Replace hard-coded attachment modality

Author: msirringhaus

webext/add-on/content.js

@@ -35,8 +35,7 @@ async function cloneCredentialResponse(credential) {
         const obj = {}
         obj.id = credential.id;
         obj.rawId = cloneInto(Uint8Array.fromBase64(credential.rawId, options), obj)
-        // TODO: get authenticator attachment
-        obj.authenticatorAttachment = undefined
+        obj.authenticatorAttachment = credential.authenticatorAttachment;
         const response = {}
         // credential registration response
         if (credential.response.attestationObject) {

xyz-iinuwa-credential-manager-portal-gtk/src/credential_service/mod.rs

@@ -22,7 +22,10 @@ use tokio::runtime::Runtime;
 use tracing::{debug, warn};
 
 use crate::{
-    dbus::{CredentialRequest, CredentialResponse, MakeCredentialResponseInternal},
+    dbus::{
+        CredentialRequest, CredentialResponse, GetAssertionResponseInternal,
+        MakeCredentialResponseInternal,
+    },
     view_model::{Device, InternalPinState, Transport},
 };
 
@@ -203,7 +206,8 @@ impl CredentialService {
                                     CredentialResponse::CreatePublicKeyCredentialResponse(
                                         MakeCredentialResponseInternal::new(
                                             r,
-                                            vec![String::from("usb"), String::from("usb")],
+                                            vec![String::from("usb")],
+                                            String::from("cross-platform"),
                                         ),
                                     ),
                                 );
@@ -216,7 +220,10 @@ impl CredentialService {
                                     let mut cred_response = self.cred_response.lock().unwrap();
                                     cred_response.replace(
                                         CredentialResponse::GetPublicKeyCredentialResponse(
-                                            r.assertions[0].clone(),
+                                            GetAssertionResponseInternal::new(
+                                                r.assertions[0].clone(),
+                                                String::from("cross-platform"),
+                                            ),
                                         ),
                                     );
                                     Ok(UsbState::Completed)
@@ -257,6 +264,7 @@ impl CredentialService {
                                         MakeCredentialResponseInternal::new(
                                             r,
                                             vec![String::from("usb")],
+                                            String::from("cross-platform"),
                                         ),
                                     ),
                                 );
@@ -269,7 +277,10 @@ impl CredentialService {
                                     let mut cred_response = self.cred_response.lock().unwrap();
                                     cred_response.replace(
                                         CredentialResponse::GetPublicKeyCredentialResponse(
-                                            r.assertions[0].clone(),
+                                            GetAssertionResponseInternal::new(
+                                                r.assertions[0].clone(),
+                                                String::from("cross-platform"),
+                                            ),
                                         ),
                                     );
                                     Ok(UsbState::Completed)

xyz-iinuwa-credential-manager-portal-gtk/src/dbus.rs

@@ -291,20 +291,41 @@ pub(crate) enum CredentialRequest {
 #[derive(Clone, Debug)]
 pub(crate) enum CredentialResponse {
     CreatePublicKeyCredentialResponse(MakeCredentialResponseInternal),
-    GetPublicKeyCredentialResponse(Assertion),
+    GetPublicKeyCredentialResponse(GetAssertionResponseInternal),
 }
 
 #[derive(Clone, Debug)]
 pub(crate) struct MakeCredentialResponseInternal {
     ctap: MakeCredentialResponse,
     transport: Vec<String>,
+    attachment_modality: String,
 }
 
 impl MakeCredentialResponseInternal {
-    pub(crate) fn new(response: MakeCredentialResponse, transport: Vec<String>) -> Self {
+    pub(crate) fn new(
+        response: MakeCredentialResponse,
+        transport: Vec<String>,
+        attachment_modality: String,
+    ) -> Self {
         Self {
             ctap: response,
             transport,
+            attachment_modality,
+        }
+    }
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct GetAssertionResponseInternal {
+    ctap: Assertion,
+    attachment_modality: String,
+}
+
+impl GetAssertionResponseInternal {
+    pub(crate) fn new(ctap: Assertion, attachment_modality: String) -> Self {
+        Self {
+            ctap,
+            attachment_modality,
         }
     }
 }
@@ -516,6 +537,7 @@ impl CreatePublicKeyCredentialResponse {
             client_data_json,
             Some(response.transport.clone()),
             None,
+            response.attachment_modality.clone(),
         )
         .to_json();
         let response = CreatePublicKeyCredentialResponse {
@@ -678,10 +700,10 @@ pub struct GetPublicKeyCredentialRequest {
 
