Class FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2

  • Enclosing class:
    FidoMetadataDownloader.FidoMetadataDownloaderBuilder

    public static class FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2
    extends java.lang.Object
    Step 2: Configure how to retrieve the FIDO Metadata Service trust root certificate when necessary.

    This step offers three mutually exclusive options:

    1. Use the default download URL and certificate hash. This is the main intended use case. See useDefaultTrustRoot().
    2. Use a custom download URL and certificate hash. This is for future-proofing in case the trust root certificate changes and there is no new release of this library. See downloadTrustRoot(URL, Set).
    3. Use a pre-retrieved trust root certificate. It is up to you to perform any integrity checks and cache it as desired. See useTrustRoot(X509Certificate).
    • Method Detail

      • useDefaultTrustRoot

        public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 useDefaultTrustRoot()
        Download the trust root certificate from a hard-coded URL and verify it against a hard-coded SHA-256 hash.

        This is an alias of:

         downloadTrustRoot(
           new URL("https://secure.globalsign.com/cacert/root-r3.crt"),
           Collections.singleton(ByteArray.fromHex("cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"))
         )
         
        This is the current FIDO Metadata Service trust root certificate at the time of this library release.
        See Also:
        downloadTrustRoot(URL, Set)
      • downloadTrustRoot

        public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 downloadTrustRoot(@NonNull java.net.URL url,
                                                                                          @NonNull java.util.Set<com.yubico.webauthn.data.ByteArray> acceptedCertSha256)
        Download the trust root certificate from the given HTTPS url and verify its SHA-256 hash against acceptedCertSha256.

        The certificate will be downloaded if it does not exist in the cache, or if the cached certificate is not currently valid.

        If the cert is downloaded, it is also written to the cache File or Consumer configured in the next step.

        Parameters:
        url - the URL to download the trust root certificate from. It MUST use the https: scheme.
        acceptedCertSha256 - a set of SHA-256 hashes to verify the downloaded certificate against. The downloaded certificate MUST match at least one of these hashes; the set form allows accepting both the current root and its announced replacement during a rotation.
        Throws:
        java.lang.IllegalArgumentException - if url is not an HTTPS URL.
      • useTrustRoot

        public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step4 useTrustRoot(@NonNull java.security.cert.X509Certificate trustRootCertificate)
        Use the given trust root certificate. It is the caller's responsibility to perform any integrity checks and/or caching logic.
        Parameters:
        trustRootCertificate - the certificate to use as the FIDO Metadata Service trust root.
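
        The three Step 2 options, wired into complete builder chains. This is an added example, not code from the library or its documentation. The Step 2 calls are the ones documented above; the surrounding steps (expectLegalHeader, useTrustRootCacheFile, useDefaultBlob, useBlobCacheFile, build) are assumed from the rest of the FidoMetadataDownloader builder, the LEGAL_HEADER string and the local file paths are assumptions, and the pinned hash is the one from useDefaultTrustRoot(), assumed to be the SHA-256 of the certificate's DER encoding. The option 3 helper shows the integrity check useTrustRoot() leaves to the caller: the certificate's fingerprint is compared against the pin and its validity period is checked before the builder ever sees it.

```java
import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.webauthn.data.ByteArray;

import java.io.File;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

public class TrustRootStep2Example {

    // Step 1 (not on this page; assumed): the legalHeader of the BLOB you have reviewed.
    static final String LEGAL_HEADER =
        "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement "
        + "located at https://fidoalliance.org/metadata/metadata-legal-terms/";

    // Pinned hash taken from useDefaultTrustRoot(). Assumption: it is the SHA-256 of the
    // certificate's DER encoding (the usual X.509 fingerprint), which is what the
    // custom check in loadPinnedTrustRoot() computes.
    static final ByteArray PINNED_ROOT_SHA256 = ByteArray.fromHex(
        "cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b");

    // Assumed local cache paths (Steps 3 and 5).
    static final File TRUST_ROOT_CACHE = new File("fido-mds-trust-root-cache.bin");
    static final File BLOB_CACHE = new File("fido-mds-blob-cache.bin");

    /** Option 1: hard-coded URL and hash; the library downloads, verifies and caches. */
    static FidoMetadataDownloader withDefaultTrustRoot() {
        return FidoMetadataDownloader.builder()
            .expectLegalHeader(LEGAL_HEADER)
            .useDefaultTrustRoot()
            .useTrustRootCacheFile(TRUST_ROOT_CACHE)
            .useDefaultBlob()
            .useBlobCacheFile(BLOB_CACHE)
            .build();
    }

    /**
     * Option 2: custom URL and accepted hashes. Passing a set lets a deployment accept
     * both the current root and its announced replacement during a rotation without
     * waiting for a library release; the download must match at least one entry.
     */
    static FidoMetadataDownloader withCustomTrustRoot(URL trustRootUrl, Set<ByteArray> acceptedSha256) {
        if (!"https".equalsIgnoreCase(trustRootUrl.getProtocol())) {
            // The builder rejects non-HTTPS URLs as well; failing here gives a clearer config-time error.
            throw new IllegalArgumentException("Trust root URL must use https: " + trustRootUrl);
        }
        return FidoMetadataDownloader.builder()
            .expectLegalHeader(LEGAL_HEADER)
            .downloadTrustRoot(trustRootUrl, acceptedSha256)
            .useTrustRootCacheFile(TRUST_ROOT_CACHE)
            .useDefaultBlob()
            .useBlobCacheFile(BLOB_CACHE)
            .build();
    }

    /**
     * Option 3: a pre-retrieved certificate. useTrustRoot() performs no integrity check,
     * so the fingerprint pin and the validity-period check happen here first.
     */
    static X509Certificate loadPinnedTrustRoot(Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509"); // reads DER or PEM
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certFile)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        ByteArray actual = new ByteArray(
            MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        if (!actual.equals(PINNED_ROOT_SHA256)) {
            throw new SecurityException("Trust root fingerprint mismatch: got " + actual.getHex());
        }
        cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        return cert;
    }

    static FidoMetadataDownloader withPreRetrievedTrustRoot(Path certFile) throws Exception {
        return FidoMetadataDownloader.builder()
            .expectLegalHeader(LEGAL_HEADER)
            .useTrustRoot(loadPinnedTrustRoot(certFile)) // Step 2 goes straight to Step 4: no trust root cache step
            .useDefaultBlob()
            .useBlobCacheFile(BLOB_CACHE)
            .build();
    }

    public static void main(String[] args) throws Exception {
        Set<ByteArray> accepted = new LinkedHashSet<>(Collections.singleton(PINNED_ROOT_SHA256));
        // During a rotation, also add the replacement root's fingerprint:
        // accepted.add(ByteArray.fromHex(replacementRootSha256Hex));

        FidoMetadataDownloader byDefault = withDefaultTrustRoot();
        FidoMetadataDownloader byCustomUrl = withCustomTrustRoot(
            new URL("https://secure.globalsign.com/cacert/root-r3.crt"), accepted);
        FidoMetadataDownloader byLocalFile = withPreRetrievedTrustRoot(Path.of("root-r3.crt")); // assumed path
        System.out.println("Configured downloaders: "
            + (byDefault != null && byCustomUrl != null && byLocalFile != null));
    }
}
```

With option 3 the library never re-validates the certificate, so a deployment that rotates the pinned root must also decide when to re-run loadPinnedTrustRoot(); with options 1 and 2 the validity check and re-download happen on each build from the cache file configured in Step 3.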