chrome/browser/resources/cryptotoken/webrequest.js - platform/external/chromium_org - Git at Google

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 /**
  * @fileoverview Does common handling for requests coming from web pages and
  * routes them to the provided handler.
  */

 /**
  * Gets the scheme + origin from a web url.
  * @param {string} url Input url
  * @return {?string} Scheme and origin part if url parses
  */
 function getOriginFromUrl(url) {
   var re = new RegExp('^(https?://)[^/]*/?');
   var originarray = re.exec(url);
   if (originarray == null) return originarray;
   var origin = originarray[0];
   while (origin.charAt(origin.length - 1) == '/') {
     origin = origin.substring(0, origin.length - 1);
   }
   if (origin == 'http:' || origin == 'https:')
     return null;
   return origin;
 }

 /**
  * Parses the text as JSON and returns it as an array of strings.
  * @param {string} text Input JSON
  * @return {Array.<string>} Array of origins
  */
 function getOriginsFromJson(text) {
   try {
     var urls = JSON.parse(text);
     var origins = [];
     for (var i = 0, url; url = urls[i]; i++) {
       var origin = getOriginFromUrl(url);
       if (origin)
         origins.push(origin);
     }
     return origins;
   } catch (e) {
     console.log(UTIL_fmt('could not parse ' + text));
     return [];
   }
 }

 /**
  * Fetches the app id, and calls a callback with list of allowed origins for it.
  * @param {string} appId the app id to fetch.
  * @param {Function} cb called with a list of allowed origins for the app id.
  */
 function fetchAppId(appId, cb) {
   var origin = getOriginFromUrl(appId);
   if (!origin) {
     cb(404, appId);
     return;
   }
   var xhr = new XMLHttpRequest();
   var origins = [];
   xhr.open('GET', appId, true);
   xhr.onloadend = function() {
     if (xhr.status != 200) {
       cb(xhr.status, appId);
       return;
     }
     cb(xhr.status, appId, getOriginsFromJson(xhr.responseText));
   };
   xhr.send();
 }

 /**
  * Retrieves a set of distinct app ids from the SignData.
  * @param {SignData=} signData Input signature data
  * @return {Array.<string>} array of distinct app ids.
  */
 function getDistinctAppIds(signData) {
   var appIds = [];
   if (!signData) {
     return appIds;
   }
   for (var i = 0, request; request = signData[i]; i++) {
     var appId = request['appId'];
     if (appId && appIds.indexOf(appId) == -1) {
       appIds.push(appId);
     }
   }
   return appIds;
 }

 /**
  * Reorganizes the requests from the SignData to an array of
  * (appId, [Request]) tuples.
  * @param {SignData} signData Input signature data
  * @return {Array.<[string, Array.<Request>]>} array of
  *     (appId, [Request]) tuples.
  */
 function requestsByAppId(signData) {
   var requests = {};
   var appIdOrder = {};
   var orderToAppId = {};
   var lastOrder = 0;
   for (var i = 0, request; request = signData[i]; i++) {
     var appId = request['appId'];
     if (appId) {
       if (!appIdOrder.hasOwnProperty(appId)) {
         appIdOrder[appId] = lastOrder;
         orderToAppId[lastOrder] = appId;
         lastOrder++;
       }
       if (requests[appId]) {
         requests[appId].push(request);
       } else {
         requests[appId] = [request];
       }
     }
   }
   var orderedRequests = [];
   for (var order = 0; order < lastOrder; order++) {
     appId = orderToAppId[order];
     orderedRequests.push([appId, requests[appId]]);
   }
   return orderedRequests;
 }

