Elevate com.sun.security.enableCRLDP instruction to a Getting Started step
emlun committed May 3, 2023
1 parent 74dd748 commit e2409b5
Showing 1 changed file with 9 additions and 6 deletions.
15 changes: 9 additions & 6 deletions webauthn-server-attestation/README.adoc
Expand Up @@ -120,7 +120,7 @@ Breaking changes to these will NOT be reflected in version numbers.

== Getting started

Using this module consists of 4 major steps:
Using this module consists of 5 major steps:

1. Create a
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.4.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
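
Review bot: The step count in "Using this module consists of 5 major steps:" is hard-coded, so it has to be edited every time a step is added or removed, as it was here (4 to 5). Consider "Using this module consists of the following steps:" so the sentence cannot drift out of sync with the numbered list.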
Expand Down Expand Up @@ -218,13 +218,16 @@ RegistrationResult result = rp.finishRegistration(/* ... */);
Set<MetadataBLOBPayloadEntry> metadata = mds.findEntries(result);
----------

By default,
link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.4.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`]
will probably use the SUN provider for the `PKIX` certificate path validation algorithm.
This requires the `com.sun.security.enableCRLDP` system property set to `true` in order to verify the BLOB signature.
5. If you use the SUN provider for the `PKIX` certificate path validation algorithm, which many deployments do by default:
set the `com.sun.security.enableCRLDP` system property to `true`.
This is required for the SUN `PKIX` provider to support the CRL Distribution Points extension,
which is needed in order to verify the BLOB signature.
+
For example, this can be done on the JVM command line using a `-Dcom.sun.security.enableCRLDP=true` option.
See the https://docs.oracle.com/javase/9/security/java-pki-programmers-guide.htm#JSSEC-GUID-EB250086-0AC1-4D60-AE2A-FC7461374746[Java PKI Programmers Guide]
See the https://docs.oracle.com/javase/9/security/java-pki-programmers-guide.htm#GUID-EB250086-0AC1-4D60-AE2A-FC7461374746__SECTION-139-623E860E[Java PKI Programmers Guide]
for details.
+
This step may not be necessary if you use a different provider for the `PKIX` certificate path validation algorithm.


== Selecting trusted authenticators
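
Review bot: Step 5 is numbered after the `finishRegistration`/`findEntries` example, but its own text says the property is needed to verify the BLOB signature, which the replaced paragraph attributes to `FidoMetadataDownloader` from step 1, so a reader following the steps in order would reach BLOB verification before reaching this instruction. Either move it ahead of step 1 or state in step 5 that `com.sun.security.enableCRLDP` must be set before the downloader loads the BLOB. Also, the updated Java PKI Programmers Guide link still pins the `javase/9` documentation; note that if it is deliberate, or point it at a current release.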

1 comment on commit e2409b5

@github-actions

Mutation test results

| Package | Coverage | Stats | Prev | Prev |
|---|---|---|---|---|
| Overall | 81 % 🔻 | 1266 🔻 / 1559 🔹 | 84 % | 1317 / 1559 |
| com.yubico.fido.metadata | 68 % 🔻 | 218 🔻 / 318 🔹 | 84 % | 269 / 318 |
| com.yubico.internal.util | 47 % 🔹 | 57 🔹 / 120 🔹 | 47 % | 57 / 120 |
| com.yubico.webauthn | 87 % 🔹 | 558 🔹 / 637 🔹 | 87 % | 558 / 637 |
| com.yubico.webauthn.attestation | 92 % 🔹 | 13 🔹 / 14 🔹 | 92 % | 13 / 14 |
| com.yubico.webauthn.data | 93 % 🔹 | 395 🔹 / 423 🔹 | 93 % | 395 / 423 |
| com.yubico.webauthn.extension.appid | 100 % 🏆 | 13 🔹 / 13 🔹 | 100 % | 13 / 13 |
| com.yubico.webauthn.extension.uvm | 50 % 🔹 | 12 🔹 / 24 🔹 | 50 % | 12 / 24 |
| com.yubico.webauthn.meta | 0 % 🔹 | 0 🔹 / 10 🔹 | 0 % | 0 / 10 |

Previous run: 74dd748 - Diff

Detailed reports: workflow run #218
