Omit zero AAGUIDs from runtime filter argument

emlun · emlun · commit 23846c1e671e · 2022-09-14T18:42:08.000+02:00
diff --git a/NEWS b/NEWS
@@ -39,6 +39,11 @@ Fixes:
 
 `webauthn-server-attestation`:
 
+Changes:
+
+* The `AuthenticatorToBeFiltered` argument of the `FidoMetadataService` runtime
+  filter now omits zero AAGUIDs.
+
 Fixes:
 
 * Fixed various typos and mistakes in JavaDocs.
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java
@@ -432,6 +432,9 @@ public static class AuthenticatorToBeFiltered {
        * The AAGUID from the <a
        * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-attested-credential-data">attested
        * credential data</a> of a credential about ot be registered.
+       *
+       * <p>This will not be present if the attested credential data contained an AAGUID of all
+       * zeroes.
        */
       public Optional<AAGUID> getAaguid() {
         return Optional.ofNullable(aaguid);
@@ -522,7 +525,7 @@ public Set<MetadataBLOBPayloadEntry> findEntries(
                         new AuthenticatorToBeFiltered(
                             attestationCertificateChain,
                             metadataBLOBPayloadEntry,
-                            aaguid.orElse(null))))
+                            nonzeroAaguid.orElse(null))))
             .collect(Collectors.toSet());
 
     log.debug(
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala
@@ -5,6 +5,7 @@ import com.fasterxml.jackson.databind.node.ArrayNode
 import com.fasterxml.jackson.databind.node.JsonNodeFactory
 import com.fasterxml.jackson.databind.node.ObjectNode
 import com.fasterxml.jackson.databind.node.TextNode
+import com.yubico.fido.metadata.FidoMetadataService.Filters.AuthenticatorToBeFiltered
 import com.yubico.internal.util.CertificateParser
 import com.yubico.webauthn.FinishRegistrationOptions
 import com.yubico.webauthn.RegistrationResult
@@ -204,8 +205,11 @@ class FidoMds3Spec extends AnyFunSpec with Matchers {
         def makeMds(
             blobTuple: (String, X509Certificate, java.util.Set[CRL]),
             attestationCrls: Set[CRL] = Set.empty,
-        )(prefilter: MetadataBLOBPayloadEntry => Boolean): FidoMetadataService =
-          FidoMetadataService
+        )(
+            prefilter: MetadataBLOBPayloadEntry => Boolean,
+            filter: Option[AuthenticatorToBeFiltered => Boolean] = None,
+        ): FidoMetadataService = {
+          val builder = FidoMetadataService
             .builder()
             .useBlob(makeDownloader(blobTuple).loadCachedBlob())
             .prefilter(prefilter.asJava)
@@ -215,7 +219,9 @@ class FidoMds3Spec extends AnyFunSpec with Matchers {
                 new CollectionCertStoreParameters(attestationCrls.asJava),
               )
             )
-            .build()
+          filter.foreach(f => builder.filter(f.asJava))
+          builder.build()
+        }
 
         val blobTuple = makeBlob(s"""{
           "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
@@ -405,6 +411,66 @@ class FidoMds3Spec extends AnyFunSpec with Matchers {
             _.getAaguid.toScala.contains(aaguidB)
           ).isAttestationTrusted should be(false)
         }
+
+        describe("Zero AAGUIDs") {
+          val zeroAaguid =
+            new AAGUID(ByteArray.fromHex("00000000000000000000000000000000"))
+
+          it("are not used to find metadata entries.") {
+            aaguidA should not equal zeroAaguid
+
+            val blobTuple = makeBlob(s"""{
+              "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+              "nextUpdate" : "2022-12-01",
+              "no" : 0,
+              "entries": [
+                ${makeEntry(aaguid = Some(aaguidA))},
+                ${makeEntry(aaguid = Some(zeroAaguid))}
+              ]
+            }""")
+            var filterRan = false
+            val mds = makeMds(blobTuple)(
+              _ => true,
+              filter = Some({ _ =>
+                filterRan = true
+                true
+              }),
+            )
+
+            mds.findEntries(zeroAaguid) shouldBe empty
+            filterRan should be(false)
+          }
+
+          it("are omitted in the argument to the runtime filter.") {
+            aaguidA should not equal zeroAaguid
+
+            val (cert, _) = TestAuthenticator.generateAttestationCertificate()
+            val acki: String = new ByteArray(
+              CertificateParser.computeSubjectKeyIdentifier(cert)
+            ).getHex
+            val blobTuple = makeBlob(s"""{
+              "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+              "nextUpdate" : "2022-12-01",
+              "no" : 0,
+              "entries": [
+                ${makeEntry(acki = Some(Set(acki)), aaguid = Some(aaguidA))}
+              ]
+            }""")
+            var filterRan = false
+            val mds = makeMds(blobTuple)(
+              _ => true,
+              filter = Some({ authenticatorToBeFiltered =>
+                filterRan = true
+                authenticatorToBeFiltered.getAaguid.toScala should be(None)
+                true
+              }),
+            )
+
+            mds.findEntries(List(cert).asJava, zeroAaguid).size should be(1)
+            filterRan should be(true)
+          }
+        }
+
       }
 
       describe("2.1. Check whether the status report of the authenticator model has changed compared to the cached entry by looking at the fields timeOfLastStatusChange and statusReport.") {