 /**
  * Fetches the allowed origins for an appId.
  * @param {string} appId Application id
  * @param {boolean} allowHttp Whether http is a valid scheme for an appId.
  *     (This should be false except on test domains.)
  * @param {function(number, !Array.<string>)} cb Called back with an HTTP
  *     response code and a list of allowed origins for appId.
  */
 function fetchAllowedOriginsForAppId(appId, allowHttp, cb) {
   var allowedOrigins = [];
   if (!appId) {
     cb(200, allowedOrigins);
     return;
   }
   if (appId.indexOf('http://') == 0 && !allowHttp) {
     console.log(UTIL_fmt('http app ids disallowed, ' + appId + ' requested'));
     cb(200, allowedOrigins);
     return;
   }
   // TODO: hack for old enrolled gnubbies, don't treat
   // accounts.google.com/login.corp.google.com specially when cryptauth server
   // stops reporting them as appId.
   if (appId == 'https://accounts.google.com') {
     allowedOrigins = ['https://login.corp.google.com'];
     cb(200, allowedOrigins);
     return;
   }
   if (appId == 'https://login.corp.google.com') {
     allowedOrigins = ['https://accounts.google.com'];
     cb(200, allowedOrigins);
     return;
   }
   // Termination of this function relies in fetchAppId completing.
   // (Not completing would be a bug in XMLHttpRequest.)
   // TODO: provide a termination guarantee, e.g. with a timer?
   fetchAppId(appId, function(rc, fetchedAppId, origins) {
     if (rc != 200) {
       console.log(UTIL_fmt('fetching ' + fetchedAppId + ' failed: ' + rc));
       allowedOrigins = [];
     } else {
       allowedOrigins = origins;
     }
     cb(rc, allowedOrigins);
   });
 }

 /**
  * Checks whether an appId is valid for a given origin.
  * @param {!string} appId Application id
  * @param {!string} origin Origin
  * @param {!Array.<string>} allowedOrigins the list of allowed origins for each
  *    appId.
  * @return {boolean} whether the appId is allowed for the origin.
  */
 function isValidAppIdForOrigin(appId, origin, allowedOrigins) {
   if (!appId)
     return false;
   if (appId == origin) {
     // trivially allowed
     return true;
   }
   if (!allowedOrigins)
     return false;
   return allowedOrigins.indexOf(origin) >= 0;
 }

 /**
  * Returns whether the signData object appears to be valid.
  * @param {Array.<Object>} signData the signData object.
  * @return {boolean} whether the object appears valid.
  */
 function isValidSignData(signData) {
   for (var i = 0; i < signData.length; i++) {
     var incomingChallenge = signData[i];
     if (!incomingChallenge.hasOwnProperty('challenge'))
       return false;
     if (!incomingChallenge.hasOwnProperty('appId')) {
       return false;
     }
     if (!incomingChallenge.hasOwnProperty('keyHandle'))
       return false;
     if (incomingChallenge['version']) {
       if (incomingChallenge['version'] != 'U2F_V1' &&
           incomingChallenge['version'] != 'U2F_V2') {
         return false;
       }
     }
   }
   return true;
 }

 /** Posts the log message to the log url.
  * @param {string} logMsg the log message to post.
  * @param {string=} opt_logMsgUrl the url to post log messages to.
  */
 function logMessage(logMsg, opt_logMsgUrl) {
   console.log(UTIL_fmt('logMessage("' + logMsg + '")'));

   if (!opt_logMsgUrl) {
     return;
   }
   // Image fetching is not allowed per packaged app CSP.
   // But video and audio is.
   var audio = new Audio();
   audio.src = opt_logMsgUrl + logMsg;
 }

 /**
  * Logs the result of fetching an appId.
  * @param {!string} appId Application Id
  * @param {number} millis elapsed time while fetching the appId.
  * @param {Array.<string>} allowedOrigins the allowed origins retrieved.
  * @param {string=} opt_logMsgUrl the url to post log messages to.
  */
 function logFetchAppIdResult(appId, millis, allowedOrigins, opt_logMsgUrl) {
   var logMsg = 'log=fetchappid&appid=' + appId + '&millis=' + millis +
       '&numorigins=' + allowedOrigins.length;
   logMessage(logMsg, opt_logMsgUrl);
 }

 /**
  * Logs a mismatch between an origin and an appId.
  * @param {string} origin Origin
  * @param {!string} appId Application id
  * @param {string=} opt_logMsgUrl the url to post log messages to
  */
 function logInvalidOriginForAppId(origin, appId, opt_logMsgUrl) {
   var logMsg = 'log=originrejected&origin=' + origin + '&appid=' + appId;
   logMessage(logMsg, opt_logMsgUrl);
 }

 /**
  * Formats response parameters as an object.
  * @param {string} type type of the post message.
  * @param {number} code status code of the operation.
  * @param {Object=} responseData the response data of the operation.
  * @return {Object} formatted response.
  */
 function formatWebPageResponse(type, code, responseData) {
   var responseJsonObject = {};
   responseJsonObject['type'] = type;
   responseJsonObject['code'] = code;
   if (responseData)
     responseJsonObject['responseData'] = responseData;
   return responseJsonObject;
 }

