Context Navigation

← Previous Changeset
Next Changeset →

Changeset 254439 in webkit

Timestamp:

Jan 13, 2020 10:53:59 AM (4 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] Support CTAP Client Pin
https://bugs.webkit.org/show_bug.cgi?id=191516
<rdar://problem/56558558>

Reviewed by Brent Fulgham.

Source/WebCore:

Covered by API tests.

Modules/webauthn/fido/DeviceRequestConverter.cpp:

(fido::encodeMakeCredenitalRequestAsCBOR):
(fido::encodeGetAssertionRequestAsCBOR):

Modules/webauthn/fido/Pin.cpp:

(fido::pin::RetriesResponse::parse):
(fido::pin::TokenResponse::parse):
(fido::pin::TokenRequest::tryCreate):
(fido::pin::encodeAsCBOR):

Modules/webauthn/fido/Pin.h:
crypto/algorithms/CryptoAlgorithmAES_CBC.h:
crypto/gcrypt/CryptoAlgorithmAES_CBCGCrypt.cpp:

(WebCore::CryptoAlgorithmAES_CBC::platformEncrypt):
(WebCore::CryptoAlgorithmAES_CBC::platformDecrypt):

crypto/mac/CryptoAlgorithmAES_CBCMac.cpp:

(WebCore::transformAES_CBC):
(WebCore::CryptoAlgorithmAES_CBC::platformEncrypt):
(WebCore::CryptoAlgorithmAES_CBC::platformDecrypt):

testing/MockWebAuthenticationConfiguration.h:

(WebCore::MockWebAuthenticationConfiguration::HidConfiguration::encode const):
(WebCore::MockWebAuthenticationConfiguration::HidConfiguration::decode):

testing/MockWebAuthenticationConfiguration.idl:

Source/WebKit:

This patch implements authenticatorClientPIN from the spec:
https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorClientPIN
Specifically, it implements section 5.5.1, 5.5.3, 5.5.4, 5.5.7, and 5.5.8.

Here is the flow how makeCredential/getAssertion works with a PIN in our implementation:

Determine if the connected authenticator has a PIN;
If yes, send the makeCredential/getAssertion request to the authenticator with an empty pinAuth

such that the authenticator will wink for user gestures. This step intends to confirm the authenticator
is the one the user wants to use. Otherwise, we don't know which authenticator to send the PIN
if multiple are connected;

Once the user confirms the authetnicator, it will return either CTAP2_ERR_PIN_INVALID or

CTAP2_ERR_PIN_AUTH_INVALID. Some authenticators return CTAP2_ERR_PIN_AUTH_INVALID even though
it is not suggested by the spec;

Get retries from the authenticator;
Get key agreement from the authenticator;
Ask the UI client for the PIN and at the meantime inform it the retries;
Get pin token from the authenticator;
Resend the makeCredential/getAssertion request with the desired pinAuth.

Besides implementating the above flow, this patch also fixes some bugs within the PIN commands encoder:

pinAuth/pinProtocol are wrongly encoded for makeCredential/getAssertion;
AES CBC should be called without any padding. Therefore, CryptoAlgorithmAES_CBC adds a no padding mode;
The sharedSecret is the SHA256 digest of the ECDH key agreement instead of the raw key agreement.

UIProcess/API/APIWebAuthenticationPanelClient.h:

(API::WebAuthenticationPanelClient::requestPin const):

UIProcess/WebAuthentication/Authenticator.h:
UIProcess/WebAuthentication/AuthenticatorManager.cpp:

(WebKit::AuthenticatorManager::requestPin):

UIProcess/WebAuthentication/AuthenticatorManager.h:
UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h:
UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm:

(WebKit::WebAuthenticationPanelClient::WebAuthenticationPanelClient):
(WebKit::WebAuthenticationPanelClient::requestPin const):

UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:

(WebKit::MockHidConnection::feedReports):

UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:

(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived):
(WebKit::CtapAuthenticator::getAssertion):
(WebKit::CtapAuthenticator::continueGetAssertionAfterResponseReceived):
(WebKit::CtapAuthenticator::getRetries):
(WebKit::CtapAuthenticator::continueGetKeyAgreementAfterGetRetries):
(WebKit::CtapAuthenticator::continueRequestPinAfterGetKeyAgreement):
(WebKit::CtapAuthenticator::continueGetPinTokenAfterRequestPin):
(WebKit::CtapAuthenticator::continueRequestAfterGetPinToken):
(WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived const): Deleted.

