Interface AttestationTrustSource

public interface AttestationTrustSource
Abstraction of a repository which can look up trust roots for authenticator attestation.
  • Method Details

    • findTrustRoots

      AttestationTrustSource.TrustRootsResult findTrustRoots(List<X509Certificate> attestationCertificateChain, Optional<ByteArray> aaguid)
      Attempt to look up attestation trust roots for an authenticator.

      Note that it is possible for the same trust root to be used for different certificate chains. For example, an authenticator vendor may make two different authenticator models, each with its own attestation leaf certificate but both signed by the same attestation root certificate. If a Relying Party trusts one of those authenticator models but not the other, then its implementation of this method MUST return an empty set for the untrusted certificate chain.

      attestationCertificateChain - the attestation certificate chain for the authenticator.
      aaguid - the AAGUID of the authenticator, if available.
      A set of attestation root certificates trusted to attest for this authenticator, if any are available. If no trust roots are found, or if this authenticator is not trusted, return an empty result. Implementations MAY reuse the same result object, or parts of it, for multiple calls of this method, even with different arguments, but MUST return an empty set of trust roots for authenticators that should not be trusted.