Changeset 239752 in webkit

Timestamp:

Jan 8, 2019 4:35:39 PM (5 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthN] Support U2F HID Authenticators on macOS
​https://bugs.webkit.org/show_bug.cgi?id=191535
<rdar://problem/47102027>

Reviewed by Brent Fulgham.

Source/WebCore:

This patch changes U2fCommandConstructor to produce register commands with
enforcing test of user presence. Otherwise, authenticators would silently
generate credentials. It also renames readFromU2fSignResponse to
readU2fSignResponse.

Tests: http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html

http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html
http/wpt/webauthn/public-key-credential-create-success-u2f.https.html
http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html
http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html
http/wpt/webauthn/public-key-credential-get-success-u2f.https.html

• Modules/webauthn/fido/U2fCommandConstructor.cpp:

(fido::WebCore::constructU2fRegisterCommand):

• Modules/webauthn/fido/U2fResponseConverter.cpp:

(fido::readU2fSignResponse):
(fido::readFromU2fSignResponse): Deleted.

• Modules/webauthn/fido/U2fResponseConverter.h:

Source/WebKit:

This patch implements the support for U2F authenticators, and enables it for hid devices.
It follows the CTAP spec to map WebAuthN requests to U2F commands and return the responses:
​https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#u2f-interoperability
Most of the parts are done before this patch, this patch focues on: 7.2.2 and 7.3.2.

Besides implementing the U2fHidAuthenticator, this patch also adds support in the mocking
environment for U2F authenticators. It is done by extending the stages in MockHidConnection
from 4 to indefinite as multi-round communications are expected to map WebAuthN requests
to U2F requests.

• Sources.txt:
• UIProcess/API/C/WKWebsiteDataStoreRef.cpp:

(WKWebsiteDataStoreSetWebAuthenticationMockConfiguration):

• UIProcess/WebAuthentication/Cocoa/HidService.mm:

(WebKit::HidService::continueAddDeviceAfterGetInfo):

• UIProcess/WebAuthentication/fido/CtapHidDriver.cpp:

(WebKit::CtapHidDriver::continueAfterChannelAllocated):

• UIProcess/WebAuthentication/fido/CtapHidDriver.h:

(WebKit::CtapHidDriver::setProtocol):

• UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp: Added.

(WebKit::U2fHidAuthenticator::U2fHidAuthenticator):
(WebKit::U2fHidAuthenticator::makeCredential):
(WebKit::U2fHidAuthenticator::checkExcludeList):
(WebKit::U2fHidAuthenticator::issueRegisterCommand):
(WebKit::U2fHidAuthenticator::getAssertion):
(WebKit::U2fHidAuthenticator::issueSignCommand):
(WebKit::U2fHidAuthenticator::issueNewCommand):
(WebKit::U2fHidAuthenticator::issueCommand):
(WebKit::U2fHidAuthenticator::responseReceived):
(WebKit::U2fHidAuthenticator::continueRegisterCommandAfterResponseReceived):
(WebKit::U2fHidAuthenticator::continueCheckOnlyCommandAfterResponseReceived):
(WebKit::U2fHidAuthenticator::continueBogusCommandAfterResponseReceived):
(WebKit::U2fHidAuthenticator::continueSignCommandAfterResponseReceived):

• UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h: Added.
• UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:

(WebKit::MockHidConnection::parseRequest):
(WebKit::MockHidConnection::feedReports):

• UIProcess/WebAuthentication/Mock/MockHidConnection.h:
• UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h:
• WebKit.xcodeproj/project.pbxproj:

Tools:

This patch:
1) adds support for U2F mocking mechanism;
2) updates tests to reflect U2fCommandConstructor changes.

• TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp:

(TestWebKitAPI::TEST):

• TestWebKitAPI/Tests/WebCore/FidoTestData.h:
• WebKitTestRunner/InjectedBundle/TestRunner.cpp:

(WTR::TestRunner::setWebAuthenticationMockConfiguration):

LayoutTests:

Besiding adding tests for U2F authenticators, it also changes payloadBase64 from
a string to a vector of strings. New tests are skipped for iOS.

• http/wpt/webauthn/ctap-hid-failure.https.html:
• http/wpt/webauthn/ctap-hid-success.https.html:
• http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
• http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
• http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https-expected.txt: Added.
• http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html: Added.
• http/wpt/webauthn/public-key-credential-create-failure-u2f.https-expected.txt: Added.
• http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html: Added.
• http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
• http/wpt/webauthn/public-key-credential-create-success-u2f.https-expected.txt: Added.
• http/wpt/webauthn/public-key-credential-create-success-u2f.https.html: Copied from LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html.
• http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
• http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
• http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https-expected.txt: Added.
• http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html: Added.
• http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt: Added.
• http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html: Added.
• http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
• http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt: Added.
• http/wpt/webauthn/public-key-credential-get-success-u2f.https.html: Added.
• http/wpt/webauthn/resources/util.js:
• platform/ios-wk2/TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/ctap-hid-failure.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/ctap-hid-success.https.html (modified) (5 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https-expected.txt (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-u2f.https-expected.txt (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https-expected.txt (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html (copied) (copied from trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html) (7 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https-expected.txt (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html (added)
• LayoutTests/http/wpt/webauthn/resources/util.js (modified) (1 diff)
• LayoutTests/platform/ios-wk2/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.cpp (modified) (1 diff)
• Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp (modified) (1 diff)
• Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Sources.txt (modified) (1 diff)
• Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/HidService.mm (modified) (3 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp (modified) (3 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.h (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp (added)
• Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h (added)
• Source/WebKit/WebKit.xcodeproj/project.pbxproj (modified) (6 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp (modified) (5 diffs)
• Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h (modified) (2 diffs)
• Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-01-08  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Support U2F HID Authenticators on macOS
+        https://bugs.webkit.org/show_bug.cgi?id=191535
+        <rdar://problem/47102027>
+
+        Reviewed by Brent Fulgham.
+
+        Besiding adding tests for U2F authenticators, it also changes payloadBase64 from
+        a string to a vector of strings. New tests are skipped for iOS.
+
+        * http/wpt/webauthn/ctap-hid-failure.https.html:
+        * http/wpt/webauthn/ctap-hid-success.https.html:
+        * http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
+        * http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https-expected.txt: Added.
+        * http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html: Added.
+        * http/wpt/webauthn/public-key-credential-create-failure-u2f.https-expected.txt: Added.
+        * http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html: Added.
+        * http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-create-success-u2f.https-expected.txt: Added.
+        * http/wpt/webauthn/public-key-credential-create-success-u2f.https.html: Copied from LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html.
+        * http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
+        * http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https-expected.txt: Added.
+        * http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html: Added.
+        * http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt: Added.
+        * http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html: Added.
+        * http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt: Added.
+        * http/wpt/webauthn/public-key-credential-get-success-u2f.https.html: Added.
+        * http/wpt/webauthn/resources/util.js:
+        * platform/ios-wk2/TestExpectations:
+
 2019-01-08  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/http/wpt/webauthn/ctap-hid-failure.https.html

