Google Git
Sign in
chromium/chromium/src.git/fafff21/./third_party/cloud_authenticator/processor/src/passkeys.rs
blob: 107c1701243c3728eacf59dd8855204c2b4829b3 [file]
// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Passkey-related functionality in the enclave.
extern crate bytes;
extern crate chromesync;
extern crate crypto;
extern crate prost;
use super::{
debug, get_secret_from_request, open_aes_256_gcm, AuthLevel, Authentication, DirtyFlag,
OneTimeUV, PINState, ParsedState, Reauth, RequestError, SourceOfSecret, COUNTER_ID_KEY,
KEY_PURPOSE_SECURITY_DOMAIN_SECRET, PUB_KEY, VAULT_HANDLE_WITHOUT_TYPE_KEY,
WRAPPED_PIN_DATA_KEY, WRAPPED_SECRET_KEY,
};
use crate::pin::VaultCohortDetails;
use crate::{pin, MetricsUpdate, CERT_XML_SERIAL_NUMBER_KEY, COHORT_PUBLIC_KEY_KEY};
use alloc::collections::BTreeMap;
use alloc::string::String;
use alloc::vec::Vec;
use base64::Engine;
use cbor::{MapKey, MapKeyRef, MapLookupKey, Value};
use chromesync::pb::webauthn_credential_specifics::EncryptedData;
use chromesync::pb::WebauthnCredentialSpecifics;
use core::ops::Deref;
use crypto::EcdsaKeyPair;
use prost::Message;
map_keys! {
CLAIMED_PIN, CLAIMED_PIN_KEY = "claimed_pin",
CLIENT_DATA_JSON, CLIENT_DATA_JSON_KEY = "client_data_json",
CLIENT_DATA_JSON_HASH, CLIENT_DATA_JSON_HASH_KEY = "client_data_json_hash",
COSE_ALGORITHM, COSE_ALGORITHM_KEY = "alg",
ENCRYPTED, ENCRYPTED_KEY = "encrypted",
EVAL, EVAL_KEY = "eval",
EVAL_BY_CREDENTIAL, EVAL_BY_CREDENTIAL_KEY = "evalByCredential",
EXTENSIONS, EXTENSIONS_KEY = "extensions",
FIRST, FIRST_KEY = "first",
LARGE_BLOB, LARGE_BLOB_KEY = "largeBlob",
LARGE_BLOB_READ, LARGE_BLOB_READ_KEY = "read",
LARGE_BLOB_WRITE, LARGE_BLOB_WRITE_KEY = "write",
LARGE_BLOB_DATA, LARGE_BLOB_DATA_KEY = "largeBlobData",
LARGE_BLOB_SIZE, LARGE_BLOB_SIZE_KEY = "largeBlobSize",
LARGE_BLOB_SUPPORTED, LARGE_BLOB_SUPPORTED_KEY = "largeBlobSupported",
LARGE_BLOB_WRITTEN, LARGE_BLOB_WRITTEN_KEY = "largeBlobWritten",
PIN_CLAIM_KEY, PIN_CLAIM_KEY_KEY = "pin_claim_key",
PIN_HASH, PIN_HASH_KEY = "pin_hash",
PRF, PRF_KEY = "prf",
PROTOBUF, PROTOBUF_KEY = "protobuf",
PUB_KEY_CRED_PARAMS, PUB_KEY_CRED_PARAMS_KEY = "pubKeyCredParams",
RP_ID, RP_ID_KEY = "rpId",
SECOND, SECOND_KEY = "second",
VERSION, VERSION_KEY = "version",
WEBAUTHN_REQUEST, WEBAUTHN_REQUEST_KEY = "request",
}
// The encrypted part of a WebauthnCredentialSpecifics sync entity is encrypted
// with AES-GCM and can come in two forms. These are the AAD inputs to AES-GCM
// that ensure domain separation.
const PRIVATE_KEY_FIELD_AAD: &[u8] = b"";
const ENCRYPTED_FIELD_AAD: &[u8] = b"WebauthnCredentialSpecifics.Encrypted";
pub(crate) const PIN_CLAIM_AAD: &[u8] = b"PIN claim";
// These constants are CTAP flags.
// See https://w3c.github.io/webauthn/#authdata-flags
const FLAG_USER_PRESENT: u8 = 1 << 0;
const FLAG_USER_VERIFIED: u8 = 1 << 2;
const FLAG_BACKUP_ELIGIBLE: u8 = 1 << 3;
const FLAG_BACKED_UP: u8 = 1 << 4;
// The signed authenticator data contains a four-byte signature counter. This
// is the special zero value that indicates that a counter is not supported.
// See https://w3c.github.io/webauthn/#authdata-signcount
const ZERO_SIGNATURE_COUNTER: &[u8; 4] = &[0u8; 4];
// https://www.w3.org/TR/webauthn-2/#sctn-alg-identifier
const COSE_ALGORITHM_ECDSA_P256_SHA256: i64 = -7;
// The number of incorrect PIN attempts before further PIN attempts will be
// denied.
const MAX_PIN_ATTEMPTS: i64 = 5;
fn key(k: &str) -> MapKey {
MapKey::String(String::from(k))
}
/// Returns a passkey assertion.
/// This function can take either a `client_data_json` or a
/// `client_data_json_hash`. If both are passed, `client_data_json_hash` is
/// ignored. Callers should prefer passing `client_data_json_hash`.
