Commit 554f453a authored by Yicheng Li, committed by Chromium LUCI CQ

webauth: Do not ignore u2fhid on ChromeOS

Since u2f credentials are not handled properly on ChromeOS, we
decided to disable platform authenticator when U2F is enabled.
This is done by making ChromeOS Authenticator return IsUvpaa=false
when U2F is enabled. Thus ChromeOS platform authenticator and
u2fhid are mutually exclusive for WebAuthn.

Bug: 1155335, b/174709984
TEST=Enable U2F and enable ChromeOS WebAuthn feature flag, register PIN,
     ==> PublicKeyCredential
         .isUserVerifyingPlatformAuthenticatorAvailable()
         .then(console.log) returns false even if PIN is available.
     ==> When attachment=undefined or cross-platform, can use u2fhid to
         do WebAuthn MakeCredential and GetAssertion.
     ==> When attachment=platform, "Your device doesn't support the type
         of security key requested by this site".
TEST=Disable U2F and enable ChromeOS WebAuthn feature flag,
     register PIN,
     => PublicKeyCredential
        .isUserVerifyingPlatformAuthenticatorAvailable()
        .then(console.log) returns true.
     => When attachment=undefined or cross-platform, u2fhid doesn't show
        up.
     => When attachment=platform, can use ChromeOS PIN to do
        MakeCredential and GetAssertion.

Change-Id: I4ce5c9de4aecaa5c1569101065a1278576c9d0cc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2572130
Commit-Queue: Yicheng Li <yichengli@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/master@{#833570}
parent ff65e810
......@@ -641,13 +641,7 @@ std::unique_ptr<device::FidoDiscoveryFactory> MakeDiscoveryFactory(
#endif // defined(OS_WIN)
#if BUILDFLAG(IS_CHROMEOS_ASH)
// Ignore the ChromeOS u2fd virtual U2F HID device for WebAuthn requests so
// that it doesn't collide with the ChromeOS platform authenticator, also
// implemented in u2fd.
if (base::FeatureList::IsEnabled(device::kWebAuthCrosPlatformAuthenticator) &&
!is_u2f_api_request) {
constexpr device::VidPid kChromeOsU2fdVidPid{0x18d1, 0x502c};
discovery_factory->set_hid_ignore_list({kChromeOsU2fdVidPid});
if (base::FeatureList::IsEnabled(device::kWebAuthCrosPlatformAuthenticator)) {
discovery_factory->set_generate_request_id_callback(
request_delegate->GetGenerateRequestIdCallback(render_frame_host));
}
......
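Review bot: The replacement condition `if (base::FeatureList::IsEnabled(device::kWebAuthCrosPlatformAuthenticator))` no longer includes `!is_u2f_api_request`, so `set_generate_request_id_callback` is now installed for U2F API requests as well as WebAuthn requests; please confirm that is intended, or keep the check around that call. The explanatory comment also goes away with the `set_hid_ignore_list` call and nothing replaces it. A short comment above the new `if` stating that the u2fd HID device is deliberately no longer ignored, and that exclusivity with the platform authenticator now comes from the ChromeOS authenticator returning IsUvpaa=false when U2F is enabled (as the commit message says), would help, since that enforcement is not visible in this hunk.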