Package com.yubico.fido.metadata

Class FidoMetadataService.FidoMetadataServiceBuilder

java.lang.Object

com.yubico.fido.metadata.FidoMetadataService.FidoMetadataServiceBuilder

Enclosing class:

FidoMetadataService

public static class FidoMetadataService.FidoMetadataServiceBuilder
extends java.lang.Object

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	FidoMetadataService.FidoMetadataServiceBuilder.Step1

Method Summary

Modifier and Type	Method	Description
FidoMetadataService	build()
FidoMetadataService.FidoMetadataServiceBuilder	certStore(@NonNull java.security.cert.CertStore certStore)	Set a CertStore of additional CRLs and/or intermediate certificates to use while validating attestation certificate paths.
FidoMetadataService.FidoMetadataServiceBuilder	filter(@NonNull java.util.function.Predicate<FidoMetadataService.Filters.AuthenticatorToBeFiltered> filter)	Set a filter for which metadata entries to allow for a given authenticator during credential registration and metadata lookup.
FidoMetadataService.FidoMetadataServiceBuilder	prefilter(@NonNull java.util.function.Predicate<MetadataBLOBPayloadEntry> prefilter)	Set a first-stage filter for which metadata entries to include in the data source.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

prefilter

public FidoMetadataService.FidoMetadataServiceBuilder prefilter(@NonNull
                                                                @NonNull java.util.function.Predicate<MetadataBLOBPayloadEntry> prefilter)

Set a first-stage filter for which metadata entries to include in the data source.

This prefilter is executed once for each metadata entry during initial construction of a FidoMetadataService instance.

The default is Filters.notRevoked(). Setting a different filter overrides this default; to preserve the "not revoked" condition in addition to the new filter, you must explicitly include the condition in the few filter. For example, by using Filters.allOf(Predicate...).

Parameters:

prefilter - a Predicate which returns true for metadata entries to include in the data source.

See Also:

filter, FidoMetadataService.Filters.allOf(Predicate[])

filter

public FidoMetadataService.FidoMetadataServiceBuilder filter(@NonNull
                                                             @NonNull java.util.function.Predicate<FidoMetadataService.Filters.AuthenticatorToBeFiltered> filter)

Set a filter for which metadata entries to allow for a given authenticator during credential registration and metadata lookup.

This filter is executed during each execution of FidoMetadataService.findEntries(List, AAGUID), its overloads, and FidoMetadataService.findTrustRoots(List, Optional).

The default is Filters.noAttestationKeyCompromise(). Setting a different filter overrides this default; to preserve this condition in addition to the new filter, you must explicitly include the condition in the few filter. For example, by using Filters.allOf(Predicate...).

Note: Returning true in the filter predicate does not automatically make the authenticator trusted, as its attestation certificate must also correctly chain to a trusted attestation root. Rather, returning true in the filter predicate allows the corresponding metadata entry to be used for further trust assessment for that authenticator, while returning false eliminates the metadata entry (and thus any associated trust roots) for the ongoing query.

Parameters:

filter - a Predicate which returns true for metadata entries to allow for the corresponding authenticator during credential registration and metadata lookup.

See Also:

prefilter(Predicate), FidoMetadataService.Filters.AuthenticatorToBeFiltered, FidoMetadataService.Filters.allOf(Predicate[])

certStore

public FidoMetadataService.FidoMetadataServiceBuilder certStore(@NonNull
                                                                @NonNull java.security.cert.CertStore certStore)

Set a CertStore of additional CRLs and/or intermediate certificates to use while validating attestation certificate paths.

This setting is most likely useful for tests.

Parameters:

certStore - a CertStore of additional CRLs and/or intermediate certificates to use while validating attestation certificate paths.

build

public FidoMetadataService build()
                          throws java.security.cert.CertPathValidatorException,
                                 java.security.InvalidAlgorithmParameterException,
                                 com.yubico.webauthn.data.exception.Base64UrlException,
                                 java.security.DigestException,
                                 FidoMetadataDownloaderException,
                                 java.security.cert.CertificateException,
                                 UnexpectedLegalHeader,
                                 java.io.IOException,
                                 java.security.NoSuchAlgorithmException,
                                 java.security.SignatureException,
                                 java.security.InvalidKeyException

Throws:

java.security.cert.CertPathValidatorException

java.security.InvalidAlgorithmParameterException

com.yubico.webauthn.data.exception.Base64UrlException

java.security.DigestException

FidoMetadataDownloaderException

java.security.cert.CertificateException

UnexpectedLegalHeader

java.io.IOException

java.security.NoSuchAlgorithmException

java.security.SignatureException

java.security.InvalidKeyException