Changeset 291176 in webkit

Timestamp:

Mar 11, 2022 9:49:14 AM (4 months ago)

Author:

J Pascoe

Message:

[WebAuthn] Support authenticatorSelection.residentKey ResidentKeyRequirement
​https://bugs.webkit.org/show_bug.cgi?id=237567
rdar://89788378

Reviewed by Brent Fulgham and Chris Dumez.

Source/WebCore:

In Web Authentication level one, relying parties can specify authenticatorSelection.residentKeyRequired,
to signify they require a client-side discoverable credential. However, if the authenticator does not
support client-side discoverable credentials, the rp has no way to clarify they want a client-side
discoverable credential only if available.

This patch implements authenticatorSelection.residentKeyRequired introduced in level 2, which has three
values 'Preferred', 'Required', and 'Discouraged'. This allows RPs to create a client-side discoverable
credential if possible.

• CMakeLists.txt:
• DerivedSources-input.xcfilelist:
• DerivedSources-output.xcfilelist:
• DerivedSources.make:
• Modules/webauthn/PublicKeyCredentialCreationOptions.h:

(WebCore::PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria::encode const):
(WebCore::PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria::decode):

• Modules/webauthn/PublicKeyCredentialCreationOptions.idl:
• Modules/webauthn/ResidentKeyRequirement.h: Copied from Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm.
• Modules/webauthn/ResidentKeyRequirement.idl: Copied from Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm.
• Modules/webauthn/fido/AuthenticatorSupportedOptions.cpp:

(fido::AuthenticatorSupportedOptions::setResidentKeyAvailability):
(fido::convertToCBOR):
(fido::AuthenticatorSupportedOptions::setSupportsResidentKey): Deleted.

• Modules/webauthn/fido/AuthenticatorSupportedOptions.h:
• Modules/webauthn/fido/DeviceRequestConverter.cpp:

(fido::encodeMakeCredenitalRequestAsCBOR):

• Modules/webauthn/fido/DeviceRequestConverter.h:
• Modules/webauthn/fido/DeviceResponseConverter.cpp:

(fido::readCTAPGetInfoResponse):

• Sources.txt:
• WebCore.xcodeproj/project.pbxproj:

Source/WebKit:

In Web Authentication level one, relying parties can specify authenticatorSelection.residentKeyRequired,
to signify they require a client-side discoverable credential. However, if the authenticator does not
support client-side discoverable credentials, the rp has no way to clarify they want a client-side
discoverable credential only if available.

This patch implements authenticatorSelection.residentKeyRequired introduced in level 2, which has three
values 'Preferred', 'Required', and 'Discouraged'. This allows RPs to create a client-side discoverable
credential if possible.

• UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.h:
• UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm:

(-[_WKAuthenticatorSelectionCriteria init]):

• UIProcess/API/Cocoa/_WKResidentKeyRequirement.h: Copied from Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm.
• UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:

(residentKey):
(authenticatorSelectionCriteria):
(+[_WKWebAuthenticationPanel encodeMakeCredentialCommandWithClientDataJSON:options:userVerificationAvailability:]):
(+[_WKWebAuthenticationPanel encodeMakeCredentialCommandWithClientDataHash:options:userVerificationAvailability:]):

• UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:

(WebKit::CtapAuthenticator::makeCredential):

• WebKit.xcodeproj/project.pbxproj:

Tools:

Add API tests for authenticatorSelection.residentKey.

• TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:

(TestWebKitAPI::TEST):

• TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp:

(TestWebKitAPI::TEST):

LayoutTests:

Add layout tests using residentKey field.

• http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt:
• http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
• http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt:
• http/wpt/webauthn/public-key-credential-create-success-hid.https.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html (modified) (1 diff)
• Source/WebCore/CMakeLists.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/DerivedSources-input.xcfilelist (modified) (1 diff)
• Source/WebCore/DerivedSources-output.xcfilelist (modified) (1 diff)
• Source/WebCore/DerivedSources.make (modified) (1 diff)
• Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.h (modified) (4 diffs)
• Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.idl (modified) (1 diff)
• Source/WebCore/Modules/webauthn/ResidentKeyRequirement.h (copied) (copied from trunk/Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm) (2 diffs)
• Source/WebCore/Modules/webauthn/ResidentKeyRequirement.idl (copied) (copied from trunk/Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm) (2 diffs)
• Source/WebCore/Modules/webauthn/fido/AuthenticatorSupportedOptions.cpp (modified) (2 diffs)
• Source/WebCore/Modules/webauthn/fido/AuthenticatorSupportedOptions.h (modified) (4 diffs)
• Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp (modified) (3 diffs)
• Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h (modified) (1 diff)
• Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp (modified) (1 diff)
• Source/WebCore/Sources.txt (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.h (modified) (2 diffs)
• Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm (modified) (1 diff)
• Source/WebKit/UIProcess/API/Cocoa/_WKResidentKeyRequirement.h (copied) (copied from trunk/Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm) (2 diffs)
• Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (modified) (3 diffs)
• Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp (modified) (1 diff)
• Source/WebKit/WebKit.xcodeproj/project.pbxproj (modified) (5 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp (modified) (5 diffs)
• Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2022-03-11  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Support authenticatorSelection.residentKey ResidentKeyRequirement
+        https://bugs.webkit.org/show_bug.cgi?id=237567
+        rdar://89788378
+
+        Reviewed by Brent Fulgham and Chris Dumez.
+
+        Add layout tests using residentKey field.
+
+        * http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
+
 2022-03-11  Don Olmstead  <don.olmstead@sony.com>
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events.
@@ -8 +9 @@
 PASS PublicKeyCredential's [[create]] with malicious payload in a mock hid authenticator.
 PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator.
+PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2
 PASS PublicKeyCredential's [[create]] with mixed options in a mock hid authenticator.
 PASS PublicKeyCredential's [[create]] with mixed options in a mock hid authenticator. 2