///
/// If a client passes `client_data_json`, the enclave will return it as part of
/// the assertion response. Otherwise, clients are expected to fill it in.
pub(crate) fn do_assert(
metrics: &mut MetricsUpdate,
auth: &Authentication,
state: &mut DirtyFlag<ParsedState>,
request: BTreeMap<MapKey, Value>,
) -> Result<cbor::Value, RequestError> {
let Authentication::Device(device_id, auth_level, one_time_uv, _) = auth else {
return debug("device identity required");
};
let Some(Value::Bytestring(proto_bytes)) = request.get(PROTOBUF_KEY) else {
return debug("protobuf required");
};
let client_data_json = match request.get(CLIENT_DATA_JSON_KEY) {
Some(Value::String(client_data_json)) => Some(client_data_json),
Some(_) => return debug("clientDataJson is not a string"),
None => None,
};
let client_data_json_hash = if let Some(client_data_json) = client_data_json {
crypto::sha256(client_data_json.as_bytes())
} else {
match request.get(CLIENT_DATA_JSON_HASH_KEY) {
Some(Value::Bytestring(client_data_json_hash)) => {
client_data_json_hash.to_vec().try_into().map_err(|_| {
RequestError::Debug("clientDataJsonHash does not match expected length")
})?
}
Some(_) => return debug("clientDataJsonHash is not a bytestring"),
None => return debug("either clientDataJson or clientDataJsonHash are required"),
}
};
let Some(Value::Map(webauthn_request)) = request.get(WEBAUTHN_REQUEST_KEY) else {
return debug("WebAuthn request required");
};
let Some(Value::String(rp_id)) = webauthn_request.get(RP_ID_KEY) else {
return debug("rpId required");
};
let rp_id_hash = crypto::sha256(rp_id.as_bytes());
let (security_domain_secret, secret_source) =
get_secret_from_request(state, &request, device_id)?;
let proto = WebauthnCredentialSpecifics::decode(proto_bytes.deref())
.map_err(|_| RequestError::Debug("failed to decode protobuf"))?;
let Some(ref credential_id) = proto.credential_id else {
return debug("protobuf is missing credential ID");
};
let Some(ref user_id) = proto.user_id else {
return debug("protobuf is missing user ID");
};
let mut entity_secrets = entity_secrets_from_proto(&security_domain_secret, &proto)?;
let pin_verified =
maybe_validate_pin_from_request(&request, state, device_id, &security_domain_secret)?;
let user_verification = matches!(auth_level, AuthLevel::UserVerification)
|| matches!(auth_level, AuthLevel::SoftwareUserVerification)
|| pin_verified
// If the client provided the security domain secret itself, then it could have
// done the signing itself too. Thus this is sufficient to claim UV.
|| matches!(secret_source, SourceOfSecret::Direct)
// A client can also nominate to get one free UV when registering their
// UV key, which is also sufficient for an assertion.
|| matches!(one_time_uv, OneTimeUV::Consumed);
let flags = [FLAG_BACKUP_ELIGIBLE
| FLAG_BACKED_UP
| FLAG_USER_PRESENT
| if user_verification {
FLAG_USER_VERIFIED
} else {
0
}];
let authenticator_data = [rp_id_hash.as_slice(), &flags, ZERO_SIGNATURE_COUNTER].concat();
let signed_data = [&authenticator_data, client_data_json_hash.as_slice()].concat();
let signature = entity_secrets
.primary_key
.sign(&signed_data)
.map_err(|_| RequestError::Debug("signing failed"))?;
// https://w3c.github.io/webauthn/#dictdef-authenticatorassertionresponsejson
let mut assertion_response_json = BTreeMap::<MapKey, Value>::from([
(key("authenticatorData"), Value::from(authenticator_data)),
(key("signature"), Value::from(signature.as_ref())),
(key("userHandle"), Value::from(user_id.to_vec())),
]);
if let Some(client_data_json) = client_data_json {
assertion_response_json.insert(
key("clientDataJSON"),
Value::String(client_data_json.clone()),
);
}
let mut response = BTreeMap::from([(key("response"), Value::Map(assertion_response_json))]);
if let Some(prf_result) = handle_prf(
webauthn_request,
&entity_secrets.hmac_secret,
Some(credential_id.as_ref()),
)? {
response.insert(key(PRF), prf_result);
}
if let Some(large_blob_out) = handle_large_blob(
webauthn_request,
&mut entity_secrets,
&security_domain_secret,
)? {
response.insert(key(LARGE_BLOB), large_blob_out);
}
metrics.passkeys_assert += 1;
Ok(Value::Map(response))
}
pub(crate) fn do_create(
metrics: &mut MetricsUpdate,
auth: &Authentication,
state: &mut DirtyFlag<ParsedState>,
request: BTreeMap<MapKey, Value>,
) -> Result<cbor::Value, RequestError> {
let Authentication::Device(device_id, _, _, _) = auth else {
return debug("device identity required");
};
let (security_domain_secret, _) = get_secret_from_request(state, &request, device_id)?;
let Some(Value::Map(webauthn_request)) = request.get(WEBAUTHN_REQUEST_KEY) else {
return debug("WebAuthn request required");
};
let Some(Value::Array(pub_key_cred_params)) = webauthn_request.get(PUB_KEY_CRED_PARAMS_KEY)
else {
return debug("missing pubKeyCredParams array");
};
let cose_algorithms: Result<Vec<i64>, RequestError> = pub_key_cred_params
.iter()
.map(|cred_param| match cred_param {
Value::Map(i) => {
let Some(Value::Int(alg)) = i.get(COSE_ALGORITHM_KEY) else {
return debug("missing algorithm");
};
Ok(*alg)
}
_ => debug("invalid algorithm type"),
})
.collect();
// I can't get Rust to accept merging this "?" into the previous line.
let cose_algorithms = cose_algorithms?;
if !cose_algorithms.contains(&COSE_ALGORITHM_ECDSA_P256_SHA256) {
return Err(RequestError::NoSupportedAlgorithm);
}
// Creating a credential doesn't sign anything, so the return value here
// isn't used. But an incorrect PIN will still cause the request to fail
// so that the client can check whether it was correct.
