Title: [295506] trunk/Source
- Revision
- 295506
- Author
- j_pas...@apple.com
- Date
- 2022-06-13 17:21:10 -0700 (Mon, 13 Jun 2022)
Log Message
[WebAuthn] CTAP2_ERR_USER_ACTION_TIMEOUT isn't handled properly
https://bugs.webkit.org/show_bug.cgi?id=241565
rdar://95040155
Reviewed by Brent Fulgham.
Authenticators will time out operations after so many seconds of
waiting for user interaction, returning an error of
CTAP2_ERR_USER_ACTION_TIMEOUT. This patch handles that error
by reissuing the request, instead of letting it go to U2F fallback
and failing there with "no credentials found."
Tested with a Yubikey 5c.
* Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp:
(fido::isCtapDeviceResponseCode):
* Source/WebCore/Modules/webauthn/fido/FidoConstants.h:
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived):
(WebKit::CtapAuthenticator::continueGetAssertionAfterResponseReceived):
Canonical link: https://commits.webkit.org/251511@main
Modified Paths
Diff
Modified: trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp (295505 => 295506)
--- trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp 2022-06-13 23:42:46 UTC (rev 295505)
+++ trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp 2022-06-14 00:21:10 UTC (rev 295506)
@@ -82,6 +82,7 @@
case CtapDeviceResponseCode::kCtap2ErrPinPolicyViolation:
case CtapDeviceResponseCode::kCtap2ErrPinTokenExpired:
case CtapDeviceResponseCode::kCtap2ErrRequestTooLarge:
+ case CtapDeviceResponseCode::kCtap2ErrActionTimeout:
case CtapDeviceResponseCode::kCtap2ErrOther:
case CtapDeviceResponseCode::kCtap2ErrSpecLast:
case CtapDeviceResponseCode::kCtap2ErrExtensionFirst:
Modified: trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.h (295505 => 295506)
--- trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.h 2022-06-13 23:42:46 UTC (rev 295505)
+++ trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.h 2022-06-14 00:21:10 UTC (rev 295506)
@@ -98,6 +98,7 @@
kCtap2ErrPinPolicyViolation = 0x37,
kCtap2ErrPinTokenExpired = 0x38,
kCtap2ErrRequestTooLarge = 0x39,
+ kCtap2ErrActionTimeout = 0x3A,
kCtap2ErrOther = 0x7F,
kCtap2ErrSpecLast = 0xDF,
kCtap2ErrExtensionFirst = 0xE0,
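Review bot: The new enumerator `kCtap2ErrActionTimeout = 0x3A` corresponds to CTAP2_ERR_ACTION_TIMEOUT in the CTAP status-code table, whereas the log message names CTAP2_ERR_USER_ACTION_TIMEOUT, which the same table lists as 0x2F. A one-line comment on the enumerator, for example `// CTAP2_ERR_ACTION_TIMEOUT (0x3A): the current operation has timed out`, would record which code is meant. Whether 0x2F is already declared is not visible here, because the enum begins and ends outside the hunk. If authenticators can return either code, the retry logic in CtapAuthenticator.cpp probably needs to treat both the same way.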
Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp (295505 => 295506)
--- trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp 2022-06-13 23:42:46 UTC (rev 295505)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp 2022-06-14 00:21:10 UTC (rev 295506)
@@ -119,6 +119,11 @@
if (!response) {
auto error = getResponseCode(data);
+ if (error == CtapDeviceResponseCode::kCtap2ErrActionTimeout) {
+ makeCredential();
+ return;
+ }
+
if (error == CtapDeviceResponseCode::kCtap2ErrCredentialExcluded) {
receiveRespond(ExceptionData { InvalidStateError, "At least one credential matches an entry of the excludeCredentials list in the authenticator."_s });
return;
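Review bot: The retry added at `if (error == CtapDeviceResponseCode::kCtap2ErrActionTimeout)` has no visible bound: every timeout response reissues `makeCredential()`, so a faulty or misbehaving authenticator that answers with this code immediately would keep the request cycling until something outside this function stops it. The same pattern appears in the second hunk of this file with `getAssertion()`. If the overall ceremony timeout is what ends the loop, a comment should say so, for example `// Reissue on authenticator timeout; the request's own timer bounds the retries.`; otherwise the code should count retries and fall through to the existing error path once a small limit is reached. Both functions begin and end outside their hunks, so the surrounding cancellation handling could not be checked.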
@@ -173,6 +178,11 @@
if (!response) {
auto error = getResponseCode(data);
+ if (error == CtapDeviceResponseCode::kCtap2ErrActionTimeout) {
+ getAssertion();
+ return;
+ }
+
if (!isPinError(error) && tryDowngrade())
return;