Create objects to encapsulate CTAP device reponse

Added classes to encapsulate response data received from CTAP
devices as specified by the CTAP protocol.

https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorMakeCredential

Bug: 796782
Change-Id: If5a80846d565ab6a7919aa3236ff78e22b5209ae
Reviewed-on: https://chromium-review.googlesource.com/850895
Commit-Queue: Jun Choi <hongjunchoi@chromium.org>
Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Kim Paulhamus <kpaulhamus@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531932}

device/ctap/BUILD.gn

@@ -6,15 +6,22 @@ import("//build/config/features.gni")
 
 source_set("ctap") {
   sources = [
-    "ctap_device_command.h",
+    "authenticator_get_assertion_response.cc",
+    "authenticator_get_assertion_response.h",
+    "authenticator_get_info_response.cc",
+    "authenticator_get_info_response.h",
+    "authenticator_make_credential_response.cc",
+    "authenticator_make_credential_response.h",
+    "authenticator_supported_options.cc",
+    "authenticator_supported_options.h",
+    "ctap_constants.cc",
+    "ctap_constants.h",
     "ctap_get_assertion_request_param.cc",
     "ctap_get_assertion_request_param.h",
     "ctap_make_credential_request_param.cc",
     "ctap_make_credential_request_param.h",
-    "ctap_request_command.h",
     "ctap_request_param.cc",
     "ctap_request_param.h",
-    "ctap_response_code.h",
     "public_key_credential_descriptor.cc",
     "public_key_credential_descriptor.h",
     "public_key_credential_params.cc",

device/ctap/authenticator_get_assertion_response.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "device/ctap/authenticator_get_assertion_response.h"
+
+#include <utility>
+
+namespace device {
+
+AuthenticatorGetAssertionResponse::AuthenticatorGetAssertionResponse(
+    CTAPDeviceResponseCode response_code,
+    std::vector<uint8_t> auth_data,
+    std::vector<uint8_t> signature,
+    PublicKeyCredentialUserEntity user)
+    : response_code_(response_code),
+      auth_data_(std::move(auth_data)),
+      signature_(std::move(signature)),
+      user_(std::move(user)) {}
+
+AuthenticatorGetAssertionResponse::AuthenticatorGetAssertionResponse(
+    AuthenticatorGetAssertionResponse&& that) = default;
+
+AuthenticatorGetAssertionResponse& AuthenticatorGetAssertionResponse::operator=(
+    AuthenticatorGetAssertionResponse&& other) = default;
+
+AuthenticatorGetAssertionResponse::~AuthenticatorGetAssertionResponse() =
+    default;
+
+AuthenticatorGetAssertionResponse&
+AuthenticatorGetAssertionResponse::SetNumCredentials(uint8_t num_credentials) {
+  num_credentials_ = num_credentials;
+  return *this;
+}
+
+AuthenticatorGetAssertionResponse&
+AuthenticatorGetAssertionResponse::SetCredential(
+    PublicKeyCredentialDescriptor credential) {
+  credential_ = std::move(credential);
+  return *this;
+}
+
+}  // namespace device

device/ctap/authenticator_get_assertion_response.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef DEVICE_CTAP_AUTHENTICATOR_GET_ASSERTION_RESPONSE_H_
+#define DEVICE_CTAP_AUTHENTICATOR_GET_ASSERTION_RESPONSE_H_
+
+#include <stdint.h>
+
+#include <vector>
+
+#include "base/macros.h"
+#include "base/optional.h"
+#include "device/ctap/ctap_constants.h"
+#include "device/ctap/public_key_credential_descriptor.h"
+#include "device/ctap/public_key_credential_user_entity.h"
+
+namespace device {
+
+// Represents response from authenticators for AuthenticatorGetAssertion and
+// AuthenticatorGetNextAssertion requests.
+// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorGetAssertion
+class AuthenticatorGetAssertionResponse {
+ public:
+  AuthenticatorGetAssertionResponse(CTAPDeviceResponseCode response_code,
+                                    std::vector<uint8_t> auth_data,
+                                    std::vector<uint8_t> signature,
+                                    PublicKeyCredentialUserEntity user);
+  AuthenticatorGetAssertionResponse(AuthenticatorGetAssertionResponse&& that);
+  AuthenticatorGetAssertionResponse& operator=(
+      AuthenticatorGetAssertionResponse&& other);
+  ~AuthenticatorGetAssertionResponse();
+
+  AuthenticatorGetAssertionResponse& SetNumCredentials(uint8_t num_credentials);
+  AuthenticatorGetAssertionResponse& SetCredential(
+      PublicKeyCredentialDescriptor credential);
+
+  CTAPDeviceResponseCode response_code() const { return response_code_; }
+  const std::vector<uint8_t>& auth_data() const { return auth_data_; }
+  const std::vector<uint8_t>& signature() const { return signature_; }
+  const PublicKeyCredentialUserEntity& user() const { return user_; }
+  const base::Optional<uint8_t>& num_credentials() const {
+    return num_credentials_;
+  }
+  const base::Optional<PublicKeyCredentialDescriptor>& credential() const {
+    return credential_;
+  }
+
+ private:
+  CTAPDeviceResponseCode response_code_;
+  std::vector<uint8_t> auth_data_;
+  std::vector<uint8_t> signature_;
+  PublicKeyCredentialUserEntity user_;
+  base::Optional<uint8_t> num_credentials_;
+  base::Optional<PublicKeyCredentialDescriptor> credential_;
+
+  DISALLOW_COPY_AND_ASSIGN(AuthenticatorGetAssertionResponse);
+};
+
+}  // namespace device
+
+#endif  // DEVICE_CTAP_AUTHENTICATOR_GET_ASSERTION_RESPONSE_H_