maybe_validate_pin_from_request(&request, state, device_id, &security_domain_secret)?;
let pkcs8 = EcdsaKeyPair::generate_pkcs8();
let key = EcdsaKeyPair::from_pkcs8(pkcs8.as_ref())
.map_err(|_| RequestError::Debug("failed to parse private key"))?;
let pub_key = key.public_key();
let mut hmac_secret = [0u8; 32];
crypto::rand_bytes(&mut hmac_secret);
let pb = chromesync::pb::webauthn_credential_specifics::Encrypted {
private_key: Some(pkcs8.as_ref().to_vec()),
hmac_secret: Some(hmac_secret.to_vec()),
cred_blob: None,
large_blob: None,
large_blob_uncompressed_size: None,
};
let ciphertext = encrypt(
&security_domain_secret,
pb.encode_to_vec(),
ENCRYPTED_FIELD_AAD,
)?;
let mut result = BTreeMap::from([
(
MapKey::String(String::from(ENCRYPTED)),
Value::from(ciphertext),
),
(
MapKey::String(String::from(PUB_KEY)),
Value::from(pub_key.as_ref().to_vec()),
),
]);
if let Some(prf_result) = handle_prf(webauthn_request, &hmac_secret, None)? {
result.insert(MapKey::String(String::from(PRF)), prf_result);
}
result.insert(
MapKey::String(String::from(LARGE_BLOB_SUPPORTED)),
Value::Boolean(true),
);
metrics.passkeys_create += 1;
Ok(Value::Map(result))
}
/// Attempt to verify a claimed PIN from `request`. Returns true if the PIN
/// verified correctly, false if there was no PIN claim, and an error if
/// the PIN claim was invalid for any reason.
fn maybe_validate_pin_from_request(
request: &BTreeMap<MapKey, Value>,
state: &mut DirtyFlag<'_, ParsedState>,
device_id: &[u8],
security_domain_secret: &[u8; 32],
) -> Result<bool, RequestError> {
if let Some(Value::Bytestring(wrapped_pin_data)) = request.get(WRAPPED_PIN_DATA_KEY) {
let Some(Value::Bytestring(claimed_pin)) = request.get(CLAIMED_PIN_KEY) else {
return debug("claimed PIN required");
};
validate_pin(
state,
device_id,
security_domain_secret.as_ref(),
claimed_pin,
wrapped_pin_data,
)?;
Ok(true)
} else {
Ok(false)
}
}
/// Contains the secrets from a specific passkey Sync entity.
struct EntitySecrets {
primary_key: EcdsaKeyPair,
hmac_secret: [u8; 32],
// The encrypted part of the WebauthnCredentialSpecifics protobuf.
// This is needed to update the large blob data.
encrypted: Option<chromesync::pb::webauthn_credential_specifics::Encrypted>,
// This field is not yet implemented but is contained in the protobuf
// definition.
// cred_blob: Option<Vec<u8>>,
}
/// Given a list of wrapped secrets and the wrapping key for this device,
/// returns the entity secrets from a protobuf and the security domain secret
/// used.
fn entity_secrets_from_proto(
security_domain_secret: &[u8; 32],
proto: &WebauthnCredentialSpecifics,
) -> Result<EntitySecrets, RequestError> {
let Some(encrypted_data) = &proto.encrypted_data else {
return debug("sync entity missing encrypted data");
};
match encrypted_data {
EncryptedData::PrivateKey(ciphertext) => {
let plaintext = decrypt(ciphertext, security_domain_secret, PRIVATE_KEY_FIELD_AAD)?;
let primary_key = EcdsaKeyPair::from_pkcs8(&plaintext)
.map_err(|_| RequestError::Debug("PKCS#8 parse failed"))?;
let hmac_secret = derive_hmac_secret_from_private_key(&plaintext);
Ok(EntitySecrets {
primary_key,
hmac_secret,
encrypted: None,
})
}
EncryptedData::Encrypted(ciphertext) => {
let plaintext = decrypt(ciphertext, security_domain_secret, ENCRYPTED_FIELD_AAD)?;
let encrypted = chromesync::pb::webauthn_credential_specifics::Encrypted::decode(
plaintext.as_slice(),
)
.map_err(|_| RequestError::Debug("failed to decode encrypted data"))?;
let Some(ref private_key_bytes) = encrypted.private_key else {
return debug("missing private key");
};
let primary_key = EcdsaKeyPair::from_pkcs8(private_key_bytes.as_slice())
.map_err(|_| RequestError::Debug("PKCS#8 parse failed"))?;
let hmac_secret = encrypted
.hmac_secret
.as_ref()
.and_then(|vec| <[u8; 32]>::try_from(vec.as_slice()).ok())
.unwrap_or_else(|| {
derive_hmac_secret_from_private_key(private_key_bytes.as_slice())
});
Ok(EntitySecrets {
primary_key,
hmac_secret,
encrypted: Some(encrypted),
})
}
}
}
/// Calculate an HMAC secret from a private key.
///
/// We want to support the PRF extension for credentials that were generated
/// without PRF support being requested at creation time. To do so we derive an
/// HMAC secret from the encoded private key.
fn derive_hmac_secret_from_private_key(pkcs8_bytes: &[u8]) -> [u8; 32] {
let mut ret = [0u8; 32];
// unwrap: only fails if the output length is too long, but we know that
// `ret` is 32 bytes.
crypto::hkdf_sha256(pkcs8_bytes, &[], b"derived PRF HMAC secret", &mut ret).unwrap();
ret
}
/// Encrypt an entity secret using a security domain secret.
fn encrypt(
security_domain_secret: &[u8; 32],
mut plaintext: Vec<u8>,
aad: &[u8],
) -> Result<Vec<u8>, RequestError> {
let mut encryption_key = [0u8; 32];
security_domain_secret_to_encryption_key(security_domain_secret, &mut encryption_key);
let mut nonce_bytes = [0u8; 12];
crypto::rand_bytes(&mut nonce_bytes);
crypto::aes_256_gcm_seal_in_place(&encryption_key, &nonce_bytes, aad, &mut plaintext);
Ok([nonce_bytes.as_slice(), &plaintext].concat())
}
/// Decrypt an entity secret using a security domain secret.
