Enable attestation verification when Attestation.DIRECT or INDIRECT is specified

ynojima · vietj · commit dcaf3dde33a9 · 2024-11-15T08:47:45.000+01:00
diff --git a/vertx-auth-webauthn4j/src/main/java/io/vertx/ext/auth/webauthn4j/impl/WebAuthn4JImpl.java b/vertx-auth-webauthn4j/src/main/java/io/vertx/ext/auth/webauthn4j/impl/WebAuthn4JImpl.java
@@ -141,7 +141,7 @@ public WebAuthn4JImpl(Vertx vertx, WebAuthn4JOptions options) {
       throw new IllegalArgumentException("options.relyingParty.name cannot be null!");
     }
 
-    if(options.getAttestation() == Attestation.ENTERPRISE) {
+    if(options.getAttestation() != Attestation.NONE) {
     	TrustAnchorAsyncRepository something;
     	Set<TrustAnchor> trustAnchors = new HashSet<>();
     	try {
@@ -163,7 +163,7 @@ public WebAuthn4JImpl(Vertx vertx, WebAuthn4JOptions options) {
     		FidoMDS3MetadataBLOBAsyncProvider blobAsyncProvider = new FidoMDS3MetadataBLOBAsyncProvider(objectConverter, FidoMDS3MetadataBLOBAsyncProvider.DEFAULT_BLOB_ENDPOINT, httpClient, trustAnchors);
     		something = new MetadataBLOBBasedTrustAnchorAsyncRepository(blobAsyncProvider);
     	}
-		
+
     	webAuthnManager = new WebAuthnAsyncManager(
     			Arrays.asList(
     					new NoneAttestationStatementAsyncVerifier(),
@@ -178,7 +178,7 @@ public WebAuthn4JImpl(Vertx vertx, WebAuthn4JOptions options) {
     			new DefaultSelfAttestationTrustworthinessAsyncVerifier(),
     			objectConverter
     			);
-    	
+
     } else {
         webAuthnManager = WebAuthnAsyncManager.createNonStrictWebAuthnAsyncManager(objectConverter);
     }
@@ -523,7 +523,7 @@ public Future<User> authenticate(Credentials credentials) {
    * @param clientDataJSON - Binary session data
    */
   private Future<Authenticator> verifyWebAuthNCreate(JsonObject response, WebAuthn4JCredentials authInfo, byte[] clientDataJSON) {
-	  
+
 	  // client properties
 	  byte[] attestationObject = base64UrlDecode(response.getString("attestationObject"));
 	  Set<String> transports = new HashSet<>();
@@ -543,7 +543,7 @@ private Future<Authenticator> verifyWebAuthNCreate(JsonObject response, WebAuthn
 	  String clientExtensionJSON = clientExtensionResults != null ? clientExtensionResults.encode() : null;
 
 	  RegistrationRequest registrationRequest = new RegistrationRequest(attestationObject, clientDataJSON, clientExtensionJSON, transports);
-	  
+
 	  // server properties
 	  ServerProperty serverProperty = getServerProperty(authInfo);
 
@@ -656,7 +656,7 @@ private Future<Long> verifyWebAuthNGet(JsonObject response, WebAuthn4JCredential
 	  boolean userVerificationRequired = options.getUserVerification() == UserVerification.REQUIRED;
 	  boolean userPresenceRequired = options.isUserPresenceRequired();
 	  CredentialRecord credentialRecord = loadCredentialRecord(authenticator);
-	  
+
 	  AuthenticationParameters authenticationParameters =
 			  new AuthenticationParameters(
 					  serverProperty,
@@ -666,15 +666,15 @@ private Future<Long> verifyWebAuthNGet(JsonObject response, WebAuthn4JCredential
 					  userPresenceRequired
 					  );
 
