diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
| commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
| tree | f435a8308119effd964b339f76abb83a57c29483 /dom/webauthn/authrs_bridge | |
| parent | Initial commit. (diff) | |
| download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip | |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'dom/webauthn/authrs_bridge')
| -rw-r--r-- | dom/webauthn/authrs_bridge/Cargo.toml | 24 | ||||
| -rw-r--r-- | dom/webauthn/authrs_bridge/src/about_webauthn_controller.rs | 166 | ||||
| -rw-r--r-- | dom/webauthn/authrs_bridge/src/lib.rs | 1534 | ||||
| -rw-r--r-- | dom/webauthn/authrs_bridge/src/test_token.rs | 974 |
4 files changed, 2698 insertions, 0 deletions
diff --git a/dom/webauthn/authrs_bridge/Cargo.toml b/dom/webauthn/authrs_bridge/Cargo.toml new file mode 100644 index 0000000000..44c690a2b1 --- /dev/null +++ b/dom/webauthn/authrs_bridge/Cargo.toml @@ -0,0 +1,24 @@ +[package] +name = "authrs_bridge" +version = "0.1.0" +edition = "2021" +authors = ["Martin Sirringhaus", "John Schanck"] + +[dependencies] +authenticator = { version = "0.4.0-alpha.24", features = ["gecko"] } +base64 = "^0.21" +cstr = "0.2" +log = "0.4" +moz_task = { path = "../../../xpcom/rust/moz_task" } +nserror = { path = "../../../xpcom/rust/nserror" } +nsstring = { path = "../../../xpcom/rust/nsstring" } +rand = "0.8" +serde = { version = "1", features = ["derive"] } +serde_cbor = "0.11" +serde_json = "1.0" +static_prefs = { path = "../../../modules/libpref/init/static_prefs" } +thin-vec = { version = "0.2.1", features = ["gecko-ffi"] } +xpcom = { path = "../../../xpcom/rust/xpcom" } + +[features] +fuzzing = [] diff --git a/dom/webauthn/authrs_bridge/src/about_webauthn_controller.rs b/dom/webauthn/authrs_bridge/src/about_webauthn_controller.rs new file mode 100644 index 0000000000..8d77a62df4 --- /dev/null +++ b/dom/webauthn/authrs_bridge/src/about_webauthn_controller.rs @@ -0,0 +1,166 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +use super::*; +use authenticator::{ + ctap2::commands::{PinUvAuthResult, StatusCode}, + errors::{CommandError, HIDError}, + BioEnrollmentCmd, CredManagementCmd, InteractiveRequest, InteractiveUpdate, PinError, +}; +use serde::{Deserialize, Serialize}; + +pub(crate) type InteractiveManagementReceiver = Option<Sender<InteractiveRequest>>; +pub(crate) fn send_about_prompt(prompt: &BrowserPromptType) -> Result<(), nsresult> { + let json = nsString::from(&serde_json::to_string(&prompt).unwrap_or_default()); + notify_observers(PromptTarget::AboutPage, json) +} + +// A wrapper around InteractiveRequest, that leaves out the PUAT +// so that we can easily de/serialize it to/from JSON for the JS-side +// and then add our cached PUAT, if we have one. +#[derive(Debug, Serialize, Deserialize)] +pub enum RequestWrapper { + Quit, + ChangePIN(Pin, Pin), + SetPIN(Pin), + CredentialManagement(CredManagementCmd), + BioEnrollment(BioEnrollmentCmd), +} + +pub(crate) fn authrs_to_prompt<'a>(e: AuthenticatorError) -> BrowserPromptType<'a> { + match e { + AuthenticatorError::PinError(PinError::PinIsTooShort) => BrowserPromptType::PinIsTooShort, + AuthenticatorError::PinError(PinError::PinNotSet) => BrowserPromptType::PinNotSet, + AuthenticatorError::PinError(PinError::PinRequired) => BrowserPromptType::PinRequired, + AuthenticatorError::PinError(PinError::PinIsTooLong(_)) => BrowserPromptType::PinIsTooLong, + AuthenticatorError::PinError(PinError::InvalidPin(r)) => { + BrowserPromptType::PinInvalid { retries: r } + } + AuthenticatorError::PinError(PinError::PinAuthBlocked) => BrowserPromptType::PinAuthBlocked, + AuthenticatorError::PinError(PinError::PinBlocked) => BrowserPromptType::DeviceBlocked, + AuthenticatorError::PinError(PinError::UvBlocked) => BrowserPromptType::UvBlocked, + AuthenticatorError::PinError(PinError::InvalidUv(r)) => { + BrowserPromptType::UvInvalid { retries: r } + } + AuthenticatorError::CancelledByUser + | AuthenticatorError::HIDError(HIDError::Command(CommandError::StatusCode( + StatusCode::KeepaliveCancel, + _, + ))) => BrowserPromptType::Cancel, + _ => BrowserPromptType::UnknownError, + } +} + +pub(crate) fn cache_puat( + transaction: Arc<Mutex<Option<TransactionState>>>, + puat: Option<PinUvAuthResult>, +) { + let mut guard = transaction.lock().unwrap(); + if let Some(transaction) = guard.as_mut() { + transaction.puat_cache = puat; + }; +} + +pub(crate) fn interactive_status_callback( + status_rx: Receiver<StatusUpdate>, + transaction: Arc<Mutex<Option<TransactionState>>>, /* Shared with an AuthrsTransport */ + upcoming_error: Arc<Mutex<Option<AuthenticatorError>>>, +) -> Result<(), nsresult> { + loop { + match status_rx.recv() { + Ok(StatusUpdate::InteractiveManagement(InteractiveUpdate::StartManagement(( + tx, + auth_info, + )))) => { + let mut guard = transaction.lock().unwrap(); + let Some(transaction) = guard.as_mut() else { + warn!("STATUS: received status update after end of transaction."); + break; + }; + transaction.interactive_receiver.replace(tx); + let prompt = BrowserPromptType::SelectedDevice { auth_info }; + send_about_prompt(&prompt)?; + } + Ok(StatusUpdate::InteractiveManagement( + InteractiveUpdate::CredentialManagementUpdate((cfg_result, puat_res)), + )) => { + cache_puat(transaction.clone(), puat_res); // We don't care if we fail here. Worst-case: User has to enter PIN more often. + let prompt = BrowserPromptType::CredentialManagementUpdate { result: cfg_result }; + send_about_prompt(&prompt)?; + continue; + } + Ok(StatusUpdate::InteractiveManagement(InteractiveUpdate::BioEnrollmentUpdate(( + bio_res, + puat_res, + )))) => { + cache_puat(transaction.clone(), puat_res); // We don't care if we fail here. Worst-case: User has to enter PIN more often. + let prompt = BrowserPromptType::BioEnrollmentUpdate { result: bio_res }; + send_about_prompt(&prompt)?; + continue; + } + Ok(StatusUpdate::SelectDeviceNotice) => { + info!("STATUS: Please select a device by touching one of them."); + let prompt = BrowserPromptType::SelectDevice; + send_about_prompt(&prompt)?; + } + Ok(StatusUpdate::PinUvError(e)) => { + let mut guard = transaction.lock().unwrap(); + let Some(transaction) = guard.as_mut() else { + warn!("STATUS: received status update after end of transaction."); + break; + }; + let autherr = match e { + StatusPinUv::PinRequired(pin_sender) => { + transaction.pin_receiver.replace((0, pin_sender)); + send_about_prompt(&BrowserPromptType::PinRequired)?; + continue; + } + StatusPinUv::InvalidPin(pin_sender, r) => { + transaction.pin_receiver.replace((0, pin_sender)); + send_about_prompt(&BrowserPromptType::PinInvalid { retries: r })?; + continue; + } + StatusPinUv::PinIsTooShort => { + AuthenticatorError::PinError(PinError::PinIsTooShort) + } + StatusPinUv::PinIsTooLong(s) => { + AuthenticatorError::PinError(PinError::PinIsTooLong(s)) + } + StatusPinUv::InvalidUv(r) => { + send_about_prompt(&BrowserPromptType::UvInvalid { retries: r })?; + continue; + } + StatusPinUv::PinAuthBlocked => { + AuthenticatorError::PinError(PinError::PinAuthBlocked) + } + StatusPinUv::PinBlocked => AuthenticatorError::PinError(PinError::PinBlocked), + StatusPinUv::PinNotSet => AuthenticatorError::PinError(PinError::PinNotSet), + StatusPinUv::UvBlocked => AuthenticatorError::PinError(PinError::UvBlocked), + }; + // We will cause auth-rs to return an error, once we leave this block + // due to us 'hanging up'. Before we do that, we will safe the actual + // error that caused this, so our callback-function can return the true + // error to JS, instead of "cancelled by user". + let guard = upcoming_error.lock(); + if let Ok(mut entry) = guard { + entry.replace(autherr); + } else { + return Err(NS_ERROR_DOM_INVALID_STATE_ERR); + } + warn!("STATUS: Pin Error {:?}", e); + break; + } + + Ok(_) => { + // currently not handled + continue; + } + Err(RecvError) => { + info!("STATUS: end"); + break; + } + } + } + Ok(()) +} diff --git a/dom/webauthn/authrs_bridge/src/lib.rs b/dom/webauthn/authrs_bridge/src/lib.rs new file mode 100644 index 0000000000..353e1e89a4 --- /dev/null +++ b/dom/webauthn/authrs_bridge/src/lib.rs @@ -0,0 +1,1534 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#[macro_use] +extern crate log; + +#[macro_use] +extern crate xpcom; + +use authenticator::{ + authenticatorservice::{RegisterArgs, SignArgs}, + ctap2::attestation::AttestationObject, + ctap2::commands::{get_info::AuthenticatorVersion, PinUvAuthResult}, + ctap2::server::{ + AuthenticationExtensionsClientInputs, AuthenticatorAttachment, + PublicKeyCredentialDescriptor, PublicKeyCredentialParameters, + PublicKeyCredentialUserEntity, RelyingParty, ResidentKeyRequirement, + UserVerificationRequirement, + }, + errors::AuthenticatorError, + statecallback::StateCallback, + AuthenticatorInfo, BioEnrollmentResult, CredentialManagementResult, InteractiveRequest, + ManageResult, Pin, RegisterResult, SignResult, StateMachine, StatusPinUv, StatusUpdate, +}; +use base64::Engine; +use cstr::cstr; +use moz_task::{get_main_thread, RunnableBuilder}; +use nserror::{ + nsresult, NS_ERROR_DOM_ABORT_ERR, NS_ERROR_DOM_INVALID_STATE_ERR, NS_ERROR_DOM_NOT_ALLOWED_ERR, + NS_ERROR_DOM_OPERATION_ERR, NS_ERROR_FAILURE, NS_ERROR_INVALID_ARG, NS_ERROR_NOT_AVAILABLE, + NS_ERROR_NOT_IMPLEMENTED, NS_ERROR_NULL_POINTER, NS_OK, +}; +use nsstring::{nsACString, nsAString, nsCString, nsString}; +use serde::Serialize; +use serde_cbor; +use serde_json::json; +use std::fmt::Write; +use std::sync::mpsc::{channel, Receiver, RecvError, Sender}; +use std::sync::{Arc, Mutex, MutexGuard}; +use thin_vec::{thin_vec, ThinVec}; +use xpcom::interfaces::{ + nsICredentialParameters, nsIObserverService, nsIWebAuthnAttObj, nsIWebAuthnAutoFillEntry, + nsIWebAuthnRegisterArgs, nsIWebAuthnRegisterPromise, nsIWebAuthnRegisterResult, + nsIWebAuthnService, nsIWebAuthnSignArgs, nsIWebAuthnSignPromise, nsIWebAuthnSignResult, +}; +use xpcom::{xpcom_method, RefPtr}; +mod about_webauthn_controller; +use about_webauthn_controller::*; +mod test_token; +use test_token::TestTokenManager; + +fn authrs_to_nserror(e: AuthenticatorError) -> nsresult { + match e { + AuthenticatorError::CredentialExcluded => NS_ERROR_DOM_INVALID_STATE_ERR, + _ => NS_ERROR_DOM_NOT_ALLOWED_ERR, + } +} + +fn should_cancel_prompts<T>(result: &Result<T, AuthenticatorError>) -> bool { + match result { + Err(AuthenticatorError::CredentialExcluded) | Err(AuthenticatorError::PinError(_)) => false, + _ => true, + } +} + +// Using serde(tag="type") makes it so that, for example, BrowserPromptType::Cancel is serialized +// as '{ type: "cancel" }', and BrowserPromptType::PinInvalid { retries: 5 } is serialized as +// '{type: "pin-invalid", retries: 5}'. +#[derive(Serialize)] +#[serde(tag = "type", rename_all = "kebab-case")] +enum BrowserPromptType<'a> { + AlreadyRegistered, + Cancel, + DeviceBlocked, + PinAuthBlocked, + PinNotSet, + Presence, + SelectDevice, + UvBlocked, + PinRequired, + SelectedDevice { + auth_info: Option<AuthenticatorInfo>, + }, + PinInvalid { + retries: Option<u8>, + }, + PinIsTooLong, + PinIsTooShort, + RegisterDirect, + UvInvalid { + retries: Option<u8>, + }, + SelectSignResult { + entities: &'a [PublicKeyCredentialUserEntity], + }, + ListenSuccess, + ListenError { + error: Box<BrowserPromptType<'a>>, + }, + CredentialManagementUpdate { + result: CredentialManagementResult, + }, + BioEnrollmentUpdate { + result: BioEnrollmentResult, + }, + UnknownError, +} + +#[derive(Debug)] +enum PromptTarget { + Browser, + AboutPage, +} + +#[derive(Serialize)] +struct BrowserPromptMessage<'a> { + prompt: BrowserPromptType<'a>, + tid: u64, + origin: Option<&'a str>, + #[serde(rename = "browsingContextId")] + browsing_context_id: Option<u64>, +} + +fn notify_observers(prompt_target: PromptTarget, json: nsString) -> Result<(), nsresult> { + let main_thread = get_main_thread()?; + let target = match prompt_target { + PromptTarget::Browser => cstr!("webauthn-prompt"), + PromptTarget::AboutPage => cstr!("about-webauthn-prompt"), + }; + + RunnableBuilder::new("AuthrsService::send_prompt", move || { + if let Ok(obs_svc) = xpcom::components::Observer::service::<nsIObserverService>() { + unsafe { + obs_svc.NotifyObservers(std::ptr::null(), target.as_ptr(), json.as_ptr()); + } + } + }) + .dispatch(main_thread.coerce()) +} + +fn send_prompt( + prompt: BrowserPromptType, + tid: u64, + origin: Option<&str>, + browsing_context_id: Option<u64>, +) -> Result<(), nsresult> { + let mut json = nsString::new(); + write!( + json, + "{}", + json!(&BrowserPromptMessage { + prompt, + tid, + origin, + browsing_context_id + }) + ) + .or(Err(NS_ERROR_FAILURE))?; + notify_observers(PromptTarget::Browser, json) +} + +fn cancel_prompts(tid: u64) -> Result<(), nsresult> { + send_prompt(BrowserPromptType::Cancel, tid, None, None)?; + Ok(()) +} + +#[xpcom(implement(nsIWebAuthnRegisterResult), atomic)] +pub struct WebAuthnRegisterResult { + result: RegisterResult, +} + +impl WebAuthnRegisterResult { + xpcom_method!(get_client_data_json => GetClientDataJSON() -> nsACString); + fn get_client_data_json(&self) -> Result<nsCString, nsresult> { + Err(NS_ERROR_NOT_AVAILABLE) + } + + xpcom_method!(get_attestation_object => GetAttestationObject() -> ThinVec<u8>); + fn get_attestation_object(&self) -> Result<ThinVec<u8>, nsresult> { + let mut out = ThinVec::new(); + serde_cbor::to_writer(&mut out, &self.result.att_obj).or(Err(NS_ERROR_FAILURE))?; + Ok(out) + } + + xpcom_method!(get_credential_id => GetCredentialId() -> ThinVec<u8>); + fn get_credential_id(&self) -> Result<ThinVec<u8>, nsresult> { + let Some(credential_data) = &self.result.att_obj.auth_data.credential_data else { + return Err(NS_ERROR_FAILURE); + }; + Ok(credential_data.credential_id.as_slice().into()) + } + + xpcom_method!(get_transports => GetTransports() -> ThinVec<nsString>); + fn get_transports(&self) -> Result<ThinVec<nsString>, nsresult> { + // The list that we return here might be included in a future GetAssertion request as a + // hint as to which transports to try. In production, we only support the "usb" transport. + // In tests, the result is not very important, but we can at least return "internal" if + // we're simulating platform attachment. + if static_prefs::pref!("security.webauth.webauthn_enable_softtoken") + && self.result.attachment == AuthenticatorAttachment::Platform + { + Ok(thin_vec![nsString::from("internal")]) + } else { + Ok(thin_vec![nsString::from("usb")]) + } + } + + xpcom_method!(get_hmac_create_secret => GetHmacCreateSecret() -> bool); + fn get_hmac_create_secret(&self) -> Result<bool, nsresult> { + let Some(hmac_create_secret) = self.result.extensions.hmac_create_secret else { + return Err(NS_ERROR_NOT_AVAILABLE); + }; + Ok(hmac_create_secret) + } + + xpcom_method!(get_cred_props_rk => GetCredPropsRk() -> bool); + fn get_cred_props_rk(&self) -> Result<bool, nsresult> { + let Some(cred_props) = &self.result.extensions.cred_props else { + return Err(NS_ERROR_NOT_AVAILABLE); + }; + Ok(cred_props.rk) + } + + xpcom_method!(set_cred_props_rk => SetCredPropsRk(aCredPropsRk: bool)); + fn set_cred_props_rk(&self, _cred_props_rk: bool) -> Result<(), nsresult> { + Err(NS_ERROR_NOT_IMPLEMENTED) + } + + xpcom_method!(get_authenticator_attachment => GetAuthenticatorAttachment() -> nsAString); + fn get_authenticator_attachment(&self) -> Result<nsString, nsresult> { + match self.result.attachment { + AuthenticatorAttachment::CrossPlatform => Ok(nsString::from("cross-platform")), + AuthenticatorAttachment::Platform => Ok(nsString::from("platform")), + AuthenticatorAttachment::Unknown => Err(NS_ERROR_NOT_AVAILABLE), + } + } +} + +#[xpcom(implement(nsIWebAuthnAttObj), atomic)] +pub struct WebAuthnAttObj { + att_obj: AttestationObject, +} + +impl WebAuthnAttObj { + xpcom_method!(get_attestation_object => GetAttestationObject() -> ThinVec<u8>); + fn get_attestation_object(&self) -> Result<ThinVec<u8>, nsresult> { + let mut out = ThinVec::new(); + serde_cbor::to_writer(&mut out, &self.att_obj).or(Err(NS_ERROR_FAILURE))?; + Ok(out) + } + + xpcom_method!(get_authenticator_data => GetAuthenticatorData() -> ThinVec<u8>); + fn get_authenticator_data(&self) -> Result<ThinVec<u8>, nsresult> { + // TODO(https://github.com/mozilla/authenticator-rs/issues/302) use to_writer + Ok(self.att_obj.auth_data.to_vec().into()) + } + + xpcom_method!(get_public_key => GetPublicKey() -> ThinVec<u8>); + fn get_public_key(&self) -> Result<ThinVec<u8>, nsresult> { + let Some(credential_data) = &self.att_obj.auth_data.credential_data else { + return Err(NS_ERROR_FAILURE); + }; + Ok(credential_data + .credential_public_key + .der_spki() + .or(Err(NS_ERROR_NOT_AVAILABLE))? + .into()) + } + + xpcom_method!(get_public_key_algorithm => GetPublicKeyAlgorithm() -> i32); + fn get_public_key_algorithm(&self) -> Result<i32, nsresult> { + let Some(credential_data) = &self.att_obj.auth_data.credential_data else { + return Err(NS_ERROR_FAILURE); + }; + // safe to cast to i32 by inspection of defined values + Ok(credential_data.credential_public_key.alg as i32) + } +} + +#[xpcom(implement(nsIWebAuthnSignResult), atomic)] +pub struct WebAuthnSignResult { + result: SignResult, +} + +impl WebAuthnSignResult { + xpcom_method!(get_client_data_json => GetClientDataJSON() -> nsACString); + fn get_client_data_json(&self) -> Result<nsCString, nsresult> { + Err(NS_ERROR_NOT_AVAILABLE) + } + + xpcom_method!(get_credential_id => GetCredentialId() -> ThinVec<u8>); + fn get_credential_id(&self) -> Result<ThinVec<u8>, nsresult> { + let Some(cred) = &self.result.assertion.credentials else { + return Err(NS_ERROR_FAILURE); + }; + Ok(cred.id.as_slice().into()) + } + + xpcom_method!(get_signature => GetSignature() -> ThinVec<u8>); + fn get_signature(&self) -> Result<ThinVec<u8>, nsresult> { + Ok(self.result.assertion.signature.as_slice().into()) + } + + xpcom_method!(get_authenticator_data => GetAuthenticatorData() -> ThinVec<u8>); + fn get_authenticator_data(&self) -> Result<ThinVec<u8>, nsresult> { + Ok(self.result.assertion.auth_data.to_vec().into()) + } + + xpcom_method!(get_user_handle => GetUserHandle() -> ThinVec<u8>); + fn get_user_handle(&self) -> Result<ThinVec<u8>, nsresult> { + let Some(user) = &self.result.assertion.user else { + return Err(NS_ERROR_NOT_AVAILABLE); + }; + Ok(user.id.as_slice().into()) + } + + xpcom_method!(get_user_name => GetUserName() -> nsACString); + fn get_user_name(&self) -> Result<nsCString, nsresult> { + let Some(user) = &self.result.assertion.user else { + return Err(NS_ERROR_NOT_AVAILABLE); + }; + let Some(name) = &user.name else { + return Err(NS_ERROR_NOT_AVAILABLE); + }; + Ok(nsCString::from(name)) + } + + xpcom_method!(get_authenticator_attachment => GetAuthenticatorAttachment() -> nsAString); + fn get_authenticator_attachment(&self) -> Result<nsString, nsresult> { + match self.result.attachment { + AuthenticatorAttachment::CrossPlatform => Ok(nsString::from("cross-platform")), + AuthenticatorAttachment::Platform => Ok(nsString::from("platform")), + AuthenticatorAttachment::Unknown => Err(NS_ERROR_NOT_AVAILABLE), + } + } + + xpcom_method!(get_used_app_id => GetUsedAppId() -> bool); + fn get_used_app_id(&self) -> Result<bool, nsresult> { + self.result.extensions.app_id.ok_or(NS_ERROR_NOT_AVAILABLE) + } + + xpcom_method!(set_used_app_id => SetUsedAppId(aUsedAppId: bool)); + fn set_used_app_id(&self, _used_app_id: bool) -> Result<(), nsresult> { + Err(NS_ERROR_NOT_IMPLEMENTED) + } +} + +// A transaction may create a channel to ask a user for additional input, e.g. a PIN. The Sender +// component of this channel is sent to an AuthrsServide in a StatusUpdate. AuthrsService +// caches the sender along with the expected (u64) transaction ID, which is used as a consistency +// check in callbacks. +type PinReceiver = Option<(u64, Sender<Pin>)>; +type SelectionReceiver = Option<(u64, Sender<Option<usize>>)>; + +fn status_callback( + status_rx: Receiver<StatusUpdate>, + tid: u64, + origin: &String, + browsing_context_id: u64, + transaction: Arc<Mutex<Option<TransactionState>>>, /* Shared with an AuthrsService */ +) -> Result<(), nsresult> { + let origin = Some(origin.as_str()); + let browsing_context_id = Some(browsing_context_id); + loop { + match status_rx.recv() { + Ok(StatusUpdate::SelectDeviceNotice) => { + debug!("STATUS: Please select a device by touching one of them."); + send_prompt( + BrowserPromptType::SelectDevice, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PresenceRequired) => { + debug!("STATUS: Waiting for user presence"); + send_prompt( + BrowserPromptType::Presence, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PinUvError(StatusPinUv::PinRequired(sender))) => { + let mut guard = transaction.lock().unwrap(); + let Some(transaction) = guard.as_mut() else { + warn!