@@ -65 +65 @@
     promise_test(function(t) {
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "wrong-channel-id", payloadBase64:testDummyMessagePayloadBase64 } });
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "wrong-channel-id", payloadBase64:[testDummyMessagePayloadBase64] } });
         return promiseRejects(t, "UnknownError", navigator.credentials.create(defaultOptions), "Unknown internal error. Error code: -1");
     }, "CTAP HID with request::msg stage wrong channel id error in a mock hid authenticator.");

trunk/LayoutTests/http/wpt/webauthn/ctap-hid-success.https.html

@@ -22 +22 @@
     promise_test(function(t) {
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: testCreationMessageBase64, keepAlive: true } });
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: [testCreationMessageBase64], keepAlive: true } });
         return navigator.credentials.create(defaultOptions).then(credential => {
             assert_not_equals(credential, undefined);
@@ -31 +31 @@
     promise_test(function(t) {
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: testCreationMessageBase64, fastDataArrival: true } });
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: [testCreationMessageBase64], fastDataArrival: true } });
         return navigator.credentials.create(defaultOptions).then(credential => {
             assert_not_equals(credential, undefined);
@@ -40 +40 @@
     promise_test(function(t) {
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "init", error: "empty-report", payloadBase64: testCreationMessageBase64, continueAfterErrorData: true } });
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "init", error: "empty-report", payloadBase64: [testCreationMessageBase64], continueAfterErrorData: true } });
         return navigator.credentials.create(defaultOptions).then(credential => {
             assert_not_equals(credential, undefined);
@@ -49 +49 @@
     promise_test(function(t) {
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "init", error: "wrong-channel-id", payloadBase64: testCreationMessageBase64, continueAfterErrorData: true } });
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "init", error: "wrong-channel-id", payloadBase64: [testCreationMessageBase64], continueAfterErrorData: true } });
         return navigator.credentials.create(defaultOptions).then(credential => {
             assert_not_equals(credential, undefined);
@@ -58 +58 @@
     promise_test(function(t) {
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "init", error: "wrong-nonce", payloadBase64: testCreationMessageBase64, continueAfterErrorData: true } });
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "info", subStage: "init", error: "wrong-nonce", payloadBase64: [testCreationMessageBase64], continueAfterErrorData: true } });
         return navigator.credentials.create(defaultOptions).then(credential => {
             assert_not_equals(credential, undefined);

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html

@@ -23 +23 @@
 
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: testDummyMessagePayloadBase64 } });
+            testRunner.setWebAuthenticationMockConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: [testDummyMessagePayloadBase64] } });
         return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
     }, "PublicKeyCredential's [[create]] with malicious payload in a mock hid authenticator.");

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html

@@ -47 +47 @@
 
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: testDummyMessagePayloadBase64 } });
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: [testDummyMessagePayloadBase64] } });
         return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Unknown internal error. Error code: -1");
     }, "PublicKeyCredential's [[create]] with malicious payload in a mock hid authenticator.");

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html

@@ -8 +8 @@
     // Default mock configuration. Tests need to override if they need different configuration.
     if (window.testRunner)
-        testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: testCreationMessageBase64 } });
+        testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: [testCreationMessageBase64] } });
 
     function checkResult(credential)

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html

@@ -1 +1 @@
 <!DOCTYPE html>
-<title>Web Authentication API: PublicKeyCredential's [[create]] success cases with a mock hid authenticator.</title>
+<title>Web Authentication API: PublicKeyCredential's [[create]] success cases with a mock u2f authenticator.</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
@@ -6 +6 @@
 <script src="./resources/cbor.js"></script>
 <script>
-    // Default mock configuration. Tests need to override if they need different configuration.
-    if (window.testRunner)
-        testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: testCreationMessageBase64 } });
-
     function checkResult(credential)
     {
         // Check response
-        assert_array_equals(Base64URL.parse(credential.id), Base64URL.parse(testHidCredentialIdBase64));
+        assert_array_equals(Base64URL.parse(credential.id), Base64URL.parse(testU2fCredentialIdBase64));
         assert_equals(credential.type, 'public-key');
-        assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testHidCredentialIdBase64));
+        assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testU2fCredentialIdBase64));
         assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
         assert_throws("NotSupportedError", () => { credential.getClientExtensionResults() });
@@ -21 +17 @@
         // Check attestation
         const attestationObject = CBOR.decode(credential.response.attestationObject);
-        assert_equals(attestationObject.fmt, "packed");
+        assert_equals(attestationObject.fmt, "fido-u2f");
         // Check authData
         const authData = decodeAuthData(attestationObject.authData);
-        assert_equals(bytesToHexString(authData.rpIdHash), "46cc7fb9679d55b2db9092e1c8d9e5e1d02b7580f0b4812c770962e1e48f5ad8");
+        assert_equals(bytesToHexString(authData.rpIdHash), "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763");
         assert_equals(authData.flags, 65);
-        assert_equals(authData.counter, 78);
-        assert_equals(bytesToHexString(authData.aaguid), "f8a011f38c0a4d15800617111f9edc7d");
-        assert_array_equals(authData.credentialID, Base64URL.parse(testHidCredentialIdBase64));
-        // Check packed attestation
-        assert_equals(attestationObject.attStmt.alg, -7);
+        assert_equals(authData.counter, 0);
+        assert_equals(bytesToHexString(authData.aaguid), "00000000000000000000000000000000");
+        assert_array_equals(authData.credentialID, Base64URL.parse(testU2fCredentialIdBase64));
+        // Check fido-u2f attestation
         assert_true(checkPublicKey(authData.publicKey));
         assert_equals(attestationObject.attStmt.x5c.length, 1);
@@ -52 +47 @@
         };
 
