device/fido/credential_management.h

// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef DEVICE_FIDO_CREDENTIAL_MANAGEMENT_H_
#define DEVICE_FIDO_CREDENTIAL_MANAGEMENT_H_

#include "base/component_export.h"
#include "base/optional.h"
#include "device/fido/fido_constants.h"
#include "device/fido/public_key_credential_descriptor.h"
#include "device/fido/public_key_credential_rp_entity.h"
#include "device/fido/public_key_credential_user_entity.h"

namespace cbor {
class Value;
}

namespace device {

namespace pin {
struct EmptyResponse;
}

// https://drafts.fidoalliance.org/fido-2/latest/fido-client-to-authenticator-protocol-v2.0-wd-20190409.html#authenticatorCredentialManagement

enum class CredentialManagementRequestKey : uint8_t {
  kSubCommand = 0x01,
  kSubCommandParams = 0x02,
  kPinProtocol = 0x03,
  kPinAuth = 0x04,
};

enum class CredentialManagementRequestParamKey : uint8_t {
  kRPIDHash = 0x01,
  kCredentialID = 0x02,
};

enum class CredentialManagementResponseKey : uint8_t {
  kExistingResidentCredentialsCount = 0x01,
  kMaxPossibleRemainingResidentCredentialsCount = 0x02,
  kRP = 0x03,
  kRPIDHash = 0x04,
  kTotalRPs = 0x05,
  kUser = 0x06,
  kCredentialID = 0x07,
  kPublicKey = 0x08,
  kTotalCredentials = 0x09,
  kCredProtect = 0x0a,
};

enum class CredentialManagementSubCommand : uint8_t {
  kGetCredsMetadata = 0x01,
  kEnumerateRPsBegin = 0x02,
  kEnumerateRPsGetNextRP = 0x03,
  kEnumerateCredentialsBegin = 0x04,
  kEnumerateCredentialsGetNextCredential = 0x05,
  kDeleteCredential = 0x06,
};

// CredentialManagementPreviewRequestAdapter wraps any credential management
// request struct in order to replace the authenticatorCredentialManagement
// command byte returned by the static EncodeAsCBOR() method (0x0a) with its
// vendor-specific preview equivalent (0x41).
template <class T>
class CredentialManagementPreviewRequestAdapter {
 public:
  static std::pair<CtapRequestCommand, base::Optional<cbor::Value>>
  EncodeAsCBOR(const CredentialManagementPreviewRequestAdapter<T>& request) {
    auto result = T::EncodeAsCBOR(request.wrapped_request_);
    DCHECK_EQ(result.first,
              CtapRequestCommand::kAuthenticatorCredentialManagement);
    result.first =
        CtapRequestCommand::kAuthenticatorCredentialManagementPreview;
    return result;
  }

  CredentialManagementPreviewRequestAdapter(T request)
      : wrapped_request_(std::move(request)) {}

 private:
  T wrapped_request_;
};

// CredentialManagementRequest is an authenticatorCredentialManagement(0x0a)
// CTAP2 request. Instances can be obtained via one of the subcommand-specific
// static factory methods.
struct CredentialManagementRequest {
  static std::pair<CtapRequestCommand, base::Optional<cbor::Value>>
  EncodeAsCBOR(const CredentialManagementRequest&);

  enum Version {
    kDefault,
    kPreview,
  };

  static CredentialManagementRequest ForGetCredsMetadata(
      Version version,
      base::span<const uint8_t> pin_token);
  static CredentialManagementRequest ForEnumerateRPsBegin(
      Version version,
      base::span<const uint8_t> pin_token);
  static CredentialManagementRequest ForEnumerateRPsGetNext(Version version);
  static CredentialManagementRequest ForEnumerateCredentialsBegin(
      Version version,
      base::span<const uint8_t> pin_token,
      std::array<uint8_t, kRpIdHashLength> rp_id_hash);
  static CredentialManagementRequest ForEnumerateCredentialsGetNext(
      Version version);
  static CredentialManagementRequest ForDeleteCredential(
      Version version,
      base::span<const uint8_t> pin_token,
      std::vector<uint8_t> credential_id);

