Bbn/UbDTNLx7Jr3\njAGGiQIwHFj+dJZYUJR786osByBelJYsVZd2GbHQu209b5RCmGQ21gpSAk9QZW4B\n1bWeT0vT\n-----END CERTIFICATE-----"
- | ],
- | "devices": [
- | {
- | "displayName": "Apple device",
- | "selectors": [
- | {
- | "type": "x509Extension",
- | "parameters": {
- | "key": "1.2.840.113635.100.8.2"
- | }
- | }
- | ]
- | }
- | ]
- |}""".stripMargin)
-
- describe("successfully identifies") {
- def check(
- expectedName: String,
- testData: RealExamples.Example,
- ): Unit = {
- val rp = RelyingParty
- .builder()
- .identity(testData.rp)
- .credentialRepository(Helpers.CredentialRepository.empty)
- .metadataService(mds)
- .build()
-
- val result = rp.finishRegistration(
- FinishRegistrationOptions
- .builder()
- .request(
- PublicKeyCredentialCreationOptions
- .builder()
- .rp(testData.rp)
- .user(testData.user)
- .challenge(testData.attestation.challenge)
- .pubKeyCredParams(
- List(PublicKeyCredentialParameters.ES256).asJava
- )
- .build()
- )
- .response(testData.attestation.credential)
- .build()
- )
-
- result.isAttestationTrusted should be(true)
- result.getAttestationMetadata.isPresent should be(true)
- result.getAttestationMetadata.get.getDeviceProperties.isPresent should be(
- true
- )
- result.getAttestationMetadata.get.getDeviceProperties
- .get()
- .get("displayName") should equal(expectedName)
- result.getAttestationMetadata.get.getTransports.isPresent should be(
- false
- )
- }
-
- it("an Apple iOS device.") {
- check(
- "Apple device",
- RealExamples.AppleAttestationIos,
- )
- }
-
- it("an Apple MacOS device.") {
- check(
- "Apple device",
- RealExamples.AppleAttestationMacos,
- )
- }
- }
-
- describe("fails to identify") {
- def check(testData: RealExamples.Example): Unit = {
- val rp = RelyingParty
- .builder()
- .identity(testData.rp)
- .credentialRepository(Helpers.CredentialRepository.empty)
- .metadataService(mds)
- .build()
-
- val result = rp.finishRegistration(
- FinishRegistrationOptions
- .builder()
- .request(
- PublicKeyCredentialCreationOptions
- .builder()
- .rp(testData.rp)
- .user(testData.user)
- .challenge(testData.attestation.challenge)
- .pubKeyCredParams(
- List(PublicKeyCredentialParameters.ES256).asJava
- )
- .build()
- )
- .response(testData.attestation.credential)
- .build()
- )
-
- result.isAttestationTrusted should be(false)
- result.getAttestationMetadata.isPresent should be(true)
- result.getAttestationMetadata.get.getVendorProperties.isPresent should be(
- false
- )
- result.getAttestationMetadata.get.getDeviceProperties.isPresent should be(
- false
- )
- }
-
- it("a YubiKey 5 NFC.") {
- check(RealExamples.YubiKey5)
- }
- }
- }
-
-}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/StandardMetadataServiceSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/StandardMetadataServiceSpec.scala
deleted file mode 100644
index 595b71fe2..000000000
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/StandardMetadataServiceSpec.scala
+++ /dev/null
@@ -1,279 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn.attestation
-
-import com.yubico.internal.util.JacksonCodecs
-import com.yubico.internal.util.scala.JavaConverters._
-import com.yubico.webauthn.TestAuthenticator
-import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver
-import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
-import org.bouncycastle.asn1.DERBitString
-import org.bouncycastle.asn1.DEROctetString
-import org.bouncycastle.asn1.x500.X500Name
-import org.junit.runner.RunWith
-import org.scalatest.FunSpec
-import org.scalatest.Matchers
-import org.scalatestplus.junit.JUnitRunner
-
-import java.security.cert.X509Certificate
-import java.util.Base64
-import java.util.Collections
-import scala.jdk.CollectionConverters._
-
-@RunWith(classOf[JUnitRunner])
