Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

Blob validation fails: "Could not determine revocation status" #271

Closed iaik-jheher closed 1 year ago

iaik-jheher commented 1 year ago

I am trying to experiment with webauthn-server-attestation, but even the "standard" way of downloading blobs fails for me, leaving me stumped.

package toy;

import java.util.Optional;
import java.util.function.Consumer;
import java.util.function.Supplier;

import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.webauthn.data.ByteArray;

public class Test {
  private static class MemoryCache<T> implements Supplier<Optional<T>>, Consumer<T> {
    Optional<T> v = Optional.empty();
    @Override public void accept(T t) { this.v = Optional.of(t); }
    @Override public Optional<T> get() { return this.v; }
  }

  public static void main(String[] args) {
    final MemoryCache<ByteArray> trustRootCache = new MemoryCache<>();
    final MemoryCache<ByteArray> blobCache = new MemoryCache<>();

    final var downloader = FidoMetadataDownloader.builder()
      .expectLegalHeader("Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/")
      .useDefaultTrustRoot()
      .useTrustRootCache(trustRootCache, trustRootCache)
      .useDefaultBlob()
      .useBlobCache(blobCache, blobCache)
      .build();
    try {
      downloader.loadCachedBlob();
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}

This results in:

java.security.cert.CertPathValidatorException: Could not determine revocation status
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
        at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
        at com.yubico.fido.metadata.FidoMetadataDownloader.verifyBlob(FidoMetadataDownloader.java:1097)
        at com.yubico.fido.metadata.FidoMetadataDownloader.parseAndVerifyBlob(FidoMetadataDownloader.java:1018)
        at com.yubico.fido.metadata.FidoMetadataDownloader.refreshBlobInternal(FidoMetadataDownloader.java:807)
        at com.yubico.fido.metadata.FidoMetadataDownloader.loadCachedBlob(FidoMetadataDownloader.java:712)
        at toy.Test.main(Test.java:29)
Caused by: java.security.cert.CertPathValidatorException: Could not determine revocation status
        at java.base/sun.security.provider.certpath.RevocationChecker.buildToNewKey(RevocationChecker.java:1152)
        at java.base/sun.security.provider.certpath.RevocationChecker.verifyWithSeparateSigningKey(RevocationChecker.java:972)
        at java.base/sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:611)
        at java.base/sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:471)
        at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:373)
        at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:343)
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 9 more

Is there something incredibly obvious that I am missing?
I am using openjdk 17.0.3 2022-04-19 and webauthn-server-attestation-2.4.1-RC1.

emlun commented 1 year ago

Hi! Did you notice the mention of setting com.sun.security.enableCRLDP=true at the end of the Getting started guide? That is the most common issue I've seen. We should probably make that note more prominent in the instructions.
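The stack trace in the issue comes from the JDK's PKIX revocation checker (RevocationChecker.checkCRLs), which the library turns on when it verifies the BLOB's signing certificate chain. Without com.sun.security.enableCRLDP the JDK will not fetch CRLs from the CRL Distribution Point extension of the certificates, so it cannot establish revocation status and validation fails closed with exactly this message. The following is an added example, not code from the issue author or from the project, showing the two ways to set the property and a small up-front check that turns the opaque CertPathValidatorException into an actionable error. It reuses only the builder calls that appear in the issue; the helper names ensureCrlDpEnabled and loadBlob are my own.

```java
package toy;

import java.security.cert.CertPathValidatorException;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.function.Supplier;

import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.fido.metadata.MetadataBLOB;
import com.yubico.webauthn.data.ByteArray;

public class CrlDpExample {

  // Same in-memory cache as in the issue: the downloader needs a Supplier to
  // read a cached value and a Consumer to store a freshly downloaded one.
  private static class MemoryCache<T> implements Supplier<Optional<T>>, Consumer<T> {
    Optional<T> v = Optional.empty();
    @Override public void accept(T t) { this.v = Optional.of(t); }
    @Override public Optional<T> get() { return this.v; }
  }

  private static final String CRLDP_PROPERTY = "com.sun.security.enableCRLDP";

  /**
   * Check that CRL Distribution Point fetching is enabled, and enable it if not.
   * The JDK reads this property once, when its CRL-fetching code is first
   * initialised, so this must run before the first certificate path validation
   * in the process. The safest option is the JVM command line:
   *   java -Dcom.sun.security.enableCRLDP=true toy.CrlDpExample
   * Setting it from code, as here, only works if nothing has validated a
   * certificate chain yet.
   *
   * @return true if the property was already set, false if this call set it
   */
  static boolean ensureCrlDpEnabled() {
    boolean alreadySet = Boolean.parseBoolean(System.getProperty(CRLDP_PROPERTY));
    if (!alreadySet) {
      System.setProperty(CRLDP_PROPERTY, "true");
    }
    return alreadySet;
  }

  /** Build the downloader exactly as in the issue and load (download + verify) the BLOB. */
  static MetadataBLOB loadBlob() throws Exception {
    final MemoryCache<ByteArray> trustRootCache = new MemoryCache<>();
    final MemoryCache<ByteArray> blobCache = new MemoryCache<>();

    final FidoMetadataDownloader downloader = FidoMetadataDownloader.builder()
      .expectLegalHeader("Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/")
      .useDefaultTrustRoot()
      .useTrustRootCache(trustRootCache, trustRootCache)
      .useDefaultBlob()
      .useBlobCache(blobCache, blobCache)
      .build();

    try {
      return downloader.loadCachedBlob();
    } catch (CertPathValidatorException e) {
      // Translate the JDK's generic failure into a message that names the usual cause.
      if (String.valueOf(e.getMessage()).contains("Could not determine revocation status")
          && !Boolean.parseBoolean(System.getProperty(CRLDP_PROPERTY))) {
        throw new IllegalStateException(
            "BLOB chain validation needs CRL fetching; start the JVM with -D"
                + CRLDP_PROPERTY + "=true or set it before any certificate validation", e);
      }
      throw e;
    }
  }

  public static void main(String[] args) throws Exception {
    if (!ensureCrlDpEnabled()) {
      System.err.println("note: " + CRLDP_PROPERTY + " was not set on the command line; enabled it programmatically");
    }
    MetadataBLOB blob = loadBlob();
    System.out.println("Metadata BLOB downloaded and its signing chain verified: " + (blob != null));
  }
}
```

Running this needs network access to the FIDO MDS and the CRL distribution points, so it is not an offline unit test; the value of the example is the ordering (property set before the first validation) and the early diagnostic, which is what the issue's stack trace was missing.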

iaik-jheher commented 1 year ago

Ah, no, I did not. It appears I was indeed missing something obvious. Thanks!

emlun commented 1 year ago

I've made that instruction more discoverable in the Getting Started guide. Thanks for pointing it out!

iaik-jheher commented 1 year ago

Thanks! Might also be worth replacing the webauthn-server-attestation reference on https://developers.yubico.com/java-webauthn-server/ with a link to the "Getting Started" page. The current reference there 404s, either way.

emlun commented 1 year ago

Oh! Indeed, thanks for pointing that out too!