Add policy tree validator setting

Author: emlun

NEWS

@@ -9,6 +9,11 @@ New features:
 
 * Added support for the `"tpm"` attestation statement format.
 * Added support for ES384 and ES512 signature algorithms.
+* Added property `policyTreeValidator` to `TrustRootsResult`. If set, the given
+  predicate function will be used to validate the certificate policy tree after
+  successful attestation certificate path validation. This may be required for
+  some JCA providers to accept attestation certificates with critical
+  certificate policy extensions.
 
 Fixes:
 

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java

@@ -50,6 +50,7 @@
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.PKIXCertPathValidatorResult;
 import java.security.cert.PKIXParameters;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
@@ -536,10 +537,25 @@ public boolean attestationTrusted() {
             pathParams.setDate(Date.from(clock.instant()));
             pathParams.setRevocationEnabled(trustRoots.get().isEnableRevocationChecking());
             pathParams.setPolicyQualifiersRejected(
-                false); // TODO: Add parameter to configure policy qualifier processor
+                !trustRoots.get().getPolicyTreeValidator().isPresent());
             trustRoots.get().getCertStore().ifPresent(pathParams::addCertStore);
-            cpv.validate(certPath, pathParams);
-            return true;
+            final PKIXCertPathValidatorResult result =
+                (PKIXCertPathValidatorResult) cpv.validate(certPath, pathParams);
+            return trustRoots
+                .get()
+                .getPolicyTreeValidator()
+                .map(
+                    policyNodePredicate -> {
+                      if (policyNodePredicate.test(result.getPolicyTree())) {
+                        return true;
+                      } else {
+                        log.info(
+                            "Failed to derive trust in attestation statement: Certificate path policy tree does not satisfy policy tree validator. Attestation object: {}",
+                            response.getResponse().getAttestationObject());
+                        return false;
+                      }
+                    })
+                .orElse(true);
           }
 
         } catch (CertPathValidatorException e) {

webauthn-server-core/src/main/java/com/yubico/webauthn/attestation/AttestationTrustSource.java

@@ -27,10 +27,12 @@
 import com.yubico.internal.util.CollectionUtil;
 import com.yubico.webauthn.data.ByteArray;
 import java.security.cert.CertStore;
+import java.security.cert.PolicyNode;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
+import java.util.function.Predicate;
 import lombok.Builder;
 import lombok.NonNull;
 import lombok.Value;
@@ -60,11 +62,21 @@ TrustRootsResult findTrustRoots(
       List<X509Certificate> attestationCertificateChain, Optional<ByteArray> aaguid);
 
   /**
-   * A result of looking up attestation trust roots for a particular attestation statement. This
-   * primarily consists of a set of trust root certificates, but may also include a {@link
-   * CertStore} of additional CRLs and/or intermediate certificate to use during certificate path
-   * validation, and may also disable certificate revocation checking for the relevant attestation
-   * statement.
+   * A result of looking up attestation trust roots for a particular attestation statement.
+   *
+   * <p>This primarily consists of a set of trust root certificates - see {@link
+   * TrustRootsResultBuilder#trustRoots(Set) trustRoots(Set)} - but may also:
+   *
+   * <ul>
+   *   <li>include a {@link CertStore} of additional CRLs and/or intermediate certificates to use
+   *       during certificate path validation - see {@link
+   *       TrustRootsResultBuilder#certStore(CertStore) certStore(CertStore)};
+   *   <li>disable certificate revocation checking for the relevant attestation statement - see
+   *       {@link TrustRootsResultBuilder#enableRevocationChecking(boolean)
+   *       enableRevocationChecking(boolean)}; and/or
+   *   <li>define a policy tree validator for the PKIX policy tree result - see {@link
+   *       TrustRootsResultBuilder#policyTreeValidator(Predicate) policyTreeValidator(Predicate)}.
+   * </ul>
    */
   @Value
   @Builder(toBuilder = true)
@@ -97,19 +109,47 @@ class TrustRootsResult {
      */
     @Builder.Default private final boolean enableRevocationChecking = true;
 
