// Copyright 2018 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "device/fido/mac/get_assertion_operation.h" #include #include #import #include "base/mac/foundation_util.h" #include "base/mac/mac_logging.h" #include "base/mac/scoped_cftyperef.h" #include "base/strings/string_number_conversions.h" #include "device/fido/fido_constants.h" #include "device/fido/mac/keychain.h" #include "device/fido/mac/util.h" #include "device/fido/public_key_credential_descriptor.h" #include "device/fido/public_key_credential_user_entity.h" namespace device { namespace fido { namespace mac { using base::ScopedCFTypeRef; GetAssertionOperation::GetAssertionOperation(CtapGetAssertionRequest request, std::string metadata_secret, std::string keychain_access_group, Callback callback) : OperationBase( std::move(request), std::move(metadata_secret), std::move(keychain_access_group), std::move(callback)) {} GetAssertionOperation::~GetAssertionOperation() = default; const std::string& GetAssertionOperation::RpId() const { return request().rp_id(); } void GetAssertionOperation::Run() { if (!Init()) { std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrOther, base::nullopt); return; } // Prompt the user for consent. // TODO(martinkr): Localize reason strings. PromptTouchId("sign in to " + RpId()); } void GetAssertionOperation::PromptTouchIdDone(bool success) { if (!success) { std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrOperationDenied, base::nullopt); return; } // Collect the credential ids from allowList. If allowList is absent, we will // just pick the first available credential for the RP below. std::set> allowed_credential_ids; if (request().allow_list()) { for (const PublicKeyCredentialDescriptor& desc : *request().allow_list()) { if (desc.credential_type() != CredentialType::kPublicKey) { continue; } allowed_credential_ids.insert(desc.id()); } } // Fetch credentials for RP from the request and current user profile. ScopedCFTypeRef keychain_items; base::ScopedCFTypeRef query = DefaultKeychainQuery(); CFDictionarySetValue(query, kSecUseAuthenticationContext, authentication_context()); CFDictionarySetValue(query, kSecReturnRef, @YES); CFDictionarySetValue(query, kSecReturnAttributes, @YES); CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll); OSStatus status = Keychain::GetInstance().ItemCopyMatching( query, reinterpret_cast(keychain_items.InitializeInto())); if (status == errSecItemNotFound) { DVLOG(1) << "no credentials found for RP"; std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrNoCredentials, base::nullopt); return; } if (status != errSecSuccess) { OSSTATUS_DLOG(ERROR, status) << "SecItemCopyMatching failed"; std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrOther, base::nullopt); return; } SecKeyRef private_key = nil; // Owned by |keychain_items|. std::vector credential_id; for (CFIndex i = 0; i < CFArrayGetCount(keychain_items); ++i) { CFDictionaryRef attributes = base::mac::CFCast( CFArrayGetValueAtIndex(keychain_items, i)); CFDataRef application_label = base::mac::GetValueFromDictionary( attributes, kSecAttrApplicationLabel); SecKeyRef key = base::mac::GetValueFromDictionary(attributes, kSecValueRef); if (!application_label || !key) { // Corrupted keychain? DLOG(ERROR) << "could not find application label or key ref: " << attributes; continue; } std::vector cid(CFDataGetBytePtr(application_label), CFDataGetBytePtr(application_label) + CFDataGetLength(application_label)); if (allowed_credential_ids.empty() || allowed_credential_ids.find(cid) != allowed_credential_ids.end()) { private_key = key; credential_id = std::move(cid); break; } } if (!private_key) { DVLOG(1) << "no allowed credential found"; std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrNoCredentials, base::nullopt); return; } // Decrypt the user entity from the credential ID. base::Optional credential_user = CredentialMetadata::UnsealCredentialId(metadata_secret(), RpId(), credential_id); if (!credential_user) { // The keychain query already filtered for the RP ID encoded under this // operation's metadata secret, so the credential id really should have // been decryptable. DVLOG(1) << "UnsealCredentialId failed"; std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrNoCredentials, base::nullopt); return; } base::ScopedCFTypeRef public_key( Keychain::GetInstance().KeyCopyPublicKey(private_key)); if (!public_key) { DLOG(ERROR) << "failed to get public key for credential id " << base::HexEncode(credential_id.data(), credential_id.size()); std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrOther, base::nullopt); return; } base::Optional authenticator_data = MakeAuthenticatorData( RpId(), credential_id, SecKeyRefToECPublicKey(public_key)); if (!authenticator_data) { DLOG(ERROR) << "MakeAuthenticatorData failed"; std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrOther, base::nullopt); return; } base::Optional> signature = GenerateSignature( *authenticator_data, request().client_data_hash(), private_key); if (!signature) { DLOG(ERROR) << "GenerateSignature failed"; std::move(callback()) .Run(CtapDeviceResponseCode::kCtap2ErrOther, base::nullopt); return; } auto response = AuthenticatorGetAssertionResponse( std::move(*authenticator_data), std::move(*signature)); response.SetCredential(PublicKeyCredentialDescriptor( CredentialType::kPublicKey, std::move(credential_id))); response.SetUserEntity(credential_user->ToPublicKeyCredentialUserEntity()); std::move(callback()) .Run(CtapDeviceResponseCode::kSuccess, std::move(response)); } } // namespace mac } // namespace fido } // namespace device