fido: disable Touch ID for makeCredential with AuthenticatorAttachment::kAny

This disables platform authenticators (i.e. Touch ID) for makeCredential
requests with an unset AuthenticatorAttachment value in
AuthenticatorSelectionCriteria. This is done to prevent Touch ID
fingerprint prompts for requests that could be handled by external
authenticators, as long as Touch ID is not integrated with UI.

Filed crbug.com/873710 to track reversal of this change once UI
integration is there.

Bug: 678128
Change-Id: I7aaffe53dfca7ee14b5a94f9ead2027ab370c35c
Reviewed-on: https://chromium-review.googlesource.com/1172912
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#583020}

device/fido/ctap_response_unittest.cc

@@ -544,7 +544,7 @@ TEST(CTAPResponseTest, TestParseU2fSignWithNullCorruptedSignature) {
 
 TEST(CTAPResponseTest, TestReadGetInfoResponse) {
   auto get_info_response =
-      ReadCTAPGetInfoResponse(test_data::kTestAuthenticatorGetInfoResponse);
+      ReadCTAPGetInfoResponse(test_data::kTestGetInfoResponsePlatformDevice);
   ASSERT_TRUE(get_info_response);
   ASSERT_TRUE(get_info_response->max_msg_size());
   EXPECT_EQ(*get_info_response->max_msg_size(), 1200u);
@@ -592,7 +592,7 @@ TEST(CTAPResponseTest, TestSerializeGetInfoResponse) {
 
   EXPECT_THAT(EncodeToCBOR(response),
               ::testing::ElementsAreArray(
-                  base::make_span(test_data::kTestAuthenticatorGetInfoResponse)
+                  base::make_span(test_data::kTestGetInfoResponsePlatformDevice)
                       .subspan(1)));
 }
 

device/fido/fido_test_data.h

@@ -981,8 +981,8 @@ constexpr uint8_t kCtapGetAssertionRequest[] = {
 
 // CTAP responses --------------------------------------------------------------
 
-// A sample well formed response to CTAP AuthenticatorGetInfo request. Supports
-// platform device, resident key, and user verification.
+// A sample well formed response to CTAP AuthenticatorGetInfo request. Cross
+// platform device that supports resident key, and user verification.
 constexpr uint8_t kTestAuthenticatorGetInfoResponse[] = {
     0x00, 0xA6, 0x01, 0x82, 0x68, 0x46, 0x49, 0x44, 0x4F, 0x5F, 0x32, 0x5F,
     0x30, 0x66, 0x55, 0x32, 0x46, 0x5F, 0x56, 0x32, 0x02, 0x82, 0x63, 0x75,
@@ -990,7 +990,7 @@ constexpr uint8_t kTestAuthenticatorGetInfoResponse[] = {
     0x65, 0x74, 0x03, 0x50, 0xF8, 0xA0, 0x11, 0xF3, 0x8C, 0x0A, 0x4D, 0x15,
     0x80, 0x06, 0x17, 0x11, 0x1F, 0x9E, 0xDC, 0x7D, 0x04, 0xA5, 0x62, 0x72,
     0x6B, 0xF5, 0x62, 0x75, 0x70, 0xF5, 0x62, 0x75, 0x76, 0xF5, 0x64, 0x70,
-    0x6C, 0x61, 0x74, 0xF5, 0x69, 0x63, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x50,
+    0x6C, 0x61, 0x74, 0xF4, 0x69, 0x63, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x50,
     0x69, 0x6E, 0xF4, 0x05, 0x19, 0x04, 0xB0, 0x06, 0x81, 0x01,
 };
 
@@ -1030,16 +1030,16 @@ constexpr uint8_t kTestGetInfoResponseWithoutResidentKeySupport[] = {
 
 // AuthenticatorGetInfo request with all configurations equal to that of
 // kTestAuthenticatorGetInfoResponse except platform device option is set to
-// false.
-constexpr uint8_t kTestGetInfoResponseCrossPlatformDevice[] = {
+// true.
+constexpr uint8_t kTestGetInfoResponsePlatformDevice[] = {
     0x00, 0xA6, 0x01, 0x82, 0x68, 0x46, 0x49, 0x44, 0x4F, 0x5F, 0x32, 0x5F,
     0x30, 0x66, 0x55, 0x32, 0x46, 0x5F, 0x56, 0x32, 0x02, 0x82, 0x63, 0x75,
     0x76, 0x6D, 0x6B, 0x68, 0x6D, 0x61, 0x63, 0x2D, 0x73, 0x65, 0x63, 0x72,
     0x65, 0x74, 0x03, 0x50, 0xF8, 0xA0, 0x11, 0xF3, 0x8C, 0x0A, 0x4D, 0x15,
     0x80, 0x06, 0x17, 0x11, 0x1F, 0x9E, 0xDC, 0x7D, 0x04, 0xA5, 0x62, 0x72,
     0x6B, 0xF5, 0x62, 0x75, 0x70, 0xF5, 0x62, 0x75, 0x76, 0xF5, 0x64, 0x70,
-    // platform device : false
-    0x6C, 0x61, 0x74, 0xF4,
+    // platform device : true
+    0x6C, 0x61, 0x74, 0xF5,
     // End of platform_device setting.
     0x69, 0x63, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x50, 0x69, 0x6E, 0xF4, 0x05,
     0x19, 0x04, 0xB0, 0x06, 0x81, 0x01,