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fRegisterResponse] } });
         return navigator.credentials.create(options).then(credential => {
             checkResult(credential);
         });
-    }, "PublicKeyCredential's [[create]] with minimum options in a mock local authenticator.");
+    }, "PublicKeyCredential's [[create]] with minimum options in a mock u2f authenticator.");
 
     promise_test(t => {
@@ -70 +67 @@
                 challenge: Base64URL.parse("MTIzNDU2"),
                 pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                authenticatorSelection: { authenticatorAttachment: "cross-platform" },
+                excludeCredentials: [{ type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }],
                 timeout: 10
             }
         };
 
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fRegisterResponse] } });
         return navigator.credentials.create(options).then(credential => {
             checkResult(credential);
         });
-    }, "PublicKeyCredential's [[create]] with authenticatorSelection { 'cross-platform' } in a mock local authenticator.");
+    }, "PublicKeyCredential's [[create]] with excludeCredentials in a mock u2f authenticator.");
 
     promise_test(t => {
@@ -93 +92 @@
                 challenge: Base64URL.parse("MTIzNDU2"),
                 pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                authenticatorSelection: { requireResidentKey: false },
+                excludeCredentials: [{ type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }, { type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }], // The content doesn't matter.
                 timeout: 10
             }
         };
 
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64, testU2fRegisterResponse] } });
         return navigator.credentials.create(options).then(credential => {
             checkResult(credential);
         });
-    }, "PublicKeyCredential's [[create]] with requireResidentKey { false } in a mock local authenticator.");
+    }, "PublicKeyCredential's [[create]] with excludeCredentials in a mock u2f authenticator. 2");
 
     promise_test(t => {
@@ -116 +117 @@
                 challenge: Base64URL.parse("MTIzNDU2"),
                 pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                authenticatorSelection: { userVerification: "preferred" },
-                timeout: 10
+                timeout: 500
             }
         };
 
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fApduConditionsNotSatisfiedOnlyResponseBase64, testU2fApduConditionsNotSatisfiedOnlyResponseBase64, testU2fRegisterResponse] } });
         return navigator.credentials.create(options).then(credential => {
             checkResult(credential);
         });
-    }, "PublicKeyCredential's [[create]] with userVerification { 'preferred' } in a mock local authenticator.");
-
-    promise_test(t => {
-        const options = {
-            publicKey: {
-                rp: {
-                    name: "localhost",
-                },
-                user: {
-                    name: "John Appleseed",
-                    id: Base64URL.parse(testUserhandleBase64),
-                    displayName: "Appleseed",
-                },
-                challenge: Base64URL.parse("MTIzNDU2"),
-                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                authenticatorSelection: { userVerification: "discouraged" },
-                timeout: 10
-            }
-        };
-
-        return navigator.credentials.create(options).then(credential => {
-            checkResult(credential);
-        });
-    }, "PublicKeyCredential's [[create]] with userVerification { 'discouraged' } in a mock local authenticator.");
-
-    promise_test(t => {
-        const options = {
-            publicKey: {
-                rp: {
-                    name: "localhost",
-                },
-                user: {
-                    name: "John Appleseed",
-                    id: Base64URL.parse(testUserhandleBase64),
-                    displayName: "Appleseed",
-                },
-                challenge: Base64URL.parse("MTIzNDU2"),
-                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                authenticatorSelection: { authenticatorAttachment: "cross-platform", requireResidentKey: false, userVerification: "preferred" },
-                timeout: 10
-            }
-        };
-
-        return navigator.credentials.create(options).then(credential => {
-            checkResult(credential);
-        });
-    }, "PublicKeyCredential's [[create]] with mixed options in a mock local authenticator.");
+    }, "PublicKeyCredential's [[create]] with test of user presence in a mock u2f authenticator.");
 </script>

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html

@@ -14 +14 @@
 
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: testDummyMessagePayloadBase64 } });
+            testRunner.setWebAuthenticationMockConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: [testDummyMessagePayloadBase64] } });
         return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
     }, "PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.");

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html

@@ -33 +33 @@
 
         if (window.testRunner)
-            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: testDummyMessagePayloadBase64 } });
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: [testDummyMessagePayloadBase64] } });
         return promiseRejects(t, "UnknownError", navigator.credentials.get(options), "Unknown internal error. Error code: -1");
     }, "PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.");

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html

@@ -7 +7 @@
     // Default mock configuration. Tests need to override if they need different configuration.
     if (window.testRunner)
-        testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: testAssertionMessageBase64 } });
+        testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", payloadBase64: [testAssertionMessageBase64] } });
 
     function checkResult(credential)

