1// Copyright 2018 The Chromium Authors. All rights reserved.
2// Copyright (C) 2018 Apple Inc. All rights reserved.
3//
4// Redistribution and use in source and binary forms, with or without
5// modification, are permitted provided that the following conditions are
6// met:
7//
8// * Redistributions of source code must retain the above copyright
9// notice, this list of conditions and the following disclaimer.
10// * Redistributions in binary form must reproduce the above
11// copyright notice, this list of conditions and the following disclaimer
12// in the documentation and/or other materials provided with the
13// distribution.
14// * Neither the name of Google Inc. nor the names of its
15// contributors may be used to endorse or promote products derived from
16// this software without specific prior written permission.
17//
18// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30#pragma once
31
32#if ENABLE(WEB_AUTHN)
33
#include "PublicKeyCredentialType.h"

#include <cstddef>
#include <cstdint>
35
36namespace fido {
37
// Protocol an authenticator has been identified as speaking. kUnknown is the
// value to use before a version has been established; nothing here implies
// which requests are valid for it — see the request encoders for that.
enum class ProtocolVersion {
    kCtap,    // CTAP2: CBOR-encoded requests (CtapRequestCommand below).
    kU2f,     // U2F / CTAP1: APDU-encoded requests (U2fApduInstruction below).
    kUnknown,
};
43
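// Length of the U2F challenge/application parameter:
// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#registration-request-message---u2f_register
constexpr size_t kU2fChallengeParamLength = 32;
constexpr size_t kU2fApplicationParamLength = 32;
// Byte offsets into a successful U2F registration response:
// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#registration-response-message-success
// Layout: reserved byte | 65-byte uncompressed P-256 user public key |
// 1-byte key handle length | key handle | attestation certificate | signature.
constexpr size_t kReservedLength = 1;
constexpr size_t kU2fKeyHandleLengthOffset = 66;
constexpr size_t kU2fKeyHandleOffset = 67;

// Tie the offsets to the layout they describe so a later edit to one of them
// cannot silently misalign the parser that reads device-supplied responses.
static_assert(kU2fKeyHandleLengthOffset == kReservedLength + 65,
    "key handle length byte follows the reserved byte and the 65-byte public key");
static_assert(kU2fKeyHandleOffset == kU2fKeyHandleLengthOffset + 1,
    "key handle follows its one-byte length");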
52
// CTAP protocol device response code, as specified in
// https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html#error-responses
// This is the status byte at the start of every CTAP2 device response. The
// byte is produced by the authenticator, so after casting a raw byte to this
// type it should be validated with isCtapDeviceResponseCode() (declared
// below) before any branch depends on it.
// Enumerator names are part of the API; the misspelled kCtap2ErrProcesssing
// is kept as-is for source compatibility.
enum class CtapDeviceResponseCode : uint8_t {
    kSuccess = 0x00,
    // CTAP1 / U2F-level transport errors.
    kCtap1ErrInvalidCommand = 0x01,
    kCtap1ErrInvalidParameter = 0x02,
    kCtap1ErrInvalidLength = 0x03,
    kCtap1ErrInvalidSeq = 0x04,
    kCtap1ErrTimeout = 0x05,
    kCtap1ErrChannelBusy = 0x06,
    kCtap1ErrLockRequired = 0x0A,
    kCtap1ErrInvalidChannel = 0x0B,
    // CTAP2 request decoding / validation errors.
    kCtap2ErrCBORParsing = 0x10,
    kCtap2ErrUnexpectedType = 0x11,
    kCtap2ErrInvalidCBOR = 0x12,
    kCtap2ErrInvalidCBORType = 0x13,
    kCtap2ErrMissingParameter = 0x14,
    kCtap2ErrLimitExceeded = 0x15,
    kCtap2ErrUnsupportedExtension = 0x16,
    kCtap2ErrTooManyElements = 0x17,
    kCtap2ErrExtensionNotSupported = 0x18,
    kCtap2ErrCredentialExcluded = 0x19,
    // CTAP2 authenticator state, credential and PIN errors.
    kCtap2ErrProcesssing = 0x21,
    kCtap2ErrInvalidCredential = 0x22,
    kCtap2ErrUserActionPending = 0x23,
    kCtap2ErrOperationPending = 0x24,
    kCtap2ErrNoOperations = 0x25,
    kCtap2ErrUnsupportedAlgorithms = 0x26,
    kCtap2ErrOperationDenied = 0x27,
    kCtap2ErrKeyStoreFull = 0x28,
    kCtap2ErrNotBusy = 0x29,
    kCtap2ErrNoOperationPending = 0x2A,
    kCtap2ErrUnsupportedOption = 0x2B,
    kCtap2ErrInvalidOption = 0x2C,
    kCtap2ErrKeepAliveCancel = 0x2D,
    kCtap2ErrNoCredentials = 0x2E,
    kCtap2ErrUserActionTimeout = 0x2F,
    kCtap2ErrNotAllowed = 0x30,
    kCtap2ErrPinInvalid = 0x31,
    kCtap2ErrPinBlocked = 0x32,
    kCtap2ErrPinAuthInvalid = 0x33,
    kCtap2ErrPinAuthBlocked = 0x34,
    kCtap2ErrPinNotSet = 0x35,
    kCtap2ErrPinRequired = 0x36,
    kCtap2ErrPinPolicyViolation = 0x37,
    kCtap2ErrPinTokenExpired = 0x38,
    kCtap2ErrRequestTooLarge = 0x39,
    kCtap2ErrOther = 0x7F,
    // Range markers rather than individual codes: the spec reserves values up
    // to kCtap2ErrSpecLast, extensions use [kCtap2ErrExtensionFirst,
    // kCtap2ErrExtensionLast] and vendors use [kCtap2ErrVendorFirst,
    // kCtap2ErrVendorLast].
    kCtap2ErrSpecLast = 0xDF,
    kCtap2ErrExtensionFirst = 0xE0,
    kCtap2ErrExtensionLast = 0xEF,
    kCtap2ErrVendorFirst = 0xF0,
    kCtap2ErrVendorLast = 0xFF
};
107
// Validity check for a response code obtained by casting a raw,
// device-supplied byte: a uint8_t-backed enum can hold any value, so callers
// should reject (or treat as kCtap2ErrOther) anything this returns false for.
// Presumably true exactly for the enumerators of CtapDeviceResponseCode;
// see the definition in the corresponding .cpp.
bool isCtapDeviceResponseCode(CtapDeviceResponseCode);
109
// Commands supported by CTAPHID device as specified in
// https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html#ctaphid-commands
// The command byte of a CTAPHID initialization packet. Values are listed in
// the spec's order rather than numerically. As with response codes, a byte
// read from the device should be validated with isFidoHidDeviceCommand()
// (declared below) before it is interpreted.
enum class FidoHidDeviceCommand : uint8_t {
    kMsg = 0x03,        // Carries a U2F / CTAP1 APDU.
    kCbor = 0x10,       // Carries a CTAP2 CBOR-encoded request or response.
    kInit = 0x06,       // Channel allocation / synchronization.
    kPing = 0x01,       // Echo; used to test the transport.
    kCancel = 0x11,     // Cancel the outstanding request on this channel.
    kError = 0x3F,      // Transport-level error reported by the device.
    kKeepAlive = 0x3B,  // Device is still processing (e.g. waiting for touch).
    kWink = 0x08,       // Ask the device to identify itself to the user.
    kLock = 0x04,       // Hold the channel exclusively for a bounded time.
};
123
// Validity check for a command byte obtained by casting a raw,
// device-supplied byte to FidoHidDeviceCommand; presumably true exactly for
// the enumerators above. See the definition in the corresponding .cpp.
bool isFidoHidDeviceCommand(FidoHidDeviceCommand);
125
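// Parameters for fake U2F registration used to check for user presence.
// The values are fixed and carry no secret; the only requirement is that
// each is a well-formed 32-byte U2F parameter (see kU2fApplicationParamLength
// and kU2fChallengeParamLength above), which the static_asserts pin down.
constexpr uint8_t kBogusAppParam[] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};
static_assert(sizeof(kBogusAppParam) == 32, "U2F application parameter must be 32 bytes");

constexpr uint8_t kBogusChallenge[] = {
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42
};
static_assert(sizeof(kBogusChallenge) == 32, "U2F challenge parameter must be 32 bytes");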
138
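// String key values for CTAP request optional parameters and
// AuthenticatorGetInfo response.
// These are CBOR text-string map keys exchanged with the authenticator;
// they must match the spec byte-for-byte, so they are constexpr and must
// not be localized or otherwise rewritten.
constexpr char kResidentKeyMapKey[] = "rk";
constexpr char kUserVerificationMapKey[] = "uv";
constexpr char kUserPresenceMapKey[] = "up";
constexpr char kClientPinMapKey[] = "clientPin";
constexpr char kPlatformDeviceMapKey[] = "plat";
constexpr char kEntityIdMapKey[] = "id";
constexpr char kEntityNameMapKey[] = "name";
constexpr char kDisplayNameMapKey[] = "displayName";
constexpr char kIconUrlMapKey[] = "icon";
constexpr char kCredentialTypeMapKey[] = "type";
constexpr char kCredentialAlgorithmMapKey[] = "alg";
// Keys for storing credential descriptor information in CBOR map.
// Same spelling as kEntityIdMapKey / kCredentialTypeMapKey, kept as separate
// names because they key a different map (a credential descriptor).
constexpr char kCredentialIdKey[] = "id";
constexpr char kCredentialTypeKey[] = "type";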
155
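// HID transport specific constants (CTAPHID; see the spec linked with
// FidoHidDeviceCommand above).
constexpr size_t kHidPacketSize = 64;
// Channel ID used for CTAPHID_INIT before the device has assigned a channel.
constexpr uint32_t kHidBroadcastChannel = 0xffffffff;
// Initialization packet header: CID (4) + CMD (1) + BCNT (2).
constexpr size_t kHidInitPacketHeaderSize = 7;
// Continuation packet header: CID (4) + SEQ (1).
constexpr size_t kHidContinuationPacketHeader = 5;
constexpr size_t kHidMaxPacketSize = 64;
constexpr size_t kHidInitPacketDataSize = kHidMaxPacketSize - kHidInitPacketHeaderSize;
constexpr size_t kHidContinuationPacketDataSize = kHidMaxPacketSize - kHidContinuationPacketHeader;
constexpr size_t kHidInitResponseSize = 17;
constexpr size_t kHidInitNonceLength = 8;

// Largest lock time the CTAPHID_LOCK command accepts.
constexpr uint8_t kHidMaxLockSeconds = 10;

// Messages are limited to an initiation packet and 128 continuation packets.
// Presumably the bound applied when reassembling device-supplied fragments;
// verify at the use site that larger payloads are rejected rather than truncated.
constexpr size_t kHidMaxMessageSize = 7609;

// CTAP/U2F devices only provide a single report so specify a report ID of 0 here.
constexpr uint8_t kHidReportId = 0x00;

// Both packet-size constants describe the same 64-byte HID report; keep them in sync.
static_assert(kHidPacketSize == kHidMaxPacketSize, "HID packet size constants must agree");
// Pin the message bound to its derivation so the header sizes and the bound
// cannot drift apart.
static_assert(kHidMaxMessageSize == kHidInitPacketDataSize + 128 * kHidContinuationPacketDataSize,
    "kHidMaxMessageSize must equal one init packet plus 128 continuation packets of data");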
174
// U2F APDU encoding constants, as specified in
// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#authentication-messages

// P1 instructions.
// P1 byte of a U2F_AUTHENTICATE APDU: kP1EnforceUserPresenceAndSign requires
// a touch and returns a signature; kP1CheckOnly asks only whether the key
// handle belongs to this device (no touch, no signature).
constexpr uint8_t kP1EnforceUserPresenceAndSign = 0x03;
constexpr uint8_t kP1CheckOnly = 0x07;

// The key handle length is encoded in a single byte, hence 255.
constexpr size_t kMaxKeyHandleLength = 255;
183
// Authenticator API commands supported by CTAP devices, as specified in
// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticator-api
// First byte of a CTAP2 request (the command code that precedes the CBOR
// parameter map). Listed in the spec's order, not numerically.
enum class CtapRequestCommand : uint8_t {
    kAuthenticatorMakeCredential = 0x01,
    kAuthenticatorGetAssertion = 0x02,
    kAuthenticatorGetNextAssertion = 0x08,
    kAuthenticatorGetInfo = 0x04,
    kAuthenticatorClientPin = 0x06,
    kAuthenticatorReset = 0x07,  // Wipes the authenticator; must only be sent on an explicit user request.
};
194
// APDU instruction code for U2F request encoding.
// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#command-and-parameter-values
// INS byte of a U2F APDU. kVendorFirst..kVenderLast bound the range the spec
// reserves for vendor-specific instructions. The misspelled kVenderLast is
// part of the API and is kept as-is for source compatibility.
enum class U2fApduInstruction : uint8_t {
    kRegister = 0x01,
    kSign = 0x02,
    kVersion = 0x03,
    kVendorFirst = 0x40,
    kVenderLast = 0xBF,
};
204
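// String key values for attestation object as a response to MakeCredential
// request.
// CBOR map keys of the WebAuthn attestation object; spelling is fixed by the
// spec, so these are constexpr and must be reproduced exactly.
constexpr char kFormatKey[] = "fmt";
constexpr char kAttestationStatementKey[] = "attStmt";
constexpr char kAuthDataKey[] = "authData";
// "fmt" value for an attestation object with no attestation statement.
constexpr char kNoneAttestationValue[] = "none";

// String representation of public key credential enum.
// https://w3c.github.io/webauthn/#credentialType
constexpr char kPublicKey[] = "public-key";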
215
// Maps a WebCore::PublicKeyCredentialType to its WebAuthn string form
// (presumably kPublicKey above for the public-key type). The returned pointer
// is expected to refer to static storage; see the definition in the
// corresponding .cpp for what it returns on an unknown value.
const char* publicKeyCredentialTypeToString(WebCore::PublicKeyCredentialType);
217
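// FIXME: Add url to the official spec once it's standardized.
// Version strings reported by authenticators (e.g. in the AuthenticatorGetInfo
// "versions" list and the U2F_VERSION response); compared byte-for-byte.
constexpr char kCtap2Version[] = "FIDO_2_0";
constexpr char kU2fVersion[] = "U2F_V2";

// CTAPHID Usage Page and Usage
// https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html#hid-report-descriptor-and-device-discovery
// A HID device is treated as a FIDO authenticator only if its report
// descriptor declares this vendor-defined usage page and usage.
constexpr uint32_t kCTAPHIDUsagePage = 0xF1D0;
constexpr uint32_t kCTAPHIDUsage = 0x01;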
226
227} // namespace fido
228
229#endif // ENABLE(WEB_AUTHN)
230