-
Martin Kreichgauer authored
Cryptotoken used to tolerate challenges and key handles encoded in either regular base64 or base64url, despite the spec only allowing base64url. With the WebAuthenticationProxyCryptotoken feature enabled, this is no longer the case: WebAuthn takes challenges and key handles as raw byte inputs, and re-encodes them to base64url prior to signing. Until now, if cryptotoken failed to base64url-decode a challenge for keyHandle before sending it to WebAuthn, it would send an empty byte sequence instead. Hence, if a non-compliant passed a challenge encoded in regular base64, it would subsequently receive a response, but the challenge field in the response would be empty and signature would be over the empty challenge. This change makes the failure to decode more explicit. If a challenge (or keyHandle) fails to decode, cryptotoken will not forward the request. Rather it will return a BAD_REQUEST error with a descriptive error message. Bug: 925738 Change-Id: I7e1d0bfca55765ccdfaf7b9762c8b79352fb2856 Reviewed-on: https://chromium-review.googlesource.com/c/1450400 Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by:
Adam Langley <agl@chromium.org> Cr-Commit-Position: refs/heads/master@{#628508}
ceb92979
