Package com.yubico.webauthn.attestation
Interface AttestationTrustSource
public interface AttestationTrustSource
Abstraction of a repository which can look up trust roots for authenticator attestation.
Nested Class Summary

Modifier and Type   Nested Class                              Description
static class        AttestationTrustSource.TrustRootsResult   A result of looking up attestation trust roots for a particular attestation statement.
Method Summary

Modifier and Type                          Method                                                                                                                           Description
AttestationTrustSource.TrustRootsResult    findTrustRoots(java.util.List<java.security.cert.X509Certificate> attestationCertificateChain, java.util.Optional<ByteArray> aaguid)   Attempt to look up attestation trust roots for an authenticator.
Method Detail
findTrustRoots
AttestationTrustSource.TrustRootsResult findTrustRoots(java.util.List<java.security.cert.X509Certificate> attestationCertificateChain, java.util.Optional<ByteArray> aaguid)

Attempt to look up attestation trust roots for an authenticator.

Note that it is possible for the same trust root to be used for different certificate chains. For example, an authenticator vendor may make two different authenticator models, each with its own attestation leaf certificate but both signed by the same attestation root certificate. If a Relying Party trusts one of those authenticator models but not the other, then its implementation of this method MUST return an empty set for the untrusted certificate chain. In other words, the decision is per authenticator model (identified by its AAGUID or its attestation leaf certificate), not per root certificate: returning the shared root for every chain it signed would grant trust to the untrusted model as well.
Parameters:
attestationCertificateChain - the attestation certificate chain for the authenticator.
aaguid - the AAGUID of the authenticator, if available.
Returns:
A set of attestation root certificates trusted to attest for this authenticator, if any are available. If no trust roots are found, or if this authenticator is not trusted, return an empty result. Implementations MAY reuse the same result object, or parts of it, for multiple calls of this method, even with different arguments, but MUST return an empty set of trust roots for authenticators that should not be trusted.
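Added example, not part of this Javadoc or of the java-webauthn-server library: an implementation of this interface that makes the per-model decision described above. Trust roots are keyed by AAGUID where the attestation statement carries one, and by the SHA-256 fingerprint of the attestation leaf certificate otherwise (for example FIDO U2F attestation, which has no AAGUID). A model that is absent from both allowlists gets an empty set, even if its chain is signed by a root that is trusted for another model. The class and field names are hypothetical; the code assumes TrustRootsResult is built with `TrustRootsResult.builder().trustRoots(...).build()`, that ByteArray has value equality so it can serve as a map key, and that element 0 of the chain is the leaf certificate (the x5c ordering).

```java
import com.yubico.webauthn.attestation.AttestationTrustSource;
import com.yubico.webauthn.data.ByteArray;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Hypothetical AttestationTrustSource that trusts specific authenticator models,
 * not whole vendor roots. Selection only: certificate path validation against the
 * returned roots is left to the library, as the interface contract implies.
 */
public final class AllowlistAttestationTrustSource implements AttestationTrustSource {

  /** Shared "not trusted" result; the interface permits reusing result objects. */
  private static final TrustRootsResult UNTRUSTED =
      TrustRootsResult.builder().trustRoots(Collections.emptySet()).build();

  /** AAGUID -> roots trusted to attest for that model (assumed ByteArray equality). */
  private final Map<ByteArray, Set<X509Certificate>> rootsByAaguid;

  /** SHA-256 of the DER leaf certificate -> roots, for attestations without an AAGUID. */
  private final Map<ByteArray, Set<X509Certificate>> rootsByLeafFingerprint;

  public AllowlistAttestationTrustSource(
      Map<ByteArray, Set<X509Certificate>> rootsByAaguid,
      Map<ByteArray, Set<X509Certificate>> rootsByLeafFingerprint) {
    this.rootsByAaguid = Collections.unmodifiableMap(new HashMap<>(rootsByAaguid));
    this.rootsByLeafFingerprint =
        Collections.unmodifiableMap(new HashMap<>(rootsByLeafFingerprint));
  }

  @Override
  public TrustRootsResult findTrustRoots(
      List<X509Certificate> attestationCertificateChain, Optional<ByteArray> aaguid) {
    if (attestationCertificateChain == null || attestationCertificateChain.isEmpty()) {
      return UNTRUSTED; // nothing to validate against, so nothing can be trusted
    }

    // 1. Model identified by AAGUID (packed, TPM, Android Key attestation, ...).
    //    Two models under the same vendor root are distinguished here: only the
    //    AAGUIDs present in the map get that root back.
    if (aaguid.isPresent()) {
      return resultFor(rootsByAaguid.get(aaguid.get()));
    }

    // 2. No AAGUID (e.g. FIDO U2F attestation): identify the model by its leaf
    //    certificate. Assumes element 0 is the leaf, as in the x5c ordering.
    X509Certificate leaf = attestationCertificateChain.get(0);
    try {
      byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
      return resultFor(rootsByLeafFingerprint.get(new ByteArray(digest)));
    } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
      return UNTRUSTED; // fail closed: an unhashable leaf is not an allowlisted model
    }
  }

  /** Empty set for unknown models; the contract requires that for untrusted chains. */
  private static TrustRootsResult resultFor(Set<X509Certificate> roots) {
    if (roots == null || roots.isEmpty()) {
      return UNTRUSTED;
    }
    return TrustRootsResult.builder().trustRoots(roots).build();
  }
}
```

To populate the maps, load each vendor root with `CertificateFactory.getInstance("X.509")` and build AAGUID keys with `ByteArray.fromHex(...)` from the vendor's published AAGUID; a root shared by two models can appear under two AAGUID keys, and leaving a model's AAGUID out of the map is what produces the empty set the contract demands. Keep the allowlists in configuration rather than code so that adding or revoking trust for a model does not require a rebuild.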