device/fido/mac: move keychain-access-group into //content/browser.

This moves the definition of the concrete keychain-access-group value
into AuthenticatorRequestClientDelegate, rather than hard-coding it in
the TouchIdAuthenticator. In the process, TouchIdAuthenticator creation
is moved out of //device/fido and into AuthenticatorImpl because of the
dependency on values from //content/browser.

For Chrome specifically, also update the keychain-access-group value to
match what we're setting it to in official builds since
crrev.com/c/1079833.

Bug: 837392, 848052
Change-Id: I97ef8972fed7ee29c597b9ab510d4a642b5a165a
Reviewed-on: https://chromium-review.googlesource.com/1083712
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#567349}

chrome/browser/webauthn/chrome_authenticator_request_delegate.cc

@@ -156,6 +156,18 @@ bool ChromeAuthenticatorRequestDelegate::IsFocused() {
 #endif
 }
 
+#if defined(OS_MACOSX)
+base::StringPiece
+ChromeAuthenticatorRequestDelegate::TouchIdAuthenticatorKeychainAccessGroup() {
+  // This exact value must be whitelisted in the keychain-access-group section
+  // of the entitlements plist file with which Chrome is signed. Note that
+  // even though the bundle identifier for the Canary channel differs from that
+  // of the other channels, Canary still uses the same keychain access group.
+  static const char* access_group = "EQHXZ8M8AV.com.google.Chrome.webauthn";
+  return access_group;
+}
+#endif
+
 void ChromeAuthenticatorRequestDelegate::OnModelDestroyed() {
   DCHECK(weak_dialog_model_);
   weak_dialog_model_ = nullptr;

chrome/browser/webauthn/chrome_authenticator_request_delegate.h

@@ -6,6 +6,7 @@
 #define CHROME_BROWSER_WEBAUTHN_CHROME_AUTHENTICATOR_REQUEST_DELEGATE_H_
 
 #include "base/memory/weak_ptr.h"
+#include "build/build_config.h"
 #include "chrome/browser/webauthn/authenticator_request_dialog_model.h"
 #include "content/public/browser/authenticator_request_client_delegate.h"
 
@@ -39,6 +40,9 @@ class ChromeAuthenticatorRequestDelegate
       const std::string& relying_party_id,
       base::OnceCallback<void(bool)> callback) override;
   bool IsFocused() override;
+#if defined(OS_MACOSX)
+  base::StringPiece TouchIdAuthenticatorKeychainAccessGroup() override;
+#endif
 
   // AuthenticatorRequestDialogModel::Observer:
   void OnModelDestroyed() override;

content/browser/webauth/authenticator_impl.cc

@@ -32,6 +32,7 @@
 #include "device/fido/authenticator_selection_criteria.h"
 #include "device/fido/ctap_get_assertion_request.h"
 #include "device/fido/ctap_make_credential_request.h"
+#include "device/fido/fido_authenticator.h"
 #include "device/fido/fido_transport_protocol.h"
 #include "device/fido/get_assertion_request_handler.h"
 #include "device/fido/make_credential_request_handler.h"
@@ -44,6 +45,10 @@
 #include "url/url_constants.h"
 #include "url/url_util.h"
 
+#if defined(OS_MACOSX)
+#include "device/fido/mac/authenticator.h"
+#endif
+
 namespace content {
 
 namespace client_data {
@@ -327,11 +332,6 @@ AuthenticatorImpl::AuthenticatorImpl(RenderFrameHost* render_frame_host,
     protocols_.insert(
         device::FidoTransportProtocol::kCloudAssistedBluetoothLowEnergy);
   }
-#if defined(OS_MACOSX)
-  if (base::FeatureList::IsEnabled(features::kWebAuthTouchId)) {
-    protocols_.insert(device::FidoTransportProtocol::kInternal);
-  }
-#endif
 }
 