trunk/LayoutTests/http/wpt/webauthn/resources/util.js

@@ -70 +70 @@
     "4/F0VB7DlUVM09IHPmxe1MzHUwRoCRZbCAIgGKov6xoAx2MEf6/6qNs8OutzhP2C" +
     "QoJ1L7Fe64G9uBc=";
+const testU2fApduNoErrorOnlyResponseBase64 = "kAA=";
+const testU2fApduInsNotSupportedOnlyResponseBase64 = "bQA=";
+const testU2fApduWrongDataOnlyResponseBase64 = "aoA=";
+const testU2fApduConditionsNotSatisfiedOnlyResponseBase64 = "aYU=";
+const testU2fRegisterResponse =
+    "BQTodiWJbuTkbcAydm6Ah5YvNt+d/otWfzdjAVsZkKYOFCfeYS1mQYvaGVBYHrxc" +
+    "jB2tcQyxTCL4yXBF9GEvsgyRQD69ib937FCXVe6cJjXvqqx7K5xc7xc2w3F9pIU0" +
+    "yMa2VNf/lF9QtcxOeAVb3TlrZPeNosX5YgDM1BXNCP5CADgwggJKMIIBMqADAgEC" +
+    "AgQEbIgiMA0GCSqGSIb3DQEBCwUAMC4xLDAqBgNVBAMTI1l1YmljbyBVMkYgUm9v" +
+    "dCBDQSBTZXJpYWwgNDU3MjAwNjMxMCAXDTE0MDgwMTAwMDAwMFoYDzIwNTAwOTA0" +
+    "MDAwMDAwWjAsMSowKAYDVQQDDCFZdWJpY28gVTJGIEVFIFNlcmlhbCAyNDkxODIz" +
+    "MjQ3NzAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ8yrksy5cofujmOUN+IfzW" +
+    "tvFlstWj89sTHTHBa3QrtHbY0emQgOtUbJu99VbmIQ/UJ4WJnnjMWJ6+MQ9s25/0" +
+    "ozswOTAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuMjATBgsrBgEE" +
+    "AYLlHAIBAQQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEAn5sFIki8TPQsxZkfyqus" +
+    "m2Ubvlvc3I7wrSwcH/s20YcV1C54skkiT5LH5uegXEnw5+TIgb8ulPReSiGDPXRW" +
+    "hR0PbBRaKVQMh08wksk0tD0iK4liwPQQzvHbdYkq8Ra0Spb101reo4IvxxRvYAQ4" +
+    "W8tptlyZ5+tpGXhnA8DYzUHo91zKRKqKtyWtjnmf86hpam8bJlbmMbHkAYPAj9pT" +
+    "+kqPhaBWk5RK4XmhM50ALRXKvYEAkOxyLvXe+ZZaNx1BXWJLaKJwfK2XvN0Xha+X" +
+    "4ljzPfVqAxqgNW2OjV68rcdOBxY2xrEQrOXMm5Df6srmQP8bsPH+XbTv96lfBgcz" +
+    "9TBFAiAyR3nGjzOAKIoRl7YJX3puubGxwSf2auEqmf6FMuwjuQIhAOOVFqxNYe5k" +
+    "BE1QtBWmpNTYS6bYlctat6GqfQgd40H6kAA=";
+const testU2fCredentialIdBase64 =
+    "Pr2Jv3fsUJdV7pwmNe-qrHsrnFzvFzbDcX2khTTIxrZU1_-UX1C1zE54BVvdOWtk" +
+    "942ixfliAMzUFc0I_kIAOA";
+const testU2fSignResponse =
+    "AQAAADswRAIge94KUqwfTIsn4AOjcM1mpMcRjdItVEeDX0W5nGhCP/cCIDxRe0eH" +
+    "f4V4LeEAhqeD0effTjY553H19q+jWq1Tc4WOkAA=";
 
 const RESOURCES_DIR = "/WebKit/webauthn/resources/";

trunk/LayoutTests/platform/ios-wk2/TestExpectations

@@ -1326 +1326 @@
 http/wpt/webauthn/public-key-credential-get-failure-hid.https.html [ Skip ]
 http/wpt/webauthn/public-key-credential-get-success-hid.https.html [ Skip ]
+http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html [ Skip ]
+http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html [ Skip ]
+http/wpt/webauthn/public-key-credential-create-success-u2f.https.html [ Skip ]
+http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html [ Skip ]
+http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html [ Skip ]
+http/wpt/webauthn/public-key-credential-get-success-u2f.https.html [ Skip ]
 
 # FIXME: Unskip these tests once we have the fix for <rdar://problem/44930119>.

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-01-08  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Support U2F HID Authenticators on macOS
+        https://bugs.webkit.org/show_bug.cgi?id=191535
+        <rdar://problem/47102027>
+
+        Reviewed by Brent Fulgham.
+
+        This patch changes U2fCommandConstructor to produce register commands with
+        enforcing test of user presence. Otherwise, authenticators would silently
+        generate credentials. It also renames readFromU2fSignResponse to
+        readU2fSignResponse.
+
+        Tests: http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html
+               http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html
+               http/wpt/webauthn/public-key-credential-create-success-u2f.https.html
+               http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html
+               http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html
+               http/wpt/webauthn/public-key-credential-get-success-u2f.https.html
+
+        * Modules/webauthn/fido/U2fCommandConstructor.cpp:
+        (fido::WebCore::constructU2fRegisterCommand):
+        * Modules/webauthn/fido/U2fResponseConverter.cpp:
+        (fido::readU2fSignResponse):
+        (fido::readFromU2fSignResponse): Deleted.
+        * Modules/webauthn/fido/U2fResponseConverter.h:
+
 2019-01-08  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.cpp

@@ -55 +55 @@
     apdu::ApduCommand command;
     command.setIns(static_cast<uint8_t>(U2fApduInstruction::kRegister));
+    // This is needed for test of user presence even though the spec doesn't specify it.
+    command.setP1(kP1EnforceUserPresenceAndSign);
     command.setData(WTFMove(data));
     command.setResponseLength(apdu::ApduCommand::kApduMaxResponseLength);

trunk/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp

@@ -174 +174 @@
 }
 
-Optional<PublicKeyCredentialData> readFromU2fSignResponse(const String& rpId, const Vector<uint8_t>& keyHandle, const Vector<uint8_t>& u2fData)
+Optional<PublicKeyCredentialData> readU2fSignResponse(const String& rpId, const Vector<uint8_t>& keyHandle, const Vector<uint8_t>& u2fData)
 {
     if (keyHandle.isEmpty() || u2fData.size() <= signatureIndex)

trunk/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.h

@@ -43 +43 @@
 // Converts a U2F authentication response to WebAuthN getAssertion response.
 // https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#u2f-authenticatorGetAssertion-interoperability
-WEBCORE_EXPORT Optional<WebCore::PublicKeyCredentialData> readFromU2fSignResponse(const String& rpId, const Vector<uint8_t>& keyHandle, const Vector<uint8_t>& u2fData);
+WEBCORE_EXPORT Optional<WebCore::PublicKeyCredentialData> readU2fSignResponse(const String& rpId, const Vector<uint8_t>& keyHandle, const Vector<uint8_t>& u2fData);
 
