Reflect Authenicator Name with Passkeys (#9716)

* feat(jans-fido2): reflect authenticator name with passkeys

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

* fix(jans-fido2): handle test cases for authenticator name

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

---------

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>

jans-fido2/server/src/main/java/io/jans/fido2/model/auth/CredAndCounterData.java

@@ -30,6 +30,7 @@ public class CredAndCounterData {
 	private boolean extensionDataFlag;
 	private boolean userVerifiedFlag;
 	private boolean userPresentFlag;
+	private String authenticatorName;
 
 	public String getCredId() {
 		return credId;
@@ -122,4 +123,7 @@ public boolean isUserPresentFlag() {
 	public void setUserPresentFlag(boolean userPresentFlag) {
 		this.userPresentFlag = userPresentFlag;
 	}
+
+	public void setAuthenticatorName(String authenticatorName) {this.authenticatorName = authenticatorName;}
+	public String getAuthenticatorName() {return authenticatorName;}
 }

jans-fido2/server/src/main/java/io/jans/fido2/service/mds/AttestationCertificateService.java

@@ -112,7 +112,27 @@ public List<X509Certificate> getAttestationRootCertificates(JsonNode metadataNod
 		return certificateService.getCertificates(x509certificates);
 	}
 
-	public List<X509Certificate> getAttestationRootCertificates(AuthData authData, List<X509Certificate> attestationCertificates) {
+	public String getAttestationAuthenticatorName(AuthData authData) {
+		JsonNode metadataForAuthenticator = getMetadataForAuthenticator(authData);
+		JsonNode metaDataStatement = null;
+		if ((metadataForAuthenticator != null)) {
+			if (metadataForAuthenticator.has("description")) {
+				metaDataStatement = metadataForAuthenticator;
+			} else if (metadataForAuthenticator.has("metadataStatement")) {
+				try {
+					metaDataStatement = dataMapperService.readTree(metadataForAuthenticator.get("metadataStatement").toPrettyString());
+				} catch (IOException e) {
+					log.error("Error parsing the metadata statement", e);
+				}
+			}
+		}
+		if (metadataForAuthenticator == null || metaDataStatement == null
+				|| !metaDataStatement.has("description")) {
+			return null;
+		}
+		return metaDataStatement.get("description").asText();
+	}
+	private JsonNode getMetadataForAuthenticator(AuthData authData) {
 		String aaguid = Hex.encodeHexString(authData.getAaguid());
 		Fido2Configuration fido2Configuration = appConfiguration.getFido2Configuration();
 		JsonNode metadataForAuthenticator;
@@ -126,14 +146,18 @@ public List<X509Certificate> getAttestationRootCertificates(AuthData authData, L
 				log.info("No Local metadata for authenticator {}. Checking for metadata MDS3 blob", aaguid);
 				JsonNode metadata = mdsService.fetchMetadata(authData.getAaguid());
 				commonVerifiers.verifyThatMetadataIsValid(metadata);
-				return getAttestationRootCertificates(metadata, attestationCertificates);
+				metadataForAuthenticator = metadata;
 			} catch (Fido2RuntimeException ex) {
 				log.warn("Failed to get metadata from Fido2 meta-data server: {}", ex.getMessage(), ex);
 
 				metadataForAuthenticator = dataMapperService.createObjectNode();
 			}
 		}
+		return metadataForAuthenticator;
+	}
 
+	public List<X509Certificate> getAttestationRootCertificates(AuthData authData, List<X509Certificate> attestationCertificates) {
+		JsonNode metadataForAuthenticator = getMetadataForAuthenticator(authData);
 		return getAttestationRootCertificates(metadataForAuthenticator, attestationCertificates);
 	}
 

jans-fido2/server/src/main/java/io/jans/fido2/service/operation/AttestationService.java

@@ -353,6 +353,7 @@ public AttestationOrAssertionResponse verify(AttestationResult attestationResult
 		attestationResultResponse.setCredentials(credentialDescriptor);
 		attestationResultResponse.setStatus("ok");
 		attestationResultResponse.setErrorMessage("");
+		attestationResultResponse.setAuthenticatorName(attestationData.getAuthenticatorName());
 
 		externalFido2InterceptionContext.addToContext(registrationEntry, null);
 		externalFido2InterceptionService.verifyAttestationFinish(CommonUtilService.toJsonNode(attestationResult), externalFido2InterceptionContext);

jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/AppleAttestationProcessor.java

