bitwarden · vvolkgang · Apr 9, 2024 · Feb 21, 2024 · Feb 21, 2024 · Feb 21, 2024
diff --git a/src/App/Platforms/Android/Autofill/CredentialHelpers.cs b/src/App/Platforms/Android/Autofill/CredentialHelpers.cs
@@ -0,0 +1,159 @@
+using Android.App;
+using Android.Content;
+using Android.OS;
+using AndroidX.Credentials;
+using AndroidX.Credentials.Exceptions;
+using AndroidX.Credentials.Provider;
+using AndroidX.Credentials.WebAuthn;
+using Bit.Core.Abstractions;
+using Bit.Core.Utilities;
+using Bit.Droid;
+using Org.Json;
+using Activity = Android.App.Activity;
+using Drawables = Android.Graphics.Drawables;
+
+namespace Bit.App.Platforms.Android.Autofill
+{
+    public static class CredentialHelpers
+    {
+        public static async Task<List<CredentialEntry>> PopulatePasskeyDataAsync(CallingAppInfo callingAppInfo,
+            BeginGetPublicKeyCredentialOption option, Context context, bool hasVaultBeenUnlockedInThisTransaction)
+        {
+            var passkeyEntries = new List<CredentialEntry>();
+            var requestOptions = new PublicKeyCredentialRequestOptions(option.RequestJson);
+
+            var authenticator = Bit.Core.Utilities.ServiceContainer.Resolve<IFido2AuthenticatorService>();
+            var credentials = await authenticator.SilentCredentialDiscoveryAsync(requestOptions.RpId);
+
+            passkeyEntries = credentials.Select(credential => MapCredential(credential, option, context, hasVaultBeenUnlockedInThisTransaction) as CredentialEntry).ToList();
+
+            return passkeyEntries;
+        }
+
+        private static PublicKeyCredentialEntry MapCredential(Fido2AuthenticatorDiscoverableCredentialMetadata credential, BeginGetPublicKeyCredentialOption option, Context context, bool hasVaultBeenUnlockedInThisTransaction)
+        {
+            var credDataBundle = new Bundle();
+            credDataBundle.PutByteArray(Bit.Core.Utilities.Fido2.CredentialProviderConstants.CredentialIdIntentExtra, credential.Id);
+
+            var intent = new Intent(context, typeof(Bit.Droid.Autofill.CredentialProviderSelectionActivity))
+                .SetAction(Bit.Droid.Autofill.CredentialProviderService.GetFido2IntentAction).SetPackage(Constants.PACKAGE_NAME);
+            intent.PutExtra(Bit.Core.Utilities.Fido2.CredentialProviderConstants.CredentialDataIntentExtra, credDataBundle);
+            intent.PutExtra(Bit.Core.Utilities.Fido2.CredentialProviderConstants.CredentialProviderCipherId, credential.CipherId);
+            intent.PutExtra(Bit.Core.Utilities.Fido2.CredentialProviderConstants.CredentialHasVaultBeenUnlockedInThisTransactionExtra, hasVaultBeenUnlockedInThisTransaction);
+            var pendingIntent = PendingIntent.GetActivity(context, Bit.Droid.Autofill.CredentialProviderService.UniqueGetRequestCode, intent,
+                PendingIntentFlags.Mutable | PendingIntentFlags.UpdateCurrent);
+
+            return new PublicKeyCredentialEntry.Builder(
+                        context,
+                        credential.UserName ?? "No username",
+                        pendingIntent,
+                        option)
+                    .SetDisplayName(credential.UserName ?? "No username")
+                    .SetIcon(Drawables.Icon.CreateWithResource(context, Microsoft.Maui.Resource.Drawable.icon))
+                    .Build();
+        }
+
+        public static async Task CreateCipherPasskeyAsync(ProviderCreateCredentialRequest getRequest, Activity activity)
+        {
+            var callingRequest = getRequest?.CallingRequest as CreatePublicKeyCredentialRequest;
+            var origin = callingRequest.Origin;
+            var credentialCreationOptions = new PublicKeyCredentialCreationOptions(callingRequest.RequestJson);
+
+            var rp = new Core.Utilities.Fido2.PublicKeyCredentialRpEntity()
+            {
+                Id = credentialCreationOptions.Rp.Id,
+                Name = credentialCreationOptions.Rp.Name
+            };
+
+            var user = new Core.Utilities.Fido2.PublicKeyCredentialUserEntity()
+            {
+                Id = credentialCreationOptions.User.GetId(),
+                Name = credentialCreationOptions.User.Name,
+                DisplayName = credentialCreationOptions.User.DisplayName
+            };
+
+            var pubKeyCredParams = new List<Core.Utilities.Fido2.PublicKeyCredentialParameters>();
+            foreach (var pubKeyCredParam in credentialCreationOptions.PubKeyCredParams)
+            {
+                pubKeyCredParams.Add(new Core.Utilities.Fido2.PublicKeyCredentialParameters() { Alg = Convert.ToInt32(pubKeyCredParam.Alg), Type = pubKeyCredParam.Type });
+            }
+
+            var excludeCredentials = new List<Core.Utilities.Fido2.PublicKeyCredentialDescriptor>();
+            foreach (var excludeCred in credentialCreationOptions.ExcludeCredentials)
+            {
