Title: [252297] trunk/Source
Revision
252297
Author
jiewen_...@apple.com
Date
2019-11-08 17:09:19 -0800 (Fri, 08 Nov 2019)

Log Message

[WebAuthn] Add quirk needed to support legacy Google NFC Titan security keys
https://bugs.webkit.org/show_bug.cgi?id=204024
<rdar://problem/56962320>

Reviewed by Brent Fulgham.

Source/WebCore:

Covered by manual tests.

* Modules/webauthn/fido/FidoConstants.h:

Source/WebKit:

Some legacy U2F keys such as Google T1 Titan don't understand the FIDO applet command. Instead,
they are configured to only have the FIDO applet. Therefore, when the above command fails, we
use U2F_VERSION command to double check if the connected tag can actually speak U2F, indicating
we are interacting with one of these legacy keys.

* UIProcess/WebAuthentication/Cocoa/NfcConnection.mm:
(WebKit::fido::compareVersion):
(WebKit::fido::trySelectFidoApplet):
(WebKit::NfcConnection::transact const):
(WebKit::NfcConnection::didDetectTags):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (252296 => 252297)


--- trunk/Source/WebCore/ChangeLog	2019-11-09 00:52:39 UTC (rev 252296)
+++ trunk/Source/WebCore/ChangeLog	2019-11-09 01:09:19 UTC (rev 252297)
@@ -1,3 +1,15 @@
+2019-11-08  Jiewen Tan  <jiewen_...@apple.com>
+
+        [WebAuthn] Add quirk needed to support legacy Google NFC Titan security keys
+        https://bugs.webkit.org/show_bug.cgi?id=204024
+        <rdar://problem/56962320>
+
+        Reviewed by Brent Fulgham.
+
+        Covered by manual tests.
+
+        * Modules/webauthn/fido/FidoConstants.h:
+
 2019-11-08  Peng Liu  <peng.l...@apple.com>
 
         Entering/Exiting Picture-in-Picture mode through webkitSetPresentationMode() does not fire events (enterpictureinpicture and leavepictureinpicture) defined in the spec

Modified: trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.h (252296 => 252297)


--- trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.h	2019-11-09 00:52:39 UTC (rev 252296)
+++ trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.h	2019-11-09 01:09:19 UTC (rev 252297)
@@ -223,6 +223,13 @@
 const uint32_t kCtapHidUsagePage = 0xF1D0;
 const uint32_t kCtapHidUsage = 0x01;
 
+// U2F_VERSION command
+// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#getversion-request-and-response---u2f_version
+const uint8_t kCtapNfcU2fVersionCommand[] = {
+    0x00, 0x03, 0x00, 0x00, // CLA, INS, P1, P2
+    0x00, // L
+};
+
 // CTAPNFC Applet selection command and responses
 // https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#nfc-applet-selection
 const uint8_t kCtapNfcAppletSelectionCommand[] = {
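Review bot: The trailing byte of `kCtapNfcU2fVersionCommand` is commented only as `// L`, which does not say whether it is Lc or Le. Going by the linked U2F raw-message format, the U2F_VERSION request carries no data, so this byte is presumably the short-encoding Le. Writing it as `0x00, // Le: no request data, 0x00 asks for up to 256 response bytes` would let a reader check the APDU against the spec without opening it.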

Modified: trunk/Source/WebKit/ChangeLog (252296 => 252297)


--- trunk/Source/WebKit/ChangeLog	2019-11-09 00:52:39 UTC (rev 252296)
+++ trunk/Source/WebKit/ChangeLog	2019-11-09 01:09:19 UTC (rev 252297)
@@ -1,3 +1,22 @@
+2019-11-08  Jiewen Tan  <jiewen_...@apple.com>
+
+        [WebAuthn] Add quirk needed to support legacy Google NFC Titan security keys
+        https://bugs.webkit.org/show_bug.cgi?id=204024
+        <rdar://problem/56962320>
+
+        Reviewed by Brent Fulgham.
+
+        Some legacy U2F keys such as Google T1 Titan don't understand the FIDO applet command. Instead,
+        they are configured to only have the FIDO applet. Therefore, when the above command fails, we
+        use U2F_VERSION command to double check if the connected tag can actually speak U2F, indicating
+        we are interacting with one of these legacy keys.
+
+        * UIProcess/WebAuthentication/Cocoa/NfcConnection.mm:
+        (WebKit::fido::compareVersion):
+        (WebKit::fido::trySelectFidoApplet):
+        (WebKit::NfcConnection::transact const):
+        (WebKit::NfcConnection::didDetectTags):
+
 2019-11-08  Jonathan Bedard  <jbed...@apple.com>
 
         Unreviewed, rolling out r252260.

Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/NfcConnection.mm (252296 => 252297)


--- trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/NfcConnection.mm	2019-11-09 00:52:39 UTC (rev 252296)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/NfcConnection.mm	2019-11-09 01:09:19 UTC (rev 252297)
@@ -39,10 +39,33 @@
 namespace {
 inline bool compareVersion(NSData *data, const uint8_t version[], size_t versionSize)
 {
+    if (!data)
+        return false;
     if (data.length != versionSize)
         return false;
     return !memcmp(data.bytes, version, versionSize);
 }
+
+// Confirm the FIDO applet is avaliable.
+// https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#nfc-applet-selection
+static bool trySelectFidoApplet(NFReaderSession *session)
+{
+    auto *versionData = [session transceive:adoptNS([[NSData alloc] initWithBytes:kCtapNfcAppletSelectionCommand length:sizeof(kCtapNfcAppletSelectionCommand)]).get()];
+    if (compareVersion(versionData, kCtapNfcAppletSelectionU2f, sizeof(kCtapNfcAppletSelectionU2f))
+        || compareVersion(versionData, kCtapNfcAppletSelectionCtap, sizeof(kCtapNfcAppletSelectionCtap)))
+        return true;
+
+    // Some legacy U2F keys such as Google T1 Titan don't understand the FIDO applet command. Instead,
+    // they are configured to only have the FIDO applet. Therefore, when the above command fails, we
+    // use U2F_VERSION command to double check if the connected tag can actually speak U2F, indicating
+    // we are interacting with one of these legacy keys.
+    versionData = [session transceive:adoptNS([[NSData alloc] initWithBytes:kCtapNfcU2fVersionCommand length:sizeof(kCtapNfcU2fVersionCommand)]).get()];
+    if (compareVersion(versionData, kCtapNfcAppletSelectionU2f, sizeof(kCtapNfcAppletSelectionU2f)))
+        return true;
+
+    return false;
+}
+
 } // namespace
 
 Ref<NfcConnection> NfcConnection::create(RetainPtr<NFReaderSession>&& session, NfcService& service)
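Review bot: The U2F_VERSION fallback in trySelectFidoApplet compares the reply against `kCtapNfcAppletSelectionU2f`, a constant named for the applet-selection response, so the check holds only while the two replies are byte-identical. That constant's definition is outside this hunk, so this is presumably the case today. A comment on the second compare such as `// U2F_VERSION returns the same version string and status word as a successful U2F applet selection.`, or a dedicated alias constant, would stop a later edit to the selection constant from silently breaking the quirk. The function comment should also say that both replies come from an untrusted tag and only decide which tag gets connected, so a `true` result is a capability probe and not evidence of a genuine authenticator. The added comment misspells "available" as "avaliable".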
@@ -68,10 +91,8 @@
 Vector<uint8_t> NfcConnection::transact(Vector<uint8_t>&& data) const
 {
     Vector<uint8_t> response;
-    @autoreleasepool {
-        auto responseData = [m_session transceive:[NSData dataWithBytes:data.data() length:data.size()]];
-        response.append(reinterpret_cast<const uint8_t*>(responseData.bytes), responseData.length);
-    }
+    auto *responseData = [m_session transceive:adoptNS([[NSData alloc] initWithBytes:data.data() length:data.size()]).get()];
+    response.append(reinterpret_cast<const uint8_t*>(responseData.bytes), responseData.length);
     return response;
 }
 
@@ -104,14 +125,9 @@
         if (tag.type != NFTagTypeGeneric4A || ![m_session connectTag:tag])
             continue;
 
-        // Confirm the FIDO applet is avaliable before return.
-        // https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#nfc-applet-selection
-        @autoreleasepool {
-            auto versionData = [m_session transceive:[NSData dataWithBytes:kCtapNfcAppletSelectionCommand length:sizeof(kCtapNfcAppletSelectionCommand)]];
-            if (!versionData || (!compareVersion(versionData, kCtapNfcAppletSelectionU2f, sizeof(kCtapNfcAppletSelectionU2f)) && !compareVersion(versionData, kCtapNfcAppletSelectionCtap, sizeof(kCtapNfcAppletSelectionCtap)))) {
-                [m_session disconnectTag];
-                continue;
-            }
+        if (!trySelectFidoApplet(m_session.get())) {
+            [m_session disconnectTag];
+            continue;
         }
 
         m_service->didConnectTag();
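Review bot: The per-tag loop no longer drains an autorelease pool around the probe, because the `@autoreleasepool` that wrapped `transceive:` is removed here and in the `NfcConnection::transact` hunk above. If `transceive:` returns autoreleased `NSData` (its declaration is not visible on this page), every tag response now lives until whatever pool the caller happens to have is drained. Either keep a local pool around the call, for example `bool selected; @autoreleasepool { selected = trySelectFidoApplet(m_session.get()); }`, or add a comment stating which enclosing pool these callbacks rely on. The loop body starts outside this hunk.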