 AuthenticatorImpl::~AuthenticatorImpl() {
@@ -487,20 +487,22 @@ void AuthenticatorImpl::MakeCredential(
   protocols_.erase(
       device::FidoTransportProtocol::kCloudAssistedBluetoothLowEnergy);
 
-    auto authenticator_selection_criteria =
-        options->authenticator_selection
-            ? mojo::ConvertTo<device::AuthenticatorSelectionCriteria>(
-                  options->authenticator_selection)
-            : device::AuthenticatorSelectionCriteria();
-
-    request_ = std::make_unique<device::MakeCredentialRequestHandler>(
-        connector_, protocols_,
-        CreateCtapMakeCredentialRequest(
-            ConstructClientDataHash(client_data_json_), options,
-            individual_attestation),
-        std::move(authenticator_selection_criteria),
-        base::BindOnce(&AuthenticatorImpl::OnRegisterResponse,
-                       weak_factory_.GetWeakPtr()));
+  auto authenticator_selection_criteria =
+      options->authenticator_selection
+          ? mojo::ConvertTo<device::AuthenticatorSelectionCriteria>(
+                options->authenticator_selection)
+          : device::AuthenticatorSelectionCriteria();
+
+  request_ = std::make_unique<device::MakeCredentialRequestHandler>(
+      connector_, protocols_,
+      CreateCtapMakeCredentialRequest(
+          ConstructClientDataHash(client_data_json_), options,
+          individual_attestation),
+      std::move(authenticator_selection_criteria),
+      base::BindOnce(&AuthenticatorImpl::OnRegisterResponse,
+                     weak_factory_.GetWeakPtr()),
+      base::BindOnce(&AuthenticatorImpl::MaybeCreatePlatformAuthenticator,
+                     base::Unretained(this)));
 }
 
 // mojom:Authenticator
@@ -585,7 +587,9 @@ void AuthenticatorImpl::GetAssertion(
           ConstructClientDataHash(client_data_json_), std::move(options),
           std::move(alternative_application_parameter)),
       base::BindOnce(&AuthenticatorImpl::OnSignResponse,
-                     weak_factory_.GetWeakPtr()));
+                     weak_factory_.GetWeakPtr()),
+      base::BindOnce(&AuthenticatorImpl::MaybeCreatePlatformAuthenticator,
+                     base::Unretained(this)));
 }
 
 void AuthenticatorImpl::IsUserVerifyingPlatformAuthenticatorAvailable(
@@ -804,4 +808,17 @@ void AuthenticatorImpl::Cleanup() {
   echo_appid_extension_ = false;
 }
 
+std::unique_ptr<device::FidoAuthenticator>
+AuthenticatorImpl::MaybeCreatePlatformAuthenticator() {
+#if defined(OS_MACOSX)
+  if (base::FeatureList::IsEnabled(features::kWebAuthTouchId)) {
+    if (__builtin_available(macOS 10.12.2, *)) {
+      return device::fido::mac::TouchIdAuthenticator::CreateIfAvailable(
+          request_delegate_->TouchIdAuthenticatorKeychainAccessGroup());
+    }
+  }
+#endif
+  return nullptr;
+}
+
 }  // namespace content

content/browser/webauth/authenticator_impl.h

@@ -30,6 +30,7 @@ class OneShotTimer;
 
 namespace device {
 
+class FidoAuthenticator;
 class FidoRequestHandlerBase;
 
 enum class FidoReturnCode : uint8_t;
@@ -142,6 +143,8 @@ class CONTENT_EXPORT AuthenticatorImpl : public webauth::mojom::Authenticator,
       webauth::mojom::GetAssertionAuthenticatorResponsePtr response);
   void Cleanup();
 
+  std::unique_ptr<device::FidoAuthenticator> MaybeCreatePlatformAuthenticator();
+
   RenderFrameHost* const render_frame_host_;
   service_manager::Connector* connector_ = nullptr;
   base::flat_set<device::FidoTransportProtocol> protocols_;

content/public/browser/authenticator_request_client_delegate.cc

@@ -5,6 +5,7 @@
 #include "content/public/browser/authenticator_request_client_delegate.h"
 
