Google Git
Sign in
chromium / chromium / src / 96ad22527d78588a5c8889f66709aa3d8e009241 / . / device / fido / fido_device_authenticator.h
blob: 070ef88926dbb3100886460825856d5de90ab585 [file] [log] [blame]
// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef DEVICE_FIDO_FIDO_DEVICE_AUTHENTICATOR_H_
#define DEVICE_FIDO_FIDO_DEVICE_AUTHENTICATOR_H_
#include <memory>
#include <string>
#include <vector>
#include "base/component_export.h"
#include "base/memory/weak_ptr.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
#include "device/fido/authenticator_get_assertion_response.h"
#include "device/fido/device_operation.h"
#include "device/fido/fido_authenticator.h"
#include "device/fido/fido_constants.h"
#include "device/fido/fido_request_handler_base.h"
#include "device/fido/large_blob.h"
#include "device/fido/pin.h"
#include "mojo/public/cpp/base/big_buffer.h"
#include "services/data_decoder/public/cpp/data_decoder.h"
#include "third_party/abseil-cpp/absl/types/optional.h"
namespace device {
struct CtapGetAssertionRequest;
struct CtapGetAssertionOptions;
struct CtapMakeCredentialRequest;
struct EnumerateRPsResponse;
class FidoDevice;
class FidoTask;
class GenericDeviceOperation;
// Adaptor class from a |FidoDevice| to the |FidoAuthenticator| interface.
// Responsible for translating WebAuthn-level requests into serializations that
// can be passed to the device for transport.
class COMPONENT_EXPORT(DEVICE_FIDO) FidoDeviceAuthenticator
: public FidoAuthenticator {
public:
// These values are persisted to logs. Entries should not be renumbered and
// numeric values should never be reused.
enum class LargeBlobKeyWriteResult {
kSuccess = 0,
kNotEnoughSpace = 1,
kCompressionError = 2,
kCredentialHasNoLargeBlobKey = 3,
kCtapError = 4,
kMaxValue = kCtapError,
};
explicit FidoDeviceAuthenticator(std::unique_ptr<FidoDevice> device);
FidoDeviceAuthenticator(const FidoDeviceAuthenticator&) = delete;
FidoDeviceAuthenticator& operator=(const FidoDeviceAuthenticator&) = delete;
~FidoDeviceAuthenticator() override;
// FidoAuthenticator:
void InitializeAuthenticator(base::OnceClosure callback) override;
void ExcludeAppIdCredentialsBeforeMakeCredential(
CtapMakeCredentialRequest request,
MakeCredentialOptions options,
base::OnceCallback<void(CtapDeviceResponseCode, absl::optional<bool>)>)
override;
void MakeCredential(CtapMakeCredentialRequest request,
MakeCredentialOptions options,
MakeCredentialCallback callback) override;
void GetAssertion(CtapGetAssertionRequest request,
CtapGetAssertionOptions options,
GetAssertionCallback callback) override;
void GetTouch(base::OnceClosure callback) override;
void GetPinRetries(GetRetriesCallback callback) override;
void GetPINToken(std::string pin,
std::vector<pin::Permissions> permissions,
absl::optional<std::string> rp_id,
GetTokenCallback callback) override;
void GetUvRetries(GetRetriesCallback callback) override;
bool CanGetUvToken() override;
void GetUvToken(std::vector<pin::Permissions> permissions,
absl::optional<std::string> rp_id,
GetTokenCallback callback) override;
uint32_t CurrentMinPINLength() override;
uint32_t NewMinPINLength() override;
bool ForcePINChange() override;
void SetPIN(const std::string& pin, SetPINCallback callback) override;
void ChangePIN(const std::string& old_pin,
const std::string& new_pin,
SetPINCallback callback) override;
PINUVDisposition PINUVDispositionForMakeCredential(
const CtapMakeCredentialRequest& request,
const FidoRequestHandlerBase::Observer* observer) override;
// WillNeedPINToGetAssertion returns whether a PIN prompt will be needed to
// serve the given request on this authenticator.