device/ctap/authenticator_get_info_response.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "device/ctap/authenticator_get_info_response.h"
+
+#include <utility>
+
+namespace device {
+
+AuthenticatorGetInfoResponse::AuthenticatorGetInfoResponse(
+    CTAPDeviceResponseCode response_code,
+    std::vector<std::string> versions,
+    std::vector<uint8_t> aaguid)
+    : response_code_(response_code),
+      versions_(std::move(versions)),
+      aaguid_(std::move(aaguid)) {}
+
+AuthenticatorGetInfoResponse::AuthenticatorGetInfoResponse(
+    AuthenticatorGetInfoResponse&& that) = default;
+
+AuthenticatorGetInfoResponse& AuthenticatorGetInfoResponse::operator=(
+    AuthenticatorGetInfoResponse&& other) = default;
+
+AuthenticatorGetInfoResponse::~AuthenticatorGetInfoResponse() = default;
+
+AuthenticatorGetInfoResponse& AuthenticatorGetInfoResponse::SetMaxMsgSize(
+    uint8_t max_msg_size) {
+  max_msg_size_ = max_msg_size;
+  return *this;
+}
+
+AuthenticatorGetInfoResponse& AuthenticatorGetInfoResponse::SetPinProtocols(
+    std::vector<uint8_t> pin_protocols) {
+  pin_protocols_ = std::move(pin_protocols);
+  return *this;
+}
+
+AuthenticatorGetInfoResponse& AuthenticatorGetInfoResponse::SetExtensions(
+    std::vector<std::string> extensions) {
+  extensions_ = std::move(extensions);
+  return *this;
+}
+
+AuthenticatorGetInfoResponse& AuthenticatorGetInfoResponse::SetOptions(
+    AuthenticatorSupportedOptions options) {
+  options_ = std::move(options);
+  return *this;
+}
+
+}  // namespace device

device/ctap/authenticator_get_info_response.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef DEVICE_CTAP_AUTHENTICATOR_GET_INFO_RESPONSE_H_
+#define DEVICE_CTAP_AUTHENTICATOR_GET_INFO_RESPONSE_H_
+
+#include <stdint.h>
+
+#include <string>
+#include <vector>
+
+#include "base/macros.h"
+#include "base/optional.h"
+#include "device/ctap/authenticator_supported_options.h"
+#include "device/ctap/ctap_constants.h"
+
+namespace device {
+
+// Authenticator response for AuthenticatorGetInfo request that encapsulates
+// versions, options, AAGUID(Authenticator Attestation GUID), other
+// authenticator device information.
+// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorGetInfo
+class AuthenticatorGetInfoResponse {
+ public:
+  AuthenticatorGetInfoResponse(CTAPDeviceResponseCode response_code,
+                               std::vector<std::string> versions,
+                               std::vector<uint8_t> aaguid);
+  AuthenticatorGetInfoResponse(AuthenticatorGetInfoResponse&& that);
+  AuthenticatorGetInfoResponse& operator=(AuthenticatorGetInfoResponse&& other);
+  ~AuthenticatorGetInfoResponse();
+
+  AuthenticatorGetInfoResponse& SetMaxMsgSize(uint8_t max_msg_size);
+  AuthenticatorGetInfoResponse& SetPinProtocols(
+      std::vector<uint8_t> pin_protocols);
+  AuthenticatorGetInfoResponse& SetExtensions(
+      std::vector<std::string> extensions);
+  AuthenticatorGetInfoResponse& SetOptions(
+      AuthenticatorSupportedOptions options);
+
+  CTAPDeviceResponseCode response_code() const { return response_code_; }
+  const std::vector<std::string>& versions() { return versions_; }
+  const std::vector<uint8_t>& aaguid() const { return aaguid_; }
+  const base::Optional<uint8_t>& max_msg_size() const { return max_msg_size_; }
+  const base::Optional<std::vector<uint8_t>>& pin_protocol() const {
+    return pin_protocols_;
+  }
+  const base::Optional<std::vector<std::string>>& extensions() const {
+    return extensions_;
+  }
+  const base::Optional<AuthenticatorSupportedOptions>& options() const {
+    return options_;
+  }
+
+ private:
+  CTAPDeviceResponseCode response_code_;
+  std::vector<std::string> versions_;
+  std::vector<uint8_t> aaguid_;
+  base::Optional<uint8_t> max_msg_size_;
+  base::Optional<std::vector<uint8_t>> pin_protocols_;
+  base::Optional<std::vector<std::string>> extensions_;
+  base::Optional<AuthenticatorSupportedOptions> options_;
+
+  DISALLOW_COPY_AND_ASSIGN(AuthenticatorGetInfoResponse);
+};
+
+}  // namespace device
+
+#endif  // DEVICE_CTAP_AUTHENTICATOR_GET_INFO_RESPONSE_H_

