chromium/src
0
Fork 0
Code Activity

Check RP ID hash returned from CTAP tokens

Browse Source 
CTAP HID transport protocol uses 4 byte channel ID to check that the
message sent by the authenticator is only received and processed by the
correct client process. On the other hand, CTAP BLE transport protocol
defines no such mechanism to differentiate incoming BLE fragments. This,
under some circumstances, enables relying parties to receive
response from authenticators that was intended for different site.

In order to prevent malicious RP from receiving authenticator response
intended for different site, check relying party ID hash returned from
the authenticator in response to MakeCredential and GetAssertion
response.

Bug: 828507
Change-Id: I3b743fc9b9f79284ab4b979d17c75ccc9e5a889c
Reviewed-on: https://chromium-review.googlesource.com/1004118
Commit-Queue: Jun Choi <hongjunchoi@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551789}
This commit is contained in:
Jun Choi
2018-04-18 19:49:42 +00:00
committed by Commit Bot
parent 5fe14697a2
commit 23bef1af56
16 changed files with 268 additions and 89 deletions

20
content/browser/webauth/webauth_browsertest.cc

@ -59,7 +59,7 @@ using TestGetCallbackReceiver = ::device::test::StatusAndValueCallbackReceiver<
constexpr char kRelyingPartySecurityErrorMessage[] =
"SecurityError: The relying party ID 'localhost' is not a registrable "
"domain suffix of, nor equal to 'https://www.example.com";
"domain suffix of, nor equal to 'https://www.acme.com";
constexpr char kAlgorithmUnsupportedErrorMessage[] =
"NotSupportedError: None of the algorithms specified in "
@ -114,7 +114,7 @@ constexpr char kRequiredVerification[] = "required";
// Default values for kCreatePublicKeyTemplate.
struct CreateParameters {
const char* rp_id = "example.com";
const char* rp_id = "acme.com";
bool require_resident_key = false;
const char* user_verification = kPreferredVerification;
const char* authenticator_attachment = kCrossPlatform;
@ -135,7 +135,7 @@ std::string BuildCreateCallWithParameters(const CreateParameters& parameters) {
constexpr char kGetPublicKeyTemplate[] =
"navigator.credentials.get({ publicKey: {"
" challenge: new TextEncoder().encode('climb a mountain'),"
" rp: 'example.com',"
" rp: 'acme.com',"
" timeout: 60000,"
" userVerification: '$1',"
" $2}"
@ -234,7 +234,7 @@ class WebAuthBrowserTestBase : public content::ContentBrowserTest {
https_server().ServeFilesFromSourceDirectory("content/test/data");
ASSERT_TRUE(https_server().Start());
NavigateToURL(shell(), GetHttpsURL("www.example.com", "/title1.html"));
NavigateToURL(shell(), GetHttpsURL("www.acme.com", "/title1.html"));
}
GURL GetHttpsURL(const std::string& hostname,
@ -293,7 +293,7 @@ class WebAuthLocalClientBrowserTest : public WebAuthBrowserTestBase {
webauth::mojom::PublicKeyCredentialCreationOptionsPtr
BuildBasicCreateOptions() {
auto rp = webauth::mojom::PublicKeyCredentialRpEntity::New(
"example.com", "example.com", base::nullopt);
"acme.com", "acme.com", base::nullopt);
std::vector<uint8_t> kTestUserId{0, 0, 0};
auto user = webauth::mojom::PublicKeyCredentialUserEntity::New(
@ -331,7 +331,7 @@ class WebAuthLocalClientBrowserTest : public WebAuthBrowserTestBase {
std::vector<uint8_t> kTestChallenge{0, 0, 0};
auto mojo_options = webauth::mojom::PublicKeyCredentialRequestOptions::New(
kTestChallenge, base::TimeDelta::FromSeconds(30), "example.com",
kTestChallenge, base::TimeDelta::FromSeconds(30), "acme.com",
std::move(credentials),
webauth::mojom::UserVerificationRequirement::PREFERRED, base::nullopt);
@ -367,7 +367,7 @@ IN_PROC_BROWSER_TEST_F(WebAuthLocalClientBrowserTest,
create_callback_receiver.callback());
fake_hid_discovery->WaitForCallToStartAndSimulateSuccess();
NavigateToURL(shell(), GetHttpsURL("www.example.com", "/title2.html"));
NavigateToURL(shell(), GetHttpsURL("www.acme.com", "/title2.html"));
WaitForConnectionError();
// The next active document should be able to successfully call
@ -389,7 +389,7 @@ IN_PROC_BROWSER_TEST_F(WebAuthLocalClientBrowserTest,
get_callback_receiver.callback());
fake_hid_discovery->WaitForCallToStartAndSimulateSuccess();
NavigateToURL(shell(), GetHttpsURL("www.example.com", "/title2.html"));
NavigateToURL(shell(), GetHttpsURL("www.acme.com", "/title2.html"));
WaitForConnectionError();
// The next active document should be able to successfully call
@ -408,7 +408,7 @@ IN_PROC_BROWSER_TEST_F(WebAuthLocalClientBrowserTest,
ScopedNavigationCancellingThrottleInstaller navigation_canceller(
shell()->web_contents());
NavigateToURL(shell(), GetHttpsURL("www.example.com", "/title2.html"));
NavigateToURL(shell(), GetHttpsURL("www.acme.com", "/title2.html"));
auto* fake_hid_discovery = discovery_factory()->ForgeNextHidDiscovery();
TestCreateCallbackReceiver create_callback_receiver;
@ -432,7 +432,7 @@ IN_PROC_BROWSER_TEST_F(WebAuthLocalClientBrowserTest,
}));
auto* fake_hid_discovery = discovery_factory()->ForgeNextHidDiscovery();
NavigateToURL(shell(), GetHttpsURL("www.example.com", "/title2.html"));
NavigateToURL(shell(), GetHttpsURL("www.acme.com", "/title2.html"));
WaitForConnectionError();
// Normally, when the request is serviced, the implementation retrieves the