PINUVDisposition PINUVDispositionForGetAssertion(
const CtapGetAssertionRequest& request,
const FidoRequestHandlerBase::Observer* observer) override;
void GetCredentialsMetadata(const pin::TokenResponse& pin_token,
GetCredentialsMetadataCallback callback) override;
void EnumerateCredentials(const pin::TokenResponse& pin_token,
EnumerateCredentialsCallback callback) override;
void DeleteCredential(const pin::TokenResponse& pin_token,
const PublicKeyCredentialDescriptor& credential_id,
DeleteCredentialCallback callback) override;
bool SupportsUpdateUserInformation() const override;
void UpdateUserInformation(const pin::TokenResponse& pin_token,
const PublicKeyCredentialDescriptor& credential_id,
const PublicKeyCredentialUserEntity& updated_user,
UpdateUserInformationCallback callback) override;
void GetModality(BioEnrollmentCallback callback) override;
void GetSensorInfo(BioEnrollmentCallback callback) override;
void BioEnrollFingerprint(const pin::TokenResponse&,
absl::optional<std::vector<uint8_t>> template_id,
BioEnrollmentCallback) override;
void BioEnrollCancel(BioEnrollmentCallback) override;
void BioEnrollEnumerate(const pin::TokenResponse&,
BioEnrollmentCallback) override;
void BioEnrollRename(const pin::TokenResponse&,
std::vector<uint8_t> template_id,
std::string name,
BioEnrollmentCallback) override;
void BioEnrollDelete(const pin::TokenResponse&,
std::vector<uint8_t> template_id,
BioEnrollmentCallback) override;
void GarbageCollectLargeBlob(
const pin::TokenResponse& pin_uv_auth_token,
base::OnceCallback<void(CtapDeviceResponseCode)> callback) override;
absl::optional<base::span<const int32_t>> GetAlgorithms() override;
bool DiscoverableCredentialStorageFull() const override;
void Reset(ResetCallback callback) override;
void Cancel() override;
std::string GetId() const override;
std::string GetDisplayName() const override;
ProtocolVersion SupportedProtocol() const override;
const AuthenticatorSupportedOptions& Options() const override;
absl::optional<FidoTransportProtocol> AuthenticatorTransport() const override;
base::WeakPtr<FidoAuthenticator> GetWeakPtr() override;
FidoDevice* device() { return device_.get(); }
void SetTaskForTesting(std::unique_ptr<FidoTask> task);
private:
using GetEphemeralKeyCallback =
base::OnceCallback<void(CtapDeviceResponseCode,
absl::optional<pin::KeyAgreementResponse>)>;
using LargeBlobReadCallback = base::OnceCallback<void(
CtapDeviceResponseCode,
absl::optional<std::vector<std::pair<LargeBlobKey, LargeBlob>>>
callback)>;
void InitializeAuthenticatorDone(base::OnceClosure callback);
void GetEphemeralKey(GetEphemeralKeyCallback callback);
void DoGetAssertion(CtapGetAssertionRequest request,
CtapGetAssertionOptions options,
GetAssertionCallback callback);
void OnHaveCompressedLargeBlobForGetAssertion(
CtapGetAssertionRequest request,
CtapGetAssertionOptions options,
GetAssertionCallback callback,
size_t original_size,
base::expected<mojo_base::BigBuffer, std::string> result);
void MaybeGetEphemeralKeyForGetAssertion(CtapGetAssertionRequest request,
CtapGetAssertionOptions options,
GetAssertionCallback callback);
void OnHaveNextAssertion(
CtapGetAssertionRequest request,
CtapGetAssertionOptions options,
std::vector<AuthenticatorGetAssertionResponse> responses,
GetAssertionCallback callback,
CtapDeviceResponseCode status,
absl::optional<AuthenticatorGetAssertionResponse> response);
void PerformGetAssertionLargeBlobOperation(
CtapGetAssertionRequest request,
CtapGetAssertionOptions options,
std::vector<AuthenticatorGetAssertionResponse> responses,
GetAssertionCallback callback);
void OnHaveEphemeralKeyForGetAssertion(
CtapGetAssertionRequest request,
CtapGetAssertionOptions options,
GetAssertionCallback callback,
CtapDeviceResponseCode status,
absl::optional<pin::KeyAgreementResponse> key);
void OnHaveEphemeralKeyForGetPINToken(
std::string pin,
std::vector<pin::Permissions> permissions,
absl::optional<std::string> rp_id,
GetTokenCallback callback,
CtapDeviceResponseCode status,
absl::optional<pin::KeyAgreementResponse> key);
void OnHaveEphemeralKeyForSetPIN(
std::string pin,
SetPINCallback callback,
CtapDeviceResponseCode status,
absl::optional<pin::KeyAgreementResponse> key);
void OnHaveEphemeralKeyForChangePIN(
std::string old_pin,
std::string new_pin,
SetPINCallback callback,
CtapDeviceResponseCode status,
absl::optional<pin::KeyAgreementResponse> key);
void OnHaveEphemeralKeyForUvToken(
absl::optional<std::string> rp_id,
std::vector<pin::Permissions> permissions,
GetTokenCallback callback,
CtapDeviceResponseCode status,
absl::optional<pin::KeyAgreementResponse> key);
// Attempts to read large blobs from the credential encrypted with
// |large_blob_keys|. Returns a map of keys to their blobs.