("STATUS: received status update after end of transaction."); + break; + }; + transaction.pin_receiver.replace((tid, sender)); + send_prompt( + BrowserPromptType::PinRequired, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PinUvError(StatusPinUv::InvalidPin(sender, retries))) => { + let mut guard = transaction.lock().unwrap(); + let Some(transaction) = guard.as_mut() else { + warn!("STATUS: received status update after end of transaction."); + break; + }; + transaction.pin_receiver.replace((tid, sender)); + send_prompt( + BrowserPromptType::PinInvalid { retries }, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PinUvError(StatusPinUv::PinAuthBlocked)) => { + send_prompt( + BrowserPromptType::PinAuthBlocked, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PinUvError(StatusPinUv::PinBlocked)) => { + send_prompt( + BrowserPromptType::DeviceBlocked, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PinUvError(StatusPinUv::PinNotSet)) => { + send_prompt( + BrowserPromptType::PinNotSet, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PinUvError(StatusPinUv::InvalidUv(retries))) => { + send_prompt( + BrowserPromptType::UvInvalid { retries }, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PinUvError(StatusPinUv::UvBlocked)) => { + send_prompt( + BrowserPromptType::UvBlocked, + tid, + origin, + browsing_context_id, + )?; + } + Ok(StatusUpdate::PinUvError(StatusPinUv::PinIsTooShort)) + | Ok(StatusUpdate::PinUvError(StatusPinUv::PinIsTooLong(..))) => { + // These should never happen. + warn!("STATUS: Got unexpected StatusPinUv-error."); + } + Ok(StatusUpdate::InteractiveManagement(_)) => { + debug!("STATUS: interactive management"); + } + Ok(StatusUpdate::SelectResultNotice(sender, entities)) => { + debug!("STATUS: select result notice"); + let mut guard = transaction.lock().unwrap(); + let Some(transaction) = guard.as_mut() else { + warn!("STATUS: received status update after end of transaction."); + break; + }; + transaction.selection_receiver.replace((tid, sender)); + send_prompt( + BrowserPromptType::SelectSignResult { + entities: &entities, + }, + tid, + origin, + browsing_context_id, + )?; + } + Err(RecvError) => { + debug!("STATUS: end"); + break; + } + } + } + Ok(()) +} + +#[derive(Clone)] +struct RegisterPromise(RefPtr<nsIWebAuthnRegisterPromise>); + +impl RegisterPromise { + fn resolve_or_reject(&self, result: Result<RegisterResult, nsresult>) -> Result<(), nsresult> { + match result { + Ok(result) => { + let wrapped_result = + WebAuthnRegisterResult::allocate(InitWebAuthnRegisterResult { result }) + .query_interface::<nsIWebAuthnRegisterResult>() + .ok_or(NS_ERROR_FAILURE)?; + unsafe { self.0.Resolve(wrapped_result.coerce()) }; + } + Err(result) => { + unsafe { self.0.Reject(result) }; + } + } + Ok(()) + } +} + +#[derive(Clone)] +struct SignPromise(RefPtr<nsIWebAuthnSignPromise>); + +impl SignPromise { + fn resolve_or_reject(&self, result: Result<SignResult, nsresult>) -> Result<(), nsresult> { + match result { + Ok(result) => { + let wrapped_result = + WebAuthnSignResult::allocate(InitWebAuthnSignResult { result }) + .query_interface::<nsIWebAuthnSignResult>() + .ok_or(NS_ERROR_FAILURE)?; + unsafe { self.0.Resolve(wrapped_result.coerce()) }; + } + Err(result) => { + unsafe { self.0.Reject(result) }; + } + } + Ok(()) + } +} + +#[derive(Clone)] +enum TransactionPromise { + Listen, + Register(RegisterPromise), + Sign(SignPromise), +} + +impl TransactionPromise { + fn reject(&self, err: nsresult) -> Result<(), nsresult> { + match self { + TransactionPromise::Listen => Ok(()), + TransactionPromise::Register(promise) => promise.resolve_or_reject(Err(err)), + TransactionPromise::Sign(promise) => promise.resolve_or_reject(Err(err)), + } + } +} + +enum TransactionArgs { + Register(/* timeout */ u64, RegisterArgs), + Sign(/* timeout */ u64, SignArgs), +} + +struct TransactionState { + tid: u64, + browsing_context_id: u64, + pending_args: Option<TransactionArgs>, + promise: TransactionPromise, + pin_receiver: PinReceiver, + selection_receiver: SelectionReceiver, + interactive_receiver: InteractiveManagementReceiver, + puat_cache: Option<PinUvAuthResult>, // Cached credential to avoid repeated PIN-entries +} + +// AuthrsService provides an nsIWebAuthnService built on top of authenticator-rs. +#[xpcom(implement(nsIWebAuthnService), atomic)] +pub struct AuthrsService { + usb_token_manager: Mutex<StateMachine>, + test_token_manager: TestTokenManager, + transaction: Arc<Mutex<Option<TransactionState>>>, +} + +impl AuthrsService { + xpcom_method!(pin_callback => PinCallback(aTransactionId: u64, aPin: *const nsACString)); + fn pin_callback(&self, transaction_id: u64, pin: &nsACString) -> Result<(), nsresult> { + if static_prefs::pref!("security.webauth.webauthn_enable_usbtoken") { + let mut guard = self.transaction.lock().unwrap(); + let Some(transaction) = guard.as_mut() else { + // No ongoing transaction + return Err(NS_ERROR_FAILURE); + }; + let Some((tid, channel)) = transaction.pin_receiver.take() else { + // We weren't expecting a pin. + return Err(NS_ERROR_FAILURE); + }; + if tid != transaction_id { + // The browser is confused about which transaction is active. + // This shouldn't happen + return Err(NS_ERROR_FAILURE); + } + channel + .send(Pin::new(&pin.to_string())) + .or(Err(NS_ERROR_FAILURE)) + } else { + // Silently accept request, if all webauthn-options are disabled. + // Used for testing. + Ok(()) + } + } + + xpcom_method!(selection_callback => SelectionCallback(aTransactionId: u64, aSelection: u64)); + fn selection_callback(&self, transaction_id: u64, selection: u64) -> Result<(), nsresult> { + let mut guard = self.transaction.lock().unwrap(); + let Some(transaction) = guard.as_mut() else { + // No ongoing transaction + return Err(NS_ERROR_FAILURE); + }; + let Some((tid, channel)) = transaction.selection_receiver.take() else { + // We weren't expecting a selection. + return Err(NS_ERROR_FAILURE); + }; + if tid != transaction_id { + // The browser is confused about which transaction is active. + // This shouldn't happen + return Err(NS_ERROR_FAILURE); + } + channel + .send(Some(selection as usize)) + .or(Err(NS_ERROR_FAILURE)) + } + + xpcom_method!(get_is_uvpaa => GetIsUVPAA() -> bool); + fn get_is_uvpaa(&self) -> Result<bool, nsresult> { + if static_prefs::pref!("security.webauth.webauthn_enable_usbtoken") { + Ok(false) + } else if static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + Ok(self.test_token_manager.has_platform_authenticator()) + } else { + Err(NS_ERROR_NOT_AVAILABLE) + } + } + + xpcom_method!(make_credential => MakeCredential(aTid: u64, aBrowsingContextId: u64, aArgs: *const nsIWebAuthnRegisterArgs, aPromise: *const nsIWebAuthnRegisterPromise)); + fn make_credential( + &self, + tid: u64, + browsing_context_id: u64, + args: &nsIWebAuthnRegisterArgs, + promise: &nsIWebAuthnRegisterPromise, + ) -> Result<(), nsresult> { + self.reset()?; + + let promise = RegisterPromise(RefPtr::new(promise)); + + let mut origin = nsString::new(); + unsafe { args.GetOrigin(&mut *origin) }.to_result()?; + + let mut relying_party_id = nsString::new(); + unsafe { args.GetRpId(&mut *relying_party_id) }.to_result()?; + + let mut client_data_hash = ThinVec::new(); + unsafe { args.GetClientDataHash(&mut client_data_hash) }.to_result()?; + let mut client_data_hash_arr = [0u8; 32]; + client_data_hash_arr.copy_from_slice(&client_data_hash); + + let mut timeout_ms = 0u32; + unsafe { args.GetTimeoutMS(&mut timeout_ms) }.to_result()?; + + let mut exclude_list = ThinVec::new(); + unsafe { args.GetExcludeList(&mut exclude_list) }.to_result()?; + let exclude_list = exclude_list + .iter_mut() + .map(|id| PublicKeyCredentialDescriptor { + id: id.to_vec(), + transports: vec![], + }) + .collect(); + + let mut relying_party_name = nsString::new(); + unsafe { args.GetRpName(&mut *relying_party_name) }.to_result()?; + + let mut user_id = ThinVec::new(); + unsafe { args.GetUserId(&mut user_id) }.to_result()?; + + let mut user_name = nsString::new(); + unsafe { args.GetUserName(&mut *user_name) }.to_result()?; + + let mut user_display_name = nsString::new(); + unsafe { args.GetUserDisplayName(&mut *user_display_name) }.to_result()?; + + let mut cose_algs = ThinVec::new(); + unsafe { args.GetCoseAlgs(&mut cose_algs) }.to_result()?; + let pub_cred_params = cose_algs + .iter() + .filter_map(|alg| PublicKeyCredentialParameters::try_from(*alg).ok()) + .collect(); + + let mut resident_key = nsString::new(); + unsafe { args.GetResidentKey(&mut *resident_key) }.to_result()?; + let resident_key_req = if resident_key.eq("required") { + ResidentKeyRequirement::Required + } else if resident_key.eq("preferred") { + ResidentKeyRequirement::Preferred + } else if resident_key.eq("discouraged") { + ResidentKeyRequirement::Discouraged + } else { + return Err(NS_ERROR_FAILURE); + }; + + let mut user_verification = nsString::new(); + unsafe { args.GetUserVerification(&mut *user_verification) }.to_result()?; + let user_verification_req = if user_verification.eq("required") { + UserVerificationRequirement::Required + } else if user_verification.eq("discouraged") { + UserVerificationRequirement::Discouraged + } else { + UserVerificationRequirement::Preferred + }; + + let mut authenticator_attachment = nsString::new(); + if unsafe { args.GetAuthenticatorAttachment(&mut *authenticator_attachment) } + .to_result() + .is_ok() + { + if authenticator_attachment.eq("platform") { + return Err(NS_ERROR_FAILURE); + } + } + + let mut attestation_conveyance_preference = nsString::new(); + unsafe { args.GetAttestationConveyancePreference(&mut *attestation_conveyance_preference) } + .to_result()?; + let none_attestation = !