device/ctap/authenticator_make_credential_response.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "device/ctap/authenticator_make_credential_response.h"
+
+#include <utility>
+
+namespace device {
+
+AuthenticatorMakeCredentialResponse::AuthenticatorMakeCredentialResponse(
+    CTAPDeviceResponseCode response_code,
+    std::vector<uint8_t> attestation_object)
+    : response_code_(response_code),
+      attestation_object_(std::move(attestation_object)) {}
+
+AuthenticatorMakeCredentialResponse::AuthenticatorMakeCredentialResponse(
+    AuthenticatorMakeCredentialResponse&& that) = default;
+
+AuthenticatorMakeCredentialResponse& AuthenticatorMakeCredentialResponse::
+operator=(AuthenticatorMakeCredentialResponse&& other) = default;
+
+AuthenticatorMakeCredentialResponse::~AuthenticatorMakeCredentialResponse() =
+    default;
+
+}  // namespace device

device/ctap/authenticator_make_credential_response.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef DEVICE_CTAP_AUTHENTICATOR_MAKE_CREDENTIAL_RESPONSE_H_
+#define DEVICE_CTAP_AUTHENTICATOR_MAKE_CREDENTIAL_RESPONSE_H_
+
+#include <stdint.h>
+
+#include <vector>
+
+#include "base/macros.h"
+#include "device/ctap/ctap_constants.h"
+
+namespace device {
+
+// Attestation object which includes attestation format, authentication
+// data, and attestation statement returned by the authenticator as a response
+// to MakeCredential request.
+// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorMakeCredential
+class AuthenticatorMakeCredentialResponse {
+ public:
+  AuthenticatorMakeCredentialResponse(CTAPDeviceResponseCode response_code,
+                                      std::vector<uint8_t> attestation_object);
+
+  AuthenticatorMakeCredentialResponse(
+      AuthenticatorMakeCredentialResponse&& that);
+  AuthenticatorMakeCredentialResponse& operator=(
+      AuthenticatorMakeCredentialResponse&& other);
+  ~AuthenticatorMakeCredentialResponse();
+
+  CTAPDeviceResponseCode response_code() const { return response_code_; }
+  const std::vector<uint8_t>& attestation_object() const {
+    return attestation_object_;
+  }
+
+ private:
+  CTAPDeviceResponseCode response_code_;
+  std::vector<uint8_t> attestation_object_;
+
+  DISALLOW_COPY_AND_ASSIGN(AuthenticatorMakeCredentialResponse);
+};
+
+}  // namespace device
+
+#endif  // DEVICE_CTAP_AUTHENTICATOR_MAKE_CREDENTIAL_RESPONSE_H_

device/ctap/authenticator_supported_options.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "device/ctap/authenticator_supported_options.h"
+
+namespace device {
+
+AuthenticatorSupportedOptions::AuthenticatorSupportedOptions() = default;
+
+AuthenticatorSupportedOptions::AuthenticatorSupportedOptions(
+    AuthenticatorSupportedOptions&& other) = default;
+
+AuthenticatorSupportedOptions& AuthenticatorSupportedOptions::operator=(
+    AuthenticatorSupportedOptions&& other) = default;
+
+AuthenticatorSupportedOptions::~AuthenticatorSupportedOptions() = default;
+
+AuthenticatorSupportedOptions&
+AuthenticatorSupportedOptions::SetIsPlatformDevice(bool is_platform_device) {
+  is_platform_device_ = is_platform_device;
+  return *this;
+}
+
+AuthenticatorSupportedOptions&
+AuthenticatorSupportedOptions::SetSupportsResidentKey(
+    bool supports_resident_key) {
+  supports_resident_key_ = supports_resident_key;
+  return *this;
+}
+
+AuthenticatorSupportedOptions&
+AuthenticatorSupportedOptions::SetUserVerificationRequired(
+    bool user_verification_required) {
+  user_verification_required_ = user_verification_required;
+  return *this;
+}
+
+AuthenticatorSupportedOptions&
+AuthenticatorSupportedOptions::SetUserPresenceRequired(
+    bool user_presence_required) {
+  user_presence_required_ = user_presence_required;
+  return *this;
+}
+
+AuthenticatorSupportedOptions&
+AuthenticatorSupportedOptions::SetClientPinStored(bool client_pin_stored) {
+  client_pin_stored_ = client_pin_stored;
+  return *this;
+}
+
+}  // namespace device

