resources =
+ AttestationResolver.class.getClassLoader().getResources("META-INF/MANIFEST.MF");
+
+ while (resources.hasMoreElements()) {
+ final URL resource = resources.nextElement();
+ final Manifest manifest = new Manifest(resource.openStream());
+ if ("java-webauthn-server-attestation"
+ .equals(manifest.getMainAttributes().getValue("Implementation-Id"))) {
+ return manifest.getMainAttributes().getValue(key);
+ }
}
-
- @Test
- public void customImplementationPropertiesAreSet() throws IOException {
- assertTrue(lookup("Git-Commit").matches("^[a-f0-9]{40}$"));
- }
-
+ throw new NoSuchElementException("Could not find \"" + key + "\" in manifest.");
+ }
+
+ @Test
+ public void standardImplementationPropertiesAreSet() throws IOException {
+ assertTrue(lookup("Implementation-Title").contains("attestation"));
+ assertTrue(lookup("Implementation-Version").matches("^\\d+\\.\\d+\\.\\d+(-.*)?"));
+ assertEquals("Yubico", lookup("Implementation-Vendor"));
+ }
+
+ @Test
+ public void customImplementationPropertiesAreSet() throws IOException {
+ assertTrue(
+ lookup("Git-Commit").matches("^[a-f0-9]{40}$") || lookup("Git-Commit").equals("UNKNOWN"));
+ }
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core-minimal/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java b/test-dependent-projects/java-dep-webauthn-server-core-minimal/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
index d9ca840d2..e3dc68d5a 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core-minimal/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
+++ b/test-dependent-projects/java-dep-webauthn-server-core-minimal/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java
@@ -1,78 +1,75 @@
package com.yubico.webauthn;
+import static org.junit.Assert.assertTrue;
+
import COSE.CoseException;
import com.yubico.webauthn.data.AttestationObject;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
-import java.security.PublicKey;
+import java.security.Security;
import java.security.spec.InvalidKeySpecException;
+import java.util.Arrays;
import org.junit.Test;
import org.mockito.Mockito;
-import java.security.Security;
-import java.util.Arrays;
-
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
/**
- * Test that the BouncyCastle provider is not loaded by default
- * when depending on the webauthn-server-core-minimal package.
+ * Test that the BouncyCastle provider is not loaded by default when depending on the
+ * webauthn-server-core-minimal package.
*
- * Motivation: https://github.com/Yubico/java-webauthn-server/issues/97
+ * Motivation: https://github.com/Yubico/java-webauthn-server/issues/97
*/
public class BouncyCastleProviderPresenceTest {
- @Test(expected = ClassNotFoundException.class)
- public void bouncyCastleProviderIsNotInClasspath() throws ClassNotFoundException {
- Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
- }
+ @Test(expected = ClassNotFoundException.class)
+ public void bouncyCastleProviderIsNotInClasspath() throws ClassNotFoundException {
+ Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
+ }
- @Test
- public void bouncyCastleProviderIsNotLoadedByDefault() {
- assertTrue(
- Arrays.stream(Security.getProviders())
- .noneMatch(prov -> prov.getName().toLowerCase().contains("bouncy"))
- );
- }
+ @Test
+ public void bouncyCastleProviderIsNotLoadedByDefault() {
+ assertTrue(
+ Arrays.stream(Security.getProviders())
+ .noneMatch(prov -> prov.getName().toLowerCase().contains("bouncy")));
+ }
- @Test
- public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
- // The RelyingParty constructor has the possible side-effect of loading the BouncyCastle provider
- RelyingParty.builder()
- .identity(RelyingPartyIdentity.builder().id("foo").name("foo").build())
- .credentialRepository(Mockito.mock(CredentialRepository.class))
- .build();
+ @Test
+ public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
+ // The RelyingParty constructor has the possible side-effect of loading the BouncyCastle
+ // provider
+ RelyingParty.builder()
+ .identity(RelyingPartyIdentity.builder().id("foo").name("foo").build())
+ .credentialRepository(Mockito.mock(CredentialRepository.class))
+ .build();
- assertTrue(
- Arrays.stream(Security.getProviders())
- .noneMatch(prov ->
+ assertTrue(
+ Arrays.stream(Security.getProviders())
+ .noneMatch(
+ prov ->
prov.getName().equals("BC")
- || prov.getClass().getCanonicalName().contains("bouncy")
- ));
- }
+ || prov.getClass().getCanonicalName().contains("bouncy")));
+ }
- @Test
- public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey() throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
- try {
- WebAuthnCodecs.importCosePublicKey(
- new AttestationObject(RegistrationTestData.Packed$.MODULE$.BasicAttestationEdDsa().attestationObject())
- .getAuthenticatorData()
- .getAttestedCredentialData()
- .get()
- .getCredentialPublicKey()
- );
- } catch (NoSuchAlgorithmException e) {
- // OK
- }
-
- assertTrue(
- Arrays.stream(Security.getProviders())
- .noneMatch(prov ->
- prov.getName().equals("BC")
- || prov.getClass().getCanonicalName().contains("bouncy")
- ));
+ @Test
+ public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
+ throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+ try {
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$.BasicAttestationEdDsa().attestationObject())
+ .getAuthenticatorData()
+ .getAttestedCredentialData()
+ .get()
+ .getCredentialPublicKey());
+ } catch (NoSuchAlgorithmException e) {
+ // OK
}
+ assertTrue(
+ Arrays.stream(Security.getProviders())
+ .noneMatch(
+ prov ->
+ prov.getName().equals("BC")
+ || prov.getClass().getCanonicalName().contains("bouncy")));
+ }
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java b/test-dependent-projects/java-dep-webauthn-server-core/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
index 4c1a8b761..5201a6409 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
+++ b/test-dependent-projects/java-dep-webauthn-server-core/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
@@ -12,33 +12,50 @@
public class ThisShouldCompile {
- public RelyingParty getRp() {
- return RelyingParty.builder()
- .identity(RelyingPartyIdentity.builder()
- .id("localhost")
- .name("Example RP")
- .build())
- .credentialRepository(new CredentialRepository() {
- @Override public Set getCredentialIdsForUsername(String username) { return null; }
- @Override public Optional getUserHandleForUsername(String username) { return Optional.empty(); }
- @Override public Optional getUsernameForUserHandle(ByteArray userHandle) { return Optional.empty(); }
- @Override public Optional lookup(ByteArray credentialId, ByteArray userHandle) { return Optional.empty(); }
- @Override public Set lookupAll(ByteArray credentialId) { return null; }
- })
- .build();
- }
-
- public ByteArray getByteArray() {
- ByteArray a = new ByteArray(new byte[] {1, 2, 3, 4});
- byte[] b = a.getBytes();
- return a;
- }
-
- public PublicKeyCredentialType getPublicKeyCredentialType() {
- PublicKeyCredentialType a = PublicKeyCredentialType.PUBLIC_KEY;
- String b = a.toJsonString();
- return a;
- }
+ public RelyingParty getRp() {
+ return RelyingParty.builder()
+ .identity(RelyingPartyIdentity.builder().id("localhost").name("Example RP").build())
+ .credentialRepository(
+ new CredentialRepository() {
+ @Override
+ public Set getCredentialIdsForUsername(
+ String username) {
+ return null;
+ }
+ @Override
+ public Optional getUserHandleForUsername(String username) {
+ return Optional.empty();
+ }
+ @Override
+ public Optional getUsernameForUserHandle(ByteArray userHandle) {
+ return Optional.empty();
+ }
+
+ @Override
+ public Optional lookup(
+ ByteArray credentialId, ByteArray userHandle) {
+ return Optional.empty();
+ }
+
+ @Override
+ public Set lookupAll(ByteArray credentialId) {
+ return null;
+ }
+ })
+ .build();
+ }
+
+ public ByteArray getByteArray() {
+ ByteArray a = new ByteArray(new byte[] {1, 2, 3, 4});
+ byte[] b = a.getBytes();
+ return a;
+ }
+
+ public PublicKeyCredentialType getPublicKeyCredentialType() {
+ PublicKeyCredentialType a = PublicKeyCredentialType.PUBLIC_KEY;
+ String b = a.toJsonString();
+ return a;
+ }
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java
index ef87ce9f3..d3b38f338 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java
+++ b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java
@@ -1,5 +1,8 @@
package com.yubico.webauthn;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
import COSE.CoseException;
import com.yubico.webauthn.data.AttestationObject;
import com.yubico.webauthn.data.RelyingPartyIdentity;
@@ -17,66 +20,71 @@
import org.junit.Test;
import org.mockito.Mockito;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
public class CryptoAlgorithmsTest {
- private List providersBefore;
+ private List providersBefore;
- @Before
- public void setUp() {
- providersBefore = Stream.of(Security.getProviders()).collect(Collectors.toList());
+ @Before
+ public void setUp() {
+ providersBefore = Stream.of(Security.getProviders()).collect(Collectors.toList());
- // The RelyingParty constructor has the possible side-effect of loading the BouncyCastle provider
- RelyingParty.builder()
- .identity(RelyingPartyIdentity.builder().id("foo").name("foo").build())
- .credentialRepository(Mockito.mock(CredentialRepository.class))
- .build();
- }
+ // The RelyingParty constructor has the possible side-effect of loading the BouncyCastle
+ // provider
+ RelyingParty.builder()
+ .identity(RelyingPartyIdentity.builder().id("foo").name("foo").build())
+ .credentialRepository(Mockito.mock(CredentialRepository.class))
+ .build();
+ }
- @After
- public void tearDown() {
- for (Provider prov : Security.getProviders()) {
- Security.removeProvider(prov.getName());
- }
- providersBefore.forEach(Security::addProvider);
+ @After
+ public void tearDown() {
+ for (Provider prov : Security.getProviders()) {
+ Security.removeProvider(prov.getName());
}
+ providersBefore.forEach(Security::addProvider);
+ }
- @Test
- public void importRsa() throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
- PublicKey key = WebAuthnCodecs.importCosePublicKey(
- new AttestationObject(RegistrationTestData.Packed$.MODULE$.BasicAttestationRsa().attestationObject())
+ @Test
+ public void importRsa()
+ throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+ PublicKey key =
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$.BasicAttestationRsa().attestationObject())
.getAuthenticatorData()
.getAttestedCredentialData()
.get()
- .getCredentialPublicKey()
- );
- assertEquals(key.getAlgorithm(), "RSA");
- }
+ .getCredentialPublicKey());
+ assertEquals(key.getAlgorithm(), "RSA");
+ }
- @Test
- public void importEcdsa() throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
- PublicKey key = WebAuthnCodecs.importCosePublicKey(
- new AttestationObject(RegistrationTestData.Packed$.MODULE$.BasicAttestation().attestationObject())
+ @Test
+ public void importEcdsa()
+ throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+ PublicKey key =
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$.BasicAttestation().attestationObject())
.getAuthenticatorData()
.getAttestedCredentialData()
.get()
- .getCredentialPublicKey()
- );
- assertEquals(key.getAlgorithm(), "EC");
- }
+ .getCredentialPublicKey());
+ assertEquals(key.getAlgorithm(), "EC");
+ }
- @Test
- public void importEddsa() throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
- PublicKey key = WebAuthnCodecs.importCosePublicKey(
- new AttestationObject(RegistrationTestData.Packed$.MODULE$.BasicAttestationEdDsa().attestationObject())
+ @Test
+ public void importEddsa()
+ throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+ PublicKey key =
+ WebAuthnCodecs.importCosePublicKey(
+ new AttestationObject(
+ RegistrationTestData.Packed$.MODULE$
+ .BasicAttestationEdDsa()
+ .attestationObject())
.getAuthenticatorData()
.getAttestedCredentialData()
.get()
- .getCredentialPublicKey()
- );
- assertTrue("EdDSA".equals(key.getAlgorithm()) || "Ed25519".equals(key.getAlgorithm()));
- }
-
+ .getCredentialPublicKey());
+ assertTrue("EdDSA".equals(key.getAlgorithm()) || "Ed25519".equals(key.getAlgorithm()));
+ }
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/meta/ManifestInfoTest.java b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/meta/ManifestInfoTest.java
index 4a4aefd6b..2c7cad123 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/meta/ManifestInfoTest.java
+++ b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/meta/ManifestInfoTest.java
@@ -1,5 +1,8 @@
package com.yubico.webauthn.meta;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
import com.yubico.webauthn.RelyingParty;
import java.io.IOException;
import java.net.URL;
@@ -9,50 +12,49 @@
import java.util.jar.Manifest;
import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
public class ManifestInfoTest {
- private static String lookup(String key) throws IOException {
- final Enumeration resources = RelyingParty.class.getClassLoader().getResources("META-INF/MANIFEST.MF");
-
- while (resources.hasMoreElements()) {
- final URL resource = resources.nextElement();
- final Manifest manifest = new Manifest(resource.openStream());
- if ("java-webauthn-server".equals(manifest.getMainAttributes().getValue("Implementation-Id"))) {
- return manifest.getMainAttributes().getValue(key);
- }
- }
- throw new NoSuchElementException("Could not find \"" + key + "\" in manifest.");
- }
-
- @Test
- public void standardSpecPropertiesAreSet() throws IOException {
- assertTrue(lookup("Specification-Title").startsWith("Web Authentication"));
- assertTrue(lookup("Specification-Version").startsWith("Level"));
- assertEquals("World Wide Web Consortium", lookup("Specification-Vendor"));
+ private static String lookup(String key) throws IOException {
+ final Enumeration resources =
+ RelyingParty.class.getClassLoader().getResources("META-INF/MANIFEST.MF");
+
+ while (resources.hasMoreElements()) {
+ final URL resource = resources.nextElement();
+ final Manifest manifest = new Manifest(resource.openStream());
+ if ("java-webauthn-server"
+ .equals(manifest.getMainAttributes().getValue("Implementation-Id"))) {
+ return manifest.getMainAttributes().getValue(key);
+ }
}
-
-
- @Test
- public void customSpecPropertiesAreSet() throws IOException {
- assertTrue(lookup("Specification-Url").startsWith("https://"));
- assertTrue(lookup("Specification-Url-Latest").startsWith("https://"));
- assertTrue(DocumentStatus.fromString(lookup("Specification-W3c-Status")).isPresent());
- assertTrue(LocalDate.parse(lookup("Specification-Release-Date")).isAfter(LocalDate.of(2019, 3, 3)));
- }
-
- @Test
- public void standardImplementationPropertiesAreSet() throws IOException {
- assertTrue(lookup("Implementation-Title").contains("Web Authentication"));
- assertTrue(lookup("Implementation-Version").matches("^\\d+\\.\\d+\\.\\d+(-.*)?"));
- assertEquals("Yubico", lookup("Implementation-Vendor"));
- }
-
- @Test
- public void customImplementationPropertiesAreSet() throws IOException {
- assertTrue(lookup("Git-Commit").matches("^[a-f0-9]{40}$"));
- }
-
+ throw new NoSuchElementException("Could not find \"" + key + "\" in manifest.");
+ }
+
+ @Test
+ public void standardSpecPropertiesAreSet() throws IOException {
+ assertTrue(lookup("Specification-Title").startsWith("Web Authentication"));
+ assertTrue(lookup("Specification-Version").startsWith("Level"));
+ assertEquals("World Wide Web Consortium", lookup("Specification-Vendor"));
+ }
+
+ @Test
+ public void customSpecPropertiesAreSet() throws IOException {
+ assertTrue(lookup("Specification-Url").startsWith("https://"));
+ assertTrue(lookup("Specification-Url-Latest").startsWith("https://"));
+ assertTrue(DocumentStatus.fromString(lookup("Specification-W3c-Status")).isPresent());
+ assertTrue(
+ LocalDate.parse(lookup("Specification-Release-Date")).isAfter(LocalDate.of(2019, 3, 3)));
+ }
+
+ @Test
+ public void standardImplementationPropertiesAreSet() throws IOException {
+ assertTrue(lookup("Implementation-Title").contains("Web Authentication"));
+ assertTrue(lookup("Implementation-Version").matches("^\\d+\\.\\d+\\.\\d+(-.*)?"));
+ assertEquals("Yubico", lookup("Implementation-Vendor"));
+ }
+
+ @Test
+ public void customImplementationPropertiesAreSet() throws IOException {
+ assertTrue(
+ lookup("Git-Commit").matches("^[a-f0-9]{40}$") || lookup("Git-Commit").equals("UNKNOWN"));
+ }
}
diff --git a/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/meta/VersionInfoTest.java b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/meta/VersionInfoTest.java
index 3ef4f822c..e867eb214 100644
--- a/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/meta/VersionInfoTest.java
+++ b/test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/meta/VersionInfoTest.java
@@ -1,42 +1,44 @@
package com.yubico.webauthn.meta;
-import java.time.LocalDate;
-import org.junit.Test;
-
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
+import java.time.LocalDate;
+import org.junit.Test;
+
/**
- * Since this depends on the manifest of the core jar, and the manifest is build by Gradle, this test is likely to fail
- * when run in an IDE. It works as expected when run via Gradle.
+ * Since this depends on the manifest of the core jar, and the manifest is build by Gradle, this
+ * test is likely to fail when run in an IDE. It works as expected when run via Gradle.
*/
public class VersionInfoTest {
- final VersionInfo versionInfo = VersionInfo.getInstance();
-
- @Test
- public void specPropertiesAreSet() {
- final Specification spec = versionInfo.getSpecification();
- assertTrue(spec.getLatestVersionUrl().toExternalForm().startsWith("https://"));
- assertTrue(spec.getUrl().toExternalForm().startsWith("https://"));
- assertTrue(spec.getReleaseDate().isAfter(LocalDate.of(2019, 3, 3)));
- assertNotNull(spec.getStatus());
- }
-
- @Test
- public void implementationPropertiesAreSet() {
- final Implementation impl = versionInfo.getImplementation();
- assertTrue(impl.getSourceCodeUrl().toExternalForm().startsWith("https://"));
- assertTrue(impl.getVersion().matches("^\\d+\\.\\d+\\.\\d+(-.*)?"));
- assertTrue(impl.getGitCommit().matches("^[a-f0-9]{40}$"));
+ final VersionInfo versionInfo = VersionInfo.getInstance();
+
+ @Test
+ public void specPropertiesAreSet() {
+ final Specification spec = versionInfo.getSpecification();
+ assertTrue(spec.getLatestVersionUrl().toExternalForm().startsWith("https://"));
+ assertTrue(spec.getUrl().toExternalForm().startsWith("https://"));
+ assertTrue(spec.getReleaseDate().isAfter(LocalDate.of(2019, 3, 3)));
+ assertNotNull(spec.getStatus());
+ }
+
+ @Test
+ public void implementationPropertiesAreSet() {
+ final Implementation impl = versionInfo.getImplementation();
+ assertTrue(impl.getSourceCodeUrl().toExternalForm().startsWith("https://"));
+ assertTrue(impl.getVersion().matches("^\\d+\\.\\d+\\.\\d+(-.*)?"));
+ assertTrue(
+ impl.getGitCommit().matches("^[a-f0-9]{40}$") || impl.getGitCommit().equals("UNKNOWN"));
+ }
+
+ @Test
+ public void majorVersionIsUnknownOrAtLeast1() {
+ final String version = versionInfo.getImplementation().getVersion();
+ if (!"0.1.0-SNAPSHOT".equals(version)) {
+ String[] splits = version.split("\\.");
+ final int majorVersion = Integer.parseInt(splits[0]);
+ assertTrue(majorVersion >= 1);
}
-
- @Test
- public void majorVersionIsAtLeast1() {
- final String version = versionInfo.getImplementation().getVersion();
- String[] splits = version.split("\\.");
- final int majorVersion = Integer.parseInt(splits[0]);
- assertTrue(majorVersion >= 1);
- }
-
+ }
}
diff --git a/test-dependent-projects/java-dep-yubico-util/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java b/test-dependent-projects/java-dep-yubico-util/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
index 71f885e21..1a7effa38 100644
--- a/test-dependent-projects/java-dep-yubico-util/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
+++ b/test-dependent-projects/java-dep-yubico-util/src/main/java/com/yubico/test/compilability/ThisShouldCompile.java
@@ -5,8 +5,7 @@
public class ThisShouldCompile {
- public String getEncodedValue() throws JsonProcessingException {
- return JacksonCodecs.json().writeValueAsString("hej");
- }
-
+ public String getEncodedValue() throws JsonProcessingException {
+ return JacksonCodecs.json().writeValueAsString("hej");
+ }
}
diff --git a/webauthn-server-attestation/build.gradle b/webauthn-server-attestation/build.gradle
index c40388fdc..e59af0c86 100644
--- a/webauthn-server-attestation/build.gradle
+++ b/webauthn-server-attestation/build.gradle
@@ -1,12 +1,16 @@
plugins {
id 'java-library'
id 'scala'
+ id 'io.github.cosmicsilence.scalafix'
}
description = 'Yubico WebAuthn attestation subsystem'
project.ext.publishMe = true
+sourceCompatibility = 1.8
+targetCompatibility = 1.8
+
evaluationDependsOn(':webauthn-server-core-minimal')
dependencies {
@@ -17,28 +21,32 @@ dependencies {
implementation(
project(':yubico-util'),
- addVersion('com.google.guava:guava'),
- addVersion('com.fasterxml.jackson.core:jackson-databind'),
- addVersion('org.bouncycastle:bcprov-jdk15on'),
- addVersion('org.slf4j:slf4j-api'),
+ 'com.google.guava:guava',
+ 'com.fasterxml.jackson.core:jackson-databind',
+ 'org.bouncycastle:bcprov-jdk15on',
+ 'org.slf4j:slf4j-api',
)
testImplementation(
project(':webauthn-server-core-minimal').sourceSets.test.output,
project(':yubico-util-scala'),
- addVersion('junit:junit'),
- addVersion('org.mockito:mockito-core'),
- addVersion('org.scala-lang:scala-library'),
- addVersion('org.scalacheck:scalacheck_2.13'),
- addVersion('org.scalatest:scalatest_2.13'),
+ 'junit:junit',
+ 'org.mockito:mockito-core',
+ 'org.scala-lang:scala-library',
+ 'org.scalacheck:scalacheck_2.13',
+ 'org.scalatest:scalatest_2.13',
)
testRuntimeOnly(
- addVersion('ch.qos.logback:logback-classic'),
+ 'ch.qos.logback:logback-classic',
)
testRuntimeOnly(
// Transitive dependency from :webauthn-server-core:test
- addVersion('org.bouncycastle:bcpkix-jdk15on'),
+ 'org.bouncycastle:bcpkix-jdk15on',
+ )
+
+ testRuntimeOnly(
+ 'ch.qos.logback:logback-classic',
)
}
@@ -50,7 +58,7 @@ jar {
'Implementation-Title': project.description,
'Implementation-Version': project.version,
'Implementation-Vendor': 'Yubico',
- 'Git-Commit': getGitCommit(),
+ 'Git-Commit': getGitCommitOrUnknown(),
])
}
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/AttestationResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/AttestationResolver.java
index fb0d622a0..69a08efad 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/AttestationResolver.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/AttestationResolver.java
@@ -31,14 +31,13 @@
public interface AttestationResolver {
- /**
- * Alias of resolve(attestationCertificate, Collections.emptyList()).