4
device/fido/attestation_object.h

@ -50,6 +50,10 @@ class COMPONENT_EXPORT(DEVICE_FIDO) AttestationObject {
// "attStmt": attestation statement bytes }
std::vector<uint8_t> SerializeToCBOREncodedBytes() const;
const std::vector<uint8_t>& rp_id_hash() const {
return authenticator_data_.application_parameter();
}
private:
AuthenticatorData authenticator_data_;
std::unique_ptr<AttestationStatement> attestation_statement_;

5
device/fido/authenticator_data.h

@ -60,6 +60,10 @@ class COMPONENT_EXPORT(DEVICE_FIDO) AuthenticatorData {
return attested_data_;
}
const std::vector<uint8_t>& application_parameter() const {
return application_parameter_;
}
bool obtained_user_presence() const {
return flags_ & base::strict_cast<uint8_t>(Flag::kTestOfUserPresence);
}
@ -79,6 +83,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) AuthenticatorData {
private:
// The application parameter: a SHA-256 hash of either the RP ID or the AppID
// associated with the credential.
// TODO(hongjunchoi): Replace fixed size vector components with std::array.
std::vector<uint8_t> application_parameter_;
// Flags (bit 0 is the least significant bit):

9
device/fido/authenticator_get_assertion_response.cc

@ -48,8 +48,8 @@ AuthenticatorGetAssertionResponse::CreateFromU2fSignResponse(
if (signature.empty())
return base::nullopt;
auto response = AuthenticatorGetAssertionResponse(
std::move(authenticator_data), std::move(signature));
AuthenticatorGetAssertionResponse response(std::move(authenticator_data),
std::move(signature));
response.SetCredential(PublicKeyCredentialDescriptor(
to_string(CredentialType::kPublicKey), key_handle));
@ -71,6 +71,11 @@ AuthenticatorGetAssertionResponse& AuthenticatorGetAssertionResponse::operator=(
AuthenticatorGetAssertionResponse::~AuthenticatorGetAssertionResponse() =
default;
const std::vector<uint8_t>& AuthenticatorGetAssertionResponse::GetRpIdHash()
const {
return authenticator_data_.application_parameter();
}
AuthenticatorGetAssertionResponse&
AuthenticatorGetAssertionResponse::SetCredential(
PublicKeyCredentialDescriptor credential) {

5
device/fido/authenticator_get_assertion_response.h

@ -36,7 +36,10 @@ class COMPONENT_EXPORT(DEVICE_FIDO) AuthenticatorGetAssertionResponse
AuthenticatorGetAssertionResponse(AuthenticatorGetAssertionResponse&& that);
AuthenticatorGetAssertionResponse& operator=(
AuthenticatorGetAssertionResponse&& other);
~AuthenticatorGetAssertionResponse();
~AuthenticatorGetAssertionResponse() override;
// ResponseData:
const std::vector<uint8_t>& GetRpIdHash() const override;
AuthenticatorGetAssertionResponse& SetCredential(
PublicKeyCredentialDescriptor credential);

5
device/fido/authenticator_make_credential_response.cc

@ -85,4 +85,9 @@ bool AuthenticatorMakeCredentialResponse::
.IsAttestationCertificateInappropriatelyIdentifying();
}
const std::vector<uint8_t>& AuthenticatorMakeCredentialResponse::GetRpIdHash()
const {
return attestation_object_.rp_id_hash();
}
} // namespace device

5
device/fido/authenticator_make_credential_response.h

@ -36,7 +36,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) AuthenticatorMakeCredentialResponse
AuthenticatorMakeCredentialResponse&& that);
AuthenticatorMakeCredentialResponse& operator=(
AuthenticatorMakeCredentialResponse&& other);
~AuthenticatorMakeCredentialResponse();
~AuthenticatorMakeCredentialResponse() override;
std::vector<uint8_t> GetCBOREncodedAttestationObject() const;
@ -51,6 +51,9 @@ class COMPONENT_EXPORT(DEVICE_FIDO) AuthenticatorMakeCredentialResponse
// not indended to be trackable.)
bool IsAttestationCertificateInappropriatelyIdentifying();
// ResponseData:
const std::vector<uint8_t>& GetRpIdHash() const override;
private:
AttestationObject attestation_object_;

