feat: Support AAGUID for PassKey devices (#3508)

<!-- Make sure you talk to us before submitting changes. See
CONTRIBUTING.md. -->

# Motivation

Store AAGUID for passkey devices in order to remind users where a
particular passkey is coming from.

# Changes

* Added API field AuthnMethod.aaguid.
* Extended the Device layout to store 16 bytes per passkey `aaguid`.
* Since `aaguid` is an optional filed (both in the API and storage), we
benefit from Candid type compatibility.

# Tests

<!-- Please provide any information or screenshots about the tests that
have been done -->






<!-- SCREENSHOTS REPORT START -->

<!-- SCREENSHOTS REPORT STOP -->

Author: aterga

src/frontend/src/lib/flows/migrationFlow.svelte.ts

@@ -152,6 +152,7 @@ export class MigrationFlow {
                 new Uint8Array(passkeyIdentity.getPublicKey().toDer()),
               ),
               credential_id: Array.from(new Uint8Array(credentialId)),
+              aaguid: [],
             },
           },
         })

src/frontend/src/lib/generated/internet_identity_idl.js

@@ -97,6 +97,7 @@ export const idlFactory = ({ IDL }) => {
     'protection' : DeviceProtection,
     'pubkey' : DeviceKey,
     'key_type' : KeyType,
+    'aaguid' : IDL.Opt(IDL.Vec(IDL.Nat8)),
     'purpose' : Purpose,
     'credential_id' : IDL.Opt(CredentialId),
   });
@@ -137,6 +138,7 @@ export const idlFactory = ({ IDL }) => {
   const PublicKeyAuthn = IDL.Record({ 'pubkey' : PublicKey });
   const WebAuthn = IDL.Record({
     'pubkey' : PublicKey,
+    'aaguid' : IDL.Opt(IDL.Vec(IDL.Nat8)),
     'credential_id' : CredentialId,
   });
   const AuthnMethod = IDL.Variant({
@@ -273,6 +275,7 @@ export const idlFactory = ({ IDL }) => {
     'protection' : DeviceProtection,
     'pubkey' : DeviceKey,
     'key_type' : KeyType,
+    'aaguid' : IDL.Opt(IDL.Vec(IDL.Nat8)),
     'purpose' : Purpose,
     'credential_id' : IDL.Opt(CredentialId),
   });

src/frontend/src/lib/generated/internet_identity_types.d.ts

@@ -347,6 +347,7 @@ export interface DeviceData {
   'protection' : DeviceProtection,
   'pubkey' : DeviceKey,
   'key_type' : KeyType,
+  'aaguid' : [] | [Uint8Array | number[]],
   'purpose' : Purpose,
   'credential_id' : [] | [CredentialId],
 }
@@ -394,6 +395,7 @@ export interface DeviceWithUsage {
   'protection' : DeviceProtection,
   'pubkey' : DeviceKey,
   'key_type' : KeyType,
+  'aaguid' : [] | [Uint8Array | number[]],
   'purpose' : Purpose,
   'credential_id' : [] | [CredentialId],
 }
@@ -952,6 +954,10 @@ export type VerifyTentativeDeviceResponse = {
  */
 export interface WebAuthn {
   'pubkey' : PublicKey,
+  /**
+   * Authenticator Attestation Global Unique Identifier (AAGUID)
+   */
+  'aaguid' : [] | [Uint8Array | number[]],
   'credential_id' : CredentialId,
 }
 export interface WebAuthnCredential {

src/frontend/src/lib/legacy/flows/addDevice/welcomeView/registerTentativeDevice.ts

@@ -92,6 +92,7 @@ export const registerTentativeDevice = async (
       ),
       purpose: { authentication: null },
       credential_id: [Array.from(new Uint8Array(result.rawId))],
+      aaguid: [],
       metadata: [],
     };
   const addResponse = await addTentativeDevice({

src/frontend/src/lib/legacy/flows/manage/devicesFromDevicesWithUsage.test.ts

@@ -39,6 +39,7 @@ describe("devicesFromDevicesWithUsage", () => {
     key_type: { platform: null },
     purpose: { authentication: null },
     credential_id: [],
+    aaguid: [],
   });
 
   describe("domains compatibility flag disabled", () => {

src/frontend/src/lib/legacy/flows/manage/migration.test.ts

@@ -11,6 +11,7 @@ const recoveryPhrase: DeviceData = {
   key_type: { seed_phrase: null },
   purpose: { recovery: null },
   credential_id: [],
+  aaguid: [],
   metadata: [],
 };
 
