Enable using FidoMetadataService in demo

Author: emlun

webauthn-server-demo/.gitignore

@@ -0,0 +1,3 @@
+# FidoMetadataDownloader cache files
+webauthn-server-demo-fido-mds-blob-cache.bin
+webauthn-server-demo-fido-mds-trust-root-cache.bin

webauthn-server-demo/README

@@ -18,6 +18,12 @@ class which provides the REST API on top of it.
   $ ./gradlew run
   $ $BROWSER https://localhost:8443/
 
+Or to run with the https://fidoalliance.org/metadata/[FIDO Metadata Service] as
+a source of attestation metadata:
+
+  $ YUBICO_WEBAUTHN_USE_FIDO_MDS=true ./gradlew run
+  $ $BROWSER https://localhost:8443/
+
 
 == Architecture
 
@@ -150,3 +156,11 @@ correct environment.
     https://www.w3.org/TR/webauthn/#dom-publickeycredentialentity-name[RP name]
     the server will report. Example: `YUBICO_WEBAUTHN_RP_ID='Yubico Web
     Authentication demo'`
+
+  - `YUBICO_WEBAUTHN_USE_FIDO_MDS`: If set to `true` (case-insensitive), use
+    https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.4.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
+    from the link:../webauthn-server-attestation[`webauthn-server-attestation`]
+    module as a source of attestation data in addition to the static JSON file
+    bundled with the demo. This will write cache files to the
+    `webauthn-server-demo` project root directory; see the patterns in the
+    `.gitignore` file.

webauthn-server-demo/build.gradle.kts

@@ -55,6 +55,9 @@ dependencies {
 
 application {
   mainClass.set("demo.webauthn.EmbeddedServer")
+
+  // Required for processing CRL distribution points extension
+  applicationDefaultJvmArgs = listOf("-Dcom.sun.security.enableCRLDP=true")
 }
 
 for (task in listOf(tasks.installDist, tasks.distZip, tasks.distTar)) {

webauthn-server-demo/src/main/java/com/yubico/webauthn/attestation/YubicoJsonMetadataService.java

@@ -31,8 +31,10 @@
 import com.yubico.internal.util.CertificateParser;
 import com.yubico.internal.util.CollectionUtil;
 import com.yubico.internal.util.OptionalUtil;
+import com.yubico.webauthn.RegistrationResult;
 import com.yubico.webauthn.attestation.matcher.ExtensionMatcher;
 import com.yubico.webauthn.data.ByteArray;
+import demo.webauthn.MetadataService;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
@@ -48,7 +50,7 @@
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
-public final class YubicoJsonMetadataService implements AttestationTrustSource {
+public final class YubicoJsonMetadataService implements AttestationTrustSource, MetadataService {
 
   private static final String SELECTORS = "selectors";
   private static final String SELECTOR_TYPE = "type";
@@ -90,43 +92,53 @@ public YubicoJsonMetadataService() {
         DEFAULT_DEVICE_MATCHERS);
   }
 
-  public Optional<Attestation> findMetadata(X509Certificate attestationCertificate) {
-    return metadataObjects.stream()
+  @Override
+  public Set<Object> findEntries(@NonNull RegistrationResult registrationResult) {
+    return registrationResult
+        .getAttestationTrustPath()
         .map(
-            metadata -> {
-              Map<String, String> vendorProperties;
-              Map<String, String> deviceProperties = null;
-              String identifier;
+            certs -> {
+              X509Certificate attestationCertificate = certs.get(0);
+              return metadataObjects.stream()
+                  .map(
+                      metadata -> {
+                        Map<String, String> vendorProperties;
+                        Map<String, String> deviceProperties = null;
+                        String identifier;
 
