From 6f37aa3cffc2f87f89f6dcaaaa92327d922fc21a Mon Sep 17 00:00:00 2001
From: Dennis Fokin
Date: Thu, 19 Dec 2024 14:00:58 +0100
Subject: [PATCH] Add enterprise attestation serial number helper
---
.../webauthn/attestation/CertificateUtil.java | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/CertificateUtil.java
diff --git a/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/CertificateUtil.java b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/CertificateUtil.java
new file mode 100644
index 000000000..50caa1ed3
--- /dev/null
+++ b/webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/CertificateUtil.java
@@ -0,0 +1,33 @@
+package com.yubico.webauthn.attestation;
+
+import java.nio.ByteBuffer;
+import java.security.cert.X509Certificate;
+import java.util.Optional;
+
+public class CertificateUtil {
+ public static final String ID_FIDO_GEN_CE_SERNUM = "1.3.6.1.4.1.45724.1.1.2";
+
+ private static byte[] parseSerNum(byte[] bytes) {
+ if (bytes != null) {
+ ByteBuffer buffer = ByteBuffer.wrap(bytes);
+
+ if (buffer.get() == (byte) 0x04
+ && buffer.get() > 0
+ && buffer.get() == (byte) 0x04) {
+
+ byte length = buffer.get();
+ byte[] serNumBytes = new byte[length];
+ buffer.get(serNumBytes);
+
+ return serNumBytes;
+ }
+ }
+
+ throw new IllegalArgumentException(
+ "X.509 extension 1.3.6.1.4.1.45724.1.1.2 (id-fido-gen-ce-sernum) is not valid.");
+ }
+
+ public static Optional parseFidoSerNumExtension(X509Certificate cert) {
+ return Optional.ofNullable(cert.getExtensionValue(ID_FIDO_GEN_CE_SERNUM)).map(CertificateUtil::parseSerNum);
+ }
+}
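Review bot: In `parseSerNum`, the inner length is read into a signed `byte` and used as an array size without being compared to the bytes left in the buffer. An extension value that is truncated, or whose length byte is 0x80 or above, therefore fails with `BufferUnderflowException` or `NegativeArraySizeException` rather than the `IllegalArgumentException` the method otherwise throws. The certificate presumably originates from an authenticator's registration response, so every malformed encoding should land on the same rejection path that callers already handle. The sketch below reads the length unsigned, accepts only short-form lengths that fit in `buffer.remaining()`, and checks `bytes.length >= 4` before the first `get()`; whether trailing bytes after the serial number should also be rejected is left to the author. Separately, `parseFidoSerNumExtension` shows a raw `Optional` return type here; if that is not an extraction artifact, it should be `Optional<byte[]>`.

```java
  private static byte[] parseSerNum(byte[] bytes) {
    // Outer tag, outer length, inner tag and inner length must all be present before reading.
    if (bytes != null && bytes.length >= 4) {
      // … unchanged: ByteBuffer.wrap(bytes) and the 0x04 / length / 0x04 header check …

        // Short-form DER length only; mask so a byte >= 0x80 cannot become a negative size.
        int length = buffer.get() & 0xFF;
        if (length < 0x80 && length <= buffer.remaining()) {
          byte[] serNumBytes = new byte[length];
          buffer.get(serNumBytes);
          return serNumBytes;
        }
    // … unchanged: closing braces and the IllegalArgumentException throw …
```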