Package com.yubico.fido.metadata
Class FidoMetadataDownloader
java.lang.Object
com.yubico.fido.metadata.FidoMetadataDownloader
Utility for downloading, caching and verifying Fido Metadata Service BLOBs and associated
 certificates.
 
This class is NOT THREAD SAFE since it reads and writes caches. However, it has no internal
 mutable state, so instances MAY be reused in single-threaded or externally synchronized contexts.
 See also the loadCachedBlob() and refreshBlob() methods.
 
Use the builder to configure settings, then use the loadCachedBlob() and refreshBlob() methods to load the metadata BLOB.
- 
Nested Class SummaryNested ClassesModifier and TypeClassDescriptionstatic class
- 
Method SummaryModifier and TypeMethodDescriptionbuilder()Begin configuring aFidoMetadataDownloaderinstance.Load the metadata BLOB from cache, or download a fresh one if necessary.Download and cache a fresh metadata BLOB, or read it from cache if the downloaded BLOB is not up to date.
- 
Method Details- 
builderBegin configuring aFidoMetadataDownloaderinstance. See theStep1type.
- 
loadCachedBlobpublic MetadataBLOB loadCachedBlob() throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException, CertificateException, IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnexpectedLegalHeader, DigestException, FidoMetadataDownloaderExceptionLoad the metadata BLOB from cache, or download a fresh one if necessary.This method is NOT THREAD SAFE since it reads and writes caches. On each execution this will, in order: - Download the trust root certificate, if necessary: if the cache is empty, the cache fails
       to load, or the cached cert is not valid at the current time (as determined by the clocksetting).
- If downloaded, cache the trust root certificate using the configured FileorConsumer(seeFidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3)
- Download the metadata BLOB, if necessary: if the cache is empty, the cache fails to load,
       or the "nextUpdate"property in the cached BLOB is the current date (as determined by theclocksetting) or earlier.
- Check the "no"property of the downloaded BLOB, if any, and compare it with the"no"of the cached BLOB, if any. The one with a greater"no"overrides the other, even if its"nextUpdate"is in the past.
- If a BLOB with a newer "no"was downloaded, verify that the value of its"legalHeader"appears in the configuredexpectLegalHeadersetting. If not, throw anUnexpectedLegalHeaderexception containing the cached BLOB, if any, and the downloaded BLOB.
- If a BLOB with a newer "no"was downloaded and had an expected"legalHeader", cache the new BLOB using the configuredFileorConsumer(seeFidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step5).
 "legalHeader"as necessary. You may therefore reuse aFidoMetadataDownloaderinstance and, for example, call this method periodically to refresh the BLOB when appropriate. Each call will return a newMetadataBLOBinstance; ones already returned will not be updated by subsequent calls.- Returns:
- the successfully retrieved and validated metadata BLOB.
- Throws:
- Base64UrlException- if the explicitly configured or newly downloaded BLOB is not a well-formed JWT in compact serialization.
- CertPathValidatorException- if the explicitly configured or newly downloaded BLOB fails certificate path validation.
- CertificateException- if the trust root certificate was downloaded and passed the SHA-256 integrity check, but does not contain a currently valid X.509 DER certificate; or if the BLOB signing certificate chain fails to parse.
- DigestException- if the trust root certificate was downloaded but failed the SHA-256 integrity check.
- FidoMetadataDownloaderException- if the explicitly configured or newly downloaded BLOB (if any) has a bad signature and there is no cached BLOB to fall back to.
- IOException- if any of the following fails: downloading the trust root certificate, downloading the BLOB, reading or writing any cache file (if any), or parsing the BLOB contents.
- InvalidAlgorithmParameterException- if certificate path validation fails.
- InvalidKeyException- if signature verification fails.
- NoSuchAlgorithmException- if signature verification fails, or if the SHA-256 algorithm is not available.
- SignatureException- if signature verification fails.
- UnexpectedLegalHeader- if the downloaded BLOB (if any) contains a- "legalHeader"value not configured in- expectLegalHeader(String...)but is otherwise valid. The downloaded BLOB will not be written to cache in this case.
 
- Download the trust root certificate, if necessary: if the cache is empty, the cache fails
       to load, or the cached cert is not valid at the current time (as determined by the 
- 
refreshBlobpublic MetadataBLOB refreshBlob() throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException, CertificateException, IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnexpectedLegalHeader, DigestException, FidoMetadataDownloaderExceptionDownload and cache a fresh metadata BLOB, or read it from cache if the downloaded BLOB is not up to date.This method is NOT THREAD SAFE since it reads and writes caches. On each execution this will, in order: - Download the trust root certificate, if necessary: if the cache is empty, the cache fails
       to load, or the cached cert is not valid at the current time (as determined by the clocksetting).
- If downloaded, cache the trust root certificate using the configured FileorConsumer(seeFidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3)
- Download the metadata BLOB.
- Check the "no"property of the downloaded BLOB and compare it with the"no"of the cached BLOB, if any. The one with a greater"no"overrides the other, even if its"nextUpdate"is in the past.
- If the downloaded BLOB has a newer "no", or if no BLOB was cached, verify that the value of the downloaded BLOB's"legalHeader"appears in the configuredexpectLegalHeadersetting. If not, throw anUnexpectedLegalHeaderexception containing the cached BLOB, if any, and the downloaded BLOB.
- If the downloaded BLOB has an expected "legalHeader", cache it using the configuredFileorConsumer(seeFidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step5).
 "legalHeader"as necessary. You may therefore reuse aFidoMetadataDownloaderinstance and, for example, call this method periodically to refresh the BLOB. Each call will return a newMetadataBLOBinstance; ones already returned will not be updated by subsequent calls.- Returns:
- the successfully retrieved and validated metadata BLOB.
- Throws:
- Base64UrlException- if the explicitly configured or newly downloaded BLOB is not a well-formed JWT in compact serialization.
- CertPathValidatorException- if the explicitly configured or newly downloaded BLOB fails certificate path validation.
- CertificateException- if the trust root certificate was downloaded and passed the SHA-256 integrity check, but does not contain a currently valid X.509 DER certificate; or if the BLOB signing certificate chain fails to parse.
- DigestException- if the trust root certificate was downloaded but failed the SHA-256 integrity check.
- FidoMetadataDownloaderException- if the explicitly configured or newly downloaded BLOB (if any) has a bad signature and there is no cached BLOB to fall back to.
- IOException- if any of the following fails: downloading the trust root certificate, downloading the BLOB, reading or writing any cache file (if any), or parsing the BLOB contents.
- InvalidAlgorithmParameterException- if certificate path validation fails.
- InvalidKeyException- if signature verification fails.
- NoSuchAlgorithmException- if signature verification fails, or if the SHA-256 algorithm is not available.
- SignatureException- if signature verification fails.
- UnexpectedLegalHeader- if the downloaded BLOB (if any) contains a- "legalHeader"value not configured in- expectLegalHeader(String...)but is otherwise valid. The downloaded BLOB will not be written to cache in this case.
 
- Download the trust root certificate, if necessary: if the cache is empty, the cache fails
       to load, or the cached cert is not valid at the current time (as determined by the 
 
-