    fido/mac: move all Keychain query code into TouchIdCredentialStore · aa2481c4
    Martin Kreichgauer authored
    Add high-level methods for interacting with Touch ID authenticator
    credentials to the existing TouchIdCredentialStore class, and replace
    code in TouchIdAuthenticator and {GetAssertion,MakeCredential}Operation
    that currently interacts with the macOS keychain API directly.
    
    Also make TouchIdAuthenticator and the Operation classes hold a
    TouchIdCredentialStore member, rather than the AuthenticatorConfig that
    they previously required to perform operations on the Keychain API
    directly.
    
    The FindCredentialsInKeychain() and FindResidentCredentialsInKeychain()
    non-member methods in keychain.h are made obsolete by the new
    TouchIdCredentialStore member methods and deleted.
    
    This is mostly a refactoring, with a few minor functional changes:
    - When looking for credentials from |exclude_list|,
      MakeCredentialOperation now ignores credential descriptors with a
      transports() set that explicitly excludes platform authenticators
      (even if the descriptor's ID matches a known credential). This is
      equivalent to how allow_list is handled in GetAssertionOperation.
    - The new CredentialStore methods explicitly signal unexpected macOS
      Keychain API errors in the return value, whereas with
    Find{Resident,}CredentialsInKeychain() this was indistinguishable from the
      case where no matching credentials were found. Hence, when
    encountering an error while querying an exclude list, e.g., a
      MakeCredential operation would have previously been allowed to
      proceed, but now the authenticator will return a CTAP error to the
      request handler instead.
    
    Change-Id: Ib3a0a881d06fe0e20822281cbb0e3dac66b9399f
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1984468
    Commit-Queue: Martin Kreichgauer <martinkr@google.com>
    Reviewed-by: Adam Langley <agl@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#728713}
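As an added illustration, not code from this commit or from Chromium, the following C++ models the two functional changes the message lists: exclude-list descriptors whose `transports()` set omits the platform (internal) transport are skipped before the store is queried, and a store lookup that fails is reported as a CTAP error rather than being treated as "no match". The type and method names (`FidoTransportProtocol`, `PublicKeyCredentialDescriptor`, `CtapDeviceResponseCode`, `FindCredentialsFromCredentialDescriptorList`) are patterned on Chromium's device/fido code but are assumptions of this example; the store is an in-memory stand-in for the macOS Keychain with a flag that simulates an API error.

```cpp
#include <cstdint>
#include <iostream>
#include <optional>
#include <set>
#include <utility>
#include <vector>

// Simplified stand-ins for Chromium FIDO types (assumed names, not the real ones).
enum class FidoTransportProtocol { kUsb, kNfc, kBle, kInternal };

struct PublicKeyCredentialDescriptor {
  std::vector<uint8_t> id;
  // No set means "any transport". A present set that lacks kInternal explicitly
  // excludes platform authenticators such as Touch ID.
  std::optional<std::set<FidoTransportProtocol>> transports;
};

enum class CtapDeviceResponseCode { kSuccess, kCtap2ErrCredentialExcluded, kCtap2ErrOther };

PublicKeyCredentialDescriptor MakeDescriptor(
    std::vector<uint8_t> id, std::optional<std::set<FidoTransportProtocol>> transports) {
  return PublicKeyCredentialDescriptor{std::move(id), std::move(transports)};
}

// In-memory stand-in for TouchIdCredentialStore: holds known credential ids for
// one RP and can simulate an unexpected Keychain API error.
class FakeTouchIdCredentialStore {
 public:
  FakeTouchIdCredentialStore(std::vector<std::vector<uint8_t>> known_ids, bool fail)
      : known_ids_(std::move(known_ids)), fail_(fail) {}

  // Returns nullopt on a (simulated) Keychain error; otherwise the subset of
  // |descriptors| whose id matches a stored credential. The nullopt case is what
  // separates "error" from "nothing found".
  std::optional<std::vector<PublicKeyCredentialDescriptor>>
  FindCredentialsFromCredentialDescriptorList(
      const std::vector<PublicKeyCredentialDescriptor>& descriptors) const {
    if (fail_) return std::nullopt;
    std::vector<PublicKeyCredentialDescriptor> found;
    for (const auto& d : descriptors) {
      for (const auto& k : known_ids_) {
        if (d.id == k) { found.push_back(d); break; }
      }
    }
    return found;
  }

 private:
  std::vector<std::vector<uint8_t>> known_ids_;
  bool fail_;
};

// Drops exclude-list entries whose transports set rules out platform authenticators.
std::vector<PublicKeyCredentialDescriptor> FilterForPlatformAuthenticator(
    const std::vector<PublicKeyCredentialDescriptor>& exclude_list) {
  std::vector<PublicKeyCredentialDescriptor> result;
  for (const auto& d : exclude_list) {
    if (d.transports && d.transports->count(FidoTransportProtocol::kInternal) == 0) continue;
    result.push_back(d);
  }
  return result;
}

// Models the exclude-list check of a MakeCredential operation: a Keychain error
// refuses the request with a CTAP error instead of letting it proceed.
CtapDeviceResponseCode CheckExcludeList(
    const FakeTouchIdCredentialStore& store,
    const std::vector<PublicKeyCredentialDescriptor>& exclude_list) {
  auto relevant = FilterForPlatformAuthenticator(exclude_list);
  if (relevant.empty()) return CtapDeviceResponseCode::kSuccess;  // nothing to look up
  auto matches = store.FindCredentialsFromCredentialDescriptorList(relevant);
  if (!matches) return CtapDeviceResponseCode::kCtap2ErrOther;      // store error
  if (!matches->empty()) return CtapDeviceResponseCode::kCtap2ErrCredentialExcluded;
  return CtapDeviceResponseCode::kSuccess;
}

int main() {
  FakeTouchIdCredentialStore store({{1, 2, 3}}, /*fail=*/false);
  auto usb_only = std::set<FidoTransportProtocol>{FidoTransportProtocol::kUsb};
  std::cout << "known id, any transport -> excluded? "
            << (CheckExcludeList(store, {MakeDescriptor({1, 2, 3}, std::nullopt)}) ==
                CtapDeviceResponseCode::kCtap2ErrCredentialExcluded) << "\n";
  std::cout << "known id, usb only -> ignored? "
            << (CheckExcludeList(store, {MakeDescriptor({1, 2, 3}, usb_only)}) ==
                CtapDeviceResponseCode::kSuccess) << "\n";
  return 0;
}
```

The filter runs before the store is consulted, so a descriptor that cannot refer to a platform credential never triggers a Keychain query at all; only descriptors that could match are looked up, and any failure of that lookup surfaces as `kCtap2ErrOther`.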
make_credential_operation.h 2.86 KB