Bug 1554397 - Implement residentKey support on GeckoView. r=jschanck,geckoview-reviewers,owlish

GMS's FIDO2 19.0.x supports residentKey values. So let's implement it for Android's native token manager. But when implementing it, GMS's FIDO2 will synchronize key via Google's account Passkey. So this is experimental by preferences. Differential Revision: https://phabricator.services.mozilla.com/D176391
2023-05-03 14:54:52 +00:00 · 2023-05-03 14:54:52 +00:00 · 393b07fc97
--- a/dom/webauthn/AndroidWebAuthnTokenManager.cpp
+++ b/dom/webauthn/AndroidWebAuthnTokenManager.cpp
@ -13,6 +13,7 @@
 #include "JavaExceptions.h"
 #include "mozilla/java/WebAuthnTokenManagerWrappers.h"
 #include "mozilla/jni/Conversions.h"
+#include "mozilla/StaticPrefs_security.h"
 #include "WebAuthnEnumStrings.h"

 namespace mozilla {
@ -156,10 +157,13 @@ RefPtr<U2FRegisterPromise> AndroidWebAuthnTokenManager::Register(

          const WebAuthnAuthenticatorSelection& sel =
              extra.AuthenticatorSelection();
-          if (sel.residentKey().EqualsLiteral(
-                  MOZ_WEBAUTHN_RESIDENT_KEY_REQUIREMENT_REQUIRED)) {
-            GECKOBUNDLE_PUT(authSelBundle, "requireResidentKey",
-                            java::sdk::Integer::ValueOf(1));
+          // Unfortunately, GMS's FIDO2 API has no option for Passkey. If using
+          // residentKey, credential will be synced with Passkey via Google
+          // account or credential provider service. So this is experimental.
+          if (StaticPrefs::
+                  security_webauthn_webauthn_enable_android_fido2_residentkey()) {
+            GECKOBUNDLE_PUT(authSelBundle, "residentKey",
+                            jni::StringParam(sel.residentKey()));
          }

          if (sel.userVerificationRequirement().EqualsLiteral(
--- a/mobile/android/geckoview/build.gradle
+++ b/mobile/android/geckoview/build.gradle
@ -222,7 +222,7 @@ dependencies {
    implementation "androidx.annotation:annotation:1.3.0"
    implementation "androidx.legacy:legacy-support-v4:1.0.0"

-    implementation "com.google.android.gms:play-services-fido:18.1.0"
+    implementation "com.google.android.gms:play-services-fido:20.0.1"
    implementation "org.yaml:snakeyaml:1.24:android"

    implementation "androidx.lifecycle:lifecycle-extensions:2.2.0"
--- a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/WebAuthnTokenManager.java
+++ b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/WebAuthnTokenManager.java
@ -34,6 +34,7 @@ import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialRpEntity;
 import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialType;
 import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialUserEntity;
 import com.google.android.gms.fido.fido2.api.common.RSAAlgorithm;
+import com.google.android.gms.fido.fido2.api.common.ResidentKeyRequirement;
 import com.google.android.gms.tasks.Task;
 import java.nio.ByteBuffer;
 import java.util.ArrayList;
@ -188,6 +189,20 @@ import org.mozilla.gecko.util.GeckoBundle;
    if (authenticatorSelection.getInt("requireCrossPlatformAttachment", 0) == 1) {
      selBuild.setAttachment(Attachment.CROSS_PLATFORM);
    }
+    final String residentKey = authenticatorSelection.getString("residentKey", "");
+    if (residentKey.equals("required")) {
+      selBuild
+          .setRequireResidentKey(true)
+          .setResidentKeyRequirement(ResidentKeyRequirement.RESIDENT_KEY_REQUIRED);
+    } else if (residentKey.equals("preferred")) {
+      selBuild
+          .setRequireResidentKey(false)
+          .setResidentKeyRequirement(ResidentKeyRequirement.RESIDENT_KEY_PREFERRED);
+    } else if (residentKey.equals("discouraged")) {
+      selBuild
+          .setRequireResidentKey(false)
+          .setResidentKeyRequirement(ResidentKeyRequirement.RESIDENT_KEY_DISCOURAGED);
+    }
    final AuthenticatorSelectionCriteria sel = selBuild.build();

    final AuthenticationExtensions.Builder extBuilder = new AuthenticationExtensions.Builder();
@ -196,8 +211,7 @@ import org.mozilla.gecko.util.GeckoBundle;
    }
    final AuthenticationExtensions ext = extBuilder.build();

-    // requireResidentKey andrequireUserVerification are not yet
-    // consumed by Android's API
+    // requireUserVerification are not yet consumed by Android's API

    final List<PublicKeyCredentialDescriptor> excludedList =
        new ArrayList<PublicKeyCredentialDescriptor>();
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -13719,6 +13719,12 @@
  value: @IS_ANDROID@
  mirror: always

+# residentKey support when using Android platform API
+- name: security.webauthn.webauthn_enable_android_fido2.residentkey
+  type: RelaxedAtomicBool
+  value: false
+  mirror: always
+
 # Dispatch WebAuthn requests to authenticator-rs
 - name: security.webauth.webauthn_enable_usbtoken
  type: RelaxedAtomicBool