Google Git
Sign in
chromium / chromium / src / 96ad22527d78588a5c8889f66709aa3d8e009241 / . / content / browser / webauth / authenticator_common_impl.cc
blob: 21015d788bf5edcd544a47ba6b037d6def55fbc3 [file] [log] [blame]
// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/webauth/authenticator_common_impl.h"
#include <array>
#include <string>
#include <utility>
#include <vector>
#include "base/base64url.h"
#include "base/check.h"
#include "base/functional/bind.h"
#include "base/functional/callback_helpers.h"
#include "base/notreached.h"
#include "base/strings/string_piece.h"
#include "base/timer/timer.h"
#include "build/build_config.h"
#include "content/browser/renderer_host/back_forward_cache_disable.h"
#include "content/browser/webauth/authenticator_environment.h"
#include "content/browser/webauth/client_data_json.h"
#include "content/browser/webauth/virtual_authenticator_manager_impl.h"
#include "content/browser/webauth/virtual_fido_discovery_factory.h"
#include "content/browser/webauth/webauth_request_security_checker.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/render_frame_host.h"
#include "content/public/browser/web_contents.h"
#include "content/public/common/content_client.h"
#include "crypto/sha2.h"
#include "device/fido/attestation_statement.h"
#include "device/fido/authenticator_data.h"
#include "device/fido/authenticator_get_assertion_response.h"
#include "device/fido/ctap_make_credential_request.h"
#include "device/fido/features.h"
#include "device/fido/fido_authenticator.h"
#include "device/fido/fido_constants.h"
#include "device/fido/fido_parsing_utils.h"
#include "device/fido/fido_transport_protocol.h"
#include "device/fido/fido_types.h"
#include "device/fido/filter.h"
#include "device/fido/get_assertion_request_handler.h"
#include "device/fido/make_credential_request_handler.h"
#include "device/fido/public_key.h"
#include "device/fido/public_key_credential_descriptor.h"
#include "device/fido/public_key_credential_params.h"
#include "net/cert/asn1_util.h"
#include "net/der/input.h"
#include "net/der/parse_values.h"
#include "net/der/parser.h"
#include "third_party/abseil-cpp/absl/types/optional.h"
#if BUILDFLAG(IS_MAC)
#include "device/fido/mac/authenticator.h"
#include "device/fido/mac/credential_metadata.h"
#endif
#if BUILDFLAG(IS_CHROMEOS)
#include "device/fido/cros/authenticator.h"
#endif
#if BUILDFLAG(IS_WIN)
#include "device/fido/features.h"
#include "device/fido/win/authenticator.h"
#endif
#if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_WIN)
#include "content/browser/webauth/is_uvpaa.h"
#endif
namespace content {
// RequestExtension is a type of extension in a WebAuthn request that might
// yield an extension output in the response.
enum class RequestExtension {
kAppID,
kHMACSecret,
kPRF,
kCredProps,
kLargeBlobEnable,
kLargeBlobRead,
kLargeBlobWrite,
kCredBlob,
kGetCredBlob,
kMinPINLength,
kDevicePublicKey,
};
enum class AttestationErasureOption {
kIncludeAttestation,
kEraseAttestationButIncludeAaguid,
kEraseAttestationAndAaguid,
};
namespace {
WebAuthenticationDelegate* GetWebAuthenticationDelegate() {
return GetContentClient()->browser()->GetWebAuthenticationDelegate();
}
std::string Base64UrlEncode(const base::span<const uint8_t> input) {
std::string ret;
base::Base64UrlEncode(
base::StringPiece(reinterpret_cast<const char*>(input.data()),
input.size()),
base::Base64UrlEncodePolicy::OMIT_PADDING, &ret);
return ret;
}
// The application parameter is the SHA-256 hash of the UTF-8 encoding of
// the application identity (i.e. relying_party_id) of the application
// requesting the registration.
std::array<uint8_t, crypto::kSHA256Length> CreateApplicationParameter(
const std::string& relying_party_id) {
std::array<uint8_t, crypto::kSHA256Length> application_parameter;
crypto::SHA256HashString(relying_party_id, application_parameter.data(),
application_parameter.size());
return application_parameter;
}
device::CtapGetAssertionRequest CreateCtapGetAssertionRequest(
const std::string& client_data_json,
const blink::mojom::PublicKeyCredentialRequestOptionsPtr& options,
absl::optional<std::string> app_id) {
device::CtapGetAssertionRequest request_parameter(options->relying_party_id,
client_data_json);
request_parameter.allow_list = options->allow_credentials;
request_parameter.user_verification = options->user_verification;
if (app_id) {
request_parameter.alternative_application_parameter =
CreateApplicationParameter(*app_id);
request_parameter.app_id = std::move(*app_id);
}
if (!options->cable_authentication_data.empty()) {
request_parameter.cable_extension = options->cable_authentication_data;
}
return request_parameter;
}
// Parses the FIDO transport types extension from the DER-encoded, X.509
// certificate in |der_cert| and adds any transport types found to
// |out_transports|. Returns true if any transports were added.
bool AddTransportsFromCertificate(
base::span<const uint8_t> der_cert,
base::flat_set<device::FidoTransportProtocol>* out_transports) {
// See
// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-authenticator-transports-extension-v1.2-ps-20170411.html#fido-u2f-certificate-transports-extension
static constexpr uint8_t kTransportTypesOID[] = {
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xe5, 0x1c, 0x02, 0x01, 0x01};
bool present, critical;
base::StringPiece contents;
if (!net::asn1::ExtractExtensionFromDERCert(
base::StringPiece(reinterpret_cast<const char*>(der_cert.data()),
der_cert.size()),
base::StringPiece(reinterpret_cast<const char*>(kTransportTypesOID),
sizeof(kTransportTypesOID)),
&present, &critical, &contents) ||
!present) {
return false;
}
const net::der::Input contents_der(contents);
net::der::Parser contents_parser(contents_der);
absl::optional<net::der::BitString> transport_bits =
contents_parser.ReadBitString();
if (!transport_bits) {
return false;
}
// The certificate extension contains a BIT STRING where different bits
// indicate support for different transports. The following array maps
// between these bit indexes and the FidoTransportProtocol enum.
static constexpr struct {
uint8_t bit_index;
device::FidoTransportProtocol transport;
} kTransportMapping[] = {
// Bit 0 is "Bluetooth Classic", not BLE. Since webauthn doesn't define a
// transport type for this we ignore it.
{1, device::FidoTransportProtocol::kBluetoothLowEnergy},
{2, device::FidoTransportProtocol::kUsbHumanInterfaceDevice},
{3, device::FidoTransportProtocol::kNearFieldCommunication},
{4, device::FidoTransportProtocol::kInternal},
};
bool ret = false;
for (const auto& mapping : kTransportMapping) {
if (transport_bits->AssertsBit(mapping.bit_index)) {
out_transports->insert(mapping.transport);
ret |= true;
}
}
return ret;
}
base::TimeDelta AdjustTimeout(absl::optional<base::TimeDelta> timeout,
RenderFrameHost* render_frame_host) {
// Time to wait for an authenticator to successfully complete an operation.
static constexpr base::TimeDelta kAdjustedTimeoutLower = base::Seconds(10);
static constexpr base::TimeDelta kAdjustedTimeoutUpper = base::Minutes(10);
if (!timeout) {
return kAdjustedTimeoutUpper;
}
const bool testing_api_enabled =
AuthenticatorEnvironment::GetInstance()->IsVirtualAuthenticatorEnabledFor(
static_cast<RenderFrameHostImpl*>(render_frame_host)
->frame_tree_node());
if (testing_api_enabled) {
return *timeout;
}
return std::max(kAdjustedTimeoutLower,
std::min(kAdjustedTimeoutUpper, *timeout));
}
bool UsesDiscoverableCreds(const device::MakeCredentialOptions& options) {
return options.resident_key == device::ResidentKeyRequirement::kRequired;
}
bool UsesDiscoverableCreds(const device::CtapGetAssertionRequest& request) {
return request.allow_list.empty();
}
// GetWebAuthnTransports returns the set of transports that should be passed to
// a FidoRequestHandler for a WebAuthn request. This determines for which
// transports the request handler will attempt to obtain FidoDiscovery
// instances.
base::flat_set<device::FidoTransportProtocol> GetWebAuthnTransports(
RenderFrameHost* render_frame_host,
device::FidoDiscoveryFactory* discovery_factory,
bool uses_discoverable_creds) {
base::flat_set<device::FidoTransportProtocol> transports;
transports.insert(device::FidoTransportProtocol::kUsbHumanInterfaceDevice);
// Only instantiate platform discovery if the embedder hasn't chosen to
// override IsUserVerifyingPlatformAuthenticatorAvailable() to be false.
// Chrome disables platform authenticators in Guest modes this way.
absl::optional<bool> embedder_isuvpaa_override =
GetWebAuthenticationDelegate()
->IsUserVerifyingPlatformAuthenticatorAvailableOverride(
render_frame_host);
if (!embedder_isuvpaa_override || *embedder_isuvpaa_override) {
transports.insert(device::FidoTransportProtocol::kInternal);
}
if (discovery_factory->IsTestOverride()) {
// The desktop implementation does not support BLE or NFC, but we emulate
// them if the testing API is enabled.
transports.insert(device::FidoTransportProtocol::kBluetoothLowEnergy);
transports.insert(device::FidoTransportProtocol::kNearFieldCommunication);
// Ensure virtual platform authenticators can be instantiated even if they
// are not-user-verifying, i.e. IsUVPAA() returns false.
transports.insert(device::FidoTransportProtocol::kInternal);
}
transports.insert(device::FidoTransportProtocol::kHybrid);
// kAndroidAccessory doesn't work on Windows because of USB stack issues.