 /**
  * @param {!string} string Input string
  * @return {Array.<number>} SHA256 hash value of string.
  */
 function sha256HashOfString(string) {
   var s = new SHA256();
   s.update(UTIL_StringToBytes(string));
   return s.digest();
 }

 /**
  * Normalizes the TLS channel ID value:
  * 1. Converts semantically empty values (undefined, null, 0) to the empty
  *     string.
  * 2. Converts valid JSON strings to a JS object.
  * 3. Otherwise, returns the input value unmodified.
  * @param {Object|string|undefined} opt_tlsChannelId TLS Channel id
  * @return {Object|string} The normalized TLS channel ID value.
  */
 function tlsChannelIdValue(opt_tlsChannelId) {
   if (!opt_tlsChannelId) {
     // Case 1: Always set some value for  TLS channel ID, even if it's the empty
     // string: this browser definitely supports them.
     return '';
   }
   if (typeof opt_tlsChannelId === 'string') {
     try {
       var obj = JSON.parse(opt_tlsChannelId);
       if (!obj) {
         // Case 1: The string value 'null' parses as the Javascript object null,
         // so return an empty string: the browser definitely supports TLS
         // channel id.
         return '';
       }
       // Case 2: return the value as a JS object.
       return /** @type {Object} */ (obj);
     } catch (e) {
       console.warn('Unparseable TLS channel ID value ' + opt_tlsChannelId);
       // Case 3: return the value unmodified.
     }
   }
   return opt_tlsChannelId;
 }

 /**
  * Creates a browser data object with the given values.
  * @param {!string} type A string representing the "type" of this browser data
  *     object.
  * @param {!string} serverChallenge The server's challenge, as a base64-
  *     encoded string.
  * @param {!string} origin The server's origin, as seen by the browser.
  * @param {Object|string|undefined} opt_tlsChannelId TLS Channel Id
  * @return {string} A string representation of the browser data object.
  */
 function makeBrowserData(type, serverChallenge, origin, opt_tlsChannelId) {
   var browserData = {
     'typ' : type,
     'challenge' : serverChallenge,
     'origin' : origin
   };
   browserData['cid_pubkey'] = tlsChannelIdValue(opt_tlsChannelId);
   return JSON.stringify(browserData);
 }

 /**
  * Creates a browser data object for an enroll request with the given values.
  * @param {!string} serverChallenge The server's challenge, as a base64-
  *     encoded string.
  * @param {!string} origin The server's origin, as seen by the browser.
  * @param {Object|string|undefined} opt_tlsChannelId TLS Channel Id
  * @return {string} A string representation of the browser data object.
  */
 function makeEnrollBrowserData(serverChallenge, origin, opt_tlsChannelId) {
   return makeBrowserData(
       'navigator.id.finishEnrollment', serverChallenge, origin,
       opt_tlsChannelId);
 }

 /**
  * Creates a browser data object for a sign request with the given values.
  * @param {!string} serverChallenge The server's challenge, as a base64-
  *     encoded string.
  * @param {!string} origin The server's origin, as seen by the browser.
  * @param {Object|string|undefined} opt_tlsChannelId TLS Channel Id
  * @return {string} A string representation of the browser data object.
  */
 function makeSignBrowserData(serverChallenge, origin, opt_tlsChannelId) {
   return makeBrowserData(
       'navigator.id.getAssertion', serverChallenge, origin, opt_tlsChannelId);
 }

 /**
  * @param {string} browserData Browser data as JSON
  * @param {string} appId Application Id
  * @param {string} encodedKeyHandle B64 encoded key handle
  * @param {string=} version Protocol version
  * @return {SignHelperChallenge} Challenge object
  */
 function makeChallenge(browserData, appId, encodedKeyHandle, version) {
   var appIdHash = B64_encode(sha256HashOfString(appId));
   var browserDataHash = B64_encode(sha256HashOfString(browserData));
   var keyHandle = encodedKeyHandle;

   var challenge = {
     'challengeHash': browserDataHash,
     'appIdHash': appIdHash,
     'keyHandle': keyHandle
   };
   // Version is implicitly U2F_V1 if not specified.
   challenge['version'] = (version || 'U2F_V1');
   return challenge;
 }
	// Copyright 2014 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	/**
	* @fileoverview Does common handling for requests coming from web pages and
	* routes them to the provided handler.
	*/

