| // Copyright 2017 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef DEVICE_FIDO_CTAP_MAKE_CREDENTIAL_REQUEST_H_ |
| #define DEVICE_FIDO_CTAP_MAKE_CREDENTIAL_REQUEST_H_ |
| |
| #include <stdint.h> |
| |
| #include <array> |
| #include <string> |
| #include <vector> |
| |
| #include "base/component_export.h" |
| #include "base/containers/span.h" |
| #include "base/macros.h" |
| #include "device/fido/fido_constants.h" |
| #include "device/fido/pin.h" |
| #include "device/fido/public_key_credential_descriptor.h" |
| #include "device/fido/public_key_credential_params.h" |
| #include "device/fido/public_key_credential_rp_entity.h" |
| #include "device/fido/public_key_credential_user_entity.h" |
| #include "third_party/abseil-cpp/absl/types/optional.h" |
| |
// Forward declaration only. Note that the Parse() signatures below spell the
// nested type |cbor::Value::MapValue|, which requires the complete cbor::Value
// definition; this header does not include the cbor Value header directly, so
// that definition currently arrives through one of the device/fido includes
// above. That is an include-what-you-use gap: if a transitive include changes,
// this header stops compiling on its own.
namespace cbor {
class Value;
}
| |
| namespace device { |
| |
// Object containing request parameters for AuthenticatorMakeCredential command
// as specified in
// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html
//
// Instances are produced either by the constructor below (platform-supplied
// values) or by Parse(), which decodes a CBOR map from a CTAP2 request
// message. Parse() returns an optional, so callers must treat the map as
// untrusted input and handle the nullopt (decode failure) case.
struct COMPONENT_EXPORT(DEVICE_FIDO) CtapMakeCredentialRequest {
 public:
  // Fixed-size hash of the client data. The length constant is declared
  // outside this header (presumably in fido_constants.h — confirm).
  using ClientDataHash = std::array<uint8_t, kClientDataHashLength>;

  // ParseOpts are optional parameters passed to Parse().
  struct ParseOpts {
    // reject_all_extensions makes parsing fail if any extensions are present.
    // Default-constructed ParseOpts (which is what the one-argument Parse()
    // overload uses) leave this false, i.e. extensions are accepted.
    bool reject_all_extensions = false;
  };

  // Decodes a CTAP2 authenticatorMakeCredential request message. The request's
  // |client_data_json| will be empty and |client_data_hash| will be set.
  // A nullopt result means no request could be decoded from |request_map|.
  //
  // This overload delegates with default ParseOpts, so it does NOT reject
  // extensions; callers that must fail on unexpected extensions should call
  // the two-argument overload with |reject_all_extensions| set to true.
  static absl::optional<CtapMakeCredentialRequest> Parse(
      const cbor::Value::MapValue& request_map) {
    return Parse(request_map, ParseOpts());
  }
  // Same as above, with explicit |opts|. Defined out of line.
  static absl::optional<CtapMakeCredentialRequest> Parse(
      const cbor::Value::MapValue& request_map,
      const ParseOpts& opts);

  // Builds a request from platform-supplied values. NOTE(review):
  // |client_data_hash| has no in-class initializer, so it is this
  // constructor's (or Parse()'s) responsibility to populate it — confirm
  // against the out-of-line definition before relying on it.
  CtapMakeCredentialRequest(
      std::string client_data_json,
      PublicKeyCredentialRpEntity rp,
      PublicKeyCredentialUserEntity user,
      PublicKeyCredentialParams public_key_credential_params);
  CtapMakeCredentialRequest(const CtapMakeCredentialRequest& that);
  // NOTE(review): the move operations are not declared noexcept, so standard
  // containers that reallocate (e.g. std::vector) will fall back to the copy
  // constructor above instead of moving.
  CtapMakeCredentialRequest(CtapMakeCredentialRequest&& that);
  CtapMakeCredentialRequest& operator=(const CtapMakeCredentialRequest& that);
  CtapMakeCredentialRequest& operator=(CtapMakeCredentialRequest&& that);
  ~CtapMakeCredentialRequest();

