Update cryptotoken to 0.8.63

chrome/browser/resources/cryptotoken/enroller.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /**
  * @fileoverview Handles web page requests for gnubby enrollment.
  */
 
 'use strict';
 
@@ skipping 65 matching lines @@
     var responseData =
         makeEnrollResponseData(enrollChallenge, u2fVersion,
             'registrationData', info, 'clientData', browserData);
     var response = makeU2fSuccessResponse(request, responseData);
     sendResponseOnce(sentResponse, closeable, response, sendResponse);
   }
 
   closeable =
       validateAndBeginEnrollRequest(
           sender, request, 'registerRequests', 'signRequests',
-          sendErrorResponse, sendSuccessResponse);
+          sendErrorResponse, sendSuccessResponse, 'registeredKeys');
   return closeable;
 }
 
 /**
  * Validates an enroll request using the given parameters, and, if valid, begins
- * handling the enroll request.
+ * handling the enroll request. (The enroll request may be modified as a result
+ * of handling it.)
  * @param {MessageSender} sender The sender of the message.
  * @param {Object} request The web page's enroll request.
  * @param {string} enrollChallengesName The name of the enroll challenges value
  *     in the request.
  * @param {string} signChallengesName The name of the sign challenges value in
  *     the request.
  * @param {function(ErrorCodes)} errorCb Error callback.
  * @param {function(string, string, (string|undefined))} successCb Success
  *     callback.
+ * @param {string=} opt_registeredKeysName The name of the registered keys
+ *     value in the request.
  * @return {Closeable} Request handler that should be closed when the browser
  *     message channel is closed.
  */
 function validateAndBeginEnrollRequest(sender, request,
-    enrollChallengesName, signChallengesName, errorCb, successCb) {
+    enrollChallengesName, signChallengesName, errorCb, successCb,
+    opt_registeredKeysName) {
   var origin = getOriginFromUrl(/** @type {string} */ (sender.url));
   if (!origin) {
     errorCb(ErrorCodes.BAD_REQUEST);
     return null;
   }
 
   if (!isValidEnrollRequest(request, enrollChallengesName,
-      signChallengesName)) {
+      signChallengesName, opt_registeredKeysName)) {
     errorCb(ErrorCodes.BAD_REQUEST);
     return null;
   }
 
   var enrollChallenges = request[enrollChallengesName];
-  var signChallenges = request[signChallengesName];
+  var signChallenges;
+  if (opt_registeredKeysName &&
+      request.hasOwnProperty(opt_registeredKeysName)) {
+    // Convert registered keys to sign challenges by adding a challenge value.
+    signChallenges = request[opt_registeredKeysName];
+    for (var i = 0; i < signChallenges.length; i++) {
+      // The actual value doesn't matter, as long as it's a string.
+      signChallenges[i]['challenge'] = '';
+    }
+  } else {
+    signChallenges = request[signChallengesName];
+  }
   var logMsgUrl = request['logMsgUrl'];
 
   var timer = createTimerForRequest(
       FACTORY_REGISTRY.getCountdownFactory(), request);
   var enroller = new Enroller(timer, origin, errorCb, successCb,
       sender.tlsChannelId, logMsgUrl);
-  enroller.doEnroll(enrollChallenges, signChallenges);
+  enroller.doEnroll(enrollChallenges, signChallenges, request['appId']);
   return /** @type {Closeable} */ (enroller);
 }
 
 /**
  * Returns whether the request appears to be a valid enroll request.
  * @param {Object} request The request.
  * @param {string} enrollChallengesName The name of the enroll challenges value
  *     in the request.
  * @param {string} signChallengesName The name of the sign challenges value in
  *     the request.
+ * @param {string=} opt_registeredKeysName The name of the registered keys
+ *     value in the request.
  * @return {boolean} Whether the request appears valid.
  */
 function isValidEnrollRequest(request, enrollChallengesName,
-    signChallengesName) {
+    signChallengesName, opt_registeredKeysName) {
   if (!request.hasOwnProperty(enrollChallengesName))
     return false;
   var enrollChallenges = request[enrollChallengesName];
   if (!enrollChallenges.length)
     return false;
-  if (!isValidEnrollChallengeArray(enrollChallenges))
+  var hasAppId = request.hasOwnProperty('appId');
+  if (!isValidEnrollChallengeArray(enrollChallenges, !hasAppId))
     return false;
   var signChallenges = request[signChallengesName];
   // A missing sign challenge array is ok, in the case the user is not already
   // enrolled.
-  if (signChallenges && !isValidSignChallengeArray(signChallenges))
+  if (signChallenges && !isValidSignChallengeArray(signChallenges, !hasAppId))
     return false;
+  if (opt_registeredKeysName) {
+    var registeredKeys = request[opt_registeredKeysName];
+    if (registeredKeys &&
+        !isValidRegisteredKeyArray(registeredKeys, !hasAppId)) {
+      return false;
+    }
+  }
   return true;
 }
 