// Note: even if this value were inserted it wouldn't take effect on Windows
// versions with a native API because FidoRequestHandlerBase filters out
// non-kHybrid transports in that case.
#if !BUILDFLAG(IS_WIN)
// In order for AOA to be active the |AuthenticatorRequestClientDelegate|
// must still configure a |UsbDeviceManager|.
transports.insert(device::FidoTransportProtocol::kAndroidAccessory);
#endif
return transports;
}
// Returns a new FidoDiscoveryFactory for the current request. This may be
// a factory for virtual authenticators if the testing API is enabled for the
// given frame.
std::unique_ptr<device::FidoDiscoveryFactory> MakeDiscoveryFactory(
RenderFrameHost* render_frame_host) {
VirtualAuthenticatorManagerImpl* virtual_authenticator_manager =
AuthenticatorEnvironment::GetInstance()
->MaybeGetVirtualAuthenticatorManager(
static_cast<RenderFrameHostImpl*>(render_frame_host)
->frame_tree_node());
if (virtual_authenticator_manager) {
return virtual_authenticator_manager->MakeDiscoveryFactory();
}
auto discovery_factory = std::make_unique<device::FidoDiscoveryFactory>();
#if BUILDFLAG(IS_MAC)
discovery_factory->set_mac_touch_id_info(
GetWebAuthenticationDelegate()->GetTouchIdAuthenticatorConfig(
render_frame_host->GetBrowserContext()));
#endif // BUILDFLAG(IS_MAC)
#if BUILDFLAG(IS_WIN)
if (base::FeatureList::IsEnabled(device::kWebAuthUseNativeWinApi)) {
discovery_factory->set_win_webauthn_api(
AuthenticatorEnvironment::GetInstance()->win_webauthn_api());
}
#endif // BUILDFLAG(IS_WIN)
#if BUILDFLAG(IS_CHROMEOS)
// Ignore the ChromeOS u2fd virtual U2F HID device so that it doesn't collide
// with the ChromeOS platform authenticator, also implemented in u2fd.
if (base::FeatureList::IsEnabled(device::kWebAuthCrosPlatformAuthenticator)) {
// There are two possible PIDs the virtual U2F HID device could use, with or
// without corp protocol functionality.
constexpr device::VidPid kChromeOsU2fdVidPid{0x18d1, 0x502c};
constexpr device::VidPid kChromeOsU2fdCorpVidPid{0x18d1, 0x5212};
discovery_factory->set_hid_ignore_list(
{kChromeOsU2fdVidPid, kChromeOsU2fdCorpVidPid});
discovery_factory->set_generate_request_id_callback(
GetWebAuthenticationDelegate()->GetGenerateRequestIdCallback(
render_frame_host));
}
#endif // BUILDFLAG(IS_CHROMEOS)
return discovery_factory;
}
absl::optional<device::CredProtectRequest> ProtectionPolicyToCredProtect(
blink::mojom::ProtectionPolicy protection_policy,
const device::MakeCredentialOptions& make_credential_options) {
switch (protection_policy) {
case blink::mojom::ProtectionPolicy::UNSPECIFIED:
// Some platform authenticators have the behaviour that uv=required
// demands a local reauthentication but uv=preferred can be satisfied by
// just clicking a button. Since the device has to be unlocked by the
// user, this seems to balance the demands of uv=required against the
// fact that quite a number of (non-mobile) devices lack biometrics and
// thus full UV requires entering the local password. Since password
// autofill doesn't demand entering the local password all the time, it
// would be sad if WebAuthn was much worse in that respect.
//
// Also, some sites have (or will) implement a sign-in flow where the
// user enters their username and then the site makes a WebAuthn
// request, with an allowlist, where completing that request is
// sufficient to sign-in. I.e. there's no additional password challenge.
// Since these sites are trying to replace passwords, we expect them to
// set uv=preferred in order to work well with the platform behaviour
// detailed in the first paragraph.
//
// If such sites remembered the UV flag from the registration and enforced
// it at assertion time, that would break situations where closing a
// laptop lid covers the biometric sensor and makes entering a password
// preferable. But without any enforcement of the UV flag, someone could
// pick a security key off the ground and do a uv=false request to get a
// sufficient assertion.
//
// Thus if rk=required and uv=preferred, credProtect level three is set
// to tell security keys to only create an assertion after UV for this
// credential. (Sites can still override this by setting a specific
// credProtect level.)
//
// If a site sets rk=preferred then we assume that they're doing something
// unusual and will only set credProtect level two.
//
// See also
// https://chromium.googlesource.com/chromium/src/+/main/content/browser/webauth/cred_protect.md
if (make_credential_options.resident_key ==
device::ResidentKeyRequirement::kRequired &&
make_credential_options.user_verification ==
device::UserVerificationRequirement::kPreferred) {
return device::CredProtectRequest::kUVRequired;
}
if (make_credential_options.resident_key !=
device::ResidentKeyRequirement::kDiscouraged) {
// Otherwise, kUVOrCredIDRequired is made the default unless
// the authenticator defaults to something better.
return device::CredProtectRequest::kUVOrCredIDRequiredOrBetter;
}
return absl::nullopt;
case blink::mojom::ProtectionPolicy::NONE:
return device::CredProtectRequest::kUVOptional;
case blink::mojom::ProtectionPolicy::UV_OR_CRED_ID_REQUIRED:
return device::CredProtectRequest::kUVOrCredIDRequired;
case blink::mojom::ProtectionPolicy::UV_REQUIRED:
return device::CredProtectRequest::kUVRequired;
}
}
} // namespace
// static
std::unique_ptr<AuthenticatorCommon> AuthenticatorCommon::Create(
RenderFrameHost* render_frame_host) {
return std::make_unique<AuthenticatorCommonImpl>(render_frame_host);
}
AuthenticatorCommonImpl::AuthenticatorCommonImpl(
RenderFrameHost* render_frame_host)
: render_frame_host_id_(render_frame_host->GetGlobalId()),
security_checker_(static_cast<RenderFrameHostImpl*>(render_frame_host)
->GetWebAuthRequestSecurityChecker()) {
// Disable the back-forward cache for any document that makes WebAuthn
// requests. Pages using privacy-sensitive APIs are generally exempt from
// back-forward cache for now as a precaution.
BackForwardCache::DisableForRenderFrameHost(
render_frame_host,
BackForwardCacheDisable::DisabledReason(
BackForwardCacheDisable::DisabledReasonId::kWebAuthenticationAPI));
}
AuthenticatorCommonImpl::~AuthenticatorCommonImpl() = default;
std::unique_ptr<AuthenticatorRequestClientDelegate>
AuthenticatorCommonImpl::MaybeCreateRequestDelegate() {
RenderFrameHostImpl* const render_frame_host_impl =
static_cast<RenderFrameHostImpl*>(GetRenderFrameHost());
std::unique_ptr<AuthenticatorRequestClientDelegate> delegate =
GetContentClient()->browser()->GetWebAuthenticationRequestDelegate(
render_frame_host_impl);
if (!delegate) {
return nullptr;
}
VirtualAuthenticatorManagerImpl* virtual_authenticator_manager =
AuthenticatorEnvironment::GetInstance()
->MaybeGetVirtualAuthenticatorManager(
render_frame_host_impl->frame_tree_node());
if (virtual_authenticator_manager) {
delegate->SetVirtualEnvironment(true);
if (!virtual_authenticator_manager->is_ui_enabled()) {
delegate->DisableUI();
}
}
return delegate;
}
void AuthenticatorCommonImpl::StartMakeCredentialRequest(
bool allow_skipping_pin_touch) {
InitDiscoveryFactory();
request_delegate_->ConfigureCable(
caller_origin_, device::FidoRequestType::kMakeCredential,
make_credential_options_->resident_key,
base::span<const device::CableDiscoveryData>(), discovery_factory());
make_credential_options_->allow_skipping_pin_touch = allow_skipping_pin_touch;
base::flat_set<device::FidoTransportProtocol> transports =
GetWebAuthnTransports(GetRenderFrameHost(), discovery_factory(),
UsesDiscoverableCreds(*make_credential_options_));
request_handler_ = std::make_unique<device::MakeCredentialRequestHandler>(
discovery_factory(), transports, *ctap_make_credential_request_,
*make_credential_options_,
base::BindOnce(&AuthenticatorCommonImpl::OnRegisterResponse,
weak_factory_.GetWeakPtr()));
request_delegate_->RegisterActionCallbacks(
base::BindOnce(&AuthenticatorCommonImpl::OnCancelFromUI,
weak_factory_.GetWeakPtr()) /* cancel_callback */,
base::BindRepeating(
&AuthenticatorCommonImpl::StartMakeCredentialRequest,
weak_factory_.GetWeakPtr(),
/*allow_skipping_pin_touch=*/false) /* start_over_callback */,
base::DoNothing() /* account_preselected_callback */,
base::BindRepeating(
&device::FidoRequestHandlerBase::StartAuthenticatorRequest,
request_handler_->GetWeakPtr()) /* request_callback */,
base::BindRepeating(
&device::FidoRequestHandlerBase::PowerOnBluetoothAdapter,
request_handler_
->GetWeakPtr()) /* bluetooth_adapter_power_on_callback */);
request_handler_->set_observer(request_delegate_.get());
}
void AuthenticatorCommonImpl::StartGetAssertionRequest(
bool allow_skipping_pin_touch) {
InitDiscoveryFactory();
base::span<const device::CableDiscoveryData> cable_pairings;
if (ctap_get_assertion_request_->cable_extension && IsFocused()) {