device/fido/make_credential_handler_unittest.cc

@@ -203,6 +203,49 @@ TEST_F(FidoMakeCredentialHandlerTest,
   EXPECT_FALSE(callback().was_called());
 }
 
+// TODO(crbug.com/873710): Platform authenticators are temporarily disabled if
+// AuthenticatorAttachment is unset (kAny).
+TEST_F(FidoMakeCredentialHandlerTest,
+       PlatformDeviceAuthenticatorSelectionCriteriaAnyAttachmentPlatform) {
+  auto request_handler =
+      CreateMakeCredentialHandlerWithAuthenticatorSelectionCriteria(
+          AuthenticatorSelectionCriteria(
+              AuthenticatorSelectionCriteria::AuthenticatorAttachment::kAny,
+              false /* require_resident_key */,
+              UserVerificationRequirement::kPreferred));
+  discovery()->WaitForCallToStartAndSimulateSuccess();
+
+  auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(
+      test_data::kTestGetInfoResponsePlatformDevice);
+  discovery()->AddDevice(std::move(device));
+
+  scoped_task_environment_.FastForwardUntilNoTasksRemain();
+  EXPECT_FALSE(callback().was_called());
+}
+
+// A cross-platform authenticator can respond to a request with
+// AuthenticatorAttachment::kAny.
+TEST_F(FidoMakeCredentialHandlerTest,
+       PlatformDeviceAuthenticatorSelectionCriteriaAnyAttachmentCrossPlatform) {
+  auto request_handler =
+      CreateMakeCredentialHandlerWithAuthenticatorSelectionCriteria(
+          AuthenticatorSelectionCriteria(
+              AuthenticatorSelectionCriteria::AuthenticatorAttachment::kAny,
+              false /* require_resident_key */,
+              UserVerificationRequirement::kPreferred));
+  discovery()->WaitForCallToStartAndSimulateSuccess();
+
+  auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(
+      test_data::kTestAuthenticatorGetInfoResponse);
+  device->ExpectCtap2CommandAndRespondWith(
+      CtapRequestCommand::kAuthenticatorMakeCredential,
+      test_data::kTestMakeCredentialResponse);
+  discovery()->AddDevice(std::move(device));
+
+  scoped_task_environment_.FastForwardUntilNoTasksRemain();
+  EXPECT_TRUE(callback().was_called());
+}
+
 TEST_F(FidoMakeCredentialHandlerTest,
        PlatformDeviceAuthenticatorSelectionCriteria) {
   auto request_handler =
@@ -215,7 +258,7 @@ TEST_F(FidoMakeCredentialHandlerTest,
   discovery()->WaitForCallToStartAndSimulateSuccess();
 
   auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(
-      test_data::kTestGetInfoResponseCrossPlatformDevice);
+      test_data::kTestAuthenticatorGetInfoResponse);
   discovery()->AddDevice(std::move(device));
 
   scoped_task_environment_.FastForwardUntilNoTasksRemain();
@@ -251,7 +294,8 @@ TEST_F(FidoMakeCredentialHandlerTest,
               UserVerificationRequirement::kRequired));
   discovery()->WaitForCallToStartAndSimulateSuccess();
 
-  auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation();
+  auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(
+      test_data::kTestGetInfoResponsePlatformDevice);
   device->ExpectCtap2CommandAndRespondWith(
       CtapRequestCommand::kAuthenticatorMakeCredential,
       test_data::kTestMakeCredentialResponse);

device/fido/make_credential_request_handler.cc

@@ -34,6 +34,11 @@ bool CheckIfAuthenticatorSelectionCriteriaAreSatisfied(
        !options.is_platform_device()) ||
       (authenticator_selection_criteria.authenticator_attachement() ==
            AuthenticatorAttachment::kCrossPlatform &&
+       options.is_platform_device()) ||
+      // TODO(crbug.com/873710): Reenable platform authenticators for kAny,
+      // once Touch ID is integrated into the UI.
+      (authenticator_selection_criteria.authenticator_attachement() ==
+           AuthenticatorAttachment::kAny &&
        options.is_platform_device())) {
     return false;
   }