| // Copyright 2024 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef DEVICE_FIDO_ENCLAVE_CONSTANTS_H_ |
| #define DEVICE_FIDO_ENCLAVE_CONSTANTS_H_ |
| |
| #include <memory> |
| |
| #include "base/component_export.h" |
| #include "base/memory/raw_ptr.h" |
| #include "crypto/signature_verifier.h" |
| |
| namespace device::enclave { |
| |
| // This file contains various constants used to communicate with the enclave. |
| |
| // Forward declaration only: this header never sees the members of |
| // `EnclaveIdentity`, so code that inspects an identity needs the full |
| // definition from elsewhere. |
| struct EnclaveIdentity; |
| |
| // GetEnclaveIdentity returns the default URL & public-key of the enclave. In |
| // tests, its return value can be set using `ScopedEnclaveOverride`. |
| // The identity is returned by value. |
| // NOTE(review): the public key is presumably what the client uses to |
| // authenticate the enclave, which would make these defaults a trust anchor -- |
| // confirm against the code that consumes the identity. |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| EnclaveIdentity GetEnclaveIdentity(); |
| |
| // Creating a `ScopedEnclaveOverride` allows the URL and public key of the |
| // enclave to be overridden for testing. These objects can be nested. |
| // |
| // The class is exported from the component and nothing in this header limits |
| // it to test builds, so keeping it out of production code is a matter of |
| // review: an override changes the identity that `GetEnclaveIdentity` reports. |
| // NOTE(review): nested overrides presumably have to be destroyed in reverse |
| // order of creation for the previous identity to be restored correctly -- |
| // confirm in the implementation. |
| class COMPONENT_EXPORT(DEVICE_FIDO) ScopedEnclaveOverride { |
| public: |
| // Takes the overriding identity by value. `explicit` prevents an |
| // `EnclaveIdentity` from converting to an override implicitly. |
| explicit ScopedEnclaveOverride(EnclaveIdentity identity); |
| // Declared here and defined out of line; `EnclaveIdentity` is incomplete in |
| // this header, which presumably is why the destructor is not defaulted. |
| ~ScopedEnclaveOverride(); |
| |
| private: |
| // Both members are const, so an override cannot be re-pointed once built. |
| // Non-owning pointer; going by the name, the identity that was in effect |
| // before this override (assumption, the constructor is not shown here). |
| const raw_ptr<const EnclaveIdentity> prev_; |
| // Identity object owned by this override. |
| const std::unique_ptr<EnclaveIdentity> enclave_identity_; |
| }; |
| |
| // Maximum number of consecutive failed PIN attempts for a UV passkey request |
| // before getting locked out. This is enforced by the service, so it needs to |
| // match MAX_PIN_ATTEMPTS in |
| // third_party/cloud_authenticator/processor/src/passkeys.rs. |
| // Because the service is the enforcement point, changing this value alone does |
| // not move the lockout threshold; it only makes the client disagree with the |
| // service. Change both sides together. |
| inline constexpr int kMaxFailedPINAttempts = 5; |
| |
| // The length of a recovery key store counter ID. |
| // NOTE(review): the unit is presumably bytes -- confirm against the users of |
| // this constant. |
| inline constexpr size_t kCounterIDLen = 8; |
| // The length of a recovery key store "vault handle" value. |
| // NOTE(review): unit presumably bytes as well -- confirm. Code that parses a |
| // counter ID or vault handle should compare the received length with these |
| // constants before using the value. |
| inline constexpr size_t kVaultHandleLen = 17; |
| |
| // The maximum number of times that GPM (Google Password Manager) enclave |
| // bootstrapping can be declined before it becomes deprioritized as an |
| // authenticator option. |
| inline constexpr int kMaxGPMBootstrapPrompts = 2; |
| |
| // The list of algorithms that are acceptable as device identity keys. |
| // Both entries use SHA-256: ECDSA first, then RSA PKCS#1. |
| inline constexpr crypto::SignatureVerifier::SignatureAlgorithm |
| kSigningAlgorithms[] = { |
| // This is in preference order and the enclave must support all the |
| // algorithms listed here. Adding an entry therefore needs enclave support |
| // first, and reordering entries changes which algorithm is preferred. |
| crypto::SignatureVerifier::SignatureAlgorithm::ECDSA_SHA256, |
| crypto::SignatureVerifier::SignatureAlgorithm::RSA_PKCS1_SHA256, |
| }; |
| |
| // Error codes from the service on per-request failures. These can be returned |
| // alongside success responses in some cases. |
| // Needs to match `RequestError` in |
| // //third_party/cloud_authenticator/processor/src/lib.rs. |
| // Update `kMinValue` and `kMaxValue` when adding or removing values. |
| // The known codes are contiguous (1 through 7); `kMinValue` and `kMaxValue` |
| // alias the first and the last of them. |
| enum class RequestError : int { |
| // An error code not known by the client. It is negative, so it lies outside |
| // the kMinValue..kMaxValue range. A service newer than this client may send |
| // codes that are not listed below; handle this value as a failure. |
| kUnknown = -9999, |
| |
| kNoSupportedAlgorithm = 1, |
| kDuplicate = 2, |
| kIncorrectPIN = 3, |
| kPINLocked = 4, |
| kPINOutdated = 5, |
| kRecoveryKeyStoreDowngrade = 6, |
| kCohortNotYetDeprecated = 7, |
| |
| // Ranges for known error codes. These are aliases, not additional codes. |
| kMinValue = kNoSupportedAlgorithm, |
| kMaxValue = kCohortNotYetDeprecated, |
| }; |
| |
| // Converts `code` into a `RequestError` value. If the value is unknown, returns |
| // `RequestError::kUnknown`. |
| // NOTE(review): `code` is presumably read from a service response, so it |