///
/// Different entity secrets will have different "additional authenticated
/// data" values to ensure that ciphertexts are interpreted in their correct
/// context.
fn decrypt(
ciphertext: &[u8],
security_domain_secret: &[u8; 32],
aad: &[u8],
) -> Result<Vec<u8>, RequestError> {
let mut encryption_key = [0u8; 32];
security_domain_secret_to_encryption_key(security_domain_secret, &mut encryption_key);
open_aes_256_gcm(&encryption_key, ciphertext, aad)
.ok_or(RequestError::Debug("decryption failed"))
}
/// Derive the key used for encrypting entity secrets from the security domain
/// secret.
fn security_domain_secret_to_encryption_key(
security_domain_secret: &[u8; 32],
out_passkey_key: &mut [u8; 32],
) {
// unwrap: only fails if the output length is too long, but we know that
// `out_passkey_key` is 32 bytes.
crypto::hkdf_sha256(
security_domain_secret,
&[],
b"KeychainApplicationKey:gmscore_module:com.google.android.gms.fido",
out_passkey_key,
)
.unwrap();
}
/// Compares two secrets for equality.
fn constant_time_compare(a: &[u8], b: &[u8]) -> bool {
if a.len() != b.len() {
return false;
}
// There is a crate called `constant_time_eq` that uses lots of magic to
// try and stop Rust from optimising away the constant-time compare. I
// can't judge whether that magic is sufficient nor, if it is today,
// whether it'll continue to be in the future. Since this operation isn't
// performance-sensitive in the context that it's used here, this code
// does a randomised hash of the secret values and compares the digests.
// That's very slow, but it's safe.
let mut rand_bytes = [0; 32];
crypto::rand_bytes(&mut rand_bytes);
crypto::sha256_two_part(&rand_bytes, a) == crypto::sha256_two_part(&rand_bytes, b)
}
/// Validate a claimed PIN, returning an error if it's incorrect.
fn validate_pin(
state: &mut DirtyFlag<ParsedState>,
device_id: &[u8],
security_domain_secret: &[u8],
claim: &[u8],
wrapped_pin_data: &[u8],
) -> Result<(), RequestError> {
let PINState { attempts } = state.get_pin_state(device_id)?;
if attempts >= MAX_PIN_ATTEMPTS {
return Err(RequestError::PINLocked);
}
let pin_data = pin::Data::from_wrapped(wrapped_pin_data, security_domain_secret)?;
let claimed_pin_hash = open_aes_256_gcm(&pin_data.claim_key, claim, PIN_CLAIM_AAD)
.ok_or(RequestError::Debug("failed to decrypt PIN claim"))?;
if !constant_time_compare(&claimed_pin_hash, &pin_data.pin_hash) {
state.get_mut().set_pin_state(
device_id,
PINState {
attempts: attempts + 1,
},
)?;
return Err(RequestError::IncorrectPIN);
}
// These is an availability / security tradeoff here. In the case of a correct
// PIN guess, we don't serialise the updated state. Thus, if a user's machine
// has malware that can grab the needed secrets it can try to rush more than
// `MAX_PIN_ATTEMPTS` guesses at the enclave service. If the storage system is
// having trouble it's possible that more than `MAX_PIN_ATTEMPTS` will be
// considered. However, if we serialize these state updates then every time the
// storage system has a glitch, nobody will be able to validate assertions with
// a PIN. Since the attack requires malware on the client machine, where the
// user could probably be phished for their PIN much more effectively than
// trying to exploit a concurrency issue, we err on the side of availability.
if attempts > 0 {
state
.get_mut_for_minor_change()
.set_pin_state(device_id, PINState { attempts: 0 })?;
}
Ok(())
}
/// This is intended to be removed in favour of recovery_key_store.rs'
/// do_wrap_pin_and_secret.
pub(crate) fn do_wrap_pin(
metrics: &mut MetricsUpdate,
auth: &Authentication,
state: &mut DirtyFlag<ParsedState>,
request: BTreeMap<MapKey, Value>,
) -> Result<cbor::Value, RequestError> {
// Reauth is required to perform this command.
let device_id = match auth {
Authentication::Device(device_id, _, _, Reauth::Done) => device_id,
_ => return debug("PIN change needs reauth via RAPT token"),
};
let Some(Value::Bytestring(pin_hash)) = request.get(PIN_HASH_KEY) else {
return debug("pin_hash required");
};
let Some(Value::Bytestring(claim_key)) = request.get(PIN_CLAIM_KEY_KEY) else {
return debug("pin_claim_key required");
};
let Some(Value::Bytestring(wrapped_secret)) = request.get(WRAPPED_SECRET_KEY) else {
return debug("wrapped secret required");
};
let Some(Value::Bytestring(counter_id)) = request.get(COUNTER_ID_KEY) else {
return debug("counter ID required");
};
let Some(Value::Bytestring(vault_handle_without_type)) =
request.get(VAULT_HANDLE_WITHOUT_TYPE_KEY)
else {
return debug("vault handle required");
};
let cert_xml_serial_number = request.get(CERT_XML_SERIAL_NUMBER_KEY);
let cohort_public_key = request.get(COHORT_PUBLIC_KEY_KEY);
// If either the serial number or the cohort public is present, the other is
// required.