- */
- default Optional resolve(X509Certificate attestationCertificate) {
- return resolve(attestationCertificate, Collections.emptyList());
- }
+ /** Alias of resolve(attestationCertificate, Collections.emptyList()). */
+ default Optional resolve(X509Certificate attestationCertificate) {
+ return resolve(attestationCertificate, Collections.emptyList());
+ }
- Optional resolve(X509Certificate attestationCertificate, List certificateChain);
- Attestation untrustedFromCertificate(X509Certificate attestationCertificate);
+ Optional resolve(
+ X509Certificate attestationCertificate, List certificateChain);
+ Attestation untrustedFromCertificate(X509Certificate attestationCertificate);
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/DeviceMatcher.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/DeviceMatcher.java
index 163ebc14d..8fd5a8c3f 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/DeviceMatcher.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/DeviceMatcher.java
@@ -28,5 +28,5 @@
import java.security.cert.X509Certificate;
public interface DeviceMatcher {
- boolean matches(X509Certificate attestationCertificate, JsonNode parameters);
+ boolean matches(X509Certificate attestationCertificate, JsonNode parameters);
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/MetadataObject.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/MetadataObject.java
index 1faeb7c68..7d75da901 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/MetadataObject.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/MetadataObject.java
@@ -48,79 +48,82 @@
@Slf4j
@JsonIgnoreProperties(ignoreUnknown = true)
-@EqualsAndHashCode(of = { "data" }, callSuper = false)
+@EqualsAndHashCode(
+ of = {"data"},
+ callSuper = false)
public final class MetadataObject {
- private static final ObjectMapper OBJECT_MAPPER = JacksonCodecs.json();
-
- private static final TypeReference> MAP_STRING_STRING_TYPE = new TypeReference>() {
- };
- private static final TypeReference> LIST_STRING_TYPE = new TypeReference>() {
- };
- private static final TypeReference> LIST_JSONNODE_TYPE = new TypeReference>() {
- };
-
- private final transient JsonNode data;
-
- private final String identifier;
- private final long version;
- private final Map vendorInfo;
- private final List trustedCertificates;
- private final List devices;
-
- @JsonCreator
- public MetadataObject(JsonNode data) {
- this.data = data;
- try {
- vendorInfo = OBJECT_MAPPER.readValue(data.get("vendorInfo").traverse(), MAP_STRING_STRING_TYPE);
- trustedCertificates = OBJECT_MAPPER.readValue(data.get("trustedCertificates").traverse(), LIST_STRING_TYPE);
- devices = OBJECT_MAPPER.readValue(data.get("devices").traverse(), LIST_JSONNODE_TYPE);
- } catch (IOException e) {
- throw new IllegalArgumentException("Invalid JSON data", e);
- }
-
- identifier = data.get("identifier").asText();
- version = data.get("version").asLong();
- }
-
- public static MetadataObject readDefault() {
- InputStream is = MetadataObject.class.getResourceAsStream("/metadata.json");
- try {
- return JacksonCodecs.json().readValue(is, MetadataObject.class);
- } catch (IOException e) {
- throw ExceptionUtil.wrapAndLog(log, "Failed to read default metadata", e);
- } finally {
- Closeables.closeQuietly(is);
- }
- }
-
- public String getIdentifier() {
- return identifier;
- }
-
- public long getVersion() {
- return version;
- }
-
- public Map getVendorInfo() {
- return vendorInfo;
- }
-
- public List getTrustedCertificates() {
- return trustedCertificates;
+ private static final ObjectMapper OBJECT_MAPPER = JacksonCodecs.json();
+
+ private static final TypeReference> MAP_STRING_STRING_TYPE =
+ new TypeReference>() {};
+ private static final TypeReference> LIST_STRING_TYPE =
+ new TypeReference>() {};
+ private static final TypeReference> LIST_JSONNODE_TYPE =
+ new TypeReference>() {};
+
+ private final transient JsonNode data;
+
+ private final String identifier;
+ private final long version;
+ private final Map vendorInfo;
+ private final List trustedCertificates;
+ private final List devices;
+
+ @JsonCreator
+ public MetadataObject(JsonNode data) {
+ this.data = data;
+ try {
+ vendorInfo =
+ OBJECT_MAPPER.readValue(data.get("vendorInfo").traverse(), MAP_STRING_STRING_TYPE);
+ trustedCertificates =
+ OBJECT_MAPPER.readValue(data.get("trustedCertificates").traverse(), LIST_STRING_TYPE);
+ devices = OBJECT_MAPPER.readValue(data.get("devices").traverse(), LIST_JSONNODE_TYPE);
+ } catch (IOException e) {
+ throw new IllegalArgumentException("Invalid JSON data", e);
}
- @JsonIgnore
- public List getParsedTrustedCertificates() throws CertificateException {
- List list = new ArrayList<>();
- for (String trustedCertificate : trustedCertificates) {
- X509Certificate x509Certificate = CertificateParser.parsePem(trustedCertificate);
- list.add(x509Certificate);
- }
- return list;
+ identifier = data.get("identifier").asText();
+ version = data.get("version").asLong();
+ }
+
+ public static MetadataObject readDefault() {
+ InputStream is = MetadataObject.class.getResourceAsStream("/metadata.json");
+ try {
+ return JacksonCodecs.json().readValue(is, MetadataObject.class);
+ } catch (IOException e) {
+ throw ExceptionUtil.wrapAndLog(log, "Failed to read default metadata", e);
+ } finally {
+ Closeables.closeQuietly(is);
}
-
- public List getDevices() {
- return MoreObjects.firstNonNull(devices, ImmutableList.of());
+ }
+
+ public String getIdentifier() {
+ return identifier;
+ }
+
+ public long getVersion() {
+ return version;
+ }
+
+ public Map getVendorInfo() {
+ return vendorInfo;
+ }
+
+ public List getTrustedCertificates() {
+ return trustedCertificates;
+ }
+
+ @JsonIgnore
+ public List getParsedTrustedCertificates() throws CertificateException {
+ List list = new ArrayList<>();
+ for (String trustedCertificate : trustedCertificates) {
+ X509Certificate x509Certificate = CertificateParser.parsePem(trustedCertificate);
+ list.add(x509Certificate);
}
+ return list;
+ }
+ public List getDevices() {
+ return MoreObjects.firstNonNull(devices, ImmutableList.of());
+ }
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/StandardMetadataService.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/StandardMetadataService.java
index 129eb699e..501b09eb5 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/StandardMetadataService.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/StandardMetadataService.java
@@ -41,108 +41,94 @@
import org.slf4j.LoggerFactory;
public final class StandardMetadataService implements MetadataService {
- private static final Logger logger = LoggerFactory.getLogger(StandardMetadataService.class);
+ private static final Logger logger = LoggerFactory.getLogger(StandardMetadataService.class);
- private final Attestation unknownAttestation = Attestation.empty();
- private final AttestationResolver attestationResolver;
- private final Cache cache;
+ private final Attestation unknownAttestation = Attestation.empty();
+ private final AttestationResolver attestationResolver;
+ private final Cache cache;
- private StandardMetadataService(
- @NonNull
- AttestationResolver attestationResolver,
- @NonNull
- Cache cache
- ) {
- this.attestationResolver = attestationResolver;
- this.cache = cache;
- }
+ private StandardMetadataService(
+ @NonNull AttestationResolver attestationResolver, @NonNull Cache cache) {
+ this.attestationResolver = attestationResolver;
+ this.cache = cache;
+ }
- public StandardMetadataService(AttestationResolver attestationResolver) {
- this(
- attestationResolver,
- CacheBuilder.newBuilder().build()
- );
- }
+ public StandardMetadataService(AttestationResolver attestationResolver) {
+ this(attestationResolver, CacheBuilder.newBuilder().build());
+ }
- public StandardMetadataService() throws CertificateException {
- this(createDefaultAttestationResolver());
- }
+ public StandardMetadataService() throws CertificateException {
+ this(createDefaultAttestationResolver());
+ }
- public static TrustResolver createDefaultTrustResolver() throws CertificateException {
- return SimpleTrustResolver.fromMetadata(Collections.singleton(MetadataObject.readDefault()));
- }
+ public static TrustResolver createDefaultTrustResolver() throws CertificateException {
+ return SimpleTrustResolver.fromMetadata(Collections.singleton(MetadataObject.readDefault()));
+ }
- public static AttestationResolver createDefaultAttestationResolver(TrustResolver trustResolver) throws CertificateException {
- return new SimpleAttestationResolver(
- Collections.singleton(MetadataObject.readDefault()),
- trustResolver
- );
- }
+ public static AttestationResolver createDefaultAttestationResolver(TrustResolver trustResolver)
+ throws CertificateException {
+ return new SimpleAttestationResolver(
+ Collections.singleton(MetadataObject.readDefault()), trustResolver);
+ }
- public static AttestationResolver createDefaultAttestationResolver() throws CertificateException {
- return createDefaultAttestationResolver(createDefaultTrustResolver());
- }
+ public static AttestationResolver createDefaultAttestationResolver() throws CertificateException {
+ return createDefaultAttestationResolver(createDefaultTrustResolver());
+ }
- public Attestation getCachedAttestation(String attestationCertificateFingerprint) {
- return cache.getIfPresent(attestationCertificateFingerprint);
- }
+ public Attestation getCachedAttestation(String attestationCertificateFingerprint) {
+ return cache.getIfPresent(attestationCertificateFingerprint);
+ }
- /**
- * Attempt to look up attestation for a chain of certificates
- *
- *
- * If there is a signature path from any trusted certificate to the first
- * certificate in attestationCertificateChain, then the first
- * certificate in attestationCertificateChain is matched
- * against the metadata registry to look up metadata for the device.
- *
- *
- *
- * If the certificate chain is trusted but no metadata exists in the
- * registry, the method returns a trusted attestation populated with
- * information found embedded in the attestation certificate.
- *
- *
- *
- * If the certificate chain is not trusted, the method returns an untrusted
- * attestation populated with {@link Attestation#getTransports() transports}
- * information found embedded in the attestation certificate.
- *
- *
- *
- * If the certificate chain is empty, an untrusted empty attestation is
- * returned.
- *
- *
- * @param attestationCertificateChain a certificate chain, where each
- * certificate in the list should be signed by the following certificate.
- *
- * @throws CertificateEncodingException if computation of the fingerprint
- * fails for any element of attestationCertificateChain that
- * needs to be inspected
- *
- * @return An attestation as described above.
- */
- @Override
- public Attestation getAttestation(@NonNull List attestationCertificateChain) throws CertificateEncodingException {
- if (attestationCertificateChain.isEmpty()) {
- return unknownAttestation;
- }
+ /**
+ * Attempt to look up attestation for a chain of certificates
+ *
+ * If there is a signature path from any trusted certificate to the first certificate in
+ * attestationCertificateChain, then the first certificate in
+ * attestationCertificateChain is matched against the metadata registry to look up metadata
+ * for the device.
+ *
+ *
If the certificate chain is trusted but no metadata exists in the registry, the method
+ * returns a trusted attestation populated with information found embedded in the attestation
+ * certificate.
+ *
+ *
If the certificate chain is not trusted, the method returns an untrusted attestation
+ * populated with {@link Attestation#getTransports() transports} information found embedded in the
+ * attestation certificate.
+ *
+ *
If the certificate chain is empty, an untrusted empty attestation is returned.
+ *
+ * @param attestationCertificateChain a certificate chain, where each certificate in the list
+ * should be signed by the following certificate.
+ * @throws CertificateEncodingException if computation of the fingerprint fails for any element of
+ * attestationCertificateChain that needs to be inspected
+ * @return An attestation as described above.
+ */
+ @Override
+ public Attestation getAttestation(@NonNull List attestationCertificateChain)
+ throws CertificateEncodingException {
+ if (attestationCertificateChain.isEmpty()) {
+ return unknownAttestation;
+ }
- X509Certificate attestationCertificate = attestationCertificateChain.get(0);
- List certificateChain = attestationCertificateChain.subList(1, attestationCertificateChain.size());
+ X509Certificate attestationCertificate = attestationCertificateChain.get(0);
+ List certificateChain =
+ attestationCertificateChain.subList(1, attestationCertificateChain.size());
- try {
- final String fingerprint = Hashing.sha1().hashBytes(attestationCertificate.getEncoded()).toString();
- return cache.get(
- fingerprint,
- () ->
- attestationResolver.resolve(attestationCertificate, certificateChain)
- .orElseGet(() -> attestationResolver.untrustedFromCertificate(attestationCertificate))
- );
- } catch (ExecutionException e) {
- throw ExceptionUtil.wrapAndLog(logger, "Failed to look up attestation information for certificate: " + attestationCertificate, e);
- }
+ try {
+ final String fingerprint =
+ Hashing.sha1().hashBytes(attestationCertificate.getEncoded()).toString();
+ return cache.get(
+ fingerprint,
+ () ->
+ attestationResolver
+ .resolve(attestationCertificate, certificateChain)
+ .orElseGet(
+ () -> attestationResolver.untrustedFromCertificate(attestationCertificate)));
+ } catch (ExecutionException e) {
+ throw ExceptionUtil.wrapAndLog(
+ logger,
+ "Failed to look up attestation information for certificate: " + attestationCertificate,
+ e);
}
-
+ }
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/TrustResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/TrustResolver.java
index 105fce61a..803d879a2 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/TrustResolver.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/TrustResolver.java
@@ -31,25 +31,25 @@
public interface TrustResolver {
- /**
- * Alias of resolveTrustAnchor(attestationCertificate, Collections.emptyList()).
- *
- * @see #resolveTrustAnchor(X509Certificate, List)
- */
- default Optional resolveTrustAnchor(X509Certificate attestationCertificate) {
- return resolveTrustAnchor(attestationCertificate, Collections.emptyList());
- }
-
- /**
- * Resolve a trusted root anchor for the given attestation certificate and certificate chain
- *
- * @param attestationCertificate The attestation certificate
- * @param caCertificateChain Zero or more certificates, of which the first
- * has signed attestationCertificate and each of the
- * remaining certificates has signed the certificate preceding it.
- * @return A trusted root certificate from which there is a signature path
- * to attestationCertificate, if one exists.
- */
- Optional resolveTrustAnchor(X509Certificate attestationCertificate, List caCertificateChain);
+ /**
+ * Alias of resolveTrustAnchor(attestationCertificate, Collections.emptyList()).
+ *
+ * @see #resolveTrustAnchor(X509Certificate, List)
+ */
+ default Optional resolveTrustAnchor(X509Certificate attestationCertificate) {
+ return resolveTrustAnchor(attestationCertificate, Collections.emptyList());
+ }
+ /**
+ * Resolve a trusted root anchor for the given attestation certificate and certificate chain
+ *
+ * @param attestationCertificate The attestation certificate
+ * @param caCertificateChain Zero or more certificates, of which the first has signed
+ * attestationCertificate and each of the remaining certificates has signed the
+ * certificate preceding it.
+ * @return A trusted root certificate from which there is a signature path to
+ * attestationCertificate, if one exists.
+ */
+ Optional resolveTrustAnchor(
+ X509Certificate attestationCertificate, List caCertificateChain);
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/ExtensionMatcher.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/ExtensionMatcher.java
index 276069944..fa6f0b269 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/ExtensionMatcher.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/ExtensionMatcher.java
@@ -37,101 +37,99 @@
@Slf4j
public final class ExtensionMatcher implements DeviceMatcher {
- private static final Charset CHARSET = Charset.forName("UTF-8");
+ private static final Charset CHARSET = Charset.forName("UTF-8");
- public static final String SELECTOR_TYPE = "x509Extension";
+ public static final String SELECTOR_TYPE = "x509Extension";
- private static final String EXTENSION_KEY = "key";
- private static final String EXTENSION_VALUE = "value";
- private static final String EXTENSION_VALUE_TYPE = "type";
- private static final String EXTENSION_VALUE_VALUE = "value";
- private static final String EXTENSION_VALUE_TYPE_HEX = "hex";
+ private static final String EXTENSION_KEY = "key";
+ private static final String EXTENSION_VALUE = "value";
+ private static final String EXTENSION_VALUE_TYPE = "type";
+ private static final String EXTENSION_VALUE_VALUE = "value";
+ private static final String EXTENSION_VALUE_TYPE_HEX = "hex";
- @Override
- public boolean matches(X509Certificate attestationCertificate, JsonNode parameters) {
- String matchKey = parameters.get(EXTENSION_KEY).asText();
- JsonNode matchValue = parameters.get(EXTENSION_VALUE);
- byte[] extensionValue = attestationCertificate.getExtensionValue(matchKey);
- if (extensionValue != null) {
- if (matchValue == null) {
- return true;
- } else {
- try {
- final ASN1Primitive value = ASN1Primitive.fromByteArray(extensionValue);
+ @Override
+ public boolean matches(X509Certificate attestationCertificate, JsonNode parameters) {
+ String matchKey = parameters.get(EXTENSION_KEY).asText();
+ JsonNode matchValue = parameters.get(EXTENSION_VALUE);
+ byte[] extensionValue = attestationCertificate.getExtensionValue(matchKey);
+ if (extensionValue != null) {
+ if (matchValue == null) {
+ return true;
+ } else {
+ try {
+ final ASN1Primitive value = ASN1Primitive.fromByteArray(extensionValue);
- if (matchValue.isObject()) {
- if (matchTypedValue(matchKey, matchValue, value)) {
- return true;
- }
- } else if (matchValue.isTextual()) {
- if (matchStringValue(matchKey, matchValue, value)) return true;
- }
- } catch (IOException e) {
- log.error("Failed to parse extension value as ASN1: {}", new ByteArray(extensionValue).getHex(), e);
- }
+ if (matchValue.isObject()) {
+ if (matchTypedValue(matchKey, matchValue, value)) {
+ return true;
}
+ } else if (matchValue.isTextual()) {
+ if (matchStringValue(matchKey, matchValue, value)) return true;
+ }
+ } catch (IOException e) {
+ log.error(
+ "Failed to parse extension value as ASN1: {}",
+ new ByteArray(extensionValue).getHex(),
+ e);
}
- return false;
+ }
}
+ return false;
+ }
- private boolean matchStringValue(String matchKey, JsonNode matchValue, ASN1Primitive value) {
- if (value instanceof DEROctetString) {
- final String readValue = new String(((DEROctetString) value).getOctets(), CHARSET);
- return matchValue.asText().equals(readValue);
- } else {
- log.debug("Expected text string value for extension {}, was: {}", matchKey, value);
- return false;
- }
+ private boolean matchStringValue(String matchKey, JsonNode matchValue, ASN1Primitive value) {
+ if (value instanceof DEROctetString) {
+ final String readValue = new String(((DEROctetString) value).getOctets(), CHARSET);
+ return matchValue.asText().equals(readValue);
+ } else {
+ log.debug("Expected text string value for extension {}, was: {}", matchKey, value);
+ return false;
}
+ }
- private boolean matchTypedValue(String matchKey, JsonNode matchValue, ASN1Primitive value) {
- final String extensionValueType = matchValue.get(EXTENSION_VALUE_TYPE).textValue();
- switch (extensionValueType) {
- case EXTENSION_VALUE_TYPE_HEX:
- return matchHex(matchKey, matchValue, value);
+ private boolean matchTypedValue(String matchKey, JsonNode matchValue, ASN1Primitive value) {
+ final String extensionValueType = matchValue.get(EXTENSION_VALUE_TYPE).textValue();
+ switch (extensionValueType) {
+ case EXTENSION_VALUE_TYPE_HEX:
+ return matchHex(matchKey, matchValue, value);
- default:
- throw new IllegalArgumentException(String.format(
- "Unknown extension value type \"%s\" for extension \"%s\"",
- extensionValueType,
- matchKey
- ));
- }
+ default:
+ throw new IllegalArgumentException(
+ String.format(
+ "Unknown extension value type \"%s\" for extension \"%s\"",
+ extensionValueType, matchKey));
}
+ }
- private boolean matchHex(String matchKey, JsonNode matchValue, ASN1Primitive value) {
- final String matchValueString = matchValue.get(EXTENSION_VALUE_VALUE).textValue();
- final ByteArray matchBytes;
- try {
- matchBytes = ByteArray.fromHex(matchValueString);
- } catch (HexException e) {
- throw new IllegalArgumentException(String.format(
- "Bad hex value in extension %s: %s",
- matchKey,
- matchValueString
- ));
- }
-
- final ASN1Primitive innerValue;
- if (value instanceof DEROctetString) {
- try {
- innerValue = ASN1Primitive.fromByteArray(((DEROctetString) value).getOctets());
- } catch (IOException e) {
- log.debug("Failed to parse {} extension value as ASN1: {}", matchKey, value);
- return false;
- }
- } else {
- log.debug("Expected nested bit string value for extension {}, was: {}", matchKey, value);
- return false;
- }
+ private boolean matchHex(String matchKey, JsonNode matchValue, ASN1Primitive value) {
+ final String matchValueString = matchValue.get(EXTENSION_VALUE_VALUE).textValue();
+ final ByteArray matchBytes;
+ try {
+ matchBytes = ByteArray.fromHex(matchValueString);
+ } catch (HexException e) {
+ throw new IllegalArgumentException(
+ String.format("Bad hex value in extension %s: %s", matchKey, matchValueString));
+ }
- if (innerValue instanceof DEROctetString) {
- final ByteArray readBytes = new ByteArray(((DEROctetString) innerValue).getOctets());
- return matchBytes.equals(readBytes);
- } else {
- log.debug("Expected nested bit string value for extension {}, was: {}", matchKey, value);
- return false;
- }
+ final ASN1Primitive innerValue;
+ if (value instanceof DEROctetString) {
+ try {
+ innerValue = ASN1Primitive.fromByteArray(((DEROctetString) value).getOctets());
+ } catch (IOException e) {
+ log.debug("Failed to parse {} extension value as ASN1: {}", matchKey, value);
+ return false;
+ }
+ } else {
+ log.debug("Expected nested bit string value for extension {}, was: {}", matchKey, value);
+ return false;
}
+ if (innerValue instanceof DEROctetString) {
+ final ByteArray readBytes = new ByteArray(((DEROctetString) innerValue).getOctets());
+ return matchBytes.equals(readBytes);
+ } else {
+ log.debug("Expected nested bit string value for extension {}, was: {}", matchKey, value);
+ return false;
+ }
+ }
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcher.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcher.java
index cdd7f3720..a057368c3 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcher.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcher.java
@@ -31,25 +31,26 @@
import java.security.cert.X509Certificate;
public final class FingerprintMatcher implements DeviceMatcher {
- public static final String SELECTOR_TYPE = "fingerprint";
+ public static final String SELECTOR_TYPE = "fingerprint";
- private static final String FINGERPRINTS_KEY = "fingerprints";
+ private static final String FINGERPRINTS_KEY = "fingerprints";
- @Override
- public boolean matches(X509Certificate attestationCertificate, JsonNode parameters) {
- JsonNode fingerprints = parameters.get(FINGERPRINTS_KEY);
- if(fingerprints.isArray()) {
- try {
- String fingerprint = Hashing.sha1().hashBytes(attestationCertificate.getEncoded()).toString().toLowerCase();
- for(JsonNode candidate : fingerprints) {
- if(fingerprint.equals(candidate.asText().toLowerCase())) {
- return true;
- }
- }
- } catch (CertificateEncodingException e) {
- //Fall through to return false.
- }
+ @Override
+ public boolean matches(X509Certificate attestationCertificate, JsonNode parameters) {
+ JsonNode fingerprints = parameters.get(FINGERPRINTS_KEY);
+ if (fingerprints.isArray()) {
+ try {
+ String fingerprint =
+ Hashing.sha1().hashBytes(attestationCertificate.getEncoded()).toString().toLowerCase();
+ for (JsonNode candidate : fingerprints) {
+ if (fingerprint.equals(candidate.asText().toLowerCase())) {
+ return true;
+ }
}
- return false;
+ } catch (CertificateEncodingException e) {
+ // Fall through to return false.
+ }
}
+ return false;
+ }
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeAttestationResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeAttestationResolver.java
index e0bb0b5c7..85ff4a367 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeAttestationResolver.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeAttestationResolver.java
@@ -32,40 +32,37 @@
import java.util.Optional;
/**
- * An {@link AttestationResolver} whose {@link #resolve(X509Certificate, List)}
- * method calls {@link AttestationResolver#resolve(X509Certificate, List)} on
- * each of the subordinate {@link AttestationResolver}s in turn, and returns
- * the first non-null result.
+ * An {@link AttestationResolver} whose {@link #resolve(X509Certificate, List)} method calls {@link
+ * AttestationResolver#resolve(X509Certificate, List)} on each of the subordinate {@link
+ * AttestationResolver}s in turn, and returns the first non-null result.
*/
public final class CompositeAttestationResolver implements AttestationResolver {
- private final List resolvers;
+ private final List resolvers;
- public CompositeAttestationResolver(List resolvers) {
- this.resolvers = CollectionUtil.immutableList(resolvers);
- }
+ public CompositeAttestationResolver(List resolvers) {
+ this.resolvers = CollectionUtil.immutableList(resolvers);
+ }
- @Override
- public Optional resolve(X509Certificate attestationCertificate, List certificateChain) {
- for (AttestationResolver resolver : resolvers) {
- Optional result = resolver.resolve(attestationCertificate, certificateChain);
- if (result.isPresent()) {
- return result;
- }
- }
- return Optional.empty();
+ @Override
+ public Optional resolve(
+ X509Certificate attestationCertificate, List certificateChain) {
+ for (AttestationResolver resolver : resolvers) {
+ Optional result = resolver.resolve(attestationCertificate, certificateChain);
+ if (result.isPresent()) {
+ return result;
+ }
}
+ return Optional.empty();
+ }
- /**
- * Delegates to the first subordinate resolver, or throws an exception if there is none.
- */
- @Override
- public Attestation untrustedFromCertificate(X509Certificate attestationCertificate) {
- if (resolvers.isEmpty()) {
- throw new UnsupportedOperationException("Cannot do this without any sub-resolver.");
- } else {
- return resolvers.get(0).untrustedFromCertificate(attestationCertificate);
- }
+ /** Delegates to the first subordinate resolver, or throws an exception if there is none. */
+ @Override
+ public Attestation untrustedFromCertificate(X509Certificate attestationCertificate) {
+ if (resolvers.isEmpty()) {
+ throw new UnsupportedOperationException("Cannot do this without any sub-resolver.");
+ } else {
+ return resolvers.get(0).untrustedFromCertificate(attestationCertificate);
}
-
+ }
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeTrustResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeTrustResolver.java
index c1cc4be31..4578f29ea 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeTrustResolver.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeTrustResolver.java
@@ -31,27 +31,28 @@
import java.util.Optional;
/**
- * A {@link TrustResolver} whose {@link #resolveTrustAnchor(X509Certificate,
- * List)} method calls {@link TrustResolver#resolveTrustAnchor(X509Certificate,
- * List)} on each of the subordinate {@link TrustResolver}s in turn, and
- * returns the first non-null result.
