Package com.yubico.webauthn

Class RelyingParty

java.lang.Object

com.yubico.webauthn.RelyingParty

public final class RelyingParty
extends Object

Encapsulates the four basic Web Authentication operations - start/finish registration, start/finish authentication - along with overall operational settings for them.

This class has no mutable state. An instance of this class may therefore be thought of as a container for specialized versions (function closures) of these four operations rather than a stateful object.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	RelyingParty.RelyingPartyBuilder

Method Summary

Modifier and Type	Method	Description
static RelyingParty.RelyingPartyBuilder.MandatoryStages	builder()
boolean	equals(Object o)
AssertionResult	finishAssertion(FinishAssertionOptions finishAssertionOptions)
RegistrationResult	finishRegistration(FinishRegistrationOptions finishRegistrationOptions)
@NonNull Optional<AppId>	getAppId()	The extension input to set for the appid and appidExclude extensions.
@NonNull Optional<AttestationConveyancePreference>	getAttestationConveyancePreference()	The argument for the attestation parameter in registration operations.
@NonNull Optional<AttestationTrustSource>	getAttestationTrustSource()	An AttestationTrustSource instance to use for looking up trust roots for authenticator attestation.
@NonNull Clock	getClock()	A Clock which will be used to tell the current time while verifying attestation certificate chains.
@NonNull CredentialRepository	getCredentialRepository()	An abstract database which can look up credentials, usernames and user handles from usernames, user handles and credential IDs.
@NonNull RelyingPartyIdentity	getIdentity()	The RelyingPartyIdentity that will be set as the rp parameter when initiating registration operations, and which AuthenticatorData.getRpIdHash() will be compared against.
@NonNull Set<String>	getOrigins()	The allowed origins that returned authenticator responses will be compared against.
@NonNull List<PublicKeyCredentialParameters>	getPreferredPubkeyParams()	The argument for the pubKeyCredParams parameter in registration operations.
int	hashCode()
boolean	isAllowOriginPort()	If true, the origin matching rule is relaxed to allow any port number.
boolean	isAllowOriginSubdomain()	If true, the origin matching rule is relaxed to allow any subdomain, of any depth, of the values of origins.
boolean	isAllowUntrustedAttestation()	If false, finishRegistration will only allow registrations where the attestation signature can be linked to a trusted attestation root.
boolean	isValidateSignatureCounter()	If true, finishAssertion will succeed only if the signature counter value in the response is strictly greater than the stored signature counter value, or if both counters are exactly zero.
AssertionRequest	startAssertion(StartAssertionOptions startAssertionOptions)
PublicKeyCredentialCreationOptions	startRegistration(StartRegistrationOptions startRegistrationOptions)
RelyingParty.RelyingPartyBuilder	toBuilder()
String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Details

startRegistration

public PublicKeyCredentialCreationOptions startRegistration(StartRegistrationOptions startRegistrationOptions)

finishRegistration

public RegistrationResult finishRegistration(FinishRegistrationOptions finishRegistrationOptions)
                                      throws RegistrationFailedException

Throws:

RegistrationFailedException

startAssertion

public AssertionRequest startAssertion(StartAssertionOptions startAssertionOptions)

finishAssertion

public AssertionResult finishAssertion(FinishAssertionOptions finishAssertionOptions)
                                throws AssertionFailedException

Throws:

InvalidSignatureCountException - if validateSignatureCounter is true, the signature count in the response is less than or equal to the stored signature count, and at least one of the signature count values is nonzero.

AssertionFailedException - if validation fails for any other reason.

builder

public static RelyingParty.RelyingPartyBuilder.MandatoryStages builder()

toBuilder

public RelyingParty.RelyingPartyBuilder toBuilder()

getIdentity

@NonNull
public @NonNull RelyingPartyIdentity getIdentity()

The RelyingPartyIdentity that will be set as the rp parameter when initiating registration operations, and which AuthenticatorData.getRpIdHash() will be compared against. This is a required parameter.

A successful registration or authentication operation requires AuthenticatorData.getRpIdHash() to exactly equal the SHA-256 hash of this member's id member. Alternatively, it may instead equal the SHA-256 hash of appId if the latter is present.

See Also:

• startRegistration(StartRegistrationOptions)
• PublicKeyCredentialCreationOptions

getOrigins

@NonNull
public @NonNull Set<String> getOrigins()

The allowed origins that returned authenticator responses will be compared against.

The default is the set containing only the string "https://" + getIdentity().getId().

If allowOriginPort and allowOriginSubdomain are both false (the default), then a successful registration or authentication operation requires CollectedClientData.getOrigin() to exactly equal one of these values.

If allowOriginPort is true , then the above rule is relaxed to allow any port number in CollectedClientData.getOrigin(), regardless of any port specified.

If allowOriginSubdomain is true, then the above rule is relaxed to allow any subdomain, of any depth, of any of these values.

For either of the above relaxations to take effect, both the allowed origin and the client data origin must be valid URLs. Origins that are not valid URLs are matched only by exact string equality.