 #include "base/callback.h"
+#include "base/strings/string_piece.h"
 
 namespace content {
 
@@ -30,4 +31,12 @@ bool AuthenticatorRequestClientDelegate::IsFocused() {
   return true;
 }
 
+#if defined(OS_MACOSX)
+base::StringPiece
+AuthenticatorRequestClientDelegate::TouchIdAuthenticatorKeychainAccessGroup() {
+  static const char* access_group = "not-implemented";
+  return access_group;
+}
+#endif
+
 }  // namespace content

content/public/browser/authenticator_request_client_delegate.h

@@ -9,6 +9,8 @@
 
 #include "base/callback_forward.h"
 #include "base/macros.h"
+#include "base/strings/string_piece_forward.h"
+#include "build/build_config.h"
 #include "content/common/content_export.h"
 
 namespace content {
@@ -53,6 +55,15 @@ class CONTENT_EXPORT AuthenticatorRequestClientDelegate {
   // that testing is possible.
   virtual bool IsFocused();
 
+#if defined(OS_MACOSX)
+  // Returns the kechain-access-group value used for WebAuthn credentials
+  // stored in the macOS keychain by the built-in Touch ID authenticator. For
+  // more information on this, refer to |device::fido::TouchIdAuthenticator|.
+  // This method may to return empty string or some other placeholder value on
+  // platforms where |TouchIdAuthenticator| is not used.
+  virtual base::StringPiece TouchIdAuthenticatorKeychainAccessGroup();
+#endif
+
  private:
   DISALLOW_COPY_AND_ASSIGN(AuthenticatorRequestClientDelegate);
 };

device/fido/fido_request_handler.h

@@ -32,7 +32,18 @@ class FidoRequestHandler : public FidoRequestHandlerBase {
   FidoRequestHandler(service_manager::Connector* connector,
                      const base::flat_set<FidoTransportProtocol>& transports,
                      CompletionCallback completion_callback)
-      : FidoRequestHandlerBase(connector, transports),
+      : FidoRequestHandler(connector,
+                           transports,
+                           std::move(completion_callback),
+                           AddPlatformAuthenticatorCallback()) {}
+  FidoRequestHandler(
+      service_manager::Connector* connector,
+      const base::flat_set<FidoTransportProtocol>& transports,
+      CompletionCallback completion_callback,
+      AddPlatformAuthenticatorCallback add_platform_authenticator)
+      : FidoRequestHandlerBase(connector,
+                               transports,
+                               std::move(add_platform_authenticator)),
         completion_callback_(std::move(completion_callback)) {}
   ~FidoRequestHandler() override {
     if (!is_complete())

device/fido/fido_request_handler_base.cc

@@ -6,21 +6,27 @@
 
 #include <utility>
 
+#include "base/logging.h"
 #include "base/strings/string_piece.h"
 #include "build/build_config.h"
 #include "device/fido/fido_device.h"
 #include "device/fido/fido_task.h"
 #include "services/service_manager/public/cpp/connector.h"
 
-#if defined(OS_MACOSX)
-#include "device/fido/mac/authenticator.h"
-#endif
-
 namespace device {
 