+                excludeCredentials.Add(new Core.Utilities.Fido2.PublicKeyCredentialDescriptor(){ Id = excludeCred.GetId(), Type = excludeCred.Type, Transports = excludeCred.Transports.ToArray() });
+            }
+
+            var authenticatorSelection = new Core.Utilities.Fido2.AuthenticatorSelectionCriteria()
+            {
+                UserVerification = credentialCreationOptions.AuthenticatorSelection.UserVerification,
+                ResidentKey = credentialCreationOptions.AuthenticatorSelection.ResidentKey,
+                RequireResidentKey = credentialCreationOptions.AuthenticatorSelection.RequireResidentKey
+            };
+
+            var timeout = Convert.ToInt32(credentialCreationOptions.Timeout);
+
+            var credentialCreateParams = new Bit.Core.Utilities.Fido2.Fido2ClientCreateCredentialParams()
+            {
+                Challenge = credentialCreationOptions.GetChallenge(),
+                Origin = origin,
+                PubKeyCredParams = pubKeyCredParams.ToArray(),
+                Rp = rp,
+                User = user,
+                Timeout = timeout,
+                Attestation = credentialCreationOptions.Attestation,
+                AuthenticatorSelection = authenticatorSelection,
+                ExcludeCredentials = excludeCredentials.ToArray(),
+                //Extensions = // Can be improved later to add support for 'credProps'
+                SameOriginWithAncestors = true
+            };
+
+            var fido2MediatorService = ServiceContainer.Resolve<IFido2MediatorService>();
+            var clientCreateCredentialResult = await fido2MediatorService.CreateCredentialAsync(credentialCreateParams);
+            if (clientCreateCredentialResult == null)
+            {
+                var resultErrorIntent = new Intent();
+                PendingIntentHandler.SetCreateCredentialException(resultErrorIntent, new CreateCredentialUnknownException());
+                activity.SetResult(Result.Ok, resultErrorIntent);
+                activity.Finish();
+                return;
+            }
+
+            var transportsArray = new JSONArray();
+            if (clientCreateCredentialResult.Transports != null)
+            {
+                foreach (var transport in clientCreateCredentialResult.Transports)
+                {
+                    transportsArray.Put(transport);
+                }
+            }
+
+            var responseInnerAndroidJson = new JSONObject();
+            responseInnerAndroidJson.Put("clientDataJSON", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.ClientDataJSON));
+            responseInnerAndroidJson.Put("authenticatorData", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.AuthData));
+            responseInnerAndroidJson.Put("attestationObject", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.AttestationObject));
+            responseInnerAndroidJson.Put("transports", transportsArray);
+            responseInnerAndroidJson.Put("publicKeyAlgorithm", clientCreateCredentialResult.PublicKeyAlgorithm);
+            responseInnerAndroidJson.Put("publicKey", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.PublicKey));
+
+            var rootAndroidJson = new JSONObject();
+            rootAndroidJson.Put("id", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.CredentialId));
+            rootAndroidJson.Put("rawId", CoreHelpers.Base64UrlEncode(clientCreateCredentialResult.CredentialId));
+            rootAndroidJson.Put("authenticatorAttachment", "platform");
+            rootAndroidJson.Put("type", "public-key");
+            rootAndroidJson.Put("clientExtensionResults", new JSONObject());
+            rootAndroidJson.Put("response", responseInnerAndroidJson);
+
+            var responseAndroidJson = rootAndroidJson.ToString();
+
+            System.Diagnostics.Debug.WriteLine(responseAndroidJson);
+
+            var result = new Intent();
+            var publicKeyResponse = new CreatePublicKeyCredentialResponse(responseAndroidJson);
+            PendingIntentHandler.SetCreateCredentialResponse(result, publicKeyResponse);
+
+            activity.SetResult(Result.Ok, result);
+            activity.Finish();
+        }
+    }
+}
diff --git a/src/App/Platforms/Android/Autofill/CredentialProviderConstants.cs b/src/App/Platforms/Android/Autofill/CredentialProviderConstants.cs
diff --git a/src/App/Platforms/Android/Autofill/CredentialProviderSelectionActivity.cs b/src/App/Platforms/Android/Autofill/CredentialProviderSelectionActivity.cs
@@ -1,12 +1,18 @@
-using System.Threading.Tasks;
-using Android.App;
+using Android.App;
+using Android.Content;
 using Android.Content.PM;
 using Android.OS;
+using AndroidX.Credentials;
 using AndroidX.Credentials.Provider;
 using AndroidX.Credentials.WebAuthn;
+using Bit.App.Abstractions;
 using Bit.Core.Abstractions;
 using Bit.Core.Utilities;
 using Bit.App.Droid.Utilities;
+using Bit.Core.Resources.Localization;
+using Bit.Core.Utilities.Fido2;
+using Java.Security;
+using Bit.Core.Services;
 