See Also:

• getIdentity()

getCredentialRepository

@NonNull
public @NonNull CredentialRepository getCredentialRepository()

An abstract database which can look up credentials, usernames and user handles from usernames, user handles and credential IDs. This is a required parameter.

This is used to look up:

• the user handle for a user logging in via user name
• the user name for a user logging in via user handle
• the credential IDs to include in PublicKeyCredentialCreationOptions.getExcludeCredentials()
• the credential IDs to include in PublicKeyCredentialRequestOptions.getAllowCredentials()
• that the correct user owns the credential when verifying an assertion
• the public key to use to verify an assertion
• the stored signature counter when verifying an assertion

getAppId

@NonNull
public @NonNull Optional<AppId> getAppId()

The extension input to set for the appid and appidExclude extensions.

You do not need this extension if you have not previously supported U2F. Its purpose is to make already-registered U2F credentials forward-compatible with the WebAuthn API. It is not needed for new registrations, even of U2F authenticators.

If this member is set, startAssertion will automatically set the appid extension input, and finishAssertion will adjust its verification logic to also accept this AppID as an alternative to the RP ID. Likewise, startRegistration(StartRegistrationOptions) startRegistration} will automatically set the appidExclude extension input.

By default, this is not set.

See Also:

• AssertionExtensionInputs.getAppid()
• RegistrationExtensionInputs.getAppidExclude()
• §10.1. FIDO AppID Extension (appid)
• §10.2. FIDO AppID Exclusion Extension (appidExclude)

getAttestationConveyancePreference

@NonNull
public @NonNull Optional<AttestationConveyancePreference> getAttestationConveyancePreference()

The argument for the attestation parameter in registration operations.

Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.

If you set this, you may want to explicitly set allowUntrustedAttestation and attestationTrustSource too.

By default, this is not set.

See Also:

• PublicKeyCredentialCreationOptions.getAttestation()
• §6.4. Attestation

getAttestationTrustSource

@NonNull
public @NonNull Optional<AttestationTrustSource> getAttestationTrustSource()

An AttestationTrustSource instance to use for looking up trust roots for authenticator attestation. This matters only if getAttestationConveyancePreference() is non-empty and not set to AttestationConveyancePreference.NONE.

By default, this is not set.

See Also:

• PublicKeyCredentialCreationOptions.getAttestation()
• §6.4. Attestation

getPreferredPubkeyParams

@NonNull
public @NonNull List<PublicKeyCredentialParameters> getPreferredPubkeyParams()

The argument for the pubKeyCredParams parameter in registration operations.

This is a list of acceptable public key algorithms and their parameters, ordered from most to least preferred.

The default is the following list, in order:

1. ES256
2. EdDSA
3. ES384
4. ES512
5. RS256
6. RS384
7. RS512

See Also:

• PublicKeyCredentialCreationOptions.getAttestation()
• §6.4. Attestation

isAllowOriginPort

public boolean isAllowOriginPort()

If true, the origin matching rule is relaxed to allow any port number.

The default is false.

Examples with origins: ["https://example.org", "https://accounts.example.org", "https://acme.com:8443"]

• allowOriginPort: false

  Accepted:

  • https://example.org
  • https://accounts.example.org
  • https://acme.com:8443

  Rejected:

  • https://example.org:8443
  • https://shop.example.org
  • https://acme.com
  • https://acme.com:9000

• allowOriginPort: true

  Accepted:

  • https://example.org
  • https://example.org:8443
  • https://accounts.example.org
  • https://acme.com
  • https://acme.com:8443
  • https://acme.com:9000

  Rejected:

  • https://shop.example.org

isAllowOriginSubdomain

public boolean isAllowOriginSubdomain()

If true, the origin matching rule is relaxed to allow any subdomain, of any depth, of the values of origins.

The default is false.

Examples with origins: ["https://example.org", "https://acme.com:8443"]

• allowOriginSubdomain: false

  Accepted:

  • https://example.org
  • https://acme.com:8443

  Rejected:

  • https://example.org:8443
  • https://accounts.example.org
  • https://acme.com
  • https://eu.shop.acme.com:8443

• allowOriginSubdomain: true

  Accepted:

  • https://example.org
  • https://accounts.example.org
  • https://acme.com:8443
  • https://eu.shop.acme.com:8443

  Rejected:

  • https://example.org:8443
  • https://acme.com

isAllowUntrustedAttestation

public boolean isAllowUntrustedAttestation()

If false, finishRegistration will only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes none attestation, and self attestation unless the self attestation key is explicitly trusted.

Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to true.

The default is true.

isValidateSignatureCounter

public boolean isValidateSignatureCounter()

If true, finishAssertion will succeed only if the signature counter value in the response is strictly greater than the stored signature counter value, or if both counters are exactly zero.

The default is true.

getClock

@NonNull
public @NonNull Clock getClock()

A Clock which will be used to tell the current time while verifying attestation certificate chains.

This is intended primarily for testing, and relevant only if RelyingParty.RelyingPartyBuilder.attestationTrustSource(AttestationTrustSource) is set.

The default is Clock.systemUTC().

equals

public boolean equals(Object o)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

toString

public String toString()

Overrides:

toString in class Object