-class StandardMetadataServiceSpec extends FunSpec with Matchers {
-
- private val TRANSPORTS_EXT_OID = "1.3.6.1.4.1.45724.2.1.1"
-
- private val ooidA = "1.3.6.1.4.1.41482.1.1"
- private val ooidB = "1.3.6.1.4.1.41482.1.2"
-
- def metadataService(metadataJson: String): StandardMetadataService = {
- val metadata = Collections.singleton(
- JacksonCodecs.json().readValue(metadataJson, classOf[MetadataObject])
- )
- new StandardMetadataService(
- new SimpleAttestationResolver(
- metadata,
- SimpleTrustResolver.fromMetadata(metadata),
- )
- )
- }
-
- def toPem(cert: X509Certificate): String =
- (
- "-----BEGIN CERTIFICATE-----\n"
- + Base64
- .getMimeEncoder(
- 64,
- System.getProperty("line.separator").getBytes("UTF-8"),
- )
- .encodeToString(cert.getEncoded)
- + "\n-----END CERTIFICATE-----\n"
- )
-
- describe("StandardMetadataService") {
-
- describe("has a getAttestation method which") {
-
- val cacaca = TestAuthenticator.generateAttestationCaCertificate(
- name = new X500Name("CN=CA CA CA"),
- extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
- )
- val caca = TestAuthenticator.generateAttestationCaCertificate(
- name = new X500Name("CN=CA CA"),
- superCa = Some(cacaca),
- extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
- )
- val (caCert, caKey) = TestAuthenticator.generateAttestationCaCertificate(
- name = new X500Name("CN=CA"),
- superCa = Some(caca),
- extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
- )
-
- val (certA, _) = TestAuthenticator.generateAttestationCertificate(
- name = new X500Name("CN=Cert A"),
- caCertAndKey = Some((caCert, caKey)),
- extensions = List(
- (ooidA, false, new DEROctetString(Array[Byte]())),
- (TRANSPORTS_EXT_OID, false, new DERBitString(Array[Byte](0x60))),
- ),
- )
- val (certB, _) = TestAuthenticator.generateAttestationCertificate(
- name = new X500Name("CN=Cert B"),
- caCertAndKey = Some((caCert, caKey)),
- extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
- )
-
- val metadataJson =
- s"""{
- "identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
- "version": 1,
- "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(
- raw"\n"
- )}"],
- "vendorInfo": {},
- "devices": [
- {
- "deviceId": "DevA",
- "displayName": "Device A",
- "selectors": [
- {
- "type": "x509Extension",
- "parameters": {
- "key": "${ooidA}"
- }
- }
- ]
- },
- {
- "deviceId": "DevB",
- "displayName": "Device B",
- "selectors": [
- {
- "type": "x509Extension",
- "parameters": {
- "key": "${ooidB}"
- }
- }
- ]
- }
- ]
- }"""
- val service = metadataService(metadataJson)
-
- it("returns the trusted attestation matching the single cert passed, if it is signed by a trusted certificate.") {
- val attestationA: Attestation =
- service.getAttestation(List(certA).asJava)
- val attestationB: Attestation =
- service.getAttestation(List(certB).asJava)
-
- attestationA.isTrusted should be(true)
- attestationA.getDeviceProperties.get.get("deviceId") should be("DevA")
-
- attestationB.isTrusted should be(true)
- attestationB.getDeviceProperties.get.get("deviceId") should be("DevB")
- }
-
- it("returns the trusted attestation matching the first cert in the chain if it is signed by a trusted certificate.") {
- val attestationA: Attestation =
- service.getAttestation(List(certA, certB).asJava)
- val attestationB: Attestation =
- service.getAttestation(List(certB, certA).asJava)
-
- attestationA.isTrusted should be(true)
- attestationA.getDeviceProperties.get.get("deviceId") should be("DevA")
-
- attestationB.isTrusted should be(true)
- attestationB.getDeviceProperties.get.get("deviceId") should be("DevB")
- }
-
- it("returns a trusted best-effort attestation if the certificate is trusted but matches no known metadata.") {
- val metadataJson =
- s"""{
