
feat(jans-fido2): add support for isEnterpriseAttestation in local me… #9521

Merged

Conversation

@imran-ishaq commented Sep 18, 2024

…tadata retrieval

Prepare


Description

Target issue

closes #8909

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

…tadata retrieval

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

dryrunsecurity bot commented Sep 18, 2024

DryRun Security Summary

The pull request focuses on improving the reliability and security of the FIDO2 attestation process in the Jans FIDO2 server application, including enterprise attestation configuration, fallback to empty metadata, handling of metadata formats, and fallback to local root certificates, along with new test cases to ensure the robustness of the FIDO2 authentication process.


Summary:

The code changes in this pull request focus on improving the reliability and security of the FIDO2 attestation process in the Jans FIDO2 server application. The key changes include:

  1. Enterprise Attestation Configuration: The code now checks the FIDO2 configuration to determine whether to use the local or remote metadata service for fetching attestation root certificates. This can improve security by relying on a trusted local metadata service.

  2. Fallback to Empty Metadata: The code now handles cases where the local metadata service fails to retrieve the necessary metadata, by creating an empty JsonNode object instead of returning null. This ensures that the application can still proceed with the attestation verification process.

  3. Handling of Metadata Formats: The code now handles different formats of the metadata, including the "metadataStatement" field, to extract the attestation root certificates. This improves the robustness and flexibility of the attestation process.

  4. Fallback to Local Root Certificates: If the metadata does not contain the necessary attestation root certificates, the code falls back to using the local root certificates stored in the rootCertificatesMap. This security-conscious approach allows the application to verify the attestation certificates without solely depending on the remote metadata service.

The changes also include new test cases that cover the enterprise attestation feature and the handling of attestation certificates, which are important security-related aspects of the FIDO2 authentication process. These tests help to ensure the reliability and robustness of the FIDO2 server application.

Files Changed:

  1. jans-fido2/server/src/main/java/io/jans/fido2/service/mds/AttestationCertificateService.java:

    • Improvements to the handling of attestation root certificates, including the use of enterprise attestation and fallback mechanisms.
    • Enhanced support for different metadata formats and handling of metadata retrieval failures.
  2. jans-fido2/server/src/test/java/io/jans/fido2/service/processor/attestation/TPMProcessorTest.java:

    • Introduction of new test cases to cover the enterprise attestation feature and the handling of attestation certificates.
    • Additions of mocks and dependencies related to metadata services, indicating the application's integration with external metadata sources for FIDO2 attestation verification.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

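The four behaviours the summary above lists (config-driven choice of local vs. remote metadata, empty node instead of null on retrieval failure, reading roots from either a wrapped "metadataStatement" or a bare statement, and falling back to a locally pinned map) fit in one resolver. The following is an added example written for this page, not code from the Janssen project or from the PR; the class and interface names (AttestationRootResolver, Fido2Config, MetadataSource), the in-memory sources and the sample AAGUIDs and certificate strings are all constructed here, and Jackson is assumed only because the summary refers to JsonNode. One design choice is the example's own and not stated on the page: when neither the metadata nor the pinned map yields a root, it throws rather than continuing, so an attestation can never be "verified" against an empty trust set.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Illustrative attestation-root resolver; all names here are hypothetical. */
public class AttestationRootResolver {

    /** Minimal stand-in for the FIDO2 configuration flag discussed in the PR. */
    public static final class Fido2Config {
        private final boolean enterpriseAttestation;
        public Fido2Config(boolean enterpriseAttestation) { this.enterpriseAttestation = enterpriseAttestation; }
        public boolean isEnterpriseAttestation() { return enterpriseAttestation; }
    }

    /** Metadata source keyed by AAGUID; returns null when it has no entry (the failure the PR handles). */
    public interface MetadataSource {
        JsonNode getMetadata(String aaguid);
    }

    private static final ObjectMapper MAPPER = new ObjectMapper();

    private final Fido2Config config;
    private final MetadataSource localMds;
    private final MetadataSource remoteMds;
    private final Map<String, List<String>> rootCertificatesMap; // AAGUID -> pinned root certs (base64/PEM)

    public AttestationRootResolver(Fido2Config config, MetadataSource localMds, MetadataSource remoteMds,
                                   Map<String, List<String>> rootCertificatesMap) {
        this.config = config;
        this.localMds = localMds;
        this.remoteMds = remoteMds;
        this.rootCertificatesMap = rootCertificatesMap;
    }

    /** Steps 1 and 2: pick local or remote by config; never hand back null, use an empty node instead. */
    JsonNode fetchMetadata(String aaguid) {
        MetadataSource source = config.isEnterpriseAttestation() ? localMds : remoteMds;
        JsonNode node = source.getMetadata(aaguid);
        return node == null ? MAPPER.createObjectNode() : node;
    }

    /** Step 3: accept both a wrapped "metadataStatement" object and a bare statement. */
    static List<String> rootsFromMetadata(JsonNode metadata) {
        JsonNode statement = metadata.has("metadataStatement") ? metadata.get("metadataStatement") : metadata;
        JsonNode roots = statement.get("attestationRootCertificates");
        if (roots == null || !roots.isArray()) {
            return Collections.emptyList();
        }
        List<String> out = new ArrayList<>();
        for (JsonNode r : roots) {
            if (r.isTextual()) out.add(r.asText());
        }
        return out;
    }

    /** Step 4: fall back to the locally pinned roots; fail closed if nothing is found (example's own choice). */
    public List<String> resolve(String aaguid) {
        List<String> roots = rootsFromMetadata(fetchMetadata(aaguid));
        if (roots.isEmpty()) {
            roots = rootCertificatesMap.getOrDefault(aaguid, Collections.emptyList());
        }
        if (roots.isEmpty()) {
            throw new IllegalStateException("no attestation root certificates for AAGUID " + aaguid);
        }
        return roots;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, not real MDS content.
        JsonNode wrapped = MAPPER.readTree(
            "{\"aaguid\":\"aaaa-1\",\"metadataStatement\":{\"attestationRootCertificates\":[\"MIIB...root-from-mds\"]}}");
        Map<String, JsonNode> localEntries = new HashMap<>();
        localEntries.put("aaaa-1", wrapped);
        MetadataSource local = localEntries::get;   // null for unknown AAGUIDs, like a failed local lookup
        MetadataSource remote = aaguid -> null;      // simulates an unreachable remote MDS

        Map<String, List<String>> pinned = new HashMap<>();
        pinned.put("bbbb-2", List.of("MIIB...locally-pinned-root"));

        AttestationRootResolver r = new AttestationRootResolver(new Fido2Config(true), local, remote, pinned);
        System.out.println(r.resolve("aaaa-1")); // taken from metadataStatement
        System.out.println(r.resolve("bbbb-2")); // empty metadata, then rootCertificatesMap
        try {
            r.resolve("cccc-3");                 // nothing anywhere: rejected
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With isEnterpriseAttestation set to true the remote source is never consulted, which is the point of the flag for deployments that pin their own authenticator metadata; the empty-node fallback keeps the code path uniform, but the caller still has to decide what an empty trust set means, and the example makes that decision explicit rather than leaving it to whatever the certificate-chain check does with an empty anchor list.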

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>
@imran-ishaq (Author)

Note: This pull request depends on [PR #9463], so it needs to be merged first.

@imran-ishaq imran-ishaq marked this pull request as ready for review September 18, 2024 15:14
@imran-ishaq imran-ishaq merged commit 86d6552 into passkeys-project Sep 24, 2024
11 checks passed
@imran-ishaq imran-ishaq deleted the jans-fido2-is-enterprise-attestation_8909 branch September 24, 2024 16:12
moabu pushed a commit that referenced this pull request Nov 7, 2024
#9521)

* feat(jans-fido2): add support for isEnterpriseAttestation in local metadata retrieval

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

* feat(jans-fido2): add new unit test for isEnterpriseAttestation

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

---------

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>