device/ctap/authenticator_supported_options.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef DEVICE_CTAP_AUTHENTICATOR_SUPPORTED_OPTIONS_H_
+#define DEVICE_CTAP_AUTHENTICATOR_SUPPORTED_OPTIONS_H_
+
+#include "base/macros.h"
+#include "base/optional.h"
+#include "components/cbor/cbor_values.h"
+
+namespace device {
+
+// Represents CTAP device properties and capabilities received as a response to
+// AuthenticatorGetInfo command.
+class AuthenticatorSupportedOptions {
+ public:
+  AuthenticatorSupportedOptions();
+  AuthenticatorSupportedOptions(AuthenticatorSupportedOptions&& other);
+  AuthenticatorSupportedOptions& operator=(
+      AuthenticatorSupportedOptions&& other);
+  ~AuthenticatorSupportedOptions();
+
+  cbor::CBORValue ConvertToCBOR() const;
+  AuthenticatorSupportedOptions& SetIsPlatformDevice(bool is_platform_device);
+  AuthenticatorSupportedOptions& SetSupportsResidentKey(
+      bool supports_resident_key);
+  AuthenticatorSupportedOptions& SetUserVerificationRequired(
+      bool user_verification_required);
+  AuthenticatorSupportedOptions& SetUserPresenceRequired(
+      bool user_presence_required);
+  AuthenticatorSupportedOptions& SetClientPinStored(bool client_pin_stored);
+
+  bool is_platform_device() const { return is_platform_device_; }
+  bool supports_resident_key() const { return supports_resident_key_; }
+  bool user_verification_required() const {
+    return user_verification_required_;
+  }
+  bool user_presence_required() const { return user_presence_required_; }
+  const base::Optional<bool>& client_pin_stored() const {
+    return client_pin_stored_;
+  }
+
+ private:
+  // Indicates that the device is attached to the client and therefore can't be
+  // removed and used on another client.
+  bool is_platform_device_ = false;
+  // Indicates that the device is capable of storing keys on the device itself
+  // and therefore can satisfy the authenticatorGetAssertion request with
+  // allowList parameter not specified or empty.
+  bool supports_resident_key_ = false;
+  bool user_verification_required_ = false;
+  bool user_presence_required_ = true;
+  // Represents whether client pin in set and stored in device. Set as null
+  // optional if client pin capability is not supported by the authenticator.
+  base::Optional<bool> client_pin_stored_;
+
+  DISALLOW_COPY_AND_ASSIGN(AuthenticatorSupportedOptions);
+};
+
+}  // namespace device
+
+#endif  // DEVICE_CTAP_AUTHENTICATOR_SUPPORTED_OPTIONS_H_

device/ctap/ctap_constants.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "device/ctap/ctap_constants.h"
+
+namespace device {
+
+const char kResidentKeyMapKey[] = "rk";
+const char kUserVerificationMapKey[] = "uv";
+const char kUserPresenceMapKey[] = "up";
+
+}  // namespace device

device/ctap/ctap_response_code.h → device/ctap/ctap_constants.h

-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef DEVICE_CTAP_CTAP_RESPONSE_CODE_H_
-#define DEVICE_CTAP_CTAP_RESPONSE_CODE_H_
+#ifndef DEVICE_CTAP_CTAP_CONSTANTS_H_
+#define DEVICE_CTAP_CTAP_CONSTANTS_H_
 
 #include <stdint.h>
+
+#include <array>
 #include <vector>
 
 namespace device {
 
 // CTAP protocol device response code, as specified in
 // https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticator-api
-enum class CTAPResponseCode : uint8_t {
+enum class CTAPDeviceResponseCode : uint8_t {
   kSuccess = 0x00,
   kCtap1ErrInvalidCommand = 0x01,
   kCtap1ErrInvalidParameter = 0x02,
@@ -66,6 +68,90 @@ enum class CTAPResponseCode : uint8_t {
   kCtap2ErrVendorLast = 0xFF
 };
 
