|
1 |
| -using System; |
2 |
| -using System.Linq; |
3 |
| -using System.Security.Cryptography.X509Certificates; |
4 |
| - |
5 |
| -using Fido2NetLib.Exceptions; |
6 |
| - |
7 |
| -namespace Fido2NetLib; |
8 |
| - |
9 |
| -public static class TrustAnchor |
10 |
| -{ |
11 |
| - public static void Verify(MetadataBLOBPayloadEntry? metadataEntry, X509Certificate2[] trustPath, bool conformance) |
12 |
| - { |
13 |
| - if (trustPath != null && metadataEntry?.MetadataStatement?.AttestationTypes is not null) |
14 |
| - { |
15 |
| - static bool ContainsAttestationType(MetadataBLOBPayloadEntry entry, MetadataAttestationType type) |
16 |
| - { |
17 |
| - return entry.MetadataStatement.AttestationTypes.Contains(type.ToEnumMemberValue()); |
18 |
| - } |
19 |
| - |
20 |
| - // If the authenticator's metadata requires basic full attestation, build and verify the chain |
21 |
| - if (ContainsAttestationType(metadataEntry, MetadataAttestationType.ATTESTATION_BASIC_FULL) || |
22 |
| - ContainsAttestationType(metadataEntry, MetadataAttestationType.ATTESTATION_PRIVACY_CA)) |
23 |
| - { |
24 |
| - string[] certStrings = metadataEntry.MetadataStatement.AttestationRootCertificates; |
25 |
| - var attestationRootCertificates = new X509Certificate2[certStrings.Length]; |
26 |
| - |
27 |
| - for (int i = 0; i < attestationRootCertificates.Length; i++) |
28 |
| - { |
29 |
| - attestationRootCertificates[i] = new X509Certificate2(Convert.FromBase64String(certStrings[i])); |
30 |
| - } |
31 |
| - |
32 |
| - if (trustPath.Length > 1 && attestationRootCertificates.Any(c => string.Equals(c.Thumbprint, trustPath[^1].Thumbprint, StringComparison.Ordinal))) |
| 1 | +using System; |
| 2 | +using System.Linq; |
| 3 | +using System.Security.Cryptography.X509Certificates; |
| 4 | + |
| 5 | +using Fido2NetLib.Exceptions; |
| 6 | + |
| 7 | +namespace Fido2NetLib; |
| 8 | + |
| 9 | +public static class TrustAnchor |
| 10 | +{ |
| 11 | + public static void Verify(MetadataBLOBPayloadEntry? metadataEntry, X509Certificate2[] trustPath, bool conformance) |
| 12 | + { |
| 13 | + if (trustPath != null && metadataEntry?.MetadataStatement?.AttestationTypes is not null) |
| 14 | + { |
| 15 | + static bool ContainsAttestationType(MetadataBLOBPayloadEntry entry, MetadataAttestationType type) |
| 16 | + { |
| 17 | + return entry.MetadataStatement.AttestationTypes.Contains(type.ToEnumMemberValue()); |
| 18 | + } |
| 19 | + |
| 20 | + // If the authenticator's metadata requires basic full attestation, build and verify the chain |
| 21 | + if (ContainsAttestationType(metadataEntry, MetadataAttestationType.ATTESTATION_BASIC_FULL) || |
| 22 | + ContainsAttestationType(metadataEntry, MetadataAttestationType.ATTESTATION_PRIVACY_CA)) |
| 23 | + { |
| 24 | + string[] certStrings = metadataEntry.MetadataStatement.AttestationRootCertificates; |
| 25 | + var attestationRootCertificates = new X509Certificate2[certStrings.Length]; |
| 26 | + |
| 27 | + for (int i = 0; i < attestationRootCertificates.Length; i++) |
| 28 | + { |
| 29 | + attestationRootCertificates[i] = new X509Certificate2(Convert.FromBase64String(certStrings[i])); |
| 30 | + } |
| 31 | + |
| 32 | + if (trustPath.Length > 1 && attestationRootCertificates.Any(c => string.Equals(c.Thumbprint, trustPath[^1].Thumbprint, StringComparison.Ordinal))) |
| 33 | + { |
| 34 | + throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain); |
| 35 | + } |
| 36 | + |
| 37 | + if (!CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates, conformance)) |
33 | 38 | {
|
34 | 39 | throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain);
|
35 |
| - } |
36 |
| - |
37 |
| - if (!CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates, conformance)) |
38 |
| - { |
39 |
| - throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain); |
40 |
| - } |
41 |
| - } |
42 |
| - |
43 |
| - else if (ContainsAttestationType(metadataEntry, MetadataAttestationType.ATTESTATION_ANONCA)) |
44 |
| - { |
45 |
| - // skip verification for Anonymization CA (AnonCA) |
46 |
| - } |
47 |
| - else // otherwise, ensure the certificate is self signed |
48 |
| - { |
49 |
| - var trustPath0 = trustPath[0]; |
50 |
| - |
51 |
| - if (!string.Equals(trustPath0.Subject, trustPath0.Issuer, StringComparison.Ordinal)) |
52 |
| - { |
53 |
| - // TODO: Improve this error message |
54 |
| - throw new Fido2VerificationException("Attestation with full attestation from authenticator that does not support full attestation"); |
55 |
| - } |
56 |
| - } |
57 |
| - |
58 |
| - // TODO: Verify all MetadataAttestationTypes are correctly handled |
59 |
| - |
60 |
| - // [ ] ATTESTATION_ECDAA "ecdaa" | currently handled as self signed w/ no test coverage |
61 |
| - // [ ] ATTESTATION_ANONCA "anonca" | currently not verified w/ no test coverage |
62 |
| - // [ ] ATTESTATION_NONE "none" | currently handled as self signed w/ no test coverage |
63 |
| - } |
64 |
| - } |
65 |
| -} |
| 40 | + } |
| 41 | + } |
| 42 | + |
| 43 | + else if (ContainsAttestationType(metadataEntry, MetadataAttestationType.ATTESTATION_ANONCA)) |
| 44 | + { |
| 45 | + // skip verification for Anonymization CA (AnonCA) |
| 46 | + } |
| 47 | + else // otherwise, ensure the certificate is self signed |
| 48 | + { |
| 49 | + var trustPath0 = trustPath[0]; |
| 50 | + |
| 51 | + if (!string.Equals(trustPath0.Subject, trustPath0.Issuer, StringComparison.Ordinal)) |
| 52 | + { |
| 53 | + // TODO: Improve this error message |
| 54 | + throw new Fido2VerificationException("Attestation with full attestation from authenticator that does not support full attestation"); |
| 55 | + } |
| 56 | + } |
| 57 | + |
| 58 | + // TODO: Verify all MetadataAttestationTypes are correctly handled |
| 59 | + |
| 60 | + // [ ] ATTESTATION_ECDAA "ecdaa" | currently handled as self signed w/ no test coverage |
| 61 | + // [ ] ATTESTATION_ANONCA "anonca" | currently not verified w/ no test coverage |
| 62 | + // [ ] ATTESTATION_NONE "none" | currently handled as self signed w/ no test coverage |
| 63 | + } |
| 64 | + } |
| 65 | +} |