-	  
+
 	  return Future.fromCompletionStage(webAuthnManager.verify(authenticationRequest, authenticationParameters))
 			  .map(parsedAuthenticatorData -> parsedAuthenticatorData.getAuthenticatorData().getSignCount());
   }
 
   private CredentialRecord loadCredentialRecord(Authenticator authenticator) {
     // AFAICT, we could reconstruct that from the fmt and certificates, but it doesn't look like it is used
     // apparently only coseKey and counter are used for verification, not the attestation statement.
-    
+
     // important
     long counter = authenticator.getCounter();
     COSEKey coseKey = objectConverter.getCborConverter().readValue(base64UrlDecode(authenticator.getPublicKey()), COSEKey.class);
@@ -691,8 +691,8 @@ private CredentialRecord loadCredentialRecord(Authenticator authenticator) {
     CollectedClientData clientData = null;
     AuthenticationExtensionsClientOutputs<RegistrationExtensionClientOutput> clientExtensions = null;
     Set<com.webauthn4j.data.AuthenticatorTransport> transports = null;
-    
-	  return new CredentialRecordImpl(attestationStatement, uvInitialized, backupEligible, backupState, counter, attestedCredentialData, 
+
+	  return new CredentialRecordImpl(attestationStatement, uvInitialized, backupEligible, backupState, counter, attestedCredentialData,
 			  authenticatorExtensions, clientData, clientExtensions, transports);
   }
-}
+}
diff --git a/vertx-auth-webauthn4j/src/test/java/io/vertx/tests/EmulatorTest.java b/vertx-auth-webauthn4j/src/test/java/io/vertx/tests/EmulatorTest.java
@@ -96,7 +96,7 @@ public void resetDatabase() {
 		database.clear();
 	}
 
-	
+
 	@Test
 	public void testMetadata(TestContext should) {
 		final Async test = should.async();
@@ -111,11 +111,11 @@ public void testMetadata(TestContext should) {
 		}
 		FidoMDS3MetadataBLOBAsyncProvider blobAsyncProvider = new FidoMDS3MetadataBLOBAsyncProvider(objectConverter, FidoMDS3MetadataBLOBAsyncProvider.DEFAULT_BLOB_ENDPOINT, httpClient, trustAnchors);
 		MetadataBLOBBasedTrustAnchorAsyncRepository something = new MetadataBLOBBasedTrustAnchorAsyncRepository(blobAsyncProvider);
-		blobAsyncProvider.provide() 
+		blobAsyncProvider.provide()
 				.thenCompose(metadataBLOB -> {
 			Assert.assertNotEquals(0, metadataBLOB.getPayload().getEntries().size());
 			for (MetadataBLOBPayloadEntry entry : metadataBLOB.getPayload().getEntries()) {
-				if(entry.getAaguid() != null 
+				if(entry.getAaguid() != null
 						// the following are things that are in the implementation of webauthn4j that will filter what find() returns, so make sure
 						// they pass
 						&& !entry.getMetadataStatement().getAttestationRootCertificates().isEmpty()
@@ -137,7 +137,7 @@ public void testMetadata(TestContext should) {
 			return null;
 		});
 	}
-	
+
 	@Test
 	public void testDefaults(TestContext should) throws DataConversionException, InterruptedException, ExecutionException {
 		final Async test = should.async();
@@ -149,48 +149,48 @@ public void testDefaults(TestContext should) throws DataConversionException, Int
 
 		WebAuthnAuthenticatorAdaptor webAuthnAuthenticatorAdaptor = new WebAuthnAuthenticatorAdaptor(EmulatorUtil.PACKED_AUTHENTICATOR);
 		ClientPlatform clientPlatform = new ClientPlatform(origin, webAuthnAuthenticatorAdaptor);
-		
+
 		testRegistration(webAuthN, clientPlatform, should)
 		.flatMap(v -> testAuthentication(webAuthN, clientPlatform, should))
 		.onFailure(should::fail)
 		.onSuccess(v -> test.complete());
 	}
 