+ * A {@link TrustResolver} whose {@link #resolveTrustAnchor(X509Certificate, List)} method calls
+ * {@link TrustResolver#resolveTrustAnchor(X509Certificate, List)} on each of the subordinate {@link
+ * TrustResolver}s in turn, and returns the first non-null result.
*/
public final class CompositeTrustResolver implements TrustResolver {
- private final List resolvers;
+ private final List resolvers;
- public CompositeTrustResolver(List resolvers) {
- this.resolvers = CollectionUtil.immutableList(resolvers);
- }
+ public CompositeTrustResolver(List resolvers) {
+ this.resolvers = CollectionUtil.immutableList(resolvers);
+ }
- @Override
- public Optional resolveTrustAnchor(X509Certificate attestationCertificate, List certificateChain) {
- for (TrustResolver resolver : resolvers) {
- Optional result = resolver.resolveTrustAnchor(attestationCertificate, certificateChain);
- if (result.isPresent()) {
- return result;
- }
- }
- return Optional.empty();
+ @Override
+ public Optional resolveTrustAnchor(
+ X509Certificate attestationCertificate, List certificateChain) {
+ for (TrustResolver resolver : resolvers) {
+ Optional result =
+ resolver.resolveTrustAnchor(attestationCertificate, certificateChain);
+ if (result.isPresent()) {
+ return result;
+ }
}
+ return Optional.empty();
+ }
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolver.java
index 37878434a..a3e7a4d57 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolver.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolver.java
@@ -31,6 +31,7 @@
import com.yubico.internal.util.CertificateParser;
import com.yubico.internal.util.CollectionUtil;
import com.yubico.internal.util.ExceptionUtil;
+import com.yubico.internal.util.OptionalUtil;
import com.yubico.webauthn.attestation.Attestation;
import com.yubico.webauthn.attestation.AttestationResolver;
import com.yubico.webauthn.attestation.DeviceMatcher;
@@ -49,144 +50,153 @@
import java.util.Optional;
import lombok.NonNull;
-
public final class SimpleAttestationResolver implements AttestationResolver {
- private static final String SELECTORS = "selectors";
- private static final String SELECTOR_TYPE = "type";
- private static final String SELECTOR_PARAMETERS = "parameters";
-
- private static final String TRANSPORTS = "transports";
- private static final String TRANSPORTS_EXT_OID = "1.3.6.1.4.1.45724.2.1.1";
-
- private static final Map DEFAULT_DEVICE_MATCHERS = ImmutableMap.of(
- ExtensionMatcher.SELECTOR_TYPE, new ExtensionMatcher(),
- FingerprintMatcher.SELECTOR_TYPE, new FingerprintMatcher()
- );
-
- private final Map metadata = new HashMap<>();
- private final TrustResolver trustResolver;
- private final Map matchers;
-
- public SimpleAttestationResolver(
- @NonNull Collection objects,
- @NonNull TrustResolver trustResolver,
- @NonNull Map matchers
- ) throws CertificateException {
- for (MetadataObject object : objects) {
- for (String caPem : object.getTrustedCertificates()) {
- X509Certificate trustAnchor = CertificateParser.parsePem(caPem);
- metadata.put(trustAnchor, object);
- }
- }
-
- this.trustResolver = trustResolver;
- this.matchers = CollectionUtil.immutableMap(matchers);
- }
-
- public SimpleAttestationResolver(Collection objects, TrustResolver trustResolver) throws CertificateException {
- this(objects, trustResolver, DEFAULT_DEVICE_MATCHERS);
+ private static final String SELECTORS = "selectors";
+ private static final String SELECTOR_TYPE = "type";
+ private static final String SELECTOR_PARAMETERS = "parameters";
+
+ private static final String TRANSPORTS = "transports";
+ private static final String TRANSPORTS_EXT_OID = "1.3.6.1.4.1.45724.2.1.1";
+
+ private static final Map DEFAULT_DEVICE_MATCHERS =
+ ImmutableMap.of(
+ ExtensionMatcher.SELECTOR_TYPE, new ExtensionMatcher(),
+ FingerprintMatcher.SELECTOR_TYPE, new FingerprintMatcher());
+
+ private final Map metadata = new HashMap<>();
+ private final TrustResolver trustResolver;
+ private final Map matchers;
+
+ public SimpleAttestationResolver(
+ @NonNull Collection objects,
+ @NonNull TrustResolver trustResolver,
+ @NonNull Map matchers)
+ throws CertificateException {
+ for (MetadataObject object : objects) {
+ for (String caPem : object.getTrustedCertificates()) {
+ X509Certificate trustAnchor = CertificateParser.parsePem(caPem);
+ metadata.put(trustAnchor, object);
+ }
}
- private Optional lookupTrustAnchor(X509Certificate trustAnchor) {
- return Optional.ofNullable(metadata.get(trustAnchor));
- }
-
- @Override
- public Optional resolve(X509Certificate attestationCertificate, List certificateChain) {
- Optional trustAnchor = trustResolver.resolveTrustAnchor(attestationCertificate, certificateChain);
-
- return trustAnchor.flatMap(this::lookupTrustAnchor).map(metadata -> {
- Map vendorProperties;
- Map deviceProperties = null;
- String identifier;
- int metadataTransports = 0;
-
- identifier = metadata.getIdentifier();
- vendorProperties = Maps.filterValues(metadata.getVendorInfo(), Objects::nonNull);
- for (JsonNode device : metadata.getDevices()) {
+ this.trustResolver = trustResolver;
+ this.matchers = CollectionUtil.immutableMap(matchers);
+ }
+
+ public SimpleAttestationResolver(Collection objects, TrustResolver trustResolver)
+ throws CertificateException {
+ this(objects, trustResolver, DEFAULT_DEVICE_MATCHERS);
+ }
+
+ private Optional lookupTrustAnchor(X509Certificate trustAnchor) {
+ return Optional.ofNullable(metadata.get(trustAnchor));
+ }
+
+ @Override
+ public Optional resolve(
+ X509Certificate attestationCertificate, List certificateChain) {
+ Optional trustAnchor =
+ trustResolver.resolveTrustAnchor(attestationCertificate, certificateChain);
+
+ return trustAnchor
+ .flatMap(this::lookupTrustAnchor)
+ .map(
+ metadata -> {
+ Map vendorProperties;
+ Map deviceProperties = null;
+ String identifier;
+ int metadataTransports = 0;
+
+ identifier = metadata.getIdentifier();
+ vendorProperties = Maps.filterValues(metadata.getVendorInfo(), Objects::nonNull);
+ for (JsonNode device : metadata.getDevices()) {
if (deviceMatches(device.get(SELECTORS), attestationCertificate)) {
- JsonNode transportNode = device.get(TRANSPORTS);
- if (transportNode != null) {
- metadataTransports |= transportNode.asInt(0);
- }
- ImmutableMap.Builder devicePropertiesBuilder = ImmutableMap.builder();
- for (Map.Entry deviceEntry : Lists.newArrayList(device.fields())) {
- JsonNode value = deviceEntry.getValue();
- if (value.isTextual()) {
- devicePropertiesBuilder.put(deviceEntry.getKey(), value.asText());
- }
+ JsonNode transportNode = device.get(TRANSPORTS);
+ if (transportNode != null) {
+ metadataTransports |= transportNode.asInt(0);
+ }
+ ImmutableMap.Builder devicePropertiesBuilder =
+ ImmutableMap.builder();
+ for (Map.Entry deviceEntry :
+ Lists.newArrayList(device.fields())) {
+ JsonNode value = deviceEntry.getValue();
+ if (value.isTextual()) {
+ devicePropertiesBuilder.put(deviceEntry.getKey(), value.asText());
}
- deviceProperties = devicePropertiesBuilder.build();
- break;
+ }
+ deviceProperties = devicePropertiesBuilder.build();
+ break;
}
- }
-
- return Attestation.builder()
- .trusted(true)
- .metadataIdentifier(Optional.ofNullable(identifier))
- .vendorProperties(Optional.of(vendorProperties))
- .deviceProperties(Optional.ofNullable(deviceProperties))
- .transports(Optional.of(Transport.fromInt(getTransports(attestationCertificate) | metadataTransports)))
- .build();
- });
- }
-
- private boolean deviceMatches(
- JsonNode selectors,
- @NonNull X509Certificate attestationCertificate
- ) {
- if (selectors == null || selectors.isNull()) {
- return true;
- } else {
- for (JsonNode selector : selectors) {
- DeviceMatcher matcher = matchers.get(selector.get(SELECTOR_TYPE).asText());
- if (matcher != null && matcher.matches(attestationCertificate, selector.get(SELECTOR_PARAMETERS))) {
- return true;
- }
- }
- return false;
+ }
+
+ return Attestation.builder()
+ .trusted(true)
+ .metadataIdentifier(Optional.ofNullable(identifier))
+ .vendorProperties(Optional.of(vendorProperties))
+ .deviceProperties(Optional.ofNullable(deviceProperties))
+ .transports(
+ OptionalUtil.zipWith(
+ getTransports(attestationCertificate),
+ Optional.of(metadataTransports).filter(t -> t != 0),
+ (a, b) -> a | b)
+ .map(Transport::fromInt))
+ .build();
+ });
+ }
+
+ private boolean deviceMatches(
+ JsonNode selectors, @NonNull X509Certificate attestationCertificate) {
+ if (selectors == null || selectors.isNull()) {
+ return true;
+ } else {
+ for (JsonNode selector : selectors) {
+ DeviceMatcher matcher = matchers.get(selector.get(SELECTOR_TYPE).asText());
+ if (matcher != null
+ && matcher.matches(attestationCertificate, selector.get(SELECTOR_PARAMETERS))) {
+ return true;
}
+ }
+ return false;
}
+ }
- private static int getTransports(X509Certificate cert) {
- byte[] extensionValue = cert.getExtensionValue(TRANSPORTS_EXT_OID);
-
- if(extensionValue == null) {
- return 0;
- }
+ private static Optional getTransports(X509Certificate cert) {
+ byte[] extensionValue = cert.getExtensionValue(TRANSPORTS_EXT_OID);
- ExceptionUtil.assure(
- extensionValue.length >= 4,
- "Transports extension value must be at least 4 bytes (2 bytes octet string header, 2 bytes bit string header), was: %d",
- extensionValue.length
- );
+ if (extensionValue == null) {
+ return Optional.empty();
+ }
- // Mask out unused bits (shouldn't be needed as they should already be 0).
- int unusedBitMask = 0xff;
- for(int i=0; i < extensionValue[3]; i++) {
- unusedBitMask <<= 1;
- }
- extensionValue[extensionValue.length-1] &= unusedBitMask;
-
- int transports = 0;
- for(int i=extensionValue.length - 1; i >= 5; i--) {
- byte b = extensionValue[i];
- for(int bi=0; bi < 8; bi++) {
- transports = (transports << 1) | (b & 1);
- b >>= 1;
- }
- }
+ ExceptionUtil.assure(
+ extensionValue.length >= 4,
+ "Transports extension value must be at least 4 bytes (2 bytes octet string header, 2 bytes bit string header), was: %d",
+ extensionValue.length);
- return transports;
+ // Mask out unused bits (shouldn't be needed as they should already be 0).
+ int unusedBitMask = 0xff;
+ for (int i = 0; i < extensionValue[3]; i++) {
+ unusedBitMask <<= 1;
}
-
- @Override
- public Attestation untrustedFromCertificate(X509Certificate attestationCertificate) {
- return Attestation.builder()
- .trusted(false)
- .transports(Optional.of(Transport.fromInt(getTransports(attestationCertificate))))
- .build();
+ extensionValue[extensionValue.length - 1] &= unusedBitMask;
+
+ int transports = 0;
+ for (int i = extensionValue.length - 1; i >= 5; i--) {
+ byte b = extensionValue[i];
+ for (int bi = 0; bi < 8; bi++) {
+ transports = (transports << 1) | (b & 1);
+ b >>= 1;
+ }
}
+ return Optional.of(transports);
+ }
+
+ @Override
+ public Attestation untrustedFromCertificate(X509Certificate attestationCertificate) {
+ return Attestation.builder()
+ .trusted(false)
+ .transports(getTransports(attestationCertificate).map(Transport::fromInt))
+ .build();
+ }
}
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.java
index 8020eb505..e7552a7cb 100644
--- a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.java
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.java
@@ -46,79 +46,97 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
/**
- * Assesses whether an argument certificate can be trusted, and if so, by what
- * trusted root certificate.
+ * Assesses whether an argument certificate can be trusted, and if so, by what trusted root
+ * certificate.
*/
public final class SimpleTrustResolver implements TrustResolver {
- private static final Logger logger = LoggerFactory.getLogger(SimpleTrustResolver.class);
+ private static final Logger logger = LoggerFactory.getLogger(SimpleTrustResolver.class);
- private final Multimap trustedCerts = ArrayListMultimap.create();
+ private final Multimap trustedCerts = ArrayListMultimap.create();
- public SimpleTrustResolver(Iterable trustedCertificates) {
- for (X509Certificate cert : trustedCertificates) {
- trustedCerts.put(cert.getSubjectDN().getName(), cert);
- }
+ public SimpleTrustResolver(Iterable trustedCertificates) {
+ for (X509Certificate cert : trustedCertificates) {
+ trustedCerts.put(cert.getSubjectDN().getName(), cert);
}
-
- public static SimpleTrustResolver fromMetadata(Iterable metadataObjects) throws CertificateException {
- Set certs = new HashSet<>();
- for (MetadataObject metadata : metadataObjects) {
- for (String encodedCert : metadata.getTrustedCertificates()) {
- certs.add(CertificateParser.parsePem(encodedCert));
- }
- }
- return new SimpleTrustResolver(certs);
+ }
+
+ public static SimpleTrustResolver fromMetadata(Iterable metadataObjects)
+ throws CertificateException {
+ Set certs = new HashSet<>();
+ for (MetadataObject metadata : metadataObjects) {
+ for (String encodedCert : metadata.getTrustedCertificates()) {
+ certs.add(CertificateParser.parsePem(encodedCert));
+ }
}
-
- public static SimpleTrustResolver fromMetadataJson(String metadataObjectJson) throws IOException, CertificateException {
- return fromMetadata(Collections.singleton(JacksonCodecs.json().readValue(metadataObjectJson, MetadataObject.class)));
- }
-
- @Override
- public Optional resolveTrustAnchor(X509Certificate attestationCertificate, List caCertificateChain) {
- final List certChain = new ArrayList<>();
- certChain.add(attestationCertificate);
- certChain.addAll(caCertificateChain);
-
- X509Certificate lastTriedCert = null;
-
- for (X509Certificate untrustedCert : certChain) {
- if (lastTriedCert != null) {
- logger.trace("No trusted certificate has signed certificate [{}] - trying next element in certificate chain.", lastTriedCert);
-
- try {
- lastTriedCert.verify(untrustedCert.getPublicKey());
- } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException e) {
- logger.error("Failed to verify that certificate [{}] was signed by [{}]", lastTriedCert, untrustedCert, e);
- throw new RuntimeException("Resolve failed", e);
- } catch (SignatureException e) {
- logger.debug("Certificate chain broken - certificate [{}] was not signed by certificate [{}]", lastTriedCert, untrustedCert);
- return Optional.empty();
- }
- }
-
- final String issuer = untrustedCert.getIssuerDN().getName();
- for (X509Certificate trustedCert : trustedCerts.get(issuer)) {
- try {
- untrustedCert.verify(trustedCert.getPublicKey());
- logger.debug("Found signature from trusted certificate [{}]", trustedCert);
- return Optional.of(trustedCert);
- } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException e) {
- logger.error("Resolve failed", e);
- throw new RuntimeException("Resolve failed", e);
- } catch (SignatureException e) {
- // Not signed by the trusted cert
- }
- }
-
- lastTriedCert = untrustedCert;
+ return new SimpleTrustResolver(certs);
+ }
+
+ public static SimpleTrustResolver fromMetadataJson(String metadataObjectJson)
+ throws IOException, CertificateException {
+ return fromMetadata(
+ Collections.singleton(
+ JacksonCodecs.json().readValue(metadataObjectJson, MetadataObject.class)));
+ }
+
+ @Override
+ public Optional resolveTrustAnchor(
+ X509Certificate attestationCertificate, List caCertificateChain) {
+ final List certChain = new ArrayList<>();
+ certChain.add(attestationCertificate);
+ certChain.addAll(caCertificateChain);
+
+ X509Certificate lastTriedCert = null;
+
+ for (X509Certificate untrustedCert : certChain) {
+ if (lastTriedCert != null) {
+ logger.trace(
+ "No trusted certificate has signed certificate [{}] - trying next element in certificate chain.",
+ lastTriedCert);
+
+ try {
+ lastTriedCert.verify(untrustedCert.getPublicKey());
+ } catch (CertificateException
+ | NoSuchAlgorithmException
+ | InvalidKeyException
+ | NoSuchProviderException e) {
+ logger.error(
+ "Failed to verify that certificate [{}] was signed by [{}]",
+ lastTriedCert,
+ untrustedCert,
+ e);
+ throw new RuntimeException("Resolve failed", e);
+ } catch (SignatureException e) {
+ logger.debug(
+ "Certificate chain broken - certificate [{}] was not signed by certificate [{}]",
+ lastTriedCert,
+ untrustedCert);
+ return Optional.empty();
+ }
+ }
+
+ final String issuer = untrustedCert.getIssuerDN().getName();
+ for (X509Certificate trustedCert : trustedCerts.get(issuer)) {
+ try {
+ untrustedCert.verify(trustedCert.getPublicKey());
+ logger.debug("Found signature from trusted certificate [{}]", trustedCert);
+ return Optional.of(trustedCert);
+ } catch (CertificateException
+ | NoSuchAlgorithmException
+ | InvalidKeyException
+ | NoSuchProviderException e) {
+ logger.error("Resolve failed", e);
+ throw new RuntimeException("Resolve failed", e);
+ } catch (SignatureException e) {
+ // Not signed by the trusted cert
}
+ }
- logger.debug("No trusted certificate has signed certificate chain {}", certChain);
- return Optional.empty();
+ lastTriedCert = untrustedCert;
}
+ logger.debug("No trusted certificate has signed certificate chain {}", certChain);
+ return Optional.empty();
+ }
}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/MetadataObjectTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/MetadataObjectTest.java
index bfca8d5dc..445dced2c 100644
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/MetadataObjectTest.java
+++ b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/MetadataObjectTest.java
@@ -24,49 +24,50 @@
package com.yubico.webauthn.attestation;
+import static org.junit.Assert.assertEquals;
+
import com.fasterxml.jackson.databind.ObjectMapper;
import com.yubico.internal.util.JacksonCodecs;
import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-
public class MetadataObjectTest {
- public static final String JSON = "{"
- + "\"identifier\":\"foobar\","
- + "\"version\":1,"
- + "\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},"
- + "\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],"
- + "\"devices\":[{"
- + "\"deviceId\":\"1.3.6.1.4.1.41482.1.2\","
- + "\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\","
- + "\"displayName\":\"YubiKey NEO/NEO-n\","
- + "\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\","
- + "\"selectors\":[{"
- + "\"type\":\"x509Extension\","
- + "\"parameters\":{"
- + "\"key\":\"1.3.6.1.4.1.41482.1.2\""
- + "}"
- + "}]"
- + "}]"
- + "}";
-
- private final ObjectMapper objectMapper = JacksonCodecs.json();
+ public static final String JSON =
+ "{"
+ + "\"identifier\":\"foobar\","
+ + "\"version\":1,"
+ + "\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},"
+ + "\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],"
+ + "\"devices\":[{"
+ + "\"deviceId\":\"1.3.6.1.4.1.41482.1.2\","
+ + "\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\","
+ + "\"displayName\":\"YubiKey NEO/NEO-n\","
+ + "\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\","
+ + "\"selectors\":[{"
+ + "\"type\":\"x509Extension\","
+ + "\"parameters\":{"
+ + "\"key\":\"1.3.6.1.4.1.41482.1.2\""
+ + "}"
+ + "}]"
+ + "}]"
+ + "}";
- @Test
- public void testToAndFromJson() throws Exception {
- MetadataObject metadata = objectMapper.readValue(JSON, MetadataObject.class);
- ObjectMapper objectMapper = new ObjectMapper();
- MetadataObject metadata2 = objectMapper.readValue(objectMapper.writeValueAsString(metadata), MetadataObject.class);
+ private final ObjectMapper objectMapper = JacksonCodecs.json();
- assertEquals("foobar", metadata.getIdentifier());
- assertEquals(1, metadata.getVersion());
- assertEquals(1, metadata.getTrustedCertificates().size());
+ @Test
+ public void testToAndFromJson() throws Exception {
+ MetadataObject metadata = objectMapper.readValue(JSON, MetadataObject.class);
+ ObjectMapper objectMapper = new ObjectMapper();
+ MetadataObject metadata2 =
+ objectMapper.readValue(objectMapper.writeValueAsString(metadata), MetadataObject.class);
- assertEquals("Yubico", metadata.getVendorInfo().get("name"));
- assertEquals("1.3.6.1.4.1.41482.1.2", metadata.getDevices().get(0).get("deviceId").asText());
+ assertEquals("foobar", metadata.getIdentifier());
+ assertEquals(1, metadata.getVersion());
+ assertEquals(1, metadata.getTrustedCertificates().size());
- assertEquals(metadata, metadata2);
- assertEquals(JSON, objectMapper.writeValueAsString(metadata));
- }
+ assertEquals("Yubico", metadata.getVendorInfo().get("name"));
+ assertEquals("1.3.6.1.4.1.41482.1.2", metadata.getDevices().get(0).get("deviceId").asText());
+ assertEquals(metadata, metadata2);
+ assertEquals(JSON, objectMapper.writeValueAsString(metadata));
+ }
}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/StandardMetadataServiceTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/StandardMetadataServiceTest.java
index 6582a848e..df57edccf 100644
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/StandardMetadataServiceTest.java
+++ b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/StandardMetadataServiceTest.java
@@ -24,6 +24,10 @@
package com.yubico.webauthn.attestation;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
import com.google.common.hash.Hashing;
import com.yubico.internal.util.CertificateParser;
import java.security.cert.CertificateException;
@@ -33,75 +37,75 @@
import java.util.Optional;
import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-
public class StandardMetadataServiceTest {
- private static final String ATTESTATION_CERT = "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
- private static final String ATTESTATION_CERT2 = "MIICLzCCARmgAwIBAgIEQvUaTTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDExMjMzNTkzMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQphQ+PJYiZjZEVHtrx5QGE3/LE1+OytZPTwzrpWBKywji/3qmg22mwmVFl32PO269TxY+yVN4jbfVf5uX0EWJWoyYwJDAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNDALBgkqhkiG9w0BAQsDggEBALSc3YwTRbLwXhePj/imdBOhWiqh6ssS2ONgp5tphJCHR5Agjg2VstLBRsJzyJnLgy7bGZ0QbPOyh/J0hsvgBfvjByXOu1AwCW+tcoJ+pfxESojDLDn8hrFph6eWZoCtBsWMDh6vMqPENeP6grEAECWx4fTpBL9Bm7F+0Rp/d1/l66g4IhF/ZvuRFhY+BUK94BfivuBHpEkMwxKENTas7VkxvlVstUvPqhPHGYOq7RdF1D/THsbNY8+tgCTgvTziEG+bfDeY6zIz5h7bxb1rpajNVTpUDWtVYL7/w44e1KCoErqdS+kEbmmkmm7KvDE8kuyg42Fmb5DTMsbY2jxMlMU=";
- private static final String ATTESTATION_CERT_WITH_TRANSPORTS = "MIICIjCCAQygAwIBAgIEIHHwozALBgkqhkiG9w0BAQswDzENMAsGA1UEAxMEdGVzdDAeFw0xNTA4MTEwOTAwMzNaFw0xNjA4MTAwOTAwMzNaMCkxJzAlBgNVBAMTHll1YmljbyBVMkYgRUUgU2VyaWFsIDU0NDMzODA4MzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPdFG1pBjBBQVhLrD39Qg1vKjuR2kRdBZnwLI/zgzztQpf4ffpkrkB/3E0TXj5zg8gN9sgMkX48geBe+tBEpvMmjOzA5MCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS4yMBMGCysGAQQBguUcAgEBBAQDAgQwMAsGCSqGSIb3DQEBCwOCAQEAb3YpnmHHduNuWEXlLqlnww9034ZeZaojhPAYSLR8d5NPk9gc0hkjQKmIaaBM7DsaHbcHMKpXoMGTQSC++NCZTcKvZ0Lt12mp5HRnM1NNBPol8Hte5fLmvW4tQ9EzLl4gkz7LSlORxTuwTbae1eQqNdxdeB+0ilMFCEUc+3NGCNM0RWd+sP5+gzMXBDQAI1Sc9XaPIg8t3du5JChAl1ifpu/uERZ2WQgtxeBDO6z1Xoa5qz4svf5oURjPZjxS0WUKht48Z2rIjk5lZzERSaY3RrX3UtrnZEIzCmInXOrcRPeAD4ZutpiwuHe62ABsjuMRnKbATbOUiLdknNyPYYQz2g==";
-
- @Test
- public void testGetAttestation_x509extension_key() throws Exception {
- StandardMetadataService service = new StandardMetadataService();
+ private static final String ATTESTATION_CERT =
+ "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
+ private static final String ATTESTATION_CERT2 =
+ "MIICLzCCARmgAwIBAgIEQvUaTTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDExMjMzNTkzMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQphQ+PJYiZjZEVHtrx5QGE3/LE1+OytZPTwzrpWBKywji/3qmg22mwmVFl32PO269TxY+yVN4jbfVf5uX0EWJWoyYwJDAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNDALBgkqhkiG9w0BAQsDggEBALSc3YwTRbLwXhePj/imdBOhWiqh6ssS2ONgp5tphJCHR5Agjg2VstLBRsJzyJnLgy7bGZ0QbPOyh/J0hsvgBfvjByXOu1AwCW+tcoJ+pfxESojDLDn8hrFph6eWZoCtBsWMDh6vMqPENeP6grEAECWx4fTpBL9Bm7F+0Rp/d1/l66g4IhF/ZvuRFhY+BUK94BfivuBHpEkMwxKENTas7VkxvlVstUvPqhPHGYOq7RdF1D/THsbNY8+tgCTgvTziEG+bfDeY6zIz5h7bxb1rpajNVTpUDWtVYL7/w44e1KCoErqdS+kEbmmkmm7KvDE8kuyg42Fmb5DTMsbY2jxMlMU=";
+ private static final String ATTESTATION_CERT_WITH_TRANSPORTS =
+ "MIICIjCCAQygAwIBAgIEIHHwozALBgkqhkiG9w0BAQswDzENMAsGA1UEAxMEdGVzdDAeFw0xNTA4MTEwOTAwMzNaFw0xNjA4MTAwOTAwMzNaMCkxJzAlBgNVBAMTHll1YmljbyBVMkYgRUUgU2VyaWFsIDU0NDMzODA4MzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPdFG1pBjBBQVhLrD39Qg1vKjuR2kRdBZnwLI/zgzztQpf4ffpkrkB/3E0TXj5zg8gN9sgMkX48geBe+tBEpvMmjOzA5MCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS4yMBMGCysGAQQBguUcAgEBBAQDAgQwMAsGCSqGSIb3DQEBCwOCAQEAb3YpnmHHduNuWEXlLqlnww9034ZeZaojhPAYSLR8d5NPk9gc0hkjQKmIaaBM7DsaHbcHMKpXoMGTQSC++NCZTcKvZ0Lt12mp5HRnM1NNBPol8Hte5fLmvW4tQ9EzLl4gkz7LSlORxTuwTbae1eQqNdxdeB+0ilMFCEUc+3NGCNM0RWd+sP5+gzMXBDQAI1Sc9XaPIg8t3du5JChAl1ifpu/uERZ2WQgtxeBDO6z1Xoa5qz4svf5oURjPZjxS0WUKht48Z2rIjk5lZzERSaY3RrX3UtrnZEIzCmInXOrcRPeAD4ZutpiwuHe62ABsjuMRnKbATbOUiLdknNyPYYQz2g==";
- X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT);
- Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
+ @Test
+ public void testGetAttestation_x509extension_key() throws Exception {
+ StandardMetadataService service = new StandardMetadataService();
- assertTrue(attestation.isTrusted());
- assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
- assertEquals("1.3.6.1.4.1.41482.1.2", attestation.getDeviceProperties().get().get("deviceId"));
- }
+ X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT);
+ Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
- @Test
- public void testGetAttestation_x509extension_key_value() throws Exception {
- StandardMetadataService service = new StandardMetadataService();
+ assertTrue(attestation.isTrusted());
+ assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
+ assertEquals("1.3.6.1.4.1.41482.1.2", attestation.getDeviceProperties().get().get("deviceId"));
+ }
- X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT2);
- Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
+ @Test
+ public void testGetAttestation_x509extension_key_value() throws Exception {
+ StandardMetadataService service = new StandardMetadataService();
- assertTrue(attestation.isTrusted());
- assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
- assertEquals("1.3.6.1.4.1.41482.1.4", attestation.getDeviceProperties().get().get("deviceId"));
- }
+ X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT2);
+ Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
- @Test
- public void testGetTransportsFromCertificate() throws CertificateException {
- StandardMetadataService service = new StandardMetadataService();
+ assertTrue(attestation.isTrusted());
+ assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
+ assertEquals("1.3.6.1.4.1.41482.1.4", attestation.getDeviceProperties().get().get("deviceId"));
+ }
- X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT_WITH_TRANSPORTS);
- Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
+ @Test
+ public void testGetTransportsFromCertificate() throws CertificateException {
+ StandardMetadataService service = new StandardMetadataService();
- assertEquals(Optional.of(EnumSet.of(Transport.USB, Transport.NFC)), attestation.getTransports());
- }
+ X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT_WITH_TRANSPORTS);
+ Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
- @Test
- public void testGetTransportsFromMetadata() throws CertificateException {
- StandardMetadataService service = new StandardMetadataService();
+ assertEquals(
+ Optional.of(EnumSet.of(Transport.USB, Transport.NFC)), attestation.getTransports());
+ }
- X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT2);
- Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
+ @Test
+ public void testGetTransportsFromMetadata() throws CertificateException {
+ StandardMetadataService service = new StandardMetadataService();
- assertEquals(Optional.of(EnumSet.of(Transport.USB)), attestation.getTransports());
- }
+ X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT2);
+ Attestation attestation = service.getAttestation(Collections.singletonList(attestationCert));
- @Test
- public void getCachedAttestationReturnsCertIfPresent() throws Exception {
- StandardMetadataService service = new StandardMetadataService();
+ assertEquals(Optional.of(EnumSet.of(Transport.USB)), attestation.getTransports());
+ }
- final X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT);
- final String certFingerprint = Hashing.sha1().hashBytes(attestationCert.getEncoded()).toString();
+ @Test
+ public void getCachedAttestationReturnsCertIfPresent() throws Exception {
+ StandardMetadataService service = new StandardMetadataService();
- assertNull(service.getCachedAttestation(certFingerprint));
+ final X509Certificate attestationCert = CertificateParser.parsePem(ATTESTATION_CERT);
+ final String certFingerprint =
+ Hashing.sha1().hashBytes(attestationCert.getEncoded()).toString();
- service.getAttestation(Collections.singletonList(attestationCert));
+ assertNull(service.getCachedAttestation(certFingerprint));
- Attestation attestation = service.getCachedAttestation(certFingerprint);
+ service.getAttestation(Collections.singletonList(attestationCert));
- assertTrue(attestation.isTrusted());
- assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
- assertEquals("1.3.6.1.4.1.41482.1.2", attestation.getDeviceProperties().get().get("deviceId"));
- }
+ Attestation attestation = service.getCachedAttestation(certFingerprint);
+ assertTrue(attestation.isTrusted());
+ assertEquals("Yubico", attestation.getVendorProperties().get().get("name"));
+ assertEquals("1.3.6.1.4.1.41482.1.2", attestation.getDeviceProperties().get().get("deviceId"));
+ }
}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcherTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcherTest.java
index abfe9be42..3e9fea7cf 100644
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcherTest.java
+++ b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcherTest.java
@@ -24,6 +24,11 @@
package com.yubico.webauthn.attestation.matcher;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.BooleanNode;
@@ -35,50 +40,45 @@
import java.security.cert.X509Certificate;
import org.junit.Test;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
public class FingerprintMatcherTest {
- private static final String ATTESTATION_CERT = "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
-
- @Test
- public void matchesIsFalseForNonArrayFingerprints() {
- JsonNode parameters = mock(JsonNode.class);
- when(parameters.get("fingerprints")).thenReturn(BooleanNode.TRUE);
+ private static final String ATTESTATION_CERT =
+ "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
- assertFalse(new FingerprintMatcher().matches(mock(X509Certificate.class), parameters));
- }
+ @Test
+ public void matchesIsFalseForNonArrayFingerprints() {
+ JsonNode parameters = mock(JsonNode.class);
+ when(parameters.get("fingerprints")).thenReturn(BooleanNode.TRUE);
- @Test
- public void matchesIsFalseIfNoFingerprintMatches() throws CertificateException {
- final X509Certificate cert = CertificateParser.parsePem(ATTESTATION_CERT);
+ assertFalse(new FingerprintMatcher().matches(mock(X509Certificate.class), parameters));
+ }
- ArrayNode fingerprints = new ArrayNode(JsonNodeFactory.instance);
- fingerprints.add(new TextNode("foo"));
- fingerprints.add(new TextNode("bar"));
+ @Test
+ public void matchesIsFalseIfNoFingerprintMatches() throws CertificateException {
+ final X509Certificate cert = CertificateParser.parsePem(ATTESTATION_CERT);
- JsonNode parameters = mock(JsonNode.class);
- when(parameters.get("fingerprints")).thenReturn(fingerprints);
+ ArrayNode fingerprints = new ArrayNode(JsonNodeFactory.instance);
+ fingerprints.add(new TextNode("foo"));
+ fingerprints.add(new TextNode("bar"));
- assertFalse(new FingerprintMatcher().matches(cert, parameters));
- }
+ JsonNode parameters = mock(JsonNode.class);
+ when(parameters.get("fingerprints")).thenReturn(fingerprints);
- @Test
- public void matchesIsTrueIfSomeFingerprintMatches() throws CertificateException {
- final X509Certificate cert = CertificateParser.parsePem(ATTESTATION_CERT);
- final String fingerprint = Hashing.sha1().hashBytes(cert.getEncoded()).toString().toLowerCase();
+ assertFalse(new FingerprintMatcher().matches(cert, parameters));
+ }
- ArrayNode fingerprints = new ArrayNode(JsonNodeFactory.instance);
- fingerprints.add(new TextNode("foo"));
- fingerprints.add(new TextNode(fingerprint));
+ @Test
+ public void matchesIsTrueIfSomeFingerprintMatches() throws CertificateException {
+ final X509Certificate cert = CertificateParser.parsePem(ATTESTATION_CERT);
+ final String fingerprint = Hashing.sha1().hashBytes(cert.getEncoded()).toString().toLowerCase();
- JsonNode parameters = mock(JsonNode.class);
- when(parameters.get("fingerprints")).thenReturn(fingerprints);
+ ArrayNode fingerprints = new ArrayNode(JsonNodeFactory.instance);
+ fingerprints.add(new TextNode("foo"));
+ fingerprints.add(new TextNode(fingerprint));
- assertTrue(new FingerprintMatcher().matches(cert, parameters));
- }
+ JsonNode parameters = mock(JsonNode.class);
+ when(parameters.get("fingerprints")).thenReturn(fingerprints);
+ assertTrue(new FingerprintMatcher().matches(cert, parameters));
+ }
}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolverTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolverTest.java
index 8cfa27db9..8f74df544 100644
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolverTest.java
+++ b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolverTest.java
@@ -24,6 +24,9 @@
package com.yubico.webauthn.attestation.resolver;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
import com.yubico.internal.util.CertificateParser;
import com.yubico.internal.util.JacksonCodecs;
import com.yubico.webauthn.attestation.Attestation;
@@ -35,45 +38,43 @@
import java.util.Optional;
import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-
-
public class SimpleAttestationResolverTest {
- private static final String METADATA_JSON = "{\"identifier\":\"foobar\",\"version\":1,\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},\"devices\":[{\"displayName\":\"YubiKey NEO/NEO-n\",\"deviceId\":\"1.3.6.1.4.1.41482.1.2\",\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\",\"selectors\":[{\"type\":\"x509Extension\",\"parameters\":{\"key\":\"1.3.6.1.4.1.41482.1.2\"}}]}] }";
- private static final String ATTESTATION_CERT = "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
+ private static final String METADATA_JSON =
+ "{\"identifier\":\"foobar\",\"version\":1,\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},\"devices\":[{\"displayName\":\"YubiKey NEO/NEO-n\",\"deviceId\":\"1.3.6.1.4.1.41482.1.2\",\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\",\"selectors\":[{\"type\":\"x509Extension\",\"parameters\":{\"key\":\"1.3.6.1.4.1.41482.1.2\"}}]}] }";
+ private static final String ATTESTATION_CERT =
+ "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
- private final MetadataObject metadata = JacksonCodecs.json().readValue(METADATA_JSON, MetadataObject.class);
- private final X509Certificate attestationCertificate = CertificateParser.parseDer(ATTESTATION_CERT);
+ private final MetadataObject metadata =
+ JacksonCodecs.json().readValue(METADATA_JSON, MetadataObject.class);
+ private final X509Certificate attestationCertificate =
+ CertificateParser.parseDer(ATTESTATION_CERT);
- public SimpleAttestationResolverTest() throws IOException, CertificateException {
- }
+ public SimpleAttestationResolverTest() throws IOException, CertificateException {}
- private static SimpleAttestationResolver createAttestationResolver(MetadataObject metadata) throws CertificateException {
- return new SimpleAttestationResolver(
- Collections.singleton(metadata),
- SimpleTrustResolver.fromMetadata(Collections.singleton(metadata))
- );
- }
+ private static SimpleAttestationResolver createAttestationResolver(MetadataObject metadata)
+ throws CertificateException {
+ return new SimpleAttestationResolver(
+ Collections.singleton(metadata),
+ SimpleTrustResolver.fromMetadata(Collections.singleton(metadata)));
+ }
- @Test
- public void testResolve() throws Exception {
- final SimpleAttestationResolver resolver = createAttestationResolver(metadata);
- Attestation metadata = resolver.resolve(attestationCertificate).orElse(null);
+ @Test
+ public void testResolve() throws Exception {
+ final SimpleAttestationResolver resolver = createAttestationResolver(metadata);
+ Attestation metadata = resolver.resolve(attestationCertificate).orElse(null);
- assertNotNull(metadata);
- assertEquals("foobar", metadata.getMetadataIdentifier().get());
- }
+ assertNotNull(metadata);
+ assertEquals("foobar", metadata.getMetadataIdentifier().get());
+ }
- @Test
- public void resolveReturnsEmptyOnUntrustedSignature() throws Exception {
- final SimpleAttestationResolver resolver = new SimpleAttestationResolver(
+ @Test
+ public void resolveReturnsEmptyOnUntrustedSignature() throws Exception {
+ final SimpleAttestationResolver resolver =
+ new SimpleAttestationResolver(
Collections.singletonList(metadata),
- SimpleTrustResolver.fromMetadata(Collections.emptyList())
- );
-
- assertEquals(Optional.empty(), resolver.resolve(attestationCertificate));
- }
+ SimpleTrustResolver.fromMetadata(Collections.emptyList()));
+ assertEquals(Optional.empty(), resolver.resolve(attestationCertificate));
+ }
}
diff --git a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolverTest.java b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolverTest.java
index f84119ed6..e2e4570ad 100644
--- a/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolverTest.java
+++ b/webauthn-server-attestation/src/test/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolverTest.java
@@ -24,6 +24,12 @@
package com.yubico.webauthn.attestation.resolver;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
import com.yubico.internal.util.CertificateParser;
import java.io.IOException;
import java.security.InvalidKeyException;
@@ -37,71 +43,66 @@
import org.junit.Test;
import org.mockito.ArgumentMatchers;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.doThrow;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
public class SimpleTrustResolverTest {
- private static final String METADATA_JSON = "{\"identifier\":\"foobar\",\"version\":1,\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},\"devices\":[{\"displayName\":\"YubiKey NEO/NEO-n\",\"deviceId\":\"1.3.6.1.4.1.41482.1.2\",\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\",\"selectors\":[{\"type\":\"x509Extension\",\"parameters\":{\"key\":\"1.3.6.1.4.1.41482.1.2\"}}]}] }";
- private static final String ATTESTATION_CERT = "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
-
- private final SimpleTrustResolver resolver = SimpleTrustResolver.fromMetadataJson(METADATA_JSON);
-
- public SimpleTrustResolverTest() throws IOException, CertificateException {
- }
-
- @Test
- public void testResolve() throws Exception {
- X509Certificate certificate = CertificateParser.parseDer(ATTESTATION_CERT);
-
- Optional trustAnchor = resolver.resolveTrustAnchor(certificate);
-
- assertTrue(trustAnchor.isPresent());
- assertEquals("CN=Yubico U2F Root CA Serial 457200631", trustAnchor.get().getSubjectDN().getName());
- }
-
- @Test
- public void resolveReturnsEmptyOnUntrustedSignature() throws Exception {
- X509Certificate cert = mock(X509Certificate.class);
- doThrow(new SignatureException("Forced failure")).when(cert).verify(ArgumentMatchers.any());
- Principal issuerDN = mock(Principal.class);
- when(issuerDN.getName()).thenReturn("CN=Yubico U2F Root CA Serial 457200631");
- when(cert.getIssuerDN()).thenReturn(issuerDN);
-
- assertEquals(Optional.empty(), resolver.resolveTrustAnchor(cert));
- }
-
- private void resolveThrowsExceptionOnUnexpectedError(Exception thrownException) throws Exception {
- X509Certificate cert = mock(X509Certificate.class);
- doThrow(thrownException).when(cert).verify(ArgumentMatchers.any());
- Principal issuerDN = mock(Principal.class);
- when(issuerDN.getName()).thenReturn("CN=Yubico U2F Root CA Serial 457200631");
- when(cert.getIssuerDN()).thenReturn(issuerDN);
-
- resolver.resolveTrustAnchor(cert);
- }
-
- @Test(expected = RuntimeException.class)
- public void resolveThrowsExceptionOnCertificateException() throws Exception {
- resolveThrowsExceptionOnUnexpectedError(new CertificateException("Forced failure"));
- }
-
- @Test(expected = RuntimeException.class)
- public void resolveThrowsExceptionOnNoSuchAlgorithmException() throws Exception {
- resolveThrowsExceptionOnUnexpectedError(new NoSuchAlgorithmException("Forced failure"));
- }
-
- @Test(expected = RuntimeException.class)
- public void resolveThrowsExceptionOnInvalidKeyException() throws Exception {
- resolveThrowsExceptionOnUnexpectedError(new InvalidKeyException("Forced failure"));
- }
-
- @Test(expected = RuntimeException.class)
- public void resolveThrowsExceptionOnNoSuchProviderException() throws Exception {
- resolveThrowsExceptionOnUnexpectedError(new NoSuchProviderException("Forced failure"));
- }
-
+ private static final String METADATA_JSON =
+ "{\"identifier\":\"foobar\",\"version\":1,\"trustedCertificates\":[\"-----BEGIN CERTIFICATE-----\\nMIIDHjCCAgagAwIBAgIEG1BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\\nMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290\\nIENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\nAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk\\n5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep\\n8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw\\nnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT\\n9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw\\nLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ\\nhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN\\nBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4\\nMYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt\\nhX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k\\nLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U\\nsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc\\nU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==\\n-----END CERTIFICATE-----\"],\"vendorInfo\":{\"name\":\"Yubico\",\"url\":\"https://yubico.com\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/yubico.png\"},\"devices\":[{\"displayName\":\"YubiKey NEO/NEO-n\",\"deviceId\":\"1.3.6.1.4.1.41482.1.2\",\"deviceUrl\":\"https://www.yubico.com/products/yubikey-hardware/yubikey-neo/\",\"imageUrl\":\"https://developers.yubico.com/U2F/Images/NEO.png\",\"selectors\":[{\"type\":\"x509Extension\",\"parameters\":{\"key\":\"1.3.6.1.4.1.41482.1.2\"}}]}] }";
+ private static final String ATTESTATION_CERT =
+ "MIICGzCCAQWgAwIBAgIEdaP2dTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2VyaWFsIDE5NzM2Nzk3MzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZo35Damtpl81YdmcbhEuXKAr7xDcQzAy5n3ftAAhtBbu8EeGU4ynfSgLonckqX6J2uXLBppTNE3v2bt+Yf8MLoxIwEDAOBgorBgEEAYLECgECBAAwCwYJKoZIhvcNAQELA4IBAQG9LbiNPgs0sQYOHAJcg+lMk+HCsiWRlYVnbT4I/5lnqU907vY17XYAORd432bU3Nnhsbkvjz76kQJGXeNAF4DPANGGlz8JU+LNEVE2PWPGgEM0GXgB7mZN5Sinfy1AoOdO+3c3bfdJQuXlUxHbo+nDpxxKpzq9gr++RbokF1+0JBkMbaA/qLYL4WdhY5NvaOyMvYpO3sBxlzn6FcP67hlotGH1wU7qhCeh+uur7zDeAWVh7c4QtJOXHkLJQfV3Z7ZMvhkIA6jZJAX99hisABU/SSa5DtgX7AfsHwa04h69AAAWDUzSk3HgOXbUd1FaSOPdlVFkG2N2JllFHykyO3zO";
+
+ private final SimpleTrustResolver resolver = SimpleTrustResolver.fromMetadataJson(METADATA_JSON);
+
+ public SimpleTrustResolverTest() throws IOException, CertificateException {}
+
+ @Test
+ public void testResolve() throws Exception {
+ X509Certificate certificate = CertificateParser.parseDer(ATTESTATION_CERT);
+
+ Optional trustAnchor = resolver.resolveTrustAnchor(certificate);
+
+ assertTrue(trustAnchor.isPresent());
+ assertEquals(
+ "CN=Yubico U2F Root CA Serial 457200631", trustAnchor.get().getSubjectDN().getName());
+ }
+
+ @Test
+ public void resolveReturnsEmptyOnUntrustedSignature() throws Exception {
+ X509Certificate cert = mock(X509Certificate.class);
+ doThrow(new SignatureException("Forced failure")).when(cert).verify(ArgumentMatchers.any());
+ Principal issuerDN = mock(Principal.class);
+ when(issuerDN.getName()).thenReturn("CN=Yubico U2F Root CA Serial 457200631");
+ when(cert.getIssuerDN()).thenReturn(issuerDN);
+
+ assertEquals(Optional.empty(), resolver.resolveTrustAnchor(cert));
+ }
+
+ private void resolveThrowsExceptionOnUnexpectedError(Exception thrownException) throws Exception {
+ X509Certificate cert = mock(X509Certificate.class);
+ doThrow(thrownException).when(cert).verify(ArgumentMatchers.any());
+ Principal issuerDN = mock(Principal.class);
+ when(issuerDN.getName()).thenReturn("CN=Yubico U2F Root CA Serial 457200631");
+ when(cert.getIssuerDN()).thenReturn(issuerDN);
+
+ resolver.resolveTrustAnchor(cert);
+ }
+
+ @Test(expected = RuntimeException.class)
+ public void resolveThrowsExceptionOnCertificateException() throws Exception {
+ resolveThrowsExceptionOnUnexpectedError(new CertificateException("Forced failure"));
+ }
+
+ @Test(expected = RuntimeException.class)
+ public void resolveThrowsExceptionOnNoSuchAlgorithmException() throws Exception {
+ resolveThrowsExceptionOnUnexpectedError(new NoSuchAlgorithmException("Forced failure"));
+ }
+
+ @Test(expected = RuntimeException.class)
+ public void resolveThrowsExceptionOnInvalidKeyException() throws Exception {
+ resolveThrowsExceptionOnUnexpectedError(new InvalidKeyException("Forced failure"));
+ }
+
+ @Test(expected = RuntimeException.class)
+ public void resolveThrowsExceptionOnNoSuchProviderException() throws Exception {
+ resolveThrowsExceptionOnUnexpectedError(new NoSuchProviderException("Forced failure"));
+ }
}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
index 1e06cd6b6..acaa74e8f 100644
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala
@@ -24,65 +24,89 @@
package com.yubico.webauthn.attestation
-import java.util.Collections
-
import com.yubico.internal.util.CertificateParser
import com.yubico.internal.util.JacksonCodecs
-import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver
-import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
-import com.yubico.webauthn.test.RealExamples
import com.yubico.webauthn.FinishRegistrationOptions
import com.yubico.webauthn.RelyingParty
import com.yubico.webauthn.attestation.Transport.LIGHTNING
import com.yubico.webauthn.attestation.Transport.NFC
import com.yubico.webauthn.attestation.Transport.USB
+import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver
+import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions
import com.yubico.webauthn.data.PublicKeyCredentialParameters
import com.yubico.webauthn.test.Helpers
+import com.yubico.webauthn.test.RealExamples
import org.junit.runner.RunWith
import org.scalatest.FunSpec
import org.scalatest.Matchers
import org.scalatestplus.junit.JUnitRunner
+import java.util.Collections
import scala.jdk.CollectionConverters._
-
@RunWith(classOf[JUnitRunner])
class DeviceIdentificationSpec extends FunSpec with Matchers {
def metadataService(metadataJson: String): StandardMetadataService = {
- val metadata = Collections.singleton(JacksonCodecs.json().readValue(metadataJson, classOf[MetadataObject]))
+ val metadata = Collections.singleton(
+ JacksonCodecs.json().readValue(metadataJson, classOf[MetadataObject])
+ )
new StandardMetadataService(
- new SimpleAttestationResolver(metadata, SimpleTrustResolver.fromMetadata(metadata))
+ new SimpleAttestationResolver(
+ metadata,
+ SimpleTrustResolver.fromMetadata(metadata),
+ )
)
}
describe("A RelyingParty with the default StandardMetadataService") {
describe("correctly identifies") {
- def check(expectedName: String, testData: RealExamples.Example, transports: Set[Transport]): Unit = {
- val rp = RelyingParty.builder()
+ def check(
+ expectedName: String,
+ testData: RealExamples.Example,
+ transports: Set[Transport],
+ ): Unit = {
+ val rp = RelyingParty
+ .builder()
.identity(testData.rp)
.credentialRepository(Helpers.CredentialRepository.empty)
.metadataService(new StandardMetadataService())
.build()
- val result = rp.finishRegistration(FinishRegistrationOptions.builder()
- .request(PublicKeyCredentialCreationOptions.builder()
- .rp(testData.rp)
- .user(testData.user)
- .challenge(testData.attestation.challenge)
- .pubKeyCredParams(List(PublicKeyCredentialParameters.ES256).asJava)
- .build())
- .response(testData.attestation.credential)
- .build());
+ val result = rp.finishRegistration(
+ FinishRegistrationOptions
+ .builder()
+ .request(
+ PublicKeyCredentialCreationOptions
+ .builder()
+ .rp(testData.rp)
+ .user(testData.user)
+ .challenge(testData.attestation.challenge)
+ .pubKeyCredParams(
+ List(PublicKeyCredentialParameters.ES256).asJava
+ )
+ .build()
+ )
+ .response(testData.attestation.credential)
+ .build()
+ );
- result.isAttestationTrusted should be (true)
- result.getAttestationMetadata.isPresent should be (true)
- result.getAttestationMetadata.get.getDeviceProperties.isPresent should be (true)
- result.getAttestationMetadata.get.getDeviceProperties.get().get("displayName") should equal (expectedName)
- result.getAttestationMetadata.get.getTransports.isPresent should be (true)
- result.getAttestationMetadata.get.getTransports.get.asScala should equal (transports)
+ result.isAttestationTrusted should be(true)
+ result.getAttestationMetadata.isPresent should be(true)
+ result.getAttestationMetadata.get.getDeviceProperties.isPresent should be(
+ true
+ )
+ result.getAttestationMetadata.get.getDeviceProperties
+ .get()
+ .get("displayName") should equal(expectedName)
+ result.getAttestationMetadata.get.getTransports.isPresent should be(
+ true
+ )
+ result.getAttestationMetadata.get.getTransports.get.asScala should equal(
+ transports
+ )
}
it("a YubiKey NEO.") {
@@ -98,7 +122,11 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
check("YubiKey 5 NFC", RealExamples.YubiKey5Nfc, Set(USB, NFC))
}
it("a newer YubiKey 5 NFC.") {
- check("YubiKey 5/5C NFC", RealExamples.YubiKey5NfcPost5cNfc, Set(USB, NFC))
+ check(
+ "YubiKey 5/5C NFC",
+ RealExamples.YubiKey5NfcPost5cNfc,
+ Set(USB, NFC),
+ )
}
it("a YubiKey 5C NFC.") {
check("YubiKey 5/5C NFC", RealExamples.YubiKey5cNfc, Set(USB, NFC))
@@ -116,21 +144,78 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
}
it("a Security Key NFC by Yubico.") {
- check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc, Set(USB, NFC))
+ check(
+ "Security Key NFC by Yubico",
+ RealExamples.SecurityKeyNfc,
+ Set(USB, NFC),
+ )
+ }
+ }
+
+ describe("fails to identify") {
+ def check(testData: RealExamples.Example): Unit = {