+// Commands supported by CTAPHID device as specified in
+// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#ctaphid-commands
+enum class CTAPHIDDeviceCommand : uint8_t {
+  kCtapHidMsg = 0x03,
+  kCtapHidCBOR = 0x10,
+  kCtapHidInit = 0x06,
+  kCtapHidPing = 0x01,
+  kCtapHidCancel = 0x11,
+  kCtapHidError = 0x3F,
+  kCtapHidKeepAlive = 0x3B,
+  kCtapHidWink = 0x08,
+  kCtapHidLock = 0x04,
+};
+
+// Authenticator API commands supported by CTAP devices, as specified in
+// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticator-api
+enum class CTAPRequestCommand : uint8_t {
+  kAuthenticatorMakeCredential = 0x01,
+  kAuthenticatorGetAssertion = 0x02,
+  kAuthenticatorGetNextAssertion = 0x08,
+  kAuthenticatorCancel = 0x03,
+  kAuthenticatorGetInfo = 0x04,
+  kAuthenticatorClientPin = 0x06,
+  kAuthenticatorReset = 0x07,
+};
+
+constexpr std::array<CTAPDeviceResponseCode, 51> GetCTAPResponseCodeList() {
+  return {CTAPDeviceResponseCode::kSuccess,
+          CTAPDeviceResponseCode::kCtap1ErrInvalidCommand,
+          CTAPDeviceResponseCode::kCtap1ErrInvalidParameter,
+          CTAPDeviceResponseCode::kCtap1ErrInvalidLength,
+          CTAPDeviceResponseCode::kCtap1ErrInvalidSeq,
+          CTAPDeviceResponseCode::kCtap1ErrTimeout,
+          CTAPDeviceResponseCode::kCtap1ErrChannelBusy,
+          CTAPDeviceResponseCode::kCtap1ErrLockRequired,
+          CTAPDeviceResponseCode::kCtap1ErrInvalidChannel,
+          CTAPDeviceResponseCode::kCtap2ErrCBORParsing,
+          CTAPDeviceResponseCode::kCtap2ErrUnexpectedType,
+          CTAPDeviceResponseCode::kCtap2ErrInvalidCBOR,
+          CTAPDeviceResponseCode::kCtap2ErrInvalidCBORType,
+          CTAPDeviceResponseCode::kCtap2ErrMissingParameter,
+          CTAPDeviceResponseCode::kCtap2ErrLimitExceeded,
+          CTAPDeviceResponseCode::kCtap2ErrUnsupportedExtension,
+          CTAPDeviceResponseCode::kCtap2ErrTooManyElements,
+          CTAPDeviceResponseCode::kCtap2ErrExtensionNotSupported,
+          CTAPDeviceResponseCode::kCtap2ErrCredentialExcluded,
+          CTAPDeviceResponseCode::kCtap2ErrCredentialNotValid,
+          CTAPDeviceResponseCode::kCtap2ErrProcesssing,
+          CTAPDeviceResponseCode::kCtap2ErrInvalidCredential,
+          CTAPDeviceResponseCode::kCtap2ErrUserActionPending,
+          CTAPDeviceResponseCode::kCtap2ErrOperationPending,
+          CTAPDeviceResponseCode::kCtap2ErrNoOperations,
+          CTAPDeviceResponseCode::kCtap2ErrUnsupportedAlgorithms,
+          CTAPDeviceResponseCode::kCtap2ErrOperationDenied,
+          CTAPDeviceResponseCode::kCtap2ErrKeyStoreFull,
+          CTAPDeviceResponseCode::kCtap2ErrNotBusy,
+          CTAPDeviceResponseCode::kCtap2ErrNoOperationPending,
+          CTAPDeviceResponseCode::kCtap2ErrUnsupportedOption,
+          CTAPDeviceResponseCode::kCtap2ErrInvalidOption,
+          CTAPDeviceResponseCode::kCtap2ErrKeepAliveCancel,
+          CTAPDeviceResponseCode::kCtap2ErrNoCredentials,
+          CTAPDeviceResponseCode::kCtap2ErrUserActionTimeout,
+          CTAPDeviceResponseCode::kCtap2ErrNotAllowed,
+          CTAPDeviceResponseCode::kCtap2ErrPinInvalid,
+          CTAPDeviceResponseCode::kCtap2ErrPinBlocked,
+          CTAPDeviceResponseCode::kCtap2ErrPinAuthInvalid,
+          CTAPDeviceResponseCode::kCtap2ErrPinAuthBlocked,
+          CTAPDeviceResponseCode::kCtap2ErrPinNotSet,
+          CTAPDeviceResponseCode::kCtap2ErrPinRequired,
+          CTAPDeviceResponseCode::kCtap2ErrPinPolicyViolation,
+          CTAPDeviceResponseCode::kCtap2ErrPinTokenExpired,
+          CTAPDeviceResponseCode::kCtap2ErrRequestTooLarge,
+          CTAPDeviceResponseCode::kCtap2ErrOther,
+          CTAPDeviceResponseCode::kCtap2ErrSpecLast,
+          CTAPDeviceResponseCode::kCtap2ErrExtensionFirst,
+          CTAPDeviceResponseCode::kCtap2ErrExtensionLast,
+          CTAPDeviceResponseCode::kCtap2ErrVendorFirst,
+          CTAPDeviceResponseCode::kCtap2ErrVendorLast};
+}
+
+extern const char kResidentKeyMapKey[];
+extern const char kUserVerificationMapKey[];
+extern const char kUserPresenceMapKey[];
+
 }  // namespace device
 