- "identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
- "version": 1,
- "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(
- raw"\n"
- )}"],
- "vendorInfo": {},
- "devices": []
- }"""
- val service = metadataService(metadataJson)
-
- val attestation: Attestation =
- service.getAttestation(List(certA).asJava)
-
- attestation.isTrusted should be(true)
- attestation.getDeviceProperties.asScala shouldBe empty
- attestation.getTransports.get.asScala should equal(
- Set(Transport.BLE, Transport.USB)
- )
- }
-
- it("returns an untrusted attestation with transports if the certificate is not trusted.") {
- val metadataJson =
- s"""{
- "identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
- "version": 1,
- "trustedCertificates": [],
- "vendorInfo": {},
- "devices": []
- }"""
- val service = metadataService(metadataJson)
-
- val attestation: Attestation =
- service.getAttestation(List(certA).asJava)
-
- attestation.isTrusted should be(false)
- attestation.getMetadataIdentifier.asScala shouldBe empty
- attestation.getVendorProperties.asScala shouldBe empty
- attestation.getDeviceProperties.asScala shouldBe empty
- attestation.getTransports.get.asScala should equal(
- Set(Transport.BLE, Transport.USB)
- )
- }
-
- it("returns the trusted attestation matching the first cert in the chain if the chain resolves to a trusted certificate.") {
- val metadataJson =
- s"""{
- "identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
- "version": 1,
- "trustedCertificates": ["${toPem(cacaca._1).linesIterator
- .mkString(raw"\n")}"],
- "vendorInfo": {},
- "devices": [
- {
- "deviceId": "DevA",
- "displayName": "Device A",
- "selectors": [
- {
- "type": "x509Extension",
- "parameters": {
- "key": "${ooidA}"
- }
- }
- ]
- }
- ]
- }"""
- val service = metadataService(metadataJson)
-
- val attestation: Attestation =
- service.getAttestation(List(certA, caCert, caca._1).asJava)
-
- attestation.isTrusted should be(true)
- attestation.getDeviceProperties.get.get("deviceId") should be("DevA")
- }
-
- it("matches any certificate to a device with no selectors.") {
- val metadataJson =
- s"""{
- "identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
- "version": 1,
- "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(
- raw"\n"
- )}"],
- "vendorInfo": {},
- "devices": [
- {
- "deviceId": "DevA",
- "displayName": "Device A"
- }
- ]
- }"""
- val service = metadataService(metadataJson)
-
- val resultA = service.getAttestation(List(certA).asJava)
- val resultB = service.getAttestation(List(certB).asJava)
- resultA.getDeviceProperties.get.get("deviceId") should be("DevA")
- resultB.getDeviceProperties.get.get("deviceId") should be("DevA")
- }
-
- }
-
- }
-
-}
diff --git a/webauthn-server-core-bundle/build.gradle b/webauthn-server-core-bundle/build.gradle
deleted file mode 100644
index aec8218dc..000000000
--- a/webauthn-server-core-bundle/build.gradle
+++ /dev/null
@@ -1,37 +0,0 @@
-plugins {
- id 'java-library'
- id 'maven-publish'
- id 'signing'
-}
-
-description = 'Yubico WebAuthn server core API'
-
-project.ext.publishMe = true
-
-sourceCompatibility = 1.8
-targetCompatibility = 1.8
-
-dependencies {
- api(platform(rootProject))
-
- api(
- project(':webauthn-server-core-minimal'),
- )
-
- implementation(
- 'org.bouncycastle:bcprov-jdk15on',
- )
-}
-
-
-jar {
- manifest {
- attributes([
- 'Implementation-Title': 'Yubico Web Authentication server library meta-package',
- 'Implementation-Version': project.version,
- 'Implementation-Vendor': 'Yubico',
- 'Implementation-Source-Url': 'https://github.com/Yubico/java-webauthn-server',
- 'Git-Commit': getGitCommitOrUnknown(),
- ])
- }
-}
diff --git a/webauthn-server-core/build.gradle b/webauthn-server-core/build.gradle
index bc9dec636..f593e94e7 100644