+    /**
+     * If non-null, the PolicyQualifiersRejected flag will be set to false during certificate path
+     * validation. See {@link
+     * java.security.cert.PKIXParameters#setPolicyQualifiersRejected(boolean)}.
+     *
+     * <p>The given {@link Predicate} will be used to validate the policy tree. The {@link
+     * Predicate} should return <code>true</code> if the policy tree is acceptable, and <code>false
+     * </code> otherwise.
+     *
+     * <p>This may be required if any certificate in the certificate path contains a certificate
+     * policies extension marked critical. If this is not set, then such a certificate will be
+     * rejected by the certificate path validator.
+     *
+     * <p>Consult the <a
+     * href="https://docs.oracle.com/en/java/javase/17/security/java-pki-programmers-guide.html#GUID-3AD41382-E729-469B-83EE-CB2FE66D71D8">Java
+     * PKI Programmer's Guide</a> for how to use the {@link PolicyNode} argument of the {@link
+     * Predicate}.
+     *
+     * <p>The default is <code>null</code>.
+     */
+    @Builder.Default private final Predicate<PolicyNode> policyTreeValidator = null;
+
     private TrustRootsResult(
         @NonNull Set<X509Certificate> trustRoots,
         CertStore certStore,
-        boolean enableRevocationChecking) {
+        boolean enableRevocationChecking,
+        Predicate<PolicyNode> policyTreeValidator) {
       this.trustRoots = CollectionUtil.immutableSet(trustRoots);
       this.certStore = certStore;
       this.enableRevocationChecking = enableRevocationChecking;
+      this.policyTreeValidator = policyTreeValidator;
     }
 
     public Optional<CertStore> getCertStore() {
       return Optional.ofNullable(certStore);
     }
 
+    public Optional<Predicate<PolicyNode>> getPolicyTreeValidator() {
+      return Optional.ofNullable(policyTreeValidator);
+    }
+
     public static TrustRootsResultBuilder.Step1 builder() {
       return new TrustRootsResultBuilder.Step1();
     }

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -81,6 +81,7 @@ import org.bouncycastle.asn1.x509.Extension
 import org.bouncycastle.asn1.x509.GeneralName
 import org.bouncycastle.asn1.x509.GeneralNamesBuilder
 import org.bouncycastle.cert.jcajce.JcaX500NameUtil
+import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.junit.runner.RunWith
 import org.mockito.Mockito
 import org.scalacheck.Arbitrary.arbitrary
@@ -98,10 +99,12 @@ import java.security.KeyFactory
 import java.security.KeyPair
 import java.security.MessageDigest
 import java.security.PrivateKey
+import java.security.Security
 import java.security.SignatureException
 import java.security.cert.CRL
 import java.security.cert.CertStore
 import java.security.cert.CollectionCertStoreParameters
+import java.security.cert.PolicyNode
 import java.security.cert.X509Certificate
 import java.security.interfaces.ECPublicKey
 import java.security.interfaces.RSAPublicKey
@@ -111,6 +114,7 @@ import java.time.ZoneOffset
 import java.util
 import java.util.Collections
 import java.util.Optional
+import java.util.function.Predicate
 import javax.security.auth.x500.X500Principal
 import scala.jdk.CollectionConverters._
 import scala.jdk.OptionConverters.RichOption
@@ -193,6 +197,7 @@ class RelyingPartyRegistrationSpec
       trustedCert: X509Certificate,
       crls: Option[Set[CRL]] = None,
       enableRevocationChecking: Boolean = true,
+      policyTreeValidator: Option[Predicate[PolicyNode]] = None,
   ): AttestationTrustSource =
     (_: util.List[X509Certificate], _: Optional[ByteArray]) => {
       TrustRootsResult
@@ -209,6 +214,7 @@ class RelyingPartyRegistrationSpec
             .orNull
         )
         .enableRevocationChecking(enableRevocationChecking)
+        .policyTreeValidator(policyTreeValidator.orNull)
         .build()
     }
 
