| // Copyright 2024 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chrome/browser/webauthn/chromeos/passkey_authenticator.h" |
| |
| #include "base/containers/span.h" |
| #include "base/functional/bind.h" |
| #include "base/functional/callback.h" |
| #include "base/functional/callback_helpers.h" |
| #include "base/memory/weak_ptr.h" |
| #include "base/no_destructor.h" |
| #include "base/notimplemented.h" |
| #include "base/task/sequenced_task_runner.h" |
| #include "chrome/browser/webauthn/chromeos/passkey_in_session_auth.h" |
| #include "chrome/browser/webauthn/chromeos/passkey_service.h" |
| #include "components/device_event_log/device_event_log.h" |
| #include "components/webauthn/core/browser/passkey_model.h" |
| #include "components/webauthn/core/browser/passkey_model_utils.h" |
| #include "content/public/browser/render_frame_host.h" |
| #include "crypto/ec_private_key.h" |
| #include "crypto/ec_signature_creator.h" |
| #include "crypto/sha2.h" |
| #include "device/fido/authenticator_get_assertion_response.h" |
| #include "device/fido/authenticator_supported_options.h" |
| #include "device/fido/ctap_get_assertion_request.h" |
| #include "device/fido/ctap_make_credential_request.h" |
| #include "device/fido/fido_authenticator.h" |
| #include "device/fido/fido_constants.h" |
| #include "device/fido/fido_transport_protocol.h" |
| #include "device/fido/fido_types.h" |
| #include "ui/aura/window.h" |
| |
| using device::AuthenticatorData; |
| using device::AuthenticatorGetAssertionResponse; |
| using device::AuthenticatorSupportedOptions; |
| using device::AuthenticatorType; |
| using device::CoseAlgorithmIdentifier; |
| using device::CredentialType; |
| using device::CtapGetAssertionOptions; |
| using device::CtapGetAssertionRequest; |
| using device::CtapMakeCredentialRequest; |
| using device::FidoAuthenticator; |
| using device::FidoRequestHandlerBase; |
| using device::FidoTransportProtocol; |
| using device::GetAssertionStatus; |
| using device::MakeCredentialOptions; |
| using device::PublicKeyCredentialDescriptor; |
| using device::PublicKeyCredentialUserEntity; |
| |
| namespace chromeos { |
| namespace { |
| |
| AuthenticatorSupportedOptions PasskeyAuthenticatorOptions() { |
| AuthenticatorSupportedOptions options; |
| options.is_platform_device = |
| AuthenticatorSupportedOptions::PlatformDevice::kYes; |
| options.supports_resident_key = true; |
| options.user_verification_availability = AuthenticatorSupportedOptions:: |
| UserVerificationAvailability::kSupportedAndConfigured; |
| return options; |
| } |
| |
| // Returns the WebAuthn authenticator data for this authenticator. See |
| // https://w3c.github.io/webauthn/#authenticator-data. |
| AuthenticatorData MakeAuthenticatorDataForAssertion(std::string_view rp_id) { |
| using Flag = AuthenticatorData::Flag; |
| return AuthenticatorData( |
| crypto::SHA256Hash(base::as_byte_span(rp_id)), |
| {Flag::kTestOfUserPresence, Flag::kTestOfUserVerification, |
| Flag::kBackupEligible, Flag::kBackupState}, |
| /*sign_counter=*/0u, |
| /*attested_credential_data=*/std::nullopt, |
| /*extensions=*/std::nullopt); |
| } |
| |
| std::optional<std::vector<uint8_t>> GenerateEcSignature( |
| base::span<const uint8_t> pkcs8_ec_private_key, |
| base::span<const uint8_t> signed_over_data) { |
| auto ec_private_key = |
| crypto::ECPrivateKey::CreateFromPrivateKeyInfo(pkcs8_ec_private_key); |
| if (!ec_private_key) { |
| return std::nullopt; |
| } |
| auto signer = crypto::ECSignatureCreator::Create(ec_private_key.get()); |
| std::vector<uint8_t> signature; |
| if (!signer->Sign(signed_over_data, &signature)) { |
| return std::nullopt; |
| } |
| return signature; |
| } |
| |
| } // namespace |
| |
| PasskeyAuthenticator::PasskeyAuthenticator( |
| content::RenderFrameHost* rfh, |
| PasskeyService* passkey_service, |
| webauthn::PasskeyModel* passkey_model) |
| : render_frame_host_id_(rfh->GetGlobalId()), |
| passkey_service_(passkey_service), |
| passkey_model_(passkey_model) {} |
| |
| PasskeyAuthenticator::~PasskeyAuthenticator() = default; |
| |
| AuthenticatorType PasskeyAuthenticator::GetType() const { |
| return AuthenticatorType::kChromeOSPasskeys; |
| } |
| |
| std::string PasskeyAuthenticator::GetId() const { |
| return "ChromeOSPasskeysAuthenticator"; |
| } |
| |
| std::optional<base::span<const int32_t>> PasskeyAuthenticator::GetAlgorithms() { |
| constexpr std::array<int32_t, 1> kAlgorithms{ |
| static_cast<int32_t>(CoseAlgorithmIdentifier::kEs256)}; |
| return kAlgorithms; |
| } |
| |
| const AuthenticatorSupportedOptions& PasskeyAuthenticator::Options() const { |
| static const base::NoDestructor<AuthenticatorSupportedOptions> options( |
| PasskeyAuthenticatorOptions()); |
| return *options; |
| } |
| |
| std::optional<FidoTransportProtocol> |