-              identifier = metadata.getIdentifier();
-              vendorProperties = Maps.filterValues(metadata.getVendorInfo(), Objects::nonNull);
-              for (JsonNode device : metadata.getDevices()) {
-                if (deviceMatches(device.get(SELECTORS), attestationCertificate)) {
-                  ImmutableMap.Builder<String, String> devicePropertiesBuilder =
-                      ImmutableMap.builder();
-                  for (Map.Entry<String, JsonNode> deviceEntry :
-                      Lists.newArrayList(device.fields())) {
-                    JsonNode value = deviceEntry.getValue();
-                    if (value.isTextual()) {
-                      devicePropertiesBuilder.put(deviceEntry.getKey(), value.asText());
-                    }
-                  }
-                  deviceProperties = devicePropertiesBuilder.build();
-                  break;
-                }
-              }
+                        identifier = metadata.getIdentifier();
+                        vendorProperties =
+                            Maps.filterValues(metadata.getVendorInfo(), Objects::nonNull);
+                        for (JsonNode device : metadata.getDevices()) {
+                          if (deviceMatches(device.get(SELECTORS), attestationCertificate)) {
+                            ImmutableMap.Builder<String, String> devicePropertiesBuilder =
+                                ImmutableMap.builder();
+                            for (Map.Entry<String, JsonNode> deviceEntry :
+                                Lists.newArrayList(device.fields())) {
+                              JsonNode value = deviceEntry.getValue();
+                              if (value.isTextual()) {
+                                devicePropertiesBuilder.put(deviceEntry.getKey(), value.asText());
+                              }
+                            }
+                            deviceProperties = devicePropertiesBuilder.build();
+                            break;
+                          }
+                        }
 
-              return Optional.ofNullable(deviceProperties)
-                  .map(
-                      deviceProps ->
-                          Attestation.builder()
-                              .metadataIdentifier(Optional.ofNullable(identifier))
-                              .vendorProperties(Optional.of(vendorProperties))
-                              .deviceProperties(deviceProps)
-                              .build());
+                        return Optional.ofNullable(deviceProperties)
+                            .map(
+                                deviceProps ->
+                                    Attestation.builder()
+                                        .metadataIdentifier(Optional.ofNullable(identifier))
+                                        .vendorProperties(Optional.of(vendorProperties))
+                                        .deviceProperties(deviceProps)
+                                        .build());
+                      })
+                  .flatMap(OptionalUtil::stream)
+                  .map(attestation -> (Object) attestation)
+                  .collect(Collectors.toSet());
             })
-        .flatMap(OptionalUtil::stream)
-        .findAny();
+        .orElseGet(Collections::emptySet);
   }
 
   private boolean deviceMatches(

webauthn-server-demo/src/main/java/demo/webauthn/CompositeMetadataService.java

@@ -0,0 +1,46 @@
+package demo.webauthn;
+
+import com.yubico.webauthn.RegistrationResult;
+import com.yubico.webauthn.attestation.AttestationTrustSource;
+import com.yubico.webauthn.data.ByteArray;
+import java.security.cert.X509Certificate;
+import java.util.*;
+import lombok.NonNull;
+
+/**
+ * Combines several attestation metadata sources into one, which delegates to each sub-service in
+ * order until one returns a non-empty result.
+ */
+public class CompositeMetadataService implements AttestationTrustSource, MetadataService {
+
+  private final List<MetadataService> delegates;
+
+  public CompositeMetadataService(MetadataService... delegates) {
+    this.delegates = Collections.unmodifiableList(Arrays.asList(delegates));
+  }
+
+  @Override
+  public TrustRootsResult findTrustRoots(
+      List<X509Certificate> attestationCertificateChain, Optional<ByteArray> aaguid) {
+    for (MetadataService delegate : delegates) {
+      TrustRootsResult res = delegate.findTrustRoots(attestationCertificateChain, aaguid);
+      if (!res.getTrustRoots().isEmpty()) {
+        return res;
+      }
+    }
+
+    return TrustRootsResult.builder().trustRoots(Collections.emptySet()).build();
+  }
+
+  @Override
+  public Set<Object> findEntries(@NonNull RegistrationResult registrationResult) {
+    for (MetadataService delegate : delegates) {
+      Set<Object> res = delegate.findEntries(registrationResult);
+      if (!res.isEmpty()) {
+        return res;
+      }
+    }
+
+    return Collections.emptySet();
+  }
+}

webauthn-server-demo/src/main/java/demo/webauthn/Config.java

@@ -78,6 +78,10 @@ public static RelyingPartyIdentity getRpIdentity() {
     return getInstance().rpIdentity;
   }
 