  CredentialManagementRequest(CredentialManagementRequest&&);
  CredentialManagementRequest& operator=(CredentialManagementRequest&&);
  ~CredentialManagementRequest();

  Version version;
  CredentialManagementSubCommand subcommand;
  base::Optional<cbor::Value::MapValue> params;
  base::Optional<std::array<uint8_t, 16>> pin_auth;

 private:
  CredentialManagementRequest() = delete;
  CredentialManagementRequest(Version version,
                              CredentialManagementSubCommand subcommand,
                              base::Optional<cbor::Value::MapValue> params,
                              base::Optional<std::array<uint8_t, 16>> pin_auth);
  CredentialManagementRequest(const CredentialManagementRequest&) = delete;
  CredentialManagementRequest& operator=(const CredentialManagementRequest&) =
      delete;
};

struct CredentialsMetadataResponse {
  static base::Optional<CredentialsMetadataResponse> Parse(
      const base::Optional<cbor::Value>& cbor_response);

  size_t num_existing_credentials;
  size_t num_estimated_remaining_credentials;

 private:
  CredentialsMetadataResponse() = default;
};

struct EnumerateRPsResponse {
  static base::Optional<EnumerateRPsResponse> Parse(
      bool expect_rp_count,
      const base::Optional<cbor::Value>& cbor_response);

  EnumerateRPsResponse(EnumerateRPsResponse&&);
  EnumerateRPsResponse& operator=(EnumerateRPsResponse&&);
  ~EnumerateRPsResponse();

  base::Optional<PublicKeyCredentialRpEntity> rp;
  base::Optional<std::array<uint8_t, kRpIdHashLength>> rp_id_hash;
  size_t rp_count;

 private:
  EnumerateRPsResponse(
      base::Optional<PublicKeyCredentialRpEntity> rp,
      base::Optional<std::array<uint8_t, kRpIdHashLength>> rp_id_hash,
      size_t rp_count);
  EnumerateRPsResponse(const EnumerateRPsResponse&) = delete;
  EnumerateRPsResponse& operator=(const EnumerateRPsResponse&) = delete;
};

struct EnumerateCredentialsResponse {
  static base::Optional<EnumerateCredentialsResponse> Parse(
      bool expect_credential_count,
      const base::Optional<cbor::Value>& cbor_response);

  EnumerateCredentialsResponse(EnumerateCredentialsResponse&&);
  EnumerateCredentialsResponse& operator=(EnumerateCredentialsResponse&&);
  ~EnumerateCredentialsResponse();

  PublicKeyCredentialUserEntity user;
  PublicKeyCredentialDescriptor credential_id;
  size_t credential_count;

 private:
  EnumerateCredentialsResponse(PublicKeyCredentialUserEntity user,
                               PublicKeyCredentialDescriptor credential_id,
                               size_t credential_count);
  EnumerateCredentialsResponse(const EnumerateCredentialsResponse&) = delete;
  EnumerateCredentialsResponse& operator=(EnumerateCredentialsResponse&) =
      delete;
};

struct COMPONENT_EXPORT(DEVICE_FIDO) AggregatedEnumerateCredentialsResponse {
  AggregatedEnumerateCredentialsResponse(PublicKeyCredentialRpEntity rp);
  AggregatedEnumerateCredentialsResponse(
      AggregatedEnumerateCredentialsResponse&&);
  AggregatedEnumerateCredentialsResponse& operator=(
      AggregatedEnumerateCredentialsResponse&&);
  ~AggregatedEnumerateCredentialsResponse();

  PublicKeyCredentialRpEntity rp;
  std::list<EnumerateCredentialsResponse> credentials;

 private:
  AggregatedEnumerateCredentialsResponse(
      const AggregatedEnumerateCredentialsResponse&) = delete;
};

using DeleteCredentialResponse = pin::EmptyResponse;

std::pair<CtapRequestCommand, base::Optional<cbor::Value>>
AsCTAPRequestValuePair(const CredentialManagementRequest&);

}  // namespace device

#endif  // DEVICE_FIDO_CREDENTIAL_MANAGEMENT_H_