Index: components/webauth/authenticator_impl.cc |
diff --git a/components/webauth/authenticator_impl.cc b/components/webauth/authenticator_impl.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..20e64a1422e3f931d827d0beb918cb7a60a0dd8b |
--- /dev/null |
+++ b/components/webauth/authenticator_impl.cc |
@@ -0,0 +1,147 @@ |
+// Copyright 2017 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "components/webauth/authenticator_impl.h" |
+ |
+#include <memory> |
+ |
+#include "base/json/json_writer.h" |
+#include "base/memory/ptr_util.h" |
+#include "content/public/browser/render_frame_host.h" |
+#include "content/public/browser/web_contents.h" |
+#include "crypto/sha2.h" |
+#include "mojo/public/cpp/bindings/strong_binding.h" |
+ |
+using content::RenderFrameHost; |
+using content::WebContents; |
+ |
+namespace webauth { |
+ |
+const char kGetAssertionType[] = "navigator.id.getAssertion"; |
+ |
+// JSON key values |
+const char kTypeKey[] = "type"; |
+const char kChallengeKey[] = "challenge"; |
+const char kOriginKey[] = "origin"; |
+const char kCidPubkeyKey[] = "cid_pubkey"; |
+ |
+// Serializes the |value| to a JSON string and returns the result. |
+std::string SerializeValueToJson(const base::Value& value) { |
+ std::string json; |
+ base::JSONWriter::Write(value, &json); |
+ return json; |
+} |
+ |
+// static |
+void AuthenticatorImpl::Create(RenderFrameHost* render_frame_host, |
+ mojom::AuthenticatorRequest request) { |
+ auto authenticator_impl = |
+ base::WrapUnique(new AuthenticatorImpl(render_frame_host)); |
+ mojo::MakeStrongBinding(std::move(authenticator_impl), std::move(request)); |
+} |
+ |
+AuthenticatorImpl::~AuthenticatorImpl() { |
+ if (!connection_error_handler_.is_null()) |
+ connection_error_handler_.Run(); |
+} |
+ |
+AuthenticatorImpl::AuthenticatorImpl(RenderFrameHost* render_frame_host) { |
+ DCHECK(render_frame_host); |
+ set_connection_error_handler(base::Bind( |
+ &AuthenticatorImpl::OnConnectionTerminated, base::Unretained(this))); |
+ caller_origin_ = render_frame_host->GetLastCommittedOrigin(); |
+} |
+ |
+// mojom:Authenticator |
+void AuthenticatorImpl::MakeCredential( |
+ mojom::RelyingPartyAccountPtr account, |
+ std::vector<mojom::ScopedCredentialParametersPtr> parameters, |
+ const std::vector<uint8_t>& challenge, |
+ mojom::ScopedCredentialOptionsPtr options, |
+ MakeCredentialCallback callback) { |
+ std::string effective_domain; |
+ std::string relying_party_id; |
+ std::string client_data_json; |
+ base::DictionaryValue client_data; |
+ |
+ // Steps 3 & 4 of https://w3c.github.io/webauthn/#makeCredential |
+ // opaque origin |
+ if (caller_origin_.unique()) { |
+ std::move(callback).Run(mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR, |
+ NULL); |
+ return; |
+ } |
+ |
+ if (!options->relying_party_id) { |
+ relying_party_id = caller_origin_.Serialize(); |
+ } else { |
+ effective_domain = caller_origin_.host(); |
+ |
+ if (effective_domain.empty()) { |
+ std::move(callback).Run(mojom::AuthenticatorStatus::SECURITY_ERROR, NULL); |
+ return; |
+ } |
+ // TODO(kpaulhamus): Check if relyingPartyId is a registrable domain |
+ // suffix of and equal to effectiveDomain and set relyingPartyId |
+ // appropriately. |
+ relying_party_id = options->relying_party_id.value_or(std::string()); |
+ } |
+ |
+ // TODO(kpaulhamus): Check ScopedCredentialParameter's type and |
+ // algorithmIdentifier after algorithmIdentifier is added to mojom to |
+ // make sure it is U2F_V2. |
+ |
+ client_data.SetString(kTypeKey, kGetAssertionType); |
+ client_data.SetString( |
+ kChallengeKey, |
+ base::StringPiece(reinterpret_cast<const char*>(challenge.data()), |
+ challenge.size())); |
+ client_data.SetString(kOriginKey, relying_party_id); |
+ // Channel ID is optional, and missing if the browser doesn't support it. |
+ // It is present and set to the constant "unused" if the browser |
+ // supports Channel ID but is not using it to talk to the origin. |
+ // TODO(kpaulhamus): Fetch and add the Channel ID public key used to |
+ // communicate with the origin. |
+ client_data.SetString(kCidPubkeyKey, "unused"); |
+ |
+ // SHA-256 hash the JSON data structure |
+ client_data_json = SerializeValueToJson(client_data); |
+ std::string client_data_hash = crypto::SHA256HashString(client_data_json); |
+ |
+ auto copyable_callback = base::AdaptCallbackForRepeating(std::move(callback)); |
+ |
+ // Step 16 of https://w3c.github.io/webauthn/#makeCredential |
+ timeout_callback_.Reset(base::Bind(&AuthenticatorImpl::OnTimeout, |
+ base::Unretained(this), |
+ copyable_callback)); |
+ |
+ base::ThreadTaskRunnerHandle::Get()->PostDelayedTask( |
+ FROM_HERE, timeout_callback_.callback(), |
+ base::TimeDelta::FromSecondsD(options->adjusted_timeout)); |
+ |
+ timeout_callback_.Cancel(); |
+ std::move(callback).Run(mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR, NULL); |
+} |
+ |
+// Callback to handle the async response from a U2fDevice. |
+void AuthenticatorImpl::OnRegister(MakeCredentialCallback callback, |
+ std::string& client_data_json, |
+ uint8_t status_code, |
+ std::vector<uint8_t> data) { |
+ timeout_callback_.Cancel(); |
+ std::move(callback).Run(mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR, NULL); |
+} |
+ |
+// Runs when timer expires and cancels all issued requests to a U2fDevice. |
+void AuthenticatorImpl::OnTimeout(MakeCredentialCallback callback) { |
+ std::move(callback).Run(mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR, NULL); |
+} |
+ |
+void AuthenticatorImpl::OnConnectionTerminated() { |
+ // Closures and cleanup due to either a browser-side error or |
+ // as a result of the connection_error_handler, which can mean |
+ // that the renderer has decided to close the pipe for various |
+ // reasons. |
+} |
+} // namespace webauth |