Merge pull request #280 from Yubico/demo-fido-mds

emlun · web-flow · commit 17b7bb33a641 · 2023-05-10T19:54:59.000+02:00
Enable using FidoMetadataService in demo
diff --git a/webauthn-server-demo/.gitignore b/webauthn-server-demo/.gitignore
@@ -0,0 +1,3 @@
+# FidoMetadataDownloader cache files
+webauthn-server-demo-fido-mds-blob-cache.bin
+webauthn-server-demo-fido-mds-trust-root-cache.bin
diff --git a/webauthn-server-demo/README b/webauthn-server-demo/README
@@ -18,6 +18,12 @@ class which provides the REST API on top of it.
   $ ./gradlew run
   $ $BROWSER https://localhost:8443/
 
+Or to run with the https://fidoalliance.org/metadata/[FIDO Metadata Service] as
+a source of attestation metadata:
+
+  $ YUBICO_WEBAUTHN_USE_FIDO_MDS=true ./gradlew run
+  $ $BROWSER https://localhost:8443/
+
 
 == Architecture
 
@@ -150,3 +156,11 @@ correct environment.
     https://www.w3.org/TR/webauthn/#dom-publickeycredentialentity-name[RP name]
     the server will report. Example: `YUBICO_WEBAUTHN_RP_ID='Yubico Web
     Authentication demo'`
+
+  - `YUBICO_WEBAUTHN_USE_FIDO_MDS`: If set to `true` (case-insensitive), use
+    https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.4.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
+    from the link:../webauthn-server-attestation[`webauthn-server-attestation`]
+    module as a source of attestation data in addition to the static JSON file
+    bundled with the demo. This will write cache files to the
+    `webauthn-server-demo` project root directory; see the patterns in the
+    `.gitignore` file.
diff --git a/webauthn-server-demo/build.gradle.kts b/webauthn-server-demo/build.gradle.kts
@@ -55,6 +55,9 @@ dependencies {
 
 application {
   mainClass.set("demo.webauthn.EmbeddedServer")
+
+  // Required for processing CRL distribution points extension
+  applicationDefaultJvmArgs = listOf("-Dcom.sun.security.enableCRLDP=true")
 }
 
 for (task in listOf(tasks.installDist, tasks.distZip, tasks.distTar)) {
diff --git a/webauthn-server-demo/src/main/java/com/yubico/webauthn/attestation/YubicoJsonMetadataService.java b/webauthn-server-demo/src/main/java/com/yubico/webauthn/attestation/YubicoJsonMetadataService.java
@@ -31,8 +31,10 @@
 import com.yubico.internal.util.CertificateParser;
 import com.yubico.internal.util.CollectionUtil;
 import com.yubico.internal.util.OptionalUtil;
+import com.yubico.webauthn.RegistrationResult;
 import com.yubico.webauthn.attestation.matcher.ExtensionMatcher;
 import com.yubico.webauthn.data.ByteArray;
+import demo.webauthn.MetadataService;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
@@ -48,7 +50,7 @@
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
-public final class YubicoJsonMetadataService implements AttestationTrustSource {
+public final class YubicoJsonMetadataService implements AttestationTrustSource, MetadataService {
 
   private static final String SELECTORS = "selectors";
   private static final String SELECTOR_TYPE = "type";
@@ -90,43 +92,53 @@ public YubicoJsonMetadataService() {
         DEFAULT_DEVICE_MATCHERS);
   }
 
-  public Optional<Attestation> findMetadata(X509Certificate attestationCertificate) {
-    return metadataObjects.stream()
+  @Override
+  public Set<Object> findEntries(@NonNull RegistrationResult registrationResult) {
+    return registrationResult
+        .getAttestationTrustPath()
         .map(
-            metadata -> {
-              Map<String, String> vendorProperties;
-              Map<String, String> deviceProperties = null;
-              String identifier;
+            certs -> {
+              X509Certificate attestationCertificate = certs.get(0);
+              return metadataObjects.stream()
+                  .map(
+                      metadata -> {
+                        Map<String, String> vendorProperties;
+                        Map<String, String> deviceProperties = null;
+                        String identifier;
 
