Yubico
diff --git a/‎NEWS
Lines changed: 7 additions & 0 deletions b/‎NEWS
Lines changed: 7 additions & 0 deletions
diff --git a/‎webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala
Lines changed: 1 addition & 1 deletion b/‎webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala
Lines changed: 1 addition & 1 deletion
diff --git a/‎webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java
Lines changed: 9 additions & 0 deletions b/‎webauthn-server-core/src/main/java/com/yubico/webauthn/Crypto.java
Lines changed: 9 additions & 0 deletions
diff --git a/‎webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java
Lines changed: 22 additions & 5 deletions b/‎webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java
Lines changed: 22 additions & 5 deletions
diff --git a/‎webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java
Lines changed: 7 additions & 1 deletion b/‎webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java
Lines changed: 7 additions & 1 deletion
@@ -17,6 +17,13 @@ New features:
 * Added method `FidoMetadataDownloader.refreshBlob()`.
 * Added function `COSEAlgorithmIdentifier.fromPublicKey(ByteArray)`.
 * Added method `AssertionResult.getCredential(): RegisteredCredential`.
+* Added support for the `"tpm"` attestation statement format.
+* Added support for ES384 and ES512 signature algorithms.
+* Added property `policyTreeValidator` to `TrustRootsResult`. If set, the given
+  predicate function will be used to validate the certificate policy tree after
+  successful attestation certificate path validation. This may be required for
+  some JCA providers to accept attestation certificates with critical
+  certificate policy extensions.
 
 Fixes:
 
 
@@ -312,7 +312,7 @@ class FidoMds3Spec extends AnyFunSpec with Matchers {
               attestationMaker = AttestationMaker.packed(
                 AttestationSigner.ca(
                   COSEAlgorithmIdentifier.ES256,
-                  aaguid = aaguidA.asBytes,
+                  aaguid = Some(aaguidA.asBytes),
                   validFrom = CertValidFrom,
                   validTo = CertValidTo,
                 )
 
@@ -96,9 +96,18 @@ public static boolean verifySignature(
 
   public static ByteArray sha256(ByteArray bytes) {
     //noinspection UnstableApiUsage
+    // TODO remove noinspection
     return new ByteArray(Hashing.sha256().hashBytes(bytes.getBytes()).asBytes());
   }
 
+  public static ByteArray sha384(ByteArray bytes) {
+    return new ByteArray(Hashing.sha384().hashBytes(bytes.getBytes()).asBytes());
+  }
+
+  public static ByteArray sha512(ByteArray bytes) {
+    return new ByteArray(Hashing.sha512().hashBytes(bytes.getBytes()).asBytes());
+  }
+
   public static ByteArray sha256(String str) {
     return sha256(new ByteArray(str.getBytes(StandardCharsets.UTF_8)));
   }
 
@@ -50,6 +50,7 @@
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.PKIXCertPathValidatorResult;
 import java.security.cert.PKIXParameters;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
@@ -373,6 +374,8 @@ public Optional<AttestationStatementVerifier> attestationStatementVerifier() {
           return Optional.of(new AndroidSafetynetAttestationStatementVerifier());
         case "apple":
           return Optional.of(new AppleAttestationStatementVerifier());
+        case "tpm":
+          return Optional.of(new TpmAttestationStatementVerifier());
         default:
           return Optional.empty();
       }
@@ -411,9 +414,6 @@ public AttestationType attestationType() {
             case "android-key":
               // TODO delete this once android-key attestation verification is implemented
               return AttestationType.BASIC;
-            case "tpm":
-              // TODO delete this once tpm attestation verification is implemented
-              return AttestationType.ATTESTATION_CA;
             default:
               return AttestationType.UNKNOWN;
           }
@@ -536,9 +536,26 @@ public boolean attestationTrusted() {
                         .collect(Collectors.toSet()));
             pathParams.setDate(Date.from(clock.instant()));
             pathParams.setRevocationEnabled(trustRoots.get().isEnableRevocationChecking());
+            pathParams.setPolicyQualifiersRejected(
+                !trustRoots.get().getPolicyTreeValidator().isPresent());
             trustRoots.get().getCertStore().ifPresent(pathParams::addCertStore);
-            cpv.validate(certPath, pathParams);
-            return true;
+            final PKIXCertPathValidatorResult result =
+                (PKIXCertPathValidatorResult) cpv.validate(certPath, pathParams);
+            return trustRoots
+                .get()
+                .getPolicyTreeValidator()
+                .map(
+                    policyNodePredicate -> {
+                      if (policyNodePredicate.test(result.getPolicyTree())) {
+                        return true;
+                      } else {
+                        log.info(
+                            "Failed to derive trust in attestation statement: Certificate path policy tree does not satisfy policy tree validator. Attestation object: {}",
+                            response.getResponse().getAttestationObject());
+                        return false;
+                      }
+                    })
+                .orElse(true);
           }
 
         } catch (CertPathValidatorException e) {
 
@@ -210,11 +210,13 @@ public class RelyingParty {
    * <p>This is a list of acceptable public key algorithms and their parameters, ordered from most
    * to least preferred.
    *
-   * <p>The default is the following list:
+   * <p>The default is the following list, in order:
    *
    * <ol>
    *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES256}
    *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#EdDSA EdDSA}
+   *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES384}
+   *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#ES256 ES512}
    *   <li>{@link com.yubico.webauthn.data.PublicKeyCredentialParameters#RS256 RS256}
    * </ol>
    *
@@ -228,6 +230,8 @@ public class RelyingParty {
           Arrays.asList(
               PublicKeyCredentialParameters.ES256,
               PublicKeyCredentialParameters.EdDSA,
+              PublicKeyCredentialParameters.ES384,
+              PublicKeyCredentialParameters.ES512,
               PublicKeyCredentialParameters.RS256));
 
   /**
@@ -417,6 +421,8 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
                         break;
 
                       case ES256:
+                      case ES384:
+                      case ES512:
                         KeyFactory.getInstance("EC");
                         break;
Original file line number	Diff line number	Diff line change
`@@ -312,7 +312,7 @@ class FidoMds3Spec extends AnyFunSpec with Matchers {`
`312`	`312`	`attestationMaker = AttestationMaker.packed(`
`313`	`313`	`AttestationSigner.ca(`
`314`	`314`	`COSEAlgorithmIdentifier.ES256,`
`315`		`- aaguid = aaguidA.asBytes,`
	`315`	`+ aaguid = Some(aaguidA.asBytes),`
`316`	`316`	`validFrom = CertValidFrom,`
`317`	`317`	`validTo = CertValidTo,`
`318`	`318`	`)`