Support unknown attestation statement formats

emlun · emlun · commit ad3040a2c984 · 2020-10-05T16:05:50.000+02:00
diff --git a/NEWS b/NEWS
@@ -1,3 +1,13 @@
+== Version 1.7.0 (unreleased) ==
+
+Changes:
+
+* Fixed crash on unknown attestation statement formats
+ ** Unless `RelyingParty.allowUntrustedAttestation` is set to `false`, unknown
+    attestation statements will now pass as untrusted attestations, instead of
+    throwing an IllegalArgumentException.
+
+
 == Version 1.6.4 ==
 
 * Changed dependency declarations to version ranges
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java
@@ -463,7 +463,7 @@ public AttestationType attestationType() {
                                 return AttestationType.ECDAA;
                             }
                         default:
-                            throw new IllegalArgumentException("Failed to resolve attestation type; unknown attestation statement format: " + attestation.getFormat());
+                            return AttestationType.UNKNOWN;
                     }
                 }
             } catch (IOException | CoseException | CertificateException e) {
@@ -509,6 +509,7 @@ public Optional<AttestationTrustResolver> trustResolver() {
             switch (attestationType) {
                 case NONE:
                 case SELF_ATTESTATION:
+                case UNKNOWN:
                     return Optional.empty();
 
                 case ATTESTATION_CA:
@@ -562,6 +563,10 @@ public void validate() {
                     assure(allowUntrustedAttestation, "No attestation is not allowed.");
                     break;
 
+                case UNKNOWN:
+                    assure(allowUntrustedAttestation, "Unknown attestation statement formats are not allowed.");
+                    break;
+
                 default:
                     throw new UnsupportedOperationException("Attestation type not implemented: " + attestationType);
             }
@@ -574,8 +579,9 @@ public Step17 nextStep() {
 
         public boolean attestationTrusted() {
             switch (attestationType) {
-                case SELF_ATTESTATION:
                 case NONE:
+                case SELF_ATTESTATION:
+                case UNKNOWN:
                     return false;
 
                 case ATTESTATION_CA:
