| 1 | // Copyright (c) 2018, Yubico AB | |
| 2 | // All rights reserved. | |
| 3 | // | |
| 4 | // Redistribution and use in source and binary forms, with or without | |
| 5 | // modification, are permitted provided that the following conditions are met: | |
| 6 | // | |
| 7 | // 1. Redistributions of source code must retain the above copyright notice, this | |
| 8 | // list of conditions and the following disclaimer. | |
| 9 | // | |
| 10 | // 2. Redistributions in binary form must reproduce the above copyright notice, | |
| 11 | // this list of conditions and the following disclaimer in the documentation | |
| 12 | // and/or other materials provided with the distribution. | |
| 13 | // | |
| 14 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
| 15 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
| 16 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
| 17 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
| 18 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
| 19 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
| 20 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
| 21 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
| 22 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
| 23 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
| 24 | ||
| 25 | package com.yubico.webauthn; | |
| 26 | ||
| 27 | import com.fasterxml.jackson.databind.JsonNode; | |
| 28 | import com.upokecenter.cbor.CBORObject; | |
| 29 | import com.yubico.internal.util.CertificateParser; | |
| 30 | import com.yubico.internal.util.CollectionUtil; | |
| 31 | import com.yubico.internal.util.ExceptionUtil; | |
| 32 | import com.yubico.webauthn.data.AttestationObject; | |
| 33 | import com.yubico.webauthn.data.AttestationType; | |
| 34 | import com.yubico.webauthn.data.ByteArray; | |
| 35 | import com.yubico.webauthn.data.COSEAlgorithmIdentifier; | |
| 36 | import java.io.IOException; | |
| 37 | import java.security.InvalidKeyException; | |
| 38 | import java.security.NoSuchAlgorithmException; | |
| 39 | import java.security.PublicKey; | |
| 40 | import java.security.Signature; | |
| 41 | import java.security.SignatureException; | |
| 42 | import java.security.cert.CertificateException; | |
| 43 | import java.security.cert.X509Certificate; | |
| 44 | import java.security.spec.InvalidKeySpecException; | |
| 45 | import java.util.Arrays; | |
| 46 | import java.util.HashSet; | |
| 47 | import java.util.Locale; | |
| 48 | import java.util.Objects; | |
| 49 | import java.util.Optional; | |
| 50 | import java.util.Set; | |
| 51 | import javax.naming.InvalidNameException; | |
| 52 | import javax.naming.ldap.LdapName; | |
| 53 | import javax.naming.ldap.Rdn; | |
| 54 | import lombok.extern.slf4j.Slf4j; | |
| 55 | import lombok.val; | |
| 56 | ||
| 57 | @Slf4j | |
| 58 | final class PackedAttestationStatementVerifier | |
| 59 | implements AttestationStatementVerifier, X5cAttestationStatementVerifier { | |
| 60 | ||
| 61 | @Override | |
| 62 | public AttestationType getAttestationType(AttestationObject attestation) { | |
| 63 |
1
1. getAttestationType : negated conditional → KILLED |
if (attestation.getAttestationStatement().hasNonNull("x5c")) { |
| 64 |
1
1. getAttestationType : replaced return value with null for com/yubico/webauthn/PackedAttestationStatementVerifier::getAttestationType → KILLED |
return AttestationType.BASIC; |
| 65 | } else { | |
| 66 |
1
1. getAttestationType : replaced return value with null for com/yubico/webauthn/PackedAttestationStatementVerifier::getAttestationType → KILLED |
return AttestationType.SELF_ATTESTATION; |
| 67 | } | |
| 68 | } | |
| 69 | ||
| 70 | @Override | |
| 71 | public boolean verifyAttestationSignature( | |
| 72 | AttestationObject attestationObject, ByteArray clientDataJsonHash) { | |