 FidoRequestHandlerBase::FidoRequestHandlerBase(
     service_manager::Connector* connector,
-    const base::flat_set<FidoTransportProtocol>& transports) {
+    const base::flat_set<FidoTransportProtocol>& transports)
+    : FidoRequestHandlerBase(connector,
+                             transports,
+                             AddPlatformAuthenticatorCallback()) {}
+
+FidoRequestHandlerBase::FidoRequestHandlerBase(
+    service_manager::Connector* connector,
+    const base::flat_set<FidoTransportProtocol>& transports,
+    AddPlatformAuthenticatorCallback add_platform_authenticator)
+    : add_platform_authenticator_(std::move(add_platform_authenticator)) {
   for (const auto transport : transports) {
     // Construction of CaBleDiscovery is handled by the implementing class as it
     // requires an extension passed on from the relying party.
@@ -28,7 +34,9 @@ FidoRequestHandlerBase::FidoRequestHandlerBase(
       continue;
 
     if (transport == FidoTransportProtocol::kInternal) {
-      use_platform_authenticator_ = true;
+      // Internal authenticators are injected through
+      // AddPlatformAuthenticatorCallback.
+      NOTREACHED();
       continue;
     }
 
@@ -64,21 +72,18 @@ void FidoRequestHandlerBase::Start() {
   for (const auto& discovery : discoveries_) {
     discovery->Start();
   }
-  if (use_platform_authenticator_) {
-    MaybeAddPlatformAuthenticator();
-  }
+  MaybeAddPlatformAuthenticator();
 }
 
 void FidoRequestHandlerBase::MaybeAddPlatformAuthenticator() {
-#if defined(OS_MACOSX)
-  if (__builtin_available(macOS 10.12.2, *)) {
-    auto authenticator = fido::mac::TouchIdAuthenticator::CreateIfAvailable();
-    if (!authenticator) {
-      return;
-    }
-    AddAuthenticator(std::move(authenticator));
+  if (!add_platform_authenticator_) {
+    return;
+  }
+  auto authenticator = std::move(add_platform_authenticator_).Run();
+  if (!authenticator) {
+    return;
   }
-#endif
+  AddAuthenticator(std::move(authenticator));
 }
 
 void FidoRequestHandlerBase::DiscoveryStarted(FidoDiscovery* discovery,

device/fido/fido_request_handler_base.h

@@ -11,6 +11,7 @@
 #include <string>
 #include <vector>
 
+#include "base/callback.h"
 #include "base/component_export.h"
 #include "base/containers/flat_set.h"
 #include "base/macros.h"
@@ -39,12 +40,18 @@ class COMPONENT_EXPORT(DEVICE_FIDO) FidoRequestHandlerBase
  public:
   using AuthenticatorMap =
       std::map<std::string, std::unique_ptr<FidoAuthenticator>, std::less<>>;
+  using AddPlatformAuthenticatorCallback =
+      base::OnceCallback<std::unique_ptr<FidoAuthenticator>()>;
 
   // TODO(https://crbug.com/769631): Remove the dependency on Connector once
   // device/fido is servicified.
   FidoRequestHandlerBase(
       service_manager::Connector* connector,
       const base::flat_set<FidoTransportProtocol>& transports);
+  FidoRequestHandlerBase(
+      service_manager::Connector* connector,
+      const base::flat_set<FidoTransportProtocol>& transports,
+      AddPlatformAuthenticatorCallback add_platform_authenticator);
   ~FidoRequestHandlerBase() override;
 
   // Triggers cancellation of all per-device FidoTasks, except for the device
@@ -89,11 +96,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) FidoRequestHandlerBase
   AuthenticatorMap active_authenticators_;
   std::vector<std::unique_ptr<FidoDiscovery>> discoveries_;
 
-  // If set to true at any point before calling Start(), the request handler
-  // will try to create a platform authenticator to handle the request
-  // (currently only TouchIdAuthenticator on macOS).
-  bool use_platform_authenticator_ = false;
-
+  AddPlatformAuthenticatorCallback add_platform_authenticator_;
   DISALLOW_COPY_AND_ASSIGN(FidoRequestHandlerBase);
 };
 

device/fido/fido_request_handler_unittest.cc

@@ -96,11 +96,15 @@ class FakeFidoAuthenticator : public FidoDeviceAuthenticator {
 
