Your FIDO Server will need to download the MDS directly from the FIDO Alliance.
Figure 2 shows a code sample that can be used to initialize the MDS downloader in your application.
```java
import com.yubico.fido.metadata.FidoMetadataDownloader;
import java.io.File;

// builder() returns a FidoMetadataDownloader, not a MetadataBLOB
FidoMetadataDownloader downloader = FidoMetadataDownloader.builder()
    // must match the legal header carried inside the BLOB exactly
    .expectLegalHeader("Put the legal header here (get exact wording from BLOB)")
    // download the FIDO Alliance trust root certificate
    .useDefaultTrustRoot()
    // cache the trust root on disk between runs
    .useTrustRootCache(new File("/tmp/fido-mds-trust-root-cache.bin"))
    // download the BLOB from the default FIDO MDS URL
    .useDefaultBlob()
    // cache the BLOB on disk between runs
    .useBlobCache(new File("/tmp/fido-mds-blob-cache.bin"))
    .build();
```
Note: By default, FidoMetadataDownloader will probably use the SUN provider for the PKIX certificate path validation algorithm. This requires the com.sun.security.enableCRLDP system property to be set to true in order to verify the BLOB signature. For example, this can be done on the JVM command line using a -Dcom.sun.security.enableCRLDP=true option. See the Java PKI Programmers Guide for details.
Let’s explore this code in more detail. The first point of interest is .expectLegalHeader(). By using the FIDO MDS, you will be held to its terms of service. This is a way to alert the developer and code reviewers that you are acknowledging the terms of the MDS, and any implications that may have on your application. The input to this method is the Legal Header that exists within the BLOB.
Figure 3 includes the statement required to populate the .expectLegalHeader() method:

"Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/"
Next you will get the Trust Root Certificates for the MDS. You can proceed with the default method using useDefaultTrustRoot() while building your downloader. Next is useTrustRootCache(): the FIDO spec notes that when fetching the Trust Root Certificate, your app should have some sort of caching logic. Our example above writes it to a file in the "/tmp" directory.
The next two lines are used to download the BLOB repository. In this example we are pulling the default BLOB, and telling the downloader to cache it in the "tmp" directory.
Figure 4 will be used to create a FidoMetadataService object:

```java
import com.yubico.fido.metadata.FidoMetadataService;

// the service wraps the downloader and exposes the metadata to the relying party
FidoMetadataService mds = FidoMetadataService.builder()
    .useDownloader(downloader)
    .build();
```
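As an added example that is not part of the page's own code, the same downloader and service wired up with the Supplier/Consumer overloads of useTrustRootCache() and useBlobCache(), so the caches live in an application-owned directory rather than /tmp and a missing or unreadable cache file is treated as a miss. The class name MdsBootstrap, the cache directory and the helper names are assumptions; the overload signatures are taken from the library's Javadoc.

```java
import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.fido.metadata.FidoMetadataService;
import com.yubico.webauthn.data.ByteArray;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.function.Supplier;

public final class MdsBootstrap {

    // Exact legal header from the BLOB; the downloader rejects the BLOB if it differs.
    static final String LEGAL_HEADER =
        "Retrieval and use of this BLOB indicates acceptance of the appropriate agreement "
        + "located at https://fidoalliance.org/metadata/metadata-legal-terms/";

    // Assumed cache location: a directory owned by the application, not /tmp.
    static final Path CACHE_DIR = Path.of("var/fido-mds");

    // Read a cached artifact; absent or unreadable file counts as a cache miss.
    static Supplier<Optional<ByteArray>> reader(Path file) {
        return () -> {
            try {
                return Files.exists(file)
                    ? Optional.of(new ByteArray(Files.readAllBytes(file)))
                    : Optional.empty();
            } catch (IOException e) {
                return Optional.empty();
            }
        };
    }

    // Persist a freshly downloaded (and signature-verified) artifact.
    static Consumer<ByteArray> writer(Path file) {
        return bytes -> {
            try {
                Files.createDirectories(file.getParent());
                Files.write(file, bytes.getBytes());
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        };
    }

    public static FidoMetadataService buildMds() throws Exception {
        Path trustRoot = CACHE_DIR.resolve("trust-root.bin");
        Path blob = CACHE_DIR.resolve("blob.jwt");
        FidoMetadataDownloader downloader = FidoMetadataDownloader.builder()
            .expectLegalHeader(LEGAL_HEADER)
            .useDefaultTrustRoot()
            .useTrustRootCache(reader(trustRoot), writer(trustRoot))
            .useDefaultBlob()
            .useBlobCache(reader(blob), writer(blob))
            .build();
        return FidoMetadataService.builder().useDownloader(downloader).build();
    }
}
```

build() still performs the trust-root and BLOB signature checks on whatever the cache returns, so a tampered cache file is rejected rather than trusted.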