Google Git
Sign in
webkit / WebKit / refs/heads/master / . / Source / WebCore / Modules / webauthn / WebAuthenticationUtils.cpp
blob: c0f27fa12acb496e2c8d5eddc8a58a4a458ab7f0 [file] [log] [blame]
/*
* Copyright (C) 2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "WebAuthenticationUtils.h"
#if ENABLE(WEB_AUTHN)
#include "CBORReader.h"
#include "CBORWriter.h"
#include "FidoConstants.h"
#include "WebAuthenticationConstants.h"
#include <pal/crypto/CryptoDigest.h>
#include <wtf/JSONValues.h>
#include <wtf/text/Base64.h>
#include <wtf/text/WTFString.h>
namespace WebCore {
Vector<uint8_t> convertBytesToVector(const uint8_t byteArray[], const size_t length)
{
return { byteArray, length };
}
Vector<uint8_t> convertArrayBufferToVector(ArrayBuffer* buffer)
{
return convertBytesToVector(static_cast<uint8_t*>(buffer->data()), buffer->byteLength());
}
Vector<uint8_t> produceRpIdHash(const String& rpId)
{
auto crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256);
auto rpIdUtf8 = rpId.utf8();
crypto->addBytes(rpIdUtf8.data(), rpIdUtf8.length());
return crypto->computeHash();
}
Vector<uint8_t> encodeES256PublicKeyAsCBOR(Vector<uint8_t>&& x, Vector<uint8_t>&& y)
{
cbor::CBORValue::MapValue publicKeyMap;
publicKeyMap[cbor::CBORValue(COSE::kty)] = cbor::CBORValue(COSE::EC2);
publicKeyMap[cbor::CBORValue(COSE::alg)] = cbor::CBORValue(COSE::ES256);
publicKeyMap[cbor::CBORValue(COSE::crv)] = cbor::CBORValue(COSE::P_256);
publicKeyMap[cbor::CBORValue(COSE::x)] = cbor::CBORValue(WTFMove(x));
publicKeyMap[cbor::CBORValue(COSE::y)] = cbor::CBORValue(WTFMove(y));
auto cosePublicKey = cbor::CBORWriter::write(cbor::CBORValue(WTFMove(publicKeyMap)));
ASSERT(cosePublicKey);
return *cosePublicKey;
}
Vector<uint8_t> buildAttestedCredentialData(const Vector<uint8_t>& aaguid, const Vector<uint8_t>& credentialId, const Vector<uint8_t>& coseKey)
{
Vector<uint8_t> attestedCredentialData;
attestedCredentialData.reserveInitialCapacity(aaguidLength + credentialIdLengthLength + credentialId.size() + coseKey.size());
// aaguid
ASSERT(aaguid.size() == aaguidLength);
attestedCredentialData.appendVector(aaguid);
// credentialIdLength
ASSERT(credentialId.size() <= std::numeric_limits<uint16_t>::max());
attestedCredentialData.append(credentialId.size() >> 8 & 0xff);
attestedCredentialData.append(credentialId.size() & 0xff);
// credentialId
attestedCredentialData.appendVector(credentialId);
// credentialPublicKey
attestedCredentialData.appendVector(coseKey);
return attestedCredentialData;
}
cbor::CBORValue::MapValue buildUserEntityMap(const Vector<uint8_t>& userId, const String& name, const String& displayName)
{
cbor::CBORValue::MapValue userEntityMap;
userEntityMap[cbor::CBORValue(fido::kEntityIdMapKey)] = cbor::CBORValue(userId);
userEntityMap[cbor::CBORValue(fido::kEntityNameMapKey)] = cbor::CBORValue(name);
userEntityMap[cbor::CBORValue(fido::kDisplayNameMapKey)] = cbor::CBORValue(displayName);
return userEntityMap;
}
cbor::CBORValue::MapValue buildCredentialDescriptor(const Vector<uint8_t>& credentialId)
{
cbor::CBORValue::MapValue credential;
credential[cbor::CBORValue("id")] = cbor::CBORValue(credentialId);
return credential;
}
Vector<uint8_t> buildAuthData(const String& rpId, const uint8_t flags, const uint32_t counter, const Vector<uint8_t>& optionalAttestedCredentialData)
