Changeset 252297 in webkit


Ignore:
Timestamp:
Nov 8, 2019 5:09:19 PM (4 years ago)
Author:
jiewen_tan@apple.com
Message:

[WebAuthn] Add quirk needed to support legacy Google NFC Titan security keys
https://bugs.webkit.org/show_bug.cgi?id=204024
<rdar://problem/56962320>

Reviewed by Brent Fulgham.

Source/WebCore:

Covered by manual tests.

  • Modules/webauthn/fido/FidoConstants.h:

Source/WebKit:

Some legacy U2F keys such as Google T1 Titan don't understand the FIDO applet command. Instead,
they are configured to only have the FIDO applet. Therefore, when the above command fails, we
use U2F_VERSION command to double check if the connected tag can actually speak U2F, indicating
we are interacting with one of these legacy keys.

  • UIProcess/WebAuthentication/Cocoa/NfcConnection.mm:

(WebKit::fido::compareVersion):
(WebKit::fido::trySelectFidoApplet):
(WebKit::NfcConnection::transact const):
(WebKit::NfcConnection::didDetectTags):

Location:
trunk/Source
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • trunk/Source/WebCore/ChangeLog

    r252276 r252297  
     12019-11-08  Jiewen Tan  <jiewen_tan@apple.com>
     2
     3        [WebAuthn] Add quirk needed to support legacy Google NFC Titan security keys
     4        https://bugs.webkit.org/show_bug.cgi?id=204024
     5        <rdar://problem/56962320>
     6
     7        Reviewed by Brent Fulgham.
     8
     9        Covered by manual tests.
     10
     11        * Modules/webauthn/fido/FidoConstants.h:
     12
    1132019-11-08  Peng Liu  <peng.liu6@apple.com>
    214
  • trunk/Source/WebCore/Modules/webauthn/fido/FidoConstants.h

    r249059 r252297  
    224224const uint32_t kCtapHidUsage = 0x01;
    225225
     226// U2F_VERSION command
     227// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#getversion-request-and-response---u2f_version
     228const uint8_t kCtapNfcU2fVersionCommand[] = {
     229    0x00, 0x03, 0x00, 0x00, // CLA, INS, P1, P2
     230    0x00, // L
     231};
     232
    226233// CTAPNFC Applet selection command and responses
    227234// https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#nfc-applet-selection
  • trunk/Source/WebKit/ChangeLog

    r252274 r252297  
     12019-11-08  Jiewen Tan  <jiewen_tan@apple.com>
     2
     3        [WebAuthn] Add quirk needed to support legacy Google NFC Titan security keys
     4        https://bugs.webkit.org/show_bug.cgi?id=204024
     5        <rdar://problem/56962320>
     6
     7        Reviewed by Brent Fulgham.
     8
     9        Some legacy U2F keys such as Google T1 Titan don't understand the FIDO applet command. Instead,
     10        they are configured to only have the FIDO applet. Therefore, when the above command fails, we
     11        use U2F_VERSION command to double check if the connected tag can actually speak U2F, indicating
     12        we are interacting with one of these legacy keys.
     13
     14        * UIProcess/WebAuthentication/Cocoa/NfcConnection.mm:
     15        (WebKit::fido::compareVersion):
     16        (WebKit::fido::trySelectFidoApplet):
     17        (WebKit::NfcConnection::transact const):
     18        (WebKit::NfcConnection::didDetectTags):
     19
    1202019-11-08  Jonathan Bedard  <jbedard@apple.com>
    221
  • trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/NfcConnection.mm

    r251645 r252297  
    4040inline bool compareVersion(NSData *data, const uint8_t version[], size_t versionSize)
    4141{
     42    if (!data)
     43        return false;
    4244    if (data.length != versionSize)
    4345        return false;
    4446    return !memcmp(data.bytes, version, versionSize);
    4547}
     48
     49// Confirm the FIDO applet is avaliable.
     50// https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#nfc-applet-selection
     51static bool trySelectFidoApplet(NFReaderSession *session)
     52{
     53    auto *versionData = [session transceive:adoptNS([[NSData alloc] initWithBytes:kCtapNfcAppletSelectionCommand length:sizeof(kCtapNfcAppletSelectionCommand)]).get()];
     54    if (compareVersion(versionData, kCtapNfcAppletSelectionU2f, sizeof(kCtapNfcAppletSelectionU2f))
     55        || compareVersion(versionData, kCtapNfcAppletSelectionCtap, sizeof(kCtapNfcAppletSelectionCtap)))
     56        return true;
     57
     58    // Some legacy U2F keys such as Google T1 Titan don't understand the FIDO applet command. Instead,
     59    // they are configured to only have the FIDO applet. Therefore, when the above command fails, we
     60    // use U2F_VERSION command to double check if the connected tag can actually speak U2F, indicating
     61    // we are interacting with one of these legacy keys.
     62    versionData = [session transceive:adoptNS([[NSData alloc] initWithBytes:kCtapNfcU2fVersionCommand length:sizeof(kCtapNfcU2fVersionCommand)]).get()];
     63    if (compareVersion(versionData, kCtapNfcAppletSelectionU2f, sizeof(kCtapNfcAppletSelectionU2f)))
     64        return true;
     65
     66    return false;
     67}
     68
    4669} // namespace
    4770
     
    6992{
    7093    Vector<uint8_t> response;
    71     @autoreleasepool {
    72         auto responseData = [m_session transceive:[NSData dataWithBytes:data.data() length:data.size()]];
    73         response.append(reinterpret_cast<const uint8_t*>(responseData.bytes), responseData.length);
    74     }
     94    auto *responseData = [m_session transceive:adoptNS([[NSData alloc] initWithBytes:data.data() length:data.size()]).get()];
     95    response.append(reinterpret_cast<const uint8_t*>(responseData.bytes), responseData.length);
    7596    return response;
    7697}
     
    105126            continue;
    106127
    107         // Confirm the FIDO applet is avaliable before return.
    108         // https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#nfc-applet-selection
    109         @autoreleasepool {
    110             auto versionData = [m_session transceive:[NSData dataWithBytes:kCtapNfcAppletSelectionCommand length:sizeof(kCtapNfcAppletSelectionCommand)]];
    111             if (!versionData || (!compareVersion(versionData, kCtapNfcAppletSelectionU2f, sizeof(kCtapNfcAppletSelectionU2f)) && !compareVersion(versionData, kCtapNfcAppletSelectionCtap, sizeof(kCtapNfcAppletSelectionCtap)))) {
    112                 [m_session disconnectTag];
    113                 continue;
    114             }
     128        if (!trySelectFidoApplet(m_session.get())) {
     129            [m_session disconnectTag];
     130            continue;
    115131        }
    116132
Note: See TracChangeset for help on using the changeset viewer.