fido/win: work around a bug in Windows' handling of CTAP1 devices

The Windows WebAuthNGetAssertion API call allows setting the allow list parameter via two separate fields/types: `WEBAUTHN_CREDENTIALS CredentialList` and `PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList`. The latter is newer and allows setting transport restrictions on each credential descriptor. However, using it appears to prevent GetAssertion from falling back to the CTAP1 device protocol in cases where (a) the authenticator does not speak CTAP2, or (b) it speaks CTAP1 and CTAP2 but the credential was created via CTAP1. This change works around the issue by using the older field instead. WebAuthNMakeCredential does not seem to suffer from the same issue and reliably sticks to U2F if the authenticator is CTAP1-only or dwAuthenticatorAttachment is WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2. Hence, nothing changes for it. Bug: 898718 Change-Id: I5e06cd48a3dd424b4763753d8e4d41d8c6680c68 Reviewed-on: https://chromium-review.googlesource.com/c/1357621 Commit-Queue: Martin Kreichgauer <martinkr@chromium.org> Reviewed-by: Adam Langley <agl@chromium.org> Cr-Commit-Position: refs/heads/master@{#613248}

fido/win: work around a bug in Windows' handling of CTAP1 devices
The Windows WebAuthNGetAssertion API call allows setting the allow list parameter via two separate fields/types: `WEBAUTHN_CREDENTIALS CredentialList` and `PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList`. The latter is newer and allows setting transport restrictions on each credential descriptor. However, using it appears to prevent GetAssertion from falling back to the CTAP1 device protocol in cases where (a) the authenticator does not speak CTAP2, or (b) it speaks CTAP1 and CTAP2 but the credential was created via CTAP1. This change works around the issue by using the older field instead. WebAuthNMakeCredential does not seem to suffer from the same issue and reliably sticks to U2F if the authenticator is CTAP1-only or dwAuthenticatorAttachment is WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2. Hence, nothing changes for it. Bug: 898718 Change-Id: I5e06cd48a3dd424b4763753d8e4d41d8c6680c68 Reviewed-on: https://chromium-review.googlesource.com/c/1357621 Commit-Queue: Martin Kreichgauer <martinkr@chromium.org> Reviewed-by: Adam Langley <agl@chromium.org> Cr-Commit-Position: refs/heads/master@{#613248}
f1b46d7a · Martin Kreichgauer · Commit Bot · 05fed45d · f1b46d7a · f1b46d7a
Commit f1b46d7a authored Dec 03, 2018 by Martin Kreichgauer Committed by Commit Bot Dec 03, 2018
3 changed files
--- a/device/fido/win/type_conversions.cc
+++ b/device/fido/win/type_conversions.cc
@@ -133,18 +133,38 @@ static uint32_t ToWinTransportsMask(
  return result;
 }

-std::vector<WEBAUTHN_CREDENTIAL_EX> ToWinCredentialExVector(
+std::vector<WEBAUTHN_CREDENTIAL> ToWinCredentialVector(
    const base::Optional<std::vector<PublicKeyCredentialDescriptor>>&
        credentials) {
-  std::vector<WEBAUTHN_CREDENTIAL_EX> result;
  if (!credentials) {
    return {};
  }
+  std::vector<WEBAUTHN_CREDENTIAL> result;
  for (const auto& credential : *credentials) {
    if (credential.credential_type() != CredentialType::kPublicKey) {
      continue;
    }
+    result.push_back(WEBAUTHN_CREDENTIAL{
+        WEBAUTHN_CREDENTIAL_CURRENT_VERSION,
+        credential.id().size(),
+        const_cast<unsigned char*>(credential.id().data()),
+        WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY,
+    });
+  }
+  return result;
+}

+std::vector<WEBAUTHN_CREDENTIAL_EX> ToWinCredentialExVector(
+    const base::Optional<std::vector<PublicKeyCredentialDescriptor>>&
+        credentials) {
+  if (!credentials) {
+    return {};
+  }
+  std::vector<WEBAUTHN_CREDENTIAL_EX> result;
+  for (const auto& credential : *credentials) {
+    if (credential.credential_type() != CredentialType::kPublicKey) {
+      continue;
+    }
    result.push_back(WEBAUTHN_CREDENTIAL_EX{
        WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION, credential.id().size(),
        const_cast<unsigned char*>(credential.id().data()),

--- a/device/fido/win/type_conversions.h
+++ b/device/fido/win/type_conversions.h
@@ -36,7 +36,12 @@ uint32_t ToWinAuthenticatorAttachment(
    AuthenticatorAttachment authenticator_attachment);

 COMPONENT_EXPORT(DEVICE_FIDO)
-std::vector<_WEBAUTHN_CREDENTIAL_EX> ToWinCredentialExVector(
+std::vector<WEBAUTHN_CREDENTIAL> ToWinCredentialVector(
+    const base::Optional<std::vector<PublicKeyCredentialDescriptor>>&
+        credentials);
+
+COMPONENT_EXPORT(DEVICE_FIDO)
+std::vector<WEBAUTHN_CREDENTIAL_EX> ToWinCredentialExVector(
    const base::Optional<std::vector<PublicKeyCredentialDescriptor>>&
        credentials);


--- a/device/fido/win/webauthn_api.cc
+++ b/device/fido/win/webauthn_api.cc
@@ -237,11 +237,15 @@ class WinWebAuthnApiImpl : public WinWebAuthnApi {
    }
    options.pCancellationId = &cancellation_id;

-    auto allow_list_credentials = ToWinCredentialExVector(allow_list);
-    auto* allow_list_ptr = allow_list_credentials.data();
-    WEBAUTHN_CREDENTIAL_LIST credential_list{allow_list_credentials.size(),
-                                             &allow_list_ptr};
-    options.pAllowCredentialList = &credential_list;
+    // As of Nov 2018, the WebAuthNAuthenticatorGetAssertion method will fail
+    // to challenge credentials via CTAP1 if the allowList is passed in the
+    // extended form in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS (i.e.
+    // pAllowCredentialList instead of CredentialList). The older field we
+    // use here as a work-around does not allow setting transport
+    // restrictions on the credential descriptor.
+    auto credentials = ToWinCredentialVector(allow_list);
+    options.CredentialList =
+        WEBAUTHN_CREDENTIALS{credentials.size(), credentials.data()};

    WEBAUTHN_CLIENT_DATA client_data{
        WEBAUTHN_CLIENT_DATA_CURRENT_VERSION, client_data_json.size(),