(attestation_conveyance_preference.eq("indirect") + || attestation_conveyance_preference.eq("direct") + || attestation_conveyance_preference.eq("enterprise")); + + let mut cred_props = false; + unsafe { args.GetCredProps(&mut cred_props) }.to_result()?; + + let mut min_pin_length = false; + unsafe { args.GetMinPinLength(&mut min_pin_length) }.to_result()?; + + // TODO(Bug 1593571) - Add this to the extensions + // let mut hmac_create_secret = None; + // let mut maybe_hmac_create_secret = false; + // match unsafe { args.GetHmacCreateSecret(&mut maybe_hmac_create_secret) }.to_result() { + // Ok(_) => hmac_create_secret = Some(maybe_hmac_create_secret), + // _ => (), + // } + + let origin = origin.to_string(); + let info = RegisterArgs { + client_data_hash: client_data_hash_arr, + relying_party: RelyingParty { + id: relying_party_id.to_string(), + name: None, + }, + origin: origin.clone(), + user: PublicKeyCredentialUserEntity { + id: user_id.to_vec(), + name: Some(user_name.to_string()), + display_name: None, + }, + pub_cred_params, + exclude_list, + user_verification_req, + resident_key_req, + extensions: AuthenticationExtensionsClientInputs { + cred_props: cred_props.then_some(true), + min_pin_length: min_pin_length.then_some(true), + ..Default::default() + }, + pin: None, + use_ctap1_fallback: !static_prefs::pref!("security.webauthn.ctap2"), + }; + + *self.transaction.lock().unwrap() = Some(TransactionState { + tid, + browsing_context_id, + pending_args: Some(TransactionArgs::Register(timeout_ms as u64, info)), + promise: TransactionPromise::Register(promise), + pin_receiver: None, + selection_receiver: None, + interactive_receiver: None, + puat_cache: None, + }); + + if none_attestation + || static_prefs::pref!("security.webauth.webauthn_testing_allow_direct_attestation") + { + self.resume_make_credential(tid, none_attestation) + } else { + send_prompt( + BrowserPromptType::RegisterDirect, + tid, + Some(&origin), + Some(browsing_context_id), + ) + } + } + + xpcom_method!(resume_make_credential => ResumeMakeCredential(aTid: u64, aForceNoneAttestation: bool)); + fn resume_make_credential( + &self, + tid: u64, + force_none_attestation: bool, + ) -> Result<(), nsresult> { + let mut guard = self.transaction.lock().unwrap(); + let Some(state) = guard.as_mut() else { + return Err(NS_ERROR_FAILURE); + }; + if state.tid != tid { + return Err(NS_ERROR_FAILURE); + }; + let browsing_context_id = state.browsing_context_id; + let Some(TransactionArgs::Register(timeout_ms, info)) = state.pending_args.take() else { + return Err(NS_ERROR_FAILURE); + }; + // We have to drop the guard here, as there _may_ still be another operation + // ongoing and `register()` below will try to cancel it. This will call the state + // callback of that operation, which in turn may try to access `transaction`, deadlocking. + drop(guard); + + let (status_tx, status_rx) = channel::<StatusUpdate>(); + let status_transaction = self.transaction.clone(); + let status_origin = info.origin.clone(); + RunnableBuilder::new("AuthrsService::MakeCredential::StatusReceiver", move || { + let _ = status_callback( + status_rx, + tid, + &status_origin, + browsing_context_id, + status_transaction, + ); + }) + .may_block(true) + .dispatch_background_task()?; + + let callback_transaction = self.transaction.clone(); + let callback_origin = info.origin.clone(); + let state_callback = StateCallback::<Result<RegisterResult, AuthenticatorError>>::new( + Box::new(move |mut result| { + let mut guard = callback_transaction.lock().unwrap(); + let Some(state) = guard.as_mut() else { + return; + }; + if state.tid != tid { + return; + } + let TransactionPromise::Register(ref promise) = state.promise else { + return; + }; + if let Ok(inner) = result.as_mut() { + // Tokens always provide attestation, but the user may have asked we not + // include the attestation statement in the response. + if force_none_attestation { + inner.att_obj.anonymize(); + } + } + if let Err(AuthenticatorError::CredentialExcluded) = result { + let _ = send_prompt( + BrowserPromptType::AlreadyRegistered, + tid, + Some(&callback_origin), + Some(browsing_context_id), + ); + } + if should_cancel_prompts(&result) { + // Some errors are accompanied by prompts that should persist after the + // operation terminates. + let _ = cancel_prompts(tid); + } + let _ = promise.resolve_or_reject(result.map_err(authrs_to_nserror)); + *guard = None; + }), + ); + + // The authenticator crate provides an `AuthenticatorService` which can dispatch a request + // in parallel to any number of transports. We only support the USB transport in production + // configurations, so we do not need the full generality of `AuthenticatorService` here. + // We disable the USB transport in tests that use virtual devices. + if static_prefs::pref!("security.webauth.webauthn_enable_usbtoken") { + // TODO(Bug 1855290) Remove this presence prompt + send_prompt( + BrowserPromptType::Presence, + tid, + Some(&info.origin), + Some(browsing_context_id), + )?; + self.usb_token_manager.lock().unwrap().register( + timeout_ms, + info, + status_tx, + state_callback, + ); + } else if static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + self.test_token_manager + .register(timeout_ms, info, status_tx, state_callback); + } else { + return Err(NS_ERROR_FAILURE); + } + + Ok(()) + } + + xpcom_method!(get_assertion => GetAssertion(aTid: u64, aBrowsingContextId: u64, aArgs: *const nsIWebAuthnSignArgs, aPromise: *const nsIWebAuthnSignPromise)); + fn get_assertion( + &self, + tid: u64, + browsing_context_id: u64, + args: &nsIWebAuthnSignArgs, + promise: &nsIWebAuthnSignPromise, + ) -> Result<(), nsresult> { + self.reset()?; + + let promise = SignPromise(RefPtr::new(promise)); + + let mut origin = nsString::new(); + unsafe { args.GetOrigin(&mut *origin) }.to_result()?; + + let mut relying_party_id = nsString::new(); + unsafe { args.GetRpId(&mut *relying_party_id) }.to_result()?; + + let mut client_data_hash = ThinVec::new(); + unsafe { args.GetClientDataHash(&mut client_data_hash) }.to_result()?; + let mut client_data_hash_arr = [0u8; 32]; + client_data_hash_arr.copy_from_slice(&client_data_hash); + + let mut timeout_ms = 0u32; + unsafe { args.GetTimeoutMS(&mut timeout_ms) }.to_result()?; + + let mut allow_list = ThinVec::new(); + unsafe { args.GetAllowList(&mut allow_list) }.to_result()?; + let allow_list = allow_list + .iter() + .map(|id| PublicKeyCredentialDescriptor { + id: id.to_vec(), + transports: vec![], + }) + .collect(); + + let mut user_verification = nsString::new(); + unsafe { args.GetUserVerification(&mut *user_verification) }.to_result()?; + let user_verification_req = if user_verification.eq("required") { + UserVerificationRequirement::Required + } else if user_verification.eq("discouraged") { + UserVerificationRequirement::Discouraged + } else { + UserVerificationRequirement::Preferred + }; + + let mut app_id = None; + let mut maybe_app_id = nsString::new(); + match unsafe { args.GetAppId(&mut *maybe_app_id) }.to_result() { + Ok(_) => app_id = Some(maybe_app_id.to_string()), + _ => (), + } + + let mut conditionally_mediated = false; + unsafe { args.GetConditionallyMediated(&mut conditionally_mediated) }.to_result()?; + + let info = SignArgs { + client_data_hash: client_data_hash_arr, + relying_party_id: relying_party_id.to_string(), + origin: origin.to_string(), + allow_list, + user_verification_req, + user_presence_req: true, + extensions: AuthenticationExtensionsClientInputs { + app_id, + ..Default::default() + }, + pin: None, + use_ctap1_fallback: !static_prefs::pref!("security.webauthn.ctap2"), + }; + + let mut guard = self.transaction.lock().unwrap(); + *guard = Some(TransactionState { + tid, + browsing_context_id, + pending_args: Some(TransactionArgs::Sign(timeout_ms as u64, info)), + promise: TransactionPromise::Sign(promise), + pin_receiver: None, + selection_receiver: None, + interactive_receiver: None, + puat_cache: None, + }); + + if !conditionally_mediated { + // Immediately proceed to the modal UI flow. + self.do_get_assertion(None, guard) + } else { + // Cache the request and wait for the conditional UI to request autofill entries, etc. + Ok(()) + } + } + + fn do_get_assertion( + &self, + mut selected_credential_id: Option<Vec<u8>>, + mut guard: MutexGuard<Option<TransactionState>>, + ) -> Result<(), nsresult> { + let Some(state) = guard.as_mut() else { + return Err(NS_ERROR_FAILURE); + }; + let browsing_context_id = state.browsing_context_id; + let tid = state.tid; + let (timeout_ms, mut info) = match state.pending_args.take() { + Some(TransactionArgs::Sign(timeout_ms, info)) => (timeout_ms, info), + _ => return Err(NS_ERROR_FAILURE), + }; + + if let Some(id) = selected_credential_id.take() { + if info.allow_list.is_empty() { + info.allow_list.push(PublicKeyCredentialDescriptor { + id, + transports: vec![], + }); + } else { + // We need to ensure that the selected credential id + // was in the original allow_list. + info.allow_list.retain(|cred| cred.id == id); + if info.allow_list.is_empty() { + return Err(NS_ERROR_FAILURE); + } + } + } + + let (status_tx, status_rx) = channel::<StatusUpdate>(); + let status_transaction = self.transaction.clone(); + let status_origin = info.origin.to_string(); + RunnableBuilder::new("AuthrsService::GetAssertion::StatusReceiver", move || { + let _ = status_callback( + status_rx, + tid, + &status_origin, + browsing_context_id, + status_transaction, + ); + }) + .may_block(true) + .dispatch_background_task()?; + + let uniq_allowed_cred = if info.allow_list.len() == 1 { + info.allow_list.first().cloned() + } else { + None + }; + + let callback_transaction = self.transaction.clone(); + let state_callback = StateCallback::<Result<SignResult, AuthenticatorError>>::new( + Box::new(move |mut result| { + let mut guard = callback_transaction.lock().unwrap(); + let Some(state) = guard.as_mut() else { + return; + }; + if state.tid != tid { + return; + } + let TransactionPromise::Sign(ref promise) = state.promise else { + return; + }; + if uniq_allowed_cred.is_some() { + // In CTAP 2.0, but not CTAP 2.1, the assertion object's credential field + // "May be omitted if the allowList has exactly one credential." If we had + // a unique allowed credential, then copy its descriptor to the output. + if let Ok(inner) = result.as_mut() { + inner.assertion.credentials = uniq_allowed_cred; + } + } + if should_cancel_prompts(&result) { + // Some errors are accompanied by prompts that should persist after the + // operation terminates. + let _ = cancel_prompts(tid); + } + let _ = promise.resolve_or_reject(result.map_err(authrs_to_nserror)); + *guard = None; + }), + ); + + // TODO(Bug 1855290) Remove this presence prompt + send_prompt( + BrowserPromptType::Presence, + tid, + Some(&info.origin), + Some(browsing_context_id), + )?; + + // As in `register`, we are intentionally avoiding `AuthenticatorService` here. + if static_prefs::pref!