if cert_xml_serial_number.is_none() && cohort_public_key.is_some() {
return debug("cert xml serial number required");
}
if cert_xml_serial_number.is_some() && cohort_public_key.is_none() {
return debug("cohort public key required");
}
let cert_xml_serial_number = match cert_xml_serial_number {
None => None,
Some(Value::Int(cert_xml_serial_number)) => Some(cert_xml_serial_number),
_ => return debug("cert xml serial number has wrong format"),
};
let cohort_public_key = match cohort_public_key {
None => None,
Some(Value::Bytestring(cohort_public_key)) => Some(cohort_public_key),
_ => return debug("cohort public key has wrong format"),
};
let vault_cohort_details = match (cert_xml_serial_number, cohort_public_key) {
(Some(cert_xml_serial_number), Some(cohort_public_key)) => Some(VaultCohortDetails {
cert_xml_serial_number: *cert_xml_serial_number,
cohort_public_key: cohort_public_key.to_vec(),
}),
_ => None,
};
let security_domain_secret = state.unwrap(
device_id,
wrapped_secret,
KEY_PURPOSE_SECURITY_DOMAIN_SECRET,
)?;
let pin_data = pin::Data {
pin_hash: pin_hash
.as_ref()
.try_into()
.map_err(|_| RequestError::Debug("incorrect length PIN hash"))?,
claim_key: claim_key
.as_ref()
.try_into()
.map_err(|_| RequestError::Debug("incorrect length claim key"))?,
counter_id: counter_id
.as_ref()
.try_into()
.map_err(|_| RequestError::Debug("incorrect length counter id"))?,
vault_handle_without_type: vault_handle_without_type
.as_ref()
.try_into()
.map_err(|_| RequestError::Debug("incorrect length vault handle"))?,
vault_cohort_details,
};
metrics.passkeys_wrap_pin += 1;
Ok(Value::from(pin_data.encrypt(&security_domain_secret)))
}
/// PRFValues mirrors `AuthenticationExtensionsPRFValues` from the WebAuthn
/// spec, although it contains either post-hashed values or HMAC outputs.
struct PRFValues {
first: [u8; 32],
second: Option<[u8; 32]>,
}
impl PRFValues {
/// Treat a `PRFValues` as evaluation points and evaluate them for a given
/// HMAC key.
fn hmac(self, hmac_key: &[u8; 32]) -> Self {
PRFValues {
first: crypto::hmac_sha256(hmac_key, &self.first),
second: self
.second
.map(|second| crypto::hmac_sha256(hmac_key, &second)),
}
}
/// Convert to a CBOR structure.
fn into_cbor(self) -> Value {
let mut ret = BTreeMap::from([(key(FIRST), Value::from(&self.first))]);
if let Some(second) = self.second {
ret.insert(key(SECOND), Value::from(&second));
}
Value::Map(ret)
}
}
impl TryFrom<&Value> for PRFValues {
type Error = RequestError;
/// Attempt to parse a PRFValues from a CBOR input that reflects a
/// `AuthenticationExtensionsPRFValues` WebAuthn structure.
fn try_from(v: &Value) -> Result<Self, Self::Error> {
let Value::Map(prf) = v else {
return debug("PRF value is not a map");
};
fn get_value(value: &Value) -> Result<[u8; 32], RequestError> {
let Value::String(value) = value else {
return debug("invalid PRF value");
};
let value = base64::engine::general_purpose::URL_SAFE_NO_PAD
.decode(value)
.map_err(|_| RequestError::Debug("invalid PRF base64url"))?;
Ok(hash_prf_value(&value))
}
let first = get_value(
prf.get(FIRST_KEY)
.ok_or(RequestError::Debug("missing PRF first value"))?,
)?;
let second = prf.get(SECOND_KEY).map(get_value).transpose()?;
Ok(PRFValues { first, second })
}
}
/// Map WebAuthn-scoped PRF inputs to raw values.
///
/// The PRF inputs that a website is allowed to evaluate are limited to the
/// images of a hash function so that different parties can be given different
/// evaluation powers. See https://w3c.github.io/webauthn/#prf-extension
fn hash_prf_value(input: &[u8]) -> [u8; 32] {
const PREFIX: &[u8] = b"WebAuthn PRF\x00";
crypto::sha256_two_part(PREFIX, input)
}
/// Optionally handle the PRF extension from a request given an HMAC key. If the
/// request is an assertion then `credential_id` specifies the credential being
/// evaluated.
fn handle_prf(
webauthn_request: &BTreeMap<MapKey, Value>,
hmac_secret: &[u8; 32],
credential_id: Option<&[u8]>,
) -> Result<Option<Value>, RequestError> {
let Some(Value::Map(extensions)) = webauthn_request.get(EXTENSIONS_KEY) else {
return Ok(None);
};
let Some(Value::Map(prf)) = extensions.get(PRF_KEY) else {
return Ok(None);
};
if credential_id.is_none() && prf.is_empty() {
return Ok(Some(Value::Boolean(true)));
}
Ok(prf_values_by_id(prf, credential_id)?
.or(prf_default_values(prf)?)
.map(|values| values.hmac(hmac_secret))
.map(PRFValues::into_cbor))
}
/// Get the PRF values for a given credential ID, if any.
fn prf_values_by_id(
prf: &BTreeMap<MapKey, Value>,
credential_id: Option<&[u8]>,
) -> Result<Option<PRFValues>, RequestError> {
let Some(credential_id) = credential_id else {
return Ok(None);
};
let Some(Value::Map(by_credential)) = prf.get(EVAL_BY_CREDENTIAL_KEY) else {
return Ok(None);
};
let base64url_credential_id =
base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(credential_id);
let Some(values) = by_credential.get(&MapKey::String(base64url_credential_id)) else {
return Ok(None);
};
Ok(Some(values.try_into()?))
}
/// Get the default PRF values from the extension, if any.
fn prf_default_values(prf: &BTreeMap<MapKey, Value>) -> Result<Option<PRFValues>, RequestError> {
let Some(eval) = prf.get(EVAL_KEY) else {
return Ok(None);
};
Ok(Some(eval.try_into()?))
}
/// Handle the large blob extension request.
/// The large blob extension allows a Relying Party to associate opaque binary data
/// with a credential. See https://w3c.github.io/webauthn/#sctn-large-blob-extension
///
/// Returns:
/// - `Ok(None)` if the request doesn't contain a large blob extension.
/// - `Ok(Some(Value))` if the request contains a large blob extension.
/// - The returned `Value` is a map containing the large blob response fields.
