
Attestation certificate verification for YUBICO - FIDO U2F (Legacy U2F authenticator)

Open rvb-git opened this issue 2 years ago • 0 comments

Hi Team,

I'm looking into the line-fido2-server project (link: line-fido2-server), and have some queries related to the verification of attestation certificates.

In the AttestationServiceImpl class, there's a method called verifyAttestationCertificate() that includes a step to fetch attestation root certificates from a database table called METADATA_YUBICO. However, it seems that this table is always empty, and I couldn't find any implementation in line-fido2-server to populate the METADATA_YUBICO table with the necessary metadata.

In particular, the issue arises when the attestation format is "fido-u2f" and the x509 certificate contains the issuer DN name "yubico". The method verifyAttestationCertificate() calls getLatestMetadata() in MetadataYubicoServiceImpl, but since the METADATA_YUBICO table is empty, no attestation root certificates are retrieved. Consequently, the verifyAttestationCertificate() method throws a METADATA_NOT_FOUND exception, as it cannot find the required metadata.

Should the METADATA_YUBICO table be manually populated with the relevant attestation root certificates for "yubico"?

Any assistance or insight would be greatly appreciated. Thank you!

rvb-git, Jun 22 '23 19:06
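To make the failure mode in the report concrete, here is an added example (not line-fido2-server code) of what a fail-closed `verifyAttestationCertificate()` looks like: the `fido-u2f` attestation certificate is chained to whatever roots the metadata store returned, and a Yubico issuer with an empty store is rejected with a `METADATA_NOT_FOUND`-style error instead of being trusted. Go's standard `crypto/x509` is used so the whole chain can be built in memory; the root and leaf certificates are constructed test material, not real Yubico certificates, and `newCert` and `ErrMetadataNotFound` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// ErrMetadataNotFound mirrors the failure in the issue: the metadata store held no roots.
var ErrMetadataNotFound = errors.New("metadata not found: no attestation roots for this issuer")

// newCert builds constructed test certificates (not real Yubico material): a
// self-signed CA when parent is nil, otherwise a leaf signed by parent.
func newCert(cn, org string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAttestationCertificate chains a fido-u2f attestation certificate to the roots
// fetched from the metadata store; a Yubico issuer with an empty store fails closed.
func verifyAttestationCertificate(att *x509.Certificate, metadataRoots []*x509.Certificate) error {
	if strings.Contains(strings.ToLower(att.Issuer.String()), "yubico") && len(metadataRoots) == 0 {
		return ErrMetadataNotFound
	}
	pool := x509.NewCertPool()
	for _, r := range metadataRoots {
		pool.AddCert(r)
	}
	_, err := att.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

With an empty root slice the Yubico-issued certificate is rejected with `ErrMetadataNotFound`; with the matching root loaded it verifies, and with only an unrelated vendor root loaded it fails with the usual unknown-authority error.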