+ val rp = RelyingParty
+ .builder()
+ .identity(testData.rp)
+ .credentialRepository(Helpers.CredentialRepository.empty)
+ .metadataService(new StandardMetadataService())
+ .build()
+
+ val result = rp.finishRegistration(
+ FinishRegistrationOptions
+ .builder()
+ .request(
+ PublicKeyCredentialCreationOptions
+ .builder()
+ .rp(testData.rp)
+ .user(testData.user)
+ .challenge(testData.attestation.challenge)
+ .pubKeyCredParams(
+ List(PublicKeyCredentialParameters.ES256).asJava
+ )
+ .build()
+ )
+ .response(testData.attestation.credential)
+ .build()
+ );
+
+ result.isAttestationTrusted should be(false)
+ result.getAttestationMetadata.isPresent should be(true)
+ result.getAttestationMetadata.get.getDeviceProperties.isPresent should be(
+ false
+ )
+ result.getAttestationMetadata.get.getVendorProperties.isPresent should be(
+ false
+ )
+ result.getAttestationMetadata.get.getTransports.isPresent should be(
+ false
+ )
+ }
+
+ it("an Apple iOS device.") {
+ check(RealExamples.AppleAttestationIos)
}
}
}
describe("The default AttestationResolver") {
describe("successfully identifies") {
- def check(expectedName: String, testData: RealExamples.Example, transports: Set[Transport]): Unit = {
+ def check(
+ expectedName: String,
+ testData: RealExamples.Example,
+ transports: Set[Transport],
+ ): Unit = {
val cert = CertificateParser.parseDer(testData.attestationCert.getBytes)
- val resolved = StandardMetadataService.createDefaultAttestationResolver().resolve(cert)
- resolved.isPresent should be (true)
- resolved.get.getDeviceProperties.isPresent should be (true)
- resolved.get.getDeviceProperties.get.get("displayName") should equal (expectedName)
- resolved.get.getTransports.isPresent should be (true)
- resolved.get.getTransports.get.asScala should equal (transports)
+ val resolved = StandardMetadataService
+ .createDefaultAttestationResolver()
+ .resolve(cert)
+ resolved.isPresent should be(true)
+ resolved.get.getDeviceProperties.isPresent should be(true)
+ resolved.get.getDeviceProperties.get.get("displayName") should equal(
+ expectedName
+ )
+ resolved.get.getTransports.isPresent should be(true)
+ resolved.get.getTransports.get.asScala should equal(transports)
}
it("a YubiKey NEO.") {
@@ -146,7 +231,11 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
check("YubiKey 5 NFC", RealExamples.YubiKey5Nfc, Set(USB, NFC))
}
it("a newer YubiKey 5 NFC.") {
- check("YubiKey 5/5C NFC", RealExamples.YubiKey5NfcPost5cNfc, Set(USB, NFC))
+ check(
+ "YubiKey 5/5C NFC",
+ RealExamples.YubiKey5NfcPost5cNfc,
+ Set(USB, NFC),
+ )
}
it("a YubiKey 5C NFC.") {
check("YubiKey 5/5C NFC", RealExamples.YubiKey5cNfc, Set(USB, NFC))
@@ -164,7 +253,141 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
check("Security Key by Yubico", RealExamples.SecurityKey2, Set(USB))
}
it("a Security Key NFC by Yubico.") {
- check("Security Key NFC by Yubico", RealExamples.SecurityKeyNfc, Set(USB, NFC))
+ check(
+ "Security Key NFC by Yubico",
+ RealExamples.SecurityKeyNfc,
+ Set(USB, NFC),
+ )
+ }
+ }
+ }
+
+ describe(
+ "A StandardMetadataService configured with an Apple root certificate"
+ ) {
+ // Apple WebAuthn Root CA cert downloaded from https://www.apple.com/certificateauthority/private/ on 2021-04-12
+ // https://www.apple.com/certificateauthority/Apple_WebAuthn_Root_CA.pem
+ val mds = metadataService("""{
+ | "identifier": "98cf2729-e2b9-4633-8b6a-b295cda99ccf",
+ | "version": 1,
+ | "vendorInfo": {
+ | "name": "Apple Inc. (Metadata file by Yubico)"
+ | },
+ | "trustedCertificates": [
+ | "-----BEGIN CERTIFICATE-----\nMIICEjCCAZmgAwIBAgIQaB0BbHo84wIlpQGUKEdXcTAKBggqhkjOPQQDAzBLMR8w\nHQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJ\nbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MjEzMloXDTQ1MDMx\nNTAwMDAwMFowSzEfMB0GA1UEAwwWQXBwbGUgV2ViQXV0aG4gUm9vdCBDQTETMBEG\nA1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTB2MBAGByqGSM49\nAgEGBSuBBAAiA2IABCJCQ2pTVhzjl4Wo6IhHtMSAzO2cv+H9DQKev3//fG59G11k\nxu9eI0/7o6V5uShBpe1u6l6mS19S1FEh6yGljnZAJ+2GNP1mi/YK2kSXIuTHjxA/\npcoRf7XkOtO4o1qlcaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJtdk\n2cV4wlpn0afeaxLQG2PxxtcwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA\nMGQCMFrZ+9DsJ1PW9hfNdBywZDsWDbWFp28it1d/5w2RPkRX3Bbn/UbDTNLx7Jr3\njAGGiQIwHFj+dJZYUJR786osByBelJYsVZd2GbHQu209b5RCmGQ21gpSAk9QZW4B\n1bWeT0vT\n-----END CERTIFICATE-----"
+ | ],
+ | "devices": [
+ | {
+ | "displayName": "Apple device",
+ | "selectors": [
+ | {
+ | "type": "x509Extension",
+ | "parameters": {
+ | "key": "1.2.840.113635.100.8.2"
+ | }
+ | }
+ | ]
+ | }
+ | ]
+ |}""".stripMargin)
+
+ describe("successfully identifies") {
+ def check(
+ expectedName: String,
+ testData: RealExamples.Example,
+ ): Unit = {
+ val rp = RelyingParty
+ .builder()
+ .identity(testData.rp)
+ .credentialRepository(Helpers.CredentialRepository.empty)
+ .metadataService(mds)
+ .build()
+
+ val result = rp.finishRegistration(
+ FinishRegistrationOptions
+ .builder()
+ .request(
+ PublicKeyCredentialCreationOptions
+ .builder()
+ .rp(testData.rp)
+ .user(testData.user)
+ .challenge(testData.attestation.challenge)
+ .pubKeyCredParams(
+ List(PublicKeyCredentialParameters.ES256).asJava
+ )
+ .build()
+ )
+ .response(testData.attestation.credential)
+ .build()
+ )
+
+ result.isAttestationTrusted should be(true)
+ result.getAttestationMetadata.isPresent should be(true)
+ result.getAttestationMetadata.get.getDeviceProperties.isPresent should be(
+ true
+ )
+ result.getAttestationMetadata.get.getDeviceProperties
+ .get()
+ .get("displayName") should equal(expectedName)
+ result.getAttestationMetadata.get.getTransports.isPresent should be(
+ false
+ )
+ }
+
+ it("an Apple iOS device.") {
+ check(
+ "Apple device",
+ RealExamples.AppleAttestationIos,
+ )
+ }
+
+ it("an Apple MacOS device.") {
+ check(
+ "Apple device",
+ RealExamples.AppleAttestationMacos,
+ )
+ }
+ }
+
+ describe("fails to identify") {
+ def check(testData: RealExamples.Example): Unit = {
+ val rp = RelyingParty
+ .builder()
+ .identity(testData.rp)
+ .credentialRepository(Helpers.CredentialRepository.empty)
+ .metadataService(mds)
+ .build()
+
+ val result = rp.finishRegistration(
+ FinishRegistrationOptions
+ .builder()
+ .request(
+ PublicKeyCredentialCreationOptions
+ .builder()
+ .rp(testData.rp)
+ .user(testData.user)
+ .challenge(testData.attestation.challenge)
+ .pubKeyCredParams(
+ List(PublicKeyCredentialParameters.ES256).asJava
+ )
+ .build()
+ )
+ .response(testData.attestation.credential)
+ .build()
+ )
+
+ result.isAttestationTrusted should be(false)
+ result.getAttestationMetadata.isPresent should be(true)
+ result.getAttestationMetadata.get.getVendorProperties.isPresent should be(
+ false
+ )
+ result.getAttestationMetadata.get.getDeviceProperties.isPresent should be(
+ false
+ )
+ }
+
+ it("a YubiKey 5 NFC.") {
+ check(RealExamples.YubiKey5)
}
}
}
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/StandardMetadataServiceSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/StandardMetadataServiceSpec.scala
index c1d362627..c47ae6a75 100644
--- a/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/StandardMetadataServiceSpec.scala
+++ b/webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/StandardMetadataServiceSpec.scala
@@ -24,13 +24,9 @@
package com.yubico.webauthn.attestation
-import java.security.cert.X509Certificate
-import java.util.Base64
-import java.util.Collections
-
import com.fasterxml.jackson.databind.node.JsonNodeFactory
-import com.yubico.internal.util.scala.JavaConverters._
import com.yubico.internal.util.JacksonCodecs
+import com.yubico.internal.util.scala.JavaConverters._
import com.yubico.webauthn.TestAuthenticator
import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver
import com.yubico.webauthn.attestation.resolver.SimpleTrustResolver
@@ -42,9 +38,11 @@ import org.scalatest.FunSpec
import org.scalatest.Matchers
import org.scalatestplus.junit.JUnitRunner
+import java.security.cert.X509Certificate
+import java.util.Base64
+import java.util.Collections
import scala.jdk.CollectionConverters._
-
@RunWith(classOf[JUnitRunner])
class StandardMetadataServiceSpec extends FunSpec with Matchers {
@@ -56,17 +54,27 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
private val ooidB = "1.3.6.1.4.1.41482.1.2"
def metadataService(metadataJson: String): StandardMetadataService = {
- val metadata = Collections.singleton(JacksonCodecs.json().readValue(metadataJson, classOf[MetadataObject]))
+ val metadata = Collections.singleton(
+ JacksonCodecs.json().readValue(metadataJson, classOf[MetadataObject])
+ )
new StandardMetadataService(
- new SimpleAttestationResolver(metadata, SimpleTrustResolver.fromMetadata(metadata))
+ new SimpleAttestationResolver(
+ metadata,
+ SimpleTrustResolver.fromMetadata(metadata),
+ )
)
}
- def toPem(cert: X509Certificate): String = (
- "-----BEGIN CERTIFICATE-----\n"
- + Base64.getMimeEncoder(64, System.getProperty("line.separator").getBytes("UTF-8"))
- .encodeToString(cert.getEncoded)
- + "\n-----END CERTIFICATE-----\n"
+ def toPem(cert: X509Certificate): String =
+ (
+ "-----BEGIN CERTIFICATE-----\n"
+ + Base64
+ .getMimeEncoder(
+ 64,
+ System.getProperty("line.separator").getBytes("UTF-8"),
+ )
+ .encodeToString(cert.getEncoded)
+ + "\n-----END CERTIFICATE-----\n"
)
describe("StandardMetadataService") {
@@ -75,17 +83,17 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
val cacaca = TestAuthenticator.generateAttestationCaCertificate(
name = new X500Name("CN=CA CA CA"),
- extensions = List((ooidB, false, new DEROctetString(Array[Byte]())))
+ extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
)
val caca = TestAuthenticator.generateAttestationCaCertificate(
name = new X500Name("CN=CA CA"),
superCa = Some(cacaca),
- extensions = List((ooidB, false, new DEROctetString(Array[Byte]())))
+ extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
)
val (caCert, caKey) = TestAuthenticator.generateAttestationCaCertificate(
name = new X500Name("CN=CA"),
superCa = Some(caca),
- extensions = List((ooidB, false, new DEROctetString(Array[Byte]())))
+ extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
)
val (certA, _) = TestAuthenticator.generateAttestationCertificate(
@@ -93,24 +101,26 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
caCertAndKey = Some((caCert, caKey)),
extensions = List(
(ooidA, false, new DEROctetString(Array[Byte]())),
- (TRANSPORTS_EXT_OID, false, new DERBitString(Array[Byte](0x60)))
- )
+ (TRANSPORTS_EXT_OID, false, new DERBitString(Array[Byte](0x60))),
+ ),
)
val (certB, _) = TestAuthenticator.generateAttestationCertificate(
name = new X500Name("CN=Cert B"),
caCertAndKey = Some((caCert, caKey)),
- extensions = List((ooidB, false, new DEROctetString(Array[Byte]())))
+ extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
)
val (unknownCert, _) = TestAuthenticator.generateAttestationCertificate(
name = new X500Name("CN=Unknown Cert"),
- extensions = List((ooidA, false, new DEROctetString(Array[Byte]())))
+ extensions = List((ooidA, false, new DEROctetString(Array[Byte]()))),
)
val metadataJson =
s"""{
"identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
"version": 1,
- "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(raw"\n")}"],
+ "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(
+ raw"\n"
+ )}"],
"vendorInfo": {},
"devices": [
{
@@ -139,28 +149,32 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
}
]
}"""
- val service = metadataService(metadataJson)
+ val service = metadataService(metadataJson)
it("returns the trusted attestation matching the single cert passed, if it is signed by a trusted certificate.") {
- val attestationA: Attestation = service.getAttestation(List(certA).asJava)
- val attestationB: Attestation = service.getAttestation(List(certB).asJava)
+ val attestationA: Attestation =
+ service.getAttestation(List(certA).asJava)
+ val attestationB: Attestation =
+ service.getAttestation(List(certB).asJava)
- attestationA.isTrusted should be (true)
- attestationA.getDeviceProperties.get.get("deviceId") should be ("DevA")
+ attestationA.isTrusted should be(true)
+ attestationA.getDeviceProperties.get.get("deviceId") should be("DevA")
- attestationB.isTrusted should be (true)
- attestationB.getDeviceProperties.get.get("deviceId") should be ("DevB")
+ attestationB.isTrusted should be(true)
+ attestationB.getDeviceProperties.get.get("deviceId") should be("DevB")
}
it("returns the trusted attestation matching the first cert in the chain if it is signed by a trusted certificate.") {
- val attestationA: Attestation = service.getAttestation(List(certA, certB).asJava)
- val attestationB: Attestation = service.getAttestation(List(certB, certA).asJava)
+ val attestationA: Attestation =
+ service.getAttestation(List(certA, certB).asJava)
+ val attestationB: Attestation =
+ service.getAttestation(List(certB, certA).asJava)
- attestationA.isTrusted should be (true)
- attestationA.getDeviceProperties.get.get("deviceId") should be ("DevA")
+ attestationA.isTrusted should be(true)
+ attestationA.getDeviceProperties.get.get("deviceId") should be("DevA")
- attestationB.isTrusted should be (true)
- attestationB.getDeviceProperties.get.get("deviceId") should be ("DevB")
+ attestationB.isTrusted should be(true)
+ attestationB.getDeviceProperties.get.get("deviceId") should be("DevB")
}
it("returns a trusted best-effort attestation if the certificate is trusted but matches no known metadata.") {
@@ -168,17 +182,22 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
s"""{
"identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
"version": 1,
- "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(raw"\n")}"],
+ "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(
+ raw"\n"
+ )}"],
"vendorInfo": {},
"devices": []
}"""
val service = metadataService(metadataJson)
- val attestation: Attestation = service.getAttestation(List(certA).asJava)
+ val attestation: Attestation =
+ service.getAttestation(List(certA).asJava)
- attestation.isTrusted should be (true)
+ attestation.isTrusted should be(true)
attestation.getDeviceProperties.asScala shouldBe empty
- attestation.getTransports.get.asScala should equal (Set(Transport.BLE, Transport.USB))
+ attestation.getTransports.get.asScala should equal(
+ Set(Transport.BLE, Transport.USB)
+ )
}
it("returns an untrusted attestation with transports if the certificate is not trusted.") {
@@ -192,13 +211,16 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
}"""
val service = metadataService(metadataJson)
- val attestation: Attestation = service.getAttestation(List(certA).asJava)
+ val attestation: Attestation =
+ service.getAttestation(List(certA).asJava)
- attestation.isTrusted should be (false)
+ attestation.isTrusted should be(false)
attestation.getMetadataIdentifier.asScala shouldBe empty
attestation.getVendorProperties.asScala shouldBe empty
attestation.getDeviceProperties.asScala shouldBe empty
- attestation.getTransports.get.asScala should equal (Set(Transport.BLE, Transport.USB))
+ attestation.getTransports.get.asScala should equal(
+ Set(Transport.BLE, Transport.USB)
+ )
}
it("returns the trusted attestation matching the first cert in the chain if the chain resolves to a trusted certificate.") {
@@ -206,7 +228,8 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
s"""{
"identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
"version": 1,
- "trustedCertificates": ["${toPem(cacaca._1).linesIterator.mkString(raw"\n")}"],
+ "trustedCertificates": ["${toPem(cacaca._1).linesIterator
+ .mkString(raw"\n")}"],
"vendorInfo": {},
"devices": [
{
@@ -225,10 +248,11 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
}"""
val service = metadataService(metadataJson)
- val attestation: Attestation = service.getAttestation(List(certA, caCert, caca._1).asJava)
+ val attestation: Attestation =
+ service.getAttestation(List(certA, caCert, caca._1).asJava)
- attestation.isTrusted should be (true)
- attestation.getDeviceProperties.get.get("deviceId") should be ("DevA")
+ attestation.isTrusted should be(true)
+ attestation.getDeviceProperties.get.get("deviceId") should be("DevA")
}
it("matches any certificate to a device with no selectors.") {
@@ -236,7 +260,9 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
s"""{
"identifier": "44c87ead-4455-423e-88eb-9248e0ebe847",
"version": 1,
- "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(raw"\n")}"],
+ "trustedCertificates": ["${toPem(caCert).linesIterator.mkString(
+ raw"\n"
+ )}"],
"vendorInfo": {},
"devices": [
{
@@ -249,8 +275,8 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
val resultA = service.getAttestation(List(certA).asJava)
val resultB = service.getAttestation(List(certB).asJava)
- resultA.getDeviceProperties.get.get("deviceId") should be ("DevA")
- resultB.getDeviceProperties.get.get("deviceId") should be ("DevA")
+ resultA.getDeviceProperties.get.get("deviceId") should be("DevA")
+ resultB.getDeviceProperties.get.get("deviceId") should be("DevA")
}
}
diff --git a/webauthn-server-core-bundle/build.gradle b/webauthn-server-core-bundle/build.gradle
index c9b07ac7b..0e037c025 100644
--- a/webauthn-server-core-bundle/build.gradle
+++ b/webauthn-server-core-bundle/build.gradle
@@ -6,13 +6,16 @@ description = 'Yubico WebAuthn server core API'
project.ext.publishMe = true
+sourceCompatibility = 1.8
+targetCompatibility = 1.8
+
dependencies {
api(
project(':webauthn-server-core-minimal'),
)
implementation(
- addVersion('org.bouncycastle:bcprov-jdk15on'),
+ 'org.bouncycastle:bcprov-jdk15on',
)
}
@@ -24,7 +27,7 @@ jar {
'Implementation-Version': project.version,
'Implementation-Vendor': 'Yubico',
'Implementation-Source-Url': 'https://github.com/Yubico/java-webauthn-server',
- 'Git-Commit': getGitCommit(),
+ 'Git-Commit': getGitCommitOrUnknown(),
])
}
}
diff --git a/webauthn-server-core/build.gradle b/webauthn-server-core/build.gradle
index b921144c9..f990b2511 100644
--- a/webauthn-server-core/build.gradle
+++ b/webauthn-server-core/build.gradle
@@ -2,49 +2,54 @@ plugins {
id 'java-library'
id 'scala'
id 'info.solidsoft.pitest'
+ id 'io.github.cosmicsilence.scalafix'
}
description = 'Yubico WebAuthn server core API (fewer dependencies)'
project.ext.publishMe = true
+sourceCompatibility = 1.8
+targetCompatibility = 1.8
+
dependencies {
+ api(platform(rootProject))
api(
project(':yubico-util'),
)
compileOnly(
- addVersion('org.bouncycastle:bcprov-jdk15on'),
+ platform(rootProject),
+ 'org.bouncycastle:bcprov-jdk15on',
)
implementation(
- addVersion('com.augustcellars.cose:cose-java'),
- addVersion('com.google.guava:guava'),
- addVersion('com.fasterxml.jackson.core:jackson-databind'),
- addVersion('com.upokecenter:cbor'),
- addVersion('org.apache.httpcomponents:httpclient'),
- addVersion('org.slf4j:slf4j-api'),
+ 'com.augustcellars.cose:cose-java',
+ 'com.google.guava:guava',
+ 'com.fasterxml.jackson.core:jackson-databind',
+ 'com.upokecenter:cbor',
+ 'org.apache.httpcomponents:httpclient',
+ 'org.slf4j:slf4j-api',
)
testImplementation(
project(':yubico-util-scala'),
- addVersion('com.fasterxml.jackson.datatype:jackson-datatype-jdk8'),
- addVersion('junit:junit'),
- addVersion('org.bouncycastle:bcpkix-jdk15on'),
- addVersion('org.bouncycastle:bcprov-jdk15on'),
- addVersion('org.mockito:mockito-core'),
- addVersion('org.scala-lang:scala-library'),
- addVersion('org.scalacheck:scalacheck_2.13'),
- addVersion('org.scalatest:scalatest_2.13'),
+ 'com.fasterxml.jackson.datatype:jackson-datatype-jdk8',
+ 'junit:junit',
+ 'org.bouncycastle:bcpkix-jdk15on',
+ 'org.bouncycastle:bcprov-jdk15on',
+ 'org.mockito:mockito-core',
+ 'org.scala-lang:scala-library',
+ 'org.scalacheck:scalacheck_2.13',
+ 'org.scalatest:scalatest_2.13',
)
testRuntimeOnly(
- addVersion('ch.qos.logback:logback-classic'),
+ 'ch.qos.logback:logback-classic',
)
}
-
jar {
manifest {
attributes([
@@ -62,7 +67,7 @@ jar {
'Implementation-Version': project.version,
'Implementation-Vendor': 'Yubico',
'Implementation-Source-Url': 'https://github.com/Yubico/java-webauthn-server',
- 'Git-Commit': getGitCommit(),
+ 'Git-Commit': getGitCommitOrUnknown(),
])
}
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.java
index 4495bf58f..d728bb24f 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.java
@@ -1,7 +1,5 @@
package com.yubico.webauthn;
-import javax.net.ssl.SSLException;
-
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
@@ -23,167 +21,179 @@
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
+import javax.net.ssl.SSLException;
import lombok.Value;
import lombok.extern.slf4j.Slf4j;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
@Slf4j
-class AndroidSafetynetAttestationStatementVerifier implements AttestationStatementVerifier, X5cAttestationStatementVerifier {
-
- private static final DefaultHostnameVerifier HOSTNAME_VERIFIER = new DefaultHostnameVerifier();
-
- @Override
- public AttestationType getAttestationType(AttestationObject attestation) {
- return AttestationType.BASIC;
+class AndroidSafetynetAttestationStatementVerifier
+ implements AttestationStatementVerifier, X5cAttestationStatementVerifier {
+
+ private static final DefaultHostnameVerifier HOSTNAME_VERIFIER = new DefaultHostnameVerifier();
+
+ @Override
+ public AttestationType getAttestationType(AttestationObject attestation) {
+ return AttestationType.BASIC;
+ }
+
+ @Override
+ public JsonNode getX5cArray(AttestationObject attestationObject) {
+ JsonNodeFactory jsonFactory = JsonNodeFactory.instance;
+ ArrayNode array = jsonFactory.arrayNode();
+ for (JsonNode cert : parseJws(attestationObject).getHeader().get("x5c")) {
+ array.add(jsonFactory.binaryNode(ByteArray.fromBase64(cert.textValue()).getBytes()));
}
-
- @Override
- public JsonNode getX5cArray(AttestationObject attestationObject) {
- JsonNodeFactory jsonFactory = JsonNodeFactory.instance;
- ArrayNode array = jsonFactory.arrayNode();
- for (JsonNode cert : parseJws(attestationObject).getHeader().get("x5c")) {
- array.add(jsonFactory.binaryNode(ByteArray.fromBase64(cert.textValue()).getBytes()));
- }
- return array;
+ return array;
+ }
+
+ @Override
+ public boolean verifyAttestationSignature(
+ AttestationObject attestationObject, ByteArray clientDataJsonHash) {
+ final JsonNode ver = attestationObject.getAttestationStatement().get("ver");
+
+ if (ver == null || !ver.isTextual()) {
+ throw new IllegalArgumentException(
+ "Property \"ver\" of android-safetynet attestation statement must be a string, was: "
+ + ver);
}
- @Override
- public boolean verifyAttestationSignature(AttestationObject attestationObject, ByteArray clientDataJsonHash) {
- final JsonNode ver = attestationObject.getAttestationStatement().get("ver");
+ JsonWebSignatureCustom jws = parseJws(attestationObject);
- if (ver == null || !ver.isTextual()) {
- throw new IllegalArgumentException("Property \"ver\" of android-safetynet attestation statement must be a string, was: " + ver);
- }
-
- JsonWebSignatureCustom jws = parseJws(attestationObject);
+ if (!verifySignature(jws)) {
+ return false;
+ }
- if (!verifySignature(jws)) {
- return false;
- }
+ JsonNode payload = jws.getPayload();
+
+ ByteArray signedData =
+ attestationObject.getAuthenticatorData().getBytes().concat(clientDataJsonHash);
+ ByteArray hashSignedData = Crypto.sha256(signedData);
+ ByteArray nonceByteArray = ByteArray.fromBase64(payload.get("nonce").textValue());
+ ExceptionUtil.assure(
+ hashSignedData.equals(nonceByteArray),
+ "Nonce does not equal authenticator data + client data. Expected nonce: %s, was nonce: %s",
+ hashSignedData.getBase64Url(),
+ nonceByteArray.getBase64Url());
+
+ ExceptionUtil.assure(
+ payload.get("ctsProfileMatch").booleanValue(),
+ "Expected ctsProfileMatch to be true, was: %s",
+ payload.get("ctsProfileMatch"));
+
+ return true;
+ }
+
+ private static JsonWebSignatureCustom parseJws(AttestationObject attestationObject) {
+ return new JsonWebSignatureCustom(
+ new String(getResponseBytes(attestationObject).getBytes(), StandardCharsets.UTF_8));
+ }
+
+ private static ByteArray getResponseBytes(AttestationObject attestationObject) {
+ final JsonNode response = attestationObject.getAttestationStatement().get("response");
+ if (response == null || !response.isBinary()) {
+ throw new IllegalArgumentException(
+ "Property \"response\" of android-safetynet attestation statement must be a binary value, was: "
+ + response);
+ }
- JsonNode payload = jws.getPayload();
+ try {
+ return new ByteArray(response.binaryValue());
+ } catch (IOException ioe) {
+ throw ExceptionUtil.wrapAndLog(
+ log, "response.isBinary() was true but response.binaryValue failed: " + response, ioe);
+ }
+ }
- ByteArray signedData = attestationObject.getAuthenticatorData().getBytes().concat(clientDataJsonHash);
- ByteArray hashSignedData = Crypto.hash(signedData);
- ByteArray nonceByteArray = ByteArray.fromBase64(payload.get("nonce").textValue());
- ExceptionUtil.assure(
- hashSignedData.equals(nonceByteArray),
- "Nonce does not equal authenticator data + client data. Expected nonce: %s, was nonce: %s",
- hashSignedData.getBase64Url(),
- nonceByteArray.getBase64Url()
- );
+ private boolean verifySignature(JsonWebSignatureCustom jws) {
+ // Verify the signature of the JWS and retrieve the signature certificate.