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html

@@ -86 +86 @@
                 challenge: asciiToUint8Array("123456"),
                 pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                authenticatorSelection: { residentKey: "required" }
+            }
+        };
+
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
+        return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Unknown internal error. Error code: 43");
+    }, "PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2");
+
+    promise_test(function(t) {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: asciiToUint8Array("123456"),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
                 timeout: 10,
                 authenticatorSelection: { authenticatorAttachment: "platform", requireResidentKey: true, userVerification: "required" }

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events.
+CONSOLE MESSAGE: User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events.
+CONSOLE MESSAGE: User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events.
@@ -17 +20 @@
 PASS PublicKeyCredential's [[create]] with authenticatorSelection { 'cross-platform' } in a mock hid authenticator.
 PASS PublicKeyCredential's [[create]] with requireResidentKey { false } in a mock hid authenticator.
+PASS PublicKeyCredential's [[create]] with residentKey { Discouraged } in a mock hid authenticator.
+PASS PublicKeyCredential's [[create]] with residentKey { Preferred } in a mock hid authenticator.
+PASS PublicKeyCredential's [[create]] with residentKey { Required } in a mock hid authenticator.
 PASS PublicKeyCredential's [[create]] with userVerification { 'preferred' } in a mock hid authenticator.
 PASS PublicKeyCredential's [[create]] with userVerification { 'discouraged' } in a mock hid authenticator.

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html

@@ -113 +113 @@
                 challenge: Base64URL.parse("MTIzNDU2"),
                 pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                authenticatorSelection: { residentKey: "discouraged" },
+                timeout: 100
+            }
+        };
+
+        return navigator.credentials.create(options).then(credential => {
+            checkCtapMakeCredentialResult(credential);
+        });
+    }, "PublicKeyCredential's [[create]] with residentKey { Discouraged } in a mock hid authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                authenticatorSelection: { residentKey: "preferred" },
+                timeout: 100
+            }
+        };
+
+        return navigator.credentials.create(options).then(credential => {
+            checkCtapMakeCredentialResult(credential);
+        });
+    }, "PublicKeyCredential's [[create]] with residentKey { Preferred } in a mock hid authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                authenticatorSelection: { residentKey: "required" },
+                timeout: 100
+            }
+        };
+
+        return navigator.credentials.create(options).then(credential => {
+            checkCtapMakeCredentialResult(credential);
+        });
+    }, "PublicKeyCredential's [[create]] with residentKey { Required } in a mock hid authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
                 authenticatorSelection: { userVerification: "preferred" },
                 timeout: 100

trunk/Source/WebCore/CMakeLists.txt

@@ -666 +666 @@
     Modules/webauthn/PublicKeyCredentialRequestOptions.idl
     Modules/webauthn/PublicKeyCredentialType.idl
+    Modules/webauthn/ResidentKeyRequirement.idl
     Modules/webauthn/UserVerificationRequirement.idl
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-03-11  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Support authenticatorSelection.residentKey ResidentKeyRequirement
+        https://bugs.webkit.org/show_bug.cgi?id=237567
+        rdar://89788378
+
+        Reviewed by Brent Fulgham and Chris Dumez.
+
+        In Web Authentication level one, relying parties can specify authenticatorSelection.residentKeyRequired,
+        to signify they require a client-side discoverable credential. However, if the authenticator does not
+        support client-side discoverable credentials, the rp has no way to clarify they want a client-side
+        discoverable credential only if available.
+
+        This patch implements authenticatorSelection.residentKeyRequired introduced in level 2, which has three
+        values 'Preferred', 'Required', and 'Discouraged'. This allows RPs to create a client-side discoverable
+        credential if possible.
+
+        * CMakeLists.txt:
+        * DerivedSources-input.xcfilelist:
+        * DerivedSources-output.xcfilelist:
+        * DerivedSources.make:
+        * Modules/webauthn/PublicKeyCredentialCreationOptions.h:
+        (WebCore::PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria::encode const):
+        (WebCore::PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria::decode):
+        * Modules/webauthn/PublicKeyCredentialCreationOptions.idl:
+        * Modules/webauthn/ResidentKeyRequirement.h: Copied from Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm.
+        * Modules/webauthn/ResidentKeyRequirement.idl: Copied from Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm.
+        * Modules/webauthn/fido/AuthenticatorSupportedOptions.cpp:
+        (fido::AuthenticatorSupportedOptions::setResidentKeyAvailability):
+        (fido::convertToCBOR):
+        (fido::AuthenticatorSupportedOptions::setSupportsResidentKey): Deleted.
+        * Modules/webauthn/fido/AuthenticatorSupportedOptions.h:
+        * Modules/webauthn/fido/DeviceRequestConverter.cpp:
+        (fido::encodeMakeCredenitalRequestAsCBOR):
+        * Modules/webauthn/fido/DeviceRequestConverter.h:
+        * Modules/webauthn/fido/DeviceResponseConverter.cpp:
+        (fido::readCTAPGetInfoResponse):
+        * Sources.txt:
+        * WebCore.xcodeproj/project.pbxproj:
+
 2022-03-11  Ben Nham  <nham@apple.com>
 