 namespace Bit.Droid.Autofill
 {
@@ -15,6 +21,13 @@ namespace Bit.Droid.Autofill
         LaunchMode = LaunchMode.SingleTop)]
     public class CredentialProviderSelectionActivity : MauiAppCompatActivity
     {
+        private LazyResolve<IFido2MediatorService> _fido2MediatorService = new LazyResolve<IFido2MediatorService>();
+        private LazyResolve<IVaultTimeoutService> _vaultTimeoutService = new LazyResolve<IVaultTimeoutService>();
+        private LazyResolve<IStateService> _stateService = new LazyResolve<IStateService>();
+        private LazyResolve<ICipherService> _cipherService = new LazyResolve<ICipherService>();
+        private LazyResolve<IUserVerificationMediatorService> _userVerificationMediatorService = new LazyResolve<IUserVerificationMediatorService>();
+        private LazyResolve<IDeviceActionService> _deviceActionService = new LazyResolve<IDeviceActionService>();
+
         protected override void OnCreate(Bundle bundle)
         {
             Intent?.Validate();
@@ -23,43 +36,142 @@ protected override void OnCreate(Bundle bundle)
             var cipherId = Intent?.GetStringExtra(CredentialProviderConstants.CredentialProviderCipherId);
             if (string.IsNullOrEmpty(cipherId))
             {
-                SetResult(Result.Canceled);
                 Finish();
                 return;
             }
 