{
Vector<uint8_t> authData;
authData.reserveInitialCapacity(rpIdHashLength + flagsLength + signCounterLength + optionalAttestedCredentialData.size());
// RP ID hash
authData.appendVector(produceRpIdHash(rpId));
// FLAGS
authData.append(flags);
// COUNTER
authData.append(counter >> 24 & 0xff);
authData.append(counter >> 16 & 0xff);
authData.append(counter >> 8 & 0xff);
authData.append(counter & 0xff);
// ATTESTED CRED. DATA
authData.appendVector(optionalAttestedCredentialData);
return authData;
}
cbor::CBORValue::MapValue buildAttestationMap(Vector<uint8_t>&& authData, String&& format, cbor::CBORValue::MapValue&& statementMap, const AttestationConveyancePreference& attestation)
{
cbor::CBORValue::MapValue attestationObjectMap;
// The following implements Step 20 with regard to AttestationConveyancePreference
// of https://www.w3.org/TR/webauthn/#createCredential as of 4 March 2019.
// None attestation is always returned if it is requested to keep consistency, and therefore skip the
// step to return self attestation.
if (attestation == AttestationConveyancePreference::None) {
const size_t aaguidOffset = rpIdHashLength + flagsLength + signCounterLength;
if (authData.size() >= aaguidOffset + aaguidLength)
memset(authData.data() + aaguidOffset, 0, aaguidLength);
format = String::fromLatin1(noneAttestationValue);
statementMap.clear();
}
attestationObjectMap[cbor::CBORValue("authData")] = cbor::CBORValue(WTFMove(authData));
attestationObjectMap[cbor::CBORValue("fmt")] = cbor::CBORValue(WTFMove(format));
attestationObjectMap[cbor::CBORValue("attStmt")] = cbor::CBORValue(WTFMove(statementMap));
return attestationObjectMap;
}
Vector<uint8_t> buildAttestationObject(Vector<uint8_t>&& authData, String&& format, cbor::CBORValue::MapValue&& statementMap, const AttestationConveyancePreference& attestation)
{
cbor::CBORValue::MapValue attestationObjectMap = buildAttestationMap(WTFMove(authData), WTFMove(format), WTFMove(statementMap), attestation);
auto attestationObject = cbor::CBORWriter::write(cbor::CBORValue(WTFMove(attestationObjectMap)));
ASSERT(attestationObject);
return *attestationObject;
}
// FIXME(181948): Add token binding ID.
Ref<ArrayBuffer> buildClientDataJson(ClientDataType type, const BufferSource& challenge, const SecurityOrigin& origin, WebAuthn::Scope scope)
{
auto object = JSON::Object::create();
switch (type) {
case ClientDataType::Create:
object->setString("type"_s, "webauthn.create"_s);
break;
case ClientDataType::Get:
object->setString("type"_s, "webauthn.get"_s);
break;
}
object->setString("challenge"_s, base64URLEncodeToString(challenge.data(), challenge.length()));
object->setString("origin"_s, origin.toRawString());
if (scope != WebAuthn::Scope::SameOrigin)
object->setBoolean("crossOrigin"_s, scope != WebAuthn::Scope::SameOrigin);
auto utf8JSONString = object->toJSONString().utf8();
return ArrayBuffer::create(utf8JSONString.data(), utf8JSONString.length());
}
Vector<uint8_t> buildClientDataJsonHash(const ArrayBuffer& clientDataJson)
{
auto crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256);
crypto->addBytes(clientDataJson.data(), clientDataJson.byteLength());
return crypto->computeHash();
}
} // namespace WebCore
#endif // ENABLE(WEB_AUTHN)