cable_pairings = *ctap_get_assertion_request_->cable_extension;
}
request_delegate_->ConfigureCable(caller_origin_,
device::FidoRequestType::kGetAssertion,
/*resident_key_requirement=*/absl::nullopt,
cable_pairings, discovery_factory());
#if BUILDFLAG(IS_CHROMEOS)
discovery_factory()->set_get_assertion_request_for_legacy_credential_check(
*ctap_get_assertion_request_);
#endif
base::flat_set<device::FidoTransportProtocol> transports =
GetWebAuthnTransports(
GetRenderFrameHost(), discovery_factory(),
UsesDiscoverableCreds(*ctap_get_assertion_request_));
auto request_handler = std::make_unique<device::GetAssertionRequestHandler>(
discovery_factory(), transports, *ctap_get_assertion_request_,
*ctap_get_assertion_options_, allow_skipping_pin_touch,
base::BindOnce(&AuthenticatorCommonImpl::OnSignResponse,
weak_factory_.GetWeakPtr()));
request_delegate_->RegisterActionCallbacks(
base::BindOnce(&AuthenticatorCommonImpl::OnCancelFromUI,
weak_factory_.GetWeakPtr()) /* cancel_callback */,
base::BindRepeating(
&AuthenticatorCommonImpl::StartGetAssertionRequest,
weak_factory_.GetWeakPtr(),
/*allow_skipping_pin_touch=*/false) /* start_over_callback */,
base::BindRepeating(
&device::GetAssertionRequestHandler::PreselectAccount,
request_handler->GetWeakPtr()) /* account_preselected_callback */,
base::BindRepeating(
&device::GetAssertionRequestHandler::StartAuthenticatorRequest,
request_handler->GetWeakPtr()) /* request_callback */,
base::BindRepeating(
&device::FidoRequestHandlerBase::PowerOnBluetoothAdapter,
request_handler
->GetWeakPtr()) /* bluetooth_adapter_power_on_callback */);
request_handler->set_observer(request_delegate_.get());
request_handler_ = std::move(request_handler);
}
bool AuthenticatorCommonImpl::IsFocused() const {
return GetRenderFrameHost()->IsActive() &&
GetWebAuthenticationDelegate()->IsFocused(
WebContents::FromRenderFrameHost(GetRenderFrameHost()));
}
// mojom::Authenticator
void AuthenticatorCommonImpl::MakeCredential(
url::Origin caller_origin,
blink::mojom::PublicKeyCredentialCreationOptionsPtr options,
blink::mojom::Authenticator::MakeCredentialCallback callback) {
if (has_pending_request_) {
std::move(callback).Run(blink::mojom::AuthenticatorStatus::PENDING_REQUEST,
nullptr, nullptr);
return;
}
has_pending_request_ = true;
DCHECK(make_credential_response_callback_.is_null());
make_credential_response_callback_ = std::move(callback);
BeginRequestTimeout(options->timeout);
WebAuthRequestSecurityChecker::RequestType request_type =
options->is_payment_credential_creation
? WebAuthRequestSecurityChecker::RequestType::kMakePaymentCredential
: WebAuthRequestSecurityChecker::RequestType::kMakeCredential;
bool is_cross_origin_iframe = false;
blink::mojom::AuthenticatorStatus status =
security_checker_->ValidateAncestorOrigins(caller_origin, request_type,
&is_cross_origin_iframe);
if (status != blink::mojom::AuthenticatorStatus::SUCCESS) {
CompleteMakeCredentialRequest(status);
return;
}
if (!security_checker_->DeduplicateCredentialDescriptorListAndValidateLength(
&options->exclude_credentials)) {
mojo::ReportBadMessage("invalid exclude_credentials length");
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
}
status = security_checker_->ValidateDomainAndRelyingPartyID(
caller_origin, options->relying_party.id, request_type,
options->remote_desktop_client_override);
if (status != blink::mojom::AuthenticatorStatus::SUCCESS) {
CompleteMakeCredentialRequest(status);
return;
}
request_delegate_ = MaybeCreateRequestDelegate();
if (!request_delegate_) {
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::PENDING_REQUEST);
return;
}
if (!request_delegate_->IsVirtualEnvironmentEnabled() &&
!disable_tls_check_ &&
!GetWebAuthenticationDelegate()->IsSecurityLevelAcceptableForWebAuthn(
GetRenderFrameHost(), caller_origin)) {
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::CERTIFICATE_ERROR);
return;
}
caller_origin_ = caller_origin;
relying_party_id_ = options->relying_party.id;
absl::optional<std::string> appid_exclude;
if (options->appid_exclude) {
appid_exclude = "";
auto add_id_status = security_checker_->ValidateAppIdExtension(
*options->appid_exclude, caller_origin,
options->remote_desktop_client_override, &appid_exclude.value());
if (add_id_status != blink::mojom::AuthenticatorStatus::SUCCESS) {
CompleteMakeCredentialRequest(add_id_status);
return;
}
// `ValidateAppidExtension` must have set a value to use. If not, it would
// be a security bug, so crashing seems appropriate here.
CHECK(!appid_exclude->empty());
}
// If there is an active webAuthenticationProxy extension, let it handle the
// request.
WebAuthenticationRequestProxy* proxy =
GetWebAuthnRequestProxyIfActive(caller_origin);
if (proxy) {
if (options->remote_desktop_client_override) {
// Don't allow proxying of an already proxied request.
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
}
options->remote_desktop_client_override =
blink::mojom::RemoteDesktopClientOverride::New(
/*origin=*/caller_origin_,
/*same_origin_with_ancestors=*/!is_cross_origin_iframe);
pending_proxied_request_id_ = proxy->SignalCreateRequest(
options,
base::BindOnce(&AuthenticatorCommonImpl::OnMakeCredentialProxyResponse,
weak_factory_.GetWeakPtr()));
return;
}
// Let the embedder override the RP ID to use for the request. In practice
// this rewrites the RP ID that Chrome extensions use.
absl::optional<std::string> rp_id_override =
GetWebAuthenticationDelegate()->MaybeGetRelyingPartyIdOverride(
options->relying_party.id, caller_origin);
if (rp_id_override) {
options->relying_party.id = *rp_id_override;
relying_party_id_ = *rp_id_override;
}
request_delegate_->SetRelyingPartyId(relying_party_id_);
request_delegate_->SetUserEntityForMakeCredentialRequest(options->user);
device::fido_filter::MaybeInitialize();
switch (device::fido_filter::Evaluate(
device::fido_filter::Operation::MAKE_CREDENTIAL, relying_party_id_,
/*device=*/absl::nullopt,
/*id=*/absl::nullopt)) {
case device::fido_filter::Action::ALLOW:
break;
case device::fido_filter::Action::NO_ATTESTATION:
// This will be handled by the request handler.
break;
case device::fido_filter::Action::BLOCK:
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
}
if (status != blink::mojom::AuthenticatorStatus::SUCCESS) {
CompleteMakeCredentialRequest(status);
return;
}
if (!IsFocused()) {
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::NOT_FOCUSED);
return;
}
const device::AuthenticatorSelectionCriteria
authenticator_selection_criteria =
options->authenticator_selection
? *options->authenticator_selection
: device::AuthenticatorSelectionCriteria();
make_credential_options_ =
device::MakeCredentialOptions(authenticator_selection_criteria);
const bool might_create_resident_key =
make_credential_options_->resident_key !=
device::ResidentKeyRequirement::kDiscouraged;
if (might_create_resident_key &&
!GetWebAuthenticationDelegate()->SupportsResidentKeys(
GetRenderFrameHost())) {
if (make_credential_options_->resident_key ==
device::ResidentKeyRequirement::kRequired) {
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::RESIDENT_CREDENTIALS_UNSUPPORTED);
return;
}
// Downgrade 'preferred' to 'discouraged'.
make_credential_options_->resident_key =
device::ResidentKeyRequirement::kDiscouraged;
}
// Reject any non-sensical credProtect extension values.
if ( // Can't require the default policy (or no policy).
(options->enforce_protection_policy &&
(options->protection_policy ==
blink::mojom::ProtectionPolicy::UNSPECIFIED ||
options->protection_policy == blink::mojom::ProtectionPolicy::NONE)) ||
// For non-resident keys, NONE doesn't make sense. (UV_OR_CRED_ID_REQUIRED
// does because, with CTAP 2.0, just because a resident key isn't
// _required_ doesn't mean that one won't be created and an RP might want
// credProtect to take effect if that happens.)
(!might_create_resident_key &&
options->protection_policy == blink::mojom::ProtectionPolicy::NONE) ||
// UV_REQUIRED only makes sense if UV is required overall.
(options->protection_policy ==
blink::mojom::ProtectionPolicy::UV_REQUIRED &&
authenticator_selection_criteria.user_verification_requirement !=
device::UserVerificationRequirement::kRequired)) {
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::PROTECTION_POLICY_INCONSISTENT);
return;
}
absl::optional<device::CredProtectRequest> cred_protect_request =
ProtectionPolicyToCredProtect(options->protection_policy,
*make_credential_options_);
if (cred_protect_request) {
make_credential_options_->cred_protect_request = {
{*cred_protect_request, options->enforce_protection_policy}};
}
// Touch-to-Autofill should be proxied without UI.
if (disable_ui_) {
request_delegate_->DisableUI();
}
// Assemble clientDataJSON.