-            GetCipherAndPerformPasskeyAuthAsync(cipherId).FireAndForget();
+            GetCipherAndPerformFido2AuthAsync(cipherId).FireAndForget();
+        }
+
+        //Used to avoid crash on MAUI when doing back
+        public override void OnBackPressed()
+        {
+            Finish();
         }
 
-        private async Task GetCipherAndPerformPasskeyAuthAsync(string cipherId)
+        private async Task GetCipherAndPerformFido2AuthAsync(string cipherId)
         {
-            // TODO this is a work in progress
-            // https://developer.android.com/training/sign-in/credential-provider#passkeys-implement
+            string RpId = string.Empty;
+            try
+            {
+                var getRequest = PendingIntentHandler.RetrieveProviderGetCredentialRequest(Intent);
+
+                var credentialOption = getRequest?.CredentialOptions.FirstOrDefault();
+                var credentialPublic = credentialOption as GetPublicKeyCredentialOption;
+
+                var requestOptions = new PublicKeyCredentialRequestOptions(credentialPublic.RequestJson);
+                RpId = requestOptions.RpId;
 
-            var getRequest = PendingIntentHandler.RetrieveProviderGetCredentialRequest(Intent);
-            // var publicKeyRequest = getRequest?.CredentialOptions as PublicKeyCredentialRequestOptions;
+                var requestInfo = Intent.GetBundleExtra(CredentialProviderConstants.CredentialDataIntentExtra);
+                var credentialId = requestInfo?.GetByteArray(CredentialProviderConstants.CredentialIdIntentExtra);
+                var hasVaultBeenUnlockedInThisTransaction = Intent.GetBooleanExtra(CredentialProviderConstants.CredentialHasVaultBeenUnlockedInThisTransactionExtra, false);
 
-            var requestInfo = Intent.GetBundleExtra(CredentialProviderConstants.CredentialDataIntentExtra);
-            var credIdEnc = requestInfo?.GetString(CredentialProviderConstants.CredentialIdIntentExtra);
+                var androidOrigin = AppInfoToOrigin(getRequest?.CallingAppInfo);
+                var packageName = getRequest?.CallingAppInfo.PackageName;
 
-            var cipherService = ServiceContainer.Resolve<ICipherService>();
-            var cipher = await cipherService.GetAsync(cipherId);
-            var decCipher = await cipher.DecryptAsync();
+                var userInterface = new Fido2GetAssertionUserInterface(
+                    cipherId: cipherId,
+                    userVerified: false,
+                    ensureUnlockedVaultCallback: EnsureUnlockedVaultAsync,
+                    hasVaultBeenUnlockedInThisTransaction: () => hasVaultBeenUnlockedInThisTransaction,
+                    verifyUserCallback: (cipherId, uvPreference) => VerifyUserAsync(cipherId, uvPreference, RpId, hasVaultBeenUnlockedInThisTransaction));
 