+  public static boolean useFidoMds() {
+    return "true".equalsIgnoreCase(System.getenv("YUBICO_WEBAUTHN_USE_FIDO_MDS"));
+  }
+
   private static Set<String> computeOrigins() {
     final String origins = System.getenv("YUBICO_WEBAUTHN_ALLOWED_ORIGINS");
 

webauthn-server-demo/src/main/java/demo/webauthn/FidoMetadataServiceAdapter.java

@@ -0,0 +1,30 @@
+package demo.webauthn;
+
+import com.yubico.fido.metadata.FidoMetadataService;
+import com.yubico.webauthn.RegistrationResult;
+import com.yubico.webauthn.data.ByteArray;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import lombok.AllArgsConstructor;
+import lombok.NonNull;
+
+@AllArgsConstructor
+public class FidoMetadataServiceAdapter implements MetadataService {
+  private final FidoMetadataService fido;
+
+  @Override
+  public TrustRootsResult findTrustRoots(
+      List<X509Certificate> attestationCertificateChain, Optional<ByteArray> aaguid) {
+    return fido.findTrustRoots(attestationCertificateChain, aaguid);
+  }
+
+  @Override
+  public Set<Object> findEntries(@NonNull RegistrationResult registrationResult) {
+    return fido.findEntries(registrationResult).stream()
+        .map(metadataBLOBPayloadEntry -> (Object) metadataBLOBPayloadEntry)
+        .collect(Collectors.toSet());
+  }
+}

webauthn-server-demo/src/main/java/demo/webauthn/MetadataService.java

@@ -0,0 +1,10 @@
+package demo.webauthn;
+
+import com.yubico.webauthn.RegistrationResult;
+import com.yubico.webauthn.attestation.AttestationTrustSource;
+import java.util.Set;
+import lombok.NonNull;
+
+public interface MetadataService extends AttestationTrustSource {
+  Set<Object> findEntries(@NonNull RegistrationResult registrationResult);
+}

webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java

@@ -32,6 +32,10 @@
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
+import com.yubico.fido.metadata.FidoMetadataDownloader;
+import com.yubico.fido.metadata.FidoMetadataDownloaderException;
+import com.yubico.fido.metadata.FidoMetadataService;
+import com.yubico.fido.metadata.UnexpectedLegalHeader;
 import com.yubico.internal.util.CertificateParser;
 import com.yubico.internal.util.JacksonCodecs;
 import com.yubico.util.Either;
@@ -43,7 +47,6 @@
 import com.yubico.webauthn.RelyingParty;
 import com.yubico.webauthn.StartAssertionOptions;
 import com.yubico.webauthn.StartRegistrationOptions;
-import com.yubico.webauthn.attestation.Attestation;
 import com.yubico.webauthn.attestation.YubicoJsonMetadataService;
 import com.yubico.webauthn.data.AttestationConveyancePreference;
 import com.yubico.webauthn.data.AuthenticatorData;
@@ -53,15 +56,23 @@
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import com.yubico.webauthn.data.ResidentKeyRequirement;
 import com.yubico.webauthn.data.UserIdentity;
+import com.yubico.webauthn.data.exception.Base64UrlException;
 import com.yubico.webauthn.exception.AssertionFailedException;
 import com.yubico.webauthn.exception.RegistrationFailedException;
 import demo.webauthn.data.AssertionRequestWrapper;
 import demo.webauthn.data.AssertionResponse;
 import demo.webauthn.data.CredentialRegistration;
 import demo.webauthn.data.RegistrationRequest;
 import demo.webauthn.data.RegistrationResponse;
+import java.io.File;
 import java.io.IOException;
+import java.security.DigestException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.SignatureException;
+import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Clock;
@@ -91,14 +102,48 @@ public class WebAuthnServer {
   private final InMemoryRegistrationStorage userStorage;
   private final SessionManager sessions = new SessionManager();
 