ClientDataJsonParams client_data_json_params(
ClientDataRequestType::kWebAuthnCreate, caller_origin_,
options->challenge, is_cross_origin_iframe);
if (options->remote_desktop_client_override) {
client_data_json_params.origin =
options->remote_desktop_client_override->origin;
client_data_json_params.is_cross_origin_iframe =
!options->remote_desktop_client_override->same_origin_with_ancestors;
}
client_data_json_ = BuildClientDataJson(std::move(client_data_json_params));
ctap_make_credential_request_ = device::CtapMakeCredentialRequest(
client_data_json_, options->relying_party, options->user,
device::PublicKeyCredentialParams(options->public_key_parameters));
ctap_make_credential_request_->exclude_list = options->exclude_credentials;
if (options->prf_enable) {
requested_extensions_.insert(RequestExtension::kPRF);
ctap_make_credential_request_->hmac_secret = true;
}
if (options->hmac_create_secret) {
requested_extensions_.insert(RequestExtension::kHMACSecret);
ctap_make_credential_request_->hmac_secret = true;
}
if (options->cred_props) {
requested_extensions_.insert(RequestExtension::kCredProps);
}
if (options->large_blob_enable != device::LargeBlobSupport::kNotRequested) {
requested_extensions_.insert(RequestExtension::kLargeBlobEnable);
}
if (options->cred_blob) {
requested_extensions_.insert(RequestExtension::kCredBlob);
ctap_make_credential_request_->cred_blob = *options->cred_blob;
}
if (options->min_pin_length_requested) {
requested_extensions_.insert(RequestExtension::kMinPINLength);
ctap_make_credential_request_->min_pin_length_requested = true;
}
make_credential_options_->large_blob_support = options->large_blob_enable;
ctap_make_credential_request_->app_id_exclude = std::move(appid_exclude);
make_credential_options_->is_off_the_record_context =
GetBrowserContext()->IsOffTheRecord();
if (options->device_public_key) {
requested_extensions_.insert(RequestExtension::kDevicePublicKey);
ctap_make_credential_request_->device_public_key.emplace();
device::DevicePublicKeyRequest& device_public_key =
ctap_make_credential_request_->device_public_key.value();
device_public_key.attestation = options->device_public_key->attestation;
device_public_key.attestation_formats =
options->device_public_key->attestation_formats;
device_public_key_attestation_requested_ =
device_public_key.attestation !=
device::AttestationConveyancePreference::kNone;
switch (device_public_key.attestation) {
// DPK attestation is currently an enterprise-only feature. Non-enterprise
// values are mapped to "none".
case device::AttestationConveyancePreference::kIndirect:
case device::AttestationConveyancePreference::kDirect:
case device::AttestationConveyancePreference::kNone:
device_public_key.attestation =
device::AttestationConveyancePreference::kNone;
device_public_key.attestation_formats.clear();
break;
case device::AttestationConveyancePreference::
kEnterpriseIfRPListedOnAuthenticator:
if (GetWebAuthenticationDelegate()->ShouldPermitIndividualAttestation(
GetBrowserContext(), caller_origin, relying_party_id_)) {
device_public_key.attestation = device::
AttestationConveyancePreference::kEnterpriseApprovedByBrowser;
}
break;
case device::AttestationConveyancePreference::
kEnterpriseApprovedByBrowser:
// Enterprise attestation should not have been approved by this point.
NOTREACHED();
return;
}
}
// Compute the effective attestation conveyance preference.
device::AttestationConveyancePreference attestation = options->attestation;
// Enterprise attestation should not have been approved by this point.
DCHECK_NE(
attestation,
device::AttestationConveyancePreference::kEnterpriseApprovedByBrowser);
if (attestation == device::AttestationConveyancePreference::
kEnterpriseIfRPListedOnAuthenticator &&
GetWebAuthenticationDelegate()->ShouldPermitIndividualAttestation(
GetBrowserContext(), caller_origin, relying_party_id_)) {
attestation =
device::AttestationConveyancePreference::kEnterpriseApprovedByBrowser;
}
ctap_make_credential_request_->attestation_preference = attestation;
StartMakeCredentialRequest(/*allow_skipping_pin_touch=*/true);
}
void AuthenticatorCommonImpl::GetAssertion(
url::Origin caller_origin,
blink::mojom::PublicKeyCredentialRequestOptionsPtr options,
blink::mojom::PaymentOptionsPtr payment_options,
blink::mojom::Authenticator::GetAssertionCallback callback) {
if (has_pending_request_) {
std::move(callback).Run(blink::mojom::AuthenticatorStatus::PENDING_REQUEST,
nullptr, nullptr);
return;
}
has_pending_request_ = true;
DCHECK(get_assertion_response_callback_.is_null());
get_assertion_response_callback_ = std::move(callback);
if (!options->is_conditional) {
BeginRequestTimeout(options->timeout);
}
WebAuthRequestSecurityChecker::RequestType request_type =
payment_options.is_null()
? WebAuthRequestSecurityChecker::RequestType::kGetAssertion
: WebAuthRequestSecurityChecker::RequestType::
kGetPaymentCredentialAssertion;
if (!payment_options.is_null() && options->allow_credentials.empty()) {
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
NOTREACHED();
return;
}
bool is_cross_origin_iframe = false;
blink::mojom::AuthenticatorStatus status =
security_checker_->ValidateAncestorOrigins(caller_origin, request_type,
&is_cross_origin_iframe);
if (status != blink::mojom::AuthenticatorStatus::SUCCESS) {
CompleteGetAssertionRequest(status);
return;
}
if (!security_checker_->DeduplicateCredentialDescriptorListAndValidateLength(
&options->allow_credentials)) {
mojo::ReportBadMessage("invalid allow_credentials length");
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
}
status = security_checker_->ValidateDomainAndRelyingPartyID(
caller_origin, options->relying_party_id, request_type,
options->remote_desktop_client_override);
if (status != blink::mojom::AuthenticatorStatus::SUCCESS) {
CompleteGetAssertionRequest(status);
return;
}
request_delegate_ = MaybeCreateRequestDelegate();
if (!request_delegate_) {
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::PENDING_REQUEST);
return;
}
if (!request_delegate_->IsVirtualEnvironmentEnabled() &&
!disable_tls_check_ &&
!GetWebAuthenticationDelegate()->IsSecurityLevelAcceptableForWebAuthn(
GetRenderFrameHost(), caller_origin)) {
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::CERTIFICATE_ERROR);
return;
}
caller_origin_ = caller_origin;
relying_party_id_ = options->relying_party_id;
if (options->appid) {
requested_extensions_.insert(RequestExtension::kAppID);
std::string app_id;
auto add_id_status = security_checker_->ValidateAppIdExtension(
*options->appid, caller_origin, options->remote_desktop_client_override,
&app_id);
if (add_id_status != blink::mojom::AuthenticatorStatus::SUCCESS) {
CompleteGetAssertionRequest(add_id_status);
return;
}
// `ValidateAppidExtension` must have set a value to use. If not, it would
// be a security bug, so crashing seems appropriate here.
CHECK(!app_id.empty());
app_id_ = app_id;
}
WebAuthenticationRequestProxy* proxy =
GetWebAuthnRequestProxyIfActive(caller_origin);
if (proxy) {
if (options->is_conditional || options->remote_desktop_client_override) {
// Don't allow proxying of an already proxied or conditional request.
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
}
options->remote_desktop_client_override =
blink::mojom::RemoteDesktopClientOverride::New(
/*origin=*/caller_origin_,
/*same_origin_with_ancestors=*/!is_cross_origin_iframe);
pending_proxied_request_id_ = proxy->SignalGetRequest(
options,
base::BindOnce(&AuthenticatorCommonImpl::OnGetAssertionProxyResponse,
weak_factory_.GetWeakPtr()));
return;
}
// Let the embedder override the RP ID to use for the request. In practice
// this rewrites the RP ID that Chrome extension use.
absl::optional<std::string> rp_id_override =
GetWebAuthenticationDelegate()->MaybeGetRelyingPartyIdOverride(
options->relying_party_id, caller_origin);
if (rp_id_override) {
options->relying_party_id = *rp_id_override;
relying_party_id_ = *rp_id_override;
}
request_delegate_->SetRelyingPartyId(relying_party_id_);
// Assemble clientDataJSON.