@@ -171,6 +171,7 @@ public void process(JsonNode attStmt, AuthData authData, Fido2RegistrationData c
 			// log.info("attStmt.get(\"alg\")"+attStmt.get("alg"));
 			int alg = -7;// commonVerifiers.verifyAlgorithm(attStmt.get("alg"), authData.getKeyType());
 			credIdAndCounters.setSignatureAlgorithm(alg);
+			credIdAndCounters.setAuthenticatorName(attestationCertificateService.getAttestationAuthenticatorName(authData));
 		}
 	}
 }

jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/PackedAttestationProcessor.java

@@ -120,6 +120,7 @@ public void process(JsonNode attStmt, AuthData authData, Fido2RegistrationData r
         credIdAndCounters.setCredId(base64Service.urlEncodeToString(authData.getCredId()));
         credIdAndCounters.setUncompressedEcPoint(base64Service.urlEncodeToString(authData.getCosePublicKey()));
         credIdAndCounters.setSignatureAlgorithm(alg);
+        credIdAndCounters.setAuthenticatorName(attestationCertificateService.getAttestationAuthenticatorName(authData));
     }
 
 	private List<X509Certificate> getAttestationCertificates(JsonNode attStmt) {

jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/TPMProcessor.java

@@ -168,6 +168,7 @@ public void process(JsonNode attStmt, AuthData authData, Fido2RegistrationData c
             credIdAndCounters.setAttestationType(getAttestationFormat().getFmt());
             credIdAndCounters.setCredId(base64Service.urlEncodeToString(authData.getCredId()));
             credIdAndCounters.setUncompressedEcPoint(base64Service.urlEncodeToString(authData.getCosePublicKey()));
+            credIdAndCounters.setAuthenticatorName(attestationCertificateService.getAttestationAuthenticatorName(authData));
             credIdAndCounters.setSignatureAlgorithm(alg);
         } else {
             throw errorResponseFactory.badRequestException(AttestationErrorResponseType.TPM_ERROR, "Problem with TPM attestation. Unsupported");

jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/U2FAttestationProcessor.java

@@ -138,5 +138,6 @@ public void process(JsonNode attStmt, AuthData authData, Fido2RegistrationData r
         credIdAndCounters.setAttestationType(getAttestationFormat().getFmt());
         credIdAndCounters.setCredId(base64Service.urlEncodeToString(authData.getCredId()));
         credIdAndCounters.setUncompressedEcPoint(base64Service.urlEncodeToString(authData.getCosePublicKey()));
+        credIdAndCounters.setAuthenticatorName(attestationCertificateService.getAttestationAuthenticatorName(authData));
     }
 }

jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/U2FSuperGluuAttestationProcessor.java

@@ -127,6 +127,7 @@ public void process(JsonNode attStmt, AuthData authData, Fido2RegistrationData r
         credIdAndCounters.setAttestationType(getAttestationFormat().getFmt());
         credIdAndCounters.setCredId(base64Service.urlEncodeToString(authData.getCredId()));
         credIdAndCounters.setUncompressedEcPoint(base64Service.urlEncodeToString(authData.getCosePublicKey()));
+        credIdAndCounters.setAuthenticatorName(attestationCertificateService.getAttestationAuthenticatorName(authData));
     }
 
 }

jans-fido2/server/src/test/java/io/jans/fido2/service/processor/attestation/PackedAttestationProcessorTest.java

@@ -275,6 +275,6 @@ void process_ifAttStmtIsNotX5cOrEcdaaKey_valid() {
         verify(commonVerifiers).verifyAlgorithm(any(JsonNode.class), any(Integer.class));
         verify(commonVerifiers).verifyBase64String(any(JsonNode.class));
         verify(base64Service, times(2)).urlEncodeToString(any());
-        verifyNoInteractions(certificateService, attestationCertificateService, appConfiguration, log, certificateVerifier);
+        verifyNoInteractions(certificateService, appConfiguration, log, certificateVerifier);
     }
 }

jans-fido2/server/src/test/java/io/jans/fido2/service/processor/attestation/U2FAttestationProcessorTest.java

@@ -239,6 +239,6 @@ void process_ifAttStmtNotIsX5cOrEcdaaKeyId_success() {
         verify(commonVerifiers).verifyRpIdHash(authData, "test-domain");
         verify(coseService).getPublicKeyFromUncompressedECPoint(any());
         verify(authenticatorDataVerifier).verifyPackedSurrogateAttestationSignature(authData.getAuthDataDecoded(), clientDataHash, "test-signature", publicKey, -7);
-        verifyNoInteractions(log, certificateService, certificateVerifier, appConfiguration, attestationCertificateService);
+        verifyNoInteractions(log, certificateService, certificateVerifier, appConfiguration);
     }
 }