-#endif  // DEVICE_CTAP_CTAP_RESPONSE_CODE_H_
+#endif  // DEVICE_CTAP_CTAP_CONSTANTS_H_

device/ctap/ctap_device_command.h

-// Copyright 2017 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef DEVICE_CTAP_CTAP_DEVICE_COMMAND_H_
-#define DEVICE_CTAP_CTAP_DEVICE_COMMAND_H_
-
-#include <stdint.h>
-
-namespace device {
-
-// Commands supported by CTAPHID device as specified in
-// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#ctaphid-commands
-enum class CTAPHIDDeviceCommand : uint8_t {
-  kCtapHidMsg = 0x03,
-  kCtapHidCBOR = 0x10,
-  kCtapHidInit = 0x06,
-  kCtapHidPing = 0x01,
-  kCtapHidCancel = 0x11,
-  kCtapHidError = 0x3F,
-  kCtapHidKeepAlive = 0x3B,
-  kCtapHidWink = 0x08,
-  kCtapHidLock = 0x04,
-};
-
-}  // namespace device
-
-#endif  // DEVICE_CTAP_CTAP_DEVICE_COMMAND_H_

device/ctap/ctap_get_assertion_request_param.cc

@@ -8,7 +8,7 @@
 
 #include "base/numerics/safe_conversions.h"
 #include "components/cbor/cbor_writer.h"
-#include "device/ctap/ctap_request_command.h"
+#include "device/ctap/ctap_constants.h"
 
 namespace device {
 
@@ -48,11 +48,24 @@ CTAPGetAssertionRequestParam::SerializeToCBOR() const {
     cbor_map[cbor::CBORValue(7)] = cbor::CBORValue(*pin_protocol_);
   }
 
+  auto user_presence = user_presence_required_
+                           ? cbor::CBORValue::SimpleValue::TRUE_VALUE
+                           : cbor::CBORValue::SimpleValue::FALSE_VALUE;
+  auto user_verification = user_verification_required_
+                               ? cbor::CBORValue::SimpleValue::TRUE_VALUE
+                               : cbor::CBORValue::SimpleValue::FALSE_VALUE;
+
+  cbor::CBORValue::MapValue option_map;
+  option_map[cbor::CBORValue(kUserPresenceMapKey)] =
+      cbor::CBORValue(user_presence);
+  option_map[cbor::CBORValue(kUserVerificationMapKey)] =
+      cbor::CBORValue(user_verification);
+  cbor_map[cbor::CBORValue(7)] = cbor::CBORValue(std::move(option_map));
+
   auto serialized_param =
       cbor::CBORWriter::Write(cbor::CBORValue(std::move(cbor_map)));
-  if (!serialized_param) {
+  if (!serialized_param)
     return base::nullopt;
-  }
 
   std::vector<uint8_t> cbor_request({base::strict_cast<uint8_t>(
       CTAPRequestCommand::kAuthenticatorGetAssertion)});
@@ -61,6 +74,20 @@ CTAPGetAssertionRequestParam::SerializeToCBOR() const {
   return cbor_request;
 }
 