ClientDataJsonParams client_data_json_params(
ClientDataRequestType::kWebAuthnGet, caller_origin, options->challenge,
is_cross_origin_iframe);
if (payment_options) {
client_data_json_params.type = ClientDataRequestType::kPaymentGet;
client_data_json_params.payment_options = std::move(payment_options);
client_data_json_params.payment_rp = relying_party_id_;
client_data_json_params.payment_top_origin = GetRenderFrameHost()
->GetOutermostMainFrame()
->GetLastCommittedOrigin()
.Serialize();
} else if (options->remote_desktop_client_override) {
client_data_json_params.origin =
options->remote_desktop_client_override->origin;
client_data_json_params.is_cross_origin_iframe =
!options->remote_desktop_client_override->same_origin_with_ancestors;
}
client_data_json_ = BuildClientDataJson(std::move(client_data_json_params));
device::fido_filter::MaybeInitialize();
if (device::fido_filter::Evaluate(
device::fido_filter::Operation::GET_ASSERTION, relying_party_id_,
/*device=*/absl::nullopt,
/*id=*/absl::nullopt) == device::fido_filter::Action::BLOCK) {
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
}
if (disable_ui_) {
DCHECK(!options->is_conditional);
request_delegate_->DisableUI();
}
request_delegate_->SetConditionalRequest(options->is_conditional);
if (options->is_conditional && !options->allow_credentials.empty()) {
// Conditional mediation requests can only be fulfilled by discoverable
// credentials. The provided allowCredentials list is stripped and will be
// used to filter returned passkeys
request_delegate_->SetCredentialIdFilter(
std::move(options->allow_credentials));
options->allow_credentials =
std::vector<device::PublicKeyCredentialDescriptor>();
}
if (options->allow_credentials.empty()) {
if (!GetWebAuthenticationDelegate()->SupportsResidentKeys(
GetRenderFrameHost())) {
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::RESIDENT_CREDENTIALS_UNSUPPORTED);
return;
}
discoverable_credential_request_ = true;
}
if (options->large_blob_read && options->large_blob_write) {
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::CANNOT_READ_AND_WRITE_LARGE_BLOB);
return;
}
if (options->large_blob_read) {
requested_extensions_.insert(RequestExtension::kLargeBlobRead);
} else if (options->large_blob_write) {
if (options->allow_credentials.size() != 1) {
CompleteGetAssertionRequest(blink::mojom::AuthenticatorStatus::
INVALID_ALLOW_CREDENTIALS_FOR_LARGE_BLOB);
return;
}
requested_extensions_.insert(RequestExtension::kLargeBlobWrite);
}
ctap_get_assertion_request_ =
CreateCtapGetAssertionRequest(client_data_json_, options, app_id_);
ctap_get_assertion_options_.emplace();
ctap_get_assertion_options_->is_off_the_record_context =
GetBrowserContext()->IsOffTheRecord();
if (options->prf) {
requested_extensions_.insert(RequestExtension::kPRF);
bool is_first = true;
absl::optional<std::vector<uint8_t>> last_id;
// TODO(agl): should match the credential IDs from the allow list, which
// will also limit the size to the size of the allow list.
for (const auto& prf_input_from_renderer : options->prf_inputs) {
device::PRFInput prf_input;
// This statement enforces invariants that should be established by the
// renderer.
if (
// Only the first element in the vector may be the default.
(!is_first && !prf_input_from_renderer->id) ||
// The PRF inputs must be sorted by credential ID to show that there
// are no duplicates.
(last_id.has_value() && prf_input_from_renderer->id.has_value() &&
*last_id >= *prf_input_from_renderer->id) ||
// The lengths are specified in authenticator.mojom, so hopefully Mojo
// enforces them too.
prf_input_from_renderer->first.size() != prf_input.salt1.size() ||
(prf_input_from_renderer->second &&
prf_input_from_renderer->second->size() != prf_input.salt1.size())) {
NOTREACHED();
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::UNKNOWN_ERROR);
return;
}
is_first = false;
last_id = prf_input_from_renderer->id;
if (prf_input_from_renderer->id) {
prf_input.credential_id = std::move(*prf_input_from_renderer->id);
}
memcpy(prf_input.salt1.data(), prf_input_from_renderer->first.data(),
prf_input.salt1.size());
if (prf_input_from_renderer->second) {
prf_input.salt2.emplace();
memcpy(prf_input.salt2->data(), prf_input_from_renderer->second->data(),
prf_input.salt2->size());
}
ctap_get_assertion_options_->prf_inputs.emplace_back(
std::move(prf_input));
}
}
if (options->device_public_key) {
requested_extensions_.insert(RequestExtension::kDevicePublicKey);
ctap_get_assertion_request_->device_public_key.emplace();
device::DevicePublicKeyRequest& device_public_key =
ctap_get_assertion_request_->device_public_key.value();
device_public_key.attestation = options->device_public_key->attestation;
device_public_key.attestation_formats =
options->device_public_key->attestation_formats;
switch (device_public_key.attestation) {
// DPK attestation is currently an enterprise-only feature. Non-enterprise
// values are mapped to "none". There's no prompting for getAssertion
// either so only policy-configured enterprise attestation works for this
// call.
case device::AttestationConveyancePreference::
kEnterpriseIfRPListedOnAuthenticator:
device_public_key.attestation = device::
AttestationConveyancePreference::kEnterpriseApprovedByBrowser;
[[fallthrough]];
case device::AttestationConveyancePreference::kIndirect:
case device::AttestationConveyancePreference::kDirect:
if (GetWebAuthenticationDelegate()->ShouldPermitIndividualAttestation(
GetBrowserContext(), caller_origin, relying_party_id_)) {
break;
}
[[fallthrough]];
case device::AttestationConveyancePreference::kNone:
device_public_key.attestation =
device::AttestationConveyancePreference::kNone;
device_public_key.attestation_formats.clear();
break;
case device::AttestationConveyancePreference::
kEnterpriseApprovedByBrowser:
// This should never come from the renderer.
mojo::ReportBadMessage("invalid devicePubKey attestation value");
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
break;
}
}
if (options->get_cred_blob) {
requested_extensions_.insert(RequestExtension::kGetCredBlob);
ctap_get_assertion_request_->get_cred_blob = true;
}
ctap_get_assertion_options_->large_blob_read = options->large_blob_read;
ctap_get_assertion_options_->large_blob_write = options->large_blob_write;
StartGetAssertionRequest(/*allow_skipping_pin_touch=*/true);
}
void AuthenticatorCommonImpl::IsUserVerifyingPlatformAuthenticatorAvailable(
url::Origin caller_origin,
blink::mojom::Authenticator::
IsUserVerifyingPlatformAuthenticatorAvailableCallback callback) {
WebAuthenticationRequestProxy* proxy =
GetWebAuthnRequestProxyIfActive(caller_origin);
if (proxy) {
// Note that IsUvpaa requests can interleave with MakeCredential or
// GetAssertion, and cannot be cancelled. Thus, we do not set
// `pending_proxied_request_id_` here.
proxy->SignalIsUvpaaRequest(std::move(callback));
return;
}
// Check for a delegate override. Chrome overrides IsUVPAA() in Guest mode.
absl::optional<bool> is_uvpaa_override =
GetWebAuthenticationDelegate()
->IsUserVerifyingPlatformAuthenticatorAvailableOverride(
GetRenderFrameHost());
if (is_uvpaa_override) {
std::move(callback).Run(*is_uvpaa_override);
return;
}
// Record IsUVPAA result in a UMA metric, but only if they're not the
// WebAuthenticationDelegate override value, so that results from the testing
// API and disabling in Guest/Off-The-Record profiles aren't counted.
auto uma_decorated_callback =
base::BindOnce([](bool available) {
base::UmaHistogramBoolean(
"WebAuthentication.IsUVPlatformAuthenticatorAvailable2", available);
return available;
}).Then(std::move(callback));
#if BUILDFLAG(IS_MAC)
IsUVPlatformAuthenticatorAvailable(GetBrowserContext(),
std::move(uma_decorated_callback));
#elif BUILDFLAG(IS_WIN)
IsUVPlatformAuthenticatorAvailable(GetBrowserContext()->IsOffTheRecord(),
std::move(uma_decorated_callback));
#elif BUILDFLAG(IS_CHROMEOS)
IsUVPlatformAuthenticatorAvailable(std::move(uma_decorated_callback));
#else
std::move(uma_decorated_callback).Run(false);
#endif
}
void AuthenticatorCommonImpl::IsConditionalMediationAvailable(
url::Origin caller_origin,
blink::mojom::Authenticator::IsConditionalMediationAvailableCallback
callback) {
// Conditional mediation is always supported if the virtual environment is
// providing a platform authenticator.
absl::optional<bool> embedder_isuvpaa_override =
GetWebAuthenticationDelegate()
->IsUserVerifyingPlatformAuthenticatorAvailableOverride(
GetRenderFrameHost());
if (embedder_isuvpaa_override.has_value()) {
std::move(callback).Run(*embedder_isuvpaa_override);
return;
}
if (GetWebAuthnRequestProxyIfActive(caller_origin)) {
// Conditional requests cannot be proxied, signal the feature as
// unavailable.
std::move(callback).Run(false);
return;
}
#if BUILDFLAG(IS_MAC)
std::move(callback).Run(true);
#elif BUILDFLAG(IS_WIN)
device::WinWebAuthnApiAuthenticator::IsConditionalMediationAvailable(
AuthenticatorEnvironment::GetInstance()->win_webauthn_api(),
std::move(callback));
#else
std::move(callback).Run(false);
#endif
}
void AuthenticatorCommonImpl::Cancel() {
CancelWithStatus(blink::mojom::AuthenticatorStatus::ABORT_ERROR);
}
void AuthenticatorCommonImpl::OnRegisterResponse(
device::MakeCredentialStatus status_code,
absl::optional<device::AuthenticatorMakeCredentialResponse> response_data,
const device::FidoAuthenticator* authenticator) {
if (!request_handler_) {
// Either the callback was called immediately and |request_handler_| has not
// yet been assigned (this is a bug), or a navigation caused the request to
// be canceled while a callback was enqueued.
return;
}
switch (status_code) {
case device::MakeCredentialStatus::kUserConsentButCredentialExcluded:
case device::MakeCredentialStatus::kWinInvalidStateError:
// Duplicate registration: the new credential would be created on an
// authenticator that already contains one of the credentials in
// |exclude_credentials|. If the request specified that only a platform
// authenticator was acceptable then we don't show an error message
// because there's no other authenticator that could be used for this
// request. Instead the RP learns of the result via the distinctive
// InvalidStateError result. This tells them that the platform
// authenticator is already registered with one of the credential IDs that
// they already know about.