+ X509Certificate attestationCertificate = jws.getX5c().get(0);
- ExceptionUtil.assure(
- payload.get("ctsProfileMatch").booleanValue(),
- "Expected ctsProfileMatch to be true, was: %s",
- payload.get("ctsProfileMatch")
- );
+ String signatureAlgorithmName =
+ WebAuthnCodecs.jwsAlgorithmNameToJavaAlgorithmName(jws.getAlgorithm());
- return true;
+ Signature signatureVerifier;
+ try {
+ signatureVerifier = Crypto.getSignature(signatureAlgorithmName);
+ } catch (NoSuchAlgorithmException e) {
+ throw ExceptionUtil.wrapAndLog(
+ log, "Failed to get a Signature instance for " + signatureAlgorithmName, e);
}
-
- private static JsonWebSignatureCustom parseJws(AttestationObject attestationObject) {
- return new JsonWebSignatureCustom(new String(getResponseBytes(attestationObject).getBytes(), StandardCharsets.UTF_8));
+ try {
+ signatureVerifier.initVerify(attestationCertificate.getPublicKey());
+ } catch (InvalidKeyException e) {
+ throw ExceptionUtil.wrapAndLog(
+ log, "Attestation key is invalid: " + attestationCertificate, e);
}
-
- private static ByteArray getResponseBytes(AttestationObject attestationObject) {
- final JsonNode response = attestationObject.getAttestationStatement().get("response");
- if (response == null || !response.isBinary()) {
- throw new IllegalArgumentException("Property \"response\" of android-safetynet attestation statement must be a binary value, was: " + response);
- }
-
- try {
- return new ByteArray(response.binaryValue());
- } catch (IOException ioe) {
- throw ExceptionUtil.wrapAndLog(log, "response.isBinary() was true but response.binaryValue failed: " + response, ioe);
- }
+ try {
+ signatureVerifier.update(jws.getSignedBytes().getBytes());
+ } catch (SignatureException e) {
+ throw ExceptionUtil.wrapAndLog(
+ log, "Signature object in invalid state: " + signatureVerifier, e);
}
- private boolean verifySignature(JsonWebSignatureCustom jws) {
- // Verify the signature of the JWS and retrieve the signature certificate.
- X509Certificate attestationCertificate = jws.getX5c().get(0);
-
- String signatureAlgorithmName = WebAuthnCodecs.jwsAlgorithmNameToJavaAlgorithmName(jws.getAlgorithm());
-
- Signature signatureVerifier;
- try {
- signatureVerifier = Crypto.getSignature(signatureAlgorithmName);
- } catch (NoSuchAlgorithmException e) {
- throw ExceptionUtil.wrapAndLog(log, "Failed to get a Signature instance for " + signatureAlgorithmName, e);
- }
- try {
- signatureVerifier.initVerify(attestationCertificate.getPublicKey());
- } catch (InvalidKeyException e) {
- throw ExceptionUtil.wrapAndLog(log, "Attestation key is invalid: " + attestationCertificate, e);
- }
- try {
- signatureVerifier.update(jws.getSignedBytes().getBytes());
- } catch (SignatureException e) {
- throw ExceptionUtil.wrapAndLog(log, "Signature object in invalid state: " + signatureVerifier, e);
- }
-
- // Verify the hostname of the certificate.
- ExceptionUtil.assure(
- verifyHostname(attestationCertificate),
- "Certificate isn't issued for the hostname attest.android.com: %s",
- attestationCertificate
- );
-
- try {
- return signatureVerifier.verify(jws.getSignature().getBytes());
- } catch (SignatureException e) {
- throw ExceptionUtil.wrapAndLog(log, "Failed to verify signature of JWS: " + jws, e);
- }
- }
+ // Verify the hostname of the certificate.
+ ExceptionUtil.assure(
+ verifyHostname(attestationCertificate),
+ "Certificate isn't issued for the hostname attest.android.com: %s",
+ attestationCertificate);
- @Value
- private static class JsonWebSignatureCustom {
- public final JsonNode header;
- public final JsonNode payload;
- public final ByteArray signedBytes;
- public final ByteArray signature;
- public final List x5c;
- public final String algorithm;
-
- JsonWebSignatureCustom(String jwsCompact) {
- String[] parts = jwsCompact.split("\\.");
- ObjectMapper json = JacksonCodecs.json();
-
- try {
- final ByteArray header = ByteArray.fromBase64Url(parts[0]);
- final ByteArray payload = ByteArray.fromBase64Url(parts[1]);
-
- this.header = json.readTree(header.getBytes());
- this.payload = json.readTree(payload.getBytes());
- this.signedBytes = new ByteArray((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
- this.signature = ByteArray.fromBase64Url(parts[2]);
- this.x5c = getX5c(this.header);
- this.algorithm = this.header.get("alg").textValue();
- } catch (IOException | Base64UrlException e) {
- throw ExceptionUtil.wrapAndLog(log, "Failed to parse JWS: " + jwsCompact, e);
- } catch (CertificateException e) {
- throw ExceptionUtil.wrapAndLog(log, "Failed to parse attestation certificates in JWS header: " + jwsCompact, e);
- }
- }
-
- private static List getX5c(JsonNode header) throws IOException, CertificateException {
- List result = new ArrayList<>();
- for (JsonNode jsonNode : header.get("x5c")) {
- result.add(CertificateParser.parseDer(jsonNode.binaryValue()));
- }
- return result;
- }
+ try {
+ return signatureVerifier.verify(jws.getSignature().getBytes());
+ } catch (SignatureException e) {
+ throw ExceptionUtil.wrapAndLog(log, "Failed to verify signature of JWS: " + jws, e);
+ }
+ }
+
+ @Value
+ private static class JsonWebSignatureCustom {
+ public final JsonNode header;
+ public final JsonNode payload;
+ public final ByteArray signedBytes;
+ public final ByteArray signature;
+ public final List x5c;
+ public final String algorithm;
+
+ JsonWebSignatureCustom(String jwsCompact) {
+ String[] parts = jwsCompact.split("\\.");
+ ObjectMapper json = JacksonCodecs.json();
+
+ try {
+ final ByteArray header = ByteArray.fromBase64Url(parts[0]);
+ final ByteArray payload = ByteArray.fromBase64Url(parts[1]);
+
+ this.header = json.readTree(header.getBytes());
+ this.payload = json.readTree(payload.getBytes());
+ this.signedBytes =
+ new ByteArray((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
+ this.signature = ByteArray.fromBase64Url(parts[2]);
+ this.x5c = getX5c(this.header);
+ this.algorithm = this.header.get("alg").textValue();
+ } catch (IOException | Base64UrlException e) {
+ throw ExceptionUtil.wrapAndLog(log, "Failed to parse JWS: " + jwsCompact, e);
+ } catch (CertificateException e) {
+ throw ExceptionUtil.wrapAndLog(
+ log, "Failed to parse attestation certificates in JWS header: " + jwsCompact, e);
+ }
}
- /**
- * Verifies that the certificate matches the hostname "attest.android.com".
- */
- private static boolean verifyHostname(X509Certificate leafCert) {
- try {
- HOSTNAME_VERIFIER.verify("attest.android.com", leafCert);
- return true;
- } catch (SSLException e) {
- return false;
- }
+ private static List getX5c(JsonNode header)
+ throws IOException, CertificateException {
+ List result = new ArrayList<>();
+ for (JsonNode jsonNode : header.get("x5c")) {
+ result.add(CertificateParser.parseDer(jsonNode.binaryValue()));
+ }
+ return result;
+ }
+ }
+
+ /** Verifies that the certificate matches the hostname "attest.android.com". */
+ private static boolean verifyHostname(X509Certificate leafCert) {
+ try {
+ HOSTNAME_VERIFIER.verify("attest.android.com", leafCert);
+ return true;
+ } catch (SSLException e) {
+ return false;
}
+ }
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AppleAttestationStatementVerifier.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AppleAttestationStatementVerifier.java
new file mode 100644
index 000000000..efb3f5d93
--- /dev/null
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/AppleAttestationStatementVerifier.java
@@ -0,0 +1,126 @@
+// Copyright (c) 2018, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+// list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+// this list of conditions and the following disclaimer in the documentation
+// and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.webauthn;
+
+import com.yubico.internal.util.ExceptionUtil;
+import com.yubico.webauthn.data.AttestationObject;
+import com.yubico.webauthn.data.AttestationType;
+import com.yubico.webauthn.data.ByteArray;
+import java.security.PublicKey;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Optional;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+final class AppleAttestationStatementVerifier
+ implements AttestationStatementVerifier, X5cAttestationStatementVerifier {
+
+ private static final String NONCE_EXTENSION_OID = "1.2.840.113635.100.8.2";
+
+ @Override
+ public AttestationType getAttestationType(AttestationObject attestation) {
+ return AttestationType.ANONYMIZATION_CA;
+ }
+
+ @Override
+ public boolean verifyAttestationSignature(
+ AttestationObject attestationObject, ByteArray clientDataJsonHash) {
+ final Optional attestationCert;
+ try {
+ attestationCert = getX5cAttestationCertificate(attestationObject);
+ } catch (CertificateException e) {
+ throw ExceptionUtil.wrapAndLog(
+ log,
+ String.format(
+ "Failed to parse X.509 certificate from attestation object: %s", attestationObject),
+ e);
+ }
+
+ return attestationCert
+ .map(
+ attestationCertificate -> {
+ final ByteArray nonceToHash =
+ attestationObject.getAuthenticatorData().getBytes().concat(clientDataJsonHash);
+
+ final ByteArray nonce = Crypto.sha256(nonceToHash);
+
+ byte[] nonceExtension = attestationCertificate.getExtensionValue(NONCE_EXTENSION_OID);
+ if (nonceExtension == null) {
+ throw new IllegalArgumentException(
+ "Apple anonymous attestation certificate must contain extension OID: "
+ + NONCE_EXTENSION_OID);
+ }
+
+ // X.509 extension values is a DER octet string: 0x0426
+ // Then the extension contains a 1-element sequence: 0x3024
+ // The element has context-specific tag "[1]": 0xa122
+ // Then the sequence contains a 32-byte octet string: 0x0420
+ final ByteArray expectedExtensionValue =
+ new ByteArray(
+ new byte[] {
+ 0x04, 0x26, 0x30, 0x24, (-128) + (0xa1 - 128), 0x22, 0x04, 0x20
+ })
+ .concat(nonce);
+
+ if (!expectedExtensionValue.equals(new ByteArray(nonceExtension))) {
+ throw new IllegalArgumentException(
+ String.format(
+ "Apple anonymous attestation certificate extension %s must equal nonceToHash. Expected: %s, was: %s",
+ NONCE_EXTENSION_OID,
+ expectedExtensionValue,
+ new ByteArray(nonceExtension)));
+ }
+
+ final PublicKey credentialPublicKey;
+ try {
+ credentialPublicKey =
+ WebAuthnCodecs.importCosePublicKey(
+ attestationObject
+ .getAuthenticatorData()
+ .getAttestedCredentialData()
+ .get()
+ .getCredentialPublicKey());
+ } catch (Exception e) {
+ throw ExceptionUtil.wrapAndLog(log, "Failed to import credential public key", e);
+ }
+
+ final PublicKey certPublicKey = attestationCertificate.getPublicKey();
+
+ if (!credentialPublicKey.equals(certPublicKey)) {
+ throw new IllegalArgumentException(
+ String.format(
+ "Apple anonymous attestation certificate subject public key must equal credential public key. Expected: %s, was: %s",
+ credentialPublicKey, certPublicKey));
+ }
+
+ return true;
+ })
+ .orElseThrow(
+ () ->
+ new IllegalArgumentException(
+ "Failed to parse attestation certificate from \"apple\" attestation statement."));
+ }
+}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionRequest.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionRequest.java
index 77d2a2357..b44ba8377 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionRequest.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionRequest.java
@@ -32,95 +32,95 @@
import lombok.NonNull;
import lombok.Value;
-
/**
- * A combination of a {@link PublicKeyCredentialRequestOptions} and, optionally, a {@link #getUsername() username}.
+ * A combination of a {@link PublicKeyCredentialRequestOptions} and, optionally, a {@link
+ * #getUsername() username}.
*/
@Value
@Builder(toBuilder = true)
public class AssertionRequest {
- /**
- * An object that can be serialized to JSON and passed as the publicKey argument to
- * navigator.credentials.get().
- */
- @NonNull
- private final PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions;
+ /**
+ * An object that can be serialized to JSON and passed as the publicKey argument to
+ * navigator.credentials.get().
+ */
+ @NonNull private final PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions;
+
+ /**
+ * The username of the user to authenticate, if the user has already been identified.
+ *
+ * If this is absent, this indicates that this is a request for an assertion by a client-side-resident
+ * credential, and identification of the user has been deferred until the response is
+ * received.
+ */
+ private final String username;
+
+ @JsonCreator
+ private AssertionRequest(
+ @NonNull @JsonProperty("publicKeyCredentialRequestOptions")
+ PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions,
+ @JsonProperty("username") String username) {
+ this.publicKeyCredentialRequestOptions = publicKeyCredentialRequestOptions;
+ this.username = username;
+ }
+
+ /**
+ * The username of the user to authenticate, if the user has already been identified.
+ *
+ *
If this is absent, this indicates that this is a request for an assertion by a client-side-resident
+ * credential, and identification of the user has been deferred until the response is
+ * received.
+ */
+ public Optional getUsername() {
+ return Optional.ofNullable(username);
+ }
+
+ public static AssertionRequestBuilder.MandatoryStages builder() {
+ return new AssertionRequestBuilder.MandatoryStages();
+ }
+
+ public static class AssertionRequestBuilder {
+ private String username = null;
+
+ public static class MandatoryStages {
+ private final AssertionRequestBuilder builder = new AssertionRequestBuilder();
+
+ /**
+ * {@link
+ * AssertionRequestBuilder#publicKeyCredentialRequestOptions(PublicKeyCredentialRequestOptions)
+ * publicKeyCredentialRequestOptions} is a required parameter.
+ */
+ public AssertionRequestBuilder publicKeyCredentialRequestOptions(
+ PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions) {
+ return builder.publicKeyCredentialRequestOptions(publicKeyCredentialRequestOptions);
+ }
+ }
/**
* The username of the user to authenticate, if the user has already been identified.
- *
- * If this is absent, this indicates that this is a request for an assertion by a If this is absent, this indicates that this is a request for an assertion by a client-side-resident
- * credential, and identification of the user has been deferred until the response is received.
- *
+ * credential, and identification of the user has been deferred until the response is
+ * received.
*/
- private final String username;
-
- @JsonCreator
- private AssertionRequest(
- @NonNull @JsonProperty("publicKeyCredentialRequestOptions") PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions,
- @JsonProperty("username") String username
- ) {
- this.publicKeyCredentialRequestOptions = publicKeyCredentialRequestOptions;
- this.username = username;
+ public AssertionRequestBuilder username(@NonNull Optional username) {
+ return this.username(username.orElse(null));
}
/**
* The username of the user to authenticate, if the user has already been identified.
- *
- * If this is absent, this indicates that this is a request for an assertion by a If this is absent, this indicates that this is a request for an assertion by a client-side-resident
- * credential, and identification of the user has been deferred until the response is received.
- *
+ * credential, and identification of the user has been deferred until the response is
+ * received.
*/
- public Optional getUsername() {
- return Optional.ofNullable(username);
- }
-
- public static AssertionRequestBuilder.MandatoryStages builder() {
- return new AssertionRequestBuilder.MandatoryStages();
- }
-
- public static class AssertionRequestBuilder {
- private String username = null;
-
- public static class MandatoryStages {
- private final AssertionRequestBuilder builder = new AssertionRequestBuilder();
-
- /**
- * {@link AssertionRequestBuilder#publicKeyCredentialRequestOptions(PublicKeyCredentialRequestOptions)
- * publicKeyCredentialRequestOptions} is a required parameter.
- */
- public AssertionRequestBuilder publicKeyCredentialRequestOptions(PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions) {
- return builder.publicKeyCredentialRequestOptions(publicKeyCredentialRequestOptions);
- }
- }
-
- /**
- * The username of the user to authenticate, if the user has already been identified.
- *
- * If this is absent, this indicates that this is a request for an assertion by a client-side-resident
- * credential, and identification of the user has been deferred until the response is received.
- *
- */
- public AssertionRequestBuilder username(@NonNull Optional username) {
- return this.username(username.orElse(null));
- }
-
- /**
- * The username of the user to authenticate, if the user has already been identified.
- *
- * If this is absent, this indicates that this is a request for an assertion by a client-side-resident
- * credential, and identification of the user has been deferred until the response is received.
- *
- */
- public AssertionRequestBuilder username(String username) {
- this.username = username;
- return this;
- }
+ public AssertionRequestBuilder username(String username) {
+ this.username = username;
+ return this;
}
-
+ }
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java
index 1f889f6f2..a2cec70dd 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java
@@ -27,166 +27,153 @@
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.yubico.internal.util.CollectionUtil;
+import com.yubico.webauthn.data.AuthenticatorData;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions;
import com.yubico.webauthn.data.UserIdentity;
-import com.yubico.webauthn.data.AuthenticatorData;
import java.util.List;
import lombok.Builder;
import lombok.NonNull;
import lombok.Value;
-
-/**
- * The result of a call to {@link RelyingParty#finishAssertion(FinishAssertionOptions)}.
- */
+/** The result of a call to {@link RelyingParty#finishAssertion(FinishAssertionOptions)}. */
@Value
@Builder(toBuilder = true)
public class AssertionResult {
- /**
- * true if the assertion was verified successfully.
- */
- private final boolean success;
-
- /**
- * The credential ID of the credential
- * used for the assertion.
- *
- * @see Credential ID
- * @see PublicKeyCredentialRequestOptions#getAllowCredentials()
- */
- @NonNull
- private final ByteArray credentialId;
-
- /**
- * The user handle of the authenticated
- * user.
- *
- * @see User Handle
- * @see UserIdentity#getId()
- * @see #getUsername()
- */
- @NonNull
- private final ByteArray userHandle;
-
- /**
- * The username of the authenticated user.
- *
- * @see #getUserHandle()
- */
- @NonNull
- private final String username;
-
- /**
- * The new signature count of the
- * credential used for the assertion.
- *
- *
- * You should update this value in your database.
- *
- *
- * @see AuthenticatorData#getSignatureCounter()
- */
- private final long signatureCount;
-
- /**
- * true if and only if at least one of the following is true:
- *
- * - The {@link AuthenticatorData#getSignatureCounter() signature counter value} in the assertion was strictly
- * greater than {@link RegisteredCredential#getSignatureCount() the stored one}.
- * - The {@link AuthenticatorData#getSignatureCounter() signature counter value} in the assertion and
- * {@link RegisteredCredential#getSignatureCount() the stored one} were both zero.