| 73 | val signatureNode = attestationObject.getAttestationStatement().get("sig"); | |
| 74 | ||
| 75 |
2
1. verifyAttestationSignature : negated conditional → KILLED 2. verifyAttestationSignature : negated conditional → KILLED |
if (signatureNode == null || !signatureNode.isBinary()) { |
| 76 | throw new IllegalArgumentException("attStmt.sig must be set to a binary value."); | |
| 77 | } | |
| 78 | ||
| 79 |
1
1. verifyAttestationSignature : negated conditional → KILLED |
if (attestationObject.getAttestationStatement().has("x5c")) { |
| 80 |
2
1. verifyAttestationSignature : replaced boolean return with true for com/yubico/webauthn/PackedAttestationStatementVerifier::verifyAttestationSignature → KILLED 2. verifyAttestationSignature : replaced boolean return with false for com/yubico/webauthn/PackedAttestationStatementVerifier::verifyAttestationSignature → KILLED |
return verifyX5cSignature(attestationObject, clientDataJsonHash); |
| 81 | } else { | |
| 82 |
2
1. verifyAttestationSignature : replaced boolean return with true for com/yubico/webauthn/PackedAttestationStatementVerifier::verifyAttestationSignature → KILLED 2. verifyAttestationSignature : replaced boolean return with false for com/yubico/webauthn/PackedAttestationStatementVerifier::verifyAttestationSignature → KILLED |
return verifySelfAttestationSignature(attestationObject, clientDataJsonHash); |
| 83 | } | |
| 84 | } | |
| 85 | ||
| 86 | private boolean verifySelfAttestationSignature( | |
| 87 | AttestationObject attestationObject, ByteArray clientDataJsonHash) { | |
| 88 | final PublicKey pubkey; | |
| 89 | try { | |
| 90 | pubkey = | |
| 91 | WebAuthnCodecs.importCosePublicKey( | |
| 92 | attestationObject | |
| 93 | .getAuthenticatorData() | |
| 94 | .getAttestedCredentialData() | |
| 95 | .get() | |
| 96 | .getCredentialPublicKey()); | |
| 97 | } catch (IOException | InvalidKeySpecException e) { | |
| 98 | throw ExceptionUtil.wrapAndLog( | |
| 99 | log, | |
| 100 | String.format( | |
| 101 | "Failed to parse public key from attestation data %s", | |
| 102 | attestationObject.getAuthenticatorData().getAttestedCredentialData()), | |
| 103 | e); | |
| 104 | } catch (NoSuchAlgorithmException e) { | |
| 105 | throw new RuntimeException(e); | |
| 106 | } | |
| 107 | ||
| 108 | final long keyAlgId = | |
| 109 | CBORObject.DecodeFromBytes( | |
| 110 | attestationObject | |
| 111 | .getAuthenticatorData() | |
| 112 | .getAttestedCredentialData() | |
| 113 | .get() | |
| 114 | .getCredentialPublicKey() | |
| 115 | .getBytes()) | |
| 116 | .get(CBORObject.FromObject(3)) | |
| 117 | .AsNumber() | |
| 118 | .ToInt64IfExact(); | |
| 119 | final COSEAlgorithmIdentifier keyAlg = | |
| 120 | COSEAlgorithmIdentifier.fromId(keyAlgId) | |
| 121 | .orElseThrow( | |
| 122 | () -> | |
| 123 |
1
1. lambda$verifySelfAttestationSignature$0 : replaced return value with null for com/yubico/webauthn/PackedAttestationStatementVerifier::lambda$verifySelfAttestationSignature$0 → NO_COVERAGE |
new IllegalArgumentException( |
| 124 | "Unsupported COSE algorithm identifier: " + keyAlgId)); | |
| 125 | ||
| 126 | final long sigAlgId = attestationObject.getAttestationStatement().get("alg").asLong(); | |
| 127 | final COSEAlgorithmIdentifier sigAlg = | |
| 128 | COSEAlgorithmIdentifier.fromId(sigAlgId) | |
| 129 | .orElseThrow( | |
| 130 | () -> | |
| 131 |
1
1. lambda$verifySelfAttestationSignature$1 : replaced return value with null for com/yubico/webauthn/PackedAttestationStatementVerifier::lambda$verifySelfAttestationSignature$1 → NO_COVERAGE |
new IllegalArgumentException( |
| 132 | "Unsupported COSE algorithm identifier: " + sigAlgId)); | |
| 133 | ||
| 134 |
1
1. verifySelfAttestationSignature : negated conditional → KILLED |
if (!Objects.equals(keyAlg, sigAlg)) { |