//
// Windows already behaves like this and so its representation of
// InvalidStateError is handled this way too.
if (make_credential_options_->authenticator_attachment ==
device::AuthenticatorAttachment::kPlatform ||
status_code == device::MakeCredentialStatus::kWinInvalidStateError) {
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::CREDENTIAL_EXCLUDED, nullptr,
nullptr, Focus::kDoCheck);
} else {
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kKeyAlreadyRegistered,
blink::mojom::AuthenticatorStatus::CREDENTIAL_EXCLUDED);
}
return;
case device::MakeCredentialStatus::kAuthenticatorResponseInvalid:
// The response from the authenticator was corrupted.
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR, nullptr,
nullptr, Focus::kDoCheck);
return;
case device::MakeCredentialStatus::kUserConsentDenied:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kUserConsentDenied,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kSoftPINBlock:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kSoftPINBlock,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kHardPINBlock:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kHardPINBlock,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kAuthenticatorRemovedDuringPINEntry:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kAuthenticatorRemovedDuringPINEntry,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kAuthenticatorMissingResidentKeys:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kAuthenticatorMissingResidentKeys,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kAuthenticatorMissingUserVerification:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kAuthenticatorMissingUserVerification,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kAuthenticatorMissingLargeBlob:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kAuthenticatorMissingLargeBlob,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kNoCommonAlgorithms:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kNoCommonAlgorithms,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kStorageFull:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kStorageFull,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kWinNotAllowedError:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kWinUserCancelled,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::MakeCredentialStatus::kSuccess:
DCHECK(response_data.has_value());
DCHECK(authenticator);
absl::optional<device::FidoTransportProtocol> transport =
authenticator->AuthenticatorTransport();
bool is_transport_used_internal = false;
bool is_transport_used_cable = false;
if (transport) {
is_transport_used_internal =
*transport == device::FidoTransportProtocol::kInternal;
is_transport_used_cable =
*transport == device::FidoTransportProtocol::kHybrid;
}
absl::optional<device::DevicePublicKeyOutput> device_public_key_output =
response_data->GetDevicePublicKeyResponse();
const bool have_enterprise_attestation =
response_data->enterprise_attestation_returned ||
(device_public_key_output &&
device_public_key_output->enterprise_attestation_returned);
const bool device_public_key_included_attestation =
device_public_key_output &&
device_public_key_output->attestation_format !=
device::kNoneAttestationValue;
const auto attestation =
ctap_make_credential_request_->attestation_preference;
absl::optional<AttestationErasureOption> attestation_erasure;
if (response_data->attestation_should_be_filtered &&
!GetWebAuthenticationDelegate()->ShouldPermitIndividualAttestation(
GetBrowserContext(), caller_origin_, relying_party_id_)) {
attestation_erasure =
AttestationErasureOption::kEraseAttestationAndAaguid;
} else if (attestation == device::AttestationConveyancePreference::
kEnterpriseApprovedByBrowser) {
// If enterprise attestation was approved by policy then it can be
// returned immediately.
attestation_erasure = AttestationErasureOption::kIncludeAttestation;
} else if (attestation == device::AttestationConveyancePreference::
kEnterpriseIfRPListedOnAuthenticator &&
!response_data->enterprise_attestation_returned) {
// If enterprise attestation was requested, not approved by policy, and
// not approved by the authenticator, then any attestation is stripped.
attestation_erasure =
AttestationErasureOption::kEraseAttestationAndAaguid;
} else if (is_transport_used_cable) {
// Attestation is not returned when caBLEv2 is used, but the AAGUID is
// maintained.
attestation_erasure =
AttestationErasureOption::kEraseAttestationButIncludeAaguid;
} else if (is_transport_used_internal) {
// Direct attestation from platform authenticators is known to be
// privacy preserving, so we always return it when requested. Also,
// counter to what the WebAuthn spec says, we do not erase the AAGUID
// even when attestation wasn't requested.
attestation_erasure =
attestation != device::AttestationConveyancePreference::kNone
? AttestationErasureOption::kIncludeAttestation
: AttestationErasureOption::kEraseAttestationButIncludeAaguid;
} else if (attestation ==
device::AttestationConveyancePreference::kNone &&
response_data->attestation_object.IsSelfAttestation()) {
attestation_erasure = AttestationErasureOption::kIncludeAttestation;
} else if (attestation ==
device::AttestationConveyancePreference::kNone) {
attestation_erasure =
AttestationErasureOption::kEraseAttestationAndAaguid;
}
if (attestation_erasure.has_value() &&
// If a DPK attestation was requested then we show a prompt. (If
// the RP ID is allowlisted by policy then the prompt will be
// resolved immediately and never actually shown.)
!device_public_key_attestation_requested_) {
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::SUCCESS,
CreateMakeCredentialResponse(std::move(*response_data),
*attestation_erasure),
nullptr, Focus::kDoCheck);
} else {
awaiting_attestation_response_ = true;
request_delegate_->ShouldReturnAttestation(
relying_party_id_, authenticator, have_enterprise_attestation,
base::BindOnce(
&AuthenticatorCommonImpl::OnRegisterResponseAttestationDecided,
weak_factory_.GetWeakPtr(),
attestation_erasure.value_or(
AttestationErasureOption::kIncludeAttestation),
device_public_key_output.has_value(),
device_public_key_included_attestation,
std::move(*response_data)));
}
return;
}
NOTREACHED();
}
void AuthenticatorCommonImpl::OnRegisterResponseAttestationDecided(
AttestationErasureOption attestation_erasure,
const bool has_device_public_key_output,
const bool device_public_key_included_attestation,
device::AuthenticatorMakeCredentialResponse response_data,
bool attestation_permitted) {
awaiting_attestation_response_ = false;
if (!request_handler_) {
// The request has already been cleaned up, probably because a navigation
// occurred while the permissions prompt was pending.
return;
}
if (!attestation_permitted) {
attestation_erasure = AttestationErasureOption::kEraseAttestationAndAaguid;
}
// The check for IsAttestationCertificateInappropriatelyIdentifying is
// performed after the permissions prompt, even though we know the answer
// before, because this still effectively discloses the make & model of
// the authenticator: If an RP sees a "none" attestation from Chrome after
// requesting direct attestation then it knows that it was one of the
// tokens with inappropriate certs.
if (response_data.attestation_object
.IsAttestationCertificateInappropriatelyIdentifying() &&
!GetWebAuthenticationDelegate()->ShouldPermitIndividualAttestation(
GetBrowserContext(), caller_origin_, relying_party_id_)) {
// The attestation response is incorrectly individually identifiable, but
// the consent is for make & model information about a token, not for
// individually-identifiable information. Erase the attestation to stop it
// begin a tracking signal.
// The only way to get the underlying attestation will be to list the RP ID
// in the enterprise policy, because that enables the individual attestation
// bit in the register request and permits individual attestation generally.
attestation_erasure = AttestationErasureOption::kEraseAttestationAndAaguid;
}
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::SUCCESS,
CreateMakeCredentialResponse(std::move(response_data),
attestation_erasure),
nullptr, Focus::kDoCheck);
}
void AuthenticatorCommonImpl::OnSignResponse(
device::GetAssertionStatus status_code,
absl::optional<std::vector<device::AuthenticatorGetAssertionResponse>>
response_data) {
DCHECK(!response_data || !response_data->empty()); // empty vector is invalid
if (!request_handler_) {
// Either the callback was called immediately and |request_handler_| has not
// yet been assigned (this is a bug), or a navigation caused the request to
// be canceled while a callback was enqueued.
return;
}
switch (status_code) {
case device::GetAssertionStatus::kUserConsentButCredentialNotRecognized:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kKeyNotRegistered,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kAuthenticatorResponseInvalid:
// The response from the authenticator was corrupted.
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kUserConsentDenied:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kUserConsentDenied,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kSoftPINBlock:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kSoftPINBlock,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kHardPINBlock:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kHardPINBlock,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kAuthenticatorRemovedDuringPINEntry:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kAuthenticatorRemovedDuringPINEntry,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kAuthenticatorMissingResidentKeys:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kAuthenticatorMissingResidentKeys,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kAuthenticatorMissingUserVerification:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kAuthenticatorMissingUserVerification,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kWinNotAllowedError:
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::
kWinUserCancelled,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
return;
case device::GetAssertionStatus::kSuccess:
break;
}
DCHECK_EQ(status_code, device::GetAssertionStatus::kSuccess);
DCHECK(response_data.has_value());
// Show an account picker for discoverable credential requests (empty allow
// lists). Responses with a single credential are considered pre-selected if
// one of the following is true:
// - The authenticator omitted user entity information because only one
// credential matched (only valid in CTAP 2.0).
// - The `userSelected` flag is set, because the user chose an account on an
// integrated authenticator UI (CTAP 2.1).
