Closed mmoayyed closed 1 year ago
Hi! Does PR #280 help do what you want?
We considered having some kind of findMetadata()
method in AttestationTrustSource
but decided against it, for a couple of reasons.
RelyingParty
class to find trust roots it can use to verify attestation certificate chains.findMetadata()
up into AttestationTrustSource
would require defining a unified data format for any kind of attestation metadata, which as you can already see in the demo is at least difficult and probably pointless. The FIDO Metadata Service formats are the closest thing there is to a standard, but even those only really apply to FIDO as a metadata provider; Yubico still provides https://developers.yubico.com/U2F/yubico-metadata.json in a completely different format. And the data format may restrict what kinds of lookup you can do, so a findMetadata()
signature that makes sense for one metadata source might be awkward or impossible to implement on top of a different data source.But none of that is to stop downstream users from adding their own abstractions. :slightly_smiling_face: For example PR #280 extends the demo app with a new MetadataService
interface which does abstract the findMetadata()
method, and a FidoMetadataServiceAdapter
that wraps FidoMetadataService
under the new interface. This allows the demo to combine both a FidoMetadataService
and a YubicoJsonMetadataService
into one composite metadata service (with Object
as the metadata type, as noted above!).
Does any of that help?
Yes, thank you. In fact, I was about to do something quite similar to how you manage composite sources, etc. This should do the job for me.
I'll also add that the new abstractions you added would be very useful to include in the "core" upstream project. I don't really see/treat them as demo quality (and I would, i.e. be somewhat forced to copy/paste those and adapt in very small ways for my own project). So it would be great if they were to become part of the core library, as that would be less code for me to manage and maintain, but of course, perhaps more work for you :)
Thanks again! If it's OK with you, I can close this issue out and then try out the changes in the PR when they get merged, etc.
Ok, glad I could help!
Unfortunately I don't think the demo abstractions are a good fit for promoting into the core library, or even the attestation module, again for the same reasons that they end up tightly coupled to a particular implementation of a metadata source. But we'll reconsider if something new comes up that would enable some kind of generic abstraction - other than degenerating to Object
types and thus forfeiting most of the benefits of the static type system.
Hello, I am using the latest version of the java-webauthn-server as of this writing, 2.4.1 and I am experimenting with the provided demo project to allow it to use the
FidoMetadataService
. One potential issue I see is that theWebAuthnServer.java
declares this:...which is then used here:
Of course, the
findMetadata()
method is part of theAttestationMetadataSource
hierarchy which does not make for an easy replacement of themetadataService
with an instance ofFidoMetadataService
, etc.Could the
findMetadata()
method be moved up the chain and is that a sensible thing to do, or are there better alternatives in adapting the demo to use theFidoMetadataService
?Thanks for your help!