trunk/Source/WebCore/DerivedSources-input.xcfilelist

@@ -752 +752 @@
 $(PROJECT_DIR)/Modules/webauthn/PublicKeyCredentialRequestOptions.idl
 $(PROJECT_DIR)/Modules/webauthn/PublicKeyCredentialType.idl
+$(PROJECT_DIR)/Modules/webauthn/ResidentKeyRequirement.idl
 $(PROJECT_DIR)/Modules/webauthn/UserVerificationRequirement.idl
 $(PROJECT_DIR)/Modules/webcodecs/VideoColorPrimaries.idl

trunk/Source/WebCore/DerivedSources-output.xcfilelist

@@ -2116 +2116 @@
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSRequestCookieConsentOptions.cpp
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSRequestCookieConsentOptions.h
+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSResidentKeyRequirement.cpp
+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSResidentKeyRequirement.h
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSResizeObserver.cpp
 $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSResizeObserver.h

trunk/Source/WebCore/DerivedSources.make

@@ -648 +648 @@
     $(WebCore)/Modules/webauthn/PublicKeyCredentialRequestOptions.idl \
     $(WebCore)/Modules/webauthn/PublicKeyCredentialType.idl \
+    $(WebCore)/Modules/webauthn/ResidentKeyRequirement.idl \
     $(WebCore)/Modules/webauthn/UserVerificationRequirement.idl \
         $(WebCore)/Modules/webcodecs/VideoColorPrimaries.idl \

trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.h

@@ -32 +32 @@
 #include "PublicKeyCredentialDescriptor.h"
 #include "PublicKeyCredentialType.h"
+#include "ResidentKeyRequirement.h"
 #include "UserVerificationRequirement.h"
 #include <wtf/Forward.h>
@@ -66 +67 @@
     struct AuthenticatorSelectionCriteria {
         std::optional<AuthenticatorAttachment> authenticatorAttachment;
+        // residentKey replaces requireResidentKey, see: https://www.w3.org/TR/webauthn-2/#dictionary-authenticatorSelection
+        std::optional<ResidentKeyRequirement> residentKey;
         bool requireResidentKey { false };
         UserVerificationRequirement userVerification { UserVerificationRequirement::Preferred };
@@ -111 +114 @@
 void PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria::encode(Encoder& encoder) const
 {
-    encoder << authenticatorAttachment << requireResidentKey << userVerification;
+    encoder << authenticatorAttachment << requireResidentKey << userVerification << residentKey;
 }
 
@@ -133 +136 @@
     if (!decoder.decode(result.userVerification))
         return std::nullopt;
+
+    std::optional<std::optional<ResidentKeyRequirement>> residentKey;
+    decoder >> residentKey;
+    if (!residentKey)
+        return std::nullopt;
+    result.residentKey = *residentKey;
+
     return result;
 }

trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.idl

@@ -73 +73 @@
 ] dictionary AuthenticatorSelectionCriteria {
     AuthenticatorAttachment      authenticatorAttachment;
+    ResidentKeyRequirement       residentKey;
     boolean                      requireResidentKey = false;
     UserVerificationRequirement  userVerification = "preferred";

trunk/Source/WebCore/Modules/webauthn/ResidentKeyRequirement.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -24 +24 @@
  */
 
-#import "config.h"
-#import "_WKAuthenticatorSelectionCriteria.h"
+#pragma once
 
-@implementation _WKAuthenticatorSelectionCriteria
+#if ENABLE(WEB_AUTHN)
 
-- (instancetype)init
-{
-    if (!(self = [super init]))
-        return nil;
+#include <wtf/EnumTraits.h>
 
-    self.authenticatorAttachment = _WKAuthenticatorAttachmentAll;
-    self.requireResidentKey = NO;
-    self.userVerification = _WKUserVerificationRequirementPreferred;
-    return self;
-}
+namespace WebCore {
 
-@end
+enum class ResidentKeyRequirement : uint8_t {
+    Required,
+    Preferred,
+    Discouraged
+};
+
+} // namespace WebCore
+
+namespace WTF {
+
+template<> struct EnumTraits<WebCore::ResidentKeyRequirement> {
+    using values = EnumValues<
+        WebCore::ResidentKeyRequirement,
+        WebCore::ResidentKeyRequirement::Required,
+        WebCore::ResidentKeyRequirement::Preferred,
+        WebCore::ResidentKeyRequirement::Discouraged
+    >;
+};
+
+} // namespace WTF
+
+#endif // ENABLE(WEB_AUTHN)

trunk/Source/WebCore/Modules/webauthn/ResidentKeyRequirement.idl

@@ -1 +1 @@
 /*
- * Copyright (C) 2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -24 +24 @@
  */
 
