Check hash of cached trust root cert as promised in JavaDoc

emlun · emlun · commit 9adcde5ad51c · 2022-09-14T01:00:04.000+02:00
diff --git a/NEWS b/NEWS
@@ -1,5 +1,7 @@
 == Version 2.1.0 (unreleased) ==
 
+`webauthn-server-core`:
+
 Changes:
 
 * Log messages on attestation certificate path validation failure now include
@@ -33,6 +35,16 @@ Fixes:
   `webauthn-server-parent` to unpublished test meta-module.
 
 
+`webauthn-server-attestation`:
+
+Fixes:
+
+* Fixed various typos and mistakes in JavaDocs.
+* `FidoMetadataDownloader` now verifies the SHA-256 hash of the cached trust
+  root certificate, as promised in the JavaDoc of `useTrustRootCacheFile` and
+  `useTrustRootCache`.
+
+
 == Version 2.0.0 ==
 
 This release removes deprecated APIs and changes some defaults to better align
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloader.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloader.java
@@ -867,13 +867,16 @@ private X509Certificate retrieveTrustRootCert()
 
       X509Certificate cert = null;
       if (cachedContents.isPresent()) {
-        try {
-          final X509Certificate cachedCert =
-              CertificateParser.parseDer(cachedContents.get().getBytes());
-          cachedCert.checkValidity(Date.from(clock.instant()));
-          cert = cachedCert;
-        } catch (CertificateException e) {
-          // Fall through
+        final ByteArray verifiedCachedContents = verifyHash(cachedContents.get(), trustRootSha256);
+        if (verifiedCachedContents != null) {
+          try {
+            final X509Certificate cachedCert =
+                CertificateParser.parseDer(verifiedCachedContents.getBytes());
+            cachedCert.checkValidity(Date.from(clock.instant()));
+            cert = cachedCert;
+          } catch (CertificateException e) {
+            // Fall through
+          }
         }
       }
 
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMetadataDownloaderSpec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMetadataDownloaderSpec.scala
@@ -449,7 +449,14 @@ class FidoMetadataDownloaderSpec
               .expectLegalHeader(
                 "Kom ihåg att du aldrig får snyta dig i mattan!"
               )
-              .useDefaultTrustRoot()
+              .downloadTrustRoot(
+                new URL("https://localhost:12345/nonexistent.dev.null"),
+                Set(
+                  TestAuthenticator.sha256(
+                    new ByteArray(trustRootCert.getEncoded)
+                  )
+                ).asJava,
+              )
               .useTrustRootCacheFile(cacheFile)
               .useBlob(blobJwt)
               .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
@@ -626,7 +633,14 @@ class FidoMetadataDownloaderSpec
               .expectLegalHeader(
                 "Kom ihåg att du aldrig får snyta dig i mattan!"
               )
-              .useDefaultTrustRoot()
+              .downloadTrustRoot(
+                new URL("https://localhost:12345/nonexistent.dev.null"),
+                Set(
+                  TestAuthenticator.sha256(
+                    new ByteArray(trustRootCert.getEncoded)
+                  )
+                ).asJava,
+              )
               .useTrustRootCache(
                 () => Optional.of(new ByteArray(trustRootCert.getEncoded)),
                 newCache => {
@@ -693,6 +707,115 @@ class FidoMetadataDownloaderSpec
           testWithHashes(Set(goodHash)) should not be null
           testWithHashes(Set(badHash, goodHash)) should not be null
         }
+
+        it("The cached trust root cert must match one of the expected SHA256 hashes.") {
+          val (cachedTrustRootCert, cachedCaKeypair, cachedCaName) =
+            makeTrustRootCert()
+          val (cachedRootBlobCert, cachedRootBlobKeypair, _) =
+            makeCert(cachedCaKeypair, cachedCaName)
+          val cachedRootBlobJwt = makeBlob(
+            List(cachedRootBlobCert),
+            cachedRootBlobKeypair,
+            LocalDate.now(),
+          )
+          val cachedRootCrls = List[CRL](
+            TestAuthenticator.buildCrl(
+              cachedCaName,
+              cachedCaKeypair.getPrivate,
+              "SHA256withECDSA",
+              CertValidFrom,
+              CertValidTo,
+            )
+          )
+
+          val (downloadedTrustRootCert, downloadedCaKeypair, downloadedCaName) =
+            makeTrustRootCert()
+          val (downloadedRootBlobCert, downloadedRootBlobKeypair, _) =
+            makeCert(downloadedCaKeypair, downloadedCaName)
+          val downloadedRootBlobJwt = makeBlob(
+            List(downloadedRootBlobCert),
+            downloadedRootBlobKeypair,
+            LocalDate.now(),
+          )
+          val downloadedRootCrls = List[CRL](
+            TestAuthenticator.buildCrl(
+              downloadedCaName,
+              downloadedCaKeypair.getPrivate,
+              "SHA256withECDSA",
+              CertValidFrom,
+              CertValidTo,
+            )
+          )
+
+          val (server, serverUrl, httpsCert) =
+            makeHttpServer(
+              "/trust-root.der",
+              downloadedTrustRootCert.getEncoded,
+            )
+          startServer(server)
+
+          def testWithHashes(
+              hashes: Set[ByteArray],
+              blobJwt: String,
+              crls: List[CRL],
+          ): (MetadataBLOB, Option[ByteArray]) = {
+            var writtenCache: Option[ByteArray] = None
+
+            val blob = load(
+              FidoMetadataDownloader
+                .builder()
+                .expectLegalHeader(
+                  "Kom ihåg att du aldrig får snyta dig i mattan!"
+                )
+                .downloadTrustRoot(
+                  new URL(s"${serverUrl}/trust-root.der"),
+                  hashes.asJava,
+                )
+                .useTrustRootCache(
+                  () =>
+                    Optional.of(new ByteArray(cachedTrustRootCert.getEncoded)),
+                  downloaded => { writtenCache = Some(downloaded) },
+                )
+                .useBlob(blobJwt)
+                .useCrls(crls.asJava)
+                .trustHttpsCerts(httpsCert)
+                .clock(Clock.fixed(CertValidFrom, ZoneOffset.UTC))
+                .build()
+            )
+
+            (blob, writtenCache)
+          }
+
+          {
+            val (blob, writtenCache) = testWithHashes(
+              Set(
+                TestAuthenticator.sha256(
+                  new ByteArray(cachedTrustRootCert.getEncoded)
+                )
+              ),
+              cachedRootBlobJwt,
+              cachedRootCrls,
+            )
+            blob should not be null
+            writtenCache should be(None)
+          }
+
+          {
+            val (blob, writtenCache) = testWithHashes(
+              Set(
+                TestAuthenticator.sha256(
+                  new ByteArray(downloadedTrustRootCert.getEncoded)
+                )
+              ),
+              downloadedRootBlobJwt,
+              downloadedRootCrls,
+            )
+            blob should not be null
+            writtenCache should be(
+              Some(new ByteArray(downloadedTrustRootCert.getEncoded))
+            )
+          }
+        }
       }
 
       describe("2. To validate the digital certificates used in the digital signature, the certificate revocation information MUST be available in the form of CRLs at the respective MDS CRL location e.g. More information can be found at https://fidoalliance.org/metadata/") {
