Add regular fido service

[p1gp1g]

It adds support for regular FIDO service.

Edit: This PR is not based on the other PR (#2183) any more. Old branch can be found here: p1gp1g:feat/regular_fido_v1

[p1gp1g]

I have updated the feature for the privileged fido api and use static features. I have not yet tested the later change, I'll do it later if I've time (and if no one else can)

I have seen that the libraries doesn't use the features for the request.

Side note: Some actions I have seen that aren't in microG:

• com.google.android.gms.fido.fido2.zeroparty.START
• com.google.android.gms.fido.fido2.firstparty.START
• com.google.android.gms.fido.u2f.privileged.START
• com.google.android.gms.fido.u2f.thirdparty.START
• com.google.android.gms.fido.u2f.zeroparty.START

[ale5000-git]

@p1gp1g
You have defined 4 features in FidoFeatures.java but you have used only 3 in Fido2PrivilegedService.kt, is it an oversight?

[p1gp1g]

@ale5000-git 3 features for the privileged service, 2 for the regular one, 1 in common : there are 4 features :)

[mar-v-in]

@p1gp1g when I was asking for them to be static, I was thinking of how we do it at other places like

GmsCore/play-services-core/src/main/kotlin/org/microg/gms/auth/account/data/GoogleAuthService.kt

Lines 28 to 44 in df6f331

	val FEATURES = arrayOf(
	Feature("auth_suw", 224516000),
	Feature("account_capability_api", 1),
	Feature("account_data_service", 6),
	Feature("account_data_service_legacy", 1),
	Feature("account_data_service_token", 8),
	Feature("account_data_service_visibility", 1),
	Feature("config_sync", 1),
	Feature("device_account_api", 1),
	Feature("device_account_jwt_creation", 1),
	Feature("gaiaid_primary_email_api", 1),
	Feature("google_auth_service_accounts", 2),
	Feature("google_auth_service_token", 3),
	Feature("hub_mode_api", 1),
	Feature("user_service_account_management", 1),
	Feature("work_account_client_is_whitelisted", 1),
	)

which is shared between GoogleAuthService and AccountDataService.

It may seem weird to declare features to a service that are not provided by it, but Google does the same in original Play Services (services are declared in groups that share their set of features) and in the past Google was even requiring this for some APIs (the client library was requiring that service A announced a feature of service B). We want to prevent a small update to the client library breaking support because of not announcing a feature (we had those issues in the past).

I can check the full list of services that Google announces on FIDO APIs later and provide it here (it can be extracted from the chimera manifest in the assets of play services apk).

[p1gp1g]

The full set of feature is not used by these 2 services. There is a declaration of the full set, and it is used for the zeroparty or the firstparty one. I haven't added other features because I though it would better fit a PR introducing those services (if needed).

Regular Fido and Privileged Fido use the set with respectively 2 and 3 features

[mar-v-in]

Here's the content of the chimera manifest of play services 24.05.15, with the module for the fido already highlighted: https://gist.github.com/mar-v-in/1cb40abe41ed751d3ab8f78ef6843b7f#file-chimeramanifest-L12804-L13243

When connecting to this version of play services, all the API services listed in the module (with prefix 13 {) would consider the features listed in the module (with prefix 15 {) as available. The list of provided features is not per api service, but per module.

[mar-v-in]

I'm a little confused about these interfaces, because they don't match what Google's services expect:

• The name should be IFido2AppService (IFido2AppCallbacks respectively)
• The AIDL shouldn't carry a getCredentialList function on the regular service (such function also doesn't exist in the corresponding public API)

Not sure where this mismatch comes from. If you only ever tested the client library from this PR against the service from this PR, it would certainly work, but would be incompatible with Google's client library or service.

[p1gp1g]

That may be why. I have converted to a draft until this is tested against a google client lib, and this fixed.

[ale5000-git]

@p1gp1g

Build fails:

2024-02-23T12:39:12.3567512Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:29:59 Unresolved reference: IFido2RegularCallbacks
2024-02-23T12:39:12.3569500Z 
2024-02-23T12:39:12.3572526Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:30:59 Unresolved reference: IFido2RegularService
2024-02-23T12:39:12.3576523Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:51:54 Unresolved reference: asBinder
2024-02-23T12:39:12.3580719Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:57:61 Cannot weaken access privilege 'public' for 'lifecycle' in 'LifecycleOwner'
2024-02-23T12:39:12.3585399Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:57:73 'lifecycle' hides member of supertype 'LifecycleOwner' and needs 'override' modifier
2024-02-23T12:39:12.3588308Z > Task :play-services-fido-core:compileDebugKotlin FAILED
2024-02-23T12:39:12.3590694Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:58:5 Unresolved reference: IFido2RegularService
2024-02-23T12:39:12.3594692Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:59:5 'getRegisterPendingIntent' overrides nothing
2024-02-23T12:39:12.3598221Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:59:54 Unresolved reference: IFido2RegularCallbacks
2024-02-23T12:39:12.3601674Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:73:5 'getSignPendingIntent' overrides nothing
2024-02-23T12:39:12.3605116Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:73:50 Unresolved reference: IFido2RegularCallbacks
2024-02-23T12:39:12.3608831Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:87:5 'isUserVerifyingPlatformAuthenticatorAvailable' overrides nothing
2024-02-23T12:39:12.3612498Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:98:5 'getCredentialList' overrides nothing
2024-02-23T12:39:12.3616109Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:104:5 'getLifecycle' overrides nothing
2024-02-23T12:39:12.3619372Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:106:5 'onTransact' overrides nothing
2024-02-23T12:39:12.3623253Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:107:9 Unresolved reference. None of the following candidates is applicable because of receiver type mismatch: 
2024-02-23T12:39:12.3626799Z public fun IBinder.warnOnTransactionIssues(code: Int, reply: Parcel?, flags: Int, tag: String = ..., base: () -> Boolean): Boolean defined in org.microg.gms.utils
2024-02-23T12:39:12.3629662Z e: file:///home/runner/work/GmsCore/GmsCore/play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2RegularService.kt:107:66 Unresolved reference: onTransact

[p1gp1g]

Sorry again, I'll take the time to do it properly this weekend --'

[p1gp1g]

I don't know why the CI fails. Is there a cache or something ?

An app using the lib can now communicate with PlayServices for the regular functions. I have tested it until the Play Services failed because of missing authorization server side (the demo I used don't have assetslinks.json). I have to test a proper login tomorrow, with a service I will host.

[ale5000-git]

@p1gp1g

These are the errors:

e: play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2AppService.kt:56:57 Cannot weaken access privilege 'public' for 'lifecycle' in 'LifecycleOwner'
e: play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2AppService.kt:56:69 'lifecycle' hides member of supertype 'LifecycleOwner' and needs 'override' modifier
e: play-services-fido/core/src/main/kotlin/org/microg/gms/fido/core/regular/Fido2AppService.kt:97:5 'getLifecycle' overrides nothing

[ale5000-git]

I don't know it too much but I think this type of code is deprecated, look at the changes here: 48e0b00#diff-09c7aa118b786f685aa2ead8f15b3824e83a97235b82f5bec93357f0d8959ee3L85

[p1gp1g]

@ale5000-git Thanks I've rebased the branch & updated the code for the lifecycle

[p1gp1g]

Well, after some tests, it doesn't work from this microg fido library (this PR) to the Google Play services.

I don't have a test phone with me atm with signature spoofing to try from GPlay lib to microG. This app makes it easy to test: https://github.com/android/codelab-fido2 . Does someone wants to try ?

I don't have all the internal microG/play services in mind, so help is welcomed. I have observed this difference, I don't know if that's relevant:

with microg lib

BoundBrokerSvc          com.google.android.gms               D  onBind: Intent { act=com.google.android.gms.fido.fido2.regular.START pkg=com.google.android.gms }
BoundBrokerSvc          com.google.android.gms               D  Loading bound service for intent: Intent { act=com.google.android.gms.fido.fido2.regular.START pkg=com.google.android.gms }

with gplay lib

BoundBrokerSvc          com.google.android.gms.persistent    D  onBind: Intent { act=com.google.android.gms.phenotype.service.START dat=chimera-action:/... cmp=com.google.android.gms/.chimera.PersistentApiService }
BoundBrokerSvc          com.google.android.gms.persistent    D  Loading bound service for intent: Intent { act=com.google.android.gms.phenotype.service.START dat=chimera-action:/... cmp=com.google.android.gms/.chimera.PersistentApiService }


BoundBrokerSvc          com.google.android.gms               D  onBind: Intent { act=com.google.android.gms.fido.credentialstore.internal_service.START dat=chimera-action:/... cmp=com.google.android.gms/.chimera.GmsInternalApiService }
BoundBrokerSvc          com.google.android.gms               D  Loading bound service for intent: Intent { act=com.google.android.gms.fido.credentialstore.internal_service.START dat=chimera-action:/... cmp=com.google.android.gms/.chimera.GmsInternalApiService }
[...]

[mar-v-in]

@p1gp1g have you been testing on Android 14? FIDO/Passkeys works entirely different since Android 14 and microG's implementation is currently not fully compatible with the Android 14 APIs.

[p1gp1g]

This check was on Android 13.

[Edit: I said it was on Android 14 but no the last check, sorry]