  // Serialized client data. Empty when the request came from Parse().
  std::string client_data_json;
  // Hash of the client data. Set by Parse(); this is also the value over
  // which |pin_auth| is computed (see below).
  ClientDataHash client_data_hash;
  // The relying party entity (the CTAP "rp" member).
  PublicKeyCredentialRpEntity rp;
  // The user entity (the CTAP "user" member).
  PublicKeyCredentialUserEntity user;
  // Acceptable credential types/algorithms (the CTAP "pubKeyCredParams"
  // member).
  PublicKeyCredentialParams public_key_credential_params;
  // Requested user-verification level; defaults to the least demanding value.
  UserVerificationRequirement user_verification =
      UserVerificationRequirement::kDiscouraged;
  // Requested authenticator attachment; kAny places no restriction.
  AuthenticatorAttachment authenticator_attachment =
      AuthenticatorAttachment::kAny;
  // Whether a resident (discoverable) credential is required.
  bool resident_key_required = false;

  // hmac_secret indicates whether the "hmac-secret" extension should be
  // asserted to CTAP2 authenticators.
  bool hmac_secret = false;

  // large_blob_key indicates whether a large blob key should be associated to
  // the new credential through the "largeBlobKey" extension.
  bool large_blob_key = false;

  // Instructs the request handler only to dispatch this request via U2F.
  bool is_u2f_only = false;

  // Indicates whether the request was created in an off-the-record
  // BrowserContext (e.g. Chrome Incognito mode).
  bool is_off_the_record_context = false;

  // Credentials the authenticator should refuse to register again (the CTAP
  // "excludeList" member).
  std::vector<PublicKeyCredentialDescriptor> exclude_list;

  // The pinUvAuthParam field. This is the result of calling
  // |pin::TokenResponse::PinAuth(client_data_hash)| with the PIN/UV Auth Token
  // response obtained from the authenticator.
  absl::optional<std::vector<uint8_t>> pin_auth;

  // The pinUvAuthProtocol field. It is the version of the PIN/UV Auth Token
  // response obtained from the authenticator.
  absl::optional<PINUVAuthProtocol> pin_protocol;

  // The PIN/UV Auth Token response obtained from the authenticator. This field
  // is only used for computing a fresh pinUvAuthParam for getAssertion requests
  // during silent probing of |exclude_list| credentials. It is ignored when
  // encoding this request to CBOR (|pin_auth| and |pin_protocol| are used for
  // that).
  // NOTE(review): this token is secret key material shared with the
  // authenticator. It travels with every copy of this struct (see the copy
  // constructor above), so keep it out of logs and crash dumps.
  absl::optional<pin::TokenResponse> pin_token_for_exclude_list_probing;

  // Requested attestation conveyance; defaults to requesting none.
  AttestationConveyancePreference attestation_preference =
      AttestationConveyancePreference::kNone;

  // U2F AppID for excluding credentials.
  absl::optional<std::string> app_id;

  // cred_protect indicates the level of protection afforded to a credential.
  // This depends on a CTAP2 extension that not all authenticators will support.
  // This is filled out by |MakeCredentialRequestHandler|.
  absl::optional<CredProtect> cred_protect;

  // If |cred_protect| is not |nullopt|, this is true if the credProtect level
  // must be provided by the target authenticator for the MakeCredential request
  // to be sent. This only makes sense when there is a collection of
  // authenticators to consider, i.e. for the Windows API.
  bool cred_protect_enforce = false;

  // cred_blob contains an optional credBlob extension.
  // https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-credBlob-extension
  absl::optional<std::vector<uint8_t>> cred_blob;
};
| |
// Serializes MakeCredential request parameter into CBOR encoded map with
// integer keys and CBOR encoded values as defined by the CTAP spec.
// https://drafts.fidoalliance.org/fido-2/latest/fido-client-to-authenticator-protocol-v2.0-wd-20180305.html#authenticatorMakeCredential
//
// Returns the CTAP command code paired with the encoded body. The body is an
// optional; the conditions under which it is nullopt are not visible in this
// header — confirm against the definition. Per the field comments on
// CtapMakeCredentialRequest, |pin_auth| and |pin_protocol| are encoded while
// |pin_token_for_exclude_list_probing| is not.
// NOTE(review): std::pair is used here without a direct #include <utility>;
// it is currently provided transitively.
COMPONENT_EXPORT(DEVICE_FIDO)
std::pair<CtapRequestCommand, absl::optional<cbor::Value>>
AsCTAPRequestValuePair(const CtapMakeCredentialRequest& request);
| |
| } // namespace device |
| |
| #endif // DEVICE_FIDO_CTAP_MAKE_CREDENTIAL_REQUEST_H_ |