// - The user already pre-selected a platform authenticator credential from
// browser UI prior to the actual GetAssertion request. (The request handler
// set the `userSelected` flag in this case.)
if (response_data->size() == 1) {
const device::AuthenticatorGetAssertionResponse& response =
response_data->at(0);
if (!discoverable_credential_request_ || response.user_selected ||
!response.user_entity || !response.user_entity->name ||
!response.user_entity->display_name) {
OnAccountSelected(std::move(response_data->at(0)));
return;
}
}
// Discoverable credential request without preselection UI. Show an account
// picker.
std::vector<device::PublicKeyCredentialUserEntity> users_list;
users_list.reserve(response_data->size());
for (const auto& response : *response_data) {
if (response.user_entity) {
users_list.push_back(*response.user_entity);
}
}
request_delegate_->SelectAccount(
std::move(*response_data),
base::BindOnce(&AuthenticatorCommonImpl::OnAccountSelected,
weak_factory_.GetWeakPtr()));
}
void AuthenticatorCommonImpl::OnAccountSelected(
device::AuthenticatorGetAssertionResponse response) {
CompleteGetAssertionRequest(blink::mojom::AuthenticatorStatus::SUCCESS,
CreateGetAssertionResponse(std::move(response)));
}
void AuthenticatorCommonImpl::SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason reason,
blink::mojom::AuthenticatorStatus status) {
error_awaiting_user_acknowledgement_ = status;
// The UI may decide to end the request immediately, or after user
// confirmation. Either way stop discoveries and authenticators now.
if (request_handler_) {
request_handler_->StopDiscoveries();
request_handler_->CancelActiveAuthenticators();
}
if (request_delegate_->DoesBlockRequestOnFailure(reason)) {
// The UI may have decided to start the request over. Thus do not assume
// anything about the state here.
return;
}
// The UI wishes the end the request immediately.
CancelWithStatus(error_awaiting_user_acknowledgement_);
}
void AuthenticatorCommonImpl::BeginRequestTimeout(
absl::optional<base::TimeDelta> timeout) {
timer_->Start(FROM_HERE, AdjustTimeout(timeout, GetRenderFrameHost()),
base::BindOnce(&AuthenticatorCommonImpl::OnTimeout,
weak_factory_.GetWeakPtr()));
}
// TODO(crbug.com/814418): Add web tests to verify timeouts are
// indistinguishable from NOT_ALLOWED_ERROR cases.
void AuthenticatorCommonImpl::OnTimeout() {
if (awaiting_attestation_response_) {
awaiting_attestation_response_ = false;
}
DCHECK(request_delegate_);
SignalFailureToRequestDelegate(
AuthenticatorRequestClientDelegate::InterestingFailureReason::kTimeout,
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
}
void AuthenticatorCommonImpl::CancelWithStatus(
blink::mojom::AuthenticatorStatus status) {
DCHECK(!make_credential_response_callback_ ||
!get_assertion_response_callback_);
if (pending_proxied_request_id_) {
WebAuthenticationRequestProxy* proxy =
GetWebAuthenticationDelegate()->MaybeGetRequestProxy(
GetBrowserContext(), caller_origin_);
// As long as `pending_proxied_request_id_` is set, there should be an
// active request proxy. Deactivation of the proxy would have invoked
// `OnMakeCredentialProxyResponse()` or `OnGetAssertionProxyResponse()`, and
// cleared `pending_proxied_request_id_`
DCHECK(proxy);
proxy->CancelRequest(*pending_proxied_request_id_);
}
if (make_credential_response_callback_) {
CompleteMakeCredentialRequest(status);
} else if (get_assertion_response_callback_) {
CompleteGetAssertionRequest(status);
}
}
void AuthenticatorCommonImpl::OnCancelFromUI() {
CancelWithStatus(error_awaiting_user_acknowledgement_);
}
blink::mojom::MakeCredentialAuthenticatorResponsePtr
AuthenticatorCommonImpl::CreateMakeCredentialResponse(
device::AuthenticatorMakeCredentialResponse response_data,
AttestationErasureOption attestation_erasure) {
auto response = blink::mojom::MakeCredentialAuthenticatorResponse::New();
auto common_info = blink::mojom::CommonCredentialInfo::New();
common_info->client_data_json.assign(client_data_json_.begin(),
client_data_json_.end());
common_info->raw_id = response_data.attestation_object.GetCredentialId();
common_info->id = Base64UrlEncode(common_info->raw_id);
response->authenticator_attachment =
response_data.transport_used
? device::AuthenticatorAttachmentFromTransport(
*response_data.transport_used)
: device::AuthenticatorAttachment::kAny;
base::flat_set<device::FidoTransportProtocol> transports;
// transports_authoritative tracks whether the contents of `transports` are
// considered to be sufficient complete to report back to the website.
bool transports_authoritative = false;
if (response_data.transport_used) {
transports.insert(*response_data.transport_used);
}
if (response_data.transports) {
transports.insert(response_data.transports->begin(),
response_data.transports->end());
transports_authoritative = true;
}
// Also include any transports from the attestation certificate.
absl::optional<base::span<const uint8_t>> leaf_cert =
response_data.attestation_object.attestation_statement()
.GetLeafCertificate();
if (leaf_cert) {
transports_authoritative |=
AddTransportsFromCertificate(*leaf_cert, &transports);
}
// The order of transports doesn't matter because Blink will sort the
// resulting strings before returning them.
if (transports_authoritative) {
response->transports.assign(transports.begin(), transports.end());
}
bool did_modify_authenticator_data = false;
switch (attestation_erasure) {
case AttestationErasureOption::kIncludeAttestation:
break;
case AttestationErasureOption::kEraseAttestationButIncludeAaguid:
did_modify_authenticator_data =
response_data.attestation_object.EraseAttestationStatement(
device::AttestationObject::AAGUID::kInclude);
break;
case AttestationErasureOption::kEraseAttestationAndAaguid:
did_modify_authenticator_data =
response_data.attestation_object.EraseAttestationStatement(
device::AttestationObject::AAGUID::kErase);
break;
}
if (did_modify_authenticator_data) {
// The devicePubKey extension signs over the authenticator data so its
// signature is now invalid and we have to remove the extension.
response_data.attestation_object.EraseExtension(
device::kExtensionDevicePublicKey);
}
bool did_create_hmac_secret = response_data.prf_enabled;
bool did_store_cred_blob = false;
absl::optional<std::vector<uint8_t>> device_public_key_authenticator_output;
const absl::optional<cbor::Value>& maybe_extensions =
response_data.attestation_object.authenticator_data().extensions();
if (maybe_extensions) {
DCHECK(maybe_extensions->is_map());
const cbor::Value::MapValue& extensions = maybe_extensions->GetMap();
if (!did_create_hmac_secret) {
const auto hmac_secret_it =
extensions.find(cbor::Value(device::kExtensionHmacSecret));
if (hmac_secret_it != extensions.end() &&
hmac_secret_it->second.is_bool() &&
hmac_secret_it->second.GetBool()) {
did_create_hmac_secret = true;
}
}
const auto cred_blob_it =
extensions.find(cbor::Value(device::kExtensionCredBlob));
if (cred_blob_it != extensions.end() && cred_blob_it->second.is_bool() &&
cred_blob_it->second.GetBool()) {
did_store_cred_blob = true;
}
const auto device_public_key_it =
extensions.find(cbor::Value(device::kExtensionDevicePublicKey));
if (device_public_key_it != extensions.end() &&
device_public_key_it->second.is_bytestring()) {
device_public_key_authenticator_output =
device_public_key_it->second.GetBytestring();
}
}
for (const RequestExtension ext : requested_extensions_) {
switch (ext) {
case RequestExtension::kPRF:
response->echo_prf = true;
response->prf = did_create_hmac_secret;
break;
case RequestExtension::kHMACSecret:
response->echo_hmac_create_secret = true;
response->hmac_create_secret = did_create_hmac_secret;
break;
case RequestExtension::kCredProps:
response->echo_cred_props = true;
if (response_data.is_resident_key) {
response->has_cred_props_rk = true;
response->cred_props_rk = *response_data.is_resident_key;
}
break;
case RequestExtension::kLargeBlobEnable:
response->echo_large_blob = true;
response->supports_large_blob =
response_data.large_blob_type.has_value();
break;
case RequestExtension::kCredBlob:
response->echo_cred_blob = true;
response->cred_blob = did_store_cred_blob;
break;
case RequestExtension::kMinPINLength:
// Ignore. The spec says[1] that there's no client (i.e. browser)
// extension output (as opposed to the output in the returned
// authenticator data). This may have been a mistake but it can always
// be added later.
