// Copyright 2023 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "components/webauthn/core/browser/passkey_model_utils.h" #include <algorithm> #include <iterator> #include <string> #include <vector> #include "base/check.h" #include "base/containers/flat_set.h" #include "base/containers/span.h" #include "base/logging.h" #include "base/notreached.h" #include "base/rand_util.h" #include "base/strings/strcat.h" #include "base/time/time.h" #include "components/sync/protocol/webauthn_credential_specifics.pb.h" #include "crypto/aead.h" #include "crypto/ec_private_key.h" #include "crypto/ec_signature_creator.h" #include "crypto/hkdf.h" #include "crypto/random.h" #include "crypto/sha2.h" #include "device/fido/attested_credential_data.h" #include "device/fido/authenticator_data.h" #include "device/fido/fido_constants.h" #include "device/fido/p256_public_key.h" #include "device/fido/public_key.h" namespace webauthn::passkey_model_utils { namespace { // The byte length of the WebauthnCredentialSpecifics `sync_id` field. constexpr size_t kSyncIdLength = …; // The byte length of the WebauthnCredentialSpecifics `credential_id` field. constexpr size_t kCredentialIdLength = …; // The length of the nonce prefix used for AES-256-GCM encryption of // `WebAuthnCredentialSpecifics.encrypted_data` (both `private_key` and // `encrypted` oneof cases). constexpr size_t kWebAuthnCredentialSpecificsEncryptedDataNonceLength = …; // The AAD parameter for the AES-256 encryption of // `WebAuthnCredentialSpecifics.encrypted`. constexpr std::string_view kAadWebauthnCredentialSpecificsEncrypted = …; // The AAD parameter for the AES-256 encryption of // `WebAuthnCredentialSpecifics.private_key` (empty). constexpr std::string_view kAadWebauthnCredentialSpecificsPrivateKey = …; struct PasskeyComparator { … }; bool DecryptAes256Gcm(base::span<const uint8_t> key, std::string_view ciphertext, std::string_view nonce, std::string_view aad, std::string* plaintext) { … } bool EncryptAes256Gcm(base::span<const uint8_t> key, std::string_view plaintext, std::string_view nonce, std::string_view aad, std::string* ciphertext) { … } std::vector<uint8_t> DerivePasskeyEncryptionSecret( base::span<const uint8_t> trusted_vault_key) { … } } // namespace std::vector<sync_pb::WebauthnCredentialSpecifics> FilterShadowedCredentials( base::span<const sync_pb::WebauthnCredentialSpecifics> passkeys) { … } std::pair<sync_pb::WebauthnCredentialSpecifics, std::vector<uint8_t>> GeneratePasskeyAndEncryptSecrets(std::string_view rp_id, const PasskeyModel::UserEntity& user_entity, base::span<const uint8_t> trusted_vault_key, int32_t trusted_vault_key_version) { … } bool DecryptWebauthnCredentialSpecificsData( base::span<const uint8_t> trusted_vault_key, const sync_pb::WebauthnCredentialSpecifics& in, sync_pb::WebauthnCredentialSpecifics_Encrypted* out) { … } bool EncryptWebauthnCredentialSpecificsData( base::span<const uint8_t> trusted_vault_key, const sync_pb::WebauthnCredentialSpecifics_Encrypted& in, sync_pb::WebauthnCredentialSpecifics* out) { … } std::vector<uint8_t> MakeAuthenticatorDataForAssertion(std::string_view rp_id) { … } std::vector<uint8_t> MakeAuthenticatorDataForCreation( std::string_view rp_id, base::span<const uint8_t> credential_id, base::span<const uint8_t> public_key_spki_der) { … } std::optional<std::vector<uint8_t>> GenerateEcSignature( base::span<const uint8_t> pkcs8_ec_private_key, base::span<const uint8_t> signed_over_data) { … } bool IsSupportedAlgorithm(int32_t algorithm) { … } } // namespace webauthn::passkey_model_utils
Codebase Browser
chromium