208
device/fido/fido_test_data.h

@ -614,65 +614,124 @@ constexpr uint8_t kTestGetInfoResponseCrossPlatformDevice[] = {
// A Sample well formed response to CTAP MakeCredential request.
constexpr uint8_t kTestMakeCredentialResponse[] = {
0x00, 0xA3, 0x01, 0x66, 0x70, 0x61, 0x63, 0x6B, 0x65, 0x64, 0x02, 0x58,
0xC4, 0x46, 0xCC, 0x7F, 0xB9, 0x67, 0x9D, 0x55, 0xB2, 0xDB, 0x90, 0x92,
0xE1, 0xC8, 0xD9, 0xE5, 0xE1, 0xD0, 0x2B, 0x75, 0x80, 0xF0, 0xB4, 0x81,
0x2C, 0x77, 0x09, 0x62, 0xE1, 0xE4, 0x8F, 0x5A, 0xD8, 0x41, 0x00, 0x00,
0x00, 0x52, 0xF8, 0xA0, 0x11, 0xF3, 0x8C, 0x0A, 0x4D, 0x15, 0x80, 0x06,
0x17, 0x11, 0x1F, 0x9E, 0xDC, 0x7D, 0x00, 0x40, 0x2C, 0xC4, 0x73, 0x23,
0xA0, 0xEE, 0x0D, 0x5F, 0x66, 0x35, 0x4A, 0x2B, 0x35, 0xC5, 0xFA, 0xFB,
0xE7, 0x3D, 0x98, 0x18, 0xB4, 0xC0, 0x53, 0xE9, 0x29, 0x19, 0xAE, 0x3B,
0x67, 0xD7, 0xAF, 0x4F, 0x15, 0x6E, 0x67, 0xD0, 0x46, 0x5B, 0x39, 0x06,
0x70, 0x93, 0x2F, 0xCE, 0x79, 0x33, 0xDD, 0xD5, 0x96, 0x8F, 0xD0, 0xBF,
0xFF, 0x85, 0x62, 0x1F, 0xFD, 0x12, 0x95, 0xBD, 0x0A, 0x41, 0x81, 0x24,
0xA5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20, 0xEB, 0x78,
0x4F, 0x0B, 0x6C, 0x78, 0x1E, 0xA1, 0x1E, 0xC8, 0x14, 0x24, 0x36, 0x66,
0x07, 0x2F, 0x4B, 0xDB, 0x53, 0xF6, 0x95, 0x8D, 0xDF, 0xC2, 0xCB, 0x6B,
0xA0, 0xC2, 0x69, 0xA4, 0x16, 0x03, 0x22, 0x58, 0x20, 0xD4, 0xC3, 0xDC,
0xD9, 0x3D, 0xF9, 0x60, 0x9A, 0xF8, 0x56, 0x96, 0xE2, 0xA6, 0x62, 0xF1,
0x05, 0xAE, 0x9C, 0x76, 0x9A, 0x0B, 0x3F, 0xFA, 0x5C, 0x05, 0xED, 0xE5,
0x7C, 0x64, 0x0A, 0x60, 0x28, 0x03, 0xA3, 0x63, 0x61, 0x6C, 0x67, 0x26,
0x63, 0x73, 0x69, 0x67, 0x58, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xA2,
0xA4, 0x1B, 0x2A, 0xE3, 0xA2, 0x0D, 0xFA, 0xF8, 0x0B, 0xB6, 0x96, 0xA0,
0x9A, 0xC4, 0x37, 0x84, 0xA7, 0x96, 0x08, 0x90, 0xB8, 0x96, 0xA1, 0x52,
0xC8, 0x59, 0x19, 0x68, 0xA3, 0xED, 0x6D, 0x02, 0x20, 0x4B, 0xD3, 0x1E,
0xBF, 0x6B, 0xA0, 0x05, 0x5A, 0x73, 0x12, 0x6F, 0x3E, 0x4B, 0xC2, 0x7D,
0xA1, 0xCD, 0x68, 0x5E, 0xBB, 0x86, 0x77, 0x8C, 0xC0, 0x7F, 0x8E, 0xA3,
0x91, 0x44, 0x19, 0x50, 0x19, 0x63, 0x78, 0x35, 0x63, 0x81, 0x59, 0x01,
0x97, 0x30, 0x82, 0x01, 0x93, 0x30, 0x82, 0x01, 0x38, 0xA0, 0x03, 0x02,
0x01, 0x02, 0x02, 0x09, 0x00, 0x85, 0x9B, 0x72, 0x6C, 0xB2, 0x4B, 0x4C,
0x29, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03,
0x02, 0x30, 0x47, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04,
0x0A, 0x0C, 0x0B, 0x59, 0x75, 0x62, 0x69, 0x63, 0x6F, 0x20, 0x54, 0x65,
0x73, 0x74, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C,
0x19, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6E, 0x74, 0x69, 0x63, 0x61, 0x74,
0x6F, 0x72, 0x20, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69,
0x6F, 0x6E, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x36, 0x31, 0x32, 0x30, 0x34,
0x31, 0x31, 0x35, 0x35, 0x30, 0x30, 0x5A, 0x17, 0x0D, 0x32, 0x36, 0x31,
0x32, 0x30, 0x32, 0x31, 0x31, 0x35, 0x35, 0x30, 0x30, 0x5A, 0x30, 0x47,
0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0B,
0x59, 0x75, 0x62, 0x69, 0x63, 0x6F, 0x20, 0x54, 0x65, 0x73, 0x74, 0x31,
0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x19, 0x41, 0x75,
0x74, 0x68, 0x65, 0x6E, 0x74, 0x69, 0x63, 0x61, 0x74, 0x6F, 0x72, 0x20,
0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x30,
0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42,
0x00, 0x04, 0xAD, 0x11, 0xEB, 0x0E, 0x88, 0x52, 0xE5, 0x3A, 0xD5, 0xDF,
0xED, 0x86, 0xB4, 0x1E, 0x61, 0x34, 0xA1, 0x8E, 0xC4, 0xE1, 0xAF, 0x8F,
0x22, 0x1A, 0x3C, 0x7D, 0x6E, 0x63, 0x6C, 0x80, 0xEA, 0x13, 0xC3, 0xD5,
0x04, 0xFF, 0x2E, 0x76, 0x21, 0x1B, 0xB4, 0x45, 0x25, 0xB1, 0x96, 0xC4,
