feat(jans-fido2): add support for isEnterpriseAttestation in local me… (

#9521) * feat(jans-fido2): add support for isEnterpriseAttestation in local metadata retrieval Signed-off-by: imran-ishaq <imranishaq024@gmail.com> * feat(jans-fido2): add new unit test for isEnterpriseAttestation Signed-off-by: imran-ishaq <imranishaq024@gmail.com> --------- Signed-off-by: imran-ishaq <imranishaq024@gmail.com>
JanssenProject · Nov 7, 2024 · 050fa52 · 050fa52
1 parent d7bd2b1
commit 050fa52
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 5 deletions.
diff --git a/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/AttestationCertificateService.java b/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/AttestationCertificateService.java
@@ -114,18 +114,22 @@ public List<X509Certificate> getAttestationRootCertificates(JsonNode metadataNod
 
 	public List<X509Certificate> getAttestationRootCertificates(AuthData authData, List<X509Certificate> attestationCertificates) {
 		String aaguid = Hex.encodeHexString(authData.getAaguid());
-
-		JsonNode metadataForAuthenticator = localMdsService.getAuthenticatorsMetadata(aaguid);
-		if (metadataForAuthenticator == null) {
+		Fido2Configuration fido2Configuration = appConfiguration.getFido2Configuration();
+		JsonNode metadataForAuthenticator;
+		if (fido2Configuration.isEnterpriseAttestation()) {
+			metadataForAuthenticator = localMdsService.getAuthenticatorsMetadata(aaguid);
+			if (metadataForAuthenticator == null) {
+				metadataForAuthenticator = dataMapperService.createObjectNode();
+			}
+		} else {
 			try {
 				log.info("No Local metadata for authenticator {}. Checking for metadata MDS3 blob", aaguid);
 				JsonNode metadata = mdsService.fetchMetadata(authData.getAaguid());
 				commonVerifiers.verifyThatMetadataIsValid(metadata);
-
 				return getAttestationRootCertificates(metadata, attestationCertificates);
 			} catch (Fido2RuntimeException ex) {
 				log.warn("Failed to get metadata from Fido2 meta-data server: {}", ex.getMessage(), ex);
-				
+
 				metadataForAuthenticator = dataMapperService.createObjectNode();
 			}
 		}

diff --git a/...o2/server/src/test/java/io/jans/fido2/service/processor/attestation/TPMProcessorTest.java b/...o2/server/src/test/java/io/jans/fido2/service/processor/attestation/TPMProcessorTest.java
@@ -1,5 +1,6 @@
 package io.jans.fido2.service.processor.attestation;
 
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
@@ -12,12 +13,15 @@
 import io.jans.fido2.service.CertificateService;
 import io.jans.fido2.service.DataMapperService;
 import io.jans.fido2.service.mds.AttestationCertificateService;
+import io.jans.fido2.service.mds.LocalMdsService;
+import io.jans.fido2.service.mds.MdsService;
 import io.jans.fido2.service.verifier.CertificateVerifier;
 import io.jans.fido2.service.verifier.CommonVerifiers;
 import io.jans.fido2.service.verifier.SignatureVerifier;
 import io.jans.orm.model.fido2.Fido2RegistrationData;
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.core.Response;
+import org.apache.commons.codec.binary.Hex;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
@@ -28,6 +32,7 @@
 import tss.tpm.TPMT_PUBLIC;
 
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
@@ -76,6 +81,15 @@ class TPMProcessorTest {
     @Mock
     private ErrorResponseFactory errorResponseFactory;
 
+    @InjectMocks
+    private AttestationCertificateService attestationCertificateServices;
+
+    @Mock
+    private LocalMdsService localMdsService;
+
+    @Mock
+    private MdsService mdsService;
+
     @Test
     void getAttestationFormat_valid_tpm() {
         String fmt = tpmProcessor.getAttestationFormat().getFmt();
@@ -234,4 +248,53 @@ void process_ifX5cAndSkipValidateMdsInAttestationIsFalseAndVerifyAttestationCert
         verify(base64Service, times(2)).urlEncodeToString(any());
         verifyNoMoreInteractions(log);
     }
+
+    @Test
+    void getAttestationRootCertificates_enterpriseAttestationEnabled() {
+        String aaguid = "test-aaguid";
+        AuthData authData = mock(AuthData.class);
+        when(authData.getAaguid()).thenReturn(aaguid.getBytes(StandardCharsets.UTF_8));
+
+        List<X509Certificate> attestationCertificates = Collections.singletonList(mock(X509Certificate.class));
+
+        Fido2Configuration fido2Config = mock(Fido2Configuration.class);
+        when(fido2Config.isEnterpriseAttestation()).thenReturn(true);
+        when(appConfiguration.getFido2Configuration()).thenReturn(fido2Config);
+
+        String hexAaguid = Hex.encodeHexString(aaguid.getBytes(StandardCharsets.UTF_8));
+        JsonNode metadata = mock(JsonNode.class);
+        when(localMdsService.getAuthenticatorsMetadata(hexAaguid)).thenReturn(metadata);
+
+        List<X509Certificate> result = attestationCertificateServices.getAttestationRootCertificates(authData, attestationCertificates);
+
+        assertNotNull(result);
+        verify(localMdsService).getAuthenticatorsMetadata(hexAaguid);
+    }
+
+    @Test
+    void getAttestationRootCertificates_enterpriseAttestationDisabled() {
+        String aaguid = "test-aaguid";
+        AuthData authData = mock(AuthData.class);
+        when(authData.getAaguid()).thenReturn(aaguid.getBytes(StandardCharsets.UTF_8));
+
+        List<X509Certificate> attestationCertificates = Collections.singletonList(mock(X509Certificate.class));
+
+        Fido2Configuration fido2Config = mock(Fido2Configuration.class);
+        when(fido2Config.isEnterpriseAttestation()).thenReturn(false);
+        when(appConfiguration.getFido2Configuration()).thenReturn(fido2Config);
+
+        JsonNode fetchedMetadata = mock(JsonNode.class);
+        when(mdsService.fetchMetadata(authData.getAaguid())).thenReturn(fetchedMetadata);
+        doNothing().when(commonVerifiers).verifyThatMetadataIsValid(fetchedMetadata);
+
+        List<X509Certificate> expectedCertificates = Collections.singletonList(mock(X509Certificate.class));
+        when(attestationCertificateServices.getAttestationRootCertificates(fetchedMetadata, attestationCertificates))
+                .thenReturn(expectedCertificates);
+
+        List<X509Certificate> result = attestationCertificateServices.getAttestationRootCertificates(authData, attestationCertificates);
+
+        assertNotNull(result);
+        verify(mdsService).fetchMetadata(authData.getAaguid());
+        verify(commonVerifiers).verifyThatMetadataIsValid(fetchedMetadata);
+    }
 }