-#import "config.h"
-#import "_WKAuthenticatorSelectionCriteria.h"
-
-@implementation _WKAuthenticatorSelectionCriteria
-
-- (instancetype)init
-{
-    if (!(self = [super init]))
-        return nil;
-
-    self.authenticatorAttachment = _WKAuthenticatorAttachmentAll;
-    self.requireResidentKey = NO;
-    self.userVerification = _WKUserVerificationRequirementPreferred;
-    return self;
-}
-
-@end
+[
+    Conditional=WEB_AUTHN,
+    ImplementedAs=ResidentKeyRequirement
+] enum ResidentKeyRequirement {
+    "required",
+    "preferred",
+    "discouraged"
+};

trunk/Source/WebCore/Modules/webauthn/fido/AuthenticatorSupportedOptions.cpp

@@ -37 +37 @@
 namespace fido {
 
-AuthenticatorSupportedOptions& AuthenticatorSupportedOptions::setSupportsResidentKey(bool supportsResidentKey)
+AuthenticatorSupportedOptions& AuthenticatorSupportedOptions::setResidentKeyAvailability(ResidentKeyAvailability residentKeyAvailability)
 {
-    m_supportsResidentKey = supportsResidentKey;
+    m_residentKeyAvailability = residentKeyAvailability;
     return *this;
 }
@@ -72 +72 @@
 
     CBORValue::MapValue optionMap;
-    optionMap.emplace(CBORValue(kResidentKeyMapKey), CBORValue(options.supportsResidentKey()));
+    optionMap.emplace(CBORValue(kResidentKeyMapKey), CBORValue(options.residentKeyAvailability() == AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported));
     optionMap.emplace(CBORValue(kUserPresenceMapKey), CBORValue(options.userPresenceRequired()));
     optionMap.emplace(CBORValue(kPlatformDeviceMapKey), CBORValue(options.isPlatformDevice()));

trunk/Source/WebCore/Modules/webauthn/fido/AuthenticatorSupportedOptions.h

@@ -52 +52 @@
     };
 
+    enum class ResidentKeyAvailability : bool {
+        kSupported,
+        kNotSupported
+    };
+
     enum class ClientPinAvailability {
         kSupportedAndPinSet,
@@ -63 +68 @@
 
     AuthenticatorSupportedOptions& setIsPlatformDevice(bool);
-    AuthenticatorSupportedOptions& setSupportsResidentKey(bool);
+    AuthenticatorSupportedOptions& setResidentKeyAvailability(ResidentKeyAvailability);
     AuthenticatorSupportedOptions& setUserVerificationAvailability(UserVerificationAvailability);
     AuthenticatorSupportedOptions& setUserPresenceRequired(bool);
@@ -69 +74 @@
 
     bool isPlatformDevice() const { return m_isPlatformDevice; }
-    bool supportsResidentKey() const { return m_supportsResidentKey; }
-    UserVerificationAvailability userVerificationAvailability() const { return m_userVerificationAvailability; }
+    ResidentKeyAvailability residentKeyAvailability() const { return m_residentKeyAvailability; };
+    UserVerificationAvailability userVerificationAvailability() const { return m_userVerificationAvailability; };
     bool userPresenceRequired() const { return m_userPresenceRequired; }
     ClientPinAvailability clientPinAvailability() const { return m_clientPinAvailability; }
@@ -81 +86 @@
     // and therefore can satisfy the authenticatorGetAssertion request with
     // allowList parameter not specified or empty.
-    bool m_supportsResidentKey { false };
+    ResidentKeyAvailability m_residentKeyAvailability { ResidentKeyAvailability::kNotSupported };
     // Indicates whether the device is capable of verifying the user on its own.
     UserVerificationAvailability m_userVerificationAvailability { UserVerificationAvailability::kNotSupported };

trunk/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp

@@ -36 +36 @@
 #include "PublicKeyCredentialCreationOptions.h"
 #include "PublicKeyCredentialRequestOptions.h"
+#include "ResidentKeyRequirement.h"
 #include <wtf/Vector.h>
 
@@ -86 +87 @@
 }
 
-Vector<uint8_t> encodeMakeCredenitalRequestAsCBOR(const Vector<uint8_t>& hash, const PublicKeyCredentialCreationOptions& options, UVAvailability uvCapability, std::optional<PinParameters> pin)
+Vector<uint8_t> encodeMakeCredenitalRequestAsCBOR(const Vector<uint8_t>& hash, const PublicKeyCredentialCreationOptions& options, UVAvailability uvCapability, AuthenticatorSupportedOptions::ResidentKeyAvailability residentKeyAvailability, std::optional<PinParameters> pin)
 {
     CBORValue::MapValue cborMap;
@@ -103 +104 @@
     if (options.authenticatorSelection) {
         // Resident keys are not supported by default.
-        if (options.authenticatorSelection->requireResidentKey)
+        if (options.authenticatorSelection->residentKey) {
+            if (*options.authenticatorSelection->residentKey == ResidentKeyRequirement::Required
+                || (*options.authenticatorSelection->residentKey == ResidentKeyRequirement::Preferred && residentKeyAvailability == AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported))
+                optionMap[CBORValue(kResidentKeyMapKey)] = CBORValue(true);
+        } else if (options.authenticatorSelection->requireResidentKey)
             optionMap[CBORValue(kResidentKeyMapKey)] = CBORValue(true);
 

trunk/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h

@@ -51 +51 @@
 // integer keys and CBOR encoded values as defined by the CTAP spec.
 // https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html#authenticatorMakeCredential
-WEBCORE_EXPORT Vector<uint8_t> encodeMakeCredenitalRequestAsCBOR(const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialCreationOptions&, AuthenticatorSupportedOptions::UserVerificationAvailability, std::optional<PinParameters> = std::nullopt);
+WEBCORE_EXPORT Vector<uint8_t> encodeMakeCredenitalRequestAsCBOR(const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialCreationOptions&, AuthenticatorSupportedOptions::UserVerificationAvailability, AuthenticatorSupportedOptions::ResidentKeyAvailability, std::optional<PinParameters> = std::nullopt);
 