-  private final YubicoJsonMetadataService metadataService = new YubicoJsonMetadataService();
+  private final MetadataService metadataService = getMetadataService();
+
+  private static MetadataService getMetadataService()
+      throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException,
+          DigestException, FidoMetadataDownloaderException, CertificateException,
+          UnexpectedLegalHeader, IOException, NoSuchAlgorithmException, SignatureException,
+          InvalidKeyException {
+    if (Config.useFidoMds()) {
+      logger.info("Using combination of Yubico JSON file and FIDO MDS for attestation metadata.");
+      return new CompositeMetadataService(
+          new YubicoJsonMetadataService(),
+          new FidoMetadataServiceAdapter(
+              FidoMetadataService.builder()
+                  .useBlob(
+                      FidoMetadataDownloader.builder()
+                          .expectLegalHeader(
+                              "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/")
+                          .useDefaultTrustRoot()
+                          .useTrustRootCacheFile(
+                              new File("webauthn-server-demo-fido-mds-trust-root-cache.bin"))
+                          .useDefaultBlob()
+                          .useBlobCacheFile(
+                              new File("webauthn-server-demo-fido-mds-blob-cache.bin"))
+                          .build()
+                          .loadCachedBlob())
+                  .build()));
+    } else {
+      logger.info("Using only Yubico JSON file for attestation metadata.");
+      return new YubicoJsonMetadataService();
+    }
+  }
 
   private final Clock clock = Clock.systemDefaultZone();
   private final ObjectMapper jsonMapper = JacksonCodecs.json();
 
   private final RelyingParty rp;
 
-  public WebAuthnServer() {
+  public WebAuthnServer()
+      throws CertificateException, CertPathValidatorException, InvalidAlgorithmParameterException,
+          Base64UrlException, DigestException, FidoMetadataDownloaderException,
+          UnexpectedLegalHeader, IOException, NoSuchAlgorithmException, SignatureException,
+          InvalidKeyException {
     this(
         new InMemoryRegistrationStorage(),
         newCache(),
@@ -112,7 +157,11 @@ public WebAuthnServer(
       Cache<ByteArray, RegistrationRequest> registerRequestStorage,
       Cache<ByteArray, AssertionRequestWrapper> assertRequestStorage,
       RelyingPartyIdentity rpIdentity,
-      Set<String> origins) {
+      Set<String> origins)
+      throws CertificateException, CertPathValidatorException, InvalidAlgorithmParameterException,
+          Base64UrlException, DigestException, FidoMetadataDownloaderException,
+          UnexpectedLegalHeader, IOException, NoSuchAlgorithmException, SignatureException,
+          InvalidKeyException {
     this.userStorage = userStorage;
     this.registerRequestStorage = registerRequestStorage;
     this.assertRequestStorage = assertRequestStorage;
@@ -526,18 +575,15 @@ private CredentialRegistration addRegistration(
             .signatureCount(result.getSignatureCount())
             .build(),
         result.getKeyId().getTransports().orElseGet(TreeSet::new),
-        result
-            .getAttestationTrustPath()
-            .flatMap(x5c -> x5c.stream().findFirst())
-            .flatMap(metadataService::findMetadata));
+        metadataService.findEntries(result).stream().findAny());
   }
 
   private CredentialRegistration addRegistration(
       UserIdentity userIdentity,
       Optional<String> nickname,
       RegisteredCredential credential,
       SortedSet<AuthenticatorTransport> transports,
-      Optional<Attestation> attestationMetadata) {
+      Optional<Object> attestationMetadata) {
     CredentialRegistration reg =
         CredentialRegistration.builder()
             .userIdentity(userIdentity)

webauthn-server-demo/src/main/java/demo/webauthn/data/CredentialRegistration.java

@@ -27,7 +27,6 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yubico.webauthn.RegisteredCredential;
-import com.yubico.webauthn.attestation.Attestation;
 import com.yubico.webauthn.data.AuthenticatorTransport;
 import com.yubico.webauthn.data.UserIdentity;
 import java.time.Instant;
@@ -49,7 +48,7 @@ public class CredentialRegistration {
   @JsonIgnore Instant registrationTime;
   RegisteredCredential credential;
 
-  Optional<Attestation> attestationMetadata;
+  Optional<Object> attestationMetadata;
 
   @JsonProperty("registrationTime")
   public String getRegistrationTimestamp() {