 class FakeFidoRequestHandler : public FidoRequestHandler<std::vector<uint8_t>> {
  public:
-  FakeFidoRequestHandler(const base::flat_set<FidoTransportProtocol>& protocols,
-                         FakeHandlerCallback callback)
+  FakeFidoRequestHandler(
+      const base::flat_set<FidoTransportProtocol>& protocols,
+      FakeHandlerCallback callback,
+      AddPlatformAuthenticatorCallback add_platform_authenticator =
+          AddPlatformAuthenticatorCallback())
       : FidoRequestHandler(nullptr /* connector */,
                            protocols,
-                           std::move(callback)),
+                           std::move(callback),
+                           std::move(add_platform_authenticator)),
         weak_factory_(this) {
     Start();
   }
@@ -151,6 +155,15 @@ class FidoRequestHandlerTest : public ::testing::Test {
         cb_.callback());
   }
 
+  std::unique_ptr<FakeFidoRequestHandler>
+  CreateFakeHandlerWithPlatformAuthenticatorCallback(
+      FidoRequestHandlerBase::AddPlatformAuthenticatorCallback
+          add_platform_authenticator) {
+    return std::make_unique<FakeFidoRequestHandler>(
+        base::flat_set<FidoTransportProtocol>(), cb_.callback(),
+        std::move(add_platform_authenticator));
+  }
+
   test::FakeFidoDiscovery* discovery() const { return discovery_; }
   FakeHandlerCallbackReceiver& callback() { return cb_; }
 
@@ -314,4 +327,31 @@ TEST_F(FidoRequestHandlerTest, TestRequestWithMultipleFailureResponses) {
             callback().status());
 }
 
+// Requests should be dispatched to the authenticator returned from the
+// AddPlatformAuthenticatorCallback if one is passed.
+TEST_F(FidoRequestHandlerTest, TestPlatformAuthenticatorCallback) {
+  // A platform authenticator usually wouldn't usually use a FidoDevice, but
+  // that's not the point of the test here. The test is only trying to ensure
+  // the authenticator gets injected and used.
+  auto device = std::make_unique<MockFidoDevice>();
+  EXPECT_CALL(*device, GetId()).WillRepeatedly(testing::Return("device0"));
+  // Device returns success response.
+  device->ExpectRequestAndRespondWith(std::vector<uint8_t>(),
+                                      CreateFakeSuccessDeviceResponse());
+
+  FidoRequestHandlerBase::AddPlatformAuthenticatorCallback
+      make_platform_authenticator = base::BindOnce(
+          [](FidoDevice* device) -> std::unique_ptr<FidoAuthenticator> {
+            return std::make_unique<FakeFidoAuthenticator>(device);
+          },
+          device.get());
+  auto request_handler = CreateFakeHandlerWithPlatformAuthenticatorCallback(
+      std::move(make_platform_authenticator));
+
+  scoped_task_environment_.FastForwardUntilNoTasksRemain();
+  callback().WaitForCallback();
+  EXPECT_TRUE(request_handler->is_complete());
+  EXPECT_EQ(FidoReturnCode::kSuccess, callback().status());
+}
+
 }  // namespace device

device/fido/get_assertion_request_handler.cc

@@ -19,7 +19,22 @@ GetAssertionRequestHandler::GetAssertionRequestHandler(
     const base::flat_set<FidoTransportProtocol>& protocols,
     CtapGetAssertionRequest request,
     SignResponseCallback completion_callback)
-    : FidoRequestHandler(connector, protocols, std::move(completion_callback)),
+    : GetAssertionRequestHandler(connector,
+                                 protocols,
+                                 std::move(request),
+                                 std::move(completion_callback),
+                                 AddPlatformAuthenticatorCallback()) {}
+
+GetAssertionRequestHandler::GetAssertionRequestHandler(
+    service_manager::Connector* connector,
+    const base::flat_set<FidoTransportProtocol>& protocols,
+    CtapGetAssertionRequest request,
+    SignResponseCallback completion_callback,
+    AddPlatformAuthenticatorCallback add_platform_authenticator)
+    : FidoRequestHandler(connector,
+                         protocols,
+                         std::move(completion_callback),
+                         std::move(add_platform_authenticator)),
       request_(std::move(request)),
       weak_factory_(this) {
   if (base::ContainsKey(