/// - `Err(RequestError)` if the request is invalid.
fn handle_large_blob(
webauthn_req: &BTreeMap<MapKey, Value>,
entity_secrets: &mut EntitySecrets,
security_domain_secret: &[u8; 32],
) -> Result<Option<Value>, RequestError> {
let Some(Value::Map(exts)) = webauthn_req.get(EXTENSIONS_KEY) else {
return Ok(None);
};
let Some(Value::Map(large_blob_req)) = exts.get(LARGE_BLOB_KEY) else {
return Ok(None);
};
// Both read and write is disallowed.
if large_blob_req.contains_key(LARGE_BLOB_READ_KEY)
&& large_blob_req.contains_key(LARGE_BLOB_WRITE_KEY)
{
return debug("invalid largeBlob request: read + write");
}
// Read path.
if let Some(read_resp) = handle_read_large_blob(large_blob_req, entity_secrets) {
return Ok(Some(read_resp));
}
// Write path.
if let Some(write_resp) =
handle_write_large_blob(large_blob_req, entity_secrets, security_domain_secret)?
{
return Ok(Some(write_resp));
}
// Any other shape is invalid.
debug("invalid large blob request")
}
/// Helper function that handles large blob read.
/// It returns a `Value` containing the large blob data and its size if a read
/// was requested. Otherwise, it returns `None`.
fn handle_read_large_blob(
large_blob_req: &BTreeMap<MapKey, Value>,
entity_secrets: &EntitySecrets,
) -> Option<Value> {
if !matches!(
large_blob_req.get(LARGE_BLOB_READ_KEY),
Some(Value::Boolean(true))
) {
return None;
}
let (data, size_val) = match entity_secrets.encrypted.as_ref() {
Some(enc) if enc.large_blob.is_some() && enc.large_blob_uncompressed_size.is_some() => {
let blob = enc.large_blob.as_ref().unwrap();
let size = enc.large_blob_uncompressed_size.unwrap();
(Value::from(blob.as_slice()), Value::Int(size as i64))
}
_ => (Value::from(&[] as &[u8]), Value::Int(0_i64)),
};
Some(Value::Map(BTreeMap::from([
(key(LARGE_BLOB_DATA), data),
(key(LARGE_BLOB_SIZE), size_val),
])))
}
/// Helper function to write large blob data.
///
/// This function takes a large blob request, the entity secrets, and the
/// security domain secret. It updates the `entity_secrets` with the new
/// large blob data and returns a tuple containing:
/// - A `Value` representing the response to the large blob write request.
///
/// It returns `None` if the request does not contain a large blob write.
/// It returns an error if the new blob is larger than 8KiB.
fn handle_write_large_blob(
large_blob_req: &BTreeMap<MapKey, Value>,
entity_secrets: &mut EntitySecrets,
security_domain_secret: &[u8; 32],
) -> Result<Option<Value>, RequestError> {
let new_blob: Vec<u8> = match large_blob_req.get(LARGE_BLOB_WRITE_KEY) {
Some(Value::String(s)) => base64::engine::general_purpose::URL_SAFE_NO_PAD
.decode(s)
.map_err(|_| RequestError::Debug("invalid base64 in largeBlob.write"))?,
_ => return Ok(None),
};
const MAX_LARGE_BLOB_LEN: usize = 8 * 1024;
if new_blob.len() > MAX_LARGE_BLOB_LEN {
return Err(RequestError::Debug("large blob write > 8KiB"));
}
// The caller must tell what the uncompressed length of its data is.
let Some(Value::Int(uncompressed_len)) = large_blob_req.get(LARGE_BLOB_SIZE_KEY) else {
return debug("largeBlobSize required");
};
if *uncompressed_len < 0 {
return debug("largeBlobSize must be non-negative");
}
let Some(enc) = entity_secrets.encrypted.as_mut() else {
// Old style passkeys without an `encrypted` field do not support large
// blobs.
return Ok(Some(Value::Map(BTreeMap::from([(
key(LARGE_BLOB_WRITTEN),
Value::Boolean(false),
)]))));
};
enc.large_blob = Some(new_blob.to_vec());
enc.large_blob_uncompressed_size = Some(*uncompressed_len as u64);
let ciphertext = encrypt(
security_domain_secret,
enc.encode_to_vec(),
ENCRYPTED_FIELD_AAD,
)?;
let resp = Value::Map(BTreeMap::from([
(key(LARGE_BLOB_WRITTEN), Value::Boolean(true)),
(key(ENCRYPTED), Value::from(ciphertext)),
]));
Ok(Some(resp))
}
#[cfg(test)]
pub mod tests {
use super::*;
use crate::recovery_key_store;
use crate::tests::{
PROTOBUF2_BYTES, PROTOBUF_BYTES, SAMPLE_SECURITY_DOMAIN_SECRET,
WEBAUTHN_SECRETS_ENCRYPTION_KEY,
};
use alloc::vec;
use cbor::cbor;
lazy_static! {
static ref PROTOBUF: WebauthnCredentialSpecifics =
WebauthnCredentialSpecifics::decode(PROTOBUF_BYTES).unwrap();
static ref PROTOBUF2: WebauthnCredentialSpecifics =
WebauthnCredentialSpecifics::decode(PROTOBUF2_BYTES).unwrap();
}
#[test]
fn test_decrypt() {
let Some(EncryptedData::PrivateKey(ciphertext)) = &PROTOBUF.encrypted_data else {
panic!("bad protobuf");
};
let pkcs8 = decrypt(
&ciphertext,
SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&[],
)
.unwrap();
assert!(EcdsaKeyPair::from_pkcs8(&pkcs8).is_ok());
assert!(decrypt(
&[0u8; 8],
SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&[]
)
.is_err());
}
#[test]
fn test_entity_secrets_from_proto() {
let protobuf1: &WebauthnCredentialSpecifics = &PROTOBUF;
let protobuf2: &WebauthnCredentialSpecifics = &PROTOBUF2;
for proto in [protobuf1, protobuf2] {
let result =
entity_secrets_from_proto(SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(), proto);
assert!(result.is_ok(), "{:?}", proto);
}
}
#[test]
fn test_derived_hmac_secret() {
// This HMAC secret is derived.
