/* * Copyright (C) 2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF * THE POSSIBILITY OF SUCH DAMAGE. */ #import "config.h" #import "NfcConnection.h" #if ENABLE(WEB_AUTHN) && HAVE(NEAR_FIELD) #import "NfcService.h" #import "WKNFReaderSessionDelegate.h" #import <WebCore/FidoConstants.h> #import <wtf/text/Base64.h> namespace WebKit { using namespace fido; namespace { inline bool compareVersion(NSData *data, const uint8_t version[], size_t versionSize) { if (!data) return false; if (data.length != versionSize) return false; return !memcmp(data.bytes, version, versionSize); } // Confirm the FIDO applet is avaliable. // https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#nfc-applet-selection static bool trySelectFidoApplet(NFReaderSession *session) { auto *versionData = [session transceive:adoptNS([[NSData alloc] initWithBytes:kCtapNfcAppletSelectionCommand length:sizeof(kCtapNfcAppletSelectionCommand)]).get()]; if (compareVersion(versionData, kCtapNfcAppletSelectionU2f, sizeof(kCtapNfcAppletSelectionU2f)) || compareVersion(versionData, kCtapNfcAppletSelectionCtap, sizeof(kCtapNfcAppletSelectionCtap))) return true; // Some legacy U2F keys such as Google T1 Titan don't understand the FIDO applet command. Instead, // they are configured to only have the FIDO applet. Therefore, when the above command fails, we // use U2F_VERSION command to double check if the connected tag can actually speak U2F, indicating // we are interacting with one of these legacy keys. versionData = [session transceive:adoptNS([[NSData alloc] initWithBytes:kCtapNfcU2fVersionCommand length:sizeof(kCtapNfcU2fVersionCommand)]).get()]; if (compareVersion(versionData, kCtapNfcAppletSelectionU2f, sizeof(kCtapNfcAppletSelectionU2f))) return true; return false; } } // namespace Ref<NfcConnection> NfcConnection::create(RetainPtr<NFReaderSession>&& session, NfcService& service) { return adoptRef(*new NfcConnection(WTFMove(session), service)); } NfcConnection::NfcConnection(RetainPtr<NFReaderSession>&& session, NfcService& service) : m_session(WTFMove(session)) , m_delegate(adoptNS([[WKNFReaderSessionDelegate alloc] initWithConnection:*this])) , m_service(makeWeakPtr(service)) , m_retryTimer(RunLoop::main(), this, &NfcConnection::startPolling) { [m_session setDelegate:m_delegate.get()]; startPolling(); } NfcConnection::~NfcConnection() { stop(); } Vector<uint8_t> NfcConnection::transact(Vector<uint8_t>&& data) const { Vector<uint8_t> response; // The method will return an empty NSData if the tag is disconnected. auto *responseData = [m_session transceive:adoptNS([[NSData alloc] initWithBytes:data.data() length:data.size()]).get()]; response.append(reinterpret_cast<const uint8_t*>(responseData.bytes), responseData.length); return response; } void NfcConnection::stop() const { [m_session disconnectTag]; [m_session stopPolling]; [m_session endSession]; } void NfcConnection::didDetectTags(NSArray *tags) { if (!m_service || !tags.count) return; // A physical NFC tag could have multiple interfaces. // Therefore, we use tagID to detect if there are multiple physical tags. NSData *tagID = ((NFTag *)tags[0]).tagID; for (NFTag *tag : tags) { if ([tagID isEqualToData:tag.tagID]) continue; m_service->didDetectMultipleTags(); restartPolling(); return; } // FIXME(203234): Tell users to switch to a different tag if the tag is not of type NFTagTypeGeneric4A // or can't speak U2F/FIDO2. for (NFTag *tag : tags) { if (tag.type != NFTagTypeGeneric4A || ![m_session connectTag:tag]) continue; if (!trySelectFidoApplet(m_session.get())) { [m_session disconnectTag]; continue; } m_service->didConnectTag(); return; } restartPolling(); } // NearField polling is a one shot polling. It halts after tags are detected. // Therefore, a restart process is needed to resume polling after error. void NfcConnection::restartPolling() { [m_session stopPolling]; m_retryTimer.startOneShot(1_s); // Magic number to give users enough time for reactions. } void NfcConnection::startPolling() { NSError *error = nil; [m_session startPollingWithError:&error]; if (error) LOG_ERROR("Couldn't start NFC reader polling: %@", error); } } // namespace WebKit #endif // ENABLE(WEB_AUTHN) && HAVE(NEAR_FIELD)