forked from chromium/chromium
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathauthenticator_data.h
133 lines (105 loc) · 4.4 KB
/
authenticator_data.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef DEVICE_FIDO_AUTHENTICATOR_DATA_H_
#define DEVICE_FIDO_AUTHENTICATOR_DATA_H_
#include <stdint.h>
#include <array>
#include <string>
#include <vector>
#include "base/component_export.h"
#include "base/containers/span.h"
#include "base/macros.h"
#include "base/numerics/safe_conversions.h"
#include "base/optional.h"
#include "components/cbor/values.h"
#include "device/fido/attested_credential_data.h"
#include "device/fido/fido_constants.h"
namespace device {
// https://www.w3.org/TR/2017/WD-webauthn-20170505/#sec-authenticator-data.
class COMPONENT_EXPORT(DEVICE_FIDO) AuthenticatorData {
public:
enum class Flag : uint8_t {
kTestOfUserPresence = 1u << 0,
kTestOfUserVerification = 1u << 2,
kAttestation = 1u << 6,
kExtensionDataIncluded = 1u << 7,
};
static base::Optional<AuthenticatorData> DecodeAuthenticatorData(
base::span<const uint8_t> auth_data);
// The attested credential |data| must be specified iff |flags| have
// kAttestation set; and |extensions| must be specified iff |flags| have
// kExtensionDataIncluded set.
AuthenticatorData(base::span<const uint8_t, kRpIdHashLength> rp_id_hash,
uint8_t flags,
base::span<const uint8_t, kSignCounterLength> sign_counter,
base::Optional<AttestedCredentialData> data,
base::Optional<cbor::Value> extensions = base::nullopt);
// Creates an AuthenticatorData with flags and signature counter encoded
// according to the supplied arguments.
AuthenticatorData(
base::span<const uint8_t, kRpIdHashLength> rp_id_hash,
bool user_present,
bool user_verified,
uint32_t sign_counter,
base::Optional<AttestedCredentialData> attested_credential_data,
base::Optional<cbor::Value> extensions);
AuthenticatorData(AuthenticatorData&& other);
AuthenticatorData& operator=(AuthenticatorData&& other);
~AuthenticatorData();
// Replaces device AAGUID in attested credential data section with zeros.
// https://w3c.github.io/webauthn/#attested-credential-data
void DeleteDeviceAaguid();
// Produces a byte array consisting of:
// * hash(relying_party_id / appid)
// * flags
// * counter
// * attestation_data.
std::vector<uint8_t> SerializeToByteArray() const;
// Retrieve credential ID from attested credential data section of the
// authenticator data.
std::vector<uint8_t> GetCredentialId() const;
const base::Optional<AttestedCredentialData>& attested_data() const {
return attested_data_;
}
// If a value is returned then the result of calling |is_map()| on it can be
// assumed to be true.
const base::Optional<cbor::Value>& extensions() const { return extensions_; }
const std::array<uint8_t, kRpIdHashLength>& application_parameter() const {
return application_parameter_;
}
bool obtained_user_presence() const {
return flags_ & base::strict_cast<uint8_t>(Flag::kTestOfUserPresence);
}
bool obtained_user_verification() const {
return flags_ & base::strict_cast<uint8_t>(Flag::kTestOfUserVerification);
}
bool attestation_credential_included() const {
return flags_ & base::strict_cast<uint8_t>(Flag::kAttestation);
}
bool extension_data_included() const {
return flags_ & base::strict_cast<uint8_t>(Flag::kExtensionDataIncluded);
}
base::span<const uint8_t, kSignCounterLength> counter() const {
return counter_;
}
private:
// The application parameter: a SHA-256 hash of either the RP ID or the AppID
// associated with the credential.
std::array<uint8_t, kRpIdHashLength> application_parameter_;
// Flags (bit 0 is the least significant bit):
// [ED | AT | RFU | RFU | RFU | RFU | RFU | UP ]
// * Bit 0: Test of User Presence (TUP) result.
// * Bits 1-5: Reserved for future use (RFU).
// * Bit 6: Attestation data included (AT).
// * Bit 7: Extension data included (ED).
uint8_t flags_;
// Signature counter, 32-bit unsigned big-endian integer.
std::array<uint8_t, kSignCounterLength> counter_;
base::Optional<AttestedCredentialData> attested_data_;
// If |extensions_| has a value, then it will be a CBOR map.
base::Optional<cbor::Value> extensions_;
DISALLOW_COPY_AND_ASSIGN(AuthenticatorData);
};
} // namespace device
#endif // DEVICE_FIDO_AUTHENTICATOR_DATA_H_