com.yubico.webauthn.attestation

Interface AttestationTrustSource

public interface AttestationTrustSource

Abstraction of a repository which can look up trust roots for authenticator attestation.

Nested Class Summary

Nested Classes

Modifier and Type	Interface and Description
static class	AttestationTrustSource.TrustRootsResult A result of looking up attestation trust roots for a particular attestation statement.

Method Summary

Modifier and Type	Method and Description
AttestationTrustSource.TrustRootsResult	findTrustRoots(java.util.List<java.security.cert.X509Certificate> attestationCertificateChain, java.util.Optional<ByteArray> aaguid) Attempt to look up attestation trust roots for an authenticator.

Method Detail

findTrustRoots

AttestationTrustSource.TrustRootsResult findTrustRoots(java.util.List<java.security.cert.X509Certificate> attestationCertificateChain,
                                                       java.util.Optional<ByteArray> aaguid)

Attempt to look up attestation trust roots for an authenticator.

Note that it is possible for the same trust root to be used for different certificate chains. For example, an authenticator vendor may make two different authenticator models, each with its own attestation leaf certificate but both signed by the same attestation root certificate. If a Relying Party trusts one of those authenticator models but not the other, then its implementation of this method MUST return an empty set for the untrusted certificate chain.

Parameters:

attestationCertificateChain - the attestation certificate chain for the authenticator.

aaguid - the AAGUID of the authenticator, if available.

Returns:

A set of attestation root certificates trusted to attest for this authenticator, if any are available. If no trust roots are found, or if this authenticator is not trusted, return an empty result. Implementations MAY reuse the same result object, or parts of it, for multiple calls of this method, even with different arguments, but MUST return an empty set of trust roots for authenticators that should not be trusted.