@@ -23,6 +24,7 @@ const authenticator: DeviceData = {
   key_type: { unknown: null },
   purpose: { authentication: null },
   credential_id: [],
+  aaguid: [],
   metadata: [],
 };
 

src/frontend/src/lib/legacy/flows/recovery/recoveryWizard.test.ts

@@ -20,6 +20,7 @@ const recoveryPhrase: Omit<DeviceData, "alias"> = {
   key_type: { seed_phrase: null },
   purpose: { recovery: null },
   credential_id: [],
+  aaguid: [],
   metadata: [],
 };
 
@@ -31,6 +32,7 @@ const device: Omit<DeviceData, "alias"> = {
   key_type: { unknown: null },
   purpose: { authentication: null },
   credential_id: [],
+  aaguid: [],
   metadata: [],
 };
 
@@ -42,6 +44,7 @@ const recoveryDevice: Omit<DeviceData, "alias"> = {
   key_type: { cross_platform: null },
   purpose: { recovery: null },
   credential_id: [Uint8Array.from([0, 0, 0, 0, 0])],
+  aaguid: [],
 };
 
 const oneDeviceOnly: Omit<DeviceData, "alias">[] = [device];

src/frontend/src/lib/utils/accessMethods.test.ts

@@ -67,7 +67,11 @@ const makeAuthnMethodWithOrigin = (origin?: string): AuthnMethodData => {
     },
     metadata,
     authn_method: {
-      WebAuthn: { pubkey: new Uint8Array(), credential_id: new Uint8Array() },
+      WebAuthn: {
+        pubkey: new Uint8Array(),
+        credential_id: new Uint8Array(),
+        aaguid: [],
+      },
     },
   } as AuthnMethodData;
 };
@@ -260,7 +264,11 @@ describe("getOrigin", () => {
       },
       metadata: [],
       authn_method: {
-        WebAuthn: { pubkey: new Uint8Array(), credential_id: new Uint8Array() },
+        WebAuthn: {
+          pubkey: new Uint8Array(),
+          credential_id: new Uint8Array(),
+          aaguid: [],
+        },
       },
     } as AuthnMethodData;
     expect(getOrigin(method)).toBeUndefined();
@@ -276,7 +284,11 @@ describe("getOrigin", () => {
       },
       metadata: [["origin", { Bytes: [1, 2, 3] }]],
       authn_method: {
-        WebAuthn: { pubkey: new Uint8Array(), credential_id: new Uint8Array() },
+        WebAuthn: {
+          pubkey: new Uint8Array(),
+          credential_id: new Uint8Array(),
+          aaguid: [],
+        },
       },
     } as AuthnMethodData;
     expect(getOrigin(method)).toBeUndefined();
@@ -362,7 +374,11 @@ describe("isLegacyAuthnMethod", () => {
       },
       metadata,
       authn_method: {
-        WebAuthn: { pubkey: new Uint8Array(), credential_id: new Uint8Array() },
+        WebAuthn: {
+          pubkey: new Uint8Array(),
+          credential_id: new Uint8Array(),
+          aaguid: [],
+        },
       },
     } as AuthnMethodData;
   };
@@ -477,6 +493,7 @@ describe("isSameAccessMethod", () => {
         WebAuthn: {
           pubkey: new Uint8Array(pubkeyBytes),
           credential_id: new Uint8Array([1, 2, 3]),
+          aaguid: [],
         },
       },
     } as AuthnMethodData;

src/frontend/src/lib/utils/authnMethodData.ts

@@ -69,6 +69,7 @@ export const passkeyAuthnMethodData = ({
       WebAuthn: {
         pubkey: new Uint8Array(pubKey),
         credential_id: new Uint8Array(credentialId),
+        aaguid: [],
       },
     },
     security_settings: defaultSecuritySettings(),

src/frontend/src/lib/utils/credential-devices.test.ts

@@ -13,6 +13,7 @@ describe("credetial-devices test", () => {
       key_type: { unknown: null },
       purpose: { authentication: null },
       credential_id: [],
+      aaguid: [],
       metadata: [],
     });