	/**
	* Gets the scheme + origin from a web url.
	* @param {string} url Input url
	* @return {?string} Scheme and origin part if url parses
	*/
	function getOriginFromUrl(url) {
	var re = new RegExp('^(https?://)[^/]*/?');
	var originarray = re.exec(url);
	if (originarray == null) return originarray;
	var origin = originarray[0];
	while (origin.charAt(origin.length - 1) == '/') {
	origin = origin.substring(0, origin.length - 1);
	}
	if (origin == 'http:' \|\| origin == 'https:')
	return null;
	return origin;
	}

	/**
	* Parses the text as JSON and returns it as an array of strings.
	* @param {string} text Input JSON
	* @return {Array.<string>} Array of origins
	*/
	function getOriginsFromJson(text) {
	try {
	var urls = JSON.parse(text);
	var origins = [];
	for (var i = 0, url; url = urls[i]; i++) {
	var origin = getOriginFromUrl(url);
	if (origin)
	origins.push(origin);
	}
	return origins;
	} catch (e) {
	console.log(UTIL_fmt('could not parse ' + text));
	return [];
	}
	}

	/**
	* Fetches the app id, and calls a callback with list of allowed origins for it.
	* @param {string} appId the app id to fetch.
	* @param {Function} cb called with a list of allowed origins for the app id.
	*/
	function fetchAppId(appId, cb) {
	var origin = getOriginFromUrl(appId);
	if (!origin) {
	cb(404, appId);
	return;
	}
	var xhr = new XMLHttpRequest();
	var origins = [];
	xhr.open('GET', appId, true);
	xhr.onloadend = function() {
	if (xhr.status != 200) {
	cb(xhr.status, appId);
	return;
	}
	cb(xhr.status, appId, getOriginsFromJson(xhr.responseText));
	};
	xhr.send();
	}

	/**
	* Retrieves a set of distinct app ids from the SignData.
	* @param {SignData=} signData Input signature data
	* @return {Array.<string>} array of distinct app ids.
	*/
	function getDistinctAppIds(signData) {
	var appIds = [];
	if (!signData) {
	return appIds;
	}
	for (var i = 0, request; request = signData[i]; i++) {
	var appId = request['appId'];
	if (appId && appIds.indexOf(appId) == -1) {
	appIds.push(appId);
	}
	}
	return appIds;
	}

	/**
	* Reorganizes the requests from the SignData to an array of
	* (appId, [Request]) tuples.
	* @param {SignData} signData Input signature data
	* @return {Array.<[string, Array.<Request>]>} array of
	* (appId, [Request]) tuples.
	*/
	function requestsByAppId(signData) {
	var requests = {};
	var appIdOrder = {};
	var orderToAppId = {};
	var lastOrder = 0;
	for (var i = 0, request; request = signData[i]; i++) {
	var appId = request['appId'];
	if (appId) {
	if (!appIdOrder.hasOwnProperty(appId)) {
	appIdOrder[appId] = lastOrder;
	orderToAppId[lastOrder] = appId;
	lastOrder++;
	}
	if (requests[appId]) {
	requests[appId].push(request);
	} else {
	requests[appId] = [request];
	}
	}
	}
	var orderedRequests = [];
	for (var order = 0; order < lastOrder; order++) {
	appId = orderToAppId[order];
	orderedRequests.push([appId, requests[appId]]);
	}
	return orderedRequests;
	}

