Class FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2

java.lang.Object
com.yubico.fido.metadata.FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2
Enclosing class:
FidoMetadataDownloader.FidoMetadataDownloaderBuilder

public static class FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2 extends Object
Step 2: Configure how to retrieve the FIDO Metadata Service trust root certificate when necessary.

This step offers three mutually exclusive options:

  1. Use the default download URL and certificate hash. This is the main intended use case. See useDefaultTrustRoot().
  2. Use a custom download URL and certificate hash. This is for future-proofing in case the trust root certificate changes and there is no new release of this library. See downloadTrustRoot(URL, Set).
  3. Use a pre-retrieved trust root certificate. It is up to you to perform any integrity checks and cache it as desired. See useTrustRoot(X509Certificate).
  • Method Details

    • useDefaultTrustRoot

      public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 useDefaultTrustRoot()
      Download the trust root certificate from a hard-coded URL and verify it against a hard-coded SHA-256 hash.

      This is an alias of:

       downloadTrustRoot(
         new URL("https://secure.globalsign.com/cacert/root-r3.crt"),
         Collections.singleton(ByteArray.fromHex("cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"))
       )
       
      This is the current FIDO Metadata Service trust root certificate (GlobalSign Root R3) at the time of this library release; the pinned value is the SHA-256 fingerprint of the DER-encoded certificate. If the trust root is rotated before a new library release, switch to downloadTrustRoot(URL, Set) with the new hash (and, during a transition, both hashes) instead of disabling the check.
      See Also:
      downloadTrustRoot(URL, Set)
    • downloadTrustRoot

      public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 downloadTrustRoot(@NonNull URL url, @NonNull Set<com.yubico.webauthn.data.ByteArray> acceptedCertSha256)
      Download the trust root certificate from the given HTTPS url and verify its SHA-256 hash against acceptedCertSha256. A certificate whose hash matches none of the accepted values is rejected, so the TLS connection alone is not what establishes trust in the root; the pinned hash set is.

      The certificate will be downloaded if it does not exist in the cache, or if the cached certificate is not currently valid.

      If the cert is downloaded, it is also written to the cache File or Consumer configured in the next step.

      Parameters:
      url - the URL to download the certificate from. It MUST use the https: scheme.
      acceptedCertSha256 - a set of SHA-256 hashes (of the DER-encoded certificate) to verify the downloaded certificate against. The downloaded certificate MUST match at least one of these hashes. Supplying more than one hash lets you accept both the current and a successor trust root during a rotation.
      Throws:
      IllegalArgumentException - if url is not an HTTPS URL.
    • useTrustRoot

      public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step4 useTrustRoot(@NonNull X509Certificate trustRootCertificate)
      Use the given trust root certificate. Because this skips the download step, it also skips the trust root cache step (Step 3) and proceeds directly to Step 4. It is the caller's responsibility to perform any integrity checks (for example, verifying the certificate's SHA-256 fingerprint against a pinned value and checking its validity period) and/or caching logic.
      Parameters:
      trustRootCertificate - the certificate to use as the FIDO Metadata Service trust root.
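The following is an added example, not code from this page or from the java-webauthn-server project, showing options 2 and 3 side by side: a custom download URL pinned to both the current and a successor hash (so a trust root rotation can be rolled out without a window where the check is disabled), and a pre-retrieved certificate where the caller performs the fingerprint and validity checks that downloadTrustRoot(URL, Set) would otherwise do. Only useDefaultTrustRoot(), downloadTrustRoot(URL, Set), useTrustRoot(X509Certificate) and the hash on this page are taken from the page; the other builder steps (expectLegalHeader, useTrustRootCacheFile, useDefaultBlob, useBlobCacheFile), the file names, the legalHeader parameter and the successor hash argument are assumptions to be checked against the library version you use.

```java
import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.webauthn.data.ByteArray;

import java.io.File;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

public class MdsTrustRootExample {

    // SHA-256 fingerprint of the current MDS trust root (GlobalSign Root R3), as pinned
    // by useDefaultTrustRoot() on this page.
    static final ByteArray ROOT_R3_SHA256 = ByteArray.fromHex(
        "cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b");

    /**
     * Option 2: custom URL with an accepted-hash set. Pinning both the current and the
     * successor fingerprint lets the same configuration work before and after a rotation.
     * The legal header must match the BLOB's header exactly; pass the text from the
     * library documentation rather than hard-coding a guess here.
     */
    static FidoMetadataDownloader pinnedDownloader(String legalHeader,
                                                   URL trustRootUrl,          // must be https:
                                                   ByteArray successorSha256) { // assumed rotation value
        Set<ByteArray> accepted = Set.of(ROOT_R3_SHA256, successorSha256);
        return FidoMetadataDownloader.builder()
            .expectLegalHeader(legalHeader)                          // Step 1 (assumed name)
            .downloadTrustRoot(trustRootUrl, accepted)               // Step 2 (from this page)
            .useTrustRootCacheFile(new File("mds-trust-root.der"))   // Step 3 (assumed name)
            .useDefaultBlob()                                        // Step 4 (assumed name)
            .useBlobCacheFile(new File("mds-blob.jwt"))              // Step 5 (assumed name)
            .build();
    }

    /**
     * Option 3 prerequisite: load a pre-retrieved certificate (PEM or DER) and perform the
     * checks the library no longer does for you: validity period and fingerprint pinning.
     */
    static X509Certificate loadAndVerifyTrustRoot(Path certFile, Set<ByteArray> acceptedSha256)
            throws Exception {
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certFile)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException

        // Same quantity the library pins: SHA-256 over the DER encoding of the certificate.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        ByteArray fingerprint = new ByteArray(digest);
        if (!acceptedSha256.contains(fingerprint)) {
            throw new SecurityException("Trust root fingerprint " + fingerprint.getHex()
                + " is not in the accepted set; refusing to use it");
        }
        return cert;
    }

    /** Option 3: useTrustRoot(X509Certificate) skips Step 3, so no trust root cache is configured. */
    static FidoMetadataDownloader preRetrievedDownloader(String legalHeader, Path certFile)
            throws Exception {
        X509Certificate root = loadAndVerifyTrustRoot(certFile, Set.of(ROOT_R3_SHA256));
        return FidoMetadataDownloader.builder()
            .expectLegalHeader(legalHeader)                          // Step 1 (assumed name)
            .useTrustRoot(root)                                      // Step 2 -> Step 4 (from this page)
            .useDefaultBlob()                                        // Step 4 (assumed name)
            .useBlobCacheFile(new File("mds-blob.jwt"))              // Step 5 (assumed name)
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a hypothetical mirror URL and a placeholder successor hash.
        URL mirror = new URL("https://mds-mirror.example.internal/root-r3.crt");
        ByteArray successor = ByteArray.fromHex("00".repeat(32)); // placeholder, not a real fingerprint
        FidoMetadataDownloader viaDownload = pinnedDownloader(args[0], mirror, successor);

        FidoMetadataDownloader viaFile = preRetrievedDownloader(args[0], Path.of("root-r3.crt"));
        System.out.println("Configured: " + viaDownload + " and " + viaFile);
    }
}
```

Option 3 is the one to reach for in air-gapped or egress-restricted deployments, but note what it gives up: loadAndVerifyTrustRoot performs the fingerprint and validity checks once at startup, whereas downloadTrustRoot re-fetches a cached certificate that is no longer valid. If you ship the certificate with your application, tie its refresh to your release process so an expired root does not silently stop metadata verification.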