Add notRetired filter

fdennis · fdennis · commit 1aa28faae451 · 2026-02-06T14:32:50.000+01:00
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java b/webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataService.java
@@ -263,8 +263,10 @@ public FidoMetadataServiceBuilder useBlob(@NonNull MetadataBLOBPayload blobPaylo
      *
      * <p>The default is {@link Filters#notRevoked() Filters.notRevoked()}. Setting a different
      * filter overrides this default; to preserve the "not revoked" condition in addition to the new
-     * filter, you must explicitly include the condition in the few filter. For example, by using
-     * {@link Filters#allOf(Predicate[]) Filters.allOf(Predicate...)}.
+     * filter, you must explicitly include the condition in the new filter, for example by using
+     * {@link Filters#allOf(Predicate[]) Filters.allOf(Predicate...)}. To add the {@link
+     * Filters#notRetired() Filters.notRetired()} filter, use: <code>
+     * .prefilter(Filters.allOf(Filters.notRevoked(), Filters.notRetired()))</code>.
      *
      * @param prefilter a {@link Predicate} which returns <code>true</code> for metadata entries to
      *     include in the data source.
@@ -378,6 +380,20 @@ public static Predicate<MetadataBLOBPayloadEntry> notRevoked() {
                   statusReport -> AuthenticatorStatus.REVOKED.equals(statusReport.getStatus()));
     }
 
+    /**
+     * Include any metadata entry whose {@link MetadataBLOBPayloadEntry#getStatusReports()
+     * statusReports} array contains no entry with {@link AuthenticatorStatus#RETIRED RETIRED}
+     * status.
+     *
+     * @see AuthenticatorStatus#RETIRED
+     */
+    public static Predicate<MetadataBLOBPayloadEntry> notRetired() {
+      return (entry) ->
+          entry.getStatusReports().stream()
+              .noneMatch(
+                  statusReport -> AuthenticatorStatus.RETIRED.equals(statusReport.getStatus()));
+    }
+
     /**
      * Accept any authenticator whose matched metadata entry does NOT indicate a compromised
      * attestation key.
diff --git a/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala b/webauthn-server-attestation/src/test/scala/com/yubico/fido/metadata/FidoMds3Spec.scala
@@ -1037,4 +1037,88 @@ class FidoMds3Spec extends AnyFunSpec with Matchers {
 
   }
 
+  describe("The notRetired filter") {
+    val attestationRoot = TestAuthenticator.generateAttestationCaCertificate()
+    val rootCertBase64 = new ByteArray(attestationRoot._1.getEncoded).getBase64
+
+    val (goodCert, _) = TestAuthenticator.generateAttestationCertificate(
+      name = new X500Name("CN=Good cert"),
+      caCertAndKey = Some(attestationRoot),
+    )
+
+    val goodCertKeyIdentifier = new ByteArray(
+      CertificateParser.computeSubjectKeyIdentifier(goodCert)
+    ).getHex
+
+    val aaguidRetired =
+      new AAGUID(ByteArray.fromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
+
+    val blob: MetadataBLOBPayload =
+      JacksonCodecs.jsonWithDefaultEnums.readValue(
+        s"""{
+        "legalHeader" : "Kom ihåg att du aldrig får snyta dig i mattan!",
+        "nextUpdate" : "2022-12-01",
+        "no" : 0,
+        "entries": [
+          {
+            "aaguid": "${aaguidRetired.asGuidString()}",
+            "attestationCertificateKeyIdentifiers": ["${goodCertKeyIdentifier}"],
+            "metadataStatement": {
+              "aaguid": "${aaguidRetired.asGuidString()}",
+              "attestationCertificateKeyIdentifiers": ["${goodCertKeyIdentifier}"],
+              "authenticatorVersion": 1,
+              "attachmentHint" : ["internal"],
+              "attestationRootCertificates": ["${rootCertBase64}"],
+              "attestationTypes" : ["basic_full"],
+              "authenticationAlgorithms" : ["secp256r1_ecdsa_sha256_raw"],
+              "description" : "Test authenticator",
+              "keyProtection" : ["software"],
+              "matcherProtection" : ["software"],
+              "protocolFamily" : "u2f",
+              "publicKeyAlgAndEncodings" : ["ecc_x962_raw"],
+              "schema" : 3,
+              "tcDisplay" : [],
+              "upv" : [{ "major" : 1, "minor" : 1 }],
+              "userVerificationDetails" : [[{ "userVerificationMethod" : "presence_internal" }]]
+            },
+           "statusReports": [
+              { "status": "RETIRED", "effectiveDate": "2022-02-01" }
+            ],
+            "timeOfLastStatusChange": "2022-02-15"
+          }
+        ]
+      }""".stripMargin,
+        classOf[MetadataBLOBPayload],
+      )
+
+    it("is not enabled by default.") {
+      val mds = FidoMetadataService.builder().useBlob(blob).build()
+
+      mds
+        .findTrustRoots(
+          List(goodCert).asJava,
+          Some(aaguidRetired.asBytes).toJava,
+        )
+        .getTrustRoots
+        .asScala should not be empty
+    }
+
+    it("can be enabled explicitly as a prefilter.") {
+      val mds = FidoMetadataService
+        .builder()
+        .useBlob(blob)
+        .prefilter(FidoMetadataService.Filters.notRetired())
+        .build()
+
+      mds
+        .findTrustRoots(
+          List(goodCert).asJava,
+          Some(aaguidRetired.asBytes).toJava,
+        )
+        .getTrustRoots
+        .asScala shouldBe empty
+    }
+
+  }
+
 }