	/**
	* Fetches the allowed origins for an appId.
	* @param {string} appId Application id
	* @param {boolean} allowHttp Whether http is a valid scheme for an appId.
	* (This should be false except on test domains.)
	* @param {function(number, !Array.<string>)} cb Called back with an HTTP
	* response code and a list of allowed origins for appId.
	*/
	function fetchAllowedOriginsForAppId(appId, allowHttp, cb) {
	var allowedOrigins = [];
	if (!appId) {
	cb(200, allowedOrigins);
	return;
	}
	if (appId.indexOf('http://') == 0 && !allowHttp) {
	console.log(UTIL_fmt('http app ids disallowed, ' + appId + ' requested'));
	cb(200, allowedOrigins);
	return;
	}
	// TODO: hack for old enrolled gnubbies, don't treat
	// accounts.google.com/login.corp.google.com specially when cryptauth server
	// stops reporting them as appId.
	if (appId == 'https://accounts.google.com') {
	allowedOrigins = ['https://login.corp.google.com'];
	cb(200, allowedOrigins);
	return;
	}
	if (appId == 'https://login.corp.google.com') {
	allowedOrigins = ['https://accounts.google.com'];
	cb(200, allowedOrigins);
	return;
	}
	// Termination of this function relies in fetchAppId completing.
	// (Not completing would be a bug in XMLHttpRequest.)
	// TODO: provide a termination guarantee, e.g. with a timer?
	fetchAppId(appId, function(rc, fetchedAppId, origins) {
	if (rc != 200) {
	console.log(UTIL_fmt('fetching ' + fetchedAppId + ' failed: ' + rc));
	allowedOrigins = [];
	} else {
	allowedOrigins = origins;
	}
	cb(rc, allowedOrigins);
	});
	}

	/**
	* Checks whether an appId is valid for a given origin.
	* @param {!string} appId Application id
	* @param {!string} origin Origin
	* @param {!Array.<string>} allowedOrigins the list of allowed origins for each
	* appId.
	* @return {boolean} whether the appId is allowed for the origin.
	*/
	function isValidAppIdForOrigin(appId, origin, allowedOrigins) {
	if (!appId)
	return false;
	if (appId == origin) {
	// trivially allowed
	return true;
	}
	if (!allowedOrigins)
	return false;
	return allowedOrigins.indexOf(origin) >= 0;
	}

	/**
	* Returns whether the signData object appears to be valid.
	* @param {Array.<Object>} signData the signData object.
	* @return {boolean} whether the object appears valid.
	*/
	function isValidSignData(signData) {
	for (var i = 0; i < signData.length; i++) {
	var incomingChallenge = signData[i];
	if (!incomingChallenge.hasOwnProperty('challenge'))
	return false;
	if (!incomingChallenge.hasOwnProperty('appId')) {
	return false;
	}
	if (!incomingChallenge.hasOwnProperty('keyHandle'))
	return false;
	if (incomingChallenge['version']) {
	if (incomingChallenge['version'] != 'U2F_V1' &&
	incomingChallenge['version'] != 'U2F_V2') {
	return false;
	}
	}
	}
	return true;
	}

	/** Posts the log message to the log url.
	* @param {string} logMsg the log message to post.
	* @param {string=} opt_logMsgUrl the url to post log messages to.
	*/
	function logMessage(logMsg, opt_logMsgUrl) {
	console.log(UTIL_fmt('logMessage("' + logMsg + '")'));

	if (!opt_logMsgUrl) {
	return;
	}
	// Image fetching is not allowed per packaged app CSP.
	// But video and audio is.
	var audio = new Audio();
	audio.src = opt_logMsgUrl + logMsg;
	}

	/**
	* Logs the result of fetching an appId.
	* @param {!string} appId Application Id
	* @param {number} millis elapsed time while fetching the appId.
	* @param {Array.<string>} allowedOrigins the allowed origins retrieved.
	* @param {string=} opt_logMsgUrl the url to post log messages to.
	*/
	function logFetchAppIdResult(appId, millis, allowedOrigins, opt_logMsgUrl) {
	var logMsg = 'log=fetchappid&appid=' + appId + '&millis=' + millis +
	'&numorigins=' + allowedOrigins.length;
	logMessage(logMsg, opt_logMsgUrl);
	}

	/**
	* Logs a mismatch between an origin and an appId.
	* @param {string} origin Origin
	* @param {!string} appId Application id
	* @param {string=} opt_logMsgUrl the url to post log messages to
	*/
	function logInvalidOriginForAppId(origin, appId, opt_logMsgUrl) {
	var logMsg = 'log=originrejected&origin=' + origin + '&appid=' + appId;
	logMessage(logMsg, opt_logMsgUrl);
	}

	/**
	* Formats response parameters as an object.
	* @param {string} type type of the post message.
	* @param {number} code status code of the operation.
	* @param {Object=} responseData the response data of the operation.
	* @return {Object} formatted response.
	*/
	function formatWebPageResponse(type, code, responseData) {
	var responseJsonObject = {};
	responseJsonObject['type'] = type;
	responseJsonObject['code'] = code;
	if (responseData)
	responseJsonObject['responseData'] = responseData;
	return responseJsonObject;
	}