- *
- *
- * @see §6.1. Authenticator
- * Data
- * @see AuthenticatorData#getSignatureCounter()
- * @see RegisteredCredential#getSignatureCount()
- * @see com.yubico.webauthn.RelyingParty.RelyingPartyBuilder#validateSignatureCounter(boolean)
- */
- private final boolean signatureCounterValid;
-
- /**
- * Zero or more human-readable messages about non-critical issues.
- */
- @NonNull
- private final List warnings;
-
- @JsonCreator
- private AssertionResult(
- @JsonProperty("success") boolean success,
- @NonNull @JsonProperty("credentialId") ByteArray credentialId,
- @NonNull @JsonProperty("userHandle") ByteArray userHandle,
- @NonNull @JsonProperty("username") String username,
- @JsonProperty("signatureCount") long signatureCount,
- @JsonProperty("signatureCounterValid") boolean signatureCounterValid,
- @NonNull @JsonProperty("warnings") List warnings
- ) {
- this.success = success;
- this.credentialId = credentialId;
- this.userHandle = userHandle;
- this.username = username;
- this.signatureCount = signatureCount;
- this.signatureCounterValid = signatureCounterValid;
- this.warnings = CollectionUtil.immutableList(warnings);
- }
+ /** true if the assertion was verified successfully. */
+ private final boolean success;
+
+ /**
+ * The credential ID
+ * of the credential used for the assertion.
+ *
+ * @see Credential ID
+ * @see PublicKeyCredentialRequestOptions#getAllowCredentials()
+ */
+ @NonNull private final ByteArray credentialId;
+
+ /**
+ * The user handle of
+ * the authenticated user.
+ *
+ * @see User Handle
+ * @see UserIdentity#getId()
+ * @see #getUsername()
+ */
+ @NonNull private final ByteArray userHandle;
+
+ /**
+ * The username of the authenticated user.
+ *
+ * @see #getUserHandle()
+ */
+ @NonNull private final String username;
+
+ /**
+ * The new signature
+ * count of the credential used for the assertion.
+ *
+ * You should update this value in your database.
+ *
+ * @see AuthenticatorData#getSignatureCounter()
+ */
+ private final long signatureCount;
+
+ /**
+ * true if and only if at least one of the following is true:
+ *
+ *
+ * - The {@link AuthenticatorData#getSignatureCounter() signature counter value} in the
+ * assertion was strictly greater than {@link RegisteredCredential#getSignatureCount() the
+ * stored one}.
+ *
- The {@link AuthenticatorData#getSignatureCounter() signature counter value} in the
+ * assertion and {@link RegisteredCredential#getSignatureCount() the stored one} were both
+ * zero.
+ *
+ *
+ * @see §6.1.
+ * Authenticator Data
+ * @see AuthenticatorData#getSignatureCounter()
+ * @see RegisteredCredential#getSignatureCount()
+ * @see com.yubico.webauthn.RelyingParty.RelyingPartyBuilder#validateSignatureCounter(boolean)
+ */
+ private final boolean signatureCounterValid;
+
+ /** Zero or more human-readable messages about non-critical issues. */
+ @NonNull private final List warnings;
+
+ @JsonCreator
+ private AssertionResult(
+ @JsonProperty("success") boolean success,
+ @NonNull @JsonProperty("credentialId") ByteArray credentialId,
+ @NonNull @JsonProperty("userHandle") ByteArray userHandle,
+ @NonNull @JsonProperty("username") String username,
+ @JsonProperty("signatureCount") long signatureCount,
+ @JsonProperty("signatureCounterValid") boolean signatureCounterValid,
+ @NonNull @JsonProperty("warnings") List warnings) {
+ this.success = success;
+ this.credentialId = credentialId;
+ this.userHandle = userHandle;
+ this.username = username;
+ this.signatureCount = signatureCount;
+ this.signatureCounterValid = signatureCounterValid;
+ this.warnings = CollectionUtil.immutableList(warnings);
+ }
+
+ static AssertionResultBuilder.MandatoryStages builder() {
+ return new AssertionResultBuilder.MandatoryStages();
+ }
+
+ static class AssertionResultBuilder {
+ public static class MandatoryStages {
+ private final AssertionResultBuilder builder = new AssertionResultBuilder();
+
+ public Step2 success(boolean success) {
+ builder.success(success);
+ return new Step2();
+ }
+
+ public class Step2 {
+ public Step3 credentialId(ByteArray credentialId) {
+ builder.credentialId(credentialId);
+ return new Step3();
+ }
+ }
- static AssertionResultBuilder.MandatoryStages builder() {
- return new AssertionResultBuilder.MandatoryStages();
- }
+ public class Step3 {
+ public Step4 userHandle(ByteArray userHandle) {
+ builder.userHandle(userHandle);
+ return new Step4();
+ }
+ }
- static class AssertionResultBuilder {
- public static class MandatoryStages {
- private final AssertionResultBuilder builder = new AssertionResultBuilder();
-
- public Step2 success(boolean success) {
- builder.success(success);
- return new Step2();
- }
-
- public class Step2 {
- public Step3 credentialId(ByteArray credentialId) {
- builder.credentialId(credentialId);
- return new Step3();
- }
- }
-
- public class Step3 {
- public Step4 userHandle(ByteArray userHandle) {
- builder.userHandle(userHandle);
- return new Step4();
- }
- }
-
- public class Step4 {
- public Step5 username(String username) {
- builder.username(username);
- return new Step5();
- }
- }
-
- public class Step5 {
- public Step6 signatureCount(long signatureCount) {
- builder.signatureCount(signatureCount);
- return new Step6();
- }
- }
-
- public class Step6 {
- public Step7 signatureCounterValid(boolean signatureCounterValid) {
- builder.signatureCounterValid(signatureCounterValid);
- return new Step7();
- }
- }
-
- public class Step7 {
- public AssertionResultBuilder warnings(List warnings) {
- return builder.warnings(warnings);
- }
- }
+ public class Step4 {
+ public Step5 username(String username) {
+ builder.username(username);
+ return new Step5();
}
- }
+ }
-}
+ public class Step5 {
+ public Step6 signatureCount(long signatureCount) {
+ builder.signatureCount(signatureCount);
+ return new Step6();
+ }
+ }
+
+ public class Step6 {
+ public Step7 signatureCounterValid(boolean signatureCounterValid) {
+ builder.signatureCounterValid(signatureCounterValid);
+ return new Step7();
+ }
+ }
+ public class Step7 {
+ public AssertionResultBuilder warnings(List warnings) {
+ return builder.warnings(warnings);
+ }
+ }
+ }
+ }
+}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationStatementVerifier.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationStatementVerifier.java
index 3c1e18f31..a962164e3 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationStatementVerifier.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationStatementVerifier.java
@@ -25,17 +25,17 @@
package com.yubico.webauthn;
import COSE.CoseException;
-import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.AttestationObject;
import com.yubico.webauthn.data.AttestationType;
+import com.yubico.webauthn.data.ByteArray;
import java.io.IOException;
import java.security.cert.CertificateException;
-
interface AttestationStatementVerifier {
- AttestationType getAttestationType(AttestationObject attestation) throws IOException, CoseException, CertificateException;
-
- boolean verifyAttestationSignature(AttestationObject attestationObject, ByteArray clientDataJsonHash);
+ AttestationType getAttestationType(AttestationObject attestation)
+ throws IOException, CoseException, CertificateException;
+ boolean verifyAttestationSignature(
+ AttestationObject attestationObject, ByteArray clientDataJsonHash);
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationTrustResolver.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationTrustResolver.java
index 23932e164..ac87a2af2 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationTrustResolver.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationTrustResolver.java
@@ -29,9 +29,8 @@
import java.security.cert.X509Certificate;
import java.util.List;
-
interface AttestationTrustResolver {
- Attestation resolveTrustAnchor(List certificateChain) throws CertificateEncodingException;
-
+ Attestation resolveTrustAnchor(List certificateChain)
+ throws CertificateEncodingException;
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRepository.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRepository.java
index 14dba8bb5..2a11022f8 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRepository.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/CredentialRepository.java
@@ -29,53 +29,45 @@
import java.util.Optional;
import java.util.Set;
-
/**
* An abstraction of the database lookups needed by this library.
*
- *
- * This is used by {@link RelyingParty} to look up credentials, usernames and user handles from usernames, user handles
- * and credential IDs.
- *
+ * This is used by {@link RelyingParty} to look up credentials, usernames and user handles from
+ * usernames, user handles and credential IDs.
*/
public interface CredentialRepository {
- /**
- * Get the credential IDs of all credentials registered to the user with the given username.
- */
- Set getCredentialIdsForUsername(String username);
-
- /**
- * Get the user handle corresponding to the given username - the inverse of {@link
- * #getUsernameForUserHandle(ByteArray)}.
- */
- Optional getUserHandleForUsername(String username);
+ /** Get the credential IDs of all credentials registered to the user with the given username. */
+ Set getCredentialIdsForUsername(String username);
- /**
- * Get the username corresponding to the given user handle - the inverse of {@link
- * #getUserHandleForUsername(String)}.
- */
- Optional getUsernameForUserHandle(ByteArray userHandle);
+ /**
+ * Get the user handle corresponding to the given username - the inverse of {@link
+ * #getUsernameForUserHandle(ByteArray)}.
+ */
+ Optional getUserHandleForUsername(String username);
- /**
- * Look up the public key and stored signature count for the given credential registered to the given user.
- *
- *
- * The returned {@link RegisteredCredential} is not expected to be long-lived. It may be read directly from a
- * database or assembled from other components.
- *
- */
- Optional lookup(ByteArray credentialId, ByteArray userHandle);
+ /**
+ * Get the username corresponding to the given user handle - the inverse of {@link
+ * #getUserHandleForUsername(String)}.
+ */
+ Optional getUsernameForUserHandle(ByteArray userHandle);
- /**
- * Look up all credentials with the given credential ID, regardless of what user they're registered to.
- *
- *
- * This is used to refuse registration of duplicate credential IDs. Therefore, under normal circumstances this
- * method should only return zero or one credential (this is an expected consequence, not an interface
- * requirement).
- *
- */
- Set lookupAll(ByteArray credentialId);
+ /**
+ * Look up the public key and stored signature count for the given credential registered to the
+ * given user.
+ *
+ * The returned {@link RegisteredCredential} is not expected to be long-lived. It may be read
+ * directly from a database or assembled from other components.
+ */
+ Optional lookup(ByteArray credentialId, ByteArray userHandle);
+ /**
+ * Look up all credentials with the given credential ID, regardless of what user they're
+ * registered to.
+ *
+ * This is used to refuse registration of duplicate credential IDs. Therefore, under normal
+ * circumstances this method should only return zero or one credential (this is an expected
+ * consequence, not an interface requirement).
+ */
+ Set lookupAll(ByteArray credentialId);
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java
index b98af3a6c..9075f95f1 100755
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java
@@ -50,90 +50,99 @@
@UtilityClass
@Slf4j
-final class Crypto
-{
- // Values from https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/mathematical-routines-for-the-nist-prime-elliptic-curves.cfm
- // cross-referenced with "secp256r1" in https://www.secg.org/sec2-v2.pdf
- private static final EllipticCurve P256 = new EllipticCurve(
- new ECFieldFp(
- new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853951", 10)),
- new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853948", 10),
- new BigInteger("41058363725152142129326129780047268409114441015993725554835256314039467401291", 10));
+final class Crypto {
+ // Values from
+ // https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/mathematical-routines-for-the-nist-prime-elliptic-curves.cfm
+ // cross-referenced with "secp256r1" in https://www.secg.org/sec2-v2.pdf
+ private static final EllipticCurve P256 =
+ new EllipticCurve(
+ new ECFieldFp(
+ new BigInteger(
+ "115792089210356248762697446949407573530086143415290314195533631308867097853951",
+ 10)),
+ new BigInteger(
+ "115792089210356248762697446949407573530086143415290314195533631308867097853948", 10),
+ new BigInteger(
+ "41058363725152142129326129780047268409114441015993725554835256314039467401291", 10));
- /*
- * TODO: Delete this in the next major version release
- */
- private static class BouncyCastleLoader {
- private static Provider getProvider() {
- return new BouncyCastleProvider();
- }
+ /*
+ * TODO: Delete this in the next major version release
+ */
+ private static class BouncyCastleLoader {
+ private static Provider getProvider() {
+ return new BouncyCastleProvider();
}
+ }
- /*
- * TODO: Delete this in the next major version release
- */
- public static KeyFactory getKeyFactory(String algorithm) throws NoSuchAlgorithmException {
- try {
- return KeyFactory.getInstance(algorithm);
- } catch (NoSuchAlgorithmException e) {
- log.debug("Caught {}. Attempting fallback to BouncyCastle...", e.toString());
- try {
- return KeyFactory.getInstance(algorithm, BouncyCastleLoader.getProvider());
- } catch (NoSuchAlgorithmException | NoClassDefFoundError e2) {
- throw e;
- }
- }
+ /*
+ * TODO: Delete this in the next major version release
+ */
+ public static KeyFactory getKeyFactory(String algorithm) throws NoSuchAlgorithmException {
+ try {
+ return KeyFactory.getInstance(algorithm);
+ } catch (NoSuchAlgorithmException e) {
+ log.debug("Caught {}. Attempting fallback to BouncyCastle...", e.toString());
+ try {
+ return KeyFactory.getInstance(algorithm, BouncyCastleLoader.getProvider());
+ } catch (NoSuchAlgorithmException | NoClassDefFoundError e2) {
+ throw e;
+ }
}
+ }
- /*
- * TODO: Delete this in the next major version release
- */
- public static Signature getSignature(String algorithm) throws NoSuchAlgorithmException {
- try {
- return Signature.getInstance(algorithm);
- } catch (NoSuchAlgorithmException e) {
- log.debug("Caught {}. Attempting fallback to BouncyCastle...", e.toString());
- try {
- return Signature.getInstance(algorithm, BouncyCastleLoader.getProvider());
- } catch (NoSuchAlgorithmException | NoClassDefFoundError e2) {
- throw e;
- }
- }
+ /*
+ * TODO: Delete this in the next major version release
+ */
+ public static Signature getSignature(String algorithm) throws NoSuchAlgorithmException {
+ try {
+ return Signature.getInstance(algorithm);
+ } catch (NoSuchAlgorithmException e) {
+ log.debug("Caught {}. Attempting fallback to BouncyCastle...", e.toString());
+ try {
+ return Signature.getInstance(algorithm, BouncyCastleLoader.getProvider());
+ } catch (NoSuchAlgorithmException | NoClassDefFoundError e2) {
+ throw e;
+ }
}
+ }
- static boolean isP256(ECParameterSpec params) {
- return P256.equals(params.getCurve());
- }
+ static boolean isP256(ECParameterSpec params) {
+ return P256.equals(params.getCurve());
+ }
- public static boolean verifySignature(X509Certificate attestationCertificate, ByteArray signedBytes, ByteArray signature, COSEAlgorithmIdentifier alg) {
- return verifySignature(attestationCertificate.getPublicKey(), signedBytes, signature, alg);
- }
+ public static boolean verifySignature(
+ X509Certificate attestationCertificate,
+ ByteArray signedBytes,
+ ByteArray signature,
+ COSEAlgorithmIdentifier alg) {
+ return verifySignature(attestationCertificate.getPublicKey(), signedBytes, signature, alg);
+ }
- public static boolean verifySignature(PublicKey publicKey, ByteArray signedBytes, ByteArray signatureBytes, COSEAlgorithmIdentifier alg) {
- try {
- Signature signature = Signature.getInstance(WebAuthnCodecs.getJavaAlgorithmName(alg));
- signature.initVerify(publicKey);
- signature.update(signedBytes.getBytes());
- return signature.verify(signatureBytes.getBytes());
- } catch (GeneralSecurityException | IllegalArgumentException e) {
- throw new RuntimeException(
- String.format(
- "Failed to verify signature. This could be a problem with your JVM environment, or a bug in webauthn-server-core. Public key: %s, signed data: %s , signature: %s",
- publicKey,
- signedBytes.getBase64Url(),
- signatureBytes.getBase64Url()
- ),
- e
- );
- }
+ public static boolean verifySignature(
+ PublicKey publicKey,
+ ByteArray signedBytes,
+ ByteArray signatureBytes,
+ COSEAlgorithmIdentifier alg) {
+ try {
+ Signature signature = Signature.getInstance(WebAuthnCodecs.getJavaAlgorithmName(alg));
+ signature.initVerify(publicKey);
+ signature.update(signedBytes.getBytes());
+ return signature.verify(signatureBytes.getBytes());
+ } catch (GeneralSecurityException | IllegalArgumentException e) {
+ throw new RuntimeException(
+ String.format(
+ "Failed to verify signature. This could be a problem with your JVM environment, or a bug in webauthn-server-core. Public key: %s, signed data: %s , signature: %s",
+ publicKey, signedBytes.getBase64Url(), signatureBytes.getBase64Url()),
+ e);
}
+ }
- public static ByteArray hash(ByteArray bytes) {
- //noinspection UnstableApiUsage
- return new ByteArray(Hashing.sha256().hashBytes(bytes.getBytes()).asBytes());
- }
+ public static ByteArray sha256(ByteArray bytes) {
+ //noinspection UnstableApiUsage
+ return new ByteArray(Hashing.sha256().hashBytes(bytes.getBytes()).asBytes());
+ }
- public static ByteArray hash(String str) {
- return hash(new ByteArray(str.getBytes(StandardCharsets.UTF_8)));
- }
+ public static ByteArray sha256(String str) {
+ return sha256(new ByteArray(str.getBytes(StandardCharsets.UTF_8)));
+ }
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/ExtensionsValidation.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/ExtensionsValidation.java
index 641a1f4b6..6c82e5357 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/ExtensionsValidation.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/ExtensionsValidation.java
@@ -34,38 +34,43 @@
import java.util.stream.Collectors;
import lombok.experimental.UtilityClass;
-
@UtilityClass
class ExtensionsValidation {
- static boolean validate(ExtensionInputs requested, PublicKeyCredential response) {
- Set requestedExtensionIds = requested.getExtensionIds();
- Set clientExtensionIds = response.getClientExtensionResults().getExtensionIds();
+ static boolean validate(
+ ExtensionInputs requested,
+ PublicKeyCredential
+ response) {
+ Set requestedExtensionIds = requested.getExtensionIds();
+ Set clientExtensionIds = response.getClientExtensionResults().getExtensionIds();
- if (!requestedExtensionIds.containsAll(clientExtensionIds)) {
- throw new IllegalArgumentException(String.format(
- "Client extensions {%s} are not a subset of requested extensions {%s}.",
- String.join(", ", clientExtensionIds),
- String.join(", ", requestedExtensionIds)
- ));
- }
+ if (!requestedExtensionIds.containsAll(clientExtensionIds)) {
+ throw new IllegalArgumentException(
+ String.format(
+ "Client extensions {%s} are not a subset of requested extensions {%s}.",
+ String.join(", ", clientExtensionIds), String.join(", ", requestedExtensionIds)));
+ }
- Set authenticatorExtensionIds = response.getResponse().getParsedAuthenticatorData().getExtensions()
- .map(extensions -> extensions.getKeys().stream()
- .map(CBORObject::AsString)
- .collect(Collectors.toSet())
- )
+ Set authenticatorExtensionIds =
+ response
+ .getResponse()
+ .getParsedAuthenticatorData()
+ .getExtensions()
+ .map(
+ extensions ->
+ extensions.getKeys().stream()
+ .map(CBORObject::AsString)
+ .collect(Collectors.toSet()))
.orElseGet(HashSet::new);
- if (!requestedExtensionIds.containsAll(authenticatorExtensionIds)) {
- throw new IllegalArgumentException(String.format(
- "Authenticator extensions {%s} are not a subset of requested extensions {%s}.",
- String.join(", ", authenticatorExtensionIds),
- String.join(", ", requestedExtensionIds)
- ));
- }
-
- return true;
+ if (!requestedExtensionIds.containsAll(authenticatorExtensionIds)) {
+ throw new IllegalArgumentException(
+ String.format(
+ "Authenticator extensions {%s} are not a subset of requested extensions {%s}.",
+ String.join(", ", authenticatorExtensionIds),
+ String.join(", ", requestedExtensionIds)));
}
+ return true;
+ }
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FidoU2fAttestationStatementVerifier.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FidoU2fAttestationStatementVerifier.java
index c0cc586be..616153e14 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/FidoU2fAttestationStatementVerifier.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/FidoU2fAttestationStatementVerifier.java
@@ -24,6 +24,8 @@
package com.yubico.webauthn;
+import static com.yubico.webauthn.Crypto.isP256;
+
import COSE.CoseException;
import com.fasterxml.jackson.databind.JsonNode;
import com.yubico.internal.util.ExceptionUtil;
@@ -41,132 +43,155 @@
import java.util.Optional;
import lombok.extern.slf4j.Slf4j;
-import static com.yubico.webauthn.Crypto.isP256;
-
@Slf4j
-final class FidoU2fAttestationStatementVerifier implements AttestationStatementVerifier, X5cAttestationStatementVerifier {
-
- private X509Certificate getAttestationCertificate(AttestationObject attestationObject) throws CertificateException {
- return getX5cAttestationCertificate(attestationObject).map(attestationCertificate -> {
- if ("EC".equals(attestationCertificate.getPublicKey().getAlgorithm())
- && isP256(((ECPublicKey) attestationCertificate.getPublicKey()).getParams())
- ) {
+final class FidoU2fAttestationStatementVerifier
+ implements AttestationStatementVerifier, X5cAttestationStatementVerifier {
+
+ private X509Certificate getAttestationCertificate(AttestationObject attestationObject)
+ throws CertificateException {
+ return getX5cAttestationCertificate(attestationObject)
+ .map(
+ attestationCertificate -> {
+ if ("EC".equals(attestationCertificate.getPublicKey().getAlgorithm())
+ && isP256(((ECPublicKey) attestationCertificate.getPublicKey()).getParams())) {
return attestationCertificate;
- } else {
- throw new IllegalArgumentException("Attestation certificate for fido-u2f must have an ECDSA P-256 public key.");
- }
- }).orElseThrow(() -> new IllegalArgumentException(
- "fido-u2f attestation statement must have an \"x5c\" property set to an array of at least one DER encoded X.509 certificate."