UIProcess/WebAuthentication/fido/CtapAuthenticator.h:

Tools:

TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp:

(TestWebKitAPI::TEST):

TestWebKitAPI/Tests/WebCore/FidoTestData.h:
TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:

(-[TestWebAuthenticationPanelDelegate panel:requestPINWithRemainingRetries:completionHandler:]):
(TestWebKitAPI::TEST):

TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-hid-pin.html: Added.
TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-key-agreement-error.html: Added.
TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-pin-token-error.html: Added.
TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-retries-error.html: Added.
TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin.html: Added.

Location:

trunk

Files:

: 5 added
: 24 edited

Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp (modified) (2 diffs)
Source/WebCore/Modules/webauthn/fido/Pin.cpp (modified) (5 diffs)
Source/WebCore/Modules/webauthn/fido/Pin.h (modified) (3 diffs)
Source/WebCore/crypto/algorithms/CryptoAlgorithmAES_CBC.h (modified) (2 diffs)
Source/WebCore/crypto/gcrypt/CryptoAlgorithmAES_CBCGCrypt.cpp (modified) (2 diffs)
Source/WebCore/crypto/mac/CryptoAlgorithmAES_CBCMac.cpp (modified) (3 diffs)
Source/WebCore/testing/MockWebAuthenticationConfiguration.h (modified) (3 diffs)
Source/WebCore/testing/MockWebAuthenticationConfiguration.idl (modified) (1 diff)
Source/WebKit/ChangeLog (modified) (1 diff)
Source/WebKit/UIProcess/API/APIWebAuthenticationPanelClient.h (modified) (2 diffs)
Source/WebKit/UIProcess/WebAuthentication/Authenticator.h (modified) (1 diff)
Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp (modified) (1 diff)
Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h (modified) (1 diff)
Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h (modified) (2 diffs)
Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm (modified) (3 diffs)
Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp (modified) (2 diffs)
Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp (modified) (7 diffs)
Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h (modified) (3 diffs)
Tools/ChangeLog (modified) (1 diff)
Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (modified) (8 diffs)
Tools/TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp (modified) (8 diffs)
Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h (modified) (4 diffs)
Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (modified) (3 diffs)
Tools/TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-hid-pin.html (added)
Tools/TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-key-agreement-error.html (added)
Tools/TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-pin-token-error.html (added)
Tools/TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-retries-error.html (added)
Tools/TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin.html (added)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebCore/ChangeLog

-                      r254438
+                      r254439
+-01-06  Jiewen Tan  <jiewen_tan@apple.com>
+        [WebAuthn] Support CTAP Client Pin
+        https://bugs.webkit.org/show_bug.cgi?id=191516
+        <rdar://problem/56558558>
+        Reviewed by Brent Fulgham.
+        Covered by API tests.
+        * Modules/webauthn/fido/DeviceRequestConverter.cpp:
+        (fido::encodeMakeCredenitalRequestAsCBOR):
+        (fido::encodeGetAssertionRequestAsCBOR):
+        * Modules/webauthn/fido/Pin.cpp:
+        (fido::pin::RetriesResponse::parse):
+        (fido::pin::TokenResponse::parse):
+        (fido::pin::TokenRequest::tryCreate):
+        (fido::pin::encodeAsCBOR):
+        * Modules/webauthn/fido/Pin.h:
+        * crypto/algorithms/CryptoAlgorithmAES_CBC.h:
+        * crypto/gcrypt/CryptoAlgorithmAES_CBCGCrypt.cpp:
+        (WebCore::CryptoAlgorithmAES_CBC::platformEncrypt):
+        (WebCore::CryptoAlgorithmAES_CBC::platformDecrypt):
+        * crypto/mac/CryptoAlgorithmAES_CBCMac.cpp:
+        (WebCore::transformAES_CBC):
+        (WebCore::CryptoAlgorithmAES_CBC::platformEncrypt):
+        (WebCore::CryptoAlgorithmAES_CBC::platformDecrypt):
+        * testing/MockWebAuthenticationConfiguration.h:
+        (WebCore::MockWebAuthenticationConfiguration::HidConfiguration::encode const):
+        (WebCore::MockWebAuthenticationConfiguration::HidConfiguration::decode):
+        * testing/MockWebAuthenticationConfiguration.idl:
 -01-13  Zalan Bujtas  <zalan@apple.com>