device/fido/get_assertion_request_handler.h

@@ -37,6 +37,12 @@ class COMPONENT_EXPORT(DEVICE_FIDO) GetAssertionRequestHandler
       const base::flat_set<FidoTransportProtocol>& protocols,
       CtapGetAssertionRequest request_parameter,
       SignResponseCallback completion_callback);
+  GetAssertionRequestHandler(
+      service_manager::Connector* connector,
+      const base::flat_set<FidoTransportProtocol>& protocols,
+      CtapGetAssertionRequest request_parameter,
+      SignResponseCallback completion_callback,
+      AddPlatformAuthenticatorCallback add_platform_authenticator);
   ~GetAssertionRequestHandler() override;
 
  private:

device/fido/mac/authenticator.h

@@ -15,7 +15,8 @@ namespace device {
 namespace fido {
 namespace mac {
 
-class API_AVAILABLE(macosx(10.12.2)) TouchIdAuthenticator
+class API_AVAILABLE(macosx(10.12.2))
+    COMPONENT_EXPORT(DEVICE_FIDO) TouchIdAuthenticator
     : public FidoAuthenticator {
  public:
   // IsAvailable returns true iff Touch ID is enabled and enrolled on the
@@ -24,7 +25,8 @@ class API_AVAILABLE(macosx(10.12.2)) TouchIdAuthenticator
 
   // CreateIfAvailable returns a TouchIdAuthenticator if IsAvailable() returns
   // true and nullptr otherwise.
-  static std::unique_ptr<TouchIdAuthenticator> CreateIfAvailable();
+  static std::unique_ptr<TouchIdAuthenticator> CreateIfAvailable(
+      base::StringPiece keychain_access_group);
 
   ~TouchIdAuthenticator() override;
 
@@ -40,20 +42,19 @@ class API_AVAILABLE(macosx(10.12.2)) TouchIdAuthenticator
   std::string GetId() const override;
 
  private:
-  TouchIdAuthenticator();
+  TouchIdAuthenticator(base::StringPiece keychain_access_group);
 
   // The profile ID identifies the user profile from which the request
   // originates. It is used to scope credentials to the profile under which they
   // were created.
   base::StringPiece GetOrInitializeProfileId();
 
-  // The keychain access group is a string value related to the Apple developer
-  // ID under which the binary gets signed that the Keychain Services API use
-  // for access control. See
+  // The keychain access group under which credentials are stored in the macOS
+  // keychain for access control. The set of all access groups that the
+  // application belongs to is stored in the entitlements file that gets
+  // embedded into the application during code signing. For more information see
   // https://developer.apple.com/documentation/security/ksecattraccessgroup?language=objc.
-  base::StringPiece keychain_access_group() {
-    return "EQHXZ8M8AV.com.google.chrome.webauthn";
-  }
+  std::string keychain_access_group_;
 
   std::unique_ptr<Operation> operation_;
 

device/fido/mac/authenticator.mm

@@ -33,9 +33,11 @@ bool TouchIdAuthenticator::IsAvailable() {
 }
 
 // static
-std::unique_ptr<TouchIdAuthenticator>
-TouchIdAuthenticator::CreateIfAvailable() {
-  return IsAvailable() ? base::WrapUnique(new TouchIdAuthenticator()) : nullptr;
+std::unique_ptr<TouchIdAuthenticator> TouchIdAuthenticator::CreateIfAvailable(
+    base::StringPiece keychain_access_group) {
+  return IsAvailable()
+             ? base::WrapUnique(new TouchIdAuthenticator(keychain_access_group))
+             : nullptr;
 }
 
