Package com.yubico.fido.metadata

Class FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2

java.lang.Object

com.yubico.fido.metadata.FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2

Enclosing class:

FidoMetadataDownloader.FidoMetadataDownloaderBuilder

public static class FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step2
extends Object

Step 2: Configure how to retrieve the FIDO Metadata Service trust root certificate when necessary.

This step offers three mutually exclusive options:

1. Use the default download URL and certificate hash. This is the main intended use case. See useDefaultTrustRoot().
2. Use a custom download URL and certificate hash. This is for future-proofing in case the trust root certificate changes and there is no new release of this library. See downloadTrustRoot(URL, Set).
3. Use a pre-retrieved trust root certificate. It is up to you to perform any integrity checks and cache it as desired. See useTrustRoot(X509Certificate).

Method Summary

Modifier and Type	Method	Description
FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3	downloadTrustRoot(@NonNull URL url, @NonNull Set<ByteArray> acceptedCertSha256)	Download the trust root certificate from the given HTTPS url and verify its SHA-256 hash against acceptedCertSha256.
FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3	useDefaultTrustRoot()	Download the trust root certificate from a hard-coded URL and verify it against a hard-coded SHA-256 hash.
FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step4	useTrustRoot(@NonNull X509Certificate trustRootCertificate)	Use the given trust root certificate.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

useDefaultTrustRoot

public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 useDefaultTrustRoot()

Download the trust root certificate from a hard-coded URL and verify it against a hard-coded SHA-256 hash.

This is an alias of:

 downloadTrustRoot(
   new URL("https://secure.globalsign.com/cacert/root-r3.crt"),
   Collections.singleton(ByteArray.fromHex("cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"))
 )
 

This is the current FIDO Metadata Service trust root certificate at the time of this library release.

See Also:

• downloadTrustRoot(URL, Set)

downloadTrustRoot

public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step3 downloadTrustRoot(@NonNull
 @NonNull URL url,
 @NonNull
 @NonNull Set<ByteArray> acceptedCertSha256)

Download the trust root certificate from the given HTTPS url and verify its SHA-256 hash against acceptedCertSha256.

The certificate will be downloaded if it does not exist in the cache, or if the cached certificate is not currently valid.

If the cert is downloaded, it is also written to the cache File or Consumer configured in the next step.

Parameters:

url - the HTTP URL to download. It MUST use the https: scheme.

acceptedCertSha256 - a set of SHA-256 hashes to verify the downloaded certificate against. The downloaded certificate MUST match at least one of these hashes.

Throws:

IllegalArgumentException - if url is not a HTTPS URL.

useTrustRoot

public FidoMetadataDownloader.FidoMetadataDownloaderBuilder.Step4 useTrustRoot(@NonNull
 @NonNull X509Certificate trustRootCertificate)

Use the given trust root certificate. It is the caller's responsibility to perform any integrity checks and/or caching logic.

Parameters:

trustRootCertificate - the certificate to use as the FIDO Metadata Service trust root.