| // should be treated as untrusted; the definition is expected to range-check it |
| // against `kMinValue`/`kMaxValue` before any cast -- confirm there. |
| COMPONENT_EXPORT(DEVICE_FIDO) RequestError GetRequestError(int code); |
| |
| // Keys in the top-level request message. |
| // These are `extern` declarations: only the names are visible in this header, |
| // the string values are defined in another file. |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kCommandEncodedRequestsKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kCommandDeviceIdKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kCommandSigKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kCommandAuthLevelKey[]; |
| |
| // Generic keys for all request types. |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRequestCommandKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRequestWrappedSecretKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRequestSecretKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRequestCounterIDKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRequestVaultHandleWithoutTypeKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRequestWrappedPINDataKey[]; |
| |
| // Keys in the top-level of each response. |
| // Per the `RequestError` documentation in this header, error codes can in some |
| // cases be returned alongside success responses, so the presence of the |
| // success key does not by itself rule out an error code. |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kResponseSuccessKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kResponseErrorKey[]; |
| |
| // Command names. Declarations only; the strings are defined in another file. |
| // NOTE(review): these are presumably the values sent under |
| // `kRequestCommandKey` -- confirm against the request-building code. |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRegisterCommandName[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kForgetCommandName[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kWrapKeyCommandName[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kGenKeyPairCommandName[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreWrapCommandName[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kPasskeysWrapPinCommandName[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreWrapAsMemberCommandName[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreWrapPinAndSecretCommandName[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreRewrapCommandName[]; |
| |
| // Register request keys. Declarations only; values are defined elsewhere. |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRegisterPubKeysKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRegisterDeviceIdKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kRegisterUVKeyPending[]; |
| |
| // Device key types. The names distinguish hardware from software keys and |
| // plain device keys from user-verification (UV) keys. |
| // NOTE(review): the key type a device registers presumably affects how much |
| // the service trusts its signatures -- confirm on the service side. |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kHardwareKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kSoftwareKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kUserVerificationKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kSoftwareUserVerificationKey[]; |
| |
| // Wrapping request keys. Declarations only; values are defined elsewhere. |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kWrappingPurpose[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kWrappingKeyToWrap[]; |
| |
| // Wrap PIN request keys |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kPinHash[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kGeneration[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kClaimKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kWrappedPinKey[]; |
| |
| // Wrapping response keys |
| COMPONENT_EXPORT(DEVICE_FIDO) extern const char kWrappingResponsePublicKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kWrappingResponseWrappedPrivateKey[]; |
| |
| // Key purpose strings. |
| // NOTE(review): presumably the values sent under `kWrappingPurpose` -- confirm |
| // against the request-building code. |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kKeyPurposeSecurityDomainMemberKey[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kKeyPurposeSecurityDomainSecret[]; |
| |
| // Recovery key store commands. |
| // NOTE(review): judging by the names, these are request keys used by the |
| // recovery key store commands rather than command names -- confirm. |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStorePinHash[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreCertXml[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreSigXml[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreCreateNewVault[]; |
| |
| // Constants for the recovery key store service, which is used in conjunction |
| // with the enclave. |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreURL[]; |
| |
| // These URLs can be overridden via Finch for experimentation. See |
| // WebAuthenticationEnclaveTrustedVaultCohort. |
| // NOTE(review): because the fetch locations are configurable, trust in the |
| // downloaded cert file presumably rests on checking it against the signature |
| // file and a pinned key, not on the URL it came from -- confirm in the code |
| // that consumes these two files. |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreCertFileURL[]; |
| COMPONENT_EXPORT(DEVICE_FIDO) |
| extern const char kRecoveryKeyStoreSigFileURL[]; |
| |
| } // namespace device::enclave |
| |
| #endif // DEVICE_FIDO_ENCLAVE_CONSTANTS_H_ |