fido: support bulk deletion of credentials

This adds a DeleteCredentials() method to CredentialManagementHandler to
support deletion of multiple credentials identified by the
CBOR-serialized PublicKeyCredentialDescriptor.

It also extends EnumerateCredentialsResponse with the CBOR-serialized
PublicKeyCredentialDescriptor such that the UI can use it as an opaque
identifier for the credentials without having to do CBOR-serialization.
The FidoAuthenticator::DeleteCredential is changed to take
PublicKeyCredentialDescriptor rather than a sequence of bytes to
identify the to-be-deleted credential.

On a CTAP2 level, credentials are identified for deletion not just via
their credential ID but via the full PublicKeyCredentialDescriptor. The
spec is unclear on whether the non-ID related fields ('transports' in
particular) are significant or not. Hence, it's probably wise to just
echo the descriptor as it was received during credential enumeration,
rather than send an empty descriptor with only the credential ID.

Bug: 955859
Change-Id: Id1b7a9094876c701b21000399870bf439de4d8b9
Commit-Queue: Martin Kreichgauer <>
Reviewed-by: Adam Langley <>
Cr-Commit-Position: refs/heads/master@{#672229}
10 files changed