Package com.yubico.fido.metadata

Class FidoMetadataService

java.lang.Object

com.yubico.fido.metadata.FidoMetadataService

All Implemented Interfaces:

AttestationTrustSource

public final class FidoMetadataService
extends Object
implements AttestationTrustSource

Utility for filtering and querying Fido Metadata Service BLOB entries.

This class implements AttestationTrustSource, so it can be configured as the attestationTrustSource setting in RelyingParty. This implementation always sets enableRevocationChecking(false), because the FIDO MDS has its own revocation procedures and not all attestation certificates provide CRLs; and always sets policyTreeValidator to accept any policy tree, because a Windows Hello attestation certificate is known to include a critical certificate policies extension.

The metadata service may be configured with two stages of filters to select trusted authenticators. The first stage is the prefilter setting, which is executed once when the FidoMetadataService instance is constructed. The second stage is the filter setting, which is executed whenever metadata or trust roots are to be looked up for a given authenticator. Any metadata entry that satisfies both filters will be considered trusted.

Use the builder to configure settings, then use the findEntries(List, AAGUID) method or its overloads to retrieve metadata entries.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	FidoMetadataService.FidoMetadataServiceBuilder
static class	FidoMetadataService.Filters	Preconfigured filters and utilities for combining filters.

Nested classes/interfaces inherited from interface com.yubico.webauthn.attestation.AttestationTrustSource

AttestationTrustSource.TrustRootsResult

Method Summary

Modifier and Type	Method	Description
static FidoMetadataService.FidoMetadataServiceBuilder.Step1	builder()
Set<MetadataBLOBPayloadEntry>	findEntries(@NonNull AAGUID aaguid)	Find metadata entries matching the given AAGUID.
Set<MetadataBLOBPayloadEntry>	findEntries(@NonNull RegistrationResult registrationResult)	Find metadata entries matching the credential represented by registrationResult.
Set<MetadataBLOBPayloadEntry>	findEntries(@NonNull Predicate<MetadataBLOBPayloadEntry> filter)	Retrieve metadata entries matching the given filter.
Set<MetadataBLOBPayloadEntry>	findEntries(@NonNull List<X509Certificate> attestationCertificateChain)	Alias of findEntries(attestationCertificateChain, Optional.empty()).
Set<MetadataBLOBPayloadEntry>	findEntries(@NonNull List<X509Certificate> attestationCertificateChain, @NonNull AAGUID aaguid)	Alias of findEntries(attestationCertificateChain, Optional.of(aaguid)).
Set<MetadataBLOBPayloadEntry>	findEntries(@NonNull List<X509Certificate> attestationCertificateChain, @NonNull Optional<AAGUID> aaguid)	Look up metadata entries matching a given attestation certificate chain or AAGUID.
AttestationTrustSource.TrustRootsResult	findTrustRoots(List<X509Certificate> attestationCertificateChain, Optional<ByteArray> aaguid)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

builder

public static FidoMetadataService.FidoMetadataServiceBuilder.Step1 builder()

findEntries

public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull
 @NonNull List<X509Certificate> attestationCertificateChain,
 @NonNull
 @NonNull Optional<AAGUID> aaguid)

Look up metadata entries matching a given attestation certificate chain or AAGUID.

Parameters:

attestationCertificateChain - an attestation certificate chain, presumably from a WebAuthn attestation statement.

aaguid - the AAGUID of the authenticator to look up, if available.

Returns:

All metadata entries which satisfy ALL of the following:

• It satisfies the prefilter.
• It satisfies AT LEAST ONE of the following:
  • _aaguid is present and equals the AAGUID of the metadata entry.
  • _aaguid is present and equals the AAGUID of the metadata statement, if any, in the metadata entry.
  • The certificate subject key identifier of any certificate in attestationCertificateChain matches any element of attestationCertificateKeyIdentifiers in the metadata entry.
  • The certificate subject key identifier of any certificate in attestationCertificateChain matches any element of attestationCertificateKeyIdentifiers in the metadata statement, if any, in the metadata entry.
• It satisfies the filter together with attestationCertificateChain and _aaguid.

In the above, _aaguid is the first of the following that is present and not zero, or empty otherwise:

• The aaguid argument.
• The value of the X.509 extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid), if any, in the first certificate in attestationCertificateChain, if any.

See Also:

• findEntries(List)
• findEntries(List, AAGUID)

findEntries

public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull
 @NonNull List<X509Certificate> attestationCertificateChain)

Alias of findEntries(attestationCertificateChain, Optional.empty()).

See Also:

• findEntries(List, Optional)

findEntries

public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull
 @NonNull List<X509Certificate> attestationCertificateChain,
 @NonNull
 @NonNull AAGUID aaguid)

Alias of findEntries(attestationCertificateChain, Optional.of(aaguid)).

See Also:

• findEntries(List, Optional)

findEntries

public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull
 @NonNull RegistrationResult registrationResult)

Find metadata entries matching the credential represented by registrationResult.

This is an alias of:

 registrationResult.getAttestationTrustPath()
   .map(atp -> this.findEntries(atp, new AAGUID(registrationResult.getAaguid())))
   .orElseGet(Collections::emptySet)
 

See Also:

• findEntries(List, Optional)

findEntries

public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull
 @NonNull AAGUID aaguid)

Find metadata entries matching the given AAGUID.

See Also:

• findEntries(List, Optional)

findEntries

public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull
 @NonNull Predicate<MetadataBLOBPayloadEntry> filter)

Retrieve metadata entries matching the given filter.

Note: The result MAY include fewer results than the number of times the filter returned true, because of possible duplication in the underlying data store.

Parameters:

filter - a Predicate which returns true for metadata entries to include in the result.

Returns:

All metadata entries which satisfy the prefilter AND for which the filter returns true.

See Also:

• findEntries(List, Optional)

findTrustRoots

public AttestationTrustSource.TrustRootsResult findTrustRoots(List<X509Certificate> attestationCertificateChain,
 Optional<ByteArray> aaguid)

Specified by:

findTrustRoots in interface AttestationTrustSource