--- a/webauthn-server-core/build.gradle
+++ b/webauthn-server-core/build.gradle
@@ -7,7 +7,7 @@ plugins {
id 'io.github.cosmicsilence.scalafix'
}
-description = 'Yubico WebAuthn server core API (fewer dependencies)'
+description = 'Yubico WebAuthn server core API'
project.ext.publishMe = true
@@ -21,15 +21,10 @@ dependencies {
project(':yubico-util'),
)
- compileOnly(
- platform(rootProject),
- 'org.bouncycastle:bcprov-jdk15on',
- )
-
implementation(
'com.augustcellars.cose:cose-java',
- 'com.google.guava:guava',
'com.fasterxml.jackson.core:jackson-databind',
+ 'com.google.guava:guava',
'com.upokecenter:cbor',
'org.apache.httpcomponents:httpclient',
'org.slf4j:slf4j-api',
@@ -45,7 +40,14 @@ dependencies {
'org.scala-lang:scala-library',
'org.scalacheck:scalacheck_2.13',
'org.scalatest:scalatest_2.13',
+ 'uk.org.lidalia:slf4j-test',
)
+
+ testImplementation('org.slf4j:slf4j-api') {
+ version {
+ strictly '[1.7.25,1.8-a)' // Pre-1.8 version required by slf4j-test
+ }
+ }
}
jar {
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.java
index d728bb24f..c135374a0 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.java
@@ -114,7 +114,7 @@ private boolean verifySignature(JsonWebSignatureCustom jws) {
Signature signatureVerifier;
try {
- signatureVerifier = Crypto.getSignature(signatureAlgorithmName);
+ signatureVerifier = Signature.getInstance(signatureAlgorithmName);
} catch (NoSuchAlgorithmException e) {
throw ExceptionUtil.wrapAndLog(
log, "Failed to get a Signature instance for " + signatureAlgorithmName, e);
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java
index c41a66adb..2b8c3c0f1 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java
@@ -26,14 +26,12 @@
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
-import com.yubico.internal.util.CollectionUtil;
import com.yubico.webauthn.data.AuthenticatorAssertionExtensionOutputs;
import com.yubico.webauthn.data.AuthenticatorData;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions;
import com.yubico.webauthn.data.UserIdentity;
-import java.util.List;
import java.util.Optional;
import lombok.Builder;
import lombok.NonNull;
@@ -109,9 +107,6 @@ public class AssertionResult {
private final AuthenticatorAssertionExtensionOutputs authenticatorExtensionOutputs;
- /** Zero or more human-readable messages about non-critical issues. */
- @NonNull private final List warnings;
-
@JsonCreator
private AssertionResult(
@JsonProperty("success") boolean success,
@@ -123,8 +118,7 @@ private AssertionResult(
@JsonProperty("clientExtensionOutputs")
ClientAssertionExtensionOutputs clientExtensionOutputs,
@JsonProperty("authenticatorExtensionOutputs")
- AuthenticatorAssertionExtensionOutputs authenticatorExtensionOutputs,
- @NonNull @JsonProperty("warnings") List warnings) {
+ AuthenticatorAssertionExtensionOutputs authenticatorExtensionOutputs) {
this.success = success;
this.credentialId = credentialId;
this.userHandle = userHandle;
@@ -136,7 +130,6 @@ private AssertionResult(
? null
: clientExtensionOutputs;
this.authenticatorExtensionOutputs = authenticatorExtensionOutputs;
- this.warnings = CollectionUtil.immutableList(warnings);
}
/**
@@ -230,16 +223,9 @@ public Step8 clientExtensionOutputs(
}
public class Step8 {
- public Step9 assertionExtensionOutputs(
+ public AssertionResultBuilder assertionExtensionOutputs(
AuthenticatorAssertionExtensionOutputs authenticatorExtensionOutputs) {
- builder.authenticatorExtensionOutputs(authenticatorExtensionOutputs);
- return new Step9();
- }
- }
-
- public class Step9 {
- public AssertionResultBuilder warnings(List warnings) {
- return builder.warnings(warnings);
+ return builder.authenticatorExtensionOutputs(authenticatorExtensionOutputs);
}
}