("security.webauth.webauthn_enable_usbtoken") { + self.usb_token_manager.lock().unwrap().sign( + timeout_ms as u64, + info, + status_tx, + state_callback, + ); + } else if static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + self.test_token_manager + .sign(timeout_ms as u64, info, status_tx, state_callback); + } else { + return Err(NS_ERROR_FAILURE); + } + + Ok(()) + } + + xpcom_method!(has_pending_conditional_get => HasPendingConditionalGet(aBrowsingContextId: u64, aOrigin: *const nsAString) -> u64); + fn has_pending_conditional_get( + &self, + browsing_context_id: u64, + origin: &nsAString, + ) -> Result<u64, nsresult> { + let mut guard = self.transaction.lock().unwrap(); + let Some(state) = guard.as_mut() else { + return Ok(0); + }; + let Some(TransactionArgs::Sign(_, info)) = state.pending_args.as_ref() else { + return Ok(0); + }; + if state.browsing_context_id != browsing_context_id { + return Ok(0); + } + if !info.origin.eq(&origin.to_string()) { + return Ok(0); + } + Ok(state.tid) + } + + xpcom_method!(get_autofill_entries => GetAutoFillEntries(aTransactionId: u64) -> ThinVec<Option<RefPtr<nsIWebAuthnAutoFillEntry>>>); + fn get_autofill_entries( + &self, + tid: u64, + ) -> Result<ThinVec<Option<RefPtr<nsIWebAuthnAutoFillEntry>>>, nsresult> { + let mut guard = self.transaction.lock().unwrap(); + let Some(state) = guard.as_mut() else { + return Err(NS_ERROR_NOT_AVAILABLE); + }; + if state.tid != tid { + return Err(NS_ERROR_NOT_AVAILABLE); + } + let Some(TransactionArgs::Sign(_, info)) = state.pending_args.as_ref() else { + return Err(NS_ERROR_NOT_AVAILABLE); + }; + if static_prefs::pref!("security.webauth.webauthn_enable_usbtoken") { + // We don't currently support silent discovery for credentials on USB tokens. + return Ok(thin_vec![]); + } else if static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + return self + .test_token_manager + .get_autofill_entries(&info.relying_party_id, &info.allow_list); + } else { + return Err(NS_ERROR_FAILURE); + } + } + + xpcom_method!(select_autofill_entry => SelectAutoFillEntry(aTid: u64, aCredentialId: *const ThinVec<u8>)); + fn select_autofill_entry(&self, tid: u64, credential_id: &ThinVec<u8>) -> Result<(), nsresult> { + let mut guard = self.transaction.lock().unwrap(); + let Some(state) = guard.as_mut() else { + return Err(NS_ERROR_FAILURE); + }; + if tid != state.tid { + return Err(NS_ERROR_FAILURE); + } + self.do_get_assertion(Some(credential_id.to_vec()), guard) + } + + xpcom_method!(resume_conditional_get => ResumeConditionalGet(aTid: u64)); + fn resume_conditional_get(&self, tid: u64) -> Result<(), nsresult> { + let mut guard = self.transaction.lock().unwrap(); + let Some(state) = guard.as_mut() else { + return Err(NS_ERROR_FAILURE); + }; + if tid != state.tid { + return Err(NS_ERROR_FAILURE); + } + self.do_get_assertion(None, guard) + } + + // Clears the transaction state if tid matches the ongoing transaction ID. + // Returns whether the tid was a match. + fn clear_transaction(&self, tid: u64) -> bool { + let mut guard = self.transaction.lock().unwrap(); + let Some(state) = guard.as_ref() else { + return true; // workaround for Bug 1864526. + }; + if state.tid != tid { + // Ignore the cancellation request if the transaction + // ID does not match. + return false; + } + // It's possible that we haven't dispatched the request to the usb_token_manager yet, + // e.g. if we're waiting for resume_make_credential. So reject the promise and drop the + // state here rather than from the StateCallback + let _ = state.promise.reject(NS_ERROR_DOM_NOT_ALLOWED_ERR); + *guard = None; + true + } + + xpcom_method!(cancel => Cancel(aTransactionId: u64)); + fn cancel(&self, tid: u64) -> Result<(), nsresult> { + if self.clear_transaction(tid) { + self.usb_token_manager.lock().unwrap().cancel(); + } + Ok(()) + } + + xpcom_method!(reset => Reset()); + fn reset(&self) -> Result<(), nsresult> { + { + if let Some(state) = self.transaction.lock().unwrap().take() { + cancel_prompts(state.tid)?; + state.promise.reject(NS_ERROR_DOM_ABORT_ERR)?; + } + } // release the transaction lock so a StateCallback can take it + self.usb_token_manager.lock().unwrap().cancel(); + Ok(()) + } + + xpcom_method!( + add_virtual_authenticator => AddVirtualAuthenticator( + protocol: *const nsACString, + transport: *const nsACString, + hasResidentKey: bool, + hasUserVerification: bool, + isUserConsenting: bool, + isUserVerified: bool) -> u64 + ); + fn add_virtual_authenticator( + &self, + protocol: &nsACString, + transport: &nsACString, + has_resident_key: bool, + has_user_verification: bool, + is_user_consenting: bool, + is_user_verified: bool, + ) -> Result<u64, nsresult> { + let protocol = match protocol.to_string().as_str() { + "ctap1/u2f" => AuthenticatorVersion::U2F_V2, + "ctap2" => AuthenticatorVersion::FIDO_2_0, + "ctap2_1" => AuthenticatorVersion::FIDO_2_1, + _ => return Err(NS_ERROR_INVALID_ARG), + }; + let transport = transport.to_string(); + match transport.as_str() { + "usb" | "nfc" | "ble" | "smart-card" | "hybrid" | "internal" => (), + _ => return Err(NS_ERROR_INVALID_ARG), + }; + self.test_token_manager.add_virtual_authenticator( + protocol, + transport, + has_resident_key, + has_user_verification, + is_user_consenting, + is_user_verified, + ) + } + + xpcom_method!(remove_virtual_authenticator => RemoveVirtualAuthenticator(authenticatorId: u64)); + fn remove_virtual_authenticator(&self, authenticator_id: u64) -> Result<(), nsresult> { + self.test_token_manager + .remove_virtual_authenticator(authenticator_id) + } + + xpcom_method!( + add_credential => AddCredential( + authenticatorId: u64, + credentialId: *const nsACString, + isResidentCredential: bool, + rpId: *const nsACString, + privateKey: *const nsACString, + userHandle: *const nsACString, + signCount: u32) + ); + fn add_credential( + &self, + authenticator_id: u64, + credential_id: &nsACString, + is_resident_credential: bool, + rp_id: &nsACString, + private_key: &nsACString, + user_handle: &nsACString, + sign_count: u32, + ) -> Result<(), nsresult> { + let credential_id = base64::engine::general_purpose::URL_SAFE_NO_PAD + .decode(credential_id) + .or(Err(NS_ERROR_INVALID_ARG))?; + let private_key = base64::engine::general_purpose::URL_SAFE_NO_PAD + .decode(private_key) + .or(Err(NS_ERROR_INVALID_ARG))?; + let user_handle = base64::engine::general_purpose::URL_SAFE_NO_PAD + .decode(user_handle) + .or(Err(NS_ERROR_INVALID_ARG))?; + self.test_token_manager.add_credential( + authenticator_id, + &credential_id, + &private_key, + &user_handle, + sign_count, + rp_id.to_string(), + is_resident_credential, + ) + } + + xpcom_method!(get_credentials => GetCredentials(authenticatorId: u64) -> ThinVec<Option<RefPtr<nsICredentialParameters>>>); + fn get_credentials( + &self, + authenticator_id: u64, + ) -> Result<ThinVec<Option<RefPtr<nsICredentialParameters>>>, nsresult> { + self.test_token_manager.get_credentials(authenticator_id) + } + + xpcom_method!(remove_credential => RemoveCredential(authenticatorId: u64, credentialId: *const nsACString)); + fn remove_credential( + &self, + authenticator_id: u64, + credential_id: &nsACString, + ) -> Result<(), nsresult> { + let credential_id = base64::engine::general_purpose::URL_SAFE_NO_PAD + .decode(credential_id) + .or(Err(NS_ERROR_INVALID_ARG))?; + self.test_token_manager + .remove_credential(authenticator_id, credential_id.as_ref()) + } + + xpcom_method!(remove_all_credentials => RemoveAllCredentials(authenticatorId: u64)); + fn remove_all_credentials(&self, authenticator_id: u64) -> Result<(), nsresult> { + self.test_token_manager + .remove_all_credentials(authenticator_id) + } + + xpcom_method!(set_user_verified => SetUserVerified(authenticatorId: u64, isUserVerified: bool)); + fn set_user_verified( + &self, + authenticator_id: u64, + is_user_verified: bool, + ) -> Result<(), nsresult> { + self.test_token_manager + .set_user_verified(authenticator_id, is_user_verified) + } + + xpcom_method!(listen => Listen()); + pub(crate) fn listen(&self) -> Result<(), nsresult> { + // For now, we don't support softtokens + if static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + return Ok(()); + } + + { + let mut guard = self.transaction.lock().unwrap(); + if guard.as_ref().is_some() { + // ignore listen() and continue with ongoing transaction + return Ok(()); + } + *guard = Some(TransactionState { + tid: 0, + browsing_context_id: 0, + pending_args: None, + promise: TransactionPromise::Listen, + pin_receiver: None, + selection_receiver: None, + interactive_receiver: None, + puat_cache: None, + }); + } + + // We may get from status_updates info about certain errors (e.g. PinErrors) + // which we want to present to the user. We will ignore the following error + // which is caused by us "hanging up" on the StatusUpdate-channel and return + // the PinError instead, via `upcoming_error`. + let upcoming_error = Arc::new(Mutex::new(None)); + let upcoming_error_c = upcoming_error.clone(); + let callback_transaction = self.transaction.clone(); + let state_callback = StateCallback::<Result<ManageResult, AuthenticatorError>>::new( + Box::new(move |result| { + let mut guard = callback_transaction.lock().unwrap(); + match guard.as_mut() { + Some(state) => { + match state.promise { + TransactionPromise::Listen => (), + _ => return, + } + *guard = None; + } + // We have no transaction anymore, this means cancel() was called + None => (), + } + let msg = match result { + Ok(_) => BrowserPromptType::ListenSuccess, + Err(e) => { + // See if we have a cached error that should replace this error + let replacement = if let Ok(mut x) = upcoming_error_c.lock() { + x.take() + } else { + None + }; + let replaced_err = replacement.unwrap_or(e); + let err = authrs_to_prompt(replaced_err); + BrowserPromptType::ListenError { + error: Box::new(err), + } + } + }; + let _ = send_about_prompt(&msg); + }), + ); + + // Calling `manage()` within the lock, to avoid race conditions + // where we might check listen_blocked, see that it's false, + // continue along, but in parallel `make_credential()` aborts the + // interactive process shortly after, setting listen_blocked to true, + // then accessing usb_token_manager afterwards and at the same time + // we do it here, causing a runtime crash for trying to mut-borrow it twice. + let (status_tx, status_rx) = channel::<StatusUpdate>(); + let status_transaction = self.transaction.clone(); + RunnableBuilder::new( + "AuthrsTransport::AboutWebauthn::StatusReceiver", + move || { + let _ = interactive_status_callback(status_rx, status_transaction, upcoming_error); + }, + ) + .may_block(true) + .dispatch_background_task()?; + if static_prefs::pref!