let secrets =
entity_secrets_from_proto(SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(), &PROTOBUF)
.unwrap();
assert_eq!(&secrets.hmac_secret, b"\x78\xbd\x3f\x1a\xbb\x66\x52\xe3\x2d\xc1\x50\x7d\x75\x83\x73\xdc\xeb\xa5\x8a\x17\x02\x9c\xe5\x12\x73\xee\x3f\x85\xd6\xc9\x2e\x21");
// This protobuf has an explicit HMAC secret and so one must not be derived from
// the private key.
let secrets = entity_secrets_from_proto(
SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&PROTOBUF2,
)
.unwrap();
assert_eq!(&secrets.hmac_secret, b"\x08\xa2\xe8\x8e\xd3\x78\xbf\xcd\x82\x5f\x0b\x06\xde\xd5\x6d\x2d\x03\xa2\x47\xff\x34\xd0\x81\x40\x52\xec\x6d\xe5\x1a\x98\x22\x91");
}
#[test]
fn test_encrypt() {
let plaintext = b"hello";
let ciphertext = encrypt(
SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
plaintext.to_vec(),
&[],
)
.unwrap();
let plaintext2 = decrypt(
&ciphertext,
SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&[],
)
.unwrap();
assert_eq!(plaintext, plaintext2.as_slice());
}
#[test]
fn test_security_domain_secret_to_encryption_key() {
let mut calculated = [0u8; 32];
security_domain_secret_to_encryption_key(
SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&mut calculated,
);
assert_eq!(WEBAUTHN_SECRETS_ENCRYPTION_KEY, &calculated);
}
#[test]
fn test_constant_time_compare() {
struct Test {
a: &'static [u8],
b: &'static [u8],
expected: bool,
}
let tests: &[Test] = &[
Test {
a: b"",
b: b"",
expected: true,
},
Test {
a: b"a",
b: b"",
expected: false,
},
Test {
a: b"",
b: b"b",
expected: false,
},
Test {
a: b"a",
b: b"b",
expected: false,
},
Test {
a: b"a",
b: b"a",
expected: true,
},
Test {
a: b"abcde",
b: b"abcde",
expected: true,
},
Test {
a: b"abcdf",
b: b"abcde",
expected: false,
},
];
for (i, test) in tests.iter().enumerate() {
if constant_time_compare(test.a, test.b) != test.expected {
panic!("failed at #{}", i)
}
}
}
#[test]
fn test_pin_data() {
let pin_data = pin::Data {
pin_hash: [1u8; 32],
claim_key: [2u8; 32],
counter_id: [3u8; recovery_key_store::COUNTER_ID_LEN],
vault_handle_without_type: [4u8; recovery_key_store::VAULT_HANDLE_LEN - 1],
vault_cohort_details: None,
};
let pin_data2: pin::Data = pin_data.to_bytes().try_into().unwrap();
assert_eq!(pin_data, pin_data2);
let security_domain_secret = [3u8; 32];
let encrypted = pin_data.encrypt(&security_domain_secret);
let decrypted = pin::Data::from_wrapped(&encrypted, &security_domain_secret).unwrap();
assert_eq!(pin_data, decrypted);
}
#[test]
fn test_pin_data_with_cohort_details() {
let pin_data = pin::Data {
pin_hash: [1u8; 32],
claim_key: [2u8; 32],
counter_id: [3u8; recovery_key_store::COUNTER_ID_LEN],
vault_handle_without_type: [4u8; recovery_key_store::VAULT_HANDLE_LEN - 1],
vault_cohort_details: Some(VaultCohortDetails {
cert_xml_serial_number: 42,
cohort_public_key: vec![1, 2, 3, 4],
}),
};
let pin_data2: pin::Data = pin_data.to_bytes().try_into().unwrap();
assert_eq!(pin_data, pin_data2);
let security_domain_secret = [3u8; 32];
let encrypted = pin_data.encrypt(&security_domain_secret);
let decrypted = pin::Data::from_wrapped(&encrypted, &security_domain_secret).unwrap();
assert_eq!(pin_data, decrypted);
}
// Helper to generate large blob requests for testing.
fn make_req(large_blob_val: Value) -> BTreeMap<MapKey, Value> {
let Value::Map(map) = cbor!({
"extensions": {
"largeBlob": large_blob_val
}}) else {
panic!("expected map");
};
map
}
// Helper to return a fresh EntitySecrets with empty large blob fields.
// Used to test large blob handling without pre-existing blob data.
fn empty_secrets() -> EntitySecrets {
entity_secrets_from_proto(
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&PROTOBUF2,
)
.unwrap()
}
// Test writing a new large blob, decrypting and reading it back.
#[test]
fn test_large_blob_write_then_read() {
let new_blob_content = b"new blob data".to_vec();
let b64_blob = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(&new_blob_content);
let uncompressed_size = new_blob_content.len() + 10;
let webauthn_req_write = make_req(cbor!({
"write": (b64_blob.as_str()),
"largeBlobSize": (uncompressed_size as i64),
}));
let mut secrets_for_write = entity_secrets_from_proto(
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&PROTOBUF2,
)
.unwrap();
let enc = secrets_for_write
.encrypted
.as_mut()
.expect("encrypted should be present");
enc.large_blob = None;
enc.large_blob_uncompressed_size = None;
let result = handle_large_blob(
&webauthn_req_write,
&mut secrets_for_write,
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
)
.unwrap();
let response_val = result.expect("expected a response");
let Value::Map(response_map) = response_val else {
panic!("expected a map response");
};
assert_eq!(
response_map.get(LARGE_BLOB_WRITTEN_KEY),
Some(&Value::Boolean(true))
);
let Value::Bytestring(new_ciphertext_bs) =
response_map.get(ENCRYPTED_KEY).expect("ciphertext present")
else {
panic!("encrypted not bytestring");
};
let plaintext = decrypt(
&new_ciphertext_bs,
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
ENCRYPTED_FIELD_AAD,
)
.unwrap();
let encrypted_proto =
chromesync::pb::webauthn_credential_specifics::Encrypted::decode(plaintext.as_slice())
.unwrap();
assert_eq!(encrypted_proto.large_blob.unwrap(), new_blob_content);
assert_eq!(
secrets_for_write
.encrypted
.as_ref()
.and_then(|e| e.large_blob.as_ref()),
Some(&new_blob_content)
);
assert_eq!(
encrypted_proto.large_blob_uncompressed_size,
Some(uncompressed_size as u64)
);
use chromesync::pb::webauthn_credential_specifics::EncryptedData;
// Re-create a protobuf whose encrypted_data field is the new ciphertext.