 	@Test
-	public void testEnterprise(TestContext should) throws DataConversionException, InterruptedException, ExecutionException {
+	public void testDirect(TestContext should) throws DataConversionException, InterruptedException, ExecutionException {
 		final Async test = should.async();
 
 		X509Certificate rootCA = TestAttestationUtil.load3tierTestRootCACertificate();
-		
+
 		WebAuthn4J webAuthN = WebAuthn4J.create(
 				rule.vertx(),
 				new WebAuthn4JOptions().setRelyingParty(new RelyingParty().setName(rpName))
-				.setAttestation(Attestation.ENTERPRISE)
+				.setAttestation(Attestation.DIRECT)
 				.addRootCertificate(rootCA))
 	      .credentialStorage(database);
 
 		WebAuthnAuthenticatorAdaptor webAuthnAuthenticatorAdaptor = new WebAuthnAuthenticatorAdaptor(EmulatorUtil.PACKED_AUTHENTICATOR);
 		ClientPlatform clientPlatform = new ClientPlatform(origin, webAuthnAuthenticatorAdaptor);
-		
+
 		testRegistration(webAuthN, clientPlatform, should)
 		.flatMap(v -> testAuthentication(webAuthN, clientPlatform, should))
 		.onFailure(should::fail)
 		.onSuccess(v -> test.complete());
 	}
 
 	@Test
-	public void testEnterpriseWithoutCA(TestContext should) throws DataConversionException, InterruptedException, ExecutionException {
+	public void testDirectWithoutCA(TestContext should) throws DataConversionException, InterruptedException, ExecutionException {
 		final Async test = should.async();
 
 		WebAuthn4J webAuthN = WebAuthn4J.create(
 				rule.vertx(),
 				new WebAuthn4JOptions().setRelyingParty(new RelyingParty().setName(rpName))
-				.setAttestation(Attestation.ENTERPRISE))
+				.setAttestation(Attestation.DIRECT))
 	      .credentialStorage(database);
 
 		WebAuthnAuthenticatorAdaptor webAuthnAuthenticatorAdaptor = new WebAuthnAuthenticatorAdaptor(EmulatorUtil.PACKED_AUTHENTICATOR);
 		ClientPlatform clientPlatform = new ClientPlatform(origin, webAuthnAuthenticatorAdaptor);
-		
+
 		testRegistration(webAuthN, clientPlatform, should)
 		.flatMap(v -> testAuthentication(webAuthN, clientPlatform, should))
 		.onFailure(x -> {
@@ -242,7 +242,7 @@ private Future<?> testRegistration(WebAuthn4J webAuthN, ClientPlatform clientPla
 		});
 
 	}
-	
+
 	private RegistrationRequest createRegistrationRequest(ClientPlatform clientPlatform, String rpId, Challenge challenge, String username, String displayName, TestContext should){
 		AuthenticatorSelectionCriteria authenticatorSelectionCriteria =
 				new AuthenticatorSelectionCriteria(
@@ -353,5 +353,5 @@ private AuthenticationRequest createAuthenticationRequest(ClientPlatform clientP
                 );
 
 	}
-	
+
 }
diff --git a/vertx-auth-webauthn4j/src/test/java/io/vertx/tests/attestation/AttestationTest.java b/vertx-auth-webauthn4j/src/test/java/io/vertx/tests/attestation/AttestationTest.java
@@ -58,7 +58,7 @@ public void testPackedFullAttestation(TestContext should) throws CertificateExce
 
     // we are testing all the certificates, which only happens for ENTERPRISE
     WebAuthn4JOptions options = new WebAuthn4JOptions().setRelyingParty(new RelyingParty().setName("FIDO Examples Corporation"))
-            .setAttestation(Attestation.ENTERPRISE);
+            .setAttestation(Attestation.DIRECT);
     // testing attestation validity only happens if we verify that the root CA is known, so we have to add it
     options.getRootCertificates().put("Yubico FIDO Preview CA", JWS.parseX5c(YUBICO_FIDO_PREVIEW_CA_EXPIRED_2018));
 
