Test that RelyingParty trusts MDS results in integration test

Author: emlun

webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataServiceIntegrationTest.scala

@@ -6,8 +6,13 @@ import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_NFC
 import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRED
 import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRELESS
 import com.yubico.internal.util.CertificateParser
+import com.yubico.webauthn.FinishRegistrationOptions
+import com.yubico.webauthn.RelyingParty
+import com.yubico.webauthn.TestWithEachProvider
 import com.yubico.webauthn.data.AttestationObject
+import com.yubico.webauthn.test.Helpers
 import com.yubico.webauthn.test.RealExamples
+import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.junit.runner.RunWith
 import org.scalatest.BeforeAndAfter
 import org.scalatest.funspec.AnyFunSpec
@@ -18,11 +23,13 @@ import org.scalatestplus.junit.JUnitRunner
 
 import java.io.IOException
 import java.security.cert.X509Certificate
+import java.time.Clock
+import java.time.ZoneOffset
 import java.util
 import java.util.Optional
 import scala.jdk.CollectionConverters.IteratorHasAsScala
+import scala.jdk.CollectionConverters.SetHasAsJava
 import scala.jdk.CollectionConverters.SetHasAsScala
-import scala.jdk.OptionConverters.RichOption
 import scala.jdk.OptionConverters.RichOptional
 import scala.util.Try
 
@@ -32,7 +39,8 @@ import scala.util.Try
 class FidoMetadataServiceIntegrationTest
     extends AnyFunSpec
     with Matchers
-    with BeforeAndAfter {
+    with BeforeAndAfter
+    with TestWithEachProvider {
 
   describe("FidoMetadataService") {
 
@@ -60,7 +68,7 @@ class FidoMetadataServiceIntegrationTest
       val attachmentHintsNfc =
         attachmentHintsUsb ++ Set(ATTACHMENT_HINT_WIRELESS, ATTACHMENT_HINT_NFC)
 
-      describe("correctly identifies") {
+      describe("correctly identifies and trusts") {
         def check(
             expectedDescriptionRegex: String,
             testData: RealExamples.Example,
@@ -101,17 +109,38 @@ class FidoMetadataServiceIntegrationTest
           def getX5cArray(attestationObject: AttestationObject): JsonNode =
             attestationObject.getAttestationStatement.get("x5c")
 
-          val entries = fidoMds.get
-            .findEntries(
-              getAttestationTrustPath(
-                testData.attestation.attestationObject
-              ).get,
-              Some(
-                new AAGUID(
-                  testData.attestation.attestationObject.getAuthenticatorData.getAttestedCredentialData.get.getAaguid
-                )
-              ).toJava,
+          val rp = RelyingParty
+            .builder()
+            .identity(testData.rp)
+            .credentialRepository(Helpers.CredentialRepository.empty)
+            .origins(
+              Set(testData.attestation.collectedClientData.getOrigin).asJava
             )
+            .allowUntrustedAttestation(false)
+            .attestationTrustSource(fidoMds.get)
+            .clock(
+              Clock.fixed(
+                CertificateParser
+                  .parseDer(testData.attestationCert.getBytes)
+                  .getNotBefore
+                  .toInstant,
+                ZoneOffset.UTC,
+              )
+            )
+            .build()
+
+          val registrationResult = rp.finishRegistration(
+            FinishRegistrationOptions
+              .builder()
+              .request(testData.asRegistrationTestData.request)
+              .response(testData.attestation.credential)
+              .build()
+          )
+
+          registrationResult.isAttestationTrusted should be(true)
+
+          val entries = fidoMds.get
+            .findEntries(registrationResult)
             .asScala
           entries should not be empty
           val metadataStatements =
@@ -214,11 +243,13 @@ class FidoMetadataServiceIntegrationTest
         }
 
         it("a YubiKey 5.4 NFC FIPS.") {
-          check(
-            "YubiKey 5 FIPS Series with NFC",
-            RealExamples.YubikeyFips5Nfc,
-            attachmentHintsNfc,
-          )
+          withProviderContext(List(new BouncyCastleProvider)) { // Needed for JDK<14 because this example uses EdDSA
+            check(
+              "YubiKey 5 FIPS Series with NFC",
+              RealExamples.YubikeyFips5Nfc,
+              attachmentHintsNfc,
+            )
+          }
         }
 
         it("a YubiKey 5.4 Ci FIPS.") {

yubico-util-scala/src/main/scala/com/yubico/webauthn/TestWithEachProvider.scala

@@ -10,6 +10,24 @@ import java.security.Security
 trait TestWithEachProvider extends Matchers {
   this: AnyFunSpec =>
 
+  /** Run the `body` in a context with the given JCA [[Security]] providers,
+    * then reset the providers to their state before.
+    */
+  def withProviderContext(
+      providers: List[Provider]
+  )(
+      body: => Any
+  ): Unit = {
+    val originalProviders = Security.getProviders.toList
+    Security.getProviders.foreach(prov => Security.removeProvider(prov.getName))
+    providers.foreach(Security.addProvider)
+
+    body
+
+    Security.getProviders.foreach(prov => Security.removeProvider(prov.getName))
+    originalProviders.foreach(Security.addProvider)
+  }
+
   def wrapItFunctionWithProviderContext(
       providerSetName: String,
       providers: List[Provider],
@@ -29,18 +47,7 @@ trait TestWithEachProvider extends Matchers {
       */
     def it(testName: String)(testFun: => Any): Unit = {
       this.it.apply(testName) {
-        val originalProviders = Security.getProviders.toList
-        Security.getProviders.foreach(prov =>
-          Security.removeProvider(prov.getName)
-        )
-        providers.foreach(Security.addProvider)
-
-        testFun
-
-        Security.getProviders.foreach(prov =>
-          Security.removeProvider(prov.getName)
-        )
-        originalProviders.foreach(Security.addProvider)
+        withProviderContext(providers)(testFun)
       }
     }