Issue 898233

Issue metadata

Status: Fixed
Closed: Oct 30
Pri: 2
Type: Feature



Return an AAGUID for platform authenticators

Project Member Reported by martinkr@google.com, Oct 23

Issue description

We want to make the following changes to AAGUID handling of platform authenticators:

- AttestedCredentialData for platform authenticators may include an AAGUID, even if no attestation statement is requested/returned
- Touch ID should get its non-zero AAGUID back
 
Project Member

Comment 1 by bugdroid1@chromium.org, Oct 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2c9e535f42f689db377ff26a351eec5b834d43ea

commit 2c9e535f42f689db377ff26a351eec5b834d43ea
Author: Martin Kreichgauer <martinkr@google.com>
Date: Tue Oct 30 23:28:53 2018

fido: changes to attestation handling for platform authenticators

This changes AuthenticatorImpl to not erase the AAGUID from attestation
statements (but do erase the attestation object) whenever the request
was handled by a platform authenticator and
attestationConveyancePreference = "none".

Further, the TouchIdAuthenticator gets back its non-zero AAGUID that was
erased in 73a4f93cf24731ce084bbb7acddd72b740cc5376. Note that this means
TouchIdAuthenticator no longer performs "true" Self Attestation in the
sense of the WebAuthn spec or
AuthenticatorMakeCredentialResponse::IsSelfAttestation.

Hence, the existing behavior that self-attestation statements never get
erased, even if attestationConveyancePreference = "none", no longer
applies to Touch ID. Instead the new behavior applies, i.e. the
attestation object is erased but not the AAGUID.

Bug: 898233
Change-Id: I79f7957679c661a6d3b0fb54a3a48163b387d764
Reviewed-on: https://chromium-review.googlesource.com/c/1300687
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: Kim Paulhamus <kpaulhamus@chromium.org>
Reviewed-by: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#604055}
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/content/browser/webauth/authenticator_impl.cc
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/content/browser/webauth/authenticator_impl_unittest.cc
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/attestation_object.cc
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/attestation_object.h
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/authenticator_make_credential_response.cc
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/authenticator_make_credential_response.h
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/ctap_response_fuzzer.cc
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/ctap_response_unittest.cc
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/mac/util.mm
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/virtual_fido_device.cc
[modify] https://crrev.com/2c9e535f42f689db377ff26a351eec5b834d43ea/device/fido/virtual_fido_device.h

Status: Fixed (was: Assigned)
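
A stand-alone model of the attestationConveyancePreference = "none" handling described in the commit message above, added here as an illustration and not taken from the Chromium change. The type and function names are hypothetical, and two points are assumptions: that the platform-authenticator check takes precedence over the self-attestation check, and that other authenticators have the AAGUID zeroed along with the statement.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// authData: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) if AT flag set | ...
constexpr std::size_t kAaguidOffset = 37, kAaguidLen = 16;
constexpr std::uint8_t kFlagAT = 0x40;

struct AttestationModel {  // hypothetical type, not a Chromium class
  std::string fmt;         // "packed", "none", ...
  bool has_x5c;            // attStmt carries a certificate chain
  std::vector<std::uint8_t> auth_data;
};

bool HasAaguid(const AttestationModel& a) {
  return a.auth_data.size() >= kAaguidOffset + kAaguidLen &&
         (a.auth_data[32] & kFlagAT) != 0;
}

bool AaguidIsZero(const AttestationModel& a) {  // a missing AAGUID counts as zero
  if (!HasAaguid(a)) return true;
  auto first = a.auth_data.begin() + kAaguidOffset;
  return std::all_of(first, first + kAaguidLen, [](std::uint8_t b) { return b == 0; });
}

// "True" self attestation: packed format, no x5c, all-zero AAGUID.
bool IsSelfAttestation(const AttestationModel& a) {
  return a.fmt == "packed" && !a.has_x5c && AaguidIsZero(a);
}

// Handling for attestationConveyancePreference = "none". Assumption: the
// platform-authenticator check takes precedence over the self-attestation check.
AttestationModel ApplyNonePreference(AttestationModel a, bool platform) {
  if (!platform && IsSelfAttestation(a)) return a;  // left untouched
  a.fmt = "none"; a.has_x5c = false;                // attestation statement erased
  if (!platform && HasAaguid(a))                    // assumed: AAGUID erased otherwise
    std::fill_n(a.auth_data.begin() + kAaguidOffset, kAaguidLen, 0);
  return a;
}

// Constructed sample: packed, no x5c, AT flag set, AAGUID filled with one byte value.
AttestationModel SampleWithAaguid(std::uint8_t aaguid_byte) {
  AttestationModel a{"packed", false, std::vector<std::uint8_t>(kAaguidOffset + kAaguidLen, 0)};
  a.auth_data[32] = kFlagAT;
  std::fill_n(a.auth_data.begin() + kAaguidOffset, kAaguidLen, aaguid_byte);
  return a;
}
```

A relying party that uses the AAGUID for policy decisions should keep in mind that with fmt "none" the value arrives without an attestation signature backing it.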