+CTAPGetAssertionRequestParam&
+CTAPGetAssertionRequestParam::SetUserVerificationRequired(
+    bool user_verification_required) {
+  user_verification_required_ = user_verification_required;
+  return *this;
+}
+
+CTAPGetAssertionRequestParam&
+CTAPGetAssertionRequestParam::SetUserPresenceRequired(
+    bool user_presence_required) {
+  user_presence_required_ = user_presence_required;
+  return *this;
+}
+
 CTAPGetAssertionRequestParam& CTAPGetAssertionRequestParam::SetAllowList(
     std::vector<PublicKeyCredentialDescriptor> allow_list) {
   allow_list_ = std::move(allow_list);

device/ctap/ctap_get_assertion_request_param.h

@@ -6,6 +6,7 @@
 #define DEVICE_CTAP_CTAP_GET_ASSERTION_REQUEST_PARAM_H_
 
 #include <stdint.h>
+
 #include <string>
 #include <vector>
 
@@ -26,6 +27,10 @@ class CTAPGetAssertionRequestParam : public CTAPRequestParam {
   ~CTAPGetAssertionRequestParam() override;
 
   base::Optional<std::vector<uint8_t>> SerializeToCBOR() const override;
+  CTAPGetAssertionRequestParam& SetUserVerificationRequired(
+      bool user_verfication_required);
+  CTAPGetAssertionRequestParam& SetUserPresenceRequired(
+      bool user_presence_required);
   CTAPGetAssertionRequestParam& SetAllowList(
       std::vector<PublicKeyCredentialDescriptor> allow_list);
   CTAPGetAssertionRequestParam& SetPinAuth(std::vector<uint8_t> pin_auth);
@@ -34,6 +39,9 @@ class CTAPGetAssertionRequestParam : public CTAPRequestParam {
  private:
   std::string rp_id_;
   std::vector<uint8_t> client_data_hash_;
+  bool user_verification_required_ = false;
+  bool user_presence_required_ = true;
+
   base::Optional<std::vector<PublicKeyCredentialDescriptor>> allow_list_;
   base::Optional<std::vector<uint8_t>> pin_auth_;
   base::Optional<uint8_t> pin_protocol_;

device/ctap/ctap_make_credential_request_param.cc

@@ -8,7 +8,7 @@
 
 #include "base/numerics/safe_conversions.h"
 #include "components/cbor/cbor_writer.h"
-#include "device/ctap/ctap_request_command.h"
+#include "device/ctap/ctap_constants.h"
 
 namespace device {
 
@@ -53,8 +53,22 @@ CTAPMakeCredentialRequestParam::SerializeToCBOR() const {
     cbor_map[cbor::CBORValue(9)] = cbor::CBORValue(*pin_protocol_);
   }
 
+  auto resident_key = resident_key_ ? cbor::CBORValue::SimpleValue::TRUE_VALUE
+                                    : cbor::CBORValue::SimpleValue::FALSE_VALUE;
+  auto user_verification_required =
+      user_verification_required_ ? cbor::CBORValue::SimpleValue::TRUE_VALUE
+                                  : cbor::CBORValue::SimpleValue::FALSE_VALUE;
+
+  cbor::CBORValue::MapValue option_map;
+  option_map[cbor::CBORValue(kResidentKeyMapKey)] =
+      cbor::CBORValue(resident_key);
+  option_map[cbor::CBORValue(kUserVerificationMapKey)] =
+      cbor::CBORValue(user_verification_required);
+  cbor_map[cbor::CBORValue(7)] = cbor::CBORValue(std::move(option_map));
+
   auto serialized_param =
       cbor::CBORWriter::Write(cbor::CBORValue(std::move(cbor_map)));
+
   if (!serialized_param)
     return base::nullopt;
 
@@ -65,6 +79,19 @@ CTAPMakeCredentialRequestParam::SerializeToCBOR() const {
   return cbor_request;
 }
 
+CTAPMakeCredentialRequestParam&
+CTAPMakeCredentialRequestParam::SetUserVerificationRequired(
+    bool user_verification_required) {
+  user_verification_required_ = user_verification_required;
+  return *this;
+}
+
+CTAPMakeCredentialRequestParam& CTAPMakeCredentialRequestParam::SetResidentKey(
+    bool resident_key) {
+  resident_key_ = resident_key;
+  return *this;
+}
+
 CTAPMakeCredentialRequestParam& CTAPMakeCredentialRequestParam::SetExcludeList(
     std::vector<PublicKeyCredentialDescriptor> exclude_list) {
   exclude_list_ = std::move(exclude_list);

device/ctap/ctap_make_credential_request_param.h

@@ -34,6 +34,9 @@ class CTAPMakeCredentialRequestParam : public CTAPRequestParam {
   ~CTAPMakeCredentialRequestParam() override;
 