 // Serializes GetAssertion request parameter into CBOR encoded map with

trunk/Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp

@@ -265 +265 @@
             if (!optionMapIt->second.isBool())
                 return std::nullopt;
-
-            options.setSupportsResidentKey(optionMapIt->second.getBool());
+            if (optionMapIt->second.getBool())
+                options.setResidentKeyAvailability(AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported);
+            else
+                options.setResidentKeyAvailability(AuthenticatorSupportedOptions::ResidentKeyAvailability::kNotSupported);
         }
 

trunk/Source/WebCore/Sources.txt

@@ -3702 +3702 @@
 JSRequestAnimationFrameCallback.cpp
 JSRequestCookieConsentOptions.cpp
+JSResidentKeyRequirement.cpp
 JSResizeObserver.cpp
 JSResizeObserverBoxOptions.cpp

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -1730 +1730 @@
                 51FB5504113E3E9100821176 /* JSCloseEvent.h in Headers */ = {isa = PBXBuildFile; fileRef = 51FB5502113E3E9100821176 /* JSCloseEvent.h */; };
                 51FB67DC1AE6B82F00D06C5A /* ContentExtensionStyleSheet.h in Headers */ = {isa = PBXBuildFile; fileRef = 51FB67DA1AE6B5E400D06C5A /* ContentExtensionStyleSheet.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                52688AA627D6A7DA003577A2 /* ResidentKeyRequirement.h in Headers */ = {isa = PBXBuildFile; fileRef = 52688AA327D6A7DA003577A2 /* ResidentKeyRequirement.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 5273CC77256103CF00850007 /* PlatformXRCocoa.h in Headers */ = {isa = PBXBuildFile; fileRef = 5273CC75256103CF00850007 /* PlatformXRCocoa.h */; };
                 5273CC8E25637EB500850007 /* WebXRTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E18D83E0243F71CE009247D6 /* WebXRTest.cpp */; };
@@ -10067 +10068 @@
                 526724F11CB2FDF60075974D /* TextTrackRepresentationCocoa.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = TextTrackRepresentationCocoa.mm; sourceTree = "<group>"; };
                 526724F21CB2FDF60075974D /* TextTrackRepresentationCocoa.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TextTrackRepresentationCocoa.h; sourceTree = "<group>"; };
+                52688AA327D6A7DA003577A2 /* ResidentKeyRequirement.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ResidentKeyRequirement.h; sourceTree = "<group>"; };
+                52688AA527D6A7DA003577A2 /* ResidentKeyRequirement.idl */ = {isa = PBXFileReference; lastKnownFileType = text; path = ResidentKeyRequirement.idl; sourceTree = "<group>"; };
                 5273CC74256103CF00850007 /* PlatformXRCocoa.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = PlatformXRCocoa.mm; sourceTree = "<group>"; };
                 5273CC75256103CF00850007 /* PlatformXRCocoa.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = PlatformXRCocoa.h; sourceTree = "<group>"; };
@@ -23315 +23318 @@
                                 57303BEA20097F4000355965 /* PublicKeyCredentialType.h */,
                                 57303BF02009846100355965 /* PublicKeyCredentialType.idl */,
+                                52688AA327D6A7DA003577A2 /* ResidentKeyRequirement.h */,
+                                52688AA527D6A7DA003577A2 /* ResidentKeyRequirement.idl */,
                                 572B402321768D85000AD43E /* UserVerificationRequirement.h */,
                                 572B402521768D85000AD43E /* UserVerificationRequirement.idl */,
@@ -37063 +37068 @@
                                 F4034FAC275EAD6E003A81F8 /* RequestCookieConsentOptions.h in Headers */,
                                 F55B3DD01251F12D003EF269 /* ResetInputType.h in Headers */,
+                                52688AA627D6A7DA003577A2 /* ResidentKeyRequirement.h in Headers */,
                                 58B2F9F42232D45300938D63 /* ResizeObservation.h in Headers */,
                                 58B2F9F52232D45800938D63 /* ResizeObserver.h in Headers */,

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2022-03-11  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Support authenticatorSelection.residentKey ResidentKeyRequirement
+        https://bugs.webkit.org/show_bug.cgi?id=237567
+        rdar://89788378
+
+        Reviewed by Brent Fulgham and Chris Dumez.
+
+        In Web Authentication level one, relying parties can specify authenticatorSelection.residentKeyRequired,
+        to signify they require a client-side discoverable credential. However, if the authenticator does not
+        support client-side discoverable credentials, the rp has no way to clarify they want a client-side
+        discoverable credential only if available.
+
+        This patch implements authenticatorSelection.residentKeyRequired introduced in level 2, which has three
+        values 'Preferred', 'Required', and 'Discouraged'. This allows RPs to create a client-side discoverable
+        credential if possible.
+
+        * UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.h:
+        * UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm:
+        (-[_WKAuthenticatorSelectionCriteria init]):
+        * UIProcess/API/Cocoa/_WKResidentKeyRequirement.h: Copied from Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm.
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
+        (residentKey):
+        (authenticatorSelectionCriteria):
+        (+[_WKWebAuthenticationPanel encodeMakeCredentialCommandWithClientDataJSON:options:userVerificationAvailability:]):
+        (+[_WKWebAuthenticationPanel encodeMakeCredentialCommandWithClientDataHash:options:userVerificationAvailability:]):
+        * UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
+        (WebKit::CtapAuthenticator::makeCredential):
+        * WebKit.xcodeproj/project.pbxproj:
+
 2022-03-11  Fujii Hironori  <Hironori.Fujii@sony.com>
 

