blob: 591d581f31bb2a21a8d4974a42160c0f5d322035 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef DEVICE_FIDO_ATTESTATION_OBJECT_H_
#define DEVICE_FIDO_ATTESTATION_OBJECT_H_
#include <stdint.h>
#include <array>
#include <memory>
#include <vector>
#include "base/component_export.h"
#include "base/macros.h"
#include "device/fido/authenticator_data.h"
#include "device/fido/fido_constants.h"
namespace device {
class AttestationStatement;
// Object containing the authenticator-provided attestation every time
// a credential is created, per
// https://www.w3.org/TR/2017/WD-webauthn-20170505/#cred-attestation.
class COMPONENT_EXPORT(DEVICE_FIDO) AttestationObject {
public:
static base::Optional<AttestationObject> Parse(const cbor::Value& value);
AttestationObject(AuthenticatorData data,
std::unique_ptr<AttestationStatement> statement);
AttestationObject(AttestationObject&& other);
AttestationObject& operator=(AttestationObject&& other);
~AttestationObject();
std::vector<uint8_t> GetCredentialId() const;
enum class AAGUID {
kErase,
kInclude,
};
// Replaces the attestation statement with a “none” attestation, and replaces
// device AAGUID with zero bytes (unless |erase_aaguid| is kInclude) as
// specified for step 20.3 in
// https://w3c.github.io/webauthn/#createCredential.
void EraseAttestationStatement(AAGUID erase_aaguid);
// Returns true if the attestation is a "self" attestation, i.e. is just the
// private key signing itself to show that it is fresh. See
// https://www.w3.org/TR/webauthn/#self-attestation. Note that self-
// attestation also requires at the AAGUID in the authenticator data be all
// zeros.
bool IsSelfAttestation();
// Returns true if the attestation certificate is known to be inappropriately
// identifying. Some tokens return unique attestation certificates even when
// the bit to request that is not set. (Normal attestation certificates are
// not indended to be trackable.)
bool IsAttestationCertificateInappropriatelyIdentifying();
const std::array<uint8_t, kRpIdHashLength>& rp_id_hash() const {
return authenticator_data_.application_parameter();
}
const AuthenticatorData& authenticator_data() const {
return authenticator_data_;
}
const AttestationStatement& attestation_statement() const {
return *attestation_statement_.get();
}
private:
AuthenticatorData authenticator_data_;
std::unique_ptr<AttestationStatement> attestation_statement_;
DISALLOW_COPY_AND_ASSIGN(AttestationObject);
};
// Produces a WebAuthN style CBOR-encoded byte-array
// in the following format, when written:
// {"authData": authenticator data bytes,
// "fmt": attestation format name,
// "attStmt": attestation statement bytes }
COMPONENT_EXPORT(DEVICE_FIDO)
cbor::Value AsCBOR(const AttestationObject&);
} // namespace device
#endif // DEVICE_FIDO_ATTESTATION_OBJECT_H_
|
