[PM-11922] Handle apk key hash as origin

crates/bitwarden-fido/Cargo.toml

@@ -30,7 +30,10 @@ coset = { version = "0.3.7" }
 itertools = "0.13.0"
 log = ">=0.4.18, <0.5"
 p256 = { version = ">=0.13.2, <0.14" }
-passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "ae08e2cb7dd3d44d915caed395c0cdc56b50fa27" }
+passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "ff757604cd7b4e8f321ed1616fef7e40e21ac5df" }
+passkey-client = { git = "https://github.com/bitwarden/passkey-rs", rev = "ff757604cd7b4e8f321ed1616fef7e40e21ac5df", features = [
+    "android-asset-validation",
+] }
 reqwest = { version = ">=0.12.5, <0.13", default-features = false }
 schemars = { version = "0.8.21", features = ["uuid1", "chrono"] }
 serde = { version = ">=1.0, <2.0", features = ["derive"] }

crates/bitwarden-fido/src/client.rs

@@ -1,21 +1,17 @@
 use passkey::client::WebauthnError;
-use reqwest::Url;
 use thiserror::Error;
 
 use super::{
     authenticator::GetSelectedCredentialError,
     get_string_name_from_enum,
     types::{
         AuthenticatorAssertionResponse, AuthenticatorAttestationResponse, ClientData,
-        ClientExtensionResults, CredPropsResult,
+        ClientExtensionResults, CredPropsResult, Origin,
     },
     Fido2Authenticator, PublicKeyCredentialAuthenticatorAssertionResponse,
     PublicKeyCredentialAuthenticatorAttestationResponse,
 };
-
-#[derive(Debug, Error)]
-#[error("Invalid origin: {0}")]
-pub struct InvalidOriginError(String);
+use crate::types::InvalidOriginError;
 
 #[derive(Debug, Error)]
 pub enum Fido2ClientError {
@@ -43,12 +39,11 @@
 impl<'a> Fido2Client<'a> {
     pub async fn register(
         &mut self,
-        origin: String,
+        origin: Origin,
         request: String,
         client_data: ClientData,
     ) -> Result<PublicKeyCredentialAuthenticatorAttestationResponse, Fido2ClientError> {
-        let origin = Url::parse(&origin).map_err(|e| InvalidOriginError(format!("{}", e)))?;
-
+        let origin: passkey::client::Origin = origin.try_into()?;
         let request: passkey::types::webauthn::CredentialCreationOptions =
             serde_json::from_str(&request)?;
 
@@ -67,7 +62,7 @@
         let rp_id = request.public_key.rp.id.clone();
 
         let mut client = passkey::client::Client::new(self.authenticator.get_authenticator(true));
-        let result = client.register(&origin, request, client_data).await?;
+        let result = client.register(origin, request, client_data).await?;
 
         Ok(PublicKeyCredentialAuthenticatorAttestationResponse {
             id: result.id,
@@ -98,12 +93,11 @@
 
     pub async fn authenticate(
         &mut self,
-        origin: String,
+        origin: Origin,
         request: String,
         client_data: ClientData,
     ) -> Result<PublicKeyCredentialAuthenticatorAssertionResponse, Fido2ClientError> {
-        let origin = Url::parse(&origin).map_err(|e| InvalidOriginError(format!("{}", e)))?;
-
+        let origin: passkey::client::Origin = origin.try_into()?;
         let request: passkey::types::webauthn::CredentialRequestOptions =
             serde_json::from_str(&request)?;
 
@@ -116,7 +110,7 @@
             .replace(uv);
 
         let mut client = passkey::client::Client::new(self.authenticator.get_authenticator(false));
-        let result = client.authenticate(&origin, request, client_data).await?;
+        let result = client.authenticate(origin, request, client_data).await?;
 