0x4C, 0xB4, 0x84, 0x99, 0x79, 0xCF, 0x6F, 0x89, 0x6E, 0xCD, 0x2B, 0xB8,
0x60, 0xDE, 0x1B, 0xF4, 0x37, 0x6B, 0xA3, 0x0D, 0x30, 0x0B, 0x30, 0x09,
0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0A, 0x06,
0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x49, 0x00,
0x30, 0x46, 0x02, 0x21, 0x00, 0xE9, 0xA3, 0x9F, 0x1B, 0x03, 0x19, 0x75,
0x25, 0xF7, 0x37, 0x3E, 0x10, 0xCE, 0x77, 0xE7, 0x80, 0x21, 0x73, 0x1B,
0x94, 0xD0, 0xC0, 0x3F, 0x3F, 0xDA, 0x1F, 0xD2, 0x2D, 0xB3, 0xD0, 0x30,
0xE7, 0x02, 0x21, 0x00, 0xC4, 0xFA, 0xEC, 0x34, 0x45, 0xA8, 0x20, 0xCF,
0x43, 0x12, 0x9C, 0xDB, 0x00, 0xAA, 0xBE, 0xFD, 0x9A, 0xE2, 0xD8, 0x74,
0xF9, 0xC5, 0xD3, 0x43, 0xCB, 0x2F, 0x11, 0x3D, 0xA2, 0x37, 0x23, 0xF3,
0x00, 0xa3, 0x01, 0x66, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x64, 0x02, 0x58,
0x9a, 0x11, 0x94, 0x22, 0x8d, 0xa8, 0xfd, 0xbd, 0xee, 0xfd, 0x26, 0x1b,
0xd7, 0xb6, 0x59, 0x5c, 0xfd, 0x70, 0xa5, 0x0d, 0x70, 0xc6, 0x40, 0x7b,
0xcf, 0x01, 0x3d, 0xe9, 0x6d, 0x4e, 0xfb, 0x17, 0xde, 0x41, 0x00, 0x00,
0x00, 0x0b, 0xf8, 0xa0, 0x11, 0xf3, 0x8c, 0x0a, 0x4d, 0x15, 0x80, 0x06,
0x17, 0x11, 0x1f, 0x9e, 0xdc, 0x7d, 0x00, 0x10, 0x89, 0x59, 0xce, 0xad,
0x5b, 0x5c, 0x48, 0x16, 0x4e, 0x8a, 0xbc, 0xd6, 0xd9, 0x43, 0x5c, 0x6f,
0xa3, 0x63, 0x61, 0x6c, 0x67, 0x65, 0x45, 0x53, 0x32, 0x35, 0x36, 0x61,
0x78, 0x58, 0x20, 0xf7, 0xc4, 0xf4, 0xa6, 0xf1, 0xd7, 0x95, 0x38, 0xdf,
0xa4, 0xc9, 0xac, 0x50, 0x84, 0x8d, 0xf7, 0x08, 0xbc, 0x1c, 0x99, 0xf5,
0xe6, 0x0e, 0x51, 0xb4, 0x2a, 0x52, 0x1b, 0x35, 0xd3, 0xb6, 0x9a, 0x61,
0x79, 0x58, 0x20, 0xde, 0x7b, 0x7d, 0x6c, 0xa5, 0x64, 0xe7, 0x0e, 0xa3,
0x21, 0xa4, 0xd5, 0xd9, 0x6e, 0xa0, 0x0e, 0xf0, 0xe2, 0xdb, 0x89, 0xdd,
0x61, 0xd4, 0x89, 0x4c, 0x15, 0xac, 0x58, 0x5b, 0xd2, 0x36, 0x84, 0x03,
0xa3, 0x63, 0x61, 0x6c, 0x67, 0x26, 0x63, 0x73, 0x69, 0x67, 0x58, 0x47,
0x30, 0x45, 0x02, 0x20, 0x13, 0xf7, 0x3c, 0x5d, 0x9d, 0x53, 0x0e, 0x8c,
0xc1, 0x5c, 0xc9, 0xbd, 0x96, 0xad, 0x58, 0x6d, 0x39, 0x36, 0x64, 0xe4,
0x62, 0xd5, 0xf0, 0x56, 0x12, 0x35, 0xe6, 0x35, 0x0f, 0x2b, 0x72, 0x89,
0x02, 0x21, 0x00, 0x90, 0x35, 0x7f, 0xf9, 0x10, 0xcc, 0xb5, 0x6a, 0xc5,
0xb5, 0x96, 0x51, 0x19, 0x48, 0x58, 0x1c, 0x8f, 0xdd, 0xb4, 0xa2, 0xb7,
0x99, 0x59, 0x94, 0x80, 0x78, 0xb0, 0x9f, 0x4b, 0xdc, 0x62, 0x29, 0x63,
0x78, 0x35, 0x63, 0x81, 0x59, 0x01, 0x97, 0x30, 0x82, 0x01, 0x93, 0x30,
0x82, 0x01, 0x38, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x85,
0x9b, 0x72, 0x6c, 0xb2, 0x4b, 0x4c, 0x29, 0x30, 0x0a, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x47, 0x31, 0x0b, 0x30,
0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14,
0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x59, 0x75, 0x62,
0x69, 0x63, 0x6f, 0x20, 0x54, 0x65, 0x73, 0x74, 0x31, 0x22, 0x30, 0x20,
0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x19, 0x41, 0x75, 0x74, 0x68, 0x65,
0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x20, 0x41, 0x74, 0x74,
0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x30, 0x1e, 0x17, 0x0d,
0x31, 0x36, 0x31, 0x32, 0x30, 0x34, 0x31, 0x31, 0x35, 0x35, 0x30, 0x30,
0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x32, 0x30, 0x32, 0x31, 0x31, 0x35,
0x35, 0x30, 0x30, 0x5a, 0x30, 0x47, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06,
0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x59, 0x75, 0x62, 0x69, 0x63, 0x6f,
0x20, 0x54, 0x65, 0x73, 0x74, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55,
0x04, 0x0b, 0x0c, 0x19, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69,
0x63, 0x61, 0x74, 0x6f, 0x72, 0x20, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xad, 0x11, 0xeb, 0x0e,
0x88, 0x52, 0xe5, 0x3a, 0xd5, 0xdf, 0xed, 0x86, 0xb4, 0x1e, 0x61, 0x34,