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationTrustResolver.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationTrustResolver.java
deleted file mode 100644
index ac87a2af2..000000000
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationTrustResolver.java
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn;
-
-import com.yubico.webauthn.attestation.Attestation;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.util.List;
-
-interface AttestationTrustResolver {
-
- Attestation resolveTrustAnchor(List certificateChain)
- throws CertificateEncodingException;
-}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java
index 9075f95f1..5893f0dd6 100755
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java
@@ -35,9 +35,8 @@
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
+import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
@@ -46,7 +45,6 @@
import java.security.spec.EllipticCurve;
import lombok.experimental.UtilityClass;
import lombok.extern.slf4j.Slf4j;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
@UtilityClass
@Slf4j
@@ -65,47 +63,6 @@ final class Crypto {
new BigInteger(
"41058363725152142129326129780047268409114441015993725554835256314039467401291", 10));
- /*
- * TODO: Delete this in the next major version release
- */
- private static class BouncyCastleLoader {
- private static Provider getProvider() {
- return new BouncyCastleProvider();
- }
- }
-
- /*
- * TODO: Delete this in the next major version release
- */
- public static KeyFactory getKeyFactory(String algorithm) throws NoSuchAlgorithmException {
- try {
- return KeyFactory.getInstance(algorithm);
- } catch (NoSuchAlgorithmException e) {
- log.debug("Caught {}. Attempting fallback to BouncyCastle...", e.toString());
- try {
- return KeyFactory.getInstance(algorithm, BouncyCastleLoader.getProvider());
- } catch (NoSuchAlgorithmException | NoClassDefFoundError e2) {
- throw e;
- }
- }
- }
-
- /*
- * TODO: Delete this in the next major version release
- */
- public static Signature getSignature(String algorithm) throws NoSuchAlgorithmException {
- try {
- return Signature.getInstance(algorithm);
- } catch (NoSuchAlgorithmException e) {
- log.debug("Caught {}. Attempting fallback to BouncyCastle...", e.toString());
- try {
- return Signature.getInstance(algorithm, BouncyCastleLoader.getProvider());
- } catch (NoSuchAlgorithmException | NoClassDefFoundError e2) {
- throw e;
- }
- }
- }
-
static boolean isP256(ECParameterSpec params) {
return P256.equals(params.getCurve());
}
@@ -145,4 +102,8 @@ public static ByteArray sha256(ByteArray bytes) {
public static ByteArray sha256(String str) {
return sha256(new ByteArray(str.getBytes(StandardCharsets.UTF_8)));
}
+
+ public static ByteArray sha1(ByteArray bytes) throws NoSuchAlgorithmException {
+ return new ByteArray(MessageDigest.getInstance("SHA-1").digest(bytes.getBytes()));
+ }
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/ExtensionsValidation.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/ExtensionsValidation.java
deleted file mode 100644
index 6c82e5357..000000000
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/ExtensionsValidation.java
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package com.yubico.webauthn;
-
-import com.upokecenter.cbor.CBORObject;
-import com.yubico.webauthn.data.AuthenticatorResponse;
-import com.yubico.webauthn.data.ClientExtensionOutputs;
-import com.yubico.webauthn.data.ExtensionInputs;
-import com.yubico.webauthn.data.PublicKeyCredential;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.stream.Collectors;
-import lombok.experimental.UtilityClass;
-
-@UtilityClass
-class ExtensionsValidation {
-
- static boolean validate(
- ExtensionInputs requested,
- PublicKeyCredential
- response) {
- Set