Google Git
Sign in
chromium / chromium / src / d5b519e817d07443baf76ad4153ad414f009b020
commitd5b519e817d07443baf76ad4153ad414f009b020[log] [tgz]
authorMartin Kreichgauer <martinkr@google.com>Wed Aug 17 18:13:48 2022
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Aug 17 18:13:48 2022
treec3c85f73d19c00c5b305c4e12ef183c72adb2a92
parentc7f7dd0aa2c2404ccab441a9cffbb4d73d4938cb [diff]
fido/mac: fix a bug in keychain item handling

CL:3781120 changed the data persisted into the kSecAttrApplicationTag
attribute for new credentials. Prior to that change, and up to
CredentialMetadata version 2, the field contained an encoding of (RP ID,
user ID); the CL makes that field store the encrypted metadata. Another
thing that CL changed was the data type of the stored value, from
CFStringRef to CFDataRef (because the official keychain docs say it
should be CFDataRef:
https://developer.apple.com/documentation/security/ksecattrapplicationtag?language=objc#:~:text=The%20corresponding%20value%20is%20of%20type%20CFDataRef%20and%20contains%20private%20tag%20data).

However, TouchIdCredentialStore::FindCredentialsImpl() expected all
query keychain items to contain CFDataRef, and returned absl::nullopt if
that wasn't true. This made credential lookups in the Touch ID
authenticator fail in the presence of older (version < 3) credentials
for the given RP.

To fix this, change TouchIdCredentialStore::FindCredentialsImpl() to not
bail entirely if kSecAttrApplicationTag doesn't contain the expected
type.

An existing test in CredentialStoreTest would have caught this issue, if
it hadn't been for a test bug where creating a legacy credential
mistakenly created a V3 credential. So this fix that bug as well.

Fixed: 1353101
Change-Id: I6cc04e84c1a011b5db1eed96734792fa9cd8aa4a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3832144
Reviewed-by: Adam Langley <agl@chromium.org>
Commit-Queue: Adam Langley <agl@chromium.org>
Auto-Submit: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/main@{#1036179}
3 files changed
tree: c3c85f73d19c00c5b305c4e12ef183c72adb2a92
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. codelabs/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia_web/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. media/
  31. mojo/
  32. native_client_sdk/
  33. net/
  34. pdf/
  35. ppapi/
  36. printing/
  37. remoting/
  38. rlz/
  39. sandbox/
  40. services/
  41. skia/
  42. sql/
  43. storage/
  44. styleguide/
  45. testing/
  46. third_party/
  47. tools/
  48. ui/
  49. url/
  50. weblayer/
  51. .clang-format
  52. .clang-tidy
  53. .eslintrc.js
  54. .git-blame-ignore-revs
  55. .gitattributes
  56. .gitignore
  57. .gn
  58. .mailmap
  59. .rustfmt.toml
  60. .vpython
  61. .vpython3
  62. .yapfignore
  63. AUTHORS
  64. BUILD.gn
  65. CODE_OF_CONDUCT.md
  66. codereview.settings
  67. DEPS
  68. DIR_METADATA
  69. ENG_REVIEW_OWNERS
  70. LICENSE
  71. LICENSE.chromium_os
  72. OWNERS
  73. PRESUBMIT.py
  74. PRESUBMIT_test.py
  75. PRESUBMIT_test_mocks.py
  76. README.md
  77. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.

If you found a bug, please file it at https://crbug.com/new.