void ReadLargeBlob(const std::vector<LargeBlobKey>& large_blob_keys,
LargeBlobReadCallback callback);
void FetchLargeBlobArray(
LargeBlobArrayReader large_blob_array_reader,
base::OnceCallback<void(CtapDeviceResponseCode,
absl::optional<LargeBlobArrayReader>)> callback);
void WriteLargeBlobArray(
absl::optional<pin::TokenResponse> pin_uv_auth_token,
LargeBlobArrayWriter large_blob_array_writer,
base::OnceCallback<void(CtapDeviceResponseCode)> callback);
void OnReadLargeBlobFragment(
const size_t bytes_requested,
LargeBlobArrayReader large_blob_array_reader,
base::OnceCallback<void(CtapDeviceResponseCode,
absl::optional<LargeBlobArrayReader>)> callback,
CtapDeviceResponseCode status,
absl::optional<LargeBlobsResponse> response);
void OnWriteLargeBlobFragment(
LargeBlobArrayWriter large_blob_array_writer,
absl::optional<pin::TokenResponse> pin_uv_auth_token,
base::OnceCallback<void(CtapDeviceResponseCode)> callback,
CtapDeviceResponseCode status,
absl::optional<LargeBlobsResponse> response);
void OnWroteLargeBlobForGetAssertion(
std::vector<AuthenticatorGetAssertionResponse> responses,
GetAssertionCallback callback,
CtapDeviceResponseCode status);
void OnReadLargeBlobForGetAssertion(
std::vector<AuthenticatorGetAssertionResponse> responses,
GetAssertionCallback callback,
CtapDeviceResponseCode status,
absl::optional<std::vector<std::pair<LargeBlobKey, LargeBlob>>> blobs);
void OnBlobUncompressed(
std::vector<AuthenticatorGetAssertionResponse> responses,
std::vector<std::pair<LargeBlobKey, LargeBlob>> blobs,
LargeBlobKey uncompressed_key,
GetAssertionCallback callback,
base::expected<mojo_base::BigBuffer, std::string> result);
void OnLargeBlobExtensionUncompressed(
std::vector<AuthenticatorGetAssertionResponse> responses,
GetAssertionCallback callback,
base::expected<mojo_base::BigBuffer, std::string> result);
void OnCredentialsEnumeratedForGarbageCollect(
const pin::TokenResponse& pin_uv_auth_token,
base::OnceCallback<void(CtapDeviceResponseCode)> callback,
CtapDeviceResponseCode status,
absl::optional<std::vector<AggregatedEnumerateCredentialsResponse>>
credentials);
void OnHaveLargeBlobArrayForWrite(
const LargeBlobKey& large_blob_key,
absl::optional<pin::TokenResponse> pin_uv_auth_token,
base::OnceCallback<void(CtapDeviceResponseCode)> callback,
CtapDeviceResponseCode status,
absl::optional<LargeBlobArrayReader> large_blob_array_reader);
void OnHaveLargeBlobArrayForRead(
const std::vector<LargeBlobKey>& large_blob_keys,
LargeBlobReadCallback callback,
CtapDeviceResponseCode status,
absl::optional<LargeBlobArrayReader> large_blob_array_reader);
void OnHaveLargeBlobArrayForGarbageCollect(
std::vector<AggregatedEnumerateCredentialsResponse> credentials,
const pin::TokenResponse& pin_uv_auth_token,
base::OnceCallback<void(CtapDeviceResponseCode)> callback,
CtapDeviceResponseCode status,
absl::optional<LargeBlobArrayReader> large_blob_array_reader);
void LogLargeBlobResult(LargeBlobKeyWriteResult result);
template <typename... Args>
void TaskClearProxy(base::OnceCallback<void(Args...)> callback, Args... args);
template <typename... Args>
void OperationClearProxy(base::OnceCallback<void(Args...)> callback,
Args... args);
template <typename Task, typename Response, typename... RequestArgs>
void RunTask(RequestArgs&&... request_args,
base::OnceCallback<void(CtapDeviceResponseCode,
absl::optional<Response>)> callback);
template <typename Request, typename Response>
void RunOperation(Request request,
base::OnceCallback<void(CtapDeviceResponseCode,
absl::optional<Response>)> callback,
base::OnceCallback<absl::optional<Response>(
const absl::optional<cbor::Value>&)> parser,
bool (*string_fixup_predicate)(
const std::vector<const cbor::Value*>&) = nullptr);
struct EnumerateCredentialsState;
void OnEnumerateRPsDone(EnumerateCredentialsState state,
CtapDeviceResponseCode status,
absl::optional<EnumerateRPsResponse> response);
void OnEnumerateCredentialsDone(
EnumerateCredentialsState state,
CtapDeviceResponseCode status,
absl::optional<EnumerateCredentialsResponse> response);
size_t max_large_blob_fragment_length();
const std::unique_ptr<FidoDevice> device_;
AuthenticatorSupportedOptions options_;
std::unique_ptr<FidoTask> task_;
std::unique_ptr<GenericDeviceOperation> operation_;
bool initialized_ = false;
// The highest advertised PINUVAuthProtocol version that the authenticator
// supports. This is guaranteed to be non-null after authenticator
// initialization if |options_| indicates that PIN is supported.
absl::optional<PINUVAuthProtocol> chosen_pin_uv_auth_protocol_;
data_decoder::DataDecoder data_decoder_;
// large_blob_ contains a compressed largeBlob and indicates that an
// largeBlobKey-based write will occur in a `GetAssertion` operation.
absl::optional<LargeBlob> large_blob_;
// large_blob_read_ indicates that a largeBlobKey-based read will occur
// in a `GetAssertion` operation.
bool large_blob_read_;
base::WeakPtrFactory<FidoDeviceAuthenticator> weak_factory_{this};
};
} // namespace device
#endif // DEVICE_FIDO_FIDO_DEVICE_AUTHENTICATOR_H_