Package com.yubico.fido.metadata
Class FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2
java.lang.Object
com.yubico.fido.metadata.FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2
Enclosing class: FidoMetadataDownloader.FidoMetadataDownloaderBuilder
Step 2: Configure how to retrieve the FIDO Metadata Service trust root certificate when necessary.
This step offers three mutually exclusive options:
- Use the default download URL and certificate hash. This is the main intended use case. See useDefaultTrustRoot().
- Use a custom download URL and certificate hash. This is for future-proofing in case the trust root certificate changes and there is no new release of this library. See downloadTrustRoot(URL, Set).
- Use a pre-retrieved trust root certificate. It is up to you to perform any integrity checks and cache it as desired. See useTrustRoot(X509Certificate).
Method Summary
- FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 downloadTrustRoot(@NonNull URL url, @NonNull Set<com.yubico.webauthn.data.ByteArray> acceptedCertSha256)
  Download the trust root certificate from the given HTTPS url and verify its SHA-256 hash against acceptedCertSha256.
- FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 useDefaultTrustRoot()
  Download the trust root certificate from a hard-coded URL and verify it against a hard-coded SHA-256 hash.
- FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step4 useTrustRoot(@NonNull X509Certificate trustRootCertificate)
  Use the given trust root certificate.
Method Details

useDefaultTrustRoot
public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 useDefaultTrustRoot()
Download the trust root certificate from a hard-coded URL and verify it against a hard-coded SHA-256 hash. This is an alias of:

    downloadTrustRoot(
        new URL("https://secure.globalsign.com/cacert/root-r3.crt"),
        Collections.singleton(ByteArray.fromHex("cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"))
    )

This is the current FIDO Metadata Service trust root certificate at the time of this library release.
- See Also:
downloadTrustRoot
public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 downloadTrustRoot(@NonNull URL url, @NonNull Set<com.yubico.webauthn.data.ByteArray> acceptedCertSha256)
Download the trust root certificate from the given HTTPS url and verify its SHA-256 hash against acceptedCertSha256.
The certificate will be downloaded if it does not exist in the cache, or if the cached certificate is not currently valid. If the certificate is downloaded, it is also written to the cache File or Consumer configured in the next step.
- Parameters:
  url - the HTTP URL to download. It MUST use the https: scheme.
  acceptedCertSha256 - a set of SHA-256 hashes to verify the downloaded certificate against. The downloaded certificate MUST match at least one of these hashes.
- Throws:
  IllegalArgumentException - if url is not an HTTPS URL.
useTrustRoot
public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step4 useTrustRoot(@NonNull X509Certificate trustRootCertificate)
Use the given trust root certificate. It is the caller's responsibility to perform any integrity checks and/or caching logic.
- Parameters:
  trustRootCertificate - the certificate to use as the FIDO Metadata Service trust root.
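The following helper is an added example and is not code from java-webauthn-server. It spells out the checks that downloadTrustRoot(URL, Set) describes (https-only URL, SHA-256 pin against an accepted set, validity period) and shows how a caller choosing the useTrustRoot(X509Certificate) option can apply the same checks to a pre-retrieved certificate before handing it to the builder. Only the Step2, Step4, ByteArray.fromHex and useTrustRoot names come from this page; the class name PinnedTrustRoot, the method names, and the assumption that the pinned hash is computed over the certificate's DER encoding (what X509Certificate.getEncoded() returns) are the example's own.

```java
import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.webauthn.data.ByteArray;

import java.io.ByteArrayInputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

/**
 * Illustrative helper (not part of java-webauthn-server) showing the checks that
 * downloadTrustRoot(URL, Set) applies, and how a caller of useTrustRoot(X509Certificate)
 * can apply the same pinning before handing over a pre-retrieved certificate.
 */
public final class PinnedTrustRoot {

  /** Default URL and hash, copied from the useDefaultTrustRoot() documentation above. */
  static final URL DEFAULT_TRUST_ROOT_URL;
  static final Set<ByteArray> DEFAULT_TRUST_ROOT_SHA256 =
      Collections.singleton(
          ByteArray.fromHex("cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"));

  static {
    try {
      DEFAULT_TRUST_ROOT_URL = new URL("https://secure.globalsign.com/cacert/root-r3.crt");
    } catch (MalformedURLException e) {
      throw new ExceptionInInitializerError(e);
    }
  }

  /** Same precondition downloadTrustRoot enforces: the URL MUST use the https: scheme. */
  static URL requireHttps(URL url) {
    if (!"https".equalsIgnoreCase(url.getProtocol())) {
      throw new IllegalArgumentException("Trust root URL must use https:, got " + url);
    }
    return url;
  }

  /** Parse a DER- or PEM-encoded X.509 certificate from raw bytes. */
  static X509Certificate parseCertificate(byte[] encoded) throws CertificateException {
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded));
  }

  /**
   * True if SHA-256 over the certificate's DER encoding equals one of the accepted hashes.
   * Assumption (not stated on the page): the pin is over the DER bytes, which is what
   * getEncoded() returns. MessageDigest.isEqual gives a constant-time comparison.
   */
  static boolean matchesAcceptedHash(X509Certificate cert, Set<ByteArray> acceptedSha256)
      throws CertificateException, NoSuchAlgorithmException {
    byte[] actual = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
    boolean matched = false;
    for (ByteArray accepted : acceptedSha256) {
      // Visit every candidate so the loop length does not depend on which hash matches.
      matched |= MessageDigest.isEqual(accepted.getBytes(), actual);
    }
    return matched;
  }

  /**
   * Check a pre-retrieved certificate (validity period and hash pin) the way the
   * downloader would, then pass it to Step2.useTrustRoot. The Step2 instance is the
   * builder state reached after the preceding step and is assumed to be supplied by the caller.
   */
  static FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step4 usePinnedTrustRoot(
      FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2 step2,
      byte[] encodedCert,
      Set<ByteArray> acceptedSha256)
      throws CertificateException, NoSuchAlgorithmException {
    X509Certificate cert = parseCertificate(encodedCert);
    cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
    if (!matchesAcceptedHash(cert, acceptedSha256)) {
      throw new SecurityException(
          "Trust root certificate does not match any accepted SHA-256 hash: "
              + cert.getSubjectX500Principal());
    }
    return step2.useTrustRoot(cert);
  }
}
```

When the certificate bytes were fetched by your own code (for example from an internal mirror), calling usePinnedTrustRoot(step2, bytes, PinnedTrustRoot.DEFAULT_TRUST_ROOT_SHA256) gives the same pin as useDefaultTrustRoot() while leaving caching under your control, which is exactly the division of responsibility the useTrustRoot documentation describes. requireHttps is included only to mirror the IllegalArgumentException contract of downloadTrustRoot; the library performs the actual download itself.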