ProjectPasskeys: Add support for Enterprise Attestation #8909

Closed
yackermann opened this issue Jul 9, 2024 · 4 comments

@yackermann
Collaborator

yackermann commented Jul 9, 2024

Add support for Enterprise Attestation, so that custom enterprise attestation keys can be used.

@moabu moabu added this to the 1.1.4 milestone Jul 16, 2024
@yackermann
Collaborator Author

yackermann commented Jul 23, 2024

  • Add "Enterprise Attestation" mode credential creation
  • Add support for the EP (enterprise attestation) extension
  • Add a per-customer metadata store.
  • Add a "Mandatory Enterprise Attestation" configuration option, with a list of applicable customer metadata

@yackermann
Collaborator Author

Expected experience:

  1. Configuration:

Customer accesses their admin panel. In "My Authenticator Metadatas" they add their enterprise metadata and mark it as "Enterprise only".

In the settings they then enable "Enterprise Attestation" and add "Allowed RPIDs" (the RPIDs that were used to configure the authenticators).

They then set the enterprise attestation mode to either:

Detect mode - will try running enterprise attestation, but won't fail if it does not match the user store.
Enforce mode - will try enterprise attestation, and if it does not match the customer metadata store, it will fail.

  2. Usage.

During credential creation (adding an authenticator), the make-credential request payload's extensions will include "ep": true.

Once the response is received, the server will check the attestation against the customer metadata.

If the server is in enforce mode, it will respond with the error "unauthorized" and log that an attempt was made to add a non-permitted authenticator.

If the server is in detect mode, then the attestation will be checked against the public store.

If attestation is required, and that fails too, then an error is returned.

@maduvena
Contributor

maduvena commented Jul 24, 2024

Notes for implementation:

  1. The LocalMdsService service maintains a JSON file containing authenticator metadata configured by the administrator. The location of the JSON file can be configured using config-api

https://github.com/JanssenProject/jans/blob/main/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/LocalMdsService.java

  2. Currently, during attestation, the LocalMetadataService is checked first, then the MDS3MetaDataService is checked.
    JsonNode metadataForAuthenticator = localMdsService.getAuthenticatorsMetadata(aaguid);
  • So, here we need to proceed as per detect mode / enforce mode, which will be set using config-api:
    Detect mode - will try running enterprise attestation, but won't fail if it does not match the user store.
    Enforce mode - will try enterprise attestation, and if it does not match the customer metadata store, it will fail.
  3. Use the Config-API UI to upload new metadata for customers
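The detect/enforce flow described in the "Expected experience" comment above, and the "local store first, then MDS3" ordering in the implementation notes, as an added worked example. This is illustrative Python written for this thread, not jans-fido2 code: the class and function names, the dict-based metadata stores, the `attestation_required` flag and the sample authenticator data are all assumptions. It parses the WebAuthn authenticator data to get the rpIdHash and AAGUID, checks the per-customer store first, and only falls through to the public store in detect mode; verification of the attestation statement's signature and certificate chain against the matched metadata entry is assumed to have happened before this policy runs and is not shown.

```python
"""Enterprise-attestation policy for WebAuthn registration (added example, not jans-fido2 code).

Assumed, not taken from the project: all names below, the dict-based metadata
stores, the attestation_required flag, and the constructed sample authenticator data.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Mode(Enum):
    DETECT = "detect"    # try enterprise attestation, fall back to the public store
    ENFORCE = "enforce"  # reject anything not in the customer's own store


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]  # present only when the AT flag (0x40) is set


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte WebAuthn authenticator-data prefix and, if the AT flag is
    set, the AAGUID and credential-ID length from the attested credential data."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags = raw[:32], raw[32]
    sign_count = int.from_bytes(raw[33:37], "big")
    aaguid = None
    if flags & 0x40:  # AT: attested credential data follows the counter
        if len(raw) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = raw[37:53]
        cred_id_len = int.from_bytes(raw[53:55], "big")
        if len(raw) < 55 + cred_id_len:
            raise ValueError("credential ID truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid)


@dataclass
class EnterpriseConfig:
    enabled: bool
    mode: Mode
    allowed_rp_ids: Set[str]                  # "Allowed RPIDs" from the admin settings
    customer_metadata: Dict[bytes, dict]      # per-customer store, keyed by AAGUID
    attestation_required: bool                # refuse credentials with unknown AAGUID


@dataclass
class Decision:
    accepted: bool
    reason: str
    log: List[str] = field(default_factory=list)


def evaluate_registration(raw_auth_data: bytes, rp_id: str, cfg: EnterpriseConfig,
                          public_mds: Dict[bytes, dict]) -> Decision:
    """Apply the detect/enforce policy to the authenticator data of a makeCredential response."""
    ad = parse_authenticator_data(raw_auth_data)
    log: List[str] = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return Decision(False, "rpIdHash mismatch", log)
    if ad.aaguid is None:
        return Decision(False, "no attested credential data", log)

    # Customer store first (mirrors LocalMdsService being consulted before MDS3).
    if cfg.enabled and rp_id in cfg.allowed_rp_ids:
        if ad.aaguid in cfg.customer_metadata:
            log.append(f"enterprise attestation matched AAGUID {ad.aaguid.hex()}")
            return Decision(True, "customer metadata", log)
        if cfg.mode is Mode.ENFORCE:
            log.append(f"non-permitted authenticator {ad.aaguid.hex()} attempted")
            return Decision(False, "unauthorized", log)

    # Detect mode (or enterprise attestation not applicable): consult the public store.
    if ad.aaguid in public_mds:
        return Decision(True, "public metadata", log)
    if cfg.attestation_required:
        return Decision(False, "attestation required but AAGUID unknown", log)
    return Decision(True, "unattested credential accepted", log)


# Constructed sample data (not captured from any real authenticator).
RP_ID = "example.com"
ENTERPRISE_AAGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")
CONSUMER_AAGUID = bytes.fromhex("fedcba9876543210fedcba9876543210")
UNKNOWN_AAGUID = bytes(16)


def sample_auth_data(aaguid: bytes, rp_id: str = RP_ID) -> bytes:
    """Constructed authenticator data: UP|UV|AT flags (0x45), counter 0, a 4-byte
    credential ID and a placeholder COSE key byte that this example never parses."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([0x45]) + (0).to_bytes(4, "big")
            + aaguid + (4).to_bytes(2, "big") + b"\x01\x02\x03\x04" + b"\xa5")


CUSTOMER_STORE = {ENTERPRISE_AAGUID: {"description": "Corp-issued key", "enterprise_only": True}}
PUBLIC_MDS = {CONSUMER_AAGUID: {"description": "Retail key"}}
ENFORCE = EnterpriseConfig(True, Mode.ENFORCE, {RP_ID}, CUSTOMER_STORE, attestation_required=True)
DETECT = EnterpriseConfig(True, Mode.DETECT, {RP_ID}, CUSTOMER_STORE, attestation_required=True)

if __name__ == "__main__":
    for label, aaguid, cfg in [("corp/enforce", ENTERPRISE_AAGUID, ENFORCE),
                               ("retail/enforce", CONSUMER_AAGUID, ENFORCE),
                               ("retail/detect", CONSUMER_AAGUID, DETECT),
                               ("unknown/detect", UNKNOWN_AAGUID, DETECT)]:
        d = evaluate_registration(sample_auth_data(aaguid), RP_ID, cfg, PUBLIC_MDS)
        print(f"{label:15} accepted={d.accepted} reason={d.reason} log={d.log}")
```

The order of the lookups is the point: a retail authenticator is rejected as "unauthorized" only in enforce mode, while in detect mode it reaches the public store and is accepted, and an AAGUID known to neither store is refused only when attestation is required. The rpIdHash check runs before any store lookup so that a response minted for a different RP ID never matches customer metadata.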

@yackermann
Collaborator Author

TODO:

  • Add diagrams
  • Add description for hybrid (Attested + Non-attested creds)
