Currently, devices are accepted based on attestation certificates. These certificates are identical for many (typically >100K) devices.
Maintaining these attestation certificates quickly becomes a burden.
FIDO2 devices are identified by an AAGUID, each corresponding to a different attestation certificate (AAGUIDs are embedded in the attestation certificate).
The FIDO metadata service is still somewhat immature (many devices are missing). Instead we can rely on trusting attestation root certificates, e.g. (see doc):
```php
use Symfony\Component\Cache\Adapter\FilesystemAdapter;
use Webauthn\MetadataService\SimpleMetadataStatementRepository;
use Webauthn\MetadataService\SingleMetadata;

$myMetadataStatementRepository = new SimpleMetadataStatementRepository(
    new FilesystemAdapter('webauthn') // We use filesystem caching in this example
);
// Second argument false: the statement is passed as plain JSON, not base64-encoded
$myMetadataStatementRepository->addSingleStatement('yubico', new SingleMetadata('<metadata stmt>', false));
```
The metadata statement contains the root certificates that can be used to verify the attestation certificates.
```json
{
  "description": "Yubico U2F Root CA Serial 457200631",
  "aaguid": "f8a011f3-8c0a-4d15-8006-17111f9edc7d",
  "protocolFamily": "fido2",
  "attestationRootCertificates": [
    "<base64 root certificate omitted>"
  ]
}
```
This root certificate is published out-of-band by Yubico:
When trusting a root certificate (and hence all tokens with attestation certificates issued by such roots), it becomes necessary to be able to make exceptions using a blacklist. (Joost van Dijk - May 15, 2020)
This issue is imported from Pivotal - Originally created at Apr 24, 2020 by Joost van Dijk
FIDO2 devices are identified by an AAGUID, each corresponding to a different attestation certificate (AAGUIDs are embedded in the attestation certificate). See: https://support.yubico.com/support/solutions/articles/15000028710-yubikey-hardware-fido2-aaguids
Eric has worked on using the FIDO metadata services, based on the following documentation: https://webauthn-doc.spomky-labs.com/deep-into-the-framework/attestation-and-metadata-statement
This root certificate is published out-of-band by Yubico:
https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt
and
https://developers.yubico.com/U2F/yubico-metadata.json
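As an added illustration of the policy argued for above (not code from this issue or from webauthn-lib): accept an authenticator when its attestation chain leads to a trusted root from the metadata statement, then allow per-AAGUID exceptions via a blocklist. It assumes the library has already verified the chain (passed in as a flag) and decodes the AAGUID from the attestation certificate's id-fido-gen-ce-aaguid extension, which the WebAuthn packed attestation format defines as a DER OCTET STRING holding the 16-byte AAGUID; the metadata statement and extension bytes are constructed samples.

```python
import json
import uuid

# Constructed metadata statement shaped like the one quoted in the issue
# (the root certificate blob is omitted; the library uses it to verify the chain).
METADATA_STATEMENTS = {
    "f8a011f3-8c0a-4d15-8006-17111f9edc7d": json.loads("""{
        "description": "Yubico U2F Root CA Serial 457200631",
        "aaguid": "f8a011f3-8c0a-4d15-8006-17111f9edc7d",
        "protocolFamily": "fido2",
        "attestationRootCertificates": ["<root certificate omitted>"]
    }""")
}


def aaguid_from_extension(der_value: bytes) -> uuid.UUID:
    """Decode the id-fido-gen-ce-aaguid (OID 1.3.6.1.4.1.45724.1.1.4) extension value.

    Packed attestation defines it as a DER OCTET STRING (tag 0x04, length 0x10)
    wrapping the raw 16-byte AAGUID. Anything else is rejected.
    """
    if len(der_value) != 18 or der_value[0] != 0x04 or der_value[1] != 0x10:
        raise ValueError("extension value must be an OCTET STRING of exactly 16 bytes")
    return uuid.UUID(bytes=der_value[2:])


def accept_authenticator(ext_value: bytes, chain_trusted: bool, blocklist: set) -> tuple:
    """Root-trust policy with per-AAGUID exceptions. Returns (accepted, reason).

    chain_trusted: outcome of verifying the attestation certificate chain against
    attestationRootCertificates (done by the WebAuthn library, assumed here).
    """
    if not chain_trusted:
        # A blocklist is only meaningful once the AAGUID is authenticated by the chain.
        return False, "attestation chain does not lead to a trusted root"
    aaguid = str(aaguid_from_extension(ext_value))
    statement = METADATA_STATEMENTS.get(aaguid)
    if statement is None:
        return False, f"no metadata statement for AAGUID {aaguid}"
    if aaguid in blocklist:
        return False, f"AAGUID {aaguid} ({statement['description']}) is blocklisted"
    return True, f"accepted {statement['description']} via trusted root"


# Constructed sample: extension value carrying the AAGUID from the statement above.
SAMPLE_EXT = b"\x04\x10" + uuid.UUID("f8a011f3-8c0a-4d15-8006-17111f9edc7d").bytes

if __name__ == "__main__":
    print(accept_authenticator(SAMPLE_EXT, True, set()))
    print(accept_authenticator(SAMPLE_EXT, True, {"f8a011f3-8c0a-4d15-8006-17111f9edc7d"}))
```

With "none" or self attestation there is no chain to verify, so the AAGUID in authenticatorData is unauthenticated and a blocklist keyed on it cannot be relied upon.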