| PasskeyAuthenticator::AuthenticatorTransport() const { |
| return FidoTransportProtocol::kInternal; |
| } |
| |
| void PasskeyAuthenticator::GetTouch(base::OnceClosure callback) {} |
| |
| void PasskeyAuthenticator::InitializeAuthenticator(base::OnceClosure callback) { |
| std::move(callback).Run(); |
| } |
| |
| void PasskeyAuthenticator::MakeCredential(CtapMakeCredentialRequest request, |
| MakeCredentialOptions request_options, |
| MakeCredentialCallback callback) {} |
| |
| void PasskeyAuthenticator::GetAssertion(CtapGetAssertionRequest request, |
| CtapGetAssertionOptions options, |
| GetAssertionCallback callback) { |
| std::string rp_id = request.rp_id; |
| PasskeyInSessionAuthProvider::Get()->ShowPasskeyInSessionAuthDialog( |
| content::RenderFrameHost::FromID(render_frame_host_id_) |
| ->GetNativeView() |
| ->GetToplevelWindow(), |
| rp_id, |
| base::BindOnce(&PasskeyAuthenticator::FinishGetAssertion, |
| weak_factory_.GetWeakPtr(), std::move(request), |
| std::move(options), std::move(callback))); |
| return; |
| } |
| |
| void PasskeyAuthenticator::FinishGetAssertion(CtapGetAssertionRequest request, |
| CtapGetAssertionOptions options, |
| GetAssertionCallback callback, |
| bool user_verification_success) { |
| if (!user_verification_success) { |
| std::move(callback).Run( |
| GetAssertionStatus::kUserConsentButCredentialNotRecognized, {}); |
| return; |
| } |
| |
| CHECK_EQ(request.allow_list.size(), 1u); |
| const std::vector<uint8_t>& credential_id = request.allow_list.begin()->id; |
| const std::string credential_id_str = {credential_id.begin(), |
| credential_id.end()}; |
| |
| std::optional<sync_pb::WebauthnCredentialSpecifics> credential_specifics = |
| passkey_model_->GetPasskeyByCredentialId(request.rp_id, |
| credential_id_str); |
| if (!credential_specifics) { |
| FIDO_LOG(ERROR) << "Could not find a matching GPM credential."; |
| std::move(callback).Run( |
| GetAssertionStatus::kUserConsentButCredentialNotRecognized, {}); |
| return; |
| } |
| |
| const std::optional<std::vector<uint8_t>> security_domain_secret = |
| passkey_service_->GetCachedSecurityDomainSecret(); |
| if (!security_domain_secret) { |
| FIDO_LOG(ERROR) << "Security domain secret unavailable."; |
| std::move(callback).Run( |
| GetAssertionStatus::kUserConsentButCredentialNotRecognized, {}); |
| return; |
| } |
| |
| // Decrypt the sealed data from `credential_specifics` into |
| // `credential_secrets`. Note that `DecryptWebauthnCredentialSpecificsData()` |
| // internally maps both the `encrypted` and `private_key` case of the |
| // `encrypted_data` oneof to `WebauthnCredentialSpecifics_Encrypted`. In the |
| // latter case, only the `private_key` field will be set. |
| sync_pb::WebauthnCredentialSpecifics_Encrypted unsealed_credential_secrets; |
| if (!webauthn::passkey_model_utils::DecryptWebauthnCredentialSpecificsData( |
| base::make_span(*security_domain_secret), *credential_specifics, |
| &unsealed_credential_secrets)) { |
| FIDO_LOG(ERROR) << "Decrypting WebauthnCredentialSpecifics failed."; |
| std::move(callback).Run( |
| GetAssertionStatus::kUserConsentButCredentialNotRecognized, {}); |
| return; |
| } |
| |
| AuthenticatorData authenticator_data = |
| MakeAuthenticatorDataForAssertion(request.rp_id); |
| std::vector<uint8_t> signed_over_data( |
| authenticator_data.SerializeToByteArray()); |
| signed_over_data.insert(signed_over_data.end(), |
| request.client_data_hash.begin(), |
| request.client_data_hash.end()); |
| std::optional<std::vector<uint8_t>> assertion_signature = GenerateEcSignature( |
| base::as_byte_span(unsealed_credential_secrets.private_key()), |
| signed_over_data); |
| if (!assertion_signature) { |
| FIDO_LOG(ERROR) << "Generating assertion signature failed"; |
| std::move(callback).Run( |
| GetAssertionStatus::kUserConsentButCredentialNotRecognized, {}); |
| return; |
| } |
| |
| AuthenticatorGetAssertionResponse assertion_response( |
| std::move(authenticator_data), std::move(*assertion_signature), |
| /*transport_used=*/std::nullopt); |
| assertion_response.credential = |
| PublicKeyCredentialDescriptor(CredentialType::kPublicKey, credential_id); |
| assertion_response.user_entity = PublicKeyCredentialUserEntity( |
| std::vector<uint8_t>(credential_specifics->user_id().begin(), |
| credential_specifics->user_id().end())); |
| std::vector<AuthenticatorGetAssertionResponse> responses; |
| responses.emplace_back(std::move(assertion_response)); |
| std::move(callback).Run(GetAssertionStatus::kSuccess, std::move(responses)); |
| } |
| |
| void PasskeyAuthenticator::Cancel() { |
| NOTIMPLEMENTED(); |
| } |
| |
| base::WeakPtr<FidoAuthenticator> PasskeyAuthenticator::GetWeakPtr() { |
| return weak_factory_.GetWeakPtr(); |
| } |
| |
| } // namespace chromeos |
