enclave_protocol_utils.cc | Explore in Territory

// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/351564777): Remove this and convert code to safer constructs.
#pragma allow_unsafe_buffers
#endif

#include "device/fido/enclave/enclave_protocol_utils.h"

#include <array>

#include "base/functional/callback.h"
#include "base/json/json_reader.h"
#include "base/json/json_writer.h"
#include "base/numerics/safe_conversions.h"
#include "base/rand_util.h"
#include "base/strings/strcat.h"
#include "base/strings/string_number_conversions.h"
#include "base/task/thread_pool.h"
#include "base/time/time.h"
#include "base/values.h"
#include "components/cbor/reader.h"
#include "components/cbor/values.h"
#include "components/cbor/writer.h"
#include "components/device_event_log/device_event_log.h"
#include "components/sync/protocol/webauthn_credential_specifics.pb.h"
#include "crypto/random.h"
#include "device/fido/attestation_statement.h"
#include "device/fido/authenticator_data.h"
#include "device/fido/enclave/constants.h"
#include "device/fido/enclave/types.h"
#include "device/fido/fido_constants.h"
#include "device/fido/fido_parsing_utils.h"
#include "device/fido/fido_transport_protocol.h"
#include "device/fido/json_request.h"
#include "device/fido/p256_public_key.h"
#include "device/fido/public_key.h"
#include "device/fido/public_key_credential_descriptor.h"
#include "device/fido/public_key_credential_user_entity.h"

namespace device::enclave {

namespace {

// AAGUID value for GPM.
constexpr std::array<uint8_t, 16> kAaguid = …;

// These need to match the expected sizes in PasskeySyncBridge.
const size_t kSyncIdSize = …;
const size_t kCredentialIdSize = …;

// JSON keys for request fields used for both GetAssertion and MakeCredential.
const char kRequestDataKey[] = …;
const char kRequestClientDataJSONKey[] = …;
const char kRequestClaimedPINKey[] = …;

// JSON keys for GetAssertion request fields.
const char kGetAssertionRequestProtobufKey[] = …;

// Keys for AddUVKey fields.
const char kAddUVKeyPubKey[] = …;

// JSON keys for GetAssertion response fields.
const char kGetAssertionResponseKey[] = …;
const char kGetAssertionResponsePrfKey[] = …;

// JSON keys for MakeCredential response fields.
const char kMakeCredentialResponseEncryptedKey[] = …;
const char kMakeCredentialResponsePubKeyKey[] = …;
const char kMakeCredentialResponsePrfKey[] = …;

// Specific command names recognizable by the enclave processor.
const char kGetAssertionCommandName[] = …;
const char kMakeCredentialCommandName[] = …;
const char kAddUVKeyCommandName[] = …;

// Keys in a PRF response structure
const char kPrfFirst[] = …;
const char kPrfSecond[] = …;

const cbor::Value::MapValue* cborFindMap(const cbor::Value::MapValue& map,
                                         std::string key) { … }

const std::vector<uint8_t>* cborFindBytestring(const cbor::Value::MapValue& map,
                                               std::string key) { … }

cbor::Value toCbor(const base::Value& json) { … }

const char* ToString(ClientKeyType key_type) { … }

std::optional<AuthenticatorData> ReadAuthenticatorData(
    const cbor::Value::MapValue& map) { … }

std::optional<AuthenticatorGetAssertionResponse>
AuthenticatorGetAssertionResponseFromValue(const cbor::Value::MapValue& map) { … }

std::optional<std::vector<uint8_t>> ParsePrfResponse(const cbor::Value& v) { … }

}  // namespace

ErrorResponse::ErrorResponse(std::string error)
    : … { … }

ErrorResponse::ErrorResponse(int ind, int code)
    : … { … }

ErrorResponse::ErrorResponse(int ind, std::string error)
    : … { … }

ErrorResponse::~ErrorResponse() = default;

ErrorResponse::ErrorResponse(ErrorResponse&) = default;

ErrorResponse::ErrorResponse(ErrorResponse&&) = default;

absl::variant<AuthenticatorGetAssertionResponse, ErrorResponse>
ParseGetAssertionResponse(cbor::Value response_value,
                          base::span<const uint8_t> credential_id) { … }

absl::variant<std::pair<AuthenticatorMakeCredentialResponse,
                        sync_pb::WebauthnCredentialSpecifics>,
              ErrorResponse>
ParseMakeCredentialResponse(cbor::Value response_value,
                            const CtapMakeCredentialRequest& request,
                            int32_t wrapped_secret_version,
                            bool user_verified) { … }

cbor::Value BuildGetAssertionCommand(
    const sync_pb::WebauthnCredentialSpecifics& passkey,
    scoped_refptr<JSONRequest> request,
    std::string client_data_json,
    std::unique_ptr<ClaimedPIN> claimed_pin,
    std::optional<std::vector<uint8_t>> wrapped_secret,
    std::optional<std::vector<uint8_t>> secret) { … }

cbor::Value BuildMakeCredentialCommand(
    scoped_refptr<JSONRequest> request,
    std::unique_ptr<ClaimedPIN> claimed_pin,
    std::optional<std::vector<uint8_t>> wrapped_secret,
    std::optional<std::vector<uint8_t>> secret) { … }

cbor::Value BuildAddUVKeyCommand(base::span<const uint8_t> uv_public_key) { … }

void BuildCommandRequestBody(
    cbor::Value command,
    SigningCallback signing_callback,
    base::span<const uint8_t, crypto::kSHA256Length> handshake_hash,
    base::OnceCallback<void(std::optional<std::vector<uint8_t>>)>
        complete_callback) { … }

}  // namespace device::enclave
chromium/device/fido/enclave/enclave_protocol_utils.cc
