Explain policyTreeValidator setting better in NEWS and README

emlun · emlun · commit bd522d728950 · 2022-09-13T21:09:13.000+02:00
diff --git a/NEWS b/NEWS
@@ -23,7 +23,8 @@ New features:
   predicate function will be used to validate the certificate policy tree after
   successful attestation certificate path validation. This may be required for
   some JCA providers to accept attestation certificates with critical
-  certificate policy extensions.
+  certificate policy extensions. See the JavaDoc for
+  `TrustRootsResultBuilder.policyTreeValidator(Predicate)` for more information.
 
 Fixes:
 
diff --git a/README b/README
@@ -624,6 +624,21 @@ The link:webauthn-server-attestation[`webauthn-server-attestation` module]
 provides optional additional features for working with attestation.
 See the module documentation for more details.
 
+Alternatively, you can use the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
+interface to implement your own source of attestation root certificates
+and set it as the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationTrustSource(com.yubico.webauthn.attestation.AttestationTrustSource)[`attestationTrustSource`]
+for your
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+instance.
+Note that depending on your JCA provider configuration, you may need to set the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.TrustRootsResult.TrustRootsResultBuilder.html#enableRevocationChecking(boolean)[`enableRevocationChecking`]
+and/or
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.TrustRootsResult.TrustRootsResultBuilder.html#policyTreeValidator(java.util.function.Predicate)[`policyTreeValidator`]
+settings for compatibility with some authenticators' attestation certificates.
+See the JavaDoc for these settings for more information.
+
 
 == Building
 
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java
@@ -69,7 +69,13 @@
  *
  * <p>This class implements {@link AttestationTrustSource}, so it can be configured as the {@link
  * RelyingPartyBuilder#attestationTrustSource(AttestationTrustSource) attestationTrustSource}
- * setting in {@link RelyingParty}.
+ * setting in {@link RelyingParty}. This implementation always sets {@link
+ * com.yubico.webauthn.attestation.AttestationTrustSource.TrustRootsResult.TrustRootsResultBuilder#enableRevocationChecking(boolean)
+ * enableRevocationChecking(false)}, because the FIDO MDS has its own revocation procedures and not
+ * all attestation certificates provide CRLs; and always sets {@link
+ * com.yubico.webauthn.attestation.AttestationTrustSource.TrustRootsResult.TrustRootsResultBuilder#policyTreeValidator(Predicate)
+ * policyTreeValidator} to accept any policy tree, because a Windows Hello attestation certificate
+ * is known to include a critical certificate policies extension.
  *
  * <p>The metadata service may be configured with a two stages of filters to select trusted
  * authenticators. The first stage is the {@link FidoMetadataServiceBuilder#prefilter(Predicate)