	/**
	* @param {!string} string Input string
	* @return {Array.<number>} SHA256 hash value of string.
	*/
	function sha256HashOfString(string) {
	var s = new SHA256();
	s.update(UTIL_StringToBytes(string));
	return s.digest();
	}

	/**
	* Normalizes the TLS channel ID value:
	* 1. Converts semantically empty values (undefined, null, 0) to the empty
	* string.
	* 2. Converts valid JSON strings to a JS object.
	* 3. Otherwise, returns the input value unmodified.
	* @param {Object\|string\|undefined} opt_tlsChannelId TLS Channel id
	* @return {Object\|string} The normalized TLS channel ID value.
	*/
	function tlsChannelIdValue(opt_tlsChannelId) {
	if (!opt_tlsChannelId) {
	// Case 1: Always set some value for TLS channel ID, even if it's the empty
	// string: this browser definitely supports them.
	return '';
	}
	if (typeof opt_tlsChannelId === 'string') {
	try {
	var obj = JSON.parse(opt_tlsChannelId);
	if (!obj) {
	// Case 1: The string value 'null' parses as the Javascript object null,
	// so return an empty string: the browser definitely supports TLS
	// channel id.
	return '';
	}
	// Case 2: return the value as a JS object.
	return /** @type {Object} */ (obj);
	} catch (e) {
	console.warn('Unparseable TLS channel ID value ' + opt_tlsChannelId);
	// Case 3: return the value unmodified.
	}
	}
	return opt_tlsChannelId;
	}

	/**
	* Creates a browser data object with the given values.
	* @param {!string} type A string representing the "type" of this browser data
	* object.
	* @param {!string} serverChallenge The server's challenge, as a base64-
	* encoded string.
	* @param {!string} origin The server's origin, as seen by the browser.
	* @param {Object\|string\|undefined} opt_tlsChannelId TLS Channel Id
	* @return {string} A string representation of the browser data object.
	*/
	function makeBrowserData(type, serverChallenge, origin, opt_tlsChannelId) {
	var browserData = {
	'typ' : type,
	'challenge' : serverChallenge,
	'origin' : origin
	};
	browserData['cid_pubkey'] = tlsChannelIdValue(opt_tlsChannelId);
	return JSON.stringify(browserData);
	}

	/**
	* Creates a browser data object for an enroll request with the given values.
	* @param {!string} serverChallenge The server's challenge, as a base64-
	* encoded string.
	* @param {!string} origin The server's origin, as seen by the browser.
	* @param {Object\|string\|undefined} opt_tlsChannelId TLS Channel Id
	* @return {string} A string representation of the browser data object.
	*/
	function makeEnrollBrowserData(serverChallenge, origin, opt_tlsChannelId) {
	return makeBrowserData(
	'navigator.id.finishEnrollment', serverChallenge, origin,
	opt_tlsChannelId);
	}

	/**
	* Creates a browser data object for a sign request with the given values.
	* @param {!string} serverChallenge The server's challenge, as a base64-
	* encoded string.
	* @param {!string} origin The server's origin, as seen by the browser.
	* @param {Object\|string\|undefined} opt_tlsChannelId TLS Channel Id
	* @return {string} A string representation of the browser data object.
	*/
	function makeSignBrowserData(serverChallenge, origin, opt_tlsChannelId) {
	return makeBrowserData(
	'navigator.id.getAssertion', serverChallenge, origin, opt_tlsChannelId);
	}

	/**
	* @param {string} browserData Browser data as JSON
	* @param {string} appId Application Id
	* @param {string} encodedKeyHandle B64 encoded key handle
	* @param {string=} version Protocol version
	* @return {SignHelperChallenge} Challenge object
	*/
	function makeChallenge(browserData, appId, encodedKeyHandle, version) {
	var appIdHash = B64_encode(sha256HashOfString(appId));
	var browserDataHash = B64_encode(sha256HashOfString(browserData));
	var keyHandle = encodedKeyHandle;

	var challenge = {
	'challengeHash': browserDataHash,
	'appIdHash': appIdHash,
	'keyHandle': keyHandle
	};
	// Version is implicitly U2F_V1 if not specified.
	challenge['version'] = (version \|\| 'U2F_V1');
	return challenge;
	}