chromium/device/fido/get_assertion_task.cc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136

// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "device/fido/get_assertion_task.h"

#include <algorithm>
#include <utility>

#include "base/bind.h"
#include "device/base/features.h"
#include "device/fido/authenticator_get_assertion_response.h"
#include "device/fido/ctap2_device_operation.h"
#include "device/fido/ctap_empty_authenticator_request.h"
#include "device/fido/device_response_converter.h"
#include "device/fido/u2f_command_constructor.h"
#include "device/fido/u2f_sign_operation.h"

namespace device {

namespace {

bool ResponseContainsUserIdentifiableInfo(
    const AuthenticatorGetAssertionResponse& response) {
  const auto& user_entity = response.user_entity();
  if (!user_entity)
    return false;

  return user_entity->user_display_name() || user_entity->user_name() ||
         user_entity->user_icon_url();
}

}  // namespace

GetAssertionTask::GetAssertionTask(FidoDevice* device,
                                   CtapGetAssertionRequest request,
                                   GetAssertionTaskCallback callback)
    : FidoTask(device),
      request_(std::move(request)),
      callback_(std::move(callback)),
      weak_factory_(this) {}

GetAssertionTask::~GetAssertionTask() = default;

void GetAssertionTask::StartTask() {
  if (base::FeatureList::IsEnabled(kNewCtap2Device) &&
      device()->supported_protocol() == ProtocolVersion::kCtap) {
    GetAssertion();
  } else {
    U2fSign();
  }
}

void GetAssertionTask::GetAssertion() {
  sign_operation_ =
      std::make_unique<Ctap2DeviceOperation<CtapGetAssertionRequest,
                                            AuthenticatorGetAssertionResponse>>(
          device(), request_,
          base::BindOnce(&GetAssertionTask::OnCtapGetAssertionResponseReceived,
                         weak_factory_.GetWeakPtr()),
          base::BindOnce(&ReadCTAPGetAssertionResponse));
  sign_operation_->Start();
}

void GetAssertionTask::U2fSign() {
  DCHECK(!device()->device_info());
  DCHECK_EQ(ProtocolVersion::kU2f, device()->supported_protocol());

  sign_operation_ = std::make_unique<U2fSignOperation>(
      device(), request_,
      base::BindOnce(&GetAssertionTask::OnCtapGetAssertionResponseReceived,
                     weak_factory_.GetWeakPtr()));
  sign_operation_->Start();
}

bool GetAssertionTask::CheckRequirementsOnReturnedUserEntities(
    const AuthenticatorGetAssertionResponse& response) {
  // If assertion has been made without user verification, user identifiable
  // information must not be included.
  if (!response.auth_data().obtained_user_verification() &&
      ResponseContainsUserIdentifiableInfo(response)) {
    return false;
  }

  // For resident key credentials, user id of the user entity is mandatory.
  if ((!request_.allow_list() || request_.allow_list()->empty()) &&
      !response.user_entity()) {
    return false;
  }

  // When multiple accounts exist for specified RP ID, user entity is mandatory.
  if (response.num_credentials().value_or(0u) > 1 && !response.user_entity()) {
    return false;
  }

  return true;
}

bool GetAssertionTask::CheckRequirementsOnReturnedCredentialId(
    const AuthenticatorGetAssertionResponse& response) {
  if (device()->device_info() &&
      device()->device_info()->options().supports_resident_key()) {
    return true;
  }

  const auto& allow_list = request_.allow_list();
  return allow_list &&
         (allow_list->size() == 1 ||
          std::any_of(allow_list->cbegin(), allow_list->cend(),
                      [&response](const auto& credential) {
                        return credential.id() == response.raw_credential_id();
                      }));
}

void GetAssertionTask::OnCtapGetAssertionResponseReceived(
    CtapDeviceResponseCode response_code,
    base::Optional<AuthenticatorGetAssertionResponse> device_response) {
  if (response_code != CtapDeviceResponseCode::kSuccess) {
    std::move(callback_).Run(response_code, base::nullopt);
    return;
  }

  // TODO(martinkr): CheckRpIdHash invocation needs to move into the Request
  // handler. See https://crbug.com/863988.
  if (!device_response || !device_response->CheckRpIdHash(request_.rp_id()) ||
      !CheckRequirementsOnReturnedCredentialId(*device_response) ||
      !CheckRequirementsOnReturnedUserEntities(*device_response)) {
    std::move(callback_).Run(CtapDeviceResponseCode::kCtap2ErrOther,
                             base::nullopt);
    return;
  }

  std::move(callback_).Run(response_code, std::move(device_response));
}

}  // namespace device