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.h

@@ -30 +30 @@
 #import <Foundation/Foundation.h>
 #import <WebKit/_WKAuthenticatorAttachment.h>
+#import <WebKit/_WKResidentKeyRequirement.h>
+
 #import <WebKit/_WKUserVerificationRequirement.h>
 
@@ -40 +42 @@
 @property (nonatomic) _WKAuthenticatorAttachment authenticatorAttachment;
 
+/* (@discussion The default value is _WKResidentKeyRequirementNotPresent */
+@property (nonatomic) _WKResidentKeyRequirement residentKey WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+
 /*!@discussion The default value is NO.*/
 @property (nonatomic) BOOL requireResidentKey;

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticatorSelectionCriteria.mm

@@ -35 +35 @@
 
     self.authenticatorAttachment = _WKAuthenticatorAttachmentAll;
+    self.residentKey = _WKResidentKeyRequirementNotPresent;
     self.requireResidentKey = NO;
     self.userVerification = _WKUserVerificationRequirementPreferred;

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKResidentKeyRequirement.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -24 +24 @@
  */
 
-#import "config.h"
-#import "_WKAuthenticatorSelectionCriteria.h"
+#pragma once
 
-@implementation _WKAuthenticatorSelectionCriteria
+#import <WebKit/WKFoundation.h>
 
-- (instancetype)init
-{
-    if (!(self = [super init]))
-        return nil;
-
-    self.authenticatorAttachment = _WKAuthenticatorAttachmentAll;
-    self.requireResidentKey = NO;
-    self.userVerification = _WKUserVerificationRequirementPreferred;
-    return self;
-}
-
-@end
+typedef NS_ENUM(NSInteger, _WKResidentKeyRequirement) {
+    _WKResidentKeyRequirementNotPresent,
+    _WKResidentKeyRequirementRequired,
+    _WKResidentKeyRequirementPreferred,
+    _WKResidentKeyRequirementDiscouraged,
+} WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm

@@ -736 +736 @@
 }
 
+static std::optional<WebCore::ResidentKeyRequirement> toWebCore(_WKResidentKeyRequirement uv)
+{
+    switch (uv) {
+    case _WKResidentKeyRequirementNotPresent:
+        return std::nullopt;
+    case _WKResidentKeyRequirementRequired:
+        return WebCore::ResidentKeyRequirement::Required;
+    case _WKResidentKeyRequirementPreferred:
+        return WebCore::ResidentKeyRequirement::Preferred;
+    case _WKResidentKeyRequirementDiscouraged:
+        return WebCore::ResidentKeyRequirement::Discouraged;
+    default:
+        ASSERT_NOT_REACHED();
+        return WebCore::ResidentKeyRequirement::Preferred;
+    }
+}
+
 static WebCore::PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria authenticatorSelectionCriteria(_WKAuthenticatorSelectionCriteria *authenticatorSelection)
 {
     WebCore::PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria result;
     result.authenticatorAttachment = authenticatorAttachment(authenticatorSelection.authenticatorAttachment);
+    result.residentKey = toWebCore(authenticatorSelection.residentKey);
     result.requireResidentKey = authenticatorSelection.requireResidentKey;
     result.userVerification = userVerification(authenticatorSelection.userVerification);
@@ -931 +949 @@
     auto hash = produceClientDataJsonHash(clientDataJSON);
 
-    auto encodedVector = fido::encodeMakeCredenitalRequestAsCBOR(hash, [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], coreUserVerificationAvailability(userVerificationAvailability), std::nullopt);
+    auto encodedVector = fido::encodeMakeCredenitalRequestAsCBOR(hash, [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], coreUserVerificationAvailability(userVerificationAvailability), fido::AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported, std::nullopt);
     encodedCommand = adoptNS([[NSData alloc] initWithBytes:encodedVector.data() length:encodedVector.size()]);
 #endif
@@ -956 +974 @@
     RetainPtr<NSData> encodedCommand;
 #if ENABLE(WEB_AUTHN)
-    auto encodedVector = fido::encodeMakeCredenitalRequestAsCBOR(vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], coreUserVerificationAvailability(userVerificationAvailability), std::nullopt);
+    auto encodedVector = fido::encodeMakeCredenitalRequestAsCBOR(vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], coreUserVerificationAvailability(userVerificationAvailability), fido::AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported, std::nullopt);
     encodedCommand = adoptNS([[NSData alloc] initWithBytes:encodedVector.data() length:encodedVector.size()]);
 #endif