trunk/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp

-                      r253811
+                      r254439
     if (pin) {
         ASSERT(pin->protocol >= 0);
         cborMap[CBORValue(8)] = CBORValue(pin->protocol);
         cborMap[CBORValue(9)] = CBORValue(WTFMove(pin->auth));
+        cborMap[CBORValue(8)] = CBORValue(WTFMove(pin->auth));
+        cborMap[CBORValue(9)] = CBORValue(pin->protocol);
+    }
 …
     if (pin) {
         ASSERT(pin->protocol >= 0);
         cborMap[CBORValue(8)] = CBORValue(pin->protocol);
         cborMap[CBORValue(9)] = CBORValue(WTFMove(pin->auth));
+        cborMap[CBORValue(6)] = CBORValue(WTFMove(pin->auth));
+        cborMap[CBORValue(7)] = CBORValue(pin->protocol);
+    }

trunk/Source/WebCore/Modules/webauthn/fido/Pin.cpp

-                      r254079
+                      r254439
     RetriesResponse ret;
     ret.retries = static_cast<int64_t>(it->second.getUnsigned());
+    ret.retries = static_cast<uint64_t>(it->second.getUnsigned());
     return ret;
+}
 …
     const auto& encryptedToken = it->second.getByteString();
     auto tokenResult = CryptoAlgorithmAES_CBC::platformDecrypt({ }, sharedKey, encryptedToken);
+    auto tokenResult = CryptoAlgorithmAES_CBC::platformDecrypt({ }, sharedKey, encryptedToken, CryptoAlgorithmAES_CBC::Padding::No);
     if (tokenResult.hasException())
         return WTF::nullopt;
 …
     auto keyPair = keyPairResult.releaseReturnValue();
     // 2. Use ECDH to compute the shared AES-CBC key.
+    // 2. Use ECDH and SHA-256 to compute the shared AES-CBC key.
     auto sharedKeyResult = CryptoAlgorithmECDH::platformDeriveBits(downcast<CryptoKeyEC>(*keyPair.privateKey), peerKey);
     if (!sharedKeyResult)
         return WTF::nullopt;
+    auto sharedKey = CryptoKeyAES::importRaw(CryptoAlgorithmIdentifier::AES_CBC, WTFMove(*sharedKeyResult), true, CryptoKeyUsageEncrypt | CryptoKeyUsageDecrypt);
+    auto crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256);
+    crypto->addBytes(sharedKeyResult->data(), sharedKeyResult->size());
+    auto sharedKeyHash = crypto->computeHash();
+    auto sharedKey = CryptoKeyAES::importRaw(CryptoAlgorithmIdentifier::AES_CBC, WTFMove(sharedKeyHash), true, CryptoKeyUsageEncrypt | CryptoKeyUsageDecrypt);
     ASSERT(sharedKey);
 …
     // The following calculates a SHA-256 digest of the PIN, and shrink to the left 16 bytes.
     auto crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256);
+    crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256);
     crypto->addBytes(pin.data(), pin.length());
     auto pinHash = crypto->computeHash();
 …
 Vector<uint8_t> encodeAsCBOR(const TokenRequest& request)
+{
     auto result = CryptoAlgorithmAES_CBC::platformEncrypt({ }, request.sharedKey(), request.m_pinHash);
+    auto result = CryptoAlgorithmAES_CBC::platformEncrypt({ }, request.sharedKey(), request.m_pinHash, CryptoAlgorithmAES_CBC::Padding::No);
     ASSERT(!result.hasException());

