com.webauthn4j.data.attestation.authenticator.AAGUID Java Examples

Example #1
Source File: TPMAttestationStatementValidator.java    From webauthn4j with Apache License 2.0 7 votes vote down vote up
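/**
 * Validates the x5c (AIK certificate) part of a TPM attestation statement.
 *
 * <p>Checks, in order: the signature over {@code certInfo} made with the AIK certificate's public key,
 * the AIK certificate requirements (delegated to {@code validateAikCert}), and, when the certificate
 * carries the id-fido-gen-ce-aaguid extension, that its AAGUID equals the one in {@code authenticatorData}.
 *
 * @param attestationStatement TPM attestation statement supplying x5c, alg and sig
 * @param certInfo             the structure the signature is computed over
 * @param authenticatorData    authenticator data whose attested credential data carries the AAGUID
 * @throws BadAttestationStatementException if the signature does not verify, cannot be checked,
 *                                          or the AAGUID extension is malformed or does not match
 */
private void validateX5c(TPMAttestationStatement attestationStatement, TPMSAttest certInfo, AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
    X509Certificate aikCert = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();

    /// Verify the sig is a valid signature over certInfo using the attestation public key in aikCert with the algorithm specified in alg.
    String jcaName = getJcaName(attestationStatement.getAlg());
    Signature certInfoSignature = SignatureUtil.createSignature(jcaName);
    try {
        certInfoSignature.initVerify(aikCert.getPublicKey());
        certInfoSignature.update(certInfo.getBytes());
        if (!certInfoSignature.verify(attestationStatement.getSig())) {
            throw new BadAttestationStatementException("hash of certInfo doesn't match with sig.");
        }
    } catch (SignatureException | InvalidKeyException e) {
        throw new BadAttestationStatementException("Failed to validate the signature.", e);
    }

    /// Verify that aikCert meets the requirements in §8.3.1 TPM Attestation Statement Certificate Requirements.
    validateAikCert(aikCert);

    /// If aikCert contains an extension with OID 1 3 6 1 4 1 45724 1 1 4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid in authenticatorData.
    // X509Certificate.getExtensionValue returns the DER-encoded OCTET STRING (extnValue), and the
    // extension value itself is a 16-byte OCTET STRING, so the AAGUID sits behind two headers:
    // 04 12 04 10 || 16 bytes. Feeding the raw 20 bytes to AAGUID compares the wrong data.
    byte[] aaguidExtension = aikCert.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
    if (aaguidExtension != null) {
        boolean wellFormed = aaguidExtension.length == 20
                && aaguidExtension[0] == 0x04 && aaguidExtension[1] == 0x12
                && aaguidExtension[2] == 0x04 && aaguidExtension[3] == 0x10;
        if (!wellFormed) {
            // Fail closed: an extension that is present but not decodable must not be ignored.
            throw new BadAttestationStatementException("AAGUID extension in aikCert is malformed.");
        }
        byte[] aaguidBytes = java.util.Arrays.copyOfRange(aaguidExtension, 4, 20);
        if (!Objects.equals(new AAGUID(aaguidBytes), authenticatorData.getAttestedCredentialData().getAaguid())) {
            throw new BadAttestationStatementException("AAGUID in aikCert doesn't match with that in authenticatorData");
        }
    }
}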
 
Example #2
Source File: KeyStoreResourceTrustAnchorProvider.java    From webauthn4j-spring-security with Apache License 2.0 6 votes vote down vote up
/**
 * Reads the configured Java KeyStore resource and turns every certificate in it into a {@link TrustAnchor}.
 *
 * @return a single-entry {@link Map} whose key is {@code null} and whose value is the {@link Set} of loaded {@link TrustAnchor}s
 * @throws KeyStoreException if the keystore cannot be read or parsed
 */
@Override
protected Map<AAGUID, Set<TrustAnchor>> loadTrustAnchors() {
    checkConfig();
    Resource keyStoreResource = getKeyStore();
    try (InputStream keyStoreStream = keyStoreResource.getInputStream()) {
        KeyStore loadedKeyStore = loadKeyStoreFromStream(keyStoreStream, getPassword());
        List<String> entryAliases = Collections.list(loadedKeyStore.aliases());
        Set<TrustAnchor> anchors = new HashSet<>();
        // NOTE(review): every alias becomes a trust anchor, so the keystore should contain
        // nothing but the attestation root certificates that are meant to be trusted.
        for (String entryAlias : entryAliases) {
            // Second argument null: no name constraints are attached to the anchor.
            anchors.add(new TrustAnchor((X509Certificate) loadedKeyStore.getCertificate(entryAlias), null));
        }
        return Collections.singletonMap(null, anchors);
    } catch (java.security.KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException e) {
        throw new KeyStoreException("Failed to load TrustAnchor from keystore", e);
    }
}
 
Example #3
Source File: MetadataItemImpl.java    From webauthn4j with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a metadata item from its individual parts.
 *
 * <p>Every argument is stored as given: nothing is validated or copied here, so the lists
 * remain shared with the caller.
 *
 * @param aaid                                 AAID of the authenticator
 * @param aaguid                               AAGUID of the authenticator
 * @param attestationCertificateKeyIdentifiers attestation certificate key identifiers
 * @param hash                                 hash value of the entry
 * @param statusReports                        status reports of the entry
 * @param timeOfLastStatusChange               date of the last status change
 * @param metadataStatement                    the metadata statement itself
 */
public MetadataItemImpl(
        String aaid,
        AAGUID aaguid,
        List<String> attestationCertificateKeyIdentifiers,
        String hash,
        List<StatusReport> statusReports,
        LocalDate timeOfLastStatusChange,
        MetadataStatement metadataStatement) {
    // Authenticator identifiers.
    this.aaguid = aaguid;
    this.aaid = aaid;
    this.attestationCertificateKeyIdentifiers = attestationCertificateKeyIdentifiers;

    // Status information.
    this.timeOfLastStatusChange = timeOfLastStatusChange;
    this.statusReports = statusReports;

    // Statement and its hash.
    this.metadataStatement = metadataStatement;
    this.hash = hash;
}
 
Example #4
Source File: BeanAssertUtil.java    From webauthn4j with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that the attested credential data and its mandatory members are present.
 *
 * @param attestedCredentialData value to check
 * @throws ConstraintViolationException if the value itself, its AAGUID or its credential id is {@code null}
 */
public static void validate(AttestedCredentialData attestedCredentialData) {
    if (attestedCredentialData == null) {
        throw new ConstraintViolationException("attestedCredentialData must not be null");
    }
    if (attestedCredentialData.getAaguid() == null) {
        throw new ConstraintViolationException("aaguid must not be null");
    }
    if (attestedCredentialData.getCredentialId() == null) {
        throw new ConstraintViolationException("credentialId must not be null");
    }

    // The key is checked by the COSEKey overload; the typed local keeps overload selection explicit.
    COSEKey credentialKey = attestedCredentialData.getCOSEKey();
    validate(credentialKey);
}
 
Example #5
Source File: KeyStoreFileTrustAnchorsProvider.java    From webauthn4j with Apache License 2.0 6 votes vote down vote up
/**
 * Reads the keystore file and turns every certificate in it into a {@link TrustAnchor}.
 *
 * @return a single-entry {@link Map} keyed by {@code AAGUID.NULL} holding the {@link Set} of loaded {@link TrustAnchor}s
 * @throws KeyStoreException if the keystore file cannot be read or parsed
 */
@Override
protected Map<AAGUID, Set<TrustAnchor>> loadTrustAnchors() {
    checkConfig();
    Path keyStorePath = getKeyStore();
    try (InputStream keyStoreStream = Files.newInputStream(keyStorePath)) {
        KeyStore loadedKeyStore = loadKeyStoreFromStream(keyStoreStream, getPassword());
        List<String> entryAliases = Collections.list(loadedKeyStore.aliases());
        Set<TrustAnchor> anchors = new HashSet<>();
        // NOTE(review): every alias becomes a trust anchor, so the keystore file should contain
        // nothing but the attestation root certificates that are meant to be trusted.
        for (String entryAlias : entryAliases) {
            // Second argument null: no name constraints are attached to the anchor.
            anchors.add(new TrustAnchor((X509Certificate) loadedKeyStore.getCertificate(entryAlias), null));
        }
        return Collections.singletonMap(AAGUID.NULL, anchors);
    } catch (java.security.KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException e) {
        throw new KeyStoreException("Failed to load TrustAnchor from keystore", e);
    }
}
 
Example #6
Source File: FidoMdsMetadataValidator.java    From webauthn4j with Apache License 2.0 6 votes vote down vote up
/**
 * Cross-checks a registration against the metadata items resolved for its AAGUID.
 *
 * <p>If every attestation type listed in the resolved metadata is {@code BASIC_SURROGATE}, a
 * certificate-based attestation statement must not carry x5c. Each resolved item then goes
 * through {@code doAdditionalValidationForFidoMdsMetadataItem}.
 *
 * @param registrationObject registration under validation
 * @throws BadAttestationStatementException if x5c is present although the metadata declares only surrogate attestation
 */
@Override
public void validate(RegistrationObject registrationObject) {
    AAGUID aaguid = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getAaguid();
    AttestationStatement attestationStatement = registrationObject.getAttestationObject().getAttestationStatement();

    Set<MetadataItem> metadataItems = metadataItemsResolver.resolve(aaguid);

    List<AttestationType> declaredTypes = metadataItems.stream()
            .flatMap(item -> item.getMetadataStatement().getAttestationTypes().stream())
            .collect(Collectors.toList());

    // Surrogate-only means: at least one type is declared and none of them differs from BASIC_SURROGATE.
    // With no metadata at all this stays false, so the x5c check below is skipped.
    boolean surrogateOnly = !declaredTypes.isEmpty();
    for (AttestationType declaredType : declaredTypes) {
        if (!declaredType.equals(AttestationType.BASIC_SURROGATE)) {
            surrogateOnly = false;
            break;
        }
    }

    if (surrogateOnly
            && attestationStatement instanceof CertificateBaseAttestationStatement
            && ((CertificateBaseAttestationStatement) attestationStatement).getX5c() != null) {
        throw new BadAttestationStatementException("Although AAGUID is registered for surrogate attestation in metadata, x5c contains certificates.");
    }

    metadataItems.forEach(this::doAdditionalValidationForFidoMdsMetadataItem);
}
 
Example #7
Source File: PackedAttestationStatementValidator.java    From webauthn4j with Apache License 2.0 6 votes vote down vote up
/**
 * Validates the x5c branch of a packed attestation statement.
 *
 * @param registrationObject   registration whose authenticator data supplies the expected AAGUID
 * @param attestationStatement packed attestation statement carrying x5c
 * @param sig                  signature from the attestation statement
 * @param alg                  algorithm the signature was made with
 * @param attrToBeSigned       the signed data (authenticatorData followed by clientDataHash)
 * @return {@code AttestationType.BASIC} when every check passes
 * @throws BadAttestationStatementException if x5c is missing or empty, or the certificate AAGUID does not match
 * @throws BadSignatureException            if {@code sig} does not verify
 */
private AttestationType validateX5c(RegistrationObject registrationObject, PackedAttestationStatement attestationStatement, byte[] sig, COSEAlgorithmIdentifier alg, byte[] attrToBeSigned) {
    boolean certificateMissing = attestationStatement.getX5c() == null || attestationStatement.getX5c().isEmpty();
    if (certificateMissing) {
        throw new BadAttestationStatementException("No attestation certificate is found in packed attestation statement.");
    }

    // Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash
    // using the attestation public key in x5c with the algorithm specified in alg.
    X509Certificate attestationCertificate = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();
    boolean signatureValid = verifySignature(attestationCertificate.getPublicKey(), alg, sig, attrToBeSigned);
    if (!signatureValid) {
        throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
    }

    // Verify that x5c meets the requirements in §8.2.1 Packed attestation statement certificate requirements.
    attestationStatement.getX5c().getEndEntityAttestationCertificate().validate();

    // If x5c contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that
    // the value of this extension matches the aaguid in authenticatorData.
    AAGUID aaguidInCertificate = extractAAGUIDFromAttestationCertificate(attestationCertificate);
    AAGUID aaguid = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getAaguid();
    // Identity comparison on purpose: AAGUID.NULL is used as the "no extension" marker here.
    // NOTE(review): this relies on the extractor returning the AAGUID.NULL instance itself - keep both in sync.
    boolean extensionPresent = aaguidInCertificate != AAGUID.NULL;
    if (extensionPresent && !Objects.equals(aaguidInCertificate, aaguid)) {
        throw new BadAttestationStatementException("AAGUID in attestation certificate doesn't match the AAGUID in authenticatorData.");
    }

    // If successful, return attestation type BASIC and attestation trust path x5c.
    return AttestationType.BASIC;
}
 
Example #8
Source File: WebAuthnModelAuthenticator.java    From webauthn4j with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a model authenticator with explicit attestation material and settings.
 *
 * @param aaguid                      AAGUID the authenticator reports
 * @param attestationKeyPair          key pair used for attestation
 * @param caCertificatePath           CA certificate path for the attestation certificate
 * @param attestationIssuerPrivateKey private key of the attestation certificate issuer
 * @param counter                     initial counter value
 * @param capableOfUserVerification   whether the authenticator can verify the user
 * @param objectConverter             converter; its CBOR converter is also kept
 */
public WebAuthnModelAuthenticator(
        AAGUID aaguid,
        KeyPair attestationKeyPair,
        CACertificatePath caCertificatePath,
        PrivateKey attestationIssuerPrivateKey,
        int counter,
        boolean capableOfUserVerification,
        ObjectConverter objectConverter) {
    // Identity and behaviour flags.
    this.aaguid = aaguid;
    this.counter = counter;
    this.capableOfUserVerification = capableOfUserVerification;

    // Attestation material.
    this.attestationKeyPair = attestationKeyPair;
    this.attestationIssuerPrivateKey = attestationIssuerPrivateKey;
    this.caCertificatePath = caCertificatePath;

    // Credential storage starts empty.
    this.credentialMap = new HashMap<>();

    // Converters all derive from the supplied ObjectConverter.
    this.objectConverter = objectConverter;
    this.cborConverter = objectConverter.getCborConverter();
    this.authenticatorDataConverter = new AuthenticatorDataConverter(objectConverter);
}
 
Example #9
Source File: AttestedCredentialDataConverter.java    From webauthn4j with Apache License 2.0 6 votes vote down vote up
/**
 * Parses attested credential data starting at the buffer's current position.
 *
 * <p>Reads, in order: {@code AAGUID_LENGTH} bytes of AAGUID, an unsigned-short credential id length,
 * that many credential id bytes, and the COSE key. The buffer position is then moved back so that
 * the bytes after the COSE key stay unread.
 *
 * @param attestedCredentialData buffer positioned at the start of the attested credential data
 * @return the parsed {@link AttestedCredentialData}
 */
public AttestedCredentialData convert(ByteBuffer attestedCredentialData) {
    // Fixed-size AAGUID field comes first.
    byte[] aaguidBytes = new byte[AAGUID_LENGTH];
    attestedCredentialData.get(aaguidBytes, 0, AAGUID_LENGTH);
    AAGUID aaguid = new AAGUID(aaguidBytes);
    // Credential id: a length field followed by that many bytes.
    // NOTE(review): the length is taken from the input and is not range-checked here; when fewer bytes
    // remain, ByteBuffer.get throws BufferUnderflowException - confirm callers treat that as invalid input.
    int length = UnsignedNumberUtil.getUnsignedShort(attestedCredentialData);
    byte[] credentialId = new byte[length];
    attestedCredentialData.get(credentialId, 0, length);
    // Drain the rest of the buffer; the COSE key is decoded from this copy.
    byte[] remaining = new byte[attestedCredentialData.remaining()];
    attestedCredentialData.get(remaining);
    ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(remaining);
    COSEKeyEnvelope coseKeyEnvelope = convertToCredentialPublicKey(byteArrayInputStream);
    COSEKey coseKey = coseKeyEnvelope.getCOSEKey();
    AttestedCredentialData result = new AttestedCredentialData(aaguid, credentialId, coseKey);
    // Bytes of the copy beyond coseKeyEnvelope.getLength() (presumably the encoded key size - TODO confirm)
    // are handed back by rewinding the buffer position by that amount.
    int extensionsBufferLength = remaining.length - coseKeyEnvelope.getLength();
    attestedCredentialData.position(attestedCredentialData.position() - extensionsBufferLength);
    return result;
}
 
Example #10
Source File: AggregatingMetadataItemsProvider.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
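/**
 * Merges the metadata items of all configured providers into one map.
 *
 * <p>A provider that throws a {@link RuntimeException} is logged and skipped, so the result can
 * lack that provider's entries; watch for the warning where the metadata feeds trust decisions.
 * When several providers return the same AAGUID their item sets are united instead of failing
 * with a duplicate-key {@link IllegalStateException}.
 *
 * @return {@link AAGUID} key {@link MetadataItem} {@link Set} value {@link Map}
 */
@SuppressWarnings("Duplicates")
@Override
public Map<AAGUID, Set<MetadataItem>> provide() {
    return metadataItemsProviders.stream()
            .flatMap(provider -> {
                try {
                    return provider.provide().entrySet().stream();
                } catch (RuntimeException e) {
                    logger.warn("Failed to load metadata from one of metadataItemsProviders", e);
                    // Stream.flatMap treats a null mapped stream as empty.
                    return null;
                }
            })
            .filter(Objects::nonNull)
            .collect(Collectors.toMap(
                    Map.Entry::getKey,
                    Map.Entry::getValue,
                    (first, second) -> {
                        // Copy before merging so no provider-owned set is modified.
                        Set<MetadataItem> merged = new java.util.HashSet<>(first);
                        merged.addAll(second);
                        return merged;
                    }));
}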
 
Example #11
Source File: AggregatingMetadataStatementsProviderTest.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * A provider that throws must be skipped while the entries of the healthy provider are still returned.
 */
@Test
void provide_with_one_of_provider_throws_exception_test() {
    // Failing provider.
    MetadataStatementsProvider failingProvider = mock(MetadataStatementsProvider.class);
    when(failingProvider.provide()).thenThrow(new RuntimeException("unexpected error"));

    // Healthy provider with a single AAGUID entry.
    MetadataStatementsProvider healthyProvider = mock(MetadataStatementsProvider.class);
    Map<AAGUID, Set<MetadataStatement>> healthyEntries = new HashMap<>();
    healthyEntries.put(new AAGUID("df495bdc-223a-429d-9f0e-ebfa29155812"), new HashSet<>());
    when(healthyProvider.provide()).thenReturn(healthyEntries);

    AggregatingMetadataStatementsProvider target =
            new AggregatingMetadataStatementsProvider(Arrays.asList(healthyProvider, failingProvider));

    // A second AAGUID instance is built on purpose so the assertion relies on equals().
    AAGUID expectedKey = new AAGUID("df495bdc-223a-429d-9f0e-ebfa29155812");
    assertThat(target.provide()).containsOnlyKeys(expectedKey);
}
 
Example #12
Source File: JsonFileResourceMetadataStatementsProviderTest.java    From webauthn4j-spring-security with Apache License 2.0 5 votes vote down vote up
/**
 * For the "fido2" protocol family the AAGUID of the statement itself must be returned.
 */
@Test
public void extractAAGUID_with_fido2_test() {
    MetadataStatement fido2Statement = mock(MetadataStatement.class);
    AAGUID expected = new AAGUID(UUID.randomUUID());
    when(fido2Statement.getAaguid()).thenReturn(expected);
    when(fido2Statement.getProtocolFamily()).thenReturn("fido2");

    AAGUID extracted = target.extractAAGUID(fido2Statement);

    assertThat(extracted).isEqualTo(expected);
}
 
Example #13
Source File: JsonFileResourceMetadataStatementsProvider.java    From webauthn4j-spring-security with Apache License 2.0 5 votes vote down vote up
/**
 * Picks the AAGUID under which a metadata statement is grouped, based on its protocol family.
 *
 * @param metadataStatement statement to classify
 * @return the statement's own AAGUID for "fido2", {@code AAGUID.ZERO} for "u2f",
 *         and {@code AAGUID.NULL} for "uaf" or any other family
 */
AAGUID extractAAGUID(MetadataStatement metadataStatement) {
    final String protocolFamily = metadataStatement.getProtocolFamily();
    final AAGUID groupingKey;
    switch (protocolFamily) {
        case "fido2":
            groupingKey = metadataStatement.getAaguid();
            break;
        case "u2f":
            groupingKey = AAGUID.ZERO;
            break;
        default:
            // Covers "uaf" as well as unknown families.
            groupingKey = AAGUID.NULL;
            break;
    }
    return groupingKey;
}
 
Example #14
Source File: MetadataStatementsTrustAnchorsProvider.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * Derives trust anchors from the attestation root certificates of the provided metadata statements.
 *
 * @return {@link AAGUID} key {@link TrustAnchor} {@link Set} value {@link Map}; each root certificate
 *         becomes an anchor without name constraints
 */
@Override
public Map<AAGUID, Set<TrustAnchor>> provide() {
    return metadataStatementsProvider.provide().entrySet().stream()
            .collect(Collectors.toMap(
                    Map.Entry::getKey,
                    entry -> entry.getValue().stream()
                            .map(statement -> statement.getAttestationRootCertificates())
                            .flatMap(rootCertificates -> rootCertificates.stream())
                            .map(rootCertificate -> new TrustAnchor(rootCertificate, null))
                            .collect(Collectors.toSet())
            ));
}
 
Example #15
Source File: AggregatingMetadataStatementsProvider.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
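/**
 * Merges the metadata statements of all configured providers into one map.
 *
 * <p>A provider that throws a {@link RuntimeException} is logged and skipped, so the result can
 * lack that provider's entries; watch for the warning where the metadata feeds trust decisions.
 * When several providers return the same AAGUID their statement sets are united instead of
 * failing with a duplicate-key {@link IllegalStateException}.
 *
 * @return {@link AAGUID} key {@link MetadataStatement} {@link Set} value {@link Map}
 */
@SuppressWarnings("Duplicates")
@Override
public Map<AAGUID, Set<MetadataStatement>> provide() {
    return metadataStatementsProviders.stream()
            .flatMap(provider -> {
                try {
                    return provider.provide().entrySet().stream();
                } catch (RuntimeException e) {
                    logger.warn("Failed to load metadata from one of metadataStatementsProviders", e);
                    // Stream.flatMap treats a null mapped stream as empty.
                    return null;
                }
            })
            .filter(Objects::nonNull)
            .collect(Collectors.toMap(
                    Map.Entry::getKey,
                    Map.Entry::getValue,
                    (first, second) -> {
                        // Copy before merging so no provider-owned set is modified.
                        Set<MetadataStatement> merged = new java.util.HashSet<>(first);
                        merged.addAll(second);
                        return merged;
                    }));
}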
 
Example #16
Source File: CertFileResourcesTrustAnchorsProvider.java    From webauthn4j-spring-security with Apache License 2.0 5 votes vote down vote up
/**
 * Loads one {@link TrustAnchor} per configured certificate {@link Resource}.
 *
 * @return a single-entry {@link Map} keyed by {@code AAGUID.NULL} holding the {@link Set} of loaded {@link TrustAnchor}s
 */
@Override
protected Map<AAGUID, Set<TrustAnchor>> loadTrustAnchors() {
    checkConfig();
    Set<TrustAnchor> anchors = certificates.stream()
            .map(certificate -> loadTrustAnchor(certificate))
            .collect(Collectors.toSet());
    return Collections.singletonMap(AAGUID.NULL, anchors);
}
 
Example #17
Source File: JsonFileResourceMetadataStatementsProvider.java    From webauthn4j-spring-security with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the metadata statements read from the configured JSON resources, grouped by AAGUID.
 *
 * <p>The result is built on the first call and reused afterwards.
 * NOTE(review): the lazy initialisation is not synchronised; concurrent first calls may each build the map.
 *
 * @return {@link AAGUID} key {@link MetadataStatement} {@link Set} value {@link Map}
 */
@Override
public Map<AAGUID, Set<MetadataStatement>> provide() {
    checkConfig();
    if (cachedMetadataItems != null) {
        return cachedMetadataItems;
    }
    // Group straight into sets; duplicates were already removed by distinct().
    cachedMetadataItems = resources.stream()
            .map(this::readJsonFile)
            .distinct()
            .collect(Collectors.groupingBy(this::extractAAGUID, Collectors.toSet()));
    return cachedMetadataItems;
}
 
Example #18
Source File: AttestationValidatorTest.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * A FIDO U2F attestation whose AAGUID is not the expected U2F value must be rejected.
 */
@Test
void validateAAGUID(@Mock(answer = Answers.RETURNS_DEEP_STUBS) AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
    // Attestation object in U2F format carrying an arbitrary AAGUID.
    AttestationObject u2fAttestationObject = mock(AttestationObject.class);
    when(u2fAttestationObject.getFormat()).thenReturn(FIDOU2FAttestationStatement.FORMAT);
    when(authenticatorData.getAttestedCredentialData().getAaguid()).thenReturn(new AAGUID("fea37a71-08ce-479f-bf4b-472a93e2d17d"));
    when(u2fAttestationObject.getAuthenticatorData()).thenReturn(authenticatorData);

    AttestationValidator validatorUnderTest = new AttestationValidator(
            Collections.singletonList(new FIDOU2FAttestationStatementValidator()),
            new NullCertPathTrustworthinessValidator(),
            new NullSelfAttestationTrustworthinessValidator());

    assertThrows(BadAaguidException.class, () -> validatorUnderTest.validateAAGUID(u2fAttestationObject));
}
 
Example #19
Source File: WebAuthnModelAuthenticator.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a model authenticator with default settings by delegating to the full constructor.
 *
 * <p>Defaults: {@code AAGUID.ZERO}, attestation keys and CA material loaded through
 * {@code TestAttestationUtil}, counter {@code 0}, user verification enabled, and a new
 * {@code ObjectConverter}.
 */
public WebAuthnModelAuthenticator() {
    this(
            AAGUID.ZERO,
            // Attestation key pair from the 3-tier test material.
            new KeyPair(
                    TestAttestationUtil.load3tierTestAuthenticatorAttestationPublicKey(),
                    TestAttestationUtil.load3tierTestAuthenticatorAttestationPrivateKey()),
            TestAttestationUtil.load3tierTestCACertificatePath(),
            TestAttestationUtil.load3tierTestIntermediateCAPrivateKey(),
            // Initial counter value.
            0,
            // Capable of user verification.
            true,
            new ObjectConverter()
    );
}
 
Example #20
Source File: AttestationValidator.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * Enforces the AAGUID rule for FIDO U2F attestation; other formats are not checked here.
 *
 * @param attestationObject attestation object to inspect
 * @throws BadAaguidException if the format is FIDO U2F and the AAGUID differs from {@code U2F_AAGUID}
 */
void validateAAGUID(AttestationObject attestationObject) {
    boolean isU2fFormat = attestationObject.getFormat().equals(FIDOU2FAttestationStatement.FORMAT);
    if (!isU2fFormat) {
        return;
    }

    AAGUID reported = attestationObject.getAuthenticatorData().getAttestedCredentialData().getAaguid();
    if (Objects.equals(reported, U2F_AAGUID)) {
        return;
    }
    throw new BadAaguidException("AAGUID is expected to be zero filled in U2F attestation, but it isn't.");
}
 
Example #21
Source File: TrustAnchorsResolverImplTest.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * Resolving the same AAGUID twice must yield equal trust anchor sets.
 */
@Test
void test() {
    TrustAnchorsResolverImpl resolver = new TrustAnchorsResolverImpl(new SampleTrustAnchorsProvider());

    Set<TrustAnchor> firstResolution = resolver.resolve(AAGUID.ZERO);
    Set<TrustAnchor> secondResolution = resolver.resolve(AAGUID.ZERO);

    assertThat(firstResolution).isEqualTo(secondResolution);
}
 
Example #22
Source File: MetadataItemsMetadataStatementsProvider.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * Exposes the metadata statements contained in the provided metadata items, keyed by the same AAGUIDs.
 *
 * @return {@link AAGUID} key {@link MetadataStatement} {@link Set} value {@link Map}
 */
@Override
public Map<AAGUID, Set<MetadataStatement>> provide() {
    return metadataItemsProvider.provide().entrySet().stream()
            .collect(Collectors.toMap(
                    Map.Entry::getKey,
                    entry -> {
                        // Unwrap each item to its statement; equal statements collapse in the set.
                        Set<MetadataStatement> statements = entry.getValue().stream()
                                .map(item -> item.getMetadataStatement())
                                .collect(Collectors.toSet());
                        return statements;
                    }
            ));
}
 
Example #23
Source File: PackedAttestationStatementValidator.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * Reads the AAGUID from the id-fido-gen-ce-aaguid extension of an attestation certificate.
 *
 * <p>The extension bytes are decoded as an OCTET STRING twice, and the inner value is converted
 * to an AAGUID.
 * NOTE(review): the length of the inner value is not checked here - confirm that
 * {@code UUIDUtil.fromBytes} rejects anything other than 16 bytes.
 *
 * @param certificate attestation certificate
 * @return the AAGUID from the extension, or the {@code AAGUID.NULL} instance when the extension is absent
 * @throws UncheckedIOException if the extension cannot be decoded
 */
AAGUID extractAAGUIDFromAttestationCertificate(X509Certificate certificate) {
    byte[] rawExtension = certificate.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
    if (rawExtension != null) {
        try {
            // Outer OCTET STRING: the extension value wrapper.
            Asn1OctetString outerOctets = new Asn1OctetString();
            outerOctets.decode(rawExtension);
            // Inner OCTET STRING: the AAGUID bytes.
            Asn1OctetString innerOctets = new Asn1OctetString();
            innerOctets.decode(outerOctets.getValue());
            return new AAGUID(UUIDUtil.fromBytes(innerOctets.getValue()));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
    return AAGUID.NULL;
}
 
Example #24
Source File: CertFileTrustAnchorsProviderTest.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * A provider configured with one certificate file must return anchors under the {@code AAGUID.NULL} key only.
 */
@Test
void provide_test() throws Exception {
    String certificateResource = "com/webauthn4j/anchor/CertFileTrustAnchorsProviderTest/test.crt";
    Path certificatePath = Paths.get(ClassLoader.getSystemResource(certificateResource).toURI());

    target = new CertFileTrustAnchorsProvider();
    target.setCertificates(Collections.singletonList(certificatePath));

    Map<AAGUID, Set<TrustAnchor>> provided = target.provide();
    assertThat(provided.keySet()).containsExactly(AAGUID.NULL);
    assertThat(provided).isNotEmpty();
}
 
Example #25
Source File: KeyStoreTrustAnchorsProvider.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * Turns every certificate of the configured {@link KeyStore} into a {@link TrustAnchor}.
 *
 * @return a single-entry {@link Map} keyed by {@code AAGUID.NULL} holding the {@link Set} of loaded {@link TrustAnchor}s
 * @throws KeyStoreException if the keystore cannot be read
 */
private Map<AAGUID, Set<TrustAnchor>> loadTrustAnchors() {
    checkConfig();
    KeyStore configuredKeyStore = getKeyStore();
    try {
        List<String> entryAliases = Collections.list(configuredKeyStore.aliases());
        Set<TrustAnchor> anchors = new HashSet<>();
        // NOTE(review): every alias becomes a trust anchor, so the keystore should contain
        // nothing but the attestation root certificates that are meant to be trusted.
        for (String entryAlias : entryAliases) {
            // Second argument null: no name constraints are attached to the anchor.
            anchors.add(new TrustAnchor((X509Certificate) configuredKeyStore.getCertificate(entryAlias), null));
        }
        return Collections.singletonMap(AAGUID.NULL, anchors);
    } catch (java.security.KeyStoreException e) {
        throw new KeyStoreException("Failed to load TrustAnchor from keystore", e);
    }
}
 
Example #26
Source File: KeyStoreFileTrustAnchorsProviderTest.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * A provider configured with the test keystore file must return anchors under the {@code AAGUID.NULL} key only.
 */
@Test
void provide_test() throws Exception {
    String keyStoreResource = "com/webauthn4j/anchor/KeyStoreFileTrustAnchorsProviderTest/test.jks";
    Path keyStorePath = Paths.get(ClassLoader.getSystemResource(keyStoreResource).toURI());

    target = new KeyStoreFileTrustAnchorsProvider();
    target.setKeyStore(keyStorePath);
    // Password of the bundled test keystore.
    target.setPassword("password");

    Map<AAGUID, Set<TrustAnchor>> provided = target.provide();
    assertThat(provided.keySet()).containsExactly(AAGUID.NULL);
    assertThat(provided).isNotEmpty();
}
 
Example #27
Source File: SampleTrustAnchorsProvider.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
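/**
 * Loads one {@link TrustAnchor} per configured classpath resource.
 *
 * <p>Each resource stream is closed once its certificate has been read.
 * NOTE(review): the map key is {@code null}, not {@code AAGUID.NULL} - confirm this is the key
 * the resolver in use looks up.
 *
 * @return a single-entry {@link Map} whose key is {@code null} and whose value is the {@link Set} of loaded {@link TrustAnchor}s
 */
@Override
protected Map<AAGUID, Set<TrustAnchor>> loadTrustAnchors() {
    Set<TrustAnchor> set = new HashSet<>();
    for (String classPath : classPaths) {
        // try-with-resources: the stream was previously left open for every resource.
        // A missing resource yields a null stream, which is passed on unchanged.
        try (InputStream inputStream = this.getClass().getClassLoader()
                .getResourceAsStream(classPath)) {
            TrustAnchor trustAnchor = new TrustAnchor(CertificateUtil.generateX509Certificate(inputStream), null);
            set.add(trustAnchor);
        } catch (java.io.IOException e) {
            // Only closing the stream can raise this.
            throw new java.io.UncheckedIOException("Failed to close certificate resource: " + classPath, e);
        }
    }
    return Collections.singletonMap(null, set);
}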
 
Example #28
Source File: CachingTrustAnchorsProviderBase.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
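/**
 * Loads {@link AAGUID} key {@link TrustAnchor} {@link Set} value {@link Map} and caches it.
 *
 * <p>The cache is checked again after the lock is taken, so threads that raced past the first
 * check do not reload the anchors or replace a map that was already published.
 * NOTE(review): for the unsynchronised first read to be safe, {@code cachedTrustAnchors}
 * should be {@code volatile} - its declaration is not visible here, confirm.
 *
 * @return {@link AAGUID} key {@link TrustAnchor} {@link Set} value {@link Map}
 */
@Override
public Map<AAGUID, Set<TrustAnchor>> provide() {
    Map<AAGUID, Set<TrustAnchor>> anchors = cachedTrustAnchors;
    if (anchors == null) {
        synchronized (this) {
            // Second check: another thread may have loaded the anchors while this one waited.
            anchors = cachedTrustAnchors;
            if (anchors == null) {
                anchors = loadTrustAnchors();
                cachedTrustAnchors = anchors;
            }
        }
    }
    return anchors;
}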
 
Example #29
Source File: KeyStoreTrustAnchorsProviderTest.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
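/**
 * A provider configured with an in-memory keystore must return a non-empty trust anchor map.
 */
@Test
void provide_test() throws Exception {
    target = new KeyStoreTrustAnchorsProvider();
    Path path = Paths.get(ClassLoader.getSystemResource("com/webauthn4j/anchor/KeyStoreFileTrustAnchorsProviderTest/test.jks").toURI());
    KeyStore keyStoreObject;
    // Close the file stream once the keystore is loaded; it was previously left open.
    try (InputStream inputStream = Files.newInputStream(path)) {
        keyStoreObject = loadKeyStoreFromStream(inputStream, "password");
    }
    target.setKeyStore(keyStoreObject);

    Map<AAGUID, Set<TrustAnchor>> trustAnchors = target.provide();
    assertThat(trustAnchors).isNotEmpty();
}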
 
Example #30
Source File: TrustAnchorsResolverImpl.java    From webauthn4j with Apache License 2.0 5 votes vote down vote up
/**
 * Collects the trust anchors that apply to the given AAGUID.
 *
 * <p>The result is the union of the anchors registered under {@code AAGUID.NULL} and those
 * registered under {@code aaguid}, so anchors stored under {@code AAGUID.NULL} are returned
 * for every AAGUID.
 *
 * @param aaguid AAGUID to resolve; must not be {@code null}
 * @return a new {@link Set} with the applicable {@link TrustAnchor}s, possibly empty
 */
@Override
public Set<TrustAnchor> resolve(AAGUID aaguid) {
    AssertUtil.notNull(aaguid, "aaguid must not be null");

    Map<AAGUID, Set<TrustAnchor>> anchorsByAaguid = trustAnchorsProvider.provide();

    // Start from the anchors shared by all AAGUIDs, then add the AAGUID-specific ones.
    Set<TrustAnchor> sharedAnchors = anchorsByAaguid.getOrDefault(AAGUID.NULL, Collections.emptySet());
    HashSet<TrustAnchor> resolved = new HashSet<>(sharedAnchors);
    Set<TrustAnchor> specificAnchors = anchorsByAaguid.getOrDefault(aaguid, Collections.emptySet());
    resolved.addAll(specificAnchors);
    return resolved;
}