 } // namespace fido

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-01-08  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Support U2F HID Authenticators on macOS
+        https://bugs.webkit.org/show_bug.cgi?id=191535
+        <rdar://problem/47102027>
+
+        Reviewed by Brent Fulgham.
+
+        This patch implements the support for U2F authenticators, and enables it for hid devices.
+        It follows the CTAP spec to map WebAuthN requests to U2F commands and return the responses:
+        https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#u2f-interoperability
+        Most of the parts are done before this patch, this patch focues on: 7.2.2 and 7.3.2.
+
+        Besides implementing the U2fHidAuthenticator, this patch also adds support in the mocking
+        environment for U2F authenticators. It is done by extending the stages in MockHidConnection
+        from 4 to indefinite as multi-round communications are expected to map WebAuthN requests
+        to U2F requests.
+
+        * Sources.txt:
+        * UIProcess/API/C/WKWebsiteDataStoreRef.cpp:
+        (WKWebsiteDataStoreSetWebAuthenticationMockConfiguration):
+        * UIProcess/WebAuthentication/Cocoa/HidService.mm:
+        (WebKit::HidService::continueAddDeviceAfterGetInfo):
+        * UIProcess/WebAuthentication/fido/CtapHidDriver.cpp:
+        (WebKit::CtapHidDriver::continueAfterChannelAllocated):
+        * UIProcess/WebAuthentication/fido/CtapHidDriver.h:
+        (WebKit::CtapHidDriver::setProtocol):
+        * UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp: Added.
+        (WebKit::U2fHidAuthenticator::U2fHidAuthenticator):
+        (WebKit::U2fHidAuthenticator::makeCredential):
+        (WebKit::U2fHidAuthenticator::checkExcludeList):
+        (WebKit::U2fHidAuthenticator::issueRegisterCommand):
+        (WebKit::U2fHidAuthenticator::getAssertion):
+        (WebKit::U2fHidAuthenticator::issueSignCommand):
+        (WebKit::U2fHidAuthenticator::issueNewCommand):
+        (WebKit::U2fHidAuthenticator::issueCommand):
+        (WebKit::U2fHidAuthenticator::responseReceived):
+        (WebKit::U2fHidAuthenticator::continueRegisterCommandAfterResponseReceived):
+        (WebKit::U2fHidAuthenticator::continueCheckOnlyCommandAfterResponseReceived):
+        (WebKit::U2fHidAuthenticator::continueBogusCommandAfterResponseReceived):
+        (WebKit::U2fHidAuthenticator::continueSignCommandAfterResponseReceived):
+        * UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h: Added.
+        * UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:
+        (WebKit::MockHidConnection::parseRequest):
+        (WebKit::MockHidConnection::feedReports):
+        * UIProcess/WebAuthentication/Mock/MockHidConnection.h:
+        * UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h:
+        * WebKit.xcodeproj/project.pbxproj:
+
 2019-01-08  Youenn Fablet  <youenn@apple.com>
 

trunk/Source/WebKit/Sources.txt

@@ -386 +386 @@
 UIProcess/UserContent/WebUserContentControllerProxy.cpp
 
+UIProcess/WebAuthentication/fido/CtapHidAuthenticator.cpp
+UIProcess/WebAuthentication/fido/CtapHidDriver.cpp
+UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp
+
 UIProcess/WebAuthentication/Mock/MockAuthenticatorManager.cpp
 UIProcess/WebAuthentication/Mock/MockHidConnection.cpp

trunk/Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp

@@ -628 +628 @@
             hid.error = WebKit::MockWebAuthenticationConfiguration::Hid::Error::WrongNonce;
 
-        if (auto payloadBase64 = static_cast<WKStringRef>(WKDictionaryGetItemForKey(hidRef, adoptWK(WKStringCreateWithUTF8CString("PayloadBase64")).get())))
-            hid.payloadBase64 = WebKit::toImpl(payloadBase64)->string();
+        if (auto payloadBase64 = static_cast<WKArrayRef>(WKDictionaryGetItemForKey(hidRef, adoptWK(WKStringCreateWithUTF8CString("PayloadBase64")).get())))
+            hid.payloadBase64 = WebKit::toImpl(payloadBase64)->toStringVector();
+
+        if (auto isU2f = static_cast<WKBooleanRef>(WKDictionaryGetItemForKey(hidRef, adoptWK(WKStringCreateWithUTF8CString("IsU2f")).get())))
+            hid.isU2f = WKBooleanGetValue(isU2f);
 
         if (auto keepAlive = static_cast<WKBooleanRef>(WKDictionaryGetItemForKey(hidRef, adoptWK(WKStringCreateWithUTF8CString("KeepAlive")).get())))

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/HidService.mm

@@ -32 +32 @@
 #import "CtapHidDriver.h"
 #import "HidConnection.h"
+#import "U2fHidAuthenticator.h"
 #import <WebCore/DeviceRequestConverter.h>
 #import <WebCore/DeviceResponseConverter.h>
@@ -109 +110 @@
 {
     std::unique_ptr<CtapHidDriver> driver = m_drivers.take(ptr);
-    if (!driver || !observer())
+    if (!driver || !observer() || response.isEmpty())
         return;
 
@@ -117 +118 @@
         return;
     }
-    // FIXME(191535): Support U2F authenticators.
     LOG_ERROR("Couldn't parse a ctap get info response.");
+    driver->setProtocol(ProtocolVersion::kU2f);
+    observer()->authenticatorAdded(U2fHidAuthenticator::create(WTFMove(driver)));
 }
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp

@@ -128 +128 @@
             m_stage = Mock::Stage::Request;
     }
-    if (m_requestMessage->cmd() == FidoHidDeviceCommand::kCbor)
+    if (m_requestMessage->cmd() == FidoHidDeviceCommand::kCbor || m_requestMessage->cmd() == FidoHidDeviceCommand::kMsg)
         m_subStage = Mock::SubStage::Msg;
 
