Title: [289482] trunk
Revision
289482
Author
j_pas...@apple.com
Date
2022-02-09 10:17:43 -0800 (Wed, 09 Feb 2022)

Log Message

[WebAuthn] Specify LocalAuthenticatorAccessGroup when importing credentials
https://bugs.webkit.org/show_bug.cgi?id=236311
rdar://88394179

Reviewed by Brent Fulgham.

Source/WebKit:

Tested on device and added check for accessGroup in API test.

* UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
* UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
(+[_WKWebAuthenticationPanel importLocalAuthenticatorCredential:error:]):
(+[_WKWebAuthenticationPanel importLocalAuthenticatorWithAccessGroup:credential:error:]):

Tools:

Added check for accessGroup to API test.

* TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
(TestWebKitAPI::WebCore::addKeyToKeychain):
(TestWebKitAPI::TEST):

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (289481 => 289482)


--- trunk/Source/WebKit/ChangeLog	2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Source/WebKit/ChangeLog	2022-02-09 18:17:43 UTC (rev 289482)
@@ -1,3 +1,18 @@
+2022-02-09  J Pascoe  <j_pas...@apple.com>
+
+        [WebAuthn] Specify LocalAuthenticatorAccessGroup when importing credentials
+        https://bugs.webkit.org/show_bug.cgi?id=236311
+        rdar://88394179
+
+        Reviewed by Brent Fulgham.
+
+        Tested on device and added check for accessGroup in API test.
+
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
+        (+[_WKWebAuthenticationPanel importLocalAuthenticatorCredential:error:]):
+        (+[_WKWebAuthenticationPanel importLocalAuthenticatorWithAccessGroup:credential:error:]):
+
 2022-02-09  Sihui Liu  <sihui_...@apple.com>
 
         Manage IndexedDB storage by origin

Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h (289481 => 289482)


--- trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h	2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h	2022-02-09 18:17:43 UTC (rev 289482)
@@ -119,6 +119,7 @@
 
 + (NSData *)exportLocalAuthenticatorCredentialWithID:(NSData *)credentialID error:(NSError **)error WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 + (NSData *)importLocalAuthenticatorCredential:(NSData *)credentialBlob error:(NSError **)error WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
++ (NSData *)importLocalAuthenticatorWithAccessGroup:(NSString *)accessGroup credential:(NSData *)credentialBlob error:(NSError **)error WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 
 + (BOOL)isUserVerifyingPlatformAuthenticatorAvailable WK_API_AVAILABLE(macos(12.0), ios(15.0));
 
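Review bot: The new declaration at the third line of the hunk has no doc comment and no nullability annotation, so a caller cannot tell from the header whether `accessGroup` may be nil or what nil means. The implementation in _WKWebAuthenticationPanel.mm skips the `kSecAttrAccessGroup` attribute when the argument is nil, which is worth stating here, e.g. `/// Imports a previously exported credential into the keychain. A nil accessGroup adds the item without a kSecAttrAccessGroup attribute; the one-argument variant uses LocalAuthenticatorAccessGroup.` placed above the new `+ (NSData *)importLocalAuthenticatorWithAccessGroup:credential:error:` line. Since the neighbouring declarations are not annotated either, `nullable` on the parameter is presumably a matter of file-wide convention rather than something to add in this commit alone.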

Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (289481 => 289482)


--- trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm	2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm	2022-02-09 18:17:43 UTC (rev 289482)
@@ -398,6 +398,11 @@
 
 + (NSData *)importLocalAuthenticatorCredential:(NSData *)credentialBlob error:(NSError **)error
 {
+    return [self importLocalAuthenticatorWithAccessGroup:@(WebCore::LocalAuthenticatorAccessGroup) credential:credentialBlob error:error];
+}
+
++ (NSData *)importLocalAuthenticatorWithAccessGroup:(NSString *)accessGroup credential:(NSData *)credentialBlob error:(NSError **)error
+{
 #if ENABLE(WEB_AUTHN)
     auto credential = cbor::CBORReader::read(vectorFromNSData(credentialBlob));
     if (!credential || !credential->isMap()) {
@@ -481,6 +486,9 @@
     ]);
     updateQueryIfNecessary(query.get());
 
+    if (accessGroup != nil)
+        [query setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup];
+
     OSStatus status = SecItemCopyMatching(bridge_cast(query.get()), nullptr);
     if (!status) {
         // Credential with same id already exists, duplicate key.
@@ -489,15 +497,22 @@
     }
 
     auto secAttrApplicationTag = adoptNS([[NSData alloc] initWithBytes:keyTag->data() length:keyTag->size()]);
-    NSDictionary *addQuery = @{
-        (id)kSecValueRef: (id)key.get(),
-        (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-        (id)kSecAttrLabel: rp,
-        (id)kSecAttrApplicationTag: secAttrApplicationTag.get(),
-        (id)kSecUseDataProtectionKeychain: @YES,
-        (id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlock
-    };
-    status = SecItemAdd(bridge_cast(addQuery), NULL);
+
+    auto addQuery = adoptNS([[NSMutableDictionary alloc] initWithObjectsAndKeys:
+        (id)key.get(), (id)kSecValueRef,
+        (id)kSecAttrKeyClassPrivate, (id)kSecAttrKeyClass,
+        (id)rp, (id)kSecAttrLabel,
+        secAttrApplicationTag.get(), (id)kSecAttrApplicationTag,
+        @YES, (id)kSecUseDataProtectionKeychain,
+        (id)kSecAttrAccessibleAfterFirstUnlock, (id)kSecAttrAccessible,
+        nil
+    ]);
+    updateQueryIfNecessary(addQuery.get());
+
+    if (accessGroup != nil)
+        [query setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup];
+
+    status = SecItemAdd(bridge_cast(addQuery.get()), NULL);
     if (status) {
         createNSErrorFromWKErrorIfNecessary(error, WKErrorUnknown);
         return nullptr;
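Review bot: The access group is written to the wrong dictionary just before the SecItemAdd call: the added lines set `kSecAttrAccessGroup` on `query` (the lookup dictionary that already received it in the previous hunk) instead of on `addQuery`, so the item handed to SecItemAdd never carries the requested access group and lands in the process's default group. The line should read `[addQuery setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup];`. The API test added in this commit reads credentials back with the same group and presumably passes only because the test bundle's default access group coincides with it, so it would not catch this. The method `importLocalAuthenticatorWithAccessGroup:credential:error:` begins in an earlier hunk and its body continues past this one.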

Modified: trunk/Tools/ChangeLog (289481 => 289482)


--- trunk/Tools/ChangeLog	2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Tools/ChangeLog	2022-02-09 18:17:43 UTC (rev 289482)
@@ -1,3 +1,17 @@
+2022-02-09  J Pascoe  <j_pas...@apple.com>
+
+        [WebAuthn] Specify LocalAuthenticatorAccessGroup when importing credentials
+        https://bugs.webkit.org/show_bug.cgi?id=236311
+        rdar://88394179
+
+        Reviewed by Brent Fulgham.
+
+        Added check for accessGroup to API test.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+        (TestWebKitAPI::WebCore::addKeyToKeychain):
+        (TestWebKitAPI::TEST):
+
 2022-02-09  Sihui Liu  <sihui_...@apple.com>
 
         Manage IndexedDB storage by origin

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (289481 => 289482)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm	2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm	2022-02-09 18:17:43 UTC (rev 289482)
@@ -82,6 +82,7 @@
     "RQ==";
 static String testUserEntityBundleBase64 = "omJpZEoAAQIDBAUGBwgJZG5hbWVkSm9obg=="; // { "id": h'00010203040506070809', "name": "John" }
 static String webAuthenticationPanelSelectedCredentialName;
+static String testWebKitAPIAccessGroup = "com.apple.TestWebKitAPI";
 static bool laContextRequested = false;
 
 @interface TestWebAuthenticationPanelDelegate : NSObject <_WKWebAuthenticationPanelDelegate>
@@ -385,7 +386,8 @@
         (id)kSecAttrLabel: rpId,
         (id)kSecAttrApplicationTag: adoptNS([[NSData alloc] initWithBase64EncodedString:userHandleBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get(),
         (id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlock,
-        (id)kSecUseDataProtectionKeychain: @YES
+        (id)kSecUseDataProtectionKeychain: @YES,
+        (id)kSecAttrAccessGroup: testWebKitAPIAccessGroup,
     }];
     if (synchronizable)
         [addQuery.get() setObject:@YES forKey:(__bridge id)kSecAttrSynchronizable];
@@ -2266,7 +2268,7 @@
 
     addKeyToKeychain(testES256PrivateKeyBase64, "example.com", testUserEntityBundleBase64);
 
-    auto *credentials = [_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:@"com.apple.TestWebKitAPI"];
+    auto *credentials = [_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:testWebKitAPIAccessGroup];
     EXPECT_NOT_NULL(credentials);
     EXPECT_EQ([credentials count], 1lu);
 
@@ -2276,9 +2278,13 @@
     
     cleanUpKeychain("example.com");
 
-    auto credentialId = [_WKWebAuthenticationPanel importLocalAuthenticatorCredential:exportedKey error:&error];
+    EXPECT_EQ([[_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:testWebKitAPIAccessGroup] count], 0lu);
+
+    auto credentialId = [_WKWebAuthenticationPanel importLocalAuthenticatorWithAccessGroup:testWebKitAPIAccessGroup credential:exportedKey error:&error];
     EXPECT_WK_STREQ([[credentials firstObject][_WKLocalAuthenticatorCredentialIDKey] base64EncodedStringWithOptions:0], [credentialId base64EncodedStringWithOptions:0]);
 
+    EXPECT_EQ([[_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:testWebKitAPIAccessGroup] count], 1lu);
+
     cleanUpKeychain("example.com");
 }
 
@@ -2289,7 +2295,7 @@
 
     addKeyToKeychain(testES256PrivateKeyBase64, "example.com", testUserEntityBundleBase64);
 
-    auto *credentials = [_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:@"com.apple.TestWebKitAPI"];
+    auto *credentials = [_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:testWebKitAPIAccessGroup];
     EXPECT_NOT_NULL(credentials);
     EXPECT_EQ([credentials count], 1lu);
 
@@ -2297,7 +2303,7 @@
     NSError *error = nil;
     auto exportedKey = [_WKWebAuthenticationPanel exportLocalAuthenticatorCredentialWithID:[credentials firstObject][_WKLocalAuthenticatorCredentialIDKey] error:&error];
 
-    auto credentialId = [_WKWebAuthenticationPanel importLocalAuthenticatorCredential:exportedKey error:&error];
+    auto credentialId = [_WKWebAuthenticationPanel importLocalAuthenticatorWithAccessGroup:testWebKitAPIAccessGroup credential:exportedKey error:&error];
     EXPECT_EQ(credentialId, nil);
     EXPECT_EQ(error.code, WKErrorDuplicateCredential);
 