0xa1, 0x8e, 0xc4, 0xe1, 0xaf, 0x8f, 0x22, 0x1a, 0x3c, 0x7d, 0x6e, 0x63,
0x6c, 0x80, 0xea, 0x13, 0xc3, 0xd5, 0x04, 0xff, 0x2e, 0x76, 0x21, 0x1b,
0xb4, 0x45, 0x25, 0xb1, 0x96, 0xc4, 0x4c, 0xb4, 0x84, 0x99, 0x79, 0xcf,
0x6f, 0x89, 0x6e, 0xcd, 0x2b, 0xb8, 0x60, 0xde, 0x1b, 0xf4, 0x37, 0x6b,
0xa3, 0x0d, 0x30, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
0x02, 0x30, 0x00, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0xe9,
0xa3, 0x9f, 0x1b, 0x03, 0x19, 0x75, 0x25, 0xf7, 0x37, 0x3e, 0x10, 0xce,
0x77, 0xe7, 0x80, 0x21, 0x73, 0x1b, 0x94, 0xd0, 0xc0, 0x3f, 0x3f, 0xda,
0x1f, 0xd2, 0x2d, 0xb3, 0xd0, 0x30, 0xe7, 0x02, 0x21, 0x00, 0xc4, 0xfa,
0xec, 0x34, 0x45, 0xa8, 0x20, 0xcf, 0x43, 0x12, 0x9c, 0xdb, 0x00, 0xaa,
0xbe, 0xfd, 0x9a, 0xe2, 0xd8, 0x74, 0xf9, 0xc5, 0xd3, 0x43, 0xcb, 0x2f,
0x11, 0x3d, 0xa2, 0x37, 0x23, 0xf3,
};
constexpr uint8_t kTestMakeCredentialResponseWithIncorrectRpIdHash[] = {
0x00, 0xa3, 0x01, 0x66, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x64, 0x02, 0x58,
0x9a,
// Incorrect relying party ID hash
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
// End of relying party ID hash
0x41, 0x00, 0x00, 0x00, 0x0b, 0xf8, 0xa0, 0x11, 0xf3, 0x8c, 0x0a, 0x4d,
0x15, 0x80, 0x06, 0x17, 0x11, 0x1f, 0x9e, 0xdc, 0x7d, 0x00, 0x10, 0x89,
0x59, 0xce, 0xad, 0x5b, 0x5c, 0x48, 0x16, 0x4e, 0x8a, 0xbc, 0xd6, 0xd9,
0x43, 0x5c, 0x6f, 0xa3, 0x63, 0x61, 0x6c, 0x67, 0x65, 0x45, 0x53, 0x32,
0x35, 0x36, 0x61, 0x78, 0x58, 0x20, 0xf7, 0xc4, 0xf4, 0xa6, 0xf1, 0xd7,
0x95, 0x38, 0xdf, 0xa4, 0xc9, 0xac, 0x50, 0x84, 0x8d, 0xf7, 0x08, 0xbc,
0x1c, 0x99, 0xf5, 0xe6, 0x0e, 0x51, 0xb4, 0x2a, 0x52, 0x1b, 0x35, 0xd3,
0xb6, 0x9a, 0x61, 0x79, 0x58, 0x20, 0xde, 0x7b, 0x7d, 0x6c, 0xa5, 0x64,
0xe7, 0x0e, 0xa3, 0x21, 0xa4, 0xd5, 0xd9, 0x6e, 0xa0, 0x0e, 0xf0, 0xe2,
0xdb, 0x89, 0xdd, 0x61, 0xd4, 0x89, 0x4c, 0x15, 0xac, 0x58, 0x5b, 0xd2,
0x36, 0x84, 0x03, 0xa3, 0x63, 0x61, 0x6c, 0x67, 0x26, 0x63, 0x73, 0x69,
0x67, 0x58, 0x47, 0x30, 0x45, 0x02, 0x20, 0x13, 0xf7, 0x3c, 0x5d, 0x9d,
0x53, 0x0e, 0x8c, 0xc1, 0x5c, 0xc9, 0xbd, 0x96, 0xad, 0x58, 0x6d, 0x39,
0x36, 0x64, 0xe4, 0x62, 0xd5, 0xf0, 0x56, 0x12, 0x35, 0xe6, 0x35, 0x0f,
0x2b, 0x72, 0x89, 0x02, 0x21, 0x00, 0x90, 0x35, 0x7f, 0xf9, 0x10, 0xcc,
0xb5, 0x6a, 0xc5, 0xb5, 0x96, 0x51, 0x19, 0x48, 0x58, 0x1c, 0x8f, 0xdd,
0xb4, 0xa2, 0xb7, 0x99, 0x59, 0x94, 0x80, 0x78, 0xb0, 0x9f, 0x4b, 0xdc,
0x62, 0x29, 0x63, 0x78, 0x35, 0x63, 0x81, 0x59, 0x01, 0x97, 0x30, 0x82,
0x01, 0x93, 0x30, 0x82, 0x01, 0x38, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
0x09, 0x00, 0x85, 0x9b, 0x72, 0x6c, 0xb2, 0x4b, 0x4c, 0x29, 0x30, 0x0a,
0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x47,
0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b,
0x59, 0x75, 0x62, 0x69, 0x63, 0x6f, 0x20, 0x54, 0x65, 0x73, 0x74, 0x31,
0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x19, 0x41, 0x75,
0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x20,
0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x30,
0x1e, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x32, 0x30, 0x34, 0x31, 0x31, 0x35,
0x35, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x32, 0x30, 0x32,
0x31, 0x31, 0x35, 0x35, 0x30, 0x30, 0x5a, 0x30, 0x47, 0x31, 0x0b, 0x30,
0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14,
0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x59, 0x75, 0x62,
0x69, 0x63, 0x6f, 0x20, 0x54, 0x65, 0x73, 0x74, 0x31, 0x22, 0x30, 0x20,
0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x19, 0x41, 0x75, 0x74, 0x68, 0x65,
0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x20, 0x41, 0x74, 0x74,