-    // Set options.
     if (m_stage == Mock::Stage::Request && m_subStage == Mock::SubStage::Msg) {
-        m_requireResidentKey = false;
-        m_requireUserVerification = false;
-
-        auto payload = m_requestMessage->getMessagePayload();
-        ASSERT(payload.size());
-        auto cmd = static_cast<CtapRequestCommand>(payload[0]);
-        payload.remove(0);
-        auto requestMap = CBORReader::read(payload);
-        ASSERT(requestMap);
-
-        if (cmd == CtapRequestCommand::kAuthenticatorMakeCredential) {
-            auto it = requestMap->getMap().find(CBORValue(CtapMakeCredentialRequestOptionsKey)); // Find options.
-            if (it != requestMap->getMap().end()) {
-                auto& optionMap = it->second.getMap();
-
-                auto itr = optionMap.find(CBORValue(kResidentKeyMapKey));
-                if (itr != optionMap.end())
-                    m_requireResidentKey = itr->second.getBool();
-
-                itr = optionMap.find(CBORValue(kUserVerificationMapKey));
-                if (itr != optionMap.end())
-                    m_requireUserVerification = itr->second.getBool();
+        // Make sure we issue different msg cmd for CTAP and U2F.
+        ASSERT(m_configuration.hid->isU2f ^ (m_requestMessage->cmd() != FidoHidDeviceCommand::kMsg));
+
+        // Set options.
+        if (m_requestMessage->cmd() == FidoHidDeviceCommand::kCbor) {
+            m_requireResidentKey = false;
+            m_requireUserVerification = false;
+
+            auto payload = m_requestMessage->getMessagePayload();
+            ASSERT(payload.size());
+            auto cmd = static_cast<CtapRequestCommand>(payload[0]);
+            payload.remove(0);
+            auto requestMap = CBORReader::read(payload);
+            ASSERT(requestMap);
+
+            if (cmd == CtapRequestCommand::kAuthenticatorMakeCredential) {
+                auto it = requestMap->getMap().find(CBORValue(CtapMakeCredentialRequestOptionsKey)); // Find options.
+                if (it != requestMap->getMap().end()) {
+                    auto& optionMap = it->second.getMap();
+
+                    auto itr = optionMap.find(CBORValue(kResidentKeyMapKey));
+                    if (itr != optionMap.end())
+                        m_requireResidentKey = itr->second.getBool();
+
+                    itr = optionMap.find(CBORValue(kUserVerificationMapKey));
+                    if (itr != optionMap.end())
+                        m_requireUserVerification = itr->second.getBool();
+                }
             }
-        }
-
-        if (cmd == CtapRequestCommand::kAuthenticatorGetAssertion) {
-            auto it = requestMap->getMap().find(CBORValue(CtapGetAssertionRequestOptionsKey)); // Find options.
-            if (it != requestMap->getMap().end()) {
-                auto& optionMap = it->second.getMap();
-                auto itr = optionMap.find(CBORValue(kUserVerificationMapKey));
-                if (itr != optionMap.end())
-                    m_requireUserVerification = itr->second.getBool();
+
+            if (cmd == CtapRequestCommand::kAuthenticatorGetAssertion) {
+                auto it = requestMap->getMap().find(CBORValue(CtapGetAssertionRequestOptionsKey)); // Find options.
+                if (it != requestMap->getMap().end()) {
+                    auto& optionMap = it->second.getMap();
+                    auto itr = optionMap.find(CBORValue(kUserVerificationMapKey));
+                    if (itr != optionMap.end())
+                        m_requireUserVerification = itr->second.getBool();
+                }
             }
         }
@@ -208 +213 @@
         if (stagesMatch() && m_configuration.hid->error == Mock::Error::WrongChannelId)
             message = FidoHidMessage::create(m_currentChannel - 1, FidoHidDeviceCommand::kCbor, infoData);
-        else
-            message = FidoHidMessage::create(m_currentChannel, FidoHidDeviceCommand::kCbor, infoData);
+        else {
+            if (!m_configuration.hid->isU2f)
+                message = FidoHidMessage::create(m_currentChannel, FidoHidDeviceCommand::kCbor, infoData);
+            else
+                message = FidoHidMessage::create(m_currentChannel, FidoHidDeviceCommand::kError, { static_cast<uint8_t>(CtapDeviceResponseCode::kCtap1ErrInvalidCommand) });
+        }
     }
 
@@ -224 +233 @@
         else {
             Vector<uint8_t> payload;
-            auto status = base64Decode(m_configuration.hid->payloadBase64, payload);
+            ASSERT(!m_configuration.hid->payloadBase64.isEmpty());
+            auto status = base64Decode(m_configuration.hid->payloadBase64[0], payload);
+            m_configuration.hid->payloadBase64.remove(0);
             ASSERT_UNUSED(status, status);
-            message = FidoHidMessage::create(m_currentChannel, FidoHidDeviceCommand::kCbor, payload);
+            if (!m_configuration.hid->isU2f)
+                message = FidoHidMessage::create(m_currentChannel, FidoHidDeviceCommand::kCbor, payload);
+            else
+                message = FidoHidMessage::create(m_currentChannel, FidoHidDeviceCommand::kMsg, payload);
         }
     }

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.h

@@ -36 +36 @@
 
 // The following basically simulates an external HID token that:
-//    1. Only supports CTAP2 protocol,
+//    1. Supports only one protocol, either CTAP2 or U2F.
 //    2. Doesn't support resident keys,
 //    3. Doesn't support user verification.
-// There are four stages for each WebAuthN request:
+// There are four stages for each CTAP request:
 // FSM: Info::Init => Info::Msg => Request::Init => Request::Msg
+// There are indefinite stages for each U2F request:
+// FSM: Info::Init => Info::Msg => [Request::Init => Request::Msg]+
 // According to different combinations of error and stages, error will manifest differently.
 class MockHidConnection final : public CanMakeWeakPtr<MockHidConnection>, public HidConnection {

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h

@@ -62 +62 @@
         };
 
-        String payloadBase64;
+        Vector<String> payloadBase64;
         Stage stage { Stage::Info };
         SubStage subStage { SubStage::Init };
         Error error { Error::Success };
+        bool isU2f { false };
         bool keepAlive { false };
         bool fastDataArrival { false };

