// Copyright 2017 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef DEVICE_FIDO_AUTHENTICATOR_DATA_H_ #define DEVICE_FIDO_AUTHENTICATOR_DATA_H_ #include #include #include #include #include "base/component_export.h" #include "base/containers/span.h" #include "base/macros.h" #include "base/numerics/safe_conversions.h" #include "base/optional.h" #include "components/cbor/values.h" #include "device/fido/attested_credential_data.h" #include "device/fido/fido_constants.h" namespace device { // https://www.w3.org/TR/2017/WD-webauthn-20170505/#sec-authenticator-data. class COMPONENT_EXPORT(DEVICE_FIDO) AuthenticatorData { public: enum class Flag : uint8_t { kTestOfUserPresence = 1u << 0, kTestOfUserVerification = 1u << 2, kAttestation = 1u << 6, kExtensionDataIncluded = 1u << 7, }; static base::Optional DecodeAuthenticatorData( base::span auth_data); // The attested credential |data| must be specified iff |flags| have // kAttestation set; and |extensions| must be specified iff |flags| have // kExtensionDataIncluded set. AuthenticatorData(base::span rp_id_hash, uint8_t flags, base::span sign_counter, base::Optional data, base::Optional extensions = base::nullopt); // Creates an AuthenticatorData with flags and signature counter encoded // according to the supplied arguments. AuthenticatorData( base::span rp_id_hash, bool user_present, bool user_verified, uint32_t sign_counter, base::Optional attested_credential_data, base::Optional extensions); AuthenticatorData(AuthenticatorData&& other); AuthenticatorData& operator=(AuthenticatorData&& other); ~AuthenticatorData(); // Replaces device AAGUID in attested credential data section with zeros. // https://w3c.github.io/webauthn/#attested-credential-data void DeleteDeviceAaguid(); // Produces a byte array consisting of: // * hash(relying_party_id / appid) // * flags // * counter // * attestation_data. std::vector SerializeToByteArray() const; // Retrieve credential ID from attested credential data section of the // authenticator data. std::vector GetCredentialId() const; const base::Optional& attested_data() const { return attested_data_; } // If a value is returned then the result of calling |is_map()| on it can be // assumed to be true. const base::Optional& extensions() const { return extensions_; } const std::array& application_parameter() const { return application_parameter_; } bool obtained_user_presence() const { return flags_ & base::strict_cast(Flag::kTestOfUserPresence); } bool obtained_user_verification() const { return flags_ & base::strict_cast(Flag::kTestOfUserVerification); } bool attestation_credential_included() const { return flags_ & base::strict_cast(Flag::kAttestation); } bool extension_data_included() const { return flags_ & base::strict_cast(Flag::kExtensionDataIncluded); } base::span counter() const { return counter_; } private: // The application parameter: a SHA-256 hash of either the RP ID or the AppID // associated with the credential. std::array application_parameter_; // Flags (bit 0 is the least significant bit): // [ED | AT | RFU | RFU | RFU | RFU | RFU | UP ] // * Bit 0: Test of User Presence (TUP) result. // * Bits 1-5: Reserved for future use (RFU). // * Bit 6: Attestation data included (AT). // * Bit 7: Extension data included (ED). uint8_t flags_; // Signature counter, 32-bit unsigned big-endian integer. std::array counter_; base::Optional attested_data_; // If |extensions_| has a value, then it will be a CBOR map. base::Optional extensions_; DISALLOW_COPY_AND_ASSIGN(AuthenticatorData); }; } // namespace device #endif // DEVICE_FIDO_AUTHENTICATOR_DATA_H_