-              identifier = metadata.getIdentifier();
-              vendorProperties = Maps.filterValues(metadata.getVendorInfo(), Objects::nonNull);
-              for (JsonNode device : metadata.getDevices()) {
-                if (deviceMatches(device.get(SELECTORS), attestationCertificate)) {
-                  ImmutableMap.Builder<String, String> devicePropertiesBuilder =
-                      ImmutableMap.builder();
-                  for (Map.Entry<String, JsonNode> deviceEntry :
-                      Lists.newArrayList(device.fields())) {
-                    JsonNode value = deviceEntry.getValue();
-                    if (value.isTextual()) {
-                      devicePropertiesBuilder.put(deviceEntry.getKey(), value.asText());
-                    }
-                  }
-                  deviceProperties = devicePropertiesBuilder.build();
-                  break;
-                }
-              }
+                        identifier = metadata.getIdentifier();
+                        vendorProperties =
+                            Maps.filterValues(metadata.getVendorInfo(), Objects::nonNull);
+                        for (JsonNode device : metadata.getDevices()) {
+                          if (deviceMatches(device.get(SELECTORS), attestationCertificate)) {
+                            ImmutableMap.Builder<String, String> devicePropertiesBuilder =
+                                ImmutableMap.builder();
+                            for (Map.Entry<String, JsonNode> deviceEntry :
+                                Lists.newArrayList(device.fields())) {
+                              JsonNode value = deviceEntry.getValue();
+                              if (value.isTextual()) {
+                                devicePropertiesBuilder.put(deviceEntry.getKey(), value.asText());
+                              }
+                            }
+                            deviceProperties = devicePropertiesBuilder.build();
+                            break;
+                          }
+                        }
 
-              return Optional.ofNullable(deviceProperties)
-                  .map(
-                      deviceProps ->
-                          Attestation.builder()
-                              .metadataIdentifier(Optional.ofNullable(identifier))
-                              .vendorProperties(Optional.of(vendorProperties))
-                              .deviceProperties(deviceProps)
-                              .build());
+                        return Optional.ofNullable(deviceProperties)
+                            .map(
+                                deviceProps ->
+                                    Attestation.builder()
+                                        .metadataIdentifier(Optional.ofNullable(identifier))
+                                        .vendorProperties(Optional.of(vendorProperties))
+                                        .deviceProperties(deviceProps)
+                                        .build());
+                      })
+                  .flatMap(OptionalUtil::stream)
+                  .map(attestation -> (Object) attestation)
+                  .collect(Collectors.toSet());
             })
-        .flatMap(OptionalUtil::stream)
-        .findAny();
+        .orElseGet(Collections::emptySet);
   }
 
   private boolean deviceMatches(
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/CompositeMetadataService.java b/webauthn-server-demo/src/main/java/demo/webauthn/CompositeMetadataService.java
@@ -0,0 +1,46 @@
+package demo.webauthn;
+
+import com.yubico.webauthn.RegistrationResult;
+import com.yubico.webauthn.attestation.AttestationTrustSource;
+import com.yubico.webauthn.data.ByteArray;
+import java.security.cert.X509Certificate;
+import java.util.*;
+import lombok.NonNull;
+
+/**
+ * Combines several attestation metadata sources into one, which delegates to each sub-service in
+ * order until one returns a non-empty result.
+ */
+public class CompositeMetadataService implements AttestationTrustSource, MetadataService {
+
+  private final List<MetadataService> delegates;
+
+  public CompositeMetadataService(MetadataService... delegates) {
+    this.delegates = Collections.unmodifiableList(Arrays.asList(delegates));
+  }
+
+  @Override
+  public TrustRootsResult findTrustRoots(
+      List<X509Certificate> attestationCertificateChain, Optional<ByteArray> aaguid) {
+    for (MetadataService delegate : delegates) {
+      TrustRootsResult res = delegate.findTrustRoots(attestationCertificateChain, aaguid);
+      if (!res.getTrustRoots().isEmpty()) {
+        return res;
+      }
+    }
+
+    return TrustRootsResult.builder().trustRoots(Collections.emptySet()).build();
+  }
+
+  @Override
+  public Set<Object> findEntries(@NonNull RegistrationResult registrationResult) {
+    for (MetadataService delegate : delegates) {
+      Set<Object> res = delegate.findEntries(registrationResult);
+      if (!res.isEmpty()) {
+        return res;
+      }
+    }
+
+    return Collections.emptySet();
+  }
+}
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/Config.java b/webauthn-server-demo/src/main/java/demo/webauthn/Config.java
@@ -78,6 +78,10 @@ public static RelyingPartyIdentity getRpIdentity() {
     return getInstance().rpIdentity;
   }
 