0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x30, 0x59, 0x30, 0x13,
0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xad,
0x11, 0xeb, 0x0e, 0x88, 0x52, 0xe5, 0x3a, 0xd5, 0xdf, 0xed, 0x86, 0xb4,
0x1e, 0x61, 0x34, 0xa1, 0x8e, 0xc4, 0xe1, 0xaf, 0x8f, 0x22, 0x1a, 0x3c,
0x7d, 0x6e, 0x63, 0x6c, 0x80, 0xea, 0x13, 0xc3, 0xd5, 0x04, 0xff, 0x2e,
0x76, 0x21, 0x1b, 0xb4, 0x45, 0x25, 0xb1, 0x96, 0xc4, 0x4c, 0xb4, 0x84,
0x99, 0x79, 0xcf, 0x6f, 0x89, 0x6e, 0xcd, 0x2b, 0xb8, 0x60, 0xde, 0x1b,
0xf4, 0x37, 0x6b, 0xa3, 0x0d, 0x30, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x49, 0x00, 0x30, 0x46, 0x02,
0x21, 0x00, 0xe9, 0xa3, 0x9f, 0x1b, 0x03, 0x19, 0x75, 0x25, 0xf7, 0x37,
0x3e, 0x10, 0xce, 0x77, 0xe7, 0x80, 0x21, 0x73, 0x1b, 0x94, 0xd0, 0xc0,
0x3f, 0x3f, 0xda, 0x1f, 0xd2, 0x2d, 0xb3, 0xd0, 0x30, 0xe7, 0x02, 0x21,
0x00, 0xc4, 0xfa, 0xec, 0x34, 0x45, 0xa8, 0x20, 0xcf, 0x43, 0x12, 0x9c,
0xdb, 0x00, 0xaa, 0xbe, 0xfd, 0x9a, 0xe2, 0xd8, 0x74, 0xf9, 0xc5, 0xd3,
0x43, 0xcb, 0x2f, 0x11, 0x3d, 0xa2, 0x37, 0x23, 0xf3,
};
// Credential ID to be used in a request to yield the below
@ -694,10 +753,10 @@ constexpr uint8_t kTestGetAssertionResponse[] = {
0x45, 0x2C, 0x0F, 0xE4, 0x67, 0x29, 0x0C, 0x1B, 0xDA, 0xBE, 0x7C, 0xEB,
0xE5, 0xAD, 0x7A, 0xCA, 0x6F, 0x76, 0x89, 0x38, 0x83, 0x2E, 0x65, 0x85,
0x1E, 0x64, 0x74, 0x79, 0x70, 0x65, 0x6A, 0x70, 0x75, 0x62, 0x6C, 0x69,
0x63, 0x2D, 0x6B, 0x65, 0x79, 0x02, 0x58, 0x25, 0x46, 0xCC, 0x7F, 0xB9,
0x67, 0x9D, 0x55, 0xB2, 0xDB, 0x90, 0x92, 0xE1, 0xC8, 0xD9, 0xE5, 0xE1,
0xD0, 0x2B, 0x75, 0x80, 0xF0, 0xB4, 0x81, 0x2C, 0x77, 0x09, 0x62, 0xE1,
0xE4, 0x8F, 0x5A, 0xD8, 0x01, 0x00, 0x00, 0x00, 0x5F, 0x03, 0x58, 0x46,
0x63, 0x2D, 0x6B, 0x65, 0x79, 0x02, 0x58, 0x25, 0x11, 0x94, 0x22, 0x8d,
0xa8, 0xfd, 0xbd, 0xee, 0xfd, 0x26, 0x1b, 0xd7, 0xb6, 0x59, 0x5c, 0xfd,
0x70, 0xa5, 0x0d, 0x70, 0xc6, 0x40, 0x7b, 0xcf, 0x01, 0x3d, 0xe9, 0x6d,
0x4e, 0xfb, 0x17, 0xde, 0x01, 0x00, 0x00, 0x00, 0x5F, 0x03, 0x58, 0x46,
0x30, 0x44, 0x02, 0x20, 0x62, 0xB8, 0xC4, 0x37, 0xB0, 0xB6, 0xFC, 0x89,
0x37, 0xF6, 0x45, 0xC0, 0x1E, 0x26, 0xCE, 0x0E, 0x26, 0x58, 0x38, 0xFE,
0xC4, 0xA8, 0x74, 0xC5, 0x5D, 0xDD, 0x6D, 0xEC, 0xF0, 0xA0, 0x83, 0xD3,
@ -706,6 +765,29 @@ constexpr uint8_t kTestGetAssertionResponse[] = {
0xB2, 0x17, 0x6B, 0xBD, 0x30, 0x36, 0x59, 0xC9, 0xCD, 0x92,
};
constexpr uint8_t kTestGetAssertionResponseWithIncorrectRpIdHash[] = {
0x00, 0xA3, 0x01, 0xA2, 0x62, 0x69, 0x64, 0x58, 0x40, 0x9C, 0x06, 0x98,
0x05, 0xA7, 0xE9, 0x0C, 0xED, 0xF9, 0x24, 0xAC, 0x5A, 0x29, 0x36, 0x95,
0xE0, 0x15, 0x46, 0x95, 0xBF, 0xFF, 0x99, 0x1A, 0xA5, 0x40, 0xA8, 0x84,
0xAE, 0xF5, 0x42, 0xF3, 0x17, 0x78, 0x51, 0xBE, 0x8A, 0x15, 0x2D, 0x48,
0x45, 0x2C, 0x0F, 0xE4, 0x67, 0x29, 0x0C, 0x1B, 0xDA, 0xBE, 0x7C, 0xEB,
0xE5, 0xAD, 0x7A, 0xCA, 0x6F, 0x76, 0x89, 0x38, 0x83, 0x2E, 0x65, 0x85,
0x1E, 0x64, 0x74, 0x79, 0x70, 0x65, 0x6A, 0x70, 0x75, 0x62, 0x6C, 0x69,
0x63, 0x2D, 0x6B, 0x65, 0x79, 0x02, 0x58, 0x25,
// Incorrect relying party ID hash
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
// End of relying party ID hash
0x01, 0x00, 0x00, 0x00, 0x5F, 0x03, 0x58, 0x46, 0x30, 0x44, 0x02, 0x20,
0x62, 0xB8, 0xC4, 0x37, 0xB0, 0xB6, 0xFC, 0x89, 0x37, 0xF6, 0x45, 0xC0,
0x1E, 0x26, 0xCE, 0x0E, 0x26, 0x58, 0x38, 0xFE, 0xC4, 0xA8, 0x74, 0xC5,
0x5D, 0xDD, 0x6D, 0xEC, 0xF0, 0xA0, 0x83, 0xD3, 0x02, 0x20, 0x7C, 0xD4,
0x1C, 0xAF, 0x4F, 0xD8, 0x7F, 0x73, 0xBF, 0x01, 0x25, 0x06, 0x78, 0x11,
0x45, 0x2B, 0x5F, 0xB8, 0x17, 0xA3, 0xFA, 0x73, 0xB2, 0x17, 0x6B, 0xBD,
0x30, 0x36, 0x59, 0xC9, 0xCD, 0x92,
};
} // namespace test_data
} // namespace device

