Modified: trunk/Source/WebKit/ChangeLog (289481 => 289482)
--- trunk/Source/WebKit/ChangeLog 2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Source/WebKit/ChangeLog 2022-02-09 18:17:43 UTC (rev 289482)
@@ -1,3 +1,18 @@
+2022-02-09 J Pascoe <j_pas...@apple.com>
+
+ [WebAuthn] Specify LocalAuthenticatorAccessGroup when importing credentials
+ https://bugs.webkit.org/show_bug.cgi?id=236311
+ rdar://88394179
+
+ Reviewed by Brent Fulgham.
+
+ Tested on device and added check for accessGroup in API test.
+
+ * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
+ * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
+ (+[_WKWebAuthenticationPanel importLocalAuthenticatorCredential:error:]):
+ (+[_WKWebAuthenticationPanel importLocalAuthenticatorWithAccessGroup:credential:error:]):
+
2022-02-09 Sihui Liu <sihui_...@apple.com>
Manage IndexedDB storage by origin
Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h (289481 => 289482)
--- trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h 2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h 2022-02-09 18:17:43 UTC (rev 289482)
@@ -119,6 +119,7 @@
+ (NSData *)exportLocalAuthenticatorCredentialWithID:(NSData *)credentialID error:(NSError **)error WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+ (NSData *)importLocalAuthenticatorCredential:(NSData *)credentialBlob error:(NSError **)error WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
++ (NSData *)importLocalAuthenticatorWithAccessGroup:(NSString *)accessGroup credential:(NSData *)credentialBlob error:(NSError **)error WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+ (BOOL)isUserVerifyingPlatformAuthenticatorAvailable WK_API_AVAILABLE(macos(12.0), ios(15.0));
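Review bot: The new `importLocalAuthenticatorWithAccessGroup:credential:error:` declaration does not say whether `accessGroup` may be nil, and the implementation in this commit treats nil specially (it skips the `kSecAttrAccessGroup` attribute entirely), which changes which keychain items the import and its duplicate check touch. Since callers only see this header, a doc comment pinning that contract would help: `/// @param accessGroup Keychain access group for the imported credential; nil omits the attribute and falls back to the process default.` The older `importLocalAuthenticatorCredential:error:` above it now appears to forward a fixed WebKit access group, so noting that there too would keep the two entry points from being confused.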
Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (289481 => 289482)
--- trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm 2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm 2022-02-09 18:17:43 UTC (rev 289482)
@@ -398,6 +398,11 @@
+ (NSData *)importLocalAuthenticatorCredential:(NSData *)credentialBlob error:(NSError **)error
{
+ return [self importLocalAuthenticatorWithAccessGroup:@(WebCore::LocalAuthenticatorAccessGroup) credential:credentialBlob error:error];
+}
+
++ (NSData *)importLocalAuthenticatorWithAccessGroup:(NSString *)accessGroup credential:(NSData *)credentialBlob error:(NSError **)error
+{
#if ENABLE(WEB_AUTHN)
auto credential = cbor::CBORReader::read(vectorFromNSData(credentialBlob));
if (!credential || !credential->isMap()) {
@@ -481,6 +486,9 @@
]);
updateQueryIfNecessary(query.get());
+ if (accessGroup != nil)
+ [query setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup];
+
OSStatus status = SecItemCopyMatching(bridge_cast(query.get()), nullptr);
if (!status) {
// Credential with same id already exists, duplicate key.
@@ -489,15 +497,22 @@
}
auto secAttrApplicationTag = adoptNS([[NSData alloc] initWithBytes:keyTag->data() length:keyTag->size()]);
- NSDictionary *addQuery = @{
- (id)kSecValueRef: (id)key.get(),
- (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
- (id)kSecAttrLabel: rp,
- (id)kSecAttrApplicationTag: secAttrApplicationTag.get(),
- (id)kSecUseDataProtectionKeychain: @YES,
- (id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlock
- };
- status = SecItemAdd(bridge_cast(addQuery), NULL);
+
+ auto addQuery = adoptNS([[NSMutableDictionary alloc] initWithObjectsAndKeys:
+ (id)key.get(), (id)kSecValueRef,
+ (id)kSecAttrKeyClassPrivate, (id)kSecAttrKeyClass,
+ (id)rp, (id)kSecAttrLabel,
+ secAttrApplicationTag.get(), (id)kSecAttrApplicationTag,
+ @YES, (id)kSecUseDataProtectionKeychain,
+ (id)kSecAttrAccessibleAfterFirstUnlock, (id)kSecAttrAccessible,
+ nil
+ ]);
+ updateQueryIfNecessary(addQuery.get());
+
+ if (accessGroup != nil)
+ [query setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup];
+
+ status = SecItemAdd(bridge_cast(addQuery.get()), NULL);
if (status) {
createNSErrorFromWKErrorIfNecessary(error, WKErrorUnknown);
return nullptr;
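Review bot: The access group is written to the wrong dictionary at the `[query setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup]` line that follows `updateQueryIfNecessary(addQuery.get())`: `query` is the SecItemCopyMatching duplicate-check dictionary that already received the attribute in the previous hunk, so `addQuery` reaches SecItemAdd without `kSecAttrAccessGroup` and the imported private key is not scoped to the group this commit sets out to apply (unless `updateQueryIfNecessary` adds it, which is not visible here). The line should read `[addQuery setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup];`. The API test added in this commit only counts items through `getAllLocalAuthenticatorCredentialsWithAccessGroup:`, so it can pass when the process's default access group happens to equal the one under test; reading back `kSecAttrAccessGroup` from the stored item would catch this. The enclosing method begins outside this hunk.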
Modified: trunk/Tools/ChangeLog (289481 => 289482)
--- trunk/Tools/ChangeLog 2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Tools/ChangeLog 2022-02-09 18:17:43 UTC (rev 289482)
@@ -1,3 +1,17 @@
+2022-02-09 J Pascoe <j_pas...@apple.com>
+
+ [WebAuthn] Specify LocalAuthenticatorAccessGroup when importing credentials
+ https://bugs.webkit.org/show_bug.cgi?id=236311
+ rdar://88394179
+
+ Reviewed by Brent Fulgham.
+
+ Added check for accessGroup to API test.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+ (TestWebKitAPI::WebCore::addKeyToKeychain):
+ (TestWebKitAPI::TEST):
+
2022-02-09 Sihui Liu <sihui_...@apple.com>
Manage IndexedDB storage by origin
Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (289481 => 289482)
--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm 2022-02-09 18:16:32 UTC (rev 289481)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm 2022-02-09 18:17:43 UTC (rev 289482)
@@ -82,6 +82,7 @@
"RQ==";
static String testUserEntityBundleBase64 = "omJpZEoAAQIDBAUGBwgJZG5hbWVkSm9obg=="; // { "id": h'00010203040506070809', "name": "John" }
static String webAuthenticationPanelSelectedCredentialName;
+static String testWebKitAPIAccessGroup = "com.apple.TestWebKitAPI";
static bool laContextRequested = false;
@interface TestWebAuthenticationPanelDelegate : NSObject <_WKWebAuthenticationPanelDelegate>
@@ -385,7 +386,8 @@
(id)kSecAttrLabel: rpId,
(id)kSecAttrApplicationTag: adoptNS([[NSData alloc] initWithBase64EncodedString:userHandleBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get(),
(id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlock,
- (id)kSecUseDataProtectionKeychain: @YES
+ (id)kSecUseDataProtectionKeychain: @YES,
+ (id)kSecAttrAccessGroup: testWebKitAPIAccessGroup,
}];
if (synchronizable)
[addQuery.get() setObject:@YES forKey:(__bridge id)kSecAttrSynchronizable];
@@ -2266,7 +2268,7 @@
addKeyToKeychain(testES256PrivateKeyBase64, "example.com", testUserEntityBundleBase64);
- auto *credentials = [_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:@"com.apple.TestWebKitAPI"];
+ auto *credentials = [_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:testWebKitAPIAccessGroup];
EXPECT_NOT_NULL(credentials);
EXPECT_EQ([credentials count], 1lu);
@@ -2276,9 +2278,13 @@
cleanUpKeychain("example.com");
- auto credentialId = [_WKWebAuthenticationPanel importLocalAuthenticatorCredential:exportedKey error:&error];
+ EXPECT_EQ([[_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:testWebKitAPIAccessGroup] count], 0lu);
+
+ auto credentialId = [_WKWebAuthenticationPanel importLocalAuthenticatorWithAccessGroup:testWebKitAPIAccessGroup credential:exportedKey error:&error];
EXPECT_WK_STREQ([[credentials firstObject][_WKLocalAuthenticatorCredentialIDKey] base64EncodedStringWithOptions:0], [credentialId base64EncodedStringWithOptions:0]);
+ EXPECT_EQ([[_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:testWebKitAPIAccessGroup] count], 1lu);
+
cleanUpKeychain("example.com");
}
@@ -2289,7 +2295,7 @@
addKeyToKeychain(testES256PrivateKeyBase64, "example.com", testUserEntityBundleBase64);
- auto *credentials = [_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:@"com.apple.TestWebKitAPI"];
+ auto *credentials = [_WKWebAuthenticationPanel getAllLocalAuthenticatorCredentialsWithAccessGroup:testWebKitAPIAccessGroup];
EXPECT_NOT_NULL(credentials);
EXPECT_EQ([credentials count], 1lu);
@@ -2297,7 +2303,7 @@
NSError *error = nil;
auto exportedKey = [_WKWebAuthenticationPanel exportLocalAuthenticatorCredentialWithID:[credentials firstObject][_WKLocalAuthenticatorCredentialIDKey] error:&error];
- auto credentialId = [_WKWebAuthenticationPanel importLocalAuthenticatorCredential:exportedKey error:&error];
+ auto credentialId = [_WKWebAuthenticationPanel importLocalAuthenticatorWithAccessGroup:testWebKitAPIAccessGroup credential:exportedKey error:&error];
EXPECT_EQ(credentialId, nil);
EXPECT_EQ(error.code, WKErrorDuplicateCredential);