[webauthn] Fix virtual attestation certificate

According to the spec [1], the basic constraints extension MUST have the
CA component set to false for packed attestation certificates. This
patch adds the basic constraints extension to attestation returned by
virtual authenticators and sets CA to false.

[1] https://www.w3.org/TR/webauthn/#packed-attestation-cert-requirements

Fixed: 1090015
Change-Id: I780f2f2482be9c6c5168ed60df23dbf75ce2e2a0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2264578
Commit-Queue: Nina Satragno <nsatragno@chromium.org>
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Auto-Submit: Nina Satragno <nsatragno@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/master@{#781987}

device/fido/virtual_ctap2_device_unittest.cc

@@ -17,6 +17,7 @@
 #include "device/fido/fido_parsing_utils.h"
 #include "device/fido/fido_test_data.h"
 #include "device/fido/test_callback_receiver.h"
+#include "net/cert/asn1_util.h"
 #include "net/cert/x509_certificate.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -186,6 +187,16 @@ TEST_F(VirtualCtap2DeviceTest, AttestationCertificateIsValid) {
   base::Time now = base::Time::Now();
   EXPECT_LT(cert->valid_start(), now);
   EXPECT_GT(cert->valid_expiry(), now);
+
+  bool present;
+  bool critical;
+  base::StringPiece contents;
+  ASSERT_TRUE(net::asn1::ExtractExtensionFromDERCert(
+      net::x509_util::CryptoBufferAsStringPiece(cert->cert_buffer()),
+      base::StringPiece("\x55\x1d\x13"), &present, &critical, &contents));
+  EXPECT_TRUE(present);
+  EXPECT_TRUE(critical);
+  EXPECT_EQ(base::StringPiece("\x30\x03\x01\x01\x00", 5), contents);
 }
 
 }  // namespace device

device/fido/virtual_fido_device.cc

@@ -477,8 +477,21 @@ VirtualFidoDevice::GenerateAttestationCertificate(
       8 - transport_bit - 1,        // trailing bits unused
       0b10000000 >> transport_bit,  // transport
   };
+
+  // https://www.w3.org/TR/webauthn/#packed-attestation-cert-requirements
+  // The Basic Constraints extension MUST have the CA component set to false.
+  static constexpr uint8_t kBasicContraintsOID[] = {0x55, 0x1d, 0x13};
+  static constexpr uint8_t kBasicContraintsContents[] = {
+      0x30,  // SEQUENCE
+      0x03,  // three bytes long
+      0x01,  // BOOLEAN
+      0x01,  // one byte long
+      0x00,  // false
+  };
+
   const std::vector<net::x509_util::Extension> extensions = {
-      {kTransportTypesOID, false /* not critical */, kTransportTypesContents},
+      {kTransportTypesOID, /*critical=*/false, kTransportTypesContents},
+      {kBasicContraintsOID, /*critical=*/true, kBasicContraintsContents},
   };
 
   // https://w3c.github.io/webauthn/#sctn-packed-attestation-cert-requirements