@@ -2088,6 +2094,7 @@ class RelyingPartyRegistrationSpec
                     trustSourceWith(
                       testData.attestationRootCertificate.get,
                       enableRevocationChecking = false,
+                      policyTreeValidator = Some(_ => true),
                     )
                   ),
                 )
@@ -3364,6 +3371,7 @@ class RelyingPartyRegistrationSpec
                 trustedRootCert: Option[X509Certificate] = None,
                 enableRevocationChecking: Boolean = true,
                 origins: Option[Set[String]] = None,
+                policyTreeValidator: Option[Predicate[PolicyNode]] = None,
             ): Unit = {
               it("is rejected if untrusted attestation is not allowed and the trust source does not trust it.") {
                 val steps = finishRegistration(
@@ -3418,6 +3426,7 @@ class RelyingPartyRegistrationSpec
                               )
                           }),
                         enableRevocationChecking = enableRevocationChecking,
+                        policyTreeValidator = policyTreeValidator,
                       )
                     )
                 val steps = finishRegistration(
@@ -3469,6 +3478,7 @@ class RelyingPartyRegistrationSpec
                         .trustRoots(Collections.emptySet())
                         .certStore(certStore)
                         .enableRevocationChecking(enableRevocationChecking)
+                        .policyTreeValidator(policyTreeValidator.orNull)
                         .build()
                   }
                   val steps = finishRegistration(
@@ -3497,6 +3507,7 @@ class RelyingPartyRegistrationSpec
                         .trustRoots(Collections.singleton(rootCert))
                         .certStore(certStore)
                         .enableRevocationChecking(enableRevocationChecking)
+                        .policyTreeValidator(policyTreeValidator.orNull)
                         .build()
                   }
                   val steps = finishRegistration(
@@ -3573,8 +3584,67 @@ class RelyingPartyRegistrationSpec
                 origins = Some(Set(testData.clientData.getOrigin)),
                 trustedRootCert = Some(testData.attestationRootCertificate.get),
                 enableRevocationChecking = false,
+                policyTreeValidator = Some(_ => true),
               )
             }
+
+            describe("Critical certificate policy extensions") {
+              def init(
+                  policyTreeValidator: Option[Predicate[PolicyNode]]
+              ): FinishRegistrationSteps#Step21 = {
+                val testData = RegistrationTestData.Tpm.RealExample
+                val clock = Clock.fixed(
+                  Instant.parse("2022-08-25T16:00:00Z"),
+                  ZoneOffset.UTC,
+                )
+                val steps = finishRegistration(
+                  allowUntrustedAttestation = false,
+                  origins = Some(Set(testData.clientData.getOrigin)),
+                  testData = testData,
+                  attestationTrustSource = Some(
+                    trustSourceWith(
+                      testData.attestationRootCertificate.get,
+                      enableRevocationChecking = false,
+                      policyTreeValidator = policyTreeValidator,
+                    )
+                  ),
+                  clock = clock,
+                )
+
+                steps.begin.next.next.next.next.next.next.next.next.next.next.next.next.next.next
+              }
+
+              it("are rejected if no policy tree validator is set.") {
+                // BouncyCastle provider does not reject critical policy extensions
+                // TODO Mark test as ignored instead of just skipping (assume() and cancel() currently break pitest)
+                if (
+                  !Security.getProviders
+                    .exists(p => p.isInstanceOf[BouncyCastleProvider])
+                ) {
+                  val step = init(policyTreeValidator = None)
+
+                  step.validations shouldBe a[Failure[_]]
+                  step.attestationTrusted should be(false)
+                  step.tryNext shouldBe a[Failure[_]]
+                }
+              }
+
+              it("are accepted if a policy tree validator is set and accepts the policy tree.") {
+                val step = init(policyTreeValidator = Some(_ => true))
+
+                step.validations shouldBe a[Success[_]]
+                step.attestationTrusted should be(true)
+                step.tryNext shouldBe a[Success[_]]
+              }
+
+              it("are rejected if a policy tree validator is set and does not accept the policy tree.") {
+                val step = init(policyTreeValidator = Some(_ => false))
+
+                step.validations shouldBe a[Failure[_]]
+                step.attestationTrusted should be(false)
+                step.tryNext shouldBe a[Failure[_]]
+              }
+            }
           }
         }
 
@@ -4413,6 +4483,7 @@ class RelyingPartyRegistrationSpec
               trustSourceWith(
                 testData.attestationRootCertificate.get,
                 enableRevocationChecking = false,
+                policyTreeValidator = Some(_ => true),
               )
             ),
             credentialRepository = Helpers.CredentialRepository.empty,