+  public static boolean useFidoMds() {
+    return "true".equalsIgnoreCase(System.getenv("YUBICO_WEBAUTHN_USE_FIDO_MDS"));
+  }
+
   private static Set<String> computeOrigins() {
     final String origins = System.getenv("YUBICO_WEBAUTHN_ALLOWED_ORIGINS");
 
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/FidoMetadataServiceAdapter.java b/webauthn-server-demo/src/main/java/demo/webauthn/FidoMetadataServiceAdapter.java
@@ -0,0 +1,30 @@
+package demo.webauthn;
+
+import com.yubico.fido.metadata.FidoMetadataService;
+import com.yubico.webauthn.RegistrationResult;
+import com.yubico.webauthn.data.ByteArray;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import lombok.AllArgsConstructor;
+import lombok.NonNull;
+
+@AllArgsConstructor
+public class FidoMetadataServiceAdapter implements MetadataService {
+  private final FidoMetadataService fido;
+
+  @Override
+  public TrustRootsResult findTrustRoots(
+      List<X509Certificate> attestationCertificateChain, Optional<ByteArray> aaguid) {
+    return fido.findTrustRoots(attestationCertificateChain, aaguid);
+  }
+
+  @Override
+  public Set<Object> findEntries(@NonNull RegistrationResult registrationResult) {
+    return fido.findEntries(registrationResult).stream()
+        .map(metadataBLOBPayloadEntry -> (Object) metadataBLOBPayloadEntry)
+        .collect(Collectors.toSet());
+  }
+}
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/MetadataService.java b/webauthn-server-demo/src/main/java/demo/webauthn/MetadataService.java
@@ -0,0 +1,10 @@
+package demo.webauthn;
+
+import com.yubico.webauthn.RegistrationResult;
+import com.yubico.webauthn.attestation.AttestationTrustSource;
+import java.util.Set;
+import lombok.NonNull;
+
+public interface MetadataService extends AttestationTrustSource {
+  Set<Object> findEntries(@NonNull RegistrationResult registrationResult);
+}
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/data/CredentialRegistration.java b/webauthn-server-demo/src/main/java/demo/webauthn/data/CredentialRegistration.java
diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# FidoMetadataDownloader cache files`
	`2`	`+webauthn-server-demo-fido-mds-blob-cache.bin`
	`3`	`+webauthn-server-demo-fido-mds-trust-root-cache.bin`
Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,9 @@ dependencies {`
`55`	`55`
`56`	`56`	`application {`
`57`	`57`	`mainClass.set("demo.webauthn.EmbeddedServer")`
	`58`	`+`
	`59`	`+ // Required for processing CRL distribution points extension`
	`60`	`+ applicationDefaultJvmArgs = listOf("-Dcom.sun.security.enableCRLDP=true")`
`58`	`61`	`}`
`59`	`62`
`60`	`63`	`for (task in listOf(tasks.installDist, tasks.distZip, tasks.distTar)) {`
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,10 @@ public static RelyingPartyIdentity getRpIdentity() {`
`78`	`78`	`return getInstance().rpIdentity;`
`79`	`79`	`}`
`80`	`80`
	`81`	`+ public static boolean useFidoMds() {`
	`82`	`+ return "true".equalsIgnoreCase(System.getenv("YUBICO_WEBAUTHN_USE_FIDO_MDS"));`
	`83`	`+ }`
	`84`	`+`
`81`	`85`	`private static Set<String> computeOrigins() {`
`82`	`86`	`final String origins = System.getenv("YUBICO_WEBAUTHN_ALLOWED_ORIGINS");`
`83`	`87`