 /**
  * @typedef {{
  *   version: (string|undefined),
  *   challenge: string,
  *   appId: string
  * }}
  */
 var EnrollChallenge;
 
 /**
  * @param {Array.<EnrollChallenge>} enrollChallenges The enroll challenges to
  *     validate.
+ * @param {boolean} appIdRequired Whether the appId property is required on
+ *     each challenge.
  * @return {boolean} Whether the given array of challenges is a valid enroll
  *     challenges array.
  */
-function isValidEnrollChallengeArray(enrollChallenges) {
+function isValidEnrollChallengeArray(enrollChallenges, appIdRequired) {
   var seenVersions = {};
   for (var i = 0; i < enrollChallenges.length; i++) {
     var enrollChallenge = enrollChallenges[i];
     var version = enrollChallenge['version'];
     if (!version) {
       // Version is implicitly V1 if not specified.
       version = 'U2F_V1';
     }
     if (version != 'U2F_V1' && version != 'U2F_V2') {
       return false;
     }
     if (seenVersions[version]) {
       // Each version can appear at most once.
       return false;
     }
     seenVersions[version] = version;
-    if (!enrollChallenge['appId']) {
+    if (appIdRequired && !enrollChallenge['appId']) {
       return false;
     }
     if (!enrollChallenge['challenge']) {
       // The challenge is required.
       return false;
     }
   }
   return true;
 }
 
@@ skipping 93 matching lines @@
 /**
  * Default timeout value in case the caller never provides a valid timeout.
  */
 Enroller.DEFAULT_TIMEOUT_MILLIS = 30 * 1000;
 
 /**
  * Performs an enroll request with the given enroll and sign challenges.
  * @param {Array.<EnrollChallenge>} enrollChallenges A set of enroll challenges.
  * @param {Array.<SignChallenge>} signChallenges A set of sign challenges for
  *     existing enrollments for this user and appId.
+ * @param {string=} opt_appId The app id for the entire request.
  */
-Enroller.prototype.doEnroll = function(enrollChallenges, signChallenges) {
-  var encodedEnrollChallenges = this.encodeEnrollChallenges_(enrollChallenges);
-  var encodedSignChallenges = encodeSignChallenges(signChallenges);
+Enroller.prototype.doEnroll = function(enrollChallenges, signChallenges,
+    opt_appId) {
+  var encodedEnrollChallenges =
+      this.encodeEnrollChallenges_(enrollChallenges, opt_appId);
+  var encodedSignChallenges = encodeSignChallenges(signChallenges, opt_appId);
   var request = {
     type: 'enroll_helper_request',
     enrollChallenges: encodedEnrollChallenges,
     signData: encodedSignChallenges,
     logMsgUrl: this.logMsgUrl_
   };
   if (!this.timer_.expired()) {
     request.timeout = this.timer_.millisecondsUntilExpired() / 1000.0;
     request.timeoutSeconds = this.timer_.millisecondsUntilExpired() / 1000.0;
   }
 
   // Begin fetching/checking the app ids.
   var enrollAppIds = [];
+  if (opt_appId) {
+    enrollAppIds.push(opt_appId);
+  }
   for (var i = 0; i < enrollChallenges.length; i++) {
-    enrollAppIds.push(enrollChallenges[i]['appId']);
+    if (enrollChallenges[i].hasOwnProperty('appId')) {
+      enrollAppIds.push(enrollChallenges[i]['appId']);
+    }
+  }
+  // Sanity check
+  if (!enrollAppIds.length) {
+    console.warn(UTIL_fmt('empty enroll app ids?'));
+    this.notifyError_(ErrorCodes.BAD_REQUEST);
+    return;
   }
   var self = this;
   this.checkAppIds_(enrollAppIds, signChallenges, function(result) {
     if (result) {
       self.handler_ = FACTORY_REGISTRY.getRequestHelper().getHandler(request);
       if (self.handler_) {
         var helperComplete =
             /** @type {function(HelperReply)} */
             (self.helperComplete_.bind(self));
         self.handler_.run(helperComplete);
       } else {
         self.notifyError_(ErrorCodes.OTHER_ERROR);
       }
     } else {
       self.notifyError_(ErrorCodes.BAD_REQUEST);
     }
   });
 };
 
 /**
  * Encodes the enroll challenge as an enroll helper challenge.
  * @param {EnrollChallenge} enrollChallenge The enroll challenge to encode.
+ * @param {string=} opt_appId The app id for the entire request.
  * @return {EnrollHelperChallenge} The encoded challenge.
  * @private
  */
-Enroller.encodeEnrollChallenge_ = function(enrollChallenge) {
+Enroller.encodeEnrollChallenge_ = function(enrollChallenge, opt_appId) {
   var encodedChallenge = {};
   var version;
   if (enrollChallenge['version']) {
     version = enrollChallenge['version'];
   } else {
     // Version is implicitly V1 if not specified.
     version = 'U2F_V1';
   }
   encodedChallenge['version'] = version;
+  // TODO: remove once external helpers look for challengeHash
   encodedChallenge['challenge'] = enrollChallenge['challenge'];
-  encodedChallenge['appIdHash'] =
-      B64_encode(sha256HashOfString(enrollChallenge['appId']));
+  encodedChallenge['challengeHash'] = enrollChallenge['challenge'];
+  var appId;
+  if (enrollChallenge['appId']) {
+    appId = enrollChallenge['appId'];
+  } else {
+    appId = opt_appId;
+  }
+  if (!appId) {
+    // Sanity check. (Other code should fail if it's not set.)
+    console.warn(UTIL_fmt('No appId?'));
+  }
+  encodedChallenge['appIdHash'] = B64_encode(sha256HashOfString(appId));
   return /** @type {EnrollHelperChallenge} */ (encodedChallenge);
 };
 
 /**
  * Encodes the given enroll challenges using this enroller's state.
  * @param {Array.<EnrollChallenge>} enrollChallenges The enroll challenges.
+ * @param {string=} opt_appId The app id for the entire request.
  * @return {!Array.<EnrollHelperChallenge>} The encoded enroll challenges.
  * @private
  */
-Enroller.prototype.encodeEnrollChallenges_ = function(enrollChallenges) {
+Enroller.prototype.encodeEnrollChallenges_ = function(enrollChallenges,
+    opt_appId) {
   var challenges = [];
   for (var i = 0; i < enrollChallenges.length; i++) {
     var enrollChallenge = enrollChallenges[i];
     var version = enrollChallenge.version;
     if (!version) {
       // Version is implicitly V1 if not specified.
       version = 'U2F_V1';
     }
 
     if (version == 'U2F_V2') {
       var modifiedChallenge = {};
       for (var k in enrollChallenge) {
         modifiedChallenge[k] = enrollChallenge[k];
       }
       // V2 enroll responses contain signatures over a browser data object,
       // which we're constructing here. The browser data object contains, among
       // other things, the server challenge.
       var serverChallenge = enrollChallenge['challenge'];
       var browserData = makeEnrollBrowserData(
           serverChallenge, this.origin_, this.tlsChannelId_);
       // Replace the challenge with the hash of the browser data.
       modifiedChallenge['challenge'] =
           B64_encode(sha256HashOfString(browserData));
       this.browserData_[version] =
           B64_encode(UTIL_StringToBytes(browserData));
       challenges.push(Enroller.encodeEnrollChallenge_(
-          /** @type {EnrollChallenge} */ (modifiedChallenge)));
+          /** @type {EnrollChallenge} */ (modifiedChallenge), opt_appId));
     } else {
-      challenges.push(Enroller.encodeEnrollChallenge_(enrollChallenge));
+      challenges.push(
+          Enroller.encodeEnrollChallenge_(enrollChallenge, opt_appId));
     }
   }
   return challenges;
 };
 
 /**
  * Checks the app ids associated with this enroll request, and calls a callback
  * with the result of the check.
  * @param {!Array.<string>} enrollAppIds The app ids in the enroll challenge
  *     portion of the enroll request.
@@ skipping 89 matching lines @@
       // For U2F_V2, the challenge sent to the gnubby is modified to be the hash
       // of the browser data. Include the browser data.
       browserData = this.browserData_[reply.version];
     }
 
     this.notifySuccess_(/** @type {string} */ (reply.version),
                         /** @type {string} */ (reply.enrollData),
                         browserData);
   }
 };