Class FidoMetadataService

  • All Implemented Interfaces:
    com.yubico.webauthn.attestation.AttestationTrustSource

    public final class FidoMetadataService
    extends java.lang.Object
    implements com.yubico.webauthn.attestation.AttestationTrustSource
    Utility for filtering and querying Fido Metadata Service BLOB entries.

    This class implements AttestationTrustSource, so it can be configured as the attestationTrustSource setting in RelyingParty.

    The metadata service may be configured with two stages of filters to select trusted authenticators. The first stage is the prefilter setting, which is executed once when the FidoMetadataService instance is constructed. The second stage is the filter setting, which is executed whenever metadata or trust roots are to be looked up for a given authenticator. Any metadata entry that satisfies both filters will be considered trusted.

    Use the builder to configure settings, then use the findEntries(List, AAGUID) method or its overloads to retrieve metadata entries.
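    The following is an added example (not code from this Javadoc or from the java-webauthn-server project) showing the two filter stages described above and how the resulting service is plugged into RelyingParty as its attestationTrustSource. It assumes the FidoMetadataDownloader builder chain, the FidoMetadataServiceBuilder methods prefilter/filter/useBlob, the Filters.AuthenticatorToBeFiltered accessor names, the AuthenticatorStatus enum constants, and the RelyingParty builder methods shown; verify each against the version of the library you use.

```java
import com.yubico.fido.metadata.AuthenticatorStatus;
import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.fido.metadata.FidoMetadataService;
import com.yubico.fido.metadata.FidoMetadataService.Filters;
import com.yubico.fido.metadata.FidoMetadataService.Filters.AuthenticatorToBeFiltered;
import com.yubico.fido.metadata.MetadataBLOBPayloadEntry;
import com.yubico.webauthn.CredentialRepository;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.data.AttestationConveyancePreference;
import com.yubico.webauthn.data.RelyingPartyIdentity;

import java.io.File;
import java.util.EnumSet;
import java.util.Set;
import java.util.function.Predicate;

/** Example (assumed API names): a two-stage trust policy on top of FidoMetadataService. */
public final class TrustedAuthenticatorPolicy {

  // Statuses that should disqualify an entry outright. Enum constant names are
  // assumed to mirror the FIDO MDS status values.
  private static final Set<AuthenticatorStatus> DISQUALIFYING = EnumSet.of(
      AuthenticatorStatus.REVOKED,
      AuthenticatorStatus.USER_VERIFICATION_BYPASS,
      AuthenticatorStatus.ATTESTATION_KEY_COMPROMISE,
      AuthenticatorStatus.USER_KEY_REMOTE_COMPROMISE,
      AuthenticatorStatus.USER_KEY_PHYSICAL_COMPROMISE);

  // Stage 1: prefilter. Evaluated once, at construction, over every BLOB entry.
  // Entries rejected here never enter the lookup index at all. This combines the
  // library's notRevoked() filter with an explicit status-report check.
  static final Predicate<MetadataBLOBPayloadEntry> PREFILTER = Filters.allOf(
      Filters.notRevoked(),
      entry -> entry.getStatusReports().stream()
          .noneMatch(report -> DISQUALIFYING.contains(report.getStatus())));

  // Stage 2: filter. Evaluated on every lookup, with the concrete certificate
  // chain and AAGUID of the authenticator being registered. Here: if the
  // authenticator reported an AAGUID, only trust entries whose own AAGUID matches
  // it, so a certificate-key-identifier-only match cannot stand in for a
  // mismatching device identity.
  static final Predicate<AuthenticatorToBeFiltered> FILTER = candidate -> {
    MetadataBLOBPayloadEntry entry = candidate.getMetadataEntry();
    if (candidate.getAaguid().isPresent()) {
      return entry.getAaguid().isPresent()
          && entry.getAaguid().get().equals(candidate.getAaguid().get());
    }
    // No AAGUID (e.g. a U2F-era device): fall back to the chain-based match.
    return !candidate.getAttestationCertificateChain().isEmpty();
  };

  /** Builds the service from the (cached) FIDO MDS BLOB. Downloader API names are assumed. */
  static FidoMetadataService buildService(File cacheDir) throws Exception {
    FidoMetadataDownloader downloader = FidoMetadataDownloader.builder()
        .expectLegalHeader("Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/")
        .useDefaultTrustRoot()
        .useTrustRootCacheFile(new File(cacheDir, "fido-mds-trust-root.bin"))
        .useDefaultBlob()
        .useBlobCacheFile(new File(cacheDir, "fido-mds-blob.bin"))
        .build();

    return FidoMetadataService.builder()
        .useBlob(downloader.loadCachedBlob())   // BLOB signature is verified by the downloader
        .prefilter(PREFILTER)
        .filter(FILTER)
        .build();
  }

  /** Wires the service in as the attestationTrustSource and makes untrusted attestation fatal. */
  static RelyingParty relyingParty(CredentialRepository credentials, FidoMetadataService mds) {
    return RelyingParty.builder()
        .identity(RelyingPartyIdentity.builder().id("example.org").name("Example RP").build())
        .credentialRepository(credentials)
        .attestationTrustSource(mds)
        .attestationConveyancePreference(AttestationConveyancePreference.DIRECT)
        .allowUntrustedAttestation(false)   // finishRegistration fails if no trusted entry matches
        .build();
  }
}
```

    The point of keeping the AAGUID check in the second stage rather than the prefilter is that only the second stage sees the authenticator actually being registered; the prefilter sees BLOB entries in isolation and can only express policy about the entry itself.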

    • Method Detail

      • findEntries

        public java.util.Set<MetadataBLOBPayloadEntry> findEntries(@NonNull java.util.List<java.security.cert.X509Certificate> attestationCertificateChain,
                                                                   @NonNull java.util.Optional<AAGUID> aaguid)
        Look up metadata entries matching a given attestation certificate chain or AAGUID.
        Parameters:
        attestationCertificateChain - an attestation certificate chain, presumably from a WebAuthn attestation statement.
        aaguid - the AAGUID of the authenticator to look up, if available.
        Returns:
        All metadata entries which satisfy ALL of the following:
        • It satisfies the prefilter.
        • It satisfies AT LEAST ONE of the following:
        • It satisfies the filter together with attestationCertificateChain and aaguid.
        See Also:
        findEntries(List), findEntries(List, AAGUID)
      • findEntries

        public java.util.Set<MetadataBLOBPayloadEntry> findEntries(@NonNull java.util.List<java.security.cert.X509Certificate> attestationCertificateChain)
        Alias of findEntries(attestationCertificateChain, Optional.empty()).
        See Also:
        findEntries(List, Optional)
      • findEntries

        public java.util.Set<MetadataBLOBPayloadEntry> findEntries(@NonNull java.util.List<java.security.cert.X509Certificate> attestationCertificateChain,
                                                                   @NonNull AAGUID aaguid)
        Alias of findEntries(attestationCertificateChain, Optional.of(aaguid)).
        See Also:
        findEntries(List, Optional)
      • findEntries

        public java.util.Set<MetadataBLOBPayloadEntry> findEntries(@NonNull com.yubico.webauthn.RegistrationResult registrationResult)
        Find metadata entries matching the credential represented by registrationResult.

        This is an alias of:

         registrationResult.getAttestationTrustPath()
           .map(atp -> this.findEntries(atp, new AAGUID(registrationResult.getAaguid())))
           .orElseGet(Collections::emptySet)
        See Also:
        findEntries(List, Optional)
      • findEntries

        public java.util.Set<MetadataBLOBPayloadEntry> findEntries(@NonNull java.util.function.Predicate<MetadataBLOBPayloadEntry> filter)
        Retrieve metadata entries matching the given filter.

        Note: The result MAY include fewer results than the number of times the filter returned true, because of possible duplication in the underlying data store.

        Parameters:
        filter - a Predicate which returns true for metadata entries to include in the result.
        Returns:
        All metadata entries which satisfy the prefilter AND for which the filter returns true.
        See Also:
        findEntries(List, Optional)
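        The following is an added example (not part of this Javadoc or the library) that uses the findEntries overloads above after a registration: findEntries(RegistrationResult) to fetch the entries backing a freshly registered credential, and findEntries(Predicate) for an inventory query whose result size can be smaller than the predicate's hit count, as the note above warns. It assumes RegistrationResult.isAttestationTrusted(), MetadataBLOBPayloadEntry.getMetadataStatement(), MetadataStatement.getDescription() and the getAaguid() accessor shape; check them against your library version.

```java
import com.yubico.fido.metadata.FidoMetadataService;
import com.yubico.fido.metadata.MetadataBLOBPayloadEntry;
import com.yubico.fido.metadata.MetadataStatement;
import com.yubico.webauthn.RegistrationResult;

import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;
import java.util.stream.Collectors;

/** Example (assumed API names): post-registration metadata lookup and an inventory query. */
public final class RegistrationMetadataCheck {

  /** Outcome of checking a registration against the metadata service. */
  public static final class Decision {
    public final boolean accepted;
    public final List<String> descriptions;   // human-readable model names, for the audit log

    Decision(boolean accepted, List<String> descriptions) {
      this.accepted = accepted;
      this.descriptions = descriptions;
    }
  }

  /**
   * Accepts the registration only if attestation verified against the trust source AND at
   * least one metadata entry satisfies both filter stages for this credential. The second
   * condition is what findEntries(RegistrationResult) answers; it returns an empty set when
   * the result carries no attestation trust path (e.g. "none" attestation).
   */
  public static Decision check(FidoMetadataService mds, RegistrationResult result) {
    if (!result.isAttestationTrusted()) {
      return new Decision(false, List.of());
    }
    Set<MetadataBLOBPayloadEntry> entries = mds.findEntries(result);
    if (entries.isEmpty()) {
      return new Decision(false, List.of());
    }
    List<String> names = entries.stream()
        .map(RegistrationMetadataCheck::describe)
        .flatMap(Optional::stream)
        .sorted()
        .collect(Collectors.toList());
    return new Decision(true, names);
  }

  /** Pulls the vendor description out of an entry's metadata statement, if it has one. */
  static Optional<String> describe(MetadataBLOBPayloadEntry entry) {
    return entry.getMetadataStatement().flatMap(MetadataStatement::getDescription);
  }

  /**
   * Inventory query via findEntries(Predicate). Because the result is a Set and the BLOB may
   * contain duplicate entries, the returned size can be lower than the number of times the
   * predicate returned true; both numbers are reported so the difference is visible.
   */
  public static int[] countMatches(FidoMetadataService mds, Predicate<MetadataBLOBPayloadEntry> query) {
    AtomicInteger hits = new AtomicInteger();
    Set<MetadataBLOBPayloadEntry> distinct = mds.findEntries(entry -> {
      boolean match = query.test(entry);
      if (match) {
        hits.incrementAndGet();
      }
      return match;
    });
    return new int[] {hits.get(), distinct.size()};
  }

  /** Example predicate: entries that carry an AAGUID (FIDO2 devices rather than U2F-only). */
  public static final Predicate<MetadataBLOBPayloadEntry> HAS_AAGUID =
      entry -> entry.getAaguid().isPresent();
}
```

        Note that findEntries(Predicate) still applies the prefilter before consulting the supplied predicate, so an inventory query never surfaces entries the prefilter already excluded; to audit what the prefilter removed you must inspect the raw BLOB payload instead.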
      • findTrustRoots

        public com.yubico.webauthn.attestation.AttestationTrustSource.TrustRootsResult findTrustRoots​(java.util.List<java.security.cert.X509Certificate> attestationCertificateChain,
                                                                                                      java.util.Optional<com.yubico.webauthn.data.ByteArray> aaguid)
        Specified by:
        findTrustRoots in interface com.yubico.webauthn.attestation.AttestationTrustSource