("security.webauth.webauthn_enable_usbtoken") { + self.usb_token_manager.lock().unwrap().manage( + 60 * 1000 * 1000, + status_tx, + state_callback, + ); + } else if static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + // We don't yet support softtoken + } else { + // Silently accept request, if all webauthn-options are disabled. + // Used for testing. + } + Ok(()) + } + + xpcom_method!(run_command => RunCommand(c_cmd: *const nsACString)); + pub fn run_command(&self, c_cmd: &nsACString) -> Result<(), nsresult> { + // Always test if it can be parsed from incoming JSON (even for tests) + let incoming: RequestWrapper = + serde_json::from_str(&c_cmd.to_utf8()).or(Err(NS_ERROR_DOM_OPERATION_ERR))?; + if static_prefs::pref!("security.webauth.webauthn_enable_usbtoken") { + let guard = self.transaction.lock().unwrap(); + let puat = guard.as_ref().and_then(|g| g.puat_cache.clone()); + let command = match incoming { + RequestWrapper::Quit => InteractiveRequest::Quit, + RequestWrapper::ChangePIN(a, b) => InteractiveRequest::ChangePIN(a, b), + RequestWrapper::SetPIN(a) => InteractiveRequest::SetPIN(a), + RequestWrapper::CredentialManagement(c) => { + InteractiveRequest::CredentialManagement(c, puat) + } + RequestWrapper::BioEnrollment(c) => InteractiveRequest::BioEnrollment(c, puat), + }; + match &guard.as_ref().unwrap().interactive_receiver { + Some(channel) => channel.send(command).or(Err(NS_ERROR_FAILURE)), + // Either we weren't expecting a pin, or the controller is confused + // about which transaction is active. Neither is recoverable, so it's + // OK to drop the PinReceiver here. + _ => Err(NS_ERROR_FAILURE), + } + } else if static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + // We don't yet support softtoken + Ok(()) + } else { + // Silently accept request, if all webauthn-options are disabled. + // Used for testing. + Ok(()) + } + } +} + +#[no_mangle] +pub extern "C" fn authrs_service_constructor(result: *mut *const nsIWebAuthnService) -> nsresult { + let wrapper = AuthrsService::allocate(InitAuthrsService { + usb_token_manager: Mutex::new(StateMachine::new()), + test_token_manager: TestTokenManager::new(), + transaction: Arc::new(Mutex::new(None)), + }); + + #[cfg(feature = "fuzzing")] + { + let fuzzing_config = static_prefs::pref!("fuzzing.webauthn.authenticator_config"); + if fuzzing_config != 0 { + let is_user_verified = (fuzzing_config & 0x01) != 0; + let is_user_consenting = (fuzzing_config & 0x02) != 0; + let has_user_verification = (fuzzing_config & 0x04) != 0; + let has_resident_key = (fuzzing_config & 0x08) != 0; + let transport = nsCString::from(match (fuzzing_config & 0x10) >> 4 { + 0 => "usb", + 1 => "internal", + _ => unreachable!(), + }); + let protocol = nsCString::from(match (fuzzing_config & 0x60) >> 5 { + 0 => "", // reserved + 1 => "ctap1/u2f", + 2 => "ctap2", + 3 => "ctap2_1", + _ => unreachable!(), + }); + // If this fails it's probably because the protocol bits were zero, + // we'll just ignore it. + let _ = wrapper.add_virtual_authenticator( + &protocol, + &transport, + has_resident_key, + has_user_verification, + is_user_consenting, + is_user_verified, + ); + } + } + + unsafe { + RefPtr::new(wrapper.coerce::<nsIWebAuthnService>()).forget(&mut *result); + } + NS_OK +} + +#[no_mangle] +pub extern "C" fn authrs_webauthn_att_obj_constructor( + att_obj_bytes: &ThinVec<u8>, + anonymize: bool, + result: *mut *const nsIWebAuthnAttObj, +) -> nsresult { + if result.is_null() { + return NS_ERROR_NULL_POINTER; + } + + let mut att_obj: AttestationObject = match serde_cbor::from_slice(att_obj_bytes) { + Ok(att_obj) => att_obj, + Err(_) => return NS_ERROR_INVALID_ARG, + }; + + if anonymize { + att_obj.anonymize(); + } + + let wrapper = WebAuthnAttObj::allocate(InitWebAuthnAttObj { att_obj }); + + unsafe { + RefPtr::new(wrapper.coerce::<nsIWebAuthnAttObj>()).forget(&mut *result); + } + + NS_OK +} diff --git a/dom/webauthn/authrs_bridge/src/test_token.rs b/dom/webauthn/authrs_bridge/src/test_token.rs new file mode 100644 index 0000000000..afc2ddbc75 --- /dev/null +++ b/dom/webauthn/authrs_bridge/src/test_token.rs @@ -0,0 +1,974 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +use authenticator::authenticatorservice::{RegisterArgs, SignArgs}; +use authenticator::crypto::{ecdsa_p256_sha256_sign_raw, COSEAlgorithm, COSEKey, SharedSecret}; +use authenticator::ctap2::{ + attestation::{ + AAGuid, AttestationObject, AttestationStatement, AttestationStatementPacked, + AttestedCredentialData, AuthenticatorData, AuthenticatorDataFlags, Extension, + }, + client_data::ClientDataHash, + commands::{ + client_pin::{ClientPIN, ClientPinResponse, PINSubcommand}, + get_assertion::{GetAssertion, GetAssertionResponse, GetAssertionResult}, + get_info::{AuthenticatorInfo, AuthenticatorOptions, AuthenticatorVersion}, + get_version::{GetVersion, U2FInfo}, + make_credentials::{MakeCredentials, MakeCredentialsResult}, + reset::Reset, + selection::Selection, + RequestCtap1, RequestCtap2, StatusCode, + }, + preflight::CheckKeyHandle, + server::{ + AuthenticatorAttachment, PublicKeyCredentialDescriptor, PublicKeyCredentialUserEntity, + RelyingParty, + }, +}; +use authenticator::errors::{AuthenticatorError, CommandError, HIDError, U2FTokenError}; +use authenticator::{ctap2, statecallback::StateCallback}; +use authenticator::{FidoDevice, FidoDeviceIO, FidoProtocol, VirtualFidoDevice}; +use authenticator::{RegisterResult, SignResult, StatusUpdate}; +use base64::Engine; +use moz_task::RunnableBuilder; +use nserror::{nsresult, NS_ERROR_FAILURE, NS_ERROR_INVALID_ARG, NS_OK}; +use nsstring::{nsACString, nsAString, nsCString, nsString}; +use rand::{thread_rng, RngCore}; +use std::cell::{Ref, RefCell}; +use std::collections::{hash_map::Entry, HashMap}; +use std::ops::{Deref, DerefMut}; +use std::sync::atomic::{AtomicU32, Ordering}; +use std::sync::mpsc::Sender; +use std::sync::{Arc, Mutex}; +use thin_vec::ThinVec; +use xpcom::interfaces::{nsICredentialParameters, nsIWebAuthnAutoFillEntry}; +use xpcom::{xpcom_method, RefPtr}; + +// All TestTokens use this fixed, randomly generated, AAGUID +const VIRTUAL_TOKEN_AAGUID: AAGuid = AAGuid([ + 0x68, 0xe1, 0x00, 0xa5, 0x0b, 0x47, 0x91, 0x04, 0xb8, 0x54, 0x97, 0xa9, 0xba, 0x51, 0x06, 0x38, +]); + +#[derive(Debug)] +struct TestTokenCredential { + id: Vec<u8>, + privkey: Vec<u8>, + user_handle: Vec<u8>, + sign_count: AtomicU32, + is_discoverable_credential: bool, + rp: RelyingParty, +} + +impl TestTokenCredential { + fn assert( + &self, + client_data_hash: &ClientDataHash, + flags: AuthenticatorDataFlags, + ) -> Result<GetAssertionResponse, HIDError> { + let credentials = Some(PublicKeyCredentialDescriptor { + id: self.id.clone(), + transports: vec![], + }); + + let auth_data = AuthenticatorData { + rp_id_hash: self.rp.hash(), + flags, + counter: self.sign_count.fetch_add(1, Ordering::Relaxed), + credential_data: None, + extensions: Extension::default(), + }; + + let user = Some(PublicKeyCredentialUserEntity { + id: self.user_handle.clone(), + ..Default::default() + }); + + let mut data = auth_data.to_vec(); + data.extend_from_slice(client_data_hash.as_ref()); + let signature = + ecdsa_p256_sha256_sign_raw(&self.privkey, &data).or(Err(HIDError::DeviceError))?; + + Ok(GetAssertionResponse { + credentials, + auth_data, + signature, + user, + number_of_credentials: Some(1), + }) + } +} + +#[derive(Debug)] +struct TestToken { + protocol: FidoProtocol, + transport: String, + versions: Vec<AuthenticatorVersion>, + has_resident_key: bool, + has_user_verification: bool, + is_user_consenting: bool, + is_user_verified: bool, + // This is modified in `make_credentials` which takes a &TestToken, but we only allow one transaction at a time. + credentials: RefCell<Vec<TestTokenCredential>>, + pin_token: [u8; 32], + shared_secret: Option<SharedSecret>, + authenticator_info: Option<AuthenticatorInfo>, +} + +impl TestToken { + fn new( + versions: Vec<AuthenticatorVersion>, + transport: String, + has_resident_key: bool, + has_user_verification: bool, + is_user_consenting: bool, + is_user_verified: bool, + ) -> TestToken { + let mut pin_token = [0u8; 32]; + thread_rng().fill_bytes(&mut pin_token); + Self { + protocol: FidoProtocol::CTAP2, + transport, + versions, + has_resident_key, + has_user_verification, + is_user_consenting, + is_user_verified, + credentials: RefCell::new(vec![]), + pin_token, + shared_secret: None, + authenticator_info: None, + } + } + + fn insert_credential( + &self, + id: &[u8], + privkey: &[u8], + rp: &RelyingParty, + is_discoverable_credential: bool, + user_handle: &[u8], + sign_count: u32, + ) { + let c = TestTokenCredential { + id: id.to_vec(), + privkey: privkey.to_vec(), + rp: rp.clone(), + is_discoverable_credential, + user_handle: user_handle.to_vec(), + sign_count: AtomicU32::new(sign_count), + }; + + let mut credlist = self.credentials.borrow_mut(); + + match credlist.binary_search_by_key(&id, |probe| &probe.id) { + Ok(_) => {} + Err(idx) => credlist.insert(idx, c), + } + } + + fn get_credentials(&self) -> Ref<Vec<TestTokenCredential>> { + self.credentials.borrow() + } + + fn delete_credential(&mut self, id: &[u8]) -> bool { + let mut credlist = self.credentials.borrow_mut(); + if let Ok(idx) = credlist.binary_search_by_key(&id, |probe| &probe.id) { + credlist.remove(idx); + return true; + } + + false + } + + fn delete_all_credentials(&mut self) { + self.credentials.borrow_mut().clear(); + } + + fn has_credential(&self, id: &[u8]) -> bool { + self.credentials + .borrow() + .binary_search_by_key(&id, |probe| &probe.id) + .is_ok() + } + + fn max_supported_version(&self) -> AuthenticatorVersion { + self.authenticator_info + .as_ref() + .map_or(AuthenticatorVersion::U2F_V2, |info| { + info.max_supported_version() + }) + } +} + +impl FidoDevice for TestToken { + fn pre_init(&mut self) -> Result<(), HIDError> { + Ok(()) + } + + fn should_try_ctap2(&self) -> bool { + true + } + + fn initialized(&self) -> bool { + true + } + + fn is_u2f(&mut self) -> bool { + true + } + + fn get_shared_secret(&self) -> Option<&SharedSecret> { + self.shared_secret.as_ref() + } + + fn