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp

@@ -97 +97 @@
     auto& options = std::get<PublicKeyCredentialCreationOptions>(requestData().options);
     auto internalUVAvailability = m_info.options().userVerificationAvailability();
+    auto residentKeyAvailability = m_info.options().residentKeyAvailability();
     // If UV is required, then either built-in uv or a pin will work.
     if (internalUVAvailability == UVAvailability::kSupportedAndConfigured && (!options.authenticatorSelection || options.authenticatorSelection->userVerification != UserVerificationRequirement::Discouraged) && m_pinAuth.isEmpty())
-        cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, options, internalUVAvailability);
+        cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, options, internalUVAvailability, residentKeyAvailability);
     else if (m_info.options().clientPinAvailability() == AuthenticatorSupportedOptions::ClientPinAvailability::kSupportedAndPinSet)
-        cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, options, internalUVAvailability, PinParameters { pin::kProtocolVersion, m_pinAuth });
+        cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, options, internalUVAvailability, residentKeyAvailability, PinParameters { pin::kProtocolVersion, m_pinAuth });
     else
-        cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, options, internalUVAvailability);
+        cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, options, internalUVAvailability, residentKeyAvailability);
     driver().transact(WTFMove(cborCmd), [weakThis = WeakPtr { *this }](Vector<uint8_t>&& data) {
         ASSERT(RunLoop::isMain());

trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj

@@ -1082 +1082 @@
                 51FAEC3B1B0657680009C4E7 /* AuxiliaryProcessMessageReceiver.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 51FAEC361B0657310009C4E7 /* AuxiliaryProcessMessageReceiver.cpp */; };
                 51FD18B61651FBAD00DBE1CE /* NetworkResourceLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = 51FD18B41651FBAD00DBE1CE /* NetworkResourceLoader.h */; };
+                52688AB427D7CE40003577A2 /* _WKResidentKeyRequirement.h in Headers */ = {isa = PBXBuildFile; fileRef = 52688AB327D7CE40003577A2 /* _WKResidentKeyRequirement.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 5272D4C91E735F0900EB4290 /* WKProtectionSpaceNS.h in Headers */ = {isa = PBXBuildFile; fileRef = 5272D4C71E735F0900EB4290 /* WKProtectionSpaceNS.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 528C37C1195CBB1A00D8B9CC /* WKBackForwardListPrivate.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A9F28101958F478008CAC72 /* WKBackForwardListPrivate.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4643 +4644 @@
                 51FD18B31651FBAD00DBE1CE /* NetworkResourceLoader.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NetworkResourceLoader.cpp; sourceTree = "<group>"; };
                 51FD18B41651FBAD00DBE1CE /* NetworkResourceLoader.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NetworkResourceLoader.h; sourceTree = "<group>"; };
+                52688AB327D7CE40003577A2 /* _WKResidentKeyRequirement.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = _WKResidentKeyRequirement.h; path = UIProcess/API/Cocoa/_WKResidentKeyRequirement.h; sourceTree = "<group>"; };
                 5272D4C71E735F0900EB4290 /* WKProtectionSpaceNS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = WKProtectionSpaceNS.h; path = mac/WKProtectionSpaceNS.h; sourceTree = "<group>"; };
                 5272D4C81E735F0900EB4290 /* WKProtectionSpaceNS.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = WKProtectionSpaceNS.mm; path = mac/WKProtectionSpaceNS.mm; sourceTree = "<group>"; };
@@ -6981 +6983 @@
                         isa = PBXGroup;
                         children = (
+                                52688AB327D7CE40003577A2 /* _WKResidentKeyRequirement.h */,
                                 5C157A0A2717C9F100ED5280 /* webpushd */,
                                 B396EA5512E0ED2D00F4FEB7 /* config.h */,
@@ -12983 +12986 @@
                                 377216B81A4E6BE000DCA718 /* _WKRenderingProgressEvents.h in Headers */,
                                 1F604BAA1889FBB800EE0395 /* _WKRenderingProgressEventsInternal.h in Headers */,
+                                52688AB427D7CE40003577A2 /* _WKResidentKeyRequirement.h in Headers */,
                                 5CB7AFE023C52CE500E49CF3 /* _WKResourceLoadDelegate.h in Headers */,
                                 5CB7AFE823C69B6100E49CF3 /* _WKResourceLoadInfo.h in Headers */,
@@ -13674 +13678 @@
                                 572EBBC22536A60A000552B3 /* WebAuthnProcessMessages.h in Headers */,
                                 572EBBC92536AFD5000552B3 /* WebAuthnProcessProxy.h in Headers */,
-                                572EBBD02536BB11000552B3 /* WebAuthnProcessProxyMessages.h in Headers */,
                                 F42D634122A0EFDF00D2FB3A /* WebAutocorrectionData.h in Headers */,
                                 990D39F5243BE64800199388 /* WebAutomationDOMWindowObserver.h in Headers */,

trunk/Tools/ChangeLog

@@ +1 @@
+2022-03-11  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Support authenticatorSelection.residentKey ResidentKeyRequirement
+        https://bugs.webkit.org/show_bug.cgi?id=237567
+        rdar://89788378
+
+        Reviewed by Brent Fulgham and Chris Dumez.
+
+        Add API tests for authenticatorSelection.residentKey.
+
+        * TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp:
+        (TestWebKitAPI::TEST):
+
 2022-03-10  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp

@@ -61 +61 @@
 
     Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
-    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, true, UserVerificationRequirement::Preferred };
-
-    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
-    Vector<uint8_t> hash;
-    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, std::nullopt, true, UserVerificationRequirement::Preferred };
+
+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequest));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequest, serializedData.size()), 0);
@@ -84 +84 @@
 
     Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
-    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, false, UserVerificationRequirement::Discouraged };
-
-    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
-    Vector<uint8_t> hash;
-    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, std::nullopt, false, UserVerificationRequirement::Discouraged };
+
+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
@@ -107 +107 @@
 
     Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
-    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, false, UserVerificationRequirement::Required };
-
-    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
-    Vector<uint8_t> hash;
-    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kNotSupported);
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, std::nullopt, false, UserVerificationRequirement::Required };
+
+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kNotSupported, AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
@@ -130 +130 @@
 
     Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
-    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, true, UserVerificationRequirement::Preferred };
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, std::nullopt, true, UserVerificationRequirement::Preferred };
 
     PinParameters pin;
@@ -139 +139 @@
     Vector<uint8_t> hash;
     hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, pin);
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported, pin);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestWithPin));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestWithPin, serializedData.size()), 0);
+}
+
+TEST(CTAPRequestTest, TestConstructMakeCredentialRequestRKPreferred)
+{
+    PublicKeyCredentialCreationOptions::RpEntity rp;
+    rp.name = "Acme";
+    rp.id = "acme.com";
+
+    PublicKeyCredentialCreationOptions::UserEntity user;
+    user.name = "johnpsmith@example.com";
+    user.icon = "https://pics.acme.com/00/p/aBjjjpqPb.png";
+    user.id = WebCore::toBufferSource(TestData::kUserId, sizeof(TestData::kUserId));
+    user.displayName = "John P. Smith";
+
+    Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, ResidentKeyRequirement::Preferred, true, UserVerificationRequirement::Preferred };
+
+    PinParameters pin;
+    pin.protocol = pin::kProtocolVersion;
+    pin.auth.append(TestData::kCtap2PinAuth, sizeof(TestData::kCtap2PinAuth));
+
+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported, pin);
+    EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestWithPin));
+    EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestWithPin, serializedData.size()), 0);
+}
+
+TEST(CTAPRequestTest, TestConstructMakeCredentialRequestRKPreferredNotSupported)
+{
+    PublicKeyCredentialCreationOptions::RpEntity rp;
+    rp.name = "Acme";
+    rp.id = "acme.com";
+
+    PublicKeyCredentialCreationOptions::UserEntity user;
+    user.name = "johnpsmith@example.com";
+    user.icon = "https://pics.acme.com/00/p/aBjjjpqPb.png";
+    user.id = WebCore::toBufferSource(TestData::kUserId, sizeof(TestData::kUserId));
+    user.displayName = "John P. Smith";
+
+    Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, ResidentKeyRequirement::Preferred, true, UserVerificationRequirement::Required };
+
+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kNotSupported, AuthenticatorSupportedOptions::ResidentKeyAvailability::kNotSupported);
+    EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
+    EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
+}
+
+TEST(CTAPRequestTest, TestConstructMakeCredentialRequestRKDiscouraged)
+{
+    PublicKeyCredentialCreationOptions::RpEntity rp;
+    rp.name = "Acme";
+    rp.id = "acme.com";
+
+    PublicKeyCredentialCreationOptions::UserEntity user;
+    user.name = "johnpsmith@example.com";
+    user.icon = "https://pics.acme.com/00/p/aBjjjpqPb.png";
+    user.id = WebCore::toBufferSource(TestData::kUserId, sizeof(TestData::kUserId));
+    user.displayName = "John P. Smith";
+
+    Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { AuthenticatorAttachment::Platform, ResidentKeyRequirement::Discouraged, true, UserVerificationRequirement::Required };
+
+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, std::nullopt, { }, selection, AttestationConveyancePreference::None, std::nullopt };
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kNotSupported, AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported);
+    EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
+    EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
 }
 

trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp

@@ -590 +590 @@
     EXPECT_NE(getInfoResponse->versions().find(ProtocolVersion::kU2f), getInfoResponse->versions().end());
     EXPECT_TRUE(getInfoResponse->options().isPlatformDevice());
-    EXPECT_TRUE(getInfoResponse->options().supportsResidentKey());
+    EXPECT_EQ(AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported, getInfoResponse->options().residentKeyAvailability());
     EXPECT_TRUE(getInfoResponse->options().userPresenceRequired());
     EXPECT_EQ(AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, getInfoResponse->options().userVerificationAvailability());
@@ -605 +605 @@
     EXPECT_NE(getInfoResponse->versions().find(ProtocolVersion::kU2f), getInfoResponse->versions().end());
     EXPECT_TRUE(getInfoResponse->options().isPlatformDevice());
-    EXPECT_TRUE(getInfoResponse->options().supportsResidentKey());
+    EXPECT_EQ(AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported, getInfoResponse->options().residentKeyAvailability());
     EXPECT_TRUE(getInfoResponse->options().userPresenceRequired());
     EXPECT_EQ(AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, getInfoResponse->options().userVerificationAvailability());
@@ -623 +623 @@
     response.setExtensions({ "uvm", "hmac-secret" });
     AuthenticatorSupportedOptions options;
-    options.setSupportsResidentKey(true);
+    options.setResidentKeyAvailability(AuthenticatorSupportedOptions::ResidentKeyAvailability::kSupported);
     options.setIsPlatformDevice(true);
     options.setClientPinAvailability(AuthenticatorSupportedOptions::ClientPinAvailability::kSupportedButPinNotSet);