2
device/fido/get_assertion_handler_unittest.cc

@ -24,7 +24,7 @@ namespace device {
namespace {
constexpr uint8_t kClientDataHash[] = {0x01, 0x02, 0x03};
constexpr char kRpId[] = "google.com";
constexpr char kRpId[] = "acme.com";
using TestGetAssertionRequestCallback = test::StatusAndValueCallbackReceiver<
FidoReturnCode,

2
device/fido/get_assertion_task.cc

@ -121,7 +121,7 @@ void GetAssertionTask::OnCtapGetAssertionResponseReceived(
}
auto parsed_response = ReadCTAPGetAssertionResponse(*device_response);
if (!parsed_response ||
if (!parsed_response || !parsed_response->CheckRpIdHash(request_.rp_id()) ||
!CheckRequirementsOnReturnedCredentialId(*parsed_response) ||
!CheckRequirementsOnReturnedUserEntities(*parsed_response)) {
std::move(callback_).Run(CtapDeviceResponseCode::kCtap2ErrOther,

26
device/fido/get_assertion_task_unittest.cc

@ -28,7 +28,7 @@ namespace device {
namespace {
constexpr uint8_t kClientDataHash[] = {0x01, 0x02, 0x03};
constexpr char kRpId[] = "google.com";
constexpr char kRpId[] = "acme.com";
using TestGetAssertionTaskCallbackReceiver =
::device::test::StatusAndValueCallbackReceiver<
@ -127,6 +127,30 @@ TEST_F(FidoGetAssertionTaskTest, TestGetAsserionIncorrectUserEntity) {
EXPECT_FALSE(get_assertion_callback_receiver().value());
}
TEST_F(FidoGetAssertionTaskTest, TestGetAsserionIncorrectRpIdHash) {
auto device = std::make_unique<MockFidoDevice>();
device->ExpectCtap2CommandAndRespondWith(
CtapRequestCommand::kAuthenticatorGetInfo,
test_data::kTestAuthenticatorGetInfoResponse);
device->ExpectCtap2CommandAndRespondWith(
CtapRequestCommand::kAuthenticatorGetAssertion,
test_data::kTestGetAssertionResponseWithIncorrectRpIdHash);
auto task = std::make_unique<GetAssertionTask>(
device.get(),
CtapGetAssertionRequest(kRpId,
u2f_parsing_utils::Materialize(kClientDataHash)),
get_assertion_callback_receiver().callback());
get_assertion_callback_receiver().WaitForCallback();
EXPECT_EQ(device->supported_protocol(), ProtocolVersion::kCtap);
EXPECT_TRUE(device->device_info());
EXPECT_EQ(CtapDeviceResponseCode::kCtap2ErrOther,
get_assertion_callback_receiver().status());
EXPECT_FALSE(get_assertion_callback_receiver().value());
}
TEST_F(FidoGetAssertionTaskTest, TestIncorrectGetAssertionResponse) {
auto device = std::make_unique<MockFidoDevice>();