set_shared_secret(&mut self, shared_secret: SharedSecret) { + self.shared_secret = Some(shared_secret); + } + + fn get_authenticator_info(&self) -> Option<&AuthenticatorInfo> { + self.authenticator_info.as_ref() + } + + fn set_authenticator_info(&mut self, authenticator_info: AuthenticatorInfo) { + self.authenticator_info = Some(authenticator_info); + } + + fn get_protocol(&self) -> FidoProtocol { + self.protocol + } + + fn downgrade_to_ctap1(&mut self) { + self.protocol = FidoProtocol::CTAP1 + } +} + +impl FidoDeviceIO for TestToken { + fn send_msg_cancellable<Out, Req: RequestCtap1<Output = Out> + RequestCtap2<Output = Out>>( + &mut self, + msg: &Req, + keep_alive: &dyn Fn() -> bool, + ) -> Result<Out, HIDError> { + if !self.initialized() { + return Err(HIDError::DeviceNotInitialized); + } + + match self.get_protocol() { + FidoProtocol::CTAP1 => self.send_ctap1_cancellable(msg, keep_alive), + FidoProtocol::CTAP2 => self.send_cbor_cancellable(msg, keep_alive), + } + } + + fn send_cbor_cancellable<Req: RequestCtap2>( + &mut self, + msg: &Req, + _keep_alive: &dyn Fn() -> bool, + ) -> Result<Req::Output, HIDError> { + msg.send_to_virtual_device(self) + } + + fn send_ctap1_cancellable<Req: RequestCtap1>( + &mut self, + msg: &Req, + _keep_alive: &dyn Fn() -> bool, + ) -> Result<Req::Output, HIDError> { + msg.send_to_virtual_device(self) + } +} + +impl VirtualFidoDevice for TestToken { + fn check_key_handle(&self, req: &CheckKeyHandle) -> Result<(), HIDError> { + let credlist = self.credentials.borrow(); + let req_rp_hash = req.rp.hash(); + let eligible_cred_iter = credlist.iter().filter(|x| x.rp.hash() == req_rp_hash); + for credential in eligible_cred_iter { + if req.key_handle == credential.id { + return Ok(()); + } + } + Err(HIDError::DeviceError) + } + + fn client_pin(&self, req: &ClientPIN) -> Result<ClientPinResponse, HIDError> { + match req.subcommand { + PINSubcommand::GetKeyAgreement => { + // We don't need to save, or even know, the private key for the public key returned + // here because we have access to the shared secret derived on the client side. + let (_private, public) = COSEKey::generate(COSEAlgorithm::ECDH_ES_HKDF256) + .map_err(|_| HIDError::DeviceError)?; + Ok(ClientPinResponse { + key_agreement: Some(public), + ..Default::default() + }) + } + PINSubcommand::GetPinUvAuthTokenUsingUvWithPermissions => { + // TODO: permissions + if !self.is_user_consenting || !self.is_user_verified { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::OperationDenied, + None, + ))); + } + let secret = match self.shared_secret.as_ref() { + Some(secret) => secret, + _ => return Err(HIDError::DeviceError), + }; + let encrypted_pin_token = match secret.encrypt(&self.pin_token) { + Ok(token) => token, + _ => return Err(HIDError::DeviceError), + }; + Ok(ClientPinResponse { + pin_token: Some(encrypted_pin_token), + ..Default::default() + }) + } + _ => Err(HIDError::UnsupportedCommand), + } + } + + fn get_assertion(&self, req: &GetAssertion) -> Result<Vec<GetAssertionResult>, HIDError> { + // Algorithm 6.2.2 from CTAP 2.1 + // https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-makeCred-authnr-alg + + // 1. zero length pinUvAuthParam + // (not implemented) + + // 2. Validate pinUvAuthParam + // Handled by caller + + // 3. Initialize "uv" and "up" bits to false + let mut flags = AuthenticatorDataFlags::empty(); + + // 4. Handle all options + // 4.1 and 4.2 + let effective_uv_opt = + req.options.user_verification.unwrap_or(false) && req.pin_uv_auth_param.is_none(); + + // 4.3 + if effective_uv_opt && !self.has_user_verification { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::InvalidOption, + None, + ))); + } + + // 4.4 rk + // (not implemented, we don't encode it) + + // 4.5 + let effective_up_opt = req.options.user_presence.unwrap_or(true); + + // 5. alwaysUv + // (not implemented) + + // 6. User verification + // TODO: Permissions, (maybe) validate pinUvAuthParam + if self.is_user_verified && (effective_uv_opt || req.pin_uv_auth_param.is_some()) { + flags |= AuthenticatorDataFlags::USER_VERIFIED; + } + + // 7. Locate credentials + let credlist = self.credentials.borrow(); + let req_rp_hash = req.rp.hash(); + let eligible_cred_iter = credlist.iter().filter(|x| x.rp.hash() == req_rp_hash); + + // 8. Set up=true if evidence of user interaction was provided in step 6. + // (not applicable, we use pinUvAuthParam) + + // 9. User presence test + if effective_up_opt { + if self.is_user_consenting { + flags |= AuthenticatorDataFlags::USER_PRESENT; + } else { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::UpRequired, + None, + ))); + } + } + + // 10. Extensions + // (not implemented) + + let mut assertions: Vec<GetAssertionResult> = vec![]; + if !req.allow_list.is_empty() { + // 11. Non-discoverable credential case + // return at most one assertion matching an allowed credential ID + for credential in eligible_cred_iter { + if req.allow_list.iter().any(|x| x.id == credential.id) { + let mut assertion: GetAssertionResponse = + credential.assert(&req.client_data_hash, flags)?; + if req.allow_list.len() == 1 + && self.max_supported_version() == AuthenticatorVersion::FIDO_2_0 + { + // CTAP 2.0 authenticators are allowed to omit the credential ID in the + // response if the allow list contains exactly one entry. This behavior is + // a common source of bugs, e.g. Bug 1864504, so we'll exercise it here. + assertion.credentials = None; + } + assertions.push(GetAssertionResult { + assertion: assertion.into(), + attachment: AuthenticatorAttachment::Unknown, + extensions: Default::default(), + }); + break; + } + } + } else { + // 12. Discoverable credential case + // return any number of assertions from credentials bound to this RP ID + for credential in eligible_cred_iter.filter(|x| x.is_discoverable_credential) { + let assertion = credential.assert(&req.client_data_hash, flags)?.into(); + assertions.push(GetAssertionResult { + assertion, + attachment: AuthenticatorAttachment::Unknown, + extensions: Default::default(), + }); + } + } + + if assertions.is_empty() { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::NoCredentials, + None, + ))); + } + + Ok(assertions) + } + + fn get_info(&self) -> Result<AuthenticatorInfo, HIDError> { + // This is a CTAP2.1 device with internal user verification support + Ok(AuthenticatorInfo { + versions: self.versions.clone(), + options: AuthenticatorOptions { + platform_device: self.transport == "internal", + resident_key: self.has_resident_key, + pin_uv_auth_token: Some(self.has_user_verification), + user_verification: Some(self.has_user_verification), + ..Default::default() + }, + ..Default::default() + }) + } + + fn get_version(&self, _req: &GetVersion) -> Result<U2FInfo, HIDError> { + Err(HIDError::UnsupportedCommand) + } + + fn make_credentials(&self, req: &MakeCredentials) -> Result<MakeCredentialsResult, HIDError> { + // Algorithm 6.1.2 from CTAP 2.1 + // https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-makeCred-authnr-alg + + // 1. zero length pinUvAuthParam + // (not implemented) + + // 2. Validate pinUvAuthParam + // Handled by caller + + // 3. Validate pubKeyCredParams + if !req + .pub_cred_params + .iter() + .any(|x| x.alg == COSEAlgorithm::ES256) + { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::UnsupportedAlgorithm, + None, + ))); + } + + // 4. initialize "uv" and "up" bits to false + let mut flags = AuthenticatorDataFlags::empty(); + + // 5. process all options + + // 5.1 and 5.2 + let effective_uv_opt = + req.options.user_verification.unwrap_or(false) && req.pin_uv_auth_param.is_none(); + + // 5.3 + if effective_uv_opt && !self.has_user_verification { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::InvalidOption, + None, + ))); + } + + // 5.4 + if req.options.resident_key.unwrap_or(false) && !self.has_resident_key { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::UnsupportedOption, + None, + ))); + } + + // 5.6 and 5.7 + // Nothing to do. We don't provide a way to set up=false. + + // 6. alwaysUv option ID + // (not implemented) + + // 7. and 8. makeCredUvNotRqd option ID + // (not implemented) + + // 9. enterprise attestation + // (not implemented) + + // 11. User verification + // TODO: Permissions, (maybe) validate pinUvAuthParam + if self.is_user_verified { + flags |= AuthenticatorDataFlags::USER_VERIFIED; + } + + // 12. exclude list + // TODO: credProtect + if req.exclude_list.iter().any(|x| self.has_credential(&x.id)) { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::CredentialExcluded, + None, + ))); + } + + // 13. Set up=true if evidence of user interaction was provided in step 11. + // (not applicable, we use pinUvAuthParam) + + // 14. User presence test + if self.is_user_consenting { + flags |= AuthenticatorDataFlags::USER_PRESENT; + } else { + return Err(HIDError::Command(CommandError::StatusCode( + StatusCode::UpRequired, + None, + ))); + } + + // 15. process extensions + let mut extensions = Extension::default(); + if req.extensions.min_pin_length == Some(true) { + // a real authenticator would + // 1) return an actual minimum pin length, and + // 2) check the RP ID against an allowlist before providing any data + extensions.min_pin_length = Some(4); + } + + if extensions.has_some() { + flags |= AuthenticatorDataFlags::EXTENSION_DATA; + } + + // 16. Generate a new credential. + let (private, public) = + COSEKey::generate(COSEAlgorithm::ES256).map_err(|_| HIDError::DeviceError)?; + let counter = 0; + + // 17. and 18. Store credential + // + // All of the credentials that we create are "resident"---we store the private key locally, + // and use a random value for the credential ID. The `req.options.resident_key` field + // determines whether we make the credential "discoverable". + let mut id = [0u8; 32]; + thread_rng().fill_bytes(&mut id); + self.insert_credential( + &id, + &private, + &req.rp, + req.options.resident_key.unwrap_or(false), + &req.user.clone().unwrap_or_default().id, + counter, + ); + + // 19. Generate attestation statement + flags |= AuthenticatorDataFlags::ATTESTED; + + let auth_data = AuthenticatorData { + rp_id_hash: req.rp.hash(), + flags, + counter, + credential_data: Some(AttestedCredentialData { + aaguid: VIRTUAL_TOKEN_AAGUID, + credential_id: id.to_vec(), + credential_public_key: public, + }), + extensions, + }; + + let mut data = auth_data.to_vec(); + data.extend_from_slice(req.client_data_hash.as_ref()); + + let sig = ecdsa_p256_sha256_sign_raw(&private, &data).or(Err(HIDError::DeviceError))?; + + let att_stmt = AttestationStatement::Packed(AttestationStatementPacked { + alg: COSEAlgorithm::ES256, + sig: sig.as_slice().into(), + attestation_cert: vec![], + }); + + let result = MakeCredentialsResult { + attachment: AuthenticatorAttachment::Unknown, + att_obj: AttestationObject { + att_stmt, + auth_data, + }, + extensions: Default::default(), + }; + Ok(result) + } + + fn reset(&self, _req: &Reset) -> Result<(), HIDError> { + Err(HIDError::UnsupportedCommand) + } + + fn selection(&self, _req: &Selection) -> Result<(), HIDError> { + Err(HIDError::UnsupportedCommand) + } +} + +#[xpcom(implement(nsICredentialParameters), atomic)] +struct CredentialParameters { + credential_id: Vec<u8>, + is_resident_credential: bool, + rp_id: String, + private_key: Vec<u8>, + user_handle: Vec<u8>, + sign_count: u32, +} + +impl CredentialParameters { + xpcom_method!