Log Message
Cherry-pick r267369. rdar://problem/69594300
[WebAuthn] Don't set the UV option if the authenticator doesn't support it
https://bugs.webkit.org/show_bug.cgi?id=215836
<rdar://problem/67817359>
Reviewed by Darin Adler.
Source/WebCore:
Covered by new API tests.
UV in the CTAP 2.0 spec only means internal UV:
https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo
If an authenticator supports ClientPin, it can set the uv bit in the responses to true but it
will not advertise itself supporting internal UV, which is the uv in the options.
https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential
Hence, setting it to true could result in error if the authenticator doesn't support internal UV even if it supports ClientPin.
It's not a way to ask the authenticator to set the uv bit in the response.
* Modules/webauthn/fido/DeviceRequestConverter.cpp:
(fido::encodeMakeCredenitalRequestAsCBOR):
(fido::encodeGetAssertionRequestAsCBOR):
Tools:
* TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
(TestWebKitAPI::TEST):
LayoutTests:
* http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
* http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
* http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
* http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267369 268f45cc-cd09-0410-ab3c-d52691b4dbfc
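The distinction drawn in the log message, as an added example that is not WebKit code: it maps the "uv" entry of an authenticatorGetInfo response to a capability and compares the request option chosen by the removed lines of DeviceRequestConverter.cpp with the one chosen by the added lines. All type and function names and the three sample authenticators are assumptions made for illustration.

```cpp
// Added example, not WebKit source. All names here are hypothetical.
#include <iostream>
#include <map>
#include <string>

// The "options" member of an authenticatorGetInfo response, reduced to booleans.
using OptionMap = std::map<std::string, bool>;

enum class UvAvailability { NotSupported, SupportedButNotConfigured, SupportedAndConfigured };
enum class UvRequirement { Required, Preferred, Discouraged };

// CTAP 2.0 getInfo "uv": absent = no built-in user verification,
// false = built-in UV present but nothing enrolled, true = enrolled and usable.
// "clientPin" is a separate entry and does not influence this classification.
UvAvailability classifyUv(const OptionMap& getInfoOptions)
{
    OptionMap::const_iterator it = getInfoOptions.find("uv");
    if (it == getInfoOptions.end())
        return UvAvailability::NotSupported;
    return it->second ? UvAvailability::SupportedAndConfigured
                      : UvAvailability::SupportedButNotConfigured;
}

// Decision made by the lines the patch removes.
bool uvOptionBeforeFix(UvRequirement requirement, UvAvailability capability)
{
    switch (requirement) {
    case UvRequirement::Required:
        return true; // sent even to an authenticator with no built-in UV
    case UvRequirement::Preferred:
        return capability != UvAvailability::NotSupported;
    case UvRequirement::Discouraged:
        return false;
    }
    return false;
}

// Decision made by the lines the patch adds.
bool uvOptionAfterFix(UvRequirement requirement, UvAvailability capability)
{
    switch (requirement) {
    case UvRequirement::Required:
    case UvRequirement::Preferred:
        return capability == UvAvailability::SupportedAndConfigured;
    case UvRequirement::Discouraged:
        return false;
    }
    return false;
}

// Request "options" map under the post-fix rule. Assumption of this example:
// the "uv" key is left out entirely unless it has to be true.
OptionMap buildRequestOptions(UvRequirement requirement, const OptionMap& getInfoOptions)
{
    OptionMap requestOptions;
    if (uvOptionAfterFix(requirement, classifyUv(getInfoOptions)))
        requestOptions["uv"] = true;
    return requestOptions;
}

// Constructed sample getInfo option maps (not captured from real devices).
OptionMap pinOnlyKey()
{
    OptionMap m;
    m["clientPin"] = true; // PIN is set, but there is no "uv" entry
    m["rk"] = true;
    return m;
}

OptionMap enrolledBiometricKey()
{
    OptionMap m;
    m["uv"] = true;
    return m;
}

OptionMap unenrolledBiometricKey()
{
    OptionMap m;
    m["uv"] = false;
    return m;
}

int main()
{
    const UvAvailability pinOnly = classifyUv(pinOnlyKey());
    std::cout << "PIN-only key, Required: before="
              << uvOptionBeforeFix(UvRequirement::Required, pinOnly)
              << " after=" << uvOptionAfterFix(UvRequirement::Required, pinOnly) << "\n";
    std::cout << "enrolled key, Required: uv key present="
              << buildRequestOptions(UvRequirement::Required, enrolledBiometricKey()).count("uv")
              << "\n";
    return 0;
}
```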
Modified Paths
- branches/safari-610-branch/LayoutTests/ChangeLog
- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https-expected.txt
- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html
- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt
- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html
- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt
- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html
- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt
- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html
- branches/safari-610-branch/Source/WebCore/ChangeLog
- branches/safari-610-branch/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp
- branches/safari-610-branch/Tools/ChangeLog
- branches/safari-610-branch/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp
Diff
Modified: branches/safari-610-branch/LayoutTests/ChangeLog (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/ChangeLog 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/ChangeLog 2020-09-27 20:00:37 UTC (rev 267681)
@@ -1,5 +1,61 @@
2020-09-27 Alan Coon <[email protected]>
+ Cherry-pick r267369. rdar://problem/69594300
+
+ [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+ https://bugs.webkit.org/show_bug.cgi?id=215836
+ <rdar://problem/67817359>
+
+ Reviewed by Darin Adler.
+
+ Source/WebCore:
+
+ Covered by new API tests.
+
+ UV in the the CTAP 2.0 spec only means internal UV:
+ https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo
+
+ If an authenticator supports ClientPin, it can set the uv bit in the responses to true but it
+ will not advertise itself supporting internal UV, which is the uv in the options.
+ https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential
+
+ Hence, setting it to true could result in error if the authenticator doesn't support internal UV even if it supports ClientPin.
+ It's not a way to ask the authenticator to set the uv bit in the response.
+
+ * Modules/webauthn/fido/DeviceRequestConverter.cpp:
+ (fido::encodeMakeCredenitalRequestAsCBOR):
+ (fido::encodeGetAssertionRequestAsCBOR):
+
+ Tools:
+
+ * TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
+ (TestWebKitAPI::TEST):
+
+ LayoutTests:
+
+ * http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
+ * http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
+ * http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
+ * http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267369 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-09-21 Jiewen Tan <[email protected]>
+
+ [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+ https://bugs.webkit.org/show_bug.cgi?id=215836
+ <rdar://problem/67817359>
+
+ Reviewed by Darin Adler.
+
+ * http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
+ * http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
+ * http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
+ * http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
+
+2020-09-27 Alan Coon <[email protected]>
+
Cherry-pick r267092. rdar://problem/69594199
REGRESSION (r267002): ASSERTION FAILED:[ iOS wk2 Debug ] !HashTranslator::equal(KeyTraits::emptyValue(), key) on compositing/ios/overflow-scroll-update-overlap.html
Modified: branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https-expected.txt (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https-expected.txt 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https-expected.txt 2020-09-27 20:00:37 UTC (rev 267681)
@@ -2,11 +2,9 @@
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
-CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
PASS PublicKeyCredential's [[create]] with malicious payload in a mock hid authenticator.
PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator.
-PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2
PASS PublicKeyCredential's [[create]] with mixed options in a mock hid authenticator.
PASS PublicKeyCredential's [[create]] with InvalidStateError in a mock hid authenticator.
Modified: branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html 2020-09-27 20:00:37 UTC (rev 267681)
@@ -62,29 +62,6 @@
},
challenge: asciiToUint8Array("123456"),
pubKeyCredParams: [{ type: "public-key", alg: -7 }],
- authenticatorSelection: { userVerification: "required" },
- timeout: 10
- }
- };
-
- if (window.internals)
- internals.setMockWebAuthenticationConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
- return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
- }, "PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2");
-
- promise_test(function(t) {
- const options = {
- publicKey: {
- rp: {
- name: "example.com"
- },
- user: {
- name: "John Appleseed",
- id: asciiToUint8Array("123456"),
- displayName: "John",
- },
- challenge: asciiToUint8Array("123456"),
- pubKeyCredParams: [{ type: "public-key", alg: -7 }],
authenticatorSelection: { authenticatorAttachment: "cross-platform", requireResidentKey: true, userVerification: "required" },
timeout: 10
}
Modified: branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt 2020-09-27 20:00:37 UTC (rev 267681)
@@ -4,12 +4,10 @@
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
-CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
PASS PublicKeyCredential's [[create]] with timeout in a mock hid authenticator.
PASS PublicKeyCredential's [[create]] with malicious payload in a mock hid authenticator.
PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator.
-PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2
PASS PublicKeyCredential's [[create]] with mixed options in a mock hid authenticator.
PASS PublicKeyCredential's [[create]] with mixed options in a mock hid authenticator. 2
PASS PublicKeyCredential's [[create]] with InvalidStateError in a mock hid authenticator.
Modified: branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html 2020-09-27 20:00:37 UTC (rev 267681)
@@ -85,28 +85,6 @@
},
challenge: asciiToUint8Array("123456"),
pubKeyCredParams: [{ type: "public-key", alg: -7 }],
- authenticatorSelection: { userVerification: "required" }
- }
- };
-
- if (window.internals)
- internals.setMockWebAuthenticationConfiguration({ hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
- return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Unknown internal error. Error code: 43");
- }, "PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2");
-
- promise_test(function(t) {
- const options = {
- publicKey: {
- rp: {
- name: "example.com"
- },
- user: {
- name: "John Appleseed",
- id: asciiToUint8Array("123456"),
- displayName: "John",
- },
- challenge: asciiToUint8Array("123456"),
- pubKeyCredParams: [{ type: "public-key", alg: -7 }],
timeout: 10,
authenticatorSelection: { authenticatorAttachment: "platform", requireResidentKey: true, userVerification: "required" }
}
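Review bot: The promise_test that used authenticatorSelection: { userVerification: "required" } on its own is deleted without a replacement, so this file no longer records what navigator.credentials.create does when the page requires user verification and the mock authenticator does not offer it. The old expectation was a rejection with "Unknown internal error. Error code: 43"; add a test with the same options that states the new outcome, so the behaviour is recorded at the layout-test level as well as in CtapRequestTest.cpp.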
Modified: branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt 2020-09-27 20:00:37 UTC (rev 267681)
@@ -2,10 +2,8 @@
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
-CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
PASS PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.
-PASS PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.
PASS PublicKeyCredential's [[get]] with invalid credential in a mock hid authenticator.
PASS PublicKeyCredential's [[get]] with authenticator downgrade in a mock hid authenticator.
PASS PublicKeyCredential's [[get]] with authenticator downgrade in a mock hid authenticator. 2
Modified: branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html 2020-09-27 20:00:37 UTC (rev 267681)
@@ -21,25 +21,11 @@
const options = {
publicKey: {
challenge: asciiToUint8Array("123456"),
- userVerification: "required",
timeout: 10
}
};
if (window.internals)
- internals.setMockWebAuthenticationConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
- return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
- }, "PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.");
-
- promise_test(function(t) {
- const options = {
- publicKey: {
- challenge: asciiToUint8Array("123456"),
- timeout: 10
- }
- };
-
- if (window.internals)
internals.setMockWebAuthenticationConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: [testCtapErrInvalidCredentialResponseBase64] } });
return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
}, "PublicKeyCredential's [[get]] with invalid credential in a mock hid authenticator.");
Modified: branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt 2020-09-27 20:00:37 UTC (rev 267681)
@@ -4,11 +4,9 @@
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
-CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
PASS PublicKeyCredential's [[get]] with timeout in a mock hid authenticator.
PASS PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.
-PASS PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.
PASS PublicKeyCredential's [[get]] with authenticator downgrade failed in a mock hid authenticator.
PASS PublicKeyCredential's [[get]] with authenticator downgrade failed in a mock hid authenticator. 2
PASS PublicKeyCredential's [[get]] with authenticator downgrade succeeded and then U2F failed in a mock hid authenticator.
Modified: branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html (267680 => 267681)
--- branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html 2020-09-27 20:00:37 UTC (rev 267681)
@@ -39,19 +39,6 @@
promise_test(function(t) {
const options = {
publicKey: {
- challenge: asciiToUint8Array("123456"),
- userVerification: "required"
- }
- };
-
- if (window.internals)
- internals.setMockWebAuthenticationConfiguration({ hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
- return promiseRejects(t, "UnknownError", navigator.credentials.get(options), "Unknown internal error. Error code: 43");
- }, "PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.");
-
- promise_test(function(t) {
- const options = {
- publicKey: {
challenge: asciiToUint8Array("123456")
}
};
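Review bot: Deleting the "unsupported options" test also removes the only use in this hunk of error: "unsupported-options" on the get path, and the matching -expected.txt change drops the only "[[get]] with unsupported options" PASS line it shows. If the mapping of that authenticator error to "Unknown internal error. Error code: 43" for navigator.credentials.get is not exercised elsewhere, keep a test that still configures error: "unsupported-options" so the error mapping stays covered after the userVerification case goes away.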
Modified: branches/safari-610-branch/Source/WebCore/ChangeLog (267680 => 267681)
--- branches/safari-610-branch/Source/WebCore/ChangeLog 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/Source/WebCore/ChangeLog 2020-09-27 20:00:37 UTC (rev 267681)
@@ -1,5 +1,72 @@
2020-09-27 Alan Coon <[email protected]>
+ Cherry-pick r267369. rdar://problem/69594300
+
+ [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+ https://bugs.webkit.org/show_bug.cgi?id=215836
+ <rdar://problem/67817359>
+
+ Reviewed by Darin Adler.
+
+ Source/WebCore:
+
+ Covered by new API tests.
+
+ UV in the the CTAP 2.0 spec only means internal UV:
+ https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo
+
+ If an authenticator supports ClientPin, it can set the uv bit in the responses to true but it
+ will not advertise itself supporting internal UV, which is the uv in the options.
+ https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential
+
+ Hence, setting it to true could result in error if the authenticator doesn't support internal UV even if it supports ClientPin.
+ It's not a way to ask the authenticator to set the uv bit in the response.
+
+ * Modules/webauthn/fido/DeviceRequestConverter.cpp:
+ (fido::encodeMakeCredenitalRequestAsCBOR):
+ (fido::encodeGetAssertionRequestAsCBOR):
+
+ Tools:
+
+ * TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
+ (TestWebKitAPI::TEST):
+
+ LayoutTests:
+
+ * http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
+ * http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
+ * http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
+ * http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267369 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-09-21 Jiewen Tan <[email protected]>
+
+ [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+ https://bugs.webkit.org/show_bug.cgi?id=215836
+ <rdar://problem/67817359>
+
+ Reviewed by Darin Adler.
+
+ Covered by new API tests.
+
+ UV in the the CTAP 2.0 spec only means internal UV:
+ https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo
+
+ If an authenticator supports ClientPin, it can set the uv bit in the responses to true but it
+ will not advertise itself supporting internal UV, which is the uv in the options.
+ https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential
+
+ Hence, setting it to true could result in error if the authenticator doesn't support internal UV even if it supports ClientPin.
+ It's not a way to ask the authenticator to set the uv bit in the response.
+
+ * Modules/webauthn/fido/DeviceRequestConverter.cpp:
+ (fido::encodeMakeCredenitalRequestAsCBOR):
+ (fido::encodeGetAssertionRequestAsCBOR):
+
+2020-09-27 Alan Coon <[email protected]>
+
Cherry-pick r267287. rdar://problem/69594243
Crash under WebCore::shouldResetFocusNavigationStartingNode()
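Review bot: The added entry describes leaving out the uv option when the authenticator doesn't support internal UV, but the DeviceRequestConverter.cpp change in this revision compares against kSupportedAndConfigured, so the option is also left out for kSupportedButNotConfigured, including under UserVerificationRequirement::Preferred where the removed line used to set it. State that in the entry, and fix the doubled word in "UV in the the CTAP 2.0 spec" while editing it.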
Modified: branches/safari-610-branch/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp (267680 => 267681)
--- branches/safari-610-branch/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp 2020-09-27 20:00:37 UTC (rev 267681)
@@ -111,10 +111,8 @@
bool requireUserVerification = false;
switch (options.authenticatorSelection->userVerification) {
case UserVerificationRequirement::Required:
- requireUserVerification = true;
- break;
case UserVerificationRequirement::Preferred:
- requireUserVerification = uvCapability == UVAvailability::kNotSupported ? false : true;
+ requireUserVerification = uvCapability == UVAvailability::kSupportedAndConfigured;
break;
case UserVerificationRequirement::Discouraged:
requireUserVerification = false;
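Review bot: With case UserVerificationRequirement::Required now falling through to Preferred, a relying party's "required" no longer changes the encoded request: whenever uvCapability is not kSupportedAndConfigured the request goes out without uv. Nothing in this hunk shows where "required" is enforced after that, so add a comment at the fall-through naming the place that does it (the log message points at ClientPin and the uv bit in the response), so a reader does not take the fall-through for an accidental downgrade.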
@@ -157,10 +155,8 @@
bool requireUserVerification = false;
switch (options.userVerification) {
case UserVerificationRequirement::Required:
- requireUserVerification = true;
- break;
case UserVerificationRequirement::Preferred:
- requireUserVerification = uvCapability == UVAvailability::kNotSupported ? false : true;
+ requireUserVerification = uvCapability == UVAvailability::kSupportedAndConfigured;
break;
case UserVerificationRequirement::Discouraged:
requireUserVerification = false;
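Review bot: This switch on options.userVerification is the same decision as the one in the makeCredential encoder in the previous hunk, and both had to be patched with identical lines. Move it into one static helper that takes the UserVerificationRequirement and uvCapability and returns the bool, and call it from both encoders so the two cannot drift apart.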
Modified: branches/safari-610-branch/Tools/ChangeLog (267680 => 267681)
--- branches/safari-610-branch/Tools/ChangeLog 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/Tools/ChangeLog 2020-09-27 20:00:37 UTC (rev 267681)
@@ -1,5 +1,59 @@
2020-09-27 Alan Coon <[email protected]>
+ Cherry-pick r267369. rdar://problem/69594300
+
+ [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+ https://bugs.webkit.org/show_bug.cgi?id=215836
+ <rdar://problem/67817359>
+
+ Reviewed by Darin Adler.
+
+ Source/WebCore:
+
+ Covered by new API tests.
+
+ UV in the the CTAP 2.0 spec only means internal UV:
+ https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo
+
+ If an authenticator supports ClientPin, it can set the uv bit in the responses to true but it
+ will not advertise itself supporting internal UV, which is the uv in the options.
+ https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential
+
+ Hence, setting it to true could result in error if the authenticator doesn't support internal UV even if it supports ClientPin.
+ It's not a way to ask the authenticator to set the uv bit in the response.
+
+ * Modules/webauthn/fido/DeviceRequestConverter.cpp:
+ (fido::encodeMakeCredenitalRequestAsCBOR):
+ (fido::encodeGetAssertionRequestAsCBOR):
+
+ Tools:
+
+ * TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
+ (TestWebKitAPI::TEST):
+
+ LayoutTests:
+
+ * http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
+ * http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
+ * http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
+ * http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267369 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-09-21 Jiewen Tan <[email protected]>
+
+ [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+ https://bugs.webkit.org/show_bug.cgi?id=215836
+ <rdar://problem/67817359>
+
+ Reviewed by Darin Adler.
+
+ * TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
+ (TestWebKitAPI::TEST):
+
+2020-09-27 Alan Coon <[email protected]>
+
Cherry-pick r267305. rdar://problem/69594350
[macOS] REGRESSION (r265702): System Services receive 0 bytes when extracting selected content as rich text data
Modified: branches/safari-610-branch/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp (267680 => 267681)
--- branches/safari-610-branch/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp 2020-09-27 20:00:32 UTC (rev 267680)
+++ branches/safari-610-branch/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp 2020-09-27 20:00:37 UTC (rev 267681)
@@ -64,7 +64,7 @@
PublicKeyCredentialCreationOptions options { rp, user, { }, params, WTF::nullopt, { }, selection, AttestationConveyancePreference::None, WTF::nullopt };
Vector<uint8_t> hash;
hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
- auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+ auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequest));
EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequest, serializedData.size()), 0);
}
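Review bot: Changing the third argument from kSupportedButNotConfigured to kSupportedAndConfigured keeps kCtapMakeCredentialRequest matching, but the same substitution is made at every other existing call site in this file, which leaves kSupportedButNotConfigured with no test at all. Add a case that passes kSupportedButNotConfigured with Required or Preferred and checks the resulting encoding, since that is an input whose result this revision changes.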
@@ -87,11 +87,34 @@
PublicKeyCredentialCreationOptions options { rp, user, { }, params, WTF::nullopt, { }, selection, AttestationConveyancePreference::None, WTF::nullopt };
Vector<uint8_t> hash;
hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
- auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+ auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
}
+TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParamUVRequiredButNotSupported)
+{
+ PublicKeyCredentialCreationOptions::RpEntity rp;
+ rp.name = "Acme";
+ rp.id = "acme.com";
+
+ PublicKeyCredentialCreationOptions::UserEntity user;
+ user.name = "[email protected]";
+ user.icon = "https://pics.acme.com/00/p/aBjjjpqPb.png";
+ user.idVector.append(TestData::kUserId, sizeof(TestData::kUserId));
+ user.displayName = "John P. Smith";
+
+ Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
+ PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { PublicKeyCredentialCreationOptions::AuthenticatorAttachment::Platform, false, UserVerificationRequirement::Required };
+
+ PublicKeyCredentialCreationOptions options { rp, user, { }, params, WTF::nullopt, { }, selection, AttestationConveyancePreference::None, WTF::nullopt };
+ Vector<uint8_t> hash;
+ hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+ auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kNotSupported);
+ EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
+ EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
+}
+
TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParamWithPin)
{
PublicKeyCredentialCreationOptions::RpEntity rp;
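Review bot: TestConstructMakeCredentialRequestParamUVRequiredButNotSupported covers Required with kNotSupported only on the path without a PIN, while the case in the log message is an authenticator that supports ClientPin but not internal UV. Add a variant that passes pin as the fourth argument, as TestConstructMakeCredentialRequestParamWithPin does, together with kNotSupported, and add a one-line comment saying why kCtapMakeCredentialRequestShort is the expected encoding here.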
@@ -114,7 +137,7 @@
PublicKeyCredentialCreationOptions options { rp, user, { }, params, WTF::nullopt, { }, selection, AttestationConveyancePreference::None, WTF::nullopt };
Vector<uint8_t> hash;
hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
- auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured, pin);
+ auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, pin);
EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestWithPin));
EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestWithPin, serializedData.size()), 0);
}
@@ -151,7 +174,7 @@
Vector<uint8_t> hash;
hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
- auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+ auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequest));
EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequest, serializedData.size()), 0);
}
@@ -188,11 +211,48 @@
Vector<uint8_t> hash;
hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
- auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+ auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequestShort));
EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequestShort, serializedData.size()), 0);
}
+TEST(CTAPRequestTest, TestConstructGetAssertionRequestUVRequiredButNotSupported)
+{
+ PublicKeyCredentialRequestOptions options;
+ options.rpId = "acme.com";
+
+ PublicKeyCredentialDescriptor descriptor1;
+ descriptor1.type = PublicKeyCredentialType::PublicKey;
+ const uint8_t id1[] = {
+ 0xf2, 0x20, 0x06, 0xde, 0x4f, 0x90, 0x5a, 0xf6, 0x8a, 0x43, 0x94,
+ 0x2f, 0x02, 0x4f, 0x2a, 0x5e, 0xce, 0x60, 0x3d, 0x9c, 0x6d, 0x4b,
+ 0x3d, 0xf8, 0xbe, 0x08, 0xed, 0x01, 0xfc, 0x44, 0x26, 0x46, 0xd0,
+ 0x34, 0x85, 0x8a, 0xc7, 0x5b, 0xed, 0x3f, 0xd5, 0x80, 0xbf, 0x98,
+ 0x08, 0xd9, 0x4f, 0xcb, 0xee, 0x82, 0xb9, 0xb2, 0xef, 0x66, 0x77,
+ 0xaf, 0x0a, 0xdc, 0xc3, 0x58, 0x52, 0xea, 0x6b, 0x9e };
+ descriptor1.idVector.append(id1, sizeof(id1));
+ options.allowCredentials.append(descriptor1);
+
+ PublicKeyCredentialDescriptor descriptor2;
+ descriptor2.type = PublicKeyCredentialType::PublicKey;
+ const uint8_t id2[] = {
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 };
+ descriptor2.idVector.append(id2, sizeof(id2));
+ options.allowCredentials.append(descriptor2);
+
+ options.userVerification = UserVerificationRequirement::Required;
+
+ Vector<uint8_t> hash;
+ hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+ auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kNotSupported);
+ EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequestShort));
+ EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequestShort, serializedData.size()), 0);
+}
+
TEST(CTAPRequestTest, TestConstructGetAssertionRequestWithPin)
{
PublicKeyCredentialRequestOptions options;
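Review bot: In TestConstructGetAssertionRequestUVRequiredButNotSupported most of the body is the id1 and id2 byte arrays, and the two lines that define the case (options.userVerification = UserVerificationRequirement::Required and the kNotSupported argument) are easy to miss. Build the populated options in a shared helper, or fill the 50-byte 0x03 id2 programmatically, so the test body shows only the inputs that differ.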
@@ -229,7 +289,7 @@
Vector<uint8_t> hash;
hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
- auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured, pin);
+ auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, pin);
EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequestWithPin));
EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequestWithPin, serializedData.size()), 0);
}