// [1]
// https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension
break;
case RequestExtension::kDevicePublicKey:
if (device_public_key_authenticator_output &&
response_data.device_public_key_signature) {
DCHECK(!did_modify_authenticator_data);
response->device_public_key =
blink::mojom::DevicePublicKeyResponse::New();
response->device_public_key->authenticator_output =
std::move(*device_public_key_authenticator_output);
response->device_public_key->signature =
*response_data.device_public_key_signature;
}
break;
case RequestExtension::kAppID:
case RequestExtension::kLargeBlobRead:
case RequestExtension::kLargeBlobWrite:
case RequestExtension::kGetCredBlob:
NOTREACHED();
break;
}
}
response->attestation_object =
response_data.GetCBOREncodedAttestationObject();
common_info->authenticator_data =
response_data.attestation_object.authenticator_data()
.SerializeToByteArray();
response->info = std::move(common_info);
const device::PublicKey* public_key =
response_data.attestation_object.authenticator_data()
.attested_data()
->public_key();
response->public_key_algo = public_key->algorithm;
const absl::optional<std::vector<uint8_t>>& public_key_der =
public_key->der_bytes;
if (public_key_der) {
response->public_key_der.emplace(public_key_der.value());
}
return response;
}
void AuthenticatorCommonImpl::CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus status,
blink::mojom::MakeCredentialAuthenticatorResponsePtr response,
blink::mojom::WebAuthnDOMExceptionDetailsPtr dom_exception_details,
Focus check_focus) {
DCHECK(make_credential_response_callback_);
if (check_focus != Focus::kDontCheck && !(request_delegate_ && IsFocused())) {
std::move(make_credential_response_callback_)
.Run(blink::mojom::AuthenticatorStatus::NOT_FOCUSED, nullptr, nullptr);
} else {
std::move(make_credential_response_callback_)
.Run(status, std::move(response), std::move(dom_exception_details));
}
Cleanup();
}
blink::mojom::GetAssertionAuthenticatorResponsePtr
AuthenticatorCommonImpl::CreateGetAssertionResponse(
device::AuthenticatorGetAssertionResponse response_data) {
auto response = blink::mojom::GetAssertionAuthenticatorResponse::New();
auto common_info = blink::mojom::CommonCredentialInfo::New();
common_info->client_data_json.assign(client_data_json_.begin(),
client_data_json_.end());
common_info->raw_id = response_data.credential->id;
common_info->id = Base64UrlEncode(common_info->raw_id);
response->info = std::move(common_info);
response->info->authenticator_data =
response_data.authenticator_data.SerializeToByteArray();
response->signature = response_data.signature;
response->authenticator_attachment =
response_data.transport_used
? device::AuthenticatorAttachmentFromTransport(
*response_data.transport_used)
: device::AuthenticatorAttachment::kAny;
response_data.user_entity
? response->user_handle.emplace(response_data.user_entity->id)
: response->user_handle.emplace();
for (RequestExtension ext : requested_extensions_) {
switch (ext) {
case RequestExtension::kAppID:
DCHECK(app_id_);
response->echo_appid_extension = true;
if (response_data.authenticator_data.application_parameter() ==
CreateApplicationParameter(*app_id_)) {
response->appid_extension = true;
}
break;
case RequestExtension::kPRF: {
response->echo_prf = true;
absl::optional<base::span<const uint8_t>> hmac_secret =
response_data.hmac_secret;
if (hmac_secret) {
auto prf_values = blink::mojom::PRFValues::New();
DCHECK(hmac_secret->size() == 32 || hmac_secret->size() == 64);
prf_values->first = device::fido_parsing_utils::Materialize(
hmac_secret->subspan(0, 32));
if (hmac_secret->size() == 64) {
prf_values->second = device::fido_parsing_utils::Materialize(
hmac_secret->subspan(32, 32));
}
response->prf_results = std::move(prf_values);
} else {
response->prf_not_evaluated = response_data.hmac_secret_not_evaluated;
}
break;
}
case RequestExtension::kLargeBlobRead:
response->echo_large_blob = true;
response->large_blob = response_data.large_blob;
break;
case RequestExtension::kLargeBlobWrite:
response->echo_large_blob = true;
response->echo_large_blob_written = true;
response->large_blob_written = response_data.large_blob_written;
break;
case RequestExtension::kGetCredBlob: {
const absl::optional<cbor::Value>& extensions =
response_data.authenticator_data.extensions();
if (extensions) {
const cbor::Value::MapValue& map = extensions->GetMap();
const auto& it = map.find(cbor::Value(device::kExtensionCredBlob));
if (it != map.end() && it->second.is_bytestring()) {
response->get_cred_blob = it->second.GetBytestring();
}
}
if (!response->get_cred_blob.has_value()) {
// The authenticator is supposed to return an empty byte string if it
// does not have a credBlob for the credential. But in case it
// doesn't, we return one to the caller anyway.
response->get_cred_blob = std::vector<uint8_t>();
}
break;
}
case RequestExtension::kDevicePublicKey: {
const absl::optional<cbor::Value>& maybe_extensions =
response_data.authenticator_data.extensions();
if (maybe_extensions) {
DCHECK(maybe_extensions->is_map());
const cbor::Value::MapValue& extensions = maybe_extensions->GetMap();
const auto it =
extensions.find(cbor::Value(device::kExtensionDevicePublicKey));
if (it != extensions.end() && it->second.is_bytestring()) {
response->device_public_key =
blink::mojom::DevicePublicKeyResponse::New();
response->device_public_key->authenticator_output =
it->second.GetBytestring();
response->device_public_key->signature =
*response_data.device_public_key_signature;
}
}
break;
}
case RequestExtension::kHMACSecret:
case RequestExtension::kCredProps:
case RequestExtension::kLargeBlobEnable:
case RequestExtension::kCredBlob:
case RequestExtension::kMinPINLength:
NOTREACHED();
break;
}
}
return response;
}
void AuthenticatorCommonImpl::CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus status,
blink::mojom::GetAssertionAuthenticatorResponsePtr response,
blink::mojom::WebAuthnDOMExceptionDetailsPtr dom_exception_details) {
DCHECK(get_assertion_response_callback_);
std::move(get_assertion_response_callback_)
.Run(status, std::move(response), std::move(dom_exception_details));
Cleanup();
}
void AuthenticatorCommonImpl::Cleanup() {
timer_->Stop();
has_pending_request_ = false;
request_handler_.reset();
discovery_factory_.reset();
discovery_factory_testing_override_ = nullptr;
ctap_make_credential_request_.reset();
make_credential_options_.reset();
ctap_get_assertion_request_.reset();
ctap_get_assertion_options_.reset();
device_public_key_attestation_requested_ = false;
awaiting_attestation_response_ = false;
request_delegate_.reset();
make_credential_response_callback_.Reset();
get_assertion_response_callback_.Reset();
client_data_json_.clear();
app_id_.reset();
caller_origin_ = url::Origin();
relying_party_id_.clear();
error_awaiting_user_acknowledgement_ =
blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR;
requested_extensions_.clear();
pending_proxied_request_id_.reset();
discoverable_credential_request_ = false;
}
void AuthenticatorCommonImpl::DisableUI() {
disable_ui_ = true;
}
void AuthenticatorCommonImpl::DisableTLSCheck() {
disable_tls_check_ = true;
}
RenderFrameHost* AuthenticatorCommonImpl::GetRenderFrameHost() const {
RenderFrameHost* ret = RenderFrameHost::FromID(render_frame_host_id_);
DCHECK(ret);
return ret;
}
BrowserContext* AuthenticatorCommonImpl::GetBrowserContext() const {
return GetRenderFrameHost()->GetBrowserContext();
}
device::FidoDiscoveryFactory* AuthenticatorCommonImpl::discovery_factory() {
DCHECK(discovery_factory_);
return discovery_factory_testing_override_
? discovery_factory_testing_override_.get()
: discovery_factory_.get();
}
void AuthenticatorCommonImpl::InitDiscoveryFactory() {
discovery_factory_ = MakeDiscoveryFactory(GetRenderFrameHost());
// TODO(martinkr): |discovery_factory_testing_override_| is a long-lived
// VirtualFidoDeviceDiscovery so that tests can maintain and alter virtual
// authenticator state in between requests. We should extract a longer-lived
// configuration object from VirtualFidoDeviceDiscovery, so we can simply
// stick a short-lived instance into |discovery_factory_| and eliminate
// |discovery_factory_testing_override_|.
discovery_factory_testing_override_ =
AuthenticatorEnvironment::GetInstance()
->MaybeGetDiscoveryFactoryTestOverride();
}
void AuthenticatorCommonImpl::EnableRequestProxyExtensionsAPISupport() {
enable_request_proxy_api_ = true;
}
WebAuthenticationRequestProxy*
AuthenticatorCommonImpl::GetWebAuthnRequestProxyIfActive(
const url::Origin& caller_origin) {
DCHECK(!caller_origin.opaque());
// The Virtual Authenticator, which can be activated via Dev Tools UI or
// ChromeDriver, should take precedence over request proxying. Otherwise
// attaching a remote desktop session would interfere with automated or manual
// testing.
const bool virtual_authenticator_active =
AuthenticatorEnvironment::GetInstance()
->MaybeGetVirtualAuthenticatorManager(
static_cast<RenderFrameHostImpl*>(GetRenderFrameHost())
->frame_tree_node()) != nullptr;
if (!enable_request_proxy_api_ || virtual_authenticator_active) {
return nullptr;
}
return GetWebAuthenticationDelegate()->MaybeGetRequestProxy(
GetBrowserContext(), caller_origin);
}
void AuthenticatorCommonImpl::OnMakeCredentialProxyResponse(
WebAuthenticationRequestProxy::RequestId request_id,
blink::mojom::WebAuthnDOMExceptionDetailsPtr error,
blink::mojom::MakeCredentialAuthenticatorResponsePtr response) {
DCHECK_EQ(*pending_proxied_request_id_, request_id);
DCHECK(make_credential_response_callback_);
pending_proxied_request_id_.reset();
if (error) {
DCHECK(!response);
CompleteMakeCredentialRequest(
blink::mojom::AuthenticatorStatus::ERROR_WITH_DOM_EXCEPTION_DETAILS,
nullptr, std::move(error), Focus::kDoCheck);
return;
}
CompleteMakeCredentialRequest(blink::mojom::AuthenticatorStatus::SUCCESS,
std::move(response), nullptr, Focus::kDoCheck);
}
void AuthenticatorCommonImpl::OnGetAssertionProxyResponse(
WebAuthenticationRequestProxy::RequestId request_id,
blink::mojom::WebAuthnDOMExceptionDetailsPtr error,
blink::mojom::GetAssertionAuthenticatorResponsePtr response) {
DCHECK_EQ(*pending_proxied_request_id_, request_id);
DCHECK(get_assertion_response_callback_);
pending_proxied_request_id_.reset();
if (error) {
DCHECK(!response);
CompleteGetAssertionRequest(
blink::mojom::AuthenticatorStatus::ERROR_WITH_DOM_EXCEPTION_DETAILS,
nullptr, std::move(error));
return;
}
CompleteGetAssertionRequest(blink::mojom::AuthenticatorStatus::SUCCESS,
std::move(response));
}
} // namespace content