let mut proto_after_write = (*PROTOBUF2).clone();
proto_after_write.encrypted_data =
Some(EncryptedData::Encrypted(new_ciphertext_bs.to_vec().into()));
let mut secrets_for_read = entity_secrets_from_proto(
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&proto_after_write,
)
.unwrap();
let webauthn_req_read = make_req(cbor!({
"read": true
}));
let read_resp = handle_large_blob(
&webauthn_req_read,
&mut secrets_for_read,
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
)
.unwrap()
.expect("read response");
let Value::Map(ref _read_map) = read_resp else {
panic!("map");
};
assert_eq!(
read_resp,
cbor!({
"largeBlobData": (new_blob_content.clone()),
"largeBlobSize": (uncompressed_size as i64)
})
);
}
// Test write > 8 KiB.
#[test]
fn test_large_blob_write_too_large() {
let huge_blob = vec![0u8; 8 * 1024 + 1];
let huge_blob_b64 = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(&huge_blob);
let req = make_req(cbor!({
"write": (huge_blob_b64.as_str()),
"largeBlobSize": (huge_blob.len() as i64)
}));
assert!(matches!(
handle_large_blob(&req,
&mut empty_secrets(),
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap()),
Err(RequestError::Debug(m)) if m.contains("8KiB")
));
}
// Test simultaneous read + write.
#[test]
fn test_large_blob_read_and_write() {
let b64_blob = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(b"abc");
let req = make_req(cbor!({
"read": (true),
"write": (b64_blob.as_str()),
"largeBlobSize": (3)
}));
assert!(matches!(
handle_large_blob(&req,
&mut empty_secrets(),
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap()),
Err(RequestError::Debug(m)) if m.contains("read + write")
));
}
// Test missing `largeBlobSize` on write.
#[test]
fn test_large_blob_write_missing_size() {
let b64_blob = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(b"abc");
let req = make_req(cbor!({
"write": (b64_blob.as_str()),
}));
assert!(matches!(
handle_large_blob(&req,
&mut empty_secrets(),
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap()),
Err(RequestError::Debug(m)) if m.contains("largeBlobSize required")
));
}
// Test negative `largeBlobSize`.
#[test]
fn test_large_blob_negative_size() {
let b64_blob = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(b"abc");
let req = make_req(cbor!({
"write": (b64_blob.as_str()),
"largeBlobSize": (-1),
}));
assert!(matches!(
handle_large_blob(&req,
&mut empty_secrets(),
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap()),
Err(RequestError::Debug(m)) if m.contains("non-negative")
));
}
// Test missing `largeBlob` field entirely.
#[test]
fn test_large_blob_extension_absent() {
let req_no_large_blob: BTreeMap<MapKey, Value> = {
let Value::Map(map) = cbor!({
"extensions": {
// no 'largeBlob' field.
}
}) else {
unreachable!();
};
map
};
let no_blob_result = handle_large_blob(
&req_no_large_blob,
&mut empty_secrets(),
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
)
.unwrap();
assert!(
no_blob_result.is_none(),
"unexpected large blob handling when field is absent"
);
}
// Test invalid base64 string.
#[test]
fn test_large_blob_invalid_base64() {
let bad_b64 = "***not-b64***";
let req = make_req(cbor!({
"write": (bad_b64),
"largeBlobSize": 0_i64
}));
assert!(matches!(
handle_large_blob(
&req,
&mut empty_secrets(),
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap()
),
Err(RequestError::Debug(m)) if m.contains("invalid base64 in largeBlob.write")
));
}
// Test attempting to write a large blob on an old style `private_key` proto
// field.
// Regression test for https://crbug.com/441240975.
#[test]
fn test_write_large_blob_on_old_credential_type() {
let new_blob_content = b"new blob data".to_vec();
let b64_blob = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(&new_blob_content);
let uncompressed_size = new_blob_content.len() + 10;
let webauthn_req_write = make_req(cbor!({
"write": (b64_blob.as_str()),
"largeBlobSize": (uncompressed_size as i64),
}));
let mut secrets_for_write = entity_secrets_from_proto(
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&PROTOBUF,
)
.unwrap();
assert!(secrets_for_write.encrypted.is_none());
let result = handle_large_blob(
&webauthn_req_write,
&mut secrets_for_write,
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
)
.unwrap();
let response_val = result.expect("expected a response");
let Value::Map(response_map) = response_val else {
panic!("expected a map response");
};
assert_eq!(
response_map.get(LARGE_BLOB_WRITTEN_KEY),
Some(&Value::Boolean(false))
);
}
// Test attempting to read a large blob on an old style `private_key` proto
// field.
// Regression test for https://crbug.com/441240975.
#[test]
fn test_read_large_blob_on_old_credential_type() {
let webauthn_req_read = make_req(cbor!({
"read": true
}));
let mut secrets_for_read = entity_secrets_from_proto(
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
&PROTOBUF,
)
.unwrap();
assert!(secrets_for_read.encrypted.is_none());
let result = handle_large_blob(
&webauthn_req_read,
&mut secrets_for_read,
&SAMPLE_SECURITY_DOMAIN_SECRET.try_into().unwrap(),
)
.unwrap();
let response_val = result.expect("expected a response");
assert_eq!(
response_val,
cbor!({
"largeBlobData": (&[] as &[u8]),
"largeBlobSize": 0,
})
);
}
// Integration tests of this code are done in Chromium, which builds this
// code and runs it against the client code to ensure that, e.g.,
// assertions work end-to-end.
}