2
device/fido/make_credential_handler_unittest.cc

@ -29,7 +29,7 @@ namespace {
constexpr uint8_t kClientDataHash[] = {0x01, 0x02, 0x03};
constexpr uint8_t kUserId[] = {0x01, 0x02, 0x03};
constexpr char kRpId[] = "google.com";
constexpr char kRpId[] = "acme.com";
using TestMakeCredentialRequestCallback = test::StatusAndValueCallbackReceiver<
FidoReturnCode,

17
device/fido/make_credential_task.cc

@ -63,8 +63,21 @@ void MakeCredentialTask::OnCtapMakeCredentialResponseReceived(
return;
}
std::move(callback_).Run(GetResponseCode(*device_response),
ReadCTAPMakeCredentialResponse(*device_response));
auto response_code = GetResponseCode(*device_response);
if (response_code != CtapDeviceResponseCode::kSuccess) {
std::move(callback_).Run(response_code, base::nullopt);
return;
}
auto parsed_response = ReadCTAPMakeCredentialResponse(*device_response);
if (!parsed_response ||
!parsed_response->CheckRpIdHash(request_parameter_.rp().rp_id())) {
std::move(callback_).Run(CtapDeviceResponseCode::kCtap2ErrOther,
base::nullopt);
return;
}
std::move(callback_).Run(response_code, std::move(parsed_response));
}
bool MakeCredentialTask::CheckIfAuthenticatorSelectionCriteriaAreSatisfied() {

19
device/fido/make_credential_task_unittest.cc

@ -29,7 +29,7 @@ namespace {
constexpr uint8_t kClientDataHash[] = {0x01, 0x02, 0x03};
constexpr uint8_t kUserId[] = {0x01, 0x02, 0x03};
constexpr char kRpId[] = "google.com";
constexpr char kRpId[] = "acme.com";
using TestMakeCredentialTaskCallback =
::device::test::StatusAndValueCallbackReceiver<
@ -117,6 +117,23 @@ TEST_F(FidoMakeCredentialTaskTest, TestIncorrectAuthenticatorGetInfoResponse) {
EXPECT_FALSE(device->device_info());
}
TEST_F(FidoMakeCredentialTaskTest, TestMakeCredentialWithIncorrectRpIdHash) {
auto device = std::make_unique<MockFidoDevice>();
device->ExpectCtap2CommandAndRespondWith(
CtapRequestCommand::kAuthenticatorGetInfo,
test_data::kTestAuthenticatorGetInfoResponse);
device->ExpectCtap2CommandAndRespondWith(
CtapRequestCommand::kAuthenticatorMakeCredential,
test_data::kTestMakeCredentialResponseWithIncorrectRpIdHash);
const auto task = CreateMakeCredentialTask(device.get());
make_credential_callback_receiver().WaitForCallback();
EXPECT_EQ(CtapDeviceResponseCode::kCtap2ErrOther,
make_credential_callback_receiver().status());
}
TEST_F(FidoMakeCredentialTaskTest,
TestUserVerificationAuthenticatorSelectionCriteria) {
auto device = std::make_unique<MockFidoDevice>();

13
device/fido/response_data.cc

@ -8,9 +8,12 @@
#include "base/base64url.h"
#include "base/strings/string_piece.h"
#include "crypto/sha2.h"
namespace device {
ResponseData::~ResponseData() = default;
ResponseData::ResponseData() = default;
ResponseData::ResponseData(std::vector<uint8_t> raw_credential_id)
@ -20,8 +23,6 @@ ResponseData::ResponseData(ResponseData&& other) = default;
ResponseData& ResponseData::operator=(ResponseData&& other) = default;
ResponseData::~ResponseData() = default;
std::string ResponseData::GetId() const {
std::string id;
base::Base64UrlEncode(base::StringPiece(reinterpret_cast<const char*>(
@ -31,4 +32,12 @@ std::string ResponseData::GetId() const {
return id;
}
bool ResponseData::CheckRpIdHash(const std::string& rp_id) const {
const auto& response_rp_id_hash = GetRpIdHash();
std::vector<uint8_t> request_rp_id_hash(crypto::kSHA256Length);
crypto::SHA256HashString(rp_id, request_rp_id_hash.data(),
request_rp_id_hash.size());
return response_rp_id_hash == request_rp_id_hash;
}
} // namespace device

15
device/fido/response_data.h

@ -15,10 +15,21 @@
namespace device {
// Base class for RegisterResponseData and SignResponseData.
// Base class for AuthenticatorMakeCredentialResponse and
// AuthenticatorGetAssertionResponse.
class COMPONENT_EXPORT(DEVICE_FIDO) ResponseData {
public:
virtual ~ResponseData();
virtual const std::vector<uint8_t>& GetRpIdHash() const = 0;
std::string GetId() const;
// Checks that the SHA256 hash of the relying party id obtained from the
// request parameter matches the application parameter returned from the
// authenticator.
bool CheckRpIdHash(const std::string& rp_id) const;
const std::vector<uint8_t>& raw_credential_id() const {
return raw_credential_id_;
}
@ -31,8 +42,6 @@ class COMPONENT_EXPORT(DEVICE_FIDO) ResponseData {
ResponseData(ResponseData&& other);
ResponseData& operator=(ResponseData&& other);
~ResponseData();
std::vector<uint8_t> raw_credential_id_;
private: