fido: Implement SupportsEpAtt for CrOS authenticator

Currently CrOS authenticator doesn't override the SupportsEnterpriseAttestation method, so it always returns false. Under this condition Chrome will never send a request with attestation preference = "enterprise". The CrOS authenticator actually supports enterprise attestation when U2F/G2F mode is enabled, which is determined by policy and device capability. Check whether U2F mode is enabled when initializing the authenticator and cache the result, and returns it in SupportsEnterpriseAttestation. Bug: b:226453823, 1328415 Test: manual test along with daemon side changes that a MakeCredential request that wants enterprise attestation will get a valid G2F cert instead of a software generated cert. Test: CQ (cherry picked from commit 7c4abaf) Change-Id: I33804907e7ce48534a553200d7a27c0fad222d52 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3659142 Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Adam Langley <agl@chromium.org> Reviewed-by: Martin Kreichgauer <martinkr@google.com> Cr-Original-Commit-Position: refs/heads/main@{#1006584} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3685870 Auto-Submit: Howard Yang <hcyang@google.com> Cr-Commit-Position: refs/branch-heads/5060@{#492} Cr-Branched-From: b83393d-refs/heads/main@{#1002911}
chromium · Jun 2, 2022 · f6514de · f6514de
1 parent 2053302
commit f6514de
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/device/fido/cros/authenticator.cc b/device/fido/cros/authenticator.cc
@@ -9,6 +9,7 @@
 #include <utility>
 #include <vector>
 
+#include "base/barrier_closure.h"
 #include "base/bind.h"
 #include "base/containers/span.h"
 #include "base/strings/string_number_conversions.h"
@@ -74,10 +75,16 @@ ChromeOSAuthenticator::AuthenticatorTransport() const {
 
 void ChromeOSAuthenticator::InitializeAuthenticator(
     base::OnceClosure callback) {
+  auto barrier = base::BarrierClosure(2, std::move(callback));
+
   u2f::GetAlgorithmsRequest request;
   chromeos::U2FClient::Get()->GetAlgorithms(
       request, base::BindOnce(&ChromeOSAuthenticator::OnGetAlgorithmsResponse,
-                              weak_factory_.GetWeakPtr(), std::move(callback)));
+                              weak_factory_.GetWeakPtr(), barrier));
+
+  IsPowerButtonModeEnabled(
+      base::BindOnce(&ChromeOSAuthenticator::OnIsPowerButtonModeEnabled,
+                     weak_factory_.GetWeakPtr(), barrier));
 }
 
 void ChromeOSAuthenticator::OnGetAlgorithmsResponse(
@@ -99,6 +106,13 @@ void ChromeOSAuthenticator::OnGetAlgorithmsResponse(
   std::move(callback).Run();
 }
 
+void ChromeOSAuthenticator::OnIsPowerButtonModeEnabled(
+    base::OnceClosure callback,
+    bool enabled) {
+  u2f_enabled_ = enabled;
+  std::move(callback).Run();
+}
+
 absl::optional<base::span<const int32_t>>
 ChromeOSAuthenticator::GetAlgorithms() {
   if (supported_algorithms_) {
@@ -438,6 +452,12 @@ bool ChromeOSAuthenticator::RequiresBlePairingPin() const {
   return false;
 }
 
+bool ChromeOSAuthenticator::SupportsEnterpriseAttestation() const {
+  // Enterprise attestation is enabled in the authenticator if its U2F/G2F mode
+  // is enabled.
+  return u2f_enabled_;
+}
+
 base::WeakPtr<FidoAuthenticator> ChromeOSAuthenticator::GetWeakPtr() {
   return weak_factory_.GetWeakPtr();
 }

diff --git a/device/fido/cros/authenticator.h b/device/fido/cros/authenticator.h
@@ -91,16 +91,20 @@ class COMPONENT_EXPORT(DEVICE_FIDO) ChromeOSAuthenticator
   bool IsInPairingMode() const override;
   bool IsPaired() const override;
   bool RequiresBlePairingPin() const override;
+  bool SupportsEnterpriseAttestation() const override;
 
   void GetTouch(base::OnceClosure callback) override {}
   base::WeakPtr<FidoAuthenticator> GetWeakPtr() override;
 
  private:
-  // Cache the supported algorithms in response, and run the completion callback
+  // Cache the supported algorithms in response, and run the barrier callback
   // of `InitializeAuthenticator`.
   void OnGetAlgorithmsResponse(
       base::OnceClosure callback,
       absl::optional<u2f::GetAlgorithmsResponse> response);
+  // Cache whether power button is enabled, and run the barrier callback
+  // of `InitializeAuthenticator`.
+  void OnIsPowerButtonModeEnabled(base::OnceClosure callback, bool enabled);
   void OnMakeCredentialResponse(
       CtapMakeCredentialRequest request,
       MakeCredentialCallback callback,
@@ -122,6 +126,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) ChromeOSAuthenticator
   base::RepeatingCallback<std::string()> generate_request_id_callback_;
   const Config config_;
   absl::optional<std::vector<int32_t>> supported_algorithms_;
+  bool u2f_enabled_ = false;
   base::WeakPtrFactory<ChromeOSAuthenticator> weak_factory_;
 };