 TouchIdAuthenticator::~TouchIdAuthenticator() = default;
@@ -47,7 +49,7 @@ void TouchIdAuthenticator::MakeCredential(
   DCHECK(!operation_);
   operation_ = std::make_unique<MakeCredentialOperation>(
       std::move(request), GetOrInitializeProfileId().as_string(),
-      keychain_access_group().as_string(), std::move(callback));
+      keychain_access_group_, std::move(callback));
   operation_->Run();
 }
 
@@ -56,7 +58,7 @@ void TouchIdAuthenticator::GetAssertion(CtapGetAssertionRequest request,
   DCHECK(!operation_);
   operation_ = std::make_unique<GetAssertionOperation>(
       std::move(request), GetOrInitializeProfileId().as_string(),
-      keychain_access_group().as_string(), std::move(callback));
+      keychain_access_group_, std::move(callback));
   operation_->Run();
 }
 
@@ -72,7 +74,9 @@ std::string TouchIdAuthenticator::GetId() const {
   return "TouchIdAuthenticator";
 }
 
-TouchIdAuthenticator::TouchIdAuthenticator() = default;
+TouchIdAuthenticator::TouchIdAuthenticator(
+    base::StringPiece keychain_access_group)
+    : keychain_access_group_(keychain_access_group.as_string()) {}
 
 base::StringPiece TouchIdAuthenticator::GetOrInitializeProfileId() {
   // TODO(martinkr): Implement.

device/fido/make_credential_request_handler.cc

@@ -17,11 +17,28 @@ namespace device {
 MakeCredentialRequestHandler::MakeCredentialRequestHandler(
     service_manager::Connector* connector,
     const base::flat_set<FidoTransportProtocol>& protocols,
-    CtapMakeCredentialRequest request_parameter,
+    CtapMakeCredentialRequest request,
     AuthenticatorSelectionCriteria authenticator_selection_criteria,
     RegisterResponseCallback completion_callback)
-    : FidoRequestHandler(connector, protocols, std::move(completion_callback)),
-      request_parameter_(std::move(request_parameter)),
+    : MakeCredentialRequestHandler(connector,
+                                   protocols,
+                                   std::move(request),
+                                   authenticator_selection_criteria,
+                                   std::move(completion_callback),
+                                   AddPlatformAuthenticatorCallback()) {}
+
+MakeCredentialRequestHandler::MakeCredentialRequestHandler(
+    service_manager::Connector* connector,
+    const base::flat_set<FidoTransportProtocol>& protocols,
+    CtapMakeCredentialRequest request,
+    AuthenticatorSelectionCriteria authenticator_selection_criteria,
+    RegisterResponseCallback completion_callback,
+    AddPlatformAuthenticatorCallback add_platform_authenticator)
+    : FidoRequestHandler(connector,
+                         protocols,
+                         std::move(completion_callback),
+                         std::move(add_platform_authenticator)),
+      request_parameter_(std::move(request)),
       authenticator_selection_criteria_(
           std::move(authenticator_selection_criteria)),
       weak_factory_(this) {

device/fido/make_credential_request_handler.h

@@ -39,6 +39,13 @@ class COMPONENT_EXPORT(DEVICE_FIDO) MakeCredentialRequestHandler
       CtapMakeCredentialRequest request_parameter,
       AuthenticatorSelectionCriteria authenticator_criteria,
       RegisterResponseCallback completion_callback);
+  MakeCredentialRequestHandler(
+      service_manager::Connector* connector,
+      const base::flat_set<FidoTransportProtocol>& protocols,
+      CtapMakeCredentialRequest request_parameter,
+      AuthenticatorSelectionCriteria authenticator_criteria,
+      RegisterResponseCallback completion_callback,
+      AddPlatformAuthenticatorCallback add_platform_authenticator);
   ~MakeCredentialRequestHandler() override;
 
  private: