package com.yubico.fido.metadata;
import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
/**
* This enumeration describes the status of an authenticator model as identified by its AAID/AAGUID
* or attestationCertificateKeyIdentifiers and potentially some additional information (such as a
* specific attestation key).
*
* @since 2.0.0
* @see <a
* href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
* Metadata Service §3.1.4. AuthenticatorStatus enum</a>
*/
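public enum AuthenticatorStatus {
  /**
   * (NOT DEFINED IN SPEC) Placeholder for any unknown {@link AuthenticatorStatus} value.
   *
   * <p>This constant is annotated as the Jackson default enum value, so Jackson substitutes it for
   * an unrecognized status string when {@code
   * DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE} is enabled on the mapper
   * (the mapper configuration is not visible in this file). A status added to the specification
   * after this version, including one that reports a compromise, would therefore surface as
   * {@code UNKNOWN}. Policy code should not treat {@code UNKNOWN} as "no known issues".
   *
   * @since 2.0.0
   */
  @JsonEnumDefaultValue
  UNKNOWN(0),

  /**
   * This authenticator is not FIDO certified.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  NOT_FIDO_CERTIFIED(0),

  /**
   * This authenticator has passed FIDO functional certification. This certification scheme is
   * phased out and will be replaced by {@link #FIDO_CERTIFIED_L1}.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  FIDO_CERTIFIED(10),

  /**
   * Indicates that malware is able to bypass the user verification. This means that the
   * authenticator could be used without the user’s consent and potentially even without the user’s
   * knowledge.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  USER_VERIFICATION_BYPASS(0),

  /**
   * Indicates that an attestation key for this authenticator is known to be compromised. The
   * relying party SHOULD check the certificate field and use it to identify the compromised
   * authenticator batch. If the certificate field is not set, the relying party should reject all
   * new registrations of the compromised authenticator. The Authenticator manufacturer should set
   * the date to the date when compromise has occurred.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  ATTESTATION_KEY_COMPROMISE(0),

  /**
   * This authenticator has identified weaknesses that allow registered keys to be compromised and
   * should not be trusted. This would include both, e.g. weak entropy that causes predictable keys
   * to be generated or side channels that allow keys or signatures to be forged, guessed or
   * extracted.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  USER_KEY_REMOTE_COMPROMISE(0),

  /**
   * This authenticator has known weaknesses in its key protection mechanism(s) that allow user keys
   * to be extracted by an adversary in physical possession of the device.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  USER_KEY_PHYSICAL_COMPROMISE(0),

  /**
   * A software or firmware update is available for the device. The Authenticator manufacturer
   * should set the url to the URL where users can obtain an update and the date the update was
   * published. When this status code is used, then the field authenticatorVersion in the
   * authenticator Metadata Statement [<a
   * href="https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html">FIDOMetadataStatement</a>]
   * MUST be updated, if the update fixes severe security issues, e.g. the ones reported by
   * preceding StatusReport entries with status code {@link #USER_VERIFICATION_BYPASS}, {@link
   * #ATTESTATION_KEY_COMPROMISE}, {@link #USER_KEY_REMOTE_COMPROMISE}, {@link
   * #USER_KEY_PHYSICAL_COMPROMISE}, {@link #REVOKED}. The Relying party MUST reject the Metadata
   * Statement if the authenticatorVersion has not increased.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  UPDATE_AVAILABLE(0),

  /**
   * The authenticator vendor has decided to retire the product, and this authenticator should not
   * be accepted any longer. For example, if a prototype version of the authenticator was added to
   * FIDO MDS and has now been superseded by the final product, the entry for the prototype might be
   * set to "retired".
   *
   * @since 2.9.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.1.1-rd-20251016.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  RETIRED(0),

  /**
   * The FIDO Alliance has determined that this authenticator should not be trusted for any reason.
   * For example if it is known to be a fraudulent product or contain a deliberate backdoor. Relying
   * parties SHOULD reject any future registration of this authenticator model.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  REVOKED(0),

  /**
   * The authenticator vendor has completed and submitted the self-certification checklist to the
   * FIDO Alliance. If this completed checklist is publicly available, the URL will be specified in
   * url.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  SELF_ASSERTION_SUBMITTED(0),

  /**
   * The authenticator has passed FIDO Authenticator certification at level 1. This level is the
   * more strict successor of {@link #FIDO_CERTIFIED}.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  FIDO_CERTIFIED_L1(10),

  /**
   * The authenticator has passed FIDO Authenticator certification at level 1+. This level is more
   * strict than level 1.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  FIDO_CERTIFIED_L1plus(11),

  /**
   * The authenticator has passed FIDO Authenticator certification at level 2. This level is more
   * strict than level 1+.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  FIDO_CERTIFIED_L2(20),

  /**
   * The authenticator has passed FIDO Authenticator certification at level 2+. This level is more
   * strict than level 2.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  FIDO_CERTIFIED_L2plus(21),

  /**
   * The authenticator has passed FIDO Authenticator certification at level 3. This level is more
   * strict than level 2+.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  FIDO_CERTIFIED_L3(30),

  /**
   * The authenticator has passed FIDO Authenticator certification at level 3+. This level is more
   * strict than level 3.
   *
   * @since 2.0.0
   * @see <a
   *     href="https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#enumdef-authenticatorstatus">FIDO
   *     Metadata Service §3.1.4. AuthenticatorStatus enum</a>
   */
  FIDO_CERTIFIED_L3plus(31);

  /**
   * Numeric rank of the certification this status represents, as assigned by the constants above:
   * 10 for functional certification and level 1, 11 for level 1+, 20 and 21 for level 2 and 2+, 30
   * and 31 for level 3 and 3+, and 0 for every status that is not a certification level.
   *
   * <p>The value 0 is shared by neutral statuses (e.g. {@link #NOT_FIDO_CERTIFIED}) and by
   * security-relevant ones (e.g. {@link #REVOKED}, {@link #ATTESTATION_KEY_COMPROMISE}). This
   * number alone cannot distinguish a compromised authenticator from an uncertified one, so
   * callers must also inspect the status constant itself.
   *
   * <p>Declared {@code final} because enum constants are JVM-wide singletons. A writable field
   * would let any class in this package change the level reported for a status everywhere at once.
   */
  final int certificationLevel;

  /**
   * Binds a status constant to its certification rank.
   *
   * @param certificationLevel the rank to associate with the constant; 0 for statuses that do not
   *     denote a certification level
   */
  AuthenticatorStatus(int certificationLevel) {
    this.certificationLevel = certificationLevel;
  }
}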