(get_credential_id => GetCredentialId() -> nsACString); + fn get_credential_id(&self) -> Result<nsCString, nsresult> { + Ok(base64::engine::general_purpose::URL_SAFE_NO_PAD + .encode(&self.credential_id) + .into()) + } + + xpcom_method!(get_is_resident_credential => GetIsResidentCredential() -> bool); + fn get_is_resident_credential(&self) -> Result<bool, nsresult> { + Ok(self.is_resident_credential) + } + + xpcom_method!(get_rp_id => GetRpId() -> nsACString); + fn get_rp_id(&self) -> Result<nsCString, nsresult> { + Ok(nsCString::from(&self.rp_id)) + } + + xpcom_method!(get_private_key => GetPrivateKey() -> nsACString); + fn get_private_key(&self) -> Result<nsCString, nsresult> { + Ok(base64::engine::general_purpose::URL_SAFE_NO_PAD + .encode(&self.private_key) + .into()) + } + + xpcom_method!(get_user_handle => GetUserHandle() -> nsACString); + fn get_user_handle(&self) -> Result<nsCString, nsresult> { + Ok(base64::engine::general_purpose::URL_SAFE_NO_PAD + .encode(&self.user_handle) + .into()) + } + + xpcom_method!(get_sign_count => GetSignCount() -> u32); + fn get_sign_count(&self) -> Result<u32, nsresult> { + Ok(self.sign_count) + } +} + +#[xpcom(implement(nsIWebAuthnAutoFillEntry), atomic)] +struct WebAuthnAutoFillEntry { + rp: String, + credential_id: Vec<u8>, +} + +impl WebAuthnAutoFillEntry { + xpcom_method!(get_provider => GetProvider() -> u8); + fn get_provider(&self) -> Result<u8, nsresult> { + Ok(nsIWebAuthnAutoFillEntry::PROVIDER_TEST_TOKEN) + } + + xpcom_method!(get_user_name => GetUserName() -> nsAString); + fn get_user_name(&self) -> Result<nsString, nsresult> { + Ok(nsString::from("Test User")) + } + + xpcom_method!(get_rp_id => GetRpId() -> nsAString); + fn get_rp_id(&self) -> Result<nsString, nsresult> { + Ok(nsString::from(&self.rp)) + } + + xpcom_method!(get_credential_id => GetCredentialId() -> ThinVec<u8>); + fn get_credential_id(&self) -> Result<ThinVec<u8>, nsresult> { + Ok(self.credential_id.as_slice().into()) + } +} + +#[derive(Default)] +pub(crate) struct TestTokenManager { + state: Arc<Mutex<HashMap<u64, TestToken>>>, +} + +impl TestTokenManager { + pub fn new() -> Self { + Default::default() + } + + pub fn add_virtual_authenticator( + &self, + protocol: AuthenticatorVersion, + transport: String, + has_resident_key: bool, + has_user_verification: bool, + is_user_consenting: bool, + is_user_verified: bool, + ) -> Result<u64, nsresult> { + let mut guard = self.state.lock().map_err(|_| NS_ERROR_FAILURE)?; + let token = TestToken::new( + vec![protocol], + transport, + has_resident_key, + has_user_verification, + is_user_consenting, + is_user_verified, + ); + loop { + let id = rand::random::<u64>() & 0x1f_ffff_ffff_ffffu64; // Make the id safe for JS (53 bits) + match guard.deref_mut().entry(id) { + Entry::Occupied(_) => continue, + Entry::Vacant(v) => { + v.insert(token); + return Ok(id); + } + }; + } + } + + pub fn remove_virtual_authenticator(&self, authenticator_id: u64) -> Result<(), nsresult> { + let mut guard = self.state.lock().map_err(|_| NS_ERROR_FAILURE)?; + guard + .deref_mut() + .remove(&authenticator_id) + .ok_or(NS_ERROR_INVALID_ARG)?; + Ok(()) + } + + pub fn add_credential( + &self, + authenticator_id: u64, + id: &[u8], + privkey: &[u8], + user_handle: &[u8], + sign_count: u32, + rp_id: String, + is_resident_credential: bool, + ) -> Result<(), nsresult> { + let mut guard = self.state.lock().map_err(|_| NS_ERROR_FAILURE)?; + let token = guard + .deref_mut() + .get_mut(&authenticator_id) + .ok_or(NS_ERROR_INVALID_ARG)?; + let rp = RelyingParty::from(rp_id); + token.insert_credential( + id, + privkey, + &rp, + is_resident_credential, + user_handle, + sign_count, + ); + Ok(()) + } + + pub fn get_credentials( + &self, + authenticator_id: u64, + ) -> Result<ThinVec<Option<RefPtr<nsICredentialParameters>>>, nsresult> { + let mut guard = self.state.lock().map_err(|_| NS_ERROR_FAILURE)?; + let token = guard + .get_mut(&authenticator_id) + .ok_or(NS_ERROR_INVALID_ARG)?; + let credentials = token.get_credentials(); + let mut credentials_parameters = ThinVec::with_capacity(credentials.len()); + for credential in credentials.deref() { + // CTAP1 credentials are not currently supported here. + let credential_parameters = CredentialParameters::allocate(InitCredentialParameters { + credential_id: credential.id.clone(), + is_resident_credential: credential.is_discoverable_credential, + rp_id: credential.rp.id.clone(), + private_key: credential.privkey.clone(), + user_handle: credential.user_handle.clone(), + sign_count: credential.sign_count.load(Ordering::Relaxed), + }) + .query_interface::<nsICredentialParameters>() + .ok_or(NS_ERROR_FAILURE)?; + credentials_parameters.push(Some(credential_parameters)); + } + Ok(credentials_parameters) + } + + pub fn remove_credential(&self, authenticator_id: u64, id: &[u8]) -> Result<(), nsresult> { + let mut guard = self.state.lock().map_err(|_| NS_ERROR_FAILURE)?; + let token = guard + .deref_mut() + .get_mut(&authenticator_id) + .ok_or(NS_ERROR_INVALID_ARG)?; + if token.delete_credential(id) { + Ok(()) + } else { + Err(NS_ERROR_INVALID_ARG) + } + } + + pub fn remove_all_credentials(&self, authenticator_id: u64) -> Result<(), nsresult> { + let mut guard = self.state.lock().map_err(|_| NS_ERROR_FAILURE)?; + let token = guard + .deref_mut() + .get_mut(&authenticator_id) + .ok_or(NS_ERROR_INVALID_ARG)?; + token.delete_all_credentials(); + Ok(()) + } + + pub fn set_user_verified( + &self, + authenticator_id: u64, + is_user_verified: bool, + ) -> Result<(), nsresult> { + let mut guard = self.state.lock().map_err(|_| NS_ERROR_FAILURE)?; + let token = guard + .deref_mut() + .get_mut(&authenticator_id) + .ok_or(NS_ERROR_INVALID_ARG)?; + token.is_user_verified = is_user_verified; + Ok(()) + } + + pub fn register( + &self, + _timeout_ms: u64, + ctap_args: RegisterArgs, + status: Sender<StatusUpdate>, + callback: StateCallback<Result<RegisterResult, AuthenticatorError>>, + ) { + if !static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + return; + } + + let state_obj = self.state.clone(); + + // Registration doesn't currently block, but it might in a future version, so we run it on + // a background thread. + let _ = RunnableBuilder::new("TestTokenManager::register", move || { + // TODO(Bug 1854278) We should actually run one thread per token here + // and attempt to fulfill this request in parallel. + for token in state_obj.lock().unwrap().values_mut() { + let _ = token.init(); + if ctap2::register( + token, + ctap_args.clone(), + status.clone(), + callback.clone(), + &|| true, + ) { + // callback was called + return; + } + } + + // Send an error, if the callback wasn't called already. + callback.call(Err(AuthenticatorError::U2FToken(U2FTokenError::NotAllowed))); + }) + .may_block(true) + .dispatch_background_task(); + } + + pub fn sign( + &self, + _timeout_ms: u64, + ctap_args: SignArgs, + status: Sender<StatusUpdate>, + callback: StateCallback<Result<SignResult, AuthenticatorError>>, + ) { + if !static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + return; + } + + let state_obj = self.state.clone(); + + // Signing can block during signature selection, so we need to run it on a background thread. + let _ = RunnableBuilder::new("TestTokenManager::sign", move || { + // TODO(Bug 1854278) We should actually run one thread per token here + // and attempt to fulfill this request in parallel. + for token in state_obj.lock().unwrap().values_mut() { + let _ = token.init(); + if ctap2::sign( + token, + ctap_args.clone(), + status.clone(), + callback.clone(), + &|| true, + ) { + // callback was called + return; + } + } + + // Send an error, if the callback wasn't called already. + callback.call(Err(AuthenticatorError::U2FToken(U2FTokenError::NotAllowed))); + }) + .may_block(true) + .dispatch_background_task(); + } + + pub fn has_platform_authenticator(&self) -> bool { + if !static_prefs::pref!("security.webauth.webauthn_enable_softtoken") { + return false; + } + + for token in self.state.lock().unwrap().values_mut() { + let _ = token.init(); + if token.transport.as_str() == "internal" { + return true; + } + } + + false + } + + pub fn get_autofill_entries( + &self, + rp_id: &str, + credential_filter: &Vec<PublicKeyCredentialDescriptor>, + ) -> Result<ThinVec<Option<RefPtr<nsIWebAuthnAutoFillEntry>>>, nsresult> { + let guard = self.state.lock().map_err(|_| NS_ERROR_FAILURE)?; + let mut entries = ThinVec::new(); + + for token in guard.values() { + let credentials = token.get_credentials(); + for credential in credentials.deref() { + // The relying party ID must match. + if !rp_id.eq(&credential.rp.id) { + continue; + } + // Only discoverable credentials are admissible. + if !credential.is_discoverable_credential { + continue; + } + // Only credentials listed in the credential filter (if it is + // non-empty) are admissible. + if credential_filter.len() > 0 + && credential_filter + .iter() + .find(|cred| cred.id == credential.id) + .is_none() + { + continue; + } + let entry = WebAuthnAutoFillEntry::allocate(InitWebAuthnAutoFillEntry { + rp: credential.rp.id.clone(), + credential_id: credential.id.clone(), + }) + .query_interface::<nsIWebAuthnAutoFillEntry>() + .ok_or(NS_ERROR_FAILURE)?; + entries.push(Some(entry)); + } + } + Ok(entries) + } +} |