1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef DEVICE_FIDO_ATTESTATION_OBJECT_H_
6 #define DEVICE_FIDO_ATTESTATION_OBJECT_H_
7
8 #include <stdint.h>
9
10 #include <array>
11 #include <memory>
12 #include <vector>
13
14 #include "base/component_export.h"
15 #include "base/macros.h"
16 #include "device/fido/authenticator_data.h"
17 #include "device/fido/fido_constants.h"
18
19 namespace device {
20
21 class AttestationStatement;
22
23 // Object containing the authenticator-provided attestation every time
24 // a credential is created, per
25 // https://www.w3.org/TR/2017/WD-webauthn-20170505/#cred-attestation.
COMPONENT_EXPORT(DEVICE_FIDO)26 class COMPONENT_EXPORT(DEVICE_FIDO) AttestationObject {
27 public:
28 static base::Optional<AttestationObject> Parse(const cbor::Value& value);
29
30 AttestationObject(AuthenticatorData data,
31 std::unique_ptr<AttestationStatement> statement);
32 AttestationObject(AttestationObject&& other);
33 AttestationObject& operator=(AttestationObject&& other);
34 ~AttestationObject();
35
36 std::vector<uint8_t> GetCredentialId() const;
37
38 enum class AAGUID {
39 kErase,
40 kInclude,
41 };
42
43 // Replaces the attestation statement with a “none” attestation, and replaces
44 // device AAGUID with zero bytes (unless |erase_aaguid| is kInclude) as
45 // specified for step 20.3 in
46 // https://w3c.github.io/webauthn/#createCredential.
47 void EraseAttestationStatement(AAGUID erase_aaguid);
48
49 // Returns true if the attestation is a "self" attestation, i.e. is just the
50 // private key signing itself to show that it is fresh. See
51 // https://www.w3.org/TR/webauthn/#self-attestation. Note that self-
52 // attestation also requires at the AAGUID in the authenticator data be all
53 // zeros.
54 bool IsSelfAttestation();
55
56 // Returns true if the attestation certificate is known to be inappropriately
57 // identifying. Some tokens return unique attestation certificates even when
58 // the bit to request that is not set. (Normal attestation certificates are
59 // not indended to be trackable.)
60 bool IsAttestationCertificateInappropriatelyIdentifying();
61
62 const std::array<uint8_t, kRpIdHashLength>& rp_id_hash() const {
63 return authenticator_data_.application_parameter();
64 }
65
66 const AuthenticatorData& authenticator_data() const {
67 return authenticator_data_;
68 }
69
70 const AttestationStatement& attestation_statement() const {
71 return *attestation_statement_.get();
72 }
73
74 private:
75 AuthenticatorData authenticator_data_;
76 std::unique_ptr<AttestationStatement> attestation_statement_;
77
78 DISALLOW_COPY_AND_ASSIGN(AttestationObject);
79 };
80
81 // Produces a WebAuthN style CBOR-encoded byte-array
82 // in the following format, when written:
83 // {"authData": authenticator data bytes,
84 // "fmt": attestation format name,
85 // "attStmt": attestation statement bytes }
86 COMPONENT_EXPORT(DEVICE_FIDO)
87 cbor::Value AsCBOR(const AttestationObject&);
88
89 } // namespace device
90
91 #endif // DEVICE_FIDO_ATTESTATION_OBJECT_H_
92