-            var passkey = decCipher.Login.Fido2Credentials.Find(f => f.CredentialId == credIdEnc);
+                var assertParams = new Fido2AuthenticatorGetAssertionParams
+                {
+                    Challenge = requestOptions.GetChallenge(),
+                    RpId = RpId,
+                    UserVerificationPreference = Fido2UserVerificationPreferenceExtensions.ToFido2UserVerificationPreference(requestOptions.UserVerification),
+                    Hash = credentialPublic.GetClientDataHash(),
+                    AllowCredentialDescriptorList = new Core.Utilities.Fido2.PublicKeyCredentialDescriptor[] { new Core.Utilities.Fido2.PublicKeyCredentialDescriptor { Id = credentialId } },
+                    Extensions = new object()
+                };
+
+                var assertResult = await _fido2MediatorService.Value.GetAssertionAsync(assertParams, userInterface);
+
+                var response = new AuthenticatorAssertionResponse(
+                    requestOptions,
+                    assertResult.SelectedCredential.Id,
+                    androidOrigin,
+                    false, // These flags have no effect, we set our own within `SetAuthenticatorData`
+                    false,
+                    false,
+                    false,
+                    assertResult.SelectedCredential.UserHandle,
+                    packageName,
+                    credentialPublic.GetClientDataHash() //clientDataHash
+                );
+                response.SetAuthenticatorData(assertResult.AuthenticatorData);
+                response.SetSignature(assertResult.Signature);
+
+                var result = new Intent();
+                var fidoCredential = new FidoPublicKeyCredential(assertResult.SelectedCredential.Id, response, "platform");
+                var cred = new PublicKeyCredential(fidoCredential.Json());
+                var credResponse = new GetCredentialResponse(cred);
+                PendingIntentHandler.SetGetCredentialResponse(result, credResponse);
+
+                await MainThread.InvokeOnMainThreadAsync(() =>
+                {
+                    SetResult(Result.Ok, result);
+                    Finish();
+                });
+            }
+            catch (NotAllowedError)
+            {
+                await MainThread.InvokeOnMainThreadAsync(async() =>
+                {
+                    await _deviceActionService.Value.DisplayAlertAsync(AppResources.ErrorReadingPasskey, string.Format(AppResources.ThereWasAProblemReadingAPasskeyForXTryAgainLater, RpId), AppResources.Ok);
+                    Finish();
+                });
+            }
+            catch (Exception ex)
+            {
+                LoggerHelper.LogEvenIfCantBeResolved(ex);
+                await MainThread.InvokeOnMainThreadAsync(async() =>
+                {
+                    await _deviceActionService.Value.DisplayAlertAsync(AppResources.ErrorReadingPasskey, string.Format(AppResources.ThereWasAProblemReadingAPasskeyForXTryAgainLater, RpId), AppResources.Ok);
+                    Finish();
+                });
+            }
+        }
 
-            var credId = Convert.FromBase64String(credIdEnc);
-            // var privateKey = Convert.FromBase64String(passkey.PrivateKey);
-            // var uid = Convert.FromBase64String(passkey.uid);
+        private async Task EnsureUnlockedVaultAsync()
+        {
+            if (!await _stateService.Value.IsAuthenticatedAsync() || await _vaultTimeoutService.Value.IsLockedAsync())
+            {
+                // this should never happen but just in case.
+                throw new InvalidOperationException("Not authed or vault locked");
+            }
+        }
 
-            var origin = getRequest?.CallingAppInfo.Origin;
-            var packageName = getRequest?.CallingAppInfo.PackageName;
+        internal async Task<bool> VerifyUserAsync(string selectedCipherId, Fido2UserVerificationPreference userVerificationPreference, string rpId, bool vaultUnlockedDuringThisTransaction)
+        {
+            try
+            {
+                var encrypted = await _cipherService.Value.GetAsync(selectedCipherId);
+                var cipher = await encrypted.DecryptAsync();
 
-            // --- continue WIP here (save TOTP copy as last step) ---
+                var userVerification = await _userVerificationMediatorService.Value.VerifyUserForFido2Async(
+                    new Fido2UserVerificationOptions(
+                        cipher?.Reprompt == Bit.Core.Enums.CipherRepromptType.Password,
+                        userVerificationPreference,
+                        vaultUnlockedDuringThisTransaction,
+                        rpId)
+                    );
+                return !userVerification.IsCancelled && userVerification.Result;
+            }
+            catch (Exception ex)
+            {
+                LoggerHelper.LogEvenIfCantBeResolved(ex);
+                return false;
+            }
+        }
 
-            // Copy TOTP if needed
-            var autofillHandler = ServiceContainer.Resolve<IAutofillHandler>();
-            autofillHandler.Autofill(decCipher);
+        private string AppInfoToOrigin(CallingAppInfo info)
+        {
+            var cert = info.SigningInfo.GetApkContentsSigners()[0].ToByteArray();
+            var md = MessageDigest.GetInstance("SHA-256");
+            var certHash = md.Digest(cert);
+            return $"android:apk-key-hash:${CoreHelpers.Base64UrlEncode(certHash)}";
         }
     }
 }