 impl GetPublicKeyCredentialResponse {
     fn try_from_ctap2_response(
-        response: &Assertion,
+        response: &GetAssertionResponseInternal,
         client_data_json: String,
     ) -> std::result::Result<Self, fdo::Error> {
-        let auth_data = &response.authenticator_data;
+        let auth_data = &response.ctap.authenticator_data;
         let attested_credential_data = match &auth_data.attested_credential {
             None => None,
             Some(att) => {
@@ -719,12 +741,14 @@ impl GetPublicKeyCredentialResponse {
         let authentication_response_json = webauthn::GetPublicKeyCredentialResponse::new(
             client_data_json,
             response
+                .ctap
                 .credential_id
                 .as_ref()
                 .map(|c| c.id.clone().into_vec()),
             authenticator_data_blob,
-            response.signature.clone(),
-            response.user.as_ref().map(|u| u.id.clone().into_vec()),
+            response.ctap.signature.clone(),
+            response.ctap.user.as_ref().map(|u| u.id.clone().into_vec()),
+            response.attachment_modality.clone(),
         )
         .to_json();
         let response = GetPublicKeyCredentialResponse {

xyz-iinuwa-credential-manager-portal-gtk/src/platform_authenticator/mod.rs

@@ -378,6 +378,7 @@ pub(crate) fn make_credential(
         client_data_json,
         None,
         None,
+        String::from("platform"),
     );
     Ok((response, credential_source))
 }
@@ -548,6 +549,7 @@ fn get_credential(
         // selectedCredential.userHandle
         // Note: In cases where allowCredentialDescriptorList was supplied the returned userHandle value may be null, see: userHandleResult.
         user_handle: selected_credential.user_handle.clone(),
+        attachment_modality: String::from("platform"),
     };
     Ok(response)
     // If the authenticator cannot find any credential corresponding to the specified Relying Party that matches the specified criteria, it terminates the operation and returns an error.

xyz-iinuwa-credential-manager-portal-gtk/src/webauthn.rs

@@ -438,6 +438,9 @@ pub struct CreatePublicKeyCredentialResponse {
 
     /// JSON string of extension output
     extensions: Option<String>,
+
+    /// If the device used is builtin ("platform") or removable ("cross-platform", aka "roaming")
+    attachment_modality: String,
 }
 
 /// Returned from a creation of a new public key credential.
@@ -473,6 +476,7 @@ impl CreatePublicKeyCredentialResponse {
         client_data_json: String,
         transports: Option<Vec<String>>,
         extension_output_json: Option<String>,
+        attachment_modality: String,
     ) -> Self {
         Self {
             cred_type: "public-key".to_string(),
@@ -484,6 +488,7 @@ impl CreatePublicKeyCredentialResponse {
                 authenticator_data,
             },
             extensions: extension_output_json,
+            attachment_modality,
         }
     }
 
@@ -500,7 +505,8 @@ impl CreatePublicKeyCredentialResponse {
         let mut output = json!({
             "id": self.get_id(),
             "rawId": self.get_id(),
-            "response": response
+            "response": response,
+            "authenticatorAttachment": self.attachment_modality,
         });
         if let Some(extensions) = &self.extensions {
             let extension_value =
@@ -534,17 +540,29 @@ pub struct GetPublicKeyCredentialResponse {
     /// created. This item is nullable, however user handle MUST always be
     /// populated for discoverable credentials.
     pub(crate) user_handle: Option<Vec<u8>>,
+
+    /// Whether the used device is "cross-platform" (aka "roaming", i.e.: can be
+    /// removed from the platform) or is built-in ("platform").
+    pub(crate) attachment_modality: String,
 }
 
 impl GetPublicKeyCredentialResponse {
-    pub(crate) fn new(client_data_json: String, id: Option<Vec<u8>>, authenticator_data: Vec<u8>, signature: Vec<u8>, user_handle: Option<Vec<u8>>) -> Self {
+    pub(crate) fn new(
+        client_data_json: String,
+        id: Option<Vec<u8>>,
+        authenticator_data: Vec<u8>,
+        signature: Vec<u8>,
+        user_handle: Option<Vec<u8>>,
+        attachment_modality: String,
+    ) -> Self {
         Self {
             cred_type: "public-key".to_string(),
             client_data_json,
             raw_id: id,
             authenticator_data,
             signature,
             user_handle,
+            attachment_modality,
         }
     }
     pub fn to_json(&self) -> String {
@@ -560,12 +578,10 @@ impl GetPublicKeyCredentialResponse {
         // This means we'll have to remember the ID on the request if the allow-list has exactly one
         // credential descriptor, then we'll need. This should probably be done in libwebauthn.
         let id = self.raw_id.as_ref().map(|id| URL_SAFE_NO_PAD.encode(id));
-        // TODO: Fix for platorm authenticator
-        let attachment = "cross-platform";
         let output = json!({
             "id": id,
             "rawId": id,
-            "authenticatorAttachment": attachment,
+            "authenticatorAttachment": self.attachment_modality,
             "response": response
         });
         // TODO: support client extensions