| 135 | throw new IllegalArgumentException( | |
| 136 | String.format( | |
| 137 | "Key algorithm and signature algorithm must be equal, was: Key: %s, Sig: %s", | |
| 138 | keyAlg, sigAlg)); | |
| 139 | } | |
| 140 | ||
| 141 | ByteArray signedData = | |
| 142 | attestationObject.getAuthenticatorData().getBytes().concat(clientDataJsonHash); | |
| 143 | ByteArray signature; | |
| 144 | try { | |
| 145 | signature = | |
| 146 | new ByteArray(attestationObject.getAttestationStatement().get("sig").binaryValue()); | |
| 147 | } catch (IOException e) { | |
| 148 | throw ExceptionUtil.wrapAndLog(log, ".binaryValue() of \"sig\" failed", e); | |
| 149 | } | |
| 150 | ||
| 151 |
2
1. verifySelfAttestationSignature : replaced boolean return with false for com/yubico/webauthn/PackedAttestationStatementVerifier::verifySelfAttestationSignature → KILLED 2. verifySelfAttestationSignature : replaced boolean return with true for com/yubico/webauthn/PackedAttestationStatementVerifier::verifySelfAttestationSignature → KILLED |
return Crypto.verifySignature(pubkey, signedData, signature, keyAlg); |
| 152 | } | |
| 153 | ||
| 154 | private boolean verifyX5cSignature( | |
| 155 | AttestationObject attestationObject, ByteArray clientDataHash) { | |
| 156 | final Optional<X509Certificate> attestationCert; | |
| 157 | try { | |
| 158 | attestationCert = getX5cAttestationCertificate(attestationObject); | |
| 159 | } catch (CertificateException e) { | |
| 160 | throw ExceptionUtil.wrapAndLog( | |
| 161 | log, | |
| 162 | String.format( | |
| 163 | "Failed to parse X.509 certificate from attestation object: %s", attestationObject), | |
| 164 | e); | |
| 165 | } | |
| 166 |
2
1. verifyX5cSignature : replaced boolean return with true for com/yubico/webauthn/PackedAttestationStatementVerifier::verifyX5cSignature → KILLED 2. verifyX5cSignature : replaced boolean return with false for com/yubico/webauthn/PackedAttestationStatementVerifier::verifyX5cSignature → KILLED |
return attestationCert |
| 167 | .map( | |
| 168 | attestationCertificate -> { | |
| 169 | JsonNode signatureNode = attestationObject.getAttestationStatement().get("sig"); | |
| 170 |
1
1. lambda$verifyX5cSignature$3 : negated conditional → KILLED |
if (signatureNode == null) { |
| 171 | throw new IllegalArgumentException( | |
| 172 | "Packed attestation statement must have field \"sig\"."); | |
| 173 | } | |
| 174 | ||
| 175 |
1
1. lambda$verifyX5cSignature$3 : negated conditional → KILLED |
if (signatureNode.isBinary()) { |
| 176 | ByteArray signature; | |
| 177 | try { | |
| 178 | signature = new ByteArray(signatureNode.binaryValue()); | |
| 179 | } catch (IOException e) { | |
| 180 | throw ExceptionUtil.wrapAndLog( | |
| 181 | log, | |
| 182 | "signatureNode.isBinary() was true but signatureNode.binaryValue() failed", | |
| 183 | e); | |
| 184 | } | |
| 185 | ||
| 186 | JsonNode algNode = attestationObject.getAttestationStatement().get("alg"); | |
| 187 |
1
1. lambda$verifyX5cSignature$3 : negated conditional → KILLED |
if (algNode == null) { |
| 188 | throw new IllegalArgumentException( | |
| 189 | "Packed attestation statement must have field \"alg\"."); | |
| 190 | } | |
| 191 |
1
1. lambda$verifyX5cSignature$3 : removed call to com/yubico/internal/util/ExceptionUtil::assertTrue → SURVIVED |
ExceptionUtil.assertTrue( |
| 192 | algNode.isIntegralNumber(), | |
| 193 | "Field \"alg\" in packed attestation statement must be a COSEAlgorithmIdentifier."); | |
| 194 | final Long sigAlgId = algNode.asLong(); | |
| 195 | final COSEAlgorithmIdentifier sigAlg = | |
| 196 | COSEAlgorithmIdentifier.fromId(sigAlgId) | |
| 197 | .orElseThrow( | |
| 198 | () -> | |
| 199 |
1
1. lambda$verifyX5cSignature$2 : replaced return value with null for com/yubico/webauthn/PackedAttestationStatementVerifier::lambda$verifyX5cSignature$2 → NO_COVERAGE |