   base::Optional<std::vector<uint8_t>> SerializeToCBOR() const override;
+  CTAPMakeCredentialRequestParam& SetUserVerificationRequired(
+      bool user_verfication_required);
+  CTAPMakeCredentialRequestParam& SetResidentKey(bool resident_key);
   CTAPMakeCredentialRequestParam& SetExcludeList(
       std::vector<PublicKeyCredentialDescriptor> exclude_list);
   CTAPMakeCredentialRequestParam& SetPinAuth(std::vector<uint8_t> pin_auth);
@@ -44,6 +47,9 @@ class CTAPMakeCredentialRequestParam : public CTAPRequestParam {
   PublicKeyCredentialRPEntity rp_;
   PublicKeyCredentialUserEntity user_;
   PublicKeyCredentialParams public_key_credentials_;
+  bool user_verification_required_ = false;
+  bool resident_key_ = false;
+
   base::Optional<std::vector<PublicKeyCredentialDescriptor>> exclude_list_;
   base::Optional<std::vector<uint8_t>> pin_auth_;
   base::Optional<uint8_t> pin_protocol_;

device/ctap/ctap_request_command.h

-// Copyright 2017 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef DEVICE_CTAP_CTAP_REQUEST_COMMAND_H_
-#define DEVICE_CTAP_CTAP_REQUEST_COMMAND_H_
-
-#include <stdint.h>
-
-namespace device {
-
-// Authenticator API commands supported by CTAP devices, as specified in
-// https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticator-api
-enum class CTAPRequestCommand : uint8_t {
-  kAuthenticatorMakeCredential = 0x01,
-  kAuthenticatorGetAssertion = 0x02,
-  kAuthenticatorGetNextAssertion = 0x08,
-  kAuthenticatorCancel = 0x03,
-  kAuthenticatorGetInfo = 0x04,
-  kAuthenticatorClientPin = 0x06,
-  kAuthenticatorReset = 0x07,
-};
-
-}  // namespace device
-
-#endif  // DEVICE_CTAP_CTAP_REQUEST_COMMAND_H_

device/ctap/ctap_request_unittest.cc

@@ -26,7 +26,7 @@ TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParam) {
   const std::vector<uint8_t> kSerializedRequest = {
       // clang format-off
       0x01,        // authenticatorMakeCredential command
-      0xa4,        // map(4)
+      0xa5,        // map(5)
       0x01,        //  clientDataHash
       0x58, 0x20,  // bytes(32)
       0x68, 0x71, 0x34, 0x96, 0x82, 0x22, 0xec, 0x17, 0x20, 0x2e, 0x42, 0x50,
@@ -94,7 +94,17 @@ TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParam) {
       0x74, 0x79, 0x70, 0x65,  // "type"
       0x6a,                    // text(10)
       // "public-key"
-      0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79
+      0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79,
+
+      0x07,        // unsigned(7) - options
+      0xa2,        // map(2)
+      0x62,        // text(2)
+      0x72, 0x6b,  // "rk"
+      0xf5,        // True(21)
+      0x62,        // text(2)
+      0x75, 0x76,  // "uv"
+      0xf5         // True(21)
+
       // clang format-on
   };
 
@@ -109,7 +119,9 @@ TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParam) {
   CTAPMakeCredentialRequestParam make_credential_param(
       kClientDataHash, std::move(rp), std::move(user),
       PublicKeyCredentialParams({{"public-key", 7}, {"public-key", 257}}));
-  auto serialized_data = make_credential_param.SerializeToCBOR();
+  auto serialized_data = make_credential_param.SetResidentKey(true)
+                             .SetUserVerificationRequired(true)
+                             .SerializeToCBOR();
   ASSERT_TRUE(serialized_data);
   EXPECT_THAT(*serialized_data, testing::ElementsAreArray(kSerializedRequest));
 }
@@ -123,7 +135,7 @@ TEST(CTAPRequestTest, TestConstructGetAssertionRequest) {
   static const uint8_t kSerializedRequest[] = {
       // clang format-off
       0x02,  // authenticatorGetAssertion command
-      0xa3,  // map(3)
+      0xa4,  // map(4)
 
       0x01,  // rpId
       0x68,  // text(8)
@@ -170,6 +182,16 @@ TEST(CTAPRequestTest, TestConstructGetAssertionRequest) {
       0x6a,                    // text(10)
       // "public-key"
       0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79,
+
+      0x07,        // unsigned(7) - options
+      0xa2,        // map(2)
+      0x62,        // text(2)
+      0x75, 0x70,  // "up"
+      0xf5,        // True(21)
+      0x62,        // text(2)
+      0x75, 0x76,  // "uv"
+      0xf5         // True(21)
+
       // clang format-on
   };
 
@@ -191,7 +213,9 @@ TEST(CTAPRequestTest, TestConstructGetAssertionRequest) {
        0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
        0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03}));
 
-  get_assertion_req.SetAllowList(std::move(allowed_list));
+  get_assertion_req.SetAllowList(std::move(allowed_list))
+      .SetUserPresenceRequired(true)
+      .SetUserVerificationRequired(true);
 
   auto serialized_data = get_assertion_req.SerializeToCBOR();
   ASSERT_TRUE(serialized_data);