- ));
+ } else {
+ throw new IllegalArgumentException(
+ "Attestation certificate for fido-u2f must have an ECDSA P-256 public key.");
+ }
+ })
+ .orElseThrow(
+ () ->
+ new IllegalArgumentException(
+ "fido-u2f attestation statement must have an \"x5c\" property set to an array of at least one DER encoded X.509 certificate."));
+ }
+
+ private static boolean validSelfSignature(X509Certificate cert) {
+ try {
+ cert.verify(cert.getPublicKey());
+ return true;
+ } catch (Exception e) {
+ return false;
+ }
+ }
+
+ private static ByteArray getRawUserPublicKey(AttestationObject attestationObject)
+ throws IOException, CoseException {
+ final ByteArray pubkeyCose =
+ attestationObject
+ .getAuthenticatorData()
+ .getAttestedCredentialData()
+ .get()
+ .getCredentialPublicKey();
+ final PublicKey pubkey;
+ try {
+ pubkey = WebAuthnCodecs.importCosePublicKey(pubkeyCose);
+ } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+ throw ExceptionUtil.wrapAndLog(log, "Failed to decode public key: " + pubkeyCose.getHex(), e);
}
- private static boolean validSelfSignature(X509Certificate cert) {
- try {
- cert.verify(cert.getPublicKey());
- return true;
- } catch (Exception e) {
- return false;
- }
+ final ECPublicKey ecPubkey;
+ try {
+ ecPubkey = (ECPublicKey) pubkey;
+ } catch (ClassCastException e) {
+ throw new RuntimeException("U2F supports only EC keys, was: " + pubkey);
}
- private static ByteArray getRawUserPublicKey(AttestationObject attestationObject) throws IOException, CoseException {
- final ByteArray pubkeyCose = attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getCredentialPublicKey();
- final PublicKey pubkey;
- try {
- pubkey = WebAuthnCodecs.importCosePublicKey(pubkeyCose);
- } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
- throw ExceptionUtil.wrapAndLog(log, "Failed to decode public key: " + pubkeyCose.getHex(), e);
- }
-
- final ECPublicKey ecPubkey;
- try {
- ecPubkey = (ECPublicKey) pubkey;
- } catch (ClassCastException e) {
- throw new RuntimeException( "U2F supports only EC keys, was: " + pubkey);
- }
-
- return WebAuthnCodecs.ecPublicKeyToRaw(ecPubkey);
+ return WebAuthnCodecs.ecPublicKeyToRaw(ecPubkey);
+ }
+
+ @Override
+ public AttestationType getAttestationType(AttestationObject attestationObject)
+ throws CoseException, IOException, CertificateException {
+ X509Certificate attestationCertificate = getAttestationCertificate(attestationObject);
+
+ if (attestationCertificate.getPublicKey() instanceof ECPublicKey
+ && validSelfSignature(attestationCertificate)
+ && getRawUserPublicKey(attestationObject)
+ .equals(
+ WebAuthnCodecs.ecPublicKeyToRaw(
+ (ECPublicKey) attestationCertificate.getPublicKey()))) {
+ return AttestationType.SELF_ATTESTATION;
+ } else {
+ return AttestationType.BASIC;
+ }
+ }
+
+ @Override
+ public boolean verifyAttestationSignature(
+ AttestationObject attestationObject, ByteArray clientDataJsonHash) {
+ final X509Certificate attestationCertificate;
+ try {
+ attestationCertificate = getAttestationCertificate(attestationObject);
+ } catch (CertificateException e) {
+ throw new IllegalArgumentException(
+ String.format(
+ "Failed to parse X.509 certificate from attestation object: %s", attestationObject));
}
- @Override
- public AttestationType getAttestationType(AttestationObject attestationObject) throws CoseException, IOException, CertificateException {
- X509Certificate attestationCertificate = getAttestationCertificate(attestationObject);
-
- if (attestationCertificate.getPublicKey() instanceof ECPublicKey
- && validSelfSignature(attestationCertificate)
- && getRawUserPublicKey(attestationObject)
- .equals(
- WebAuthnCodecs.ecPublicKeyToRaw((ECPublicKey) attestationCertificate.getPublicKey())
- )
- ) {
- return AttestationType.SELF_ATTESTATION;
- } else {
- return AttestationType.BASIC;
- }
+ if (!("EC".equals(attestationCertificate.getPublicKey().getAlgorithm())
+ && isP256(((ECPublicKey) attestationCertificate.getPublicKey()).getParams()))) {
+ throw new IllegalArgumentException(
+ "Attestation certificate for fido-u2f must have an ECDSA P-256 public key.");
}
- @Override
- public boolean verifyAttestationSignature(AttestationObject attestationObject, ByteArray clientDataJsonHash) {
- final X509Certificate attestationCertificate;
- try {
- attestationCertificate = getAttestationCertificate(attestationObject);
- } catch (CertificateException e) {
- throw new IllegalArgumentException(String.format(
- "Failed to parse X.509 certificate from attestation object: %s", attestationObject));
- }
-
- if (!(
- "EC".equals(attestationCertificate.getPublicKey().getAlgorithm())
- && isP256(((ECPublicKey) attestationCertificate.getPublicKey()).getParams())
- )) {
- throw new IllegalArgumentException("Attestation certificate for fido-u2f must have an ECDSA P-256 public key.");
- }
-
- final Optional attData = attestationObject.getAuthenticatorData().getAttestedCredentialData();
-
- return attData.map(attestedCredentialData -> {
- JsonNode signature = attestationObject.getAttestationStatement().get("sig");
-
- if (signature == null) {
- throw new IllegalArgumentException("fido-u2f attestation statement must have a \"sig\" property set to a DER encoded signature.");
- }
-
- if (signature.isBinary()) {
+ final Optional attData =
+ attestationObject.getAuthenticatorData().getAttestedCredentialData();
+
+ return attData
+ .map(
+ attestedCredentialData -> {
+ JsonNode signature = attestationObject.getAttestationStatement().get("sig");
+
+ if (signature == null) {
+ throw new IllegalArgumentException(
+ "fido-u2f attestation statement must have a \"sig\" property set to a DER encoded signature.");
+ }
+
+ if (signature.isBinary()) {
final ByteArray userPublicKey;
try {
- userPublicKey = getRawUserPublicKey(attestationObject);
+ userPublicKey = getRawUserPublicKey(attestationObject);
} catch (IOException | CoseException e) {
- RuntimeException err = new RuntimeException(String.format("Failed to parse public key from attestation data %s", attestedCredentialData), e);
- log.error(err.getMessage(), err);
- throw err;
+ RuntimeException err =
+ new RuntimeException(
+ String.format(
+ "Failed to parse public key from attestation data %s",
+ attestedCredentialData),
+ e);
+ log.error(err.getMessage(), err);
+ throw err;
}
ByteArray keyHandle = attestedCredentialData.getCredentialId();
U2fRawRegisterResponse u2fRegisterResponse;
try {
- u2fRegisterResponse = new U2fRawRegisterResponse(
- userPublicKey,
- keyHandle,
- attestationCertificate,
- new ByteArray(signature.binaryValue())
- );
+ u2fRegisterResponse =
+ new U2fRawRegisterResponse(
+ userPublicKey,
+ keyHandle,
+ attestationCertificate,
+ new ByteArray(signature.binaryValue()));
} catch (IOException e) {
- RuntimeException err = new RuntimeException("signature.isBinary() was true but signature.binaryValue() failed", e);
- log.error(err.getMessage(), err);
- throw err;
+ RuntimeException err =
+ new RuntimeException(
+ "signature.isBinary() was true but signature.binaryValue() failed", e);
+ log.error(err.getMessage(), err);
+ throw err;
}
return u2fRegisterResponse.verifySignature(
- attestationObject.getAuthenticatorData().getRpIdHash(),
- clientDataJsonHash
- );
- } else {
- throw new IllegalArgumentException("\"sig\" property of fido-u2f attestation statement must be a CBOR byte array value.");
- }
-
- }).orElseThrow(() -> new IllegalArgumentException("Attestation object for credential creation must have attestation data."));
- }
-
+ attestationObject.getAuthenticatorData().getRpIdHash(), clientDataJsonHash);
+ } else {
+ throw new IllegalArgumentException(
+ "\"sig\" property of fido-u2f attestation statement must be a CBOR byte array value.");
+ }
+ })
+ .orElseThrow(
+ () ->
+ new IllegalArgumentException(
+ "Attestation object for credential creation must have attestation data."));
+ }
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionOptions.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionOptions.java
index a94ed4c3b..17cd9ae3d 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionOptions.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionOptions.java
@@ -33,87 +33,87 @@
import lombok.NonNull;
import lombok.Value;
-/**
- * Parameters for {@link RelyingParty#finishAssertion(FinishAssertionOptions)}.
- */
+/** Parameters for {@link RelyingParty#finishAssertion(FinishAssertionOptions)}. */
@Value
@Builder(toBuilder = true)
public class FinishAssertionOptions {
- /**
- * The request that the {@link #getResponse() response} is a response to.
- */
- @NonNull
- private final AssertionRequest request;
+ /** The request that the {@link #getResponse() response} is a response to. */
+ @NonNull private final AssertionRequest request;
- /**
- * The client's response to the {@link #getRequest() request}.
- *
- * @see navigator.credentials.get()
- */
- @NonNull
- private final PublicKeyCredential response;
-
- /**
- * The token binding ID of the connection to the
- * client, if any.
- *
- * @see The Token Binding Protocol Version 1.0
- */
- private final ByteArray callerTokenBindingId;
+ /**
+ * The client's response to the {@link #getRequest() request}.
+ *
+ * @see navigator.credentials.get()
+ */
+ @NonNull
+ private final PublicKeyCredential
+ response;
- /**
- * The token binding ID of the connection to the
- * client, if any.
- *
- * @see The Token Binding Protocol Version 1.0
- */
- public Optional getCallerTokenBindingId() {
- return Optional.ofNullable(callerTokenBindingId);
- }
+ /**
+ * The token binding ID of the
+ * connection to the client, if any.
+ *
+ * @see The Token Binding Protocol Version 1.0
+ */
+ private final ByteArray callerTokenBindingId;
- public static FinishAssertionOptionsBuilder.MandatoryStages builder() {
- return new FinishAssertionOptionsBuilder.MandatoryStages();
- }
+ /**
+ * The token binding ID of the
+ * connection to the client, if any.
+ *
+ * @see The Token Binding Protocol Version 1.0
+ */
+ public Optional getCallerTokenBindingId() {
+ return Optional.ofNullable(callerTokenBindingId);
+ }
- public static class FinishAssertionOptionsBuilder {
- private ByteArray callerTokenBindingId = null;
+ public static FinishAssertionOptionsBuilder.MandatoryStages builder() {
+ return new FinishAssertionOptionsBuilder.MandatoryStages();
+ }
- public static class MandatoryStages {
- private final FinishAssertionOptionsBuilder builder = new FinishAssertionOptionsBuilder();
+ public static class FinishAssertionOptionsBuilder {
+ private ByteArray callerTokenBindingId = null;
- public Step2 request(AssertionRequest request) {
- builder.request(request);
- return new Step2();
- }
+ public static class MandatoryStages {
+ private final FinishAssertionOptionsBuilder builder = new FinishAssertionOptionsBuilder();
- public class Step2 {
- public FinishAssertionOptionsBuilder response(PublicKeyCredential response) {
- return builder.response(response);
- }
- }
- }
+ public Step2 request(AssertionRequest request) {
+ builder.request(request);
+ return new Step2();
+ }
- /**
- * The token binding ID of the connection to the
- * client, if any.
- *
- * @see The Token Binding Protocol Version 1.0
- */
- public FinishAssertionOptionsBuilder callerTokenBindingId(@NonNull Optional callerTokenBindingId) {
- this.callerTokenBindingId = callerTokenBindingId.orElse(null);
- return this;
+ public class Step2 {
+ public FinishAssertionOptionsBuilder response(
+ PublicKeyCredential
+ response) {
+ return builder.response(response);
}
+ }
+ }
- /**
- * The token binding ID of the connection to the
- * client, if any.
- *
- * @see The Token Binding Protocol Version 1.0
- */
- public FinishAssertionOptionsBuilder callerTokenBindingId(@NonNull ByteArray callerTokenBindingId) {
- return this.callerTokenBindingId(Optional.of(callerTokenBindingId));
- }
+ /**
+ * The token binding ID of the
+ * connection to the client, if any.
+ *
+ * @see The Token Binding Protocol Version 1.0
+ */
+ public FinishAssertionOptionsBuilder callerTokenBindingId(
+ @NonNull Optional callerTokenBindingId) {
+ this.callerTokenBindingId = callerTokenBindingId.orElse(null);
+ return this;
}
+ /**
+ * The token binding ID of the
+ * connection to the client, if any.
+ *
+ * @see The Token Binding Protocol Version 1.0
+ */
+ public FinishAssertionOptionsBuilder callerTokenBindingId(
+ @NonNull ByteArray callerTokenBindingId) {
+ return this.callerTokenBindingId(Optional.of(callerTokenBindingId));
+ }
+ }
}
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java
index aa9c86a83..67d705bb6 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java
@@ -24,6 +24,7 @@
package com.yubico.webauthn;
+import static com.yubico.internal.util.ExceptionUtil.assure;
import COSE.CoseException;
import com.yubico.internal.util.CollectionUtil;
@@ -50,617 +51,610 @@
import lombok.Value;
import lombok.extern.slf4j.Slf4j;
-import static com.yubico.internal.util.ExceptionUtil.assure;
-
-
@Builder
@Slf4j
final class FinishAssertionSteps {
- private static final String CLIENT_DATA_TYPE = "webauthn.get";
+ private static final String CLIENT_DATA_TYPE = "webauthn.get";
- private final AssertionRequest request;
- private final PublicKeyCredential response;
- private final Optional callerTokenBindingId;
- private final Set origins;
- private final String rpId;
- private final CredentialRepository credentialRepository;
+ private final AssertionRequest request;
+ private final PublicKeyCredential
+ response;
+ private final Optional callerTokenBindingId;
+ private final Set origins;
+ private final String rpId;
+ private final CredentialRepository credentialRepository;
- @Builder.Default private final boolean allowOriginPort = false;
- @Builder.Default private final boolean allowOriginSubdomain = false;
- @Builder.Default private final boolean allowUnrequestedExtensions = false;
- @Builder.Default private final boolean validateSignatureCounter = true;
+ @Builder.Default private final boolean allowOriginPort = false;
+ @Builder.Default private final boolean allowOriginSubdomain = false;
+ @Builder.Default private final boolean allowUnrequestedExtensions = false;
+ @Builder.Default private final boolean validateSignatureCounter = true;
- public Step0 begin() {
- return new Step0();
- }
+ public Step0 begin() {
+ return new Step0();
+ }
- public AssertionResult run() throws InvalidSignatureCountException {
- return begin().run();
- }
+ public AssertionResult run() throws InvalidSignatureCountException {
+ return begin().run();
+ }
- interface Step> {
- Next nextStep();
+ interface Step> {
+ Next nextStep();
- void validate() throws InvalidSignatureCountException;
+ void validate() throws InvalidSignatureCountException;
- List getPrevWarnings();
+ List getPrevWarnings();
- default Optional result() {
- return Optional.empty();
- }
+ default Optional result() {
+ return Optional.empty();
+ }
- default List getWarnings() {
- return Collections.emptyList();
- }
+ default List getWarnings() {
+ return Collections.emptyList();
+ }
- default List allWarnings() {
- List result = new ArrayList<>(getPrevWarnings().size() + getWarnings().size());
- result.addAll(getPrevWarnings());
- result.addAll(getWarnings());
- return CollectionUtil.immutableList(result);
- }
+ default List allWarnings() {
+ List result = new ArrayList<>(getPrevWarnings().size() + getWarnings().size());
+ result.addAll(getPrevWarnings());
+ result.addAll(getWarnings());
+ return CollectionUtil.immutableList(result);
+ }
- default Next next() throws InvalidSignatureCountException {
- validate();
- return nextStep();
- }
+ default Next next() throws InvalidSignatureCountException {
+ validate();
+ return nextStep();
+ }
- default AssertionResult run() throws InvalidSignatureCountException {
- if (result().isPresent()) {
- return result().get();
- } else {
- return next().run();
- }
- }
+ default AssertionResult run() throws InvalidSignatureCountException {
+ if (result().isPresent()) {
+ return result().get();
+ } else {
+ return next().run();
+ }
}
+ }
- @Value
- class Step0 implements Step {
- @Override
- public Step1 nextStep() {
- return new Step1(username().get(), userHandle().get(), allWarnings());
- }
+ @Value
+ class Step0 implements Step {
+ @Override
+ public Step1 nextStep() {
+ return new Step1(username().get(), userHandle().get(), allWarnings());
+ }
- @Override
- public void validate() {
- assure(
- request.getUsername().isPresent() || response.getResponse().getUserHandle().isPresent(),
- "At least one of username and user handle must be given; none was."
- );
- assure(
- userHandle().isPresent(),
- "No user found for username: %s, userHandle: %s",
- request.getUsername(), response.getResponse().getUserHandle()
- );
- assure(
- username().isPresent(),
- "No user found for username: %s, userHandle: %s",
- request.getUsername(), response.getResponse().getUserHandle()
- );
- }
+ @Override
+ public void validate() {
+ assure(
+ request.getUsername().isPresent() || response.getResponse().getUserHandle().isPresent(),
+ "At least one of username and user handle must be given; none was.");
+ assure(
+ userHandle().isPresent(),
+ "No user found for username: %s, userHandle: %s",
+ request.getUsername(),
+ response.getResponse().getUserHandle());
+ assure(
+ username().isPresent(),
+ "No user found for username: %s, userHandle: %s",
+ request.getUsername(),
+ response.getResponse().getUserHandle());
+ }
- @Override
- public List getPrevWarnings() {
- return Collections.emptyList();
- }
+ @Override
+ public List getPrevWarnings() {
+ return Collections.emptyList();
+ }
- private Optional userHandle() {
- return response.getResponse().getUserHandle()
- .map(Optional::of)
- .orElseGet(() -> credentialRepository.getUserHandleForUsername(request.getUsername().get()));
- }
+ private Optional userHandle() {
+ return response
+ .getResponse()
+ .getUserHandle()
+ .map(Optional::of)
+ .orElseGet(
+ () -> credentialRepository.getUserHandleForUsername(request.getUsername().get()));
+ }
- private Optional username() {
- return request.getUsername()
- .map(Optional::of)
- .orElseGet(() -> credentialRepository.getUsernameForUserHandle(response.getResponse().getUserHandle().get()));
- }
+ private Optional username() {
+ return request
+ .getUsername()
+ .map(Optional::of)
+ .orElseGet(
+ () ->
+ credentialRepository.getUsernameForUserHandle(
+ response.getResponse().getUserHandle().get()));
}
+ }
- @Value
- class Step1 implements Step {
- private final String username;
- private final ByteArray userHandle;
- private final List prevWarnings;
+ @Value
+ class Step1 implements Step {
+ private final String username;
+ private final ByteArray userHandle;
+ private final List prevWarnings;
- @Override
- public Step2 nextStep() {
- return new Step2(username, userHandle, allWarnings());
- }
+ @Override
+ public Step2 nextStep() {
+ return new Step2(username, userHandle, allWarnings());
+ }
- @Override
- public void validate() {
- request.getPublicKeyCredentialRequestOptions().getAllowCredentials().ifPresent(allowed -> {
+ @Override
+ public void validate() {
+ request
+ .getPublicKeyCredentialRequestOptions()
+ .getAllowCredentials()
+ .ifPresent(
+ allowed -> {
assure(
allowed.stream().anyMatch(allow -> allow.getId().equals(response.getId())),
"Unrequested credential ID: %s",
- response.getId()
- );
- });
- }
+ response.getId());
+ });
}
+ }
- @Value
- class Step2 implements Step {
- private final String username;
- private final ByteArray userHandle;
- private final List prevWarnings;
-
- @Override
- public Step3 nextStep() {
- return new Step3(username, userHandle, allWarnings());
- }
+ @Value
+ class Step2 implements Step {
+ private final String username;
+ private final ByteArray userHandle;
+ private final List prevWarnings;
- @Override
- public void validate() {
- Optional registration = credentialRepository.lookup(response.getId(), userHandle);
-
- assure(
- registration.isPresent(),
- "Unknown credential: %s",
- response.getId()
- );
-
- assure(
- userHandle.equals(registration.get().getUserHandle()),
- "User handle %s does not own credential %s",
- userHandle, response.getId()
- );
- }
+ @Override
+ public Step3 nextStep() {
+ return new Step3(username, userHandle, allWarnings());
}
- @Value
- class Step3 implements Step {
- private final String username;
- private final ByteArray userHandle;
- private final List prevWarnings;
-
- @Override
- public Step4 nextStep() {
- return new Step4(username, userHandle, credential(), allWarnings());
- }
+ @Override
+ public void validate() {
+ Optional registration =
+ credentialRepository.lookup(response.getId(), userHandle);
- @Override
- public void validate() {
- assure(
- maybeCredential().isPresent(),
- "Unknown credential. Credential ID: %s, user handle: %s",
- response.getId(), userHandle
- );
- }
+ assure(registration.isPresent(), "Unknown credential: %s", response.getId());
- private Optional maybeCredential() {
- return credentialRepository.lookup(response.getId(), userHandle);
- }
-
- public RegisteredCredential credential() {
- return maybeCredential().get();
- }
+ assure(
+ userHandle.equals(registration.get().getUserHandle()),
+ "User handle %s does not own credential %s",
+ userHandle,
+ response.getId());
}
+ }
- @Value
- class Step4 implements Step {
-
- private final String username;
- private final ByteArray userHandle;
- private final RegisteredCredential credential;
- private final List prevWarnings;
+ @Value
+ class Step3 implements Step {
+ private final String username;
+ private final ByteArray userHandle;
+ private final List prevWarnings;
- @Override
- public void validate() {
- assure(clientData() != null, "Missing client data.");
- assure(authenticatorData() != null, "Missing authenticator data.");
- assure(signature() != null, "Missing signature.");
- }
-
- @Override
- public Step5 nextStep() {
- return new Step5(username, userHandle, credential, allWarnings());
- }
+ @Override
+ public Step4 nextStep() {
+ return new Step4(username, userHandle, credential(), allWarnings());
+ }
- public ByteArray authenticatorData() {
- return response.getResponse().getAuthenticatorData();
- }
+ @Override
+ public void validate() {
+ assure(
+ maybeCredential().isPresent(),
+ "Unknown credential. Credential ID: %s, user handle: %s",
+ response.getId(),
+ userHandle);
+ }
- public ByteArray clientData() {
- return response.getResponse().getClientDataJSON();
- }
+ private Optional maybeCredential() {
+ return credentialRepository.lookup(response.getId(), userHandle);
+ }
- public ByteArray signature() {
- return response.getResponse().getSignature();
- }
+ public RegisteredCredential credential() {
+ return maybeCredential().get();
}
+ }
- @Value
- class Step5 implements Step {
- private final String username;
- private final ByteArray userHandle;
- private final RegisteredCredential credential;
- private final List prevWarnings;
+ @Value
+ class Step4 implements Step {
- // Nothing to do
- @Override
- public void validate() {
- }
+ private final String username;
+ private final ByteArray userHandle;
+ private final RegisteredCredential credential;
+ private final List prevWarnings;
- @Override
- public Step6 nextStep() {
- return new Step6(username, userHandle, credential, allWarnings());
- }
+ @Override
+ public void validate() {
+ assure(clientData() != null, "Missing client data.");
+ assure(authenticatorData() != null, "Missing authenticator data.");
+ assure(signature() != null, "Missing signature.");
}
- @Value
- class Step6 implements Step {
- private final String username;
- private final ByteArray userHandle;
- private final RegisteredCredential credential;
- private final List prevWarnings;
+ @Override
+ public Step5 nextStep() {
+ return new Step5(username, userHandle, credential, allWarnings());
+ }
- @Override
- public void validate() {
- assure(clientData() != null, "Missing client data.");
- }
+ public ByteArray authenticatorData() {
+ return response.getResponse().getAuthenticatorData();
+ }
- @Override
- public Step7 nextStep() {
- return new Step7(username, userHandle, credential, clientData(), allWarnings());
- }
+ public ByteArray clientData() {
+ return response.getResponse().getClientDataJSON();
+ }
- public CollectedClientData clientData() {
- return response.getResponse().getClientData();
- }
+ public ByteArray signature() {
+ return response.getResponse().getSignature();
+ }
+ }
+
+ @Value
+ class Step5 implements Step {
+ private final String username;
+ private final ByteArray userHandle;
+ private final RegisteredCredential credential;
+ private final List prevWarnings;
+
+ // Nothing to do
+ @Override
+ public void validate() {}
+
+ @Override
+ public Step6 nextStep() {
+ return new Step6(username, userHandle, credential, allWarnings());
+ }
+ }
+
+ @Value
+ class Step6 implements Step {
+ private final String username;
+ private final ByteArray userHandle;
+ private final RegisteredCredential credential;
+ private final List prevWarnings;
+
+ @Override
+ public void validate() {
+ assure(clientData() != null, "Missing client data.");
}
- @Value
- class Step7 implements Step {
+ @Override
+ public Step7 nextStep() {
+ return new Step7(username, userHandle, credential, clientData(), allWarnings());
+ }
- private final String username;
- private final ByteArray userHandle;
- private final RegisteredCredential credential;
- private final CollectedClientData clientData;
- private final List prevWarnings;
+ public CollectedClientData clientData() {
+ return response.getResponse().getClientData();
+ }
+ }
- private List warnings = new LinkedList<>();
+ @Value
+ class Step7 implements Step {
- @Override
- public List getWarnings() {
- return CollectionUtil.immutableList(warnings);
- }
+ private final String username;
+ private final ByteArray userHandle;
+ private final RegisteredCredential credential;
+ private final CollectedClientData clientData;
+ private final List prevWarnings;
- @Override
- public void validate() {
- assure(CLIENT_DATA_TYPE.equals(clientData.getType()),
- "The \"type\" in the client data must be exactly \"%s\", was: %s",
- CLIENT_DATA_TYPE, clientData.getType()
- );
- }
+ private List warnings = new LinkedList<>();
- @Override
- public Step8 nextStep() {
- return new Step8(username, userHandle, credential, allWarnings());
- }
+ @Override
+ public List getWarnings() {
+ return CollectionUtil.immutableList(warnings);
}
- @Value
- class Step8 implements Step {
- private final String username;
- private final ByteArray userHandle;
- private final RegisteredCredential credential;
- private final List prevWarnings;
-
- @Override
- public void validate() {
- assure(
- request.getPublicKeyCredentialRequestOptions().getChallenge().equals(response.getResponse().getClientData().getChallenge()),
- "Incorrect challenge."
- );
- }
-
- @Override
- public Step9 nextStep() {
- return new Step9(username, userHandle, credential, allWarnings());
- }
+ @Override
+ public void validate() {
+ assure(
+ CLIENT_DATA_TYPE.equals(clientData.getType()),
+ "The \"type\" in the client data must be exactly \"%s\", was: %s",
+ CLIENT_DATA_TYPE,
+ clientData.getType());
}
- @Value
- class Step9 implements Step {
- private final String username;
- private final ByteArray userHandle;
- private final RegisteredCredential credential;
- private final List prevWarnings;
-
- @Override
- public void validate() {
- final String responseOrigin = response.getResponse().getClientData().getOrigin();
- assure(
- OriginMatcher.isAllowed(
- responseOrigin,
- origins,
- allowOriginPort,
- allowOriginSubdomain
- ),
- "Incorrect origin: " + responseOrigin
- );
- }
-
- @Override
- public Step10 nextStep() {
- return new Step10(username, userHandle, credential, allWarnings());
- }
+ @Override
+ public Step8 nextStep() {
+ return new Step8(username, userHandle, credential, allWarnings());
}
-
- @Value
- class Step10 implements Step