new IllegalArgumentException( |
| 200 | "Unsupported COSE algorithm identifier: " + sigAlgId)); | |
| 201 | ||
| 202 | ByteArray signedData = | |
| 203 | attestationObject.getAuthenticatorData().getBytes().concat(clientDataHash); | |
| 204 | ||
| 205 | final String signatureAlgorithmName = WebAuthnCodecs.getJavaAlgorithmName(sigAlg); | |
| 206 | Signature signatureVerifier; | |
| 207 | try { | |
| 208 | signatureVerifier = Signature.getInstance(signatureAlgorithmName); | |
| 209 | } catch (NoSuchAlgorithmException e) { | |
| 210 | throw ExceptionUtil.wrapAndLog( | |
| 211 | log, "Failed to get a Signature instance for " + signatureAlgorithmName, e); | |
| 212 | } | |
| 213 | try { | |
| 214 |
1
1. lambda$verifyX5cSignature$3 : removed call to java/security/Signature::initVerify → KILLED |
signatureVerifier.initVerify(attestationCertificate.getPublicKey()); |
| 215 | } catch (InvalidKeyException e) { | |
| 216 | throw ExceptionUtil.wrapAndLog( | |
| 217 | log, "Attestation key is invalid: " + attestationCertificate, e); | |
| 218 | } | |
| 219 | try { | |
| 220 |
1
1. lambda$verifyX5cSignature$3 : removed call to java/security/Signature::update → KILLED |
signatureVerifier.update(signedData.getBytes()); |
| 221 | } catch (SignatureException e) { | |
| 222 | throw ExceptionUtil.wrapAndLog( | |
| 223 | log, "Signature object in invalid state: " + signatureVerifier, e); | |
| 224 | } | |
| 225 | ||
| 226 | try { | |
| 227 |
2
1. lambda$verifyX5cSignature$3 : negated conditional → KILLED 2. lambda$verifyX5cSignature$3 : replaced Boolean return with True for com/yubico/webauthn/PackedAttestationStatementVerifier::lambda$verifyX5cSignature$3 → KILLED |
return (signatureVerifier.verify(signature.getBytes()) |
| 228 |
1
1. lambda$verifyX5cSignature$3 : negated conditional → KILLED |
&& verifyX5cRequirements( |
| 229 | attestationCertificate, | |
| 230 | attestationObject | |
| 231 | .getAuthenticatorData() | |
| 232 | .getAttestedCredentialData() | |
| 233 | .get() | |
| 234 | .getAaguid())); | |
| 235 | } catch (SignatureException e) { | |
| 236 | throw ExceptionUtil.wrapAndLog( | |
| 237 | log, "Failed to verify signature: " + attestationObject, e); | |
| 238 | } | |
| 239 | } else { | |
| 240 | throw new IllegalArgumentException( | |
| 241 | "Field \"sig\" in packed attestation statement must be a binary value."); | |
| 242 | } | |
| 243 | }) | |
| 244 | .orElseThrow( | |
| 245 | () -> | |
| 246 |
1
1. lambda$verifyX5cSignature$4 : replaced return value with null for com/yubico/webauthn/PackedAttestationStatementVerifier::lambda$verifyX5cSignature$4 → NO_COVERAGE |
new IllegalArgumentException( |
| 247 | "If \"x5c\" property is present in \"packed\" attestation format it must be an array containing at least one DER encoded X.509 cerficicate.")); | |
| 248 | } | |
| 249 | ||
| 250 | private Optional<Object> getDnField(String field, X509Certificate cert) { | |
| 251 | final LdapName ldap; | |
| 252 | try { | |
| 253 | ldap = new LdapName(cert.getSubjectX500Principal().getName()); | |
| 254 | } catch (InvalidNameException e) { | |
| 255 | throw ExceptionUtil.wrapAndLog( | |
| 256 | log, | |
| 257 | "X500Principal name was not accepted as an LdapName: " | |
| 258 | + cert.getSubjectX500Principal().getName(), | |
| 259 | e); | |
| 260 | } | |
| 261 |
1
1. getDnField : replaced return value with Optional.empty for com/yubico/webauthn/PackedAttestationStatementVerifier::getDnField → KILLED |
return ldap.getRdns().stream() |
| 262 |
2
1. lambda$getDnField$5 : replaced boolean return with true for com/yubico/webauthn/PackedAttestationStatementVerifier::lambda$getDnField$5 → KILLED 2. lambda$getDnField$5 : replaced boolean return with false for com/yubico/webauthn/PackedAttestationStatementVerifier::lambda$getDnField$5 → KILLED |
