Title: [279856] trunk
Revision
279856
Author
[email protected]
Date
2021-07-12 16:43:14 -0700 (Mon, 12 Jul 2021)

Log Message

_WKWebAuthenticationPanel escapes slashes in origin
https://bugs.webkit.org/show_bug.cgi?id=227724
rdar://80232742

Patch by Garrett Davidson <[email protected]> on 2021-07-12
Reviewed by Kate Cheney.

Source/WebKit:

Tell NSJSONSerialization not to escape slashes, like those in the scheme of an origin.

* UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
(produceClientDataJson):

Tools:

Update both the makeCredential and getAssertion tests to use an origin.

WebAuthenticationPanel.GetAssertionLA:
This test wasn't using an origin or RPID. Update it to use both. This means both
clientDataJSON and authenticatorData changed. Update both to the new expected
values, using as much plaintext as possible.

WebAuthenticationPanel.MakeCredentialLA:
This test should have caught this issue, but the origin being passed here isn't
valid, because it didn't have a scheme. Per the WebAuthn spec, origins used by
WebAuthn MUST start with "https://". Also update this test to use plaintext
instead of base64 for clientDataJSON.

* TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
(TestWebKitAPI::TEST):

Diff

Modified: trunk/Source/WebKit/ChangeLog (279855 => 279856)


--- trunk/Source/WebKit/ChangeLog	2021-07-12 23:07:14 UTC (rev 279855)
+++ trunk/Source/WebKit/ChangeLog	2021-07-12 23:43:14 UTC (rev 279856)
@@ -1,3 +1,16 @@
+2021-07-12  Garrett Davidson  <[email protected]>
+
+        _WKWebAuthenticationPanel escapes slashes in origin
+        https://bugs.webkit.org/show_bug.cgi?id=227724
+        rdar://80232742
+
+        Reviewed by Kate Cheney.
+
+        Tell NSJSONSerialization not to try to escapes slashes, like those in the scheme of an origin.
+
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
+        (produceClientDataJson):
+
 2021-07-12  Chris Fleizach  <[email protected]>
 
         AX: Make WebKit observe spatial audio accessibility settings

Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (279855 => 279856)


--- trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm	2021-07-12 23:07:14 UTC (rev 279855)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm	2021-07-12 23:43:14 UTC (rev 279856)
@@ -73,7 +73,7 @@
     [dictionary setObject:base64URLEncodeToString(challenge.bytes, challenge.length) forKey:@"challenge"];
     [dictionary setObject:origin forKey:@"origin"];
 
-    return [NSJSONSerialization dataWithJSONObject:dictionary.get() options:NSJSONWritingSortedKeys error:nil];
+    return [NSJSONSerialization dataWithJSONObject:dictionary.get() options:(NSJSONWritingSortedKeys | NSJSONWritingWithoutEscapingSlashes) error:nil];
 }
 
 static Vector<uint8_t> produceClientDataJsonHash(NSData *clientDataJson)
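Review bot: The serialization on the new line is still returned unchecked with `error:nil`, so any failure inside NSJSONSerialization hands a nil NSData to the caller, which from the next line looks like it goes straight into produceClientDataJsonHash; passing an `NSError *` and asserting a non-nil result (`NSError *error; auto data = [NSJSONSerialization ... error:&error]; ASSERT(data);`) would make such a failure visible instead of silently signing an empty payload. The reason for the new option is also not recorded in the code; a comment such as `// Origins carry a scheme ("https://..."); keep "/" unescaped so the origin in clientDataJSON matches what relying parties compare against.` above the return would preserve it. `NSJSONWritingWithoutEscapingSlashes` is newer than `NSJSONWritingSortedKeys`, so it is worth confirming it is available on every deployment target this file builds for. The body of produceClientDataJson starts outside this hunk.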

Modified: trunk/Tools/ChangeLog (279855 => 279856)


--- trunk/Tools/ChangeLog	2021-07-12 23:07:14 UTC (rev 279855)
+++ trunk/Tools/ChangeLog	2021-07-12 23:43:14 UTC (rev 279856)
@@ -1,3 +1,27 @@
+2021-07-12  Garrett Davidson  <[email protected]>
+
+        _WKWebAuthenticationPanel escapes slashes in origin
+        https://bugs.webkit.org/show_bug.cgi?id=227724
+        rdar://80232742
+
+        Reviewed by Kate Cheney.
+
+        Update both the makeCredential and getAssertion tests to use an origin.
+
+        WebAuthenticationPanel.GetAssertionLA:
+        This test wasn't using an origin or RPID. Update it to use both. This means both
+        clientDataJSON and authenticatorData changed. Update both to the new expected
+        values, using as much plaintext as possible.
+
+        WebAuthenticationPanel.MakeCredentialLA:
+        This test should have caught this issue, but the origin being passed here isn't
+        valid, because it didn't have a scheme. Per the WebAuthn spec, origins used by
+        WebAuthn MUST start with "https://". Also update this test to use plaintext
+        instead of base64 for clientDataJSON.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+        (TestWebKitAPI::TEST):
+
 2021-07-12  Tim Horton  <[email protected]>
 
         BifurcatedGraphicsContext can't draw text

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (279855 => 279856)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm	2021-07-12 23:07:14 UTC (rev 279855)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm	2021-07-12 23:43:14 UTC (rev 279856)
@@ -1776,7 +1776,7 @@
     auto delegate = adoptNS([[TestWebAuthenticationPanelDelegate alloc] init]);
     [panel setDelegate:delegate.get()];
 
-    [panel makeCredentialWithChallenge:nsHash.get() origin:@"example.com" options:options.get() completionHandler:^(_WKAuthenticatorAttestationResponse *response, NSError *error) {
+    [panel makeCredentialWithChallenge:nsHash.get() origin:@"https://example.com" options:options.get() completionHandler:^(_WKAuthenticatorAttestationResponse *response, NSError *error) {
         webAuthenticationPanelRan = true;
         cleanUpKeychain("example.com");
 
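Review bot: The relying-party literal `"example.com"` is now repeated as the origin host and the cleanUpKeychain argument here, and again in the @@ -1897 and @@ -1910 hunks as the keychain label, the relying-party identifier, the origin host and the hashed value, so a later edit to one of them leaves the others silently inconsistent. If the file does not already have one, a file-static constant alongside the existing `testES256PrivateKeyBase64`/`testUserEntityBundleBase64` names, e.g. `static NSString * const testRPID = @"example.com";` with `testRPID.UTF8String` at the C-string call sites, keeps them tied together. The enclosing TEST body starts before this hunk.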
@@ -1784,7 +1784,7 @@
         EXPECT_NULL(error);
 
         EXPECT_NOT_NULL(response);
-        EXPECT_WK_STREQ([response.clientDataJSON base64EncodedStringWithOptions:0], "eyJjaGFsbGVuZ2UiOiJBUUlEQkFFQ0F3UUJBZ01FQVFJREJBRUNBd1FCQWdNRUFRSURCQUVDQXdRIiwib3JpZ2luIjoiZXhhbXBsZS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0=");
+        EXPECT_WK_STREQ([[NSString alloc] initWithData:response.clientDataJSON encoding:NSUTF8StringEncoding], "{\"challenge\":\"AQIDBAECAwQBAgMEAQIDBAECAwQBAgMEAQIDBAECAwQ\",\"origin\":\"https://example.com\",\"type\":\"webauthn.create\"}");
         EXPECT_WK_STREQ([response.rawId base64EncodedStringWithOptions:0], "SMSXHngF7hEOsElA73C3RY+8bR4=");
         EXPECT_NULL(response.extensions);
         EXPECT_WK_STREQ([response.attestationObject base64EncodedStringWithOptions:0], "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYo3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdFAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEjElx54Be4RDrBJQO9wt0WPvG0epQECAyYgASFYIDj/zxSkzKgaBuS3cdWDF558of8AaIpgFpsjF/Qm1749IlggVBJPgqUIwfhWHJ91nb7UPH76c0+WFOzZKslPyyFse4g=");
@@ -1897,13 +1897,13 @@
 {
     reset();
 
-    ASSERT_TRUE(addKeyToKeychain(testES256PrivateKeyBase64, "", testUserEntityBundleBase64));
+    ASSERT_TRUE(addKeyToKeychain(testES256PrivateKeyBase64, "example.com", testUserEntityBundleBase64));
 
     uint8_t hash[] = { 0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04 };
     NSData *nsHash = [NSData dataWithBytes:hash length:sizeof(hash)];
 
     auto options = adoptNS([[_WKPublicKeyCredentialRequestOptions alloc] init]);
-    [options setRelyingPartyIdentifier:@""];
+    [options setRelyingPartyIdentifier:@"example.com"];
 
     auto panel = adoptNS([[_WKWebAuthenticationPanel alloc] init]);
     [panel setMockConfiguration:@{ }];
@@ -1910,17 +1910,32 @@
     auto delegate = adoptNS([[TestWebAuthenticationPanelDelegate alloc] init]);
     [panel setDelegate:delegate.get()];
 
-    [panel getAssertionWithChallenge:nsHash origin:@"" options:options.get() completionHandler:^(_WKAuthenticatorAssertionResponse *response, NSError *error) {
+    [panel getAssertionWithChallenge:nsHash origin:@"https://example.com" options:options.get() completionHandler:^(_WKAuthenticatorAssertionResponse *response, NSError *error) {
         webAuthenticationPanelRan = true;
-        cleanUpKeychain("");
+        cleanUpKeychain("example.com");
 
         EXPECT_NULL(error);
 
         EXPECT_NOT_NULL(response);
-        EXPECT_WK_STREQ([[NSString alloc] initWithData:response.clientDataJSON encoding:NSUTF8StringEncoding], "{\"challenge\":\"AQIDBAECAwQBAgMEAQIDBAECAwQBAgMEAQIDBAECAwQ\",\"origin\":\"\",\"type\":\"webauthn.get\"}");
+        EXPECT_WK_STREQ([[NSString alloc] initWithData:response.clientDataJSON encoding:NSUTF8StringEncoding], "{\"challenge\":\"AQIDBAECAwQBAgMEAQIDBAECAwQBAgMEAQIDBAECAwQ\",\"origin\":\"https://example.com\",\"type\":\"webauthn.get\"}");
         EXPECT_WK_STREQ([response.rawId base64EncodedStringWithOptions:0], "SMSXHngF7hEOsElA73C3RY+8bR4=");
         EXPECT_NULL(response.extensions);
-        EXPECT_WK_STREQ([response.authenticatorData base64EncodedStringWithOptions:0], "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFUFAAAAAA==");
+
+        // echo -n "example.com" | shasum -a 256 | xxd -r -p | base64
+        NSString *base64RPIDHash = @"o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUc=";
+        constexpr uint8_t additionalAuthenticatorData[] = {
+            0x05, // 'flags': UV=1, UP=1
+
+            // 32-bit 'signCount'
+            0x00,
+            0x00,
+            0x00,
+            0x00,
+        };
+        NSMutableData *expectedAuthenticatorData = [[NSMutableData alloc] initWithBase64EncodedString:base64RPIDHash options:0];
+        [expectedAuthenticatorData appendBytes:additionalAuthenticatorData length:sizeof(additionalAuthenticatorData)];
+
+        EXPECT_WK_STREQ([response.authenticatorData base64EncodedStringWithOptions:0], [expectedAuthenticatorData base64EncodedStringWithOptions:0]);
         EXPECT_NOT_NULL(response.signature);
         EXPECT_WK_STREQ([response.userHandle base64EncodedStringWithOptions:0], "AAECAwQFBgcICQ==");
     }];
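Review bot: The origin host and the relying-party identifier are both `example.com`, so the new authenticatorData expectation cannot tell whether the rpIdHash is SHA-256 of the RP ID or of the origin's host; a variant with origin `https://login.example.com` and RP ID `example.com` would pin that the hash covers the RP ID, which is the value the relying party actually checks. `initWithBase64EncodedString:options:` returns nil on malformed input and `appendBytes:length:` on nil is a no-op, so a typo in `base64RPIDHash` would surface only as a confusing string mismatch; an `EXPECT_NOT_NULL(expectedAuthenticatorData);` before the comparison makes that case explicit. The flags comment `// 'flags': UV=1, UP=1` is accurate for 0x05 (bits 0 and 2), which is a useful precedent for the other byte-level expectations in this file. The enclosing TEST body ends outside this hunk.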