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.cpp

@@ -198 +198 @@
     // FIXME(192061)
     LOG_ERROR("Start sending the request.");
-    auto cmd = FidoHidMessage::create(m_channelId, FidoHidDeviceCommand::kCbor, m_requestData);
+    auto cmd = FidoHidMessage::create(m_channelId, m_protocol == ProtocolVersion::kCtap ? FidoHidDeviceCommand::kCbor : FidoHidDeviceCommand::kMsg, m_requestData);
     ASSERT(cmd);
     m_worker->transact(WTFMove(*cmd), [weakThis = makeWeakPtr(*this)](Optional<FidoHidMessage>&& response) mutable {

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.h

@@ -58 +58 @@
     explicit CtapHidDriver(UniqueRef<HidConnection>&&);
 
+    void setProtocol(fido::ProtocolVersion protocol) { m_protocol = protocol; }
     void transact(Vector<uint8_t>&& data, ResponseCallback&&);
 
@@ -104 +105 @@
     ResponseCallback m_responseCallback;
     Vector<uint8_t> m_nonce;
+    fido::ProtocolVersion m_protocol { fido::ProtocolVersion::kCtap };
 };
 

trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj

@@ -1014 +1014 @@
                 57597EB921811D9A0037F924 /* CtapHidDriver.h in Headers */ = {isa = PBXBuildFile; fileRef = 57597EB721811D9A0037F924 /* CtapHidDriver.h */; };
                 57597EBD218184900037F924 /* CtapHidAuthenticator.h in Headers */ = {isa = PBXBuildFile; fileRef = 57597EBB2181848F0037F924 /* CtapHidAuthenticator.h */; };
-                57597EBE218184900037F924 /* CtapHidAuthenticator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 57597EBC2181848F0037F924 /* CtapHidAuthenticator.cpp */; };
-                57597EC121818BE20037F924 /* CtapHidDriver.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 57597EC021818BE20037F924 /* CtapHidDriver.cpp */; };
                 5772F206217DBD6A0056BF2C /* HidService.h in Headers */ = {isa = PBXBuildFile; fileRef = 5772F204217DBD6A0056BF2C /* HidService.h */; };
                 578DC2982155A0020074E815 /* LocalAuthenticationSoftLink.h in Headers */ = {isa = PBXBuildFile; fileRef = 578DC2972155A0010074E815 /* LocalAuthenticationSoftLink.h */; };
@@ -1037 +1035 @@
                 57DCEDC7214F18300016B847 /* MockLocalConnection.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCEDC5214F18300016B847 /* MockLocalConnection.h */; };
                 57DCEDCB214F4E420016B847 /* MockAuthenticatorManager.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCEDC9214F4E420016B847 /* MockAuthenticatorManager.h */; };
+                57EB2E3A21E1983E00B89CDF /* U2fHidAuthenticator.h in Headers */ = {isa = PBXBuildFile; fileRef = 57EB2E3821E1983E00B89CDF /* U2fHidAuthenticator.h */; };
                 587743A621C30BBE00AE9084 /* HTTPSUpgradeList.db in Resources */ = {isa = PBXBuildFile; fileRef = 587743A421C30AD800AE9084 /* HTTPSUpgradeList.db */; };
                 58E977DF21C49A00005D92A6 /* NetworkHTTPSUpgradeChecker.h in Headers */ = {isa = PBXBuildFile; fileRef = 58E977DD21C49A00005D92A6 /* NetworkHTTPSUpgradeChecker.h */; };
@@ -3405 +3404 @@
                 57DCEDC9214F4E420016B847 /* MockAuthenticatorManager.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MockAuthenticatorManager.h; sourceTree = "<group>"; };
                 57DCEDCD214F51680016B847 /* MockAuthenticatorManager.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MockAuthenticatorManager.cpp; sourceTree = "<group>"; };
+                57EB2E3821E1983E00B89CDF /* U2fHidAuthenticator.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = U2fHidAuthenticator.h; sourceTree = "<group>"; };
+                57EB2E3921E1983E00B89CDF /* U2fHidAuthenticator.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = U2fHidAuthenticator.cpp; sourceTree = "<group>"; };
                 587743A421C30AD800AE9084 /* HTTPSUpgradeList.db */ = {isa = PBXFileReference; lastKnownFileType = file; name = HTTPSUpgradeList.db; path = DerivedSources/WebKit2/HTTPSUpgradeList.db; sourceTree = BUILT_PRODUCTS_DIR; };
                 58E977DC21C499FE005D92A6 /* NetworkHTTPSUpgradeChecker.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NetworkHTTPSUpgradeChecker.cpp; sourceTree = "<group>"; };
@@ -6715 +6716 @@
                                 57597EC021818BE20037F924 /* CtapHidDriver.cpp */,
                                 57597EB721811D9A0037F924 /* CtapHidDriver.h */,
+                                57EB2E3921E1983E00B89CDF /* U2fHidAuthenticator.cpp */,
+                                57EB2E3821E1983E00B89CDF /* U2fHidAuthenticator.h */,
                         );
                         path = fido;
@@ -9324 +9327 @@
                                 1AF05D8714688348008B1E81 /* TiledCoreAnimationDrawingAreaProxy.h in Headers */,
                                 2F8336861FA139DF00C6E080 /* TouchBarMenuData.h in Headers */,
+                                57EB2E3A21E1983E00B89CDF /* U2fHidAuthenticator.h in Headers */,
                                 1AFE436618B6C081009C7A48 /* UIDelegate.h in Headers */,
                                 515BE1B51D5917FF00DD7C68 /* UIGamepad.h in Headers */,
@@ -10755 +10759 @@
                                 51FAEC3B1B0657680009C4E7 /* ChildProcessMessageReceiver.cpp in Sources */,
                                 2D92A77D212B6A7100F493FD /* Connection.cpp in Sources */,
-                                57597EBE218184900037F924 /* CtapHidAuthenticator.cpp in Sources */,
-                                57597EC121818BE20037F924 /* CtapHidDriver.cpp in Sources */,
                                 2D92A77E212B6A7100F493FD /* DataReference.cpp in Sources */,
                                 2D92A77F212B6A7100F493FD /* Decoder.cpp in Sources */,

trunk/Tools/ChangeLog

@@ +1 @@
+2019-01-08  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Support U2F HID Authenticators on macOS
+        https://bugs.webkit.org/show_bug.cgi?id=191535
+        <rdar://problem/47102027>
+
+        Reviewed by Brent Fulgham.
+
+        This patch:
+        1) adds support for U2F mocking mechanism;
+        2) updates tests to reflect U2fCommandConstructor changes.
+
+        * TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WebCore/FidoTestData.h:
+        * WebKitTestRunner/InjectedBundle/TestRunner.cpp:
+        (WTR::TestRunner::setWebAuthenticationMockConfiguration):
+
 2019-01-08  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp

@@ -521 +521 @@
 TEST(CTAPResponseTest, TestParseSignResponseData)
 {
-    auto response = readFromU2fSignResponse(TestData::kRelyingPartyId, getTestCredentialRawIdBytes(), getTestSignResponse());
+    auto response = readU2fSignResponse(TestData::kRelyingPartyId, getTestCredentialRawIdBytes(), getTestSignResponse());
     ASSERT_TRUE(response);
     EXPECT_EQ(response->rawId->byteLength(), sizeof(TestData::kU2fSignKeyHandle));
@@ -534 +534 @@
 TEST(CTAPResponseTest, TestParseU2fSignWithNullKeyHandle)
 {
-    auto response = readFromU2fSignResponse(TestData::kRelyingPartyId, Vector<uint8_t>(), getTestSignResponse());
+    auto response = readU2fSignResponse(TestData::kRelyingPartyId, Vector<uint8_t>(), getTestSignResponse());
     EXPECT_FALSE(response);
 }
@@ -540 +540 @@
 TEST(CTAPResponseTest, TestParseU2fSignWithNullResponse)
 {
-    auto response = readFromU2fSignResponse(TestData::kRelyingPartyId, getTestCredentialRawIdBytes(), Vector<uint8_t>());
+    auto response = readU2fSignResponse(TestData::kRelyingPartyId, getTestCredentialRawIdBytes(), Vector<uint8_t>());
     EXPECT_FALSE(response);
 }
@@ -547 +547 @@
 {
     // A sign response of less than 5 bytes.
-    auto response = readFromU2fSignResponse(TestData::kRelyingPartyId, getTestCredentialRawIdBytes(), getTestCorruptedSignResponse(3));
+    auto response = readU2fSignResponse(TestData::kRelyingPartyId, getTestCredentialRawIdBytes(), getTestCorruptedSignResponse(3));
     EXPECT_FALSE(response);
 }
@@ -554 +554 @@
 {
     // A sign response no more than 5 bytes.
-    auto response = readFromU2fSignResponse(TestData::kRelyingPartyId, getTestCredentialRawIdBytes(), getTestCorruptedSignResponse(5));
+    auto response = readU2fSignResponse(TestData::kRelyingPartyId, getTestCredentialRawIdBytes(), getTestCorruptedSignResponse(5));
     EXPECT_FALSE(response);
 }

trunk/Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h

@@ -52 +52 @@
 constexpr uint8_t kU2fRegisterCommandApdu[] = {
     // CLA, INS, P1, P2 APDU instructions
-    0x00, 0x01, 0x00, 0x00,
+    0x00, 0x01, 0x03, 0x00,
     // Data length in 3 bytes in big endian order.
     0x00, 0x00, 0x40,
@@ -142 +142 @@
 constexpr uint8_t kU2fFakeRegisterCommand[] = {
     // CLA, INS, P1, P2 APDU instructions
-    0x00, 0x01, 0x00, 0x00,
+    0x00, 0x01, 0x03, 0x00,
     // Data length in 3 bytes in big endian order.
     0x00, 0x00, 0x40,

trunk/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp

@@ -2510 +2510 @@
         JSValueRef payloadBase64Value = JSObjectGetProperty(context, hid, payloadBase64PropertyName.get(), 0);
         if (!JSValueIsUndefined(context, payloadBase64Value) && !JSValueIsNull(context, payloadBase64Value)) {
-            if (!JSValueIsString(context, payloadBase64Value))
+            if (!JSValueIsArray(context, payloadBase64Value))
                 return;
+
+            JSObjectRef payloadBase64 = JSValueToObject(context, payloadBase64Value, nullptr);
+            static auto lengthProperty = adopt(JSStringCreateWithUTF8CString("length"));
+            JSValueRef payloadBase64LengthValue = JSObjectGetProperty(context, payloadBase64, lengthProperty.get(), nullptr);
+            if (!JSValueIsNumber(context, payloadBase64LengthValue))
+                return;
+
+            auto payloadBase64s = adoptWK(WKMutableArrayCreate());
+            auto payloadBase64Length = static_cast<size_t>(JSValueToNumber(context, payloadBase64LengthValue, nullptr));
+            for (size_t i = 0; i < payloadBase64Length; ++i) {
+                JSValueRef payloadBase64Value = JSObjectGetPropertyAtIndex(context, payloadBase64, i, nullptr);
+                if (!JSValueIsString(context, payloadBase64Value))
+                    continue;
+                WKArrayAppendItem(payloadBase64s.get(), toWK(adopt(JSValueToStringCopy(context, payloadBase64Value, 0)).get()).get());
+            }
+
             hidKeys.append({ AdoptWK, WKStringCreateWithUTF8CString("PayloadBase64") });
-            hidValues.append(toWK(adopt(JSValueToStringCopy(context, payloadBase64Value, 0)).get()));
+            hidValues.append(payloadBase64s);
+        }
+
+        JSRetainPtr<JSStringRef> isU2fPropertyName(Adopt, JSStringCreateWithUTF8CString("isU2f"));
+        JSValueRef isU2fValue = JSObjectGetProperty(context, hid, isU2fPropertyName.get(), 0);
+        if (!JSValueIsUndefined(context, isU2fValue) && !JSValueIsNull(context, isU2fValue)) {
+            if (!JSValueIsBoolean(context, isU2fValue))
+                return;
+            bool isU2f = JSValueToBoolean(context, isU2fValue);
+            hidKeys.append({ AdoptWK, WKStringCreateWithUTF8CString("IsU2f") });
+            hidValues.append(adoptWK(WKBooleanCreate(isU2f)).get());
         }