.filter(rdn -> Objects.equals(rdn.getType(), field)) |
| 263 | .findAny() | |
| 264 | .map(Rdn::getValue); | |
| 265 | } | |
| 266 | ||
| 267 | public boolean verifyX5cRequirements(X509Certificate cert, ByteArray aaguid) { | |
| 268 |
1
1. verifyX5cRequirements : negated conditional → KILLED |
if (cert.getVersion() != 3) { |
| 269 | throw new IllegalArgumentException( | |
| 270 | String.format( | |
| 271 | "Wrong attestation certificate X509 version: %s, expected: 3", cert.getVersion())); | |
| 272 | } | |
| 273 | ||
| 274 | final String ouValue = "Authenticator Attestation"; | |
| 275 | final Set<String> countries = | |
| 276 | CollectionUtil.immutableSet(new HashSet<>(Arrays.asList(Locale.getISOCountries()))); | |
| 277 | ||
| 278 |
1
1. verifyX5cRequirements : removed call to com/yubico/internal/util/ExceptionUtil::assertTrue → KILLED |
ExceptionUtil.assertTrue( |
| 279 | getDnField("C", cert).filter(countries::contains).isPresent(), | |
| 280 | "Invalid attestation certificate country code: %s", | |
| 281 | getDnField("C", cert)); | |
| 282 | ||
| 283 |
1
1. verifyX5cRequirements : removed call to com/yubico/internal/util/ExceptionUtil::assertTrue → KILLED |
ExceptionUtil.assertTrue( |
| 284 |
2
1. lambda$verifyX5cRequirements$6 : replaced boolean return with true for com/yubico/webauthn/PackedAttestationStatementVerifier::lambda$verifyX5cRequirements$6 → SURVIVED 2. lambda$verifyX5cRequirements$6 : negated conditional → KILLED |
getDnField("O", cert).filter(o -> !((String) o).isEmpty()).isPresent(), |
| 285 | "Organization (O) field of attestation certificate DN must be present."); | |
| 286 | ||
| 287 |
1
1. verifyX5cRequirements : removed call to com/yubico/internal/util/ExceptionUtil::assertTrue → KILLED |
ExceptionUtil.assertTrue( |
| 288 | getDnField("OU", cert).filter(ouValue::equals).isPresent(), | |
| 289 | "Organization Unit (OU) field of attestation certificate DN must be exactly \"%s\", was: %s", | |
| 290 | ouValue, | |
| 291 | getDnField("OU", cert)); | |
| 292 | ||
| 293 | CertificateParser.parseFidoAaguidExtension(cert) | |
| 294 |
1
1. verifyX5cRequirements : removed call to java/util/Optional::ifPresent → KILLED |
.ifPresent( |
| 295 | extensionAaguid -> { | |
| 296 |
1
1. lambda$verifyX5cRequirements$7 : removed call to com/yubico/internal/util/ExceptionUtil::assertTrue → KILLED |
ExceptionUtil.assertTrue( |
| 297 | Arrays.equals(aaguid.getBytes(), extensionAaguid), | |
| 298 | "X.509 extension \"id-fido-gen-ce-aaguid\" is present but does not match the authenticator AAGUID."); | |
| 299 | }); | |
| 300 | ||
| 301 |
1
1. verifyX5cRequirements : removed call to com/yubico/internal/util/ExceptionUtil::assertTrue → KILLED |
ExceptionUtil.assertTrue( |
| 302 |
1
1. verifyX5cRequirements : negated conditional → KILLED |
cert.getBasicConstraints() == -1, "Attestation certificate must not be a CA certificate."); |
| 303 | ||
| 304 |
1
1. verifyX5cRequirements : replaced boolean return with false for com/yubico/webauthn/PackedAttestationStatementVerifier::verifyX5cRequirements → KILLED |
return true; |
| 305 | } | |
| 306 | } | |
Mutations | ||
| 63 |
1.1 |
|
| 64 |
1.1 |
|
| 66 |
1.1 |
|
| 75 |
1.1 2.2 |
|
| 79 |
1.1 |
|
| 80 |
1.1 2.2 |
|
| 82 |
1.1 2.2 |
|
| 123 |
1.1 |
|
| 131 |
1.1 |
|
| 134 |
1.1 |
|
| 151 |
1.1 2.2 |
|
| 166 |
1.1 2.2 |
|
| 170 |
1.1 |
|
| 175 |
1.1 |
|
| 187 |
1.1 |
|
| 191 |
1.1 |
|
| 199 |
1.1 |
|
| 214 |
1.1 |
|
| 220 |
1.1 |
|
| 227 |
1.1 2.2 |
|
| 228 |
1.1 |
|
| 246 |
1.1 |
|
| 261 |
1.1 |
|
| 262 |
1.1 2.2 |
|
| 268 |
1.1 |
|
| 278 |
1.1 |
|
| 283 |
1.1 |
|
| 284 |
1.1 2.2 |
|
| 287 |
1.1 |
|
| 294 |
1.1 |
|
| 296 |
1.1 |
|
| 301 |
1.1 |
|
| 302 |
1.1 |
|
| 304 |
1.1 |