1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef DEVICE_FIDO_ATTESTATION_OBJECT_H_
6 #define DEVICE_FIDO_ATTESTATION_OBJECT_H_
7 
8 #include <stdint.h>
9 
10 #include <array>
11 #include <memory>
12 #include <vector>
13 
14 #include "base/component_export.h"
15 #include "base/macros.h"
16 #include "device/fido/authenticator_data.h"
17 #include "device/fido/fido_constants.h"
18 
19 namespace device {
20 
21 class AttestationStatement;
22 
23 // Object containing the authenticator-provided attestation every time
24 // a credential is created, per
25 // https://www.w3.org/TR/2017/WD-webauthn-20170505/#cred-attestation.
COMPONENT_EXPORT(DEVICE_FIDO)26 class COMPONENT_EXPORT(DEVICE_FIDO) AttestationObject {
27  public:
28   static base::Optional<AttestationObject> Parse(const cbor::Value& value);
29 
30   AttestationObject(AuthenticatorData data,
31                     std::unique_ptr<AttestationStatement> statement);
32   AttestationObject(AttestationObject&& other);
33   AttestationObject& operator=(AttestationObject&& other);
34   ~AttestationObject();
35 
36   std::vector<uint8_t> GetCredentialId() const;
37 
38   enum class AAGUID {
39     kErase,
40     kInclude,
41   };
42 
43   // Replaces the attestation statement with a “none” attestation, and replaces
44   // device AAGUID with zero bytes (unless |erase_aaguid| is kInclude) as
45   // specified for step 20.3 in
46   // https://w3c.github.io/webauthn/#createCredential.
47   void EraseAttestationStatement(AAGUID erase_aaguid);
48 
49   // Returns true if the attestation is a "self" attestation, i.e. is just the
50   // private key signing itself to show that it is fresh. See
51   // https://www.w3.org/TR/webauthn/#self-attestation. Note that self-
52   // attestation also requires at the AAGUID in the authenticator data be all
53   // zeros.
54   bool IsSelfAttestation();
55 
56   // Returns true if the attestation certificate is known to be inappropriately
57   // identifying. Some tokens return unique attestation certificates even when
58   // the bit to request that is not set. (Normal attestation certificates are
59   // not indended to be trackable.)
60   bool IsAttestationCertificateInappropriatelyIdentifying();
61 
62   const std::array<uint8_t, kRpIdHashLength>& rp_id_hash() const {
63     return authenticator_data_.application_parameter();
64   }
65 
66   const AuthenticatorData& authenticator_data() const {
67     return authenticator_data_;
68   }
69 
70   const AttestationStatement& attestation_statement() const {
71     return *attestation_statement_.get();
72   }
73 
74  private:
75   AuthenticatorData authenticator_data_;
76   std::unique_ptr<AttestationStatement> attestation_statement_;
77 
78   DISALLOW_COPY_AND_ASSIGN(AttestationObject);
79 };
80 
81 // Produces a WebAuthN style CBOR-encoded byte-array
82 // in the following format, when written:
83 // {"authData": authenticator data bytes,
84 //  "fmt": attestation format name,
85 //  "attStmt": attestation statement bytes }
86 COMPONENT_EXPORT(DEVICE_FIDO)
87 cbor::Value AsCBOR(const AttestationObject&);
88 
89 }  // namespace device
90 
91 #endif  // DEVICE_FIDO_ATTESTATION_OBJECT_H_
92