         Ok(PublicKeyCredentialAuthenticatorAssertionResponse {
             id: result.id,

crates/bitwarden-fido/src/lib.rs

@@ -32,10 +32,10 @@ pub use traits::{
 pub use types::{
     AuthenticatorAssertionResponse, AuthenticatorAttestationResponse, ClientData,
     Fido2CredentialAutofillView, Fido2CredentialAutofillViewError, GetAssertionRequest,
-    GetAssertionResult, MakeCredentialRequest, MakeCredentialResult, Options,
+    GetAssertionResult, MakeCredentialRequest, MakeCredentialResult, Options, Origin,
     PublicKeyCredentialAuthenticatorAssertionResponse,
     PublicKeyCredentialAuthenticatorAttestationResponse, PublicKeyCredentialRpEntity,
-    PublicKeyCredentialUserEntity,
+    PublicKeyCredentialUserEntity, UnverifiedAssetLink,
 };
 
 use self::crypto::{cose_key_to_pkcs8, pkcs8_to_cose_key};

crates/bitwarden-fido/src/types.rs

@@ -1,7 +1,10 @@
+use std::borrow::Cow;
+
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use bitwarden_crypto::KeyContainer;
 use bitwarden_vault::{CipherError, CipherView};
 use passkey::types::webauthn::UserVerificationRequirement;
+use reqwest::Url;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
@@ -359,6 +362,67 @@
     pub user_handle: Vec<u8>,
 }
 
+#[derive(Debug, Error)]
+#[error("Invalid origin: {0}")]
+pub struct InvalidOriginError(String);
+
+#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
+/// An Unverified asset link.
+pub struct UnverifiedAssetLink {
+    /// Application package name.
+    package_name: String,
+    /// Fingerprint to compare.
+    sha256_cert_fingerprint: String,
+    /// Host to lookup the well known asset link.
+    host: String,
+    /// When sourced from the application statement list or parsed from host for passkeys.
+    /// Will be generated from `host` if not provided.
+    asset_link_url: Option<String>,
+}
+
+#[cfg_attr(feature = "uniffi", derive(uniffi::Enum))]
+/// The origin of a WebAuthn request.
+pub enum Origin {
+    /// A Url, meant for a request in the web browser.
+    Web(String),
+    /// An android digital asset fingerprint.
+    /// Meant for a request coming from an android application.
+    Android(UnverifiedAssetLink),
+}
+
+impl<'a> TryFrom<Origin> for passkey::client::Origin<'a> {
+    type Error = InvalidOriginError;
+
+    fn try_from(value: Origin) -> Result<Self, Self::Error> {
+        Ok(match value {
+            Origin::Web(url) => {
+                let url = Url::parse(&url).map_err(|e| InvalidOriginError(format!("{}", e)))?;
+                passkey::client::Origin::Web(Cow::Owned(url))
+            }
+            Origin::Android(link) => passkey::client::Origin::Android(link.try_into()?),
+        })
+    }
+}
+
+impl<'a> TryFrom<UnverifiedAssetLink> for passkey::client::UnverifiedAssetLink<'a> {
+    type Error = InvalidOriginError;
+
+    fn try_from(value: UnverifiedAssetLink) -> Result<Self, Self::Error> {
+        let asset_link_url = match value.asset_link_url {
+            Some(url) => Some(Url::parse(&url).map_err(|e| InvalidOriginError(format!("{}", e)))?),
+            None => None,
+        };
+
+        passkey::client::UnverifiedAssetLink::new(
+            Cow::from(value.package_name),
+            value.sha256_cert_fingerprint.as_str(),
+            Cow::from(value.host),
+            asset_link_url,
+        )
+        .map_err(|e| InvalidOriginError(format!("{:?}", e)))
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use serde::{Deserialize, Serialize};

crates/bitwarden-uniffi/src/platform/fido2.rs

@@ -11,7 +11,7 @@
     },
     vault::{Cipher, CipherView, Fido2CredentialNewView},
 };
-use bitwarden_fido::Fido2CredentialAutofillView;
+use bitwarden_fido::{Fido2CredentialAutofillView, Origin};
 
 use crate::{error::Result, Client};
 
@@ -135,7 +135,7 @@
 impl ClientFido2Client {
     pub async fn register(
         &self,
-        origin: String,
+        origin: Origin,
         request: String,
         client_data: ClientData,
     ) -> Result<PublicKeyCredentialAuthenticatorAttestationResponse> {
@@ -153,7 +153,7 @@
 
     pub async fn authenticate(
         &self,
-        origin: String,
+        origin: Origin,
         request: String,
         client_data: ClientData,
     ) -> Result<PublicKeyCredentialAuthenticatorAssertionResponse> {