trunk/Source/WebCore/Modules/webauthn/fido/Pin.h

-                      r253811
+                      r254439
 // kProtocolVersion is the version of the PIN protocol that this code
 // implements.
 constexpr int kProtocolVersion = 1;
+constexpr int64_t kProtocolVersion = 1;
 // encodeCOSEPublicKey takes a raw ECDH256 public key and returns it as a COSE structure.
 …
     // retries is the number of PIN attempts remaining before the authenticator
     // locks.
     int retries;
+    uint64_t retries;
 private:
 …
     // sharedKey returns the shared ECDH key that was used to encrypt the PIN.
     // This is needed to decrypt the response.
     const WebCore::CryptoKeyAES& sharedKey() const;
+    WEBCORE_EXPORT const WebCore::CryptoKeyAES& sharedKey() const;
     friend Vector<uint8_t> encodeAsCBOR(const TokenRequest&);

trunk/Source/WebCore/crypto/algorithms/CryptoAlgorithmAES_CBC.h

-                      r253811
+                      r254439
 class CryptoAlgorithmAES_CBC final : public CryptoAlgorithm {
 public:
+    enum class Padding : uint8_t {
+        Yes,
+        No
+    };
     static constexpr const char* s_name = "AES-CBC";
     static constexpr CryptoAlgorithmIdentifier s_identifier = CryptoAlgorithmIdentifier::AES_CBC;
 …
     // Operations can be performed directly.
     WEBCORE_EXPORT static ExceptionOr<Vector<uint8_t>> platformEncrypt(const CryptoAlgorithmAesCbcCfbParams&, const CryptoKeyAES&, const Vector<uint8_t>&);
     WEBCORE_EXPORT static ExceptionOr<Vector<uint8_t>> platformDecrypt(const CryptoAlgorithmAesCbcCfbParams&, const CryptoKeyAES&, const Vector<uint8_t>&);
+    WEBCORE_EXPORT static ExceptionOr<Vector<uint8_t>> platformEncrypt(const CryptoAlgorithmAesCbcCfbParams&, const CryptoKeyAES&, const Vector<uint8_t>&, Padding padding = Padding::Yes);
+    WEBCORE_EXPORT static ExceptionOr<Vector<uint8_t>> platformDecrypt(const CryptoAlgorithmAesCbcCfbParams&, const CryptoKeyAES&, const Vector<uint8_t>&, Padding padding = Padding::Yes);
 private:

trunk/Source/WebCore/crypto/gcrypt/CryptoAlgorithmAES_CBCGCrypt.cpp

r239427	r254439
167	167	}
168	168
169		ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformEncrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& plainText)
	169	ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformEncrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& plainText, Padding)
170	170	{
171	171	auto output = gcryptEncrypt(key.key(), parameters.ivVector(), Vector<uint8_t>(plainText));
…	…
175	175	}
176	176
177		ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformDecrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& cipherText)
	177	ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformDecrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& cipherText, Padding)
178	178	{
179	179	auto output = gcryptDecrypt(key.key(), parameters.ivVector(), cipherText);

trunk/Source/WebCore/crypto/mac/CryptoAlgorithmAES_CBCMac.cpp

-                      r253811
+                      r254439
 namespace WebCore {
 static ExceptionOr<Vector<uint8_t>> transformAES_CBC(CCOperation operation, const Vector<uint8_t>& iv, const Vector<uint8_t>& key, const Vector<uint8_t>& data)
+static ExceptionOr<Vector<uint8_t>> transformAES_CBC(CCOperation operation, const Vector<uint8_t>& iv, const Vector<uint8_t>& key, const Vector<uint8_t>& data, CryptoAlgorithmAES_CBC::Padding padding)
+{
+    CCOptions options = padding == CryptoAlgorithmAES_CBC::Padding::Yes ? kCCOptionPKCS7Padding : 0;
     CCCryptorRef cryptor;
     CCCryptorStatus status = CCCryptorCreate(operation, kCCAlgorithmAES, kCCOptionPKCS7Padding, key.data(), key.size(), iv.data(), &cryptor);
+    CCCryptorStatus status = CCCryptorCreate(operation, kCCAlgorithmAES, options, key.data(), key.size(), iv.data(), &cryptor);
     if (status)
         return Exception { OperationError };
 …
     uint8_t* p = result.data() + bytesWritten;
+    status = CCCryptorFinal(cryptor, p, result.end() - p, &bytesWritten);
+    p += bytesWritten;
+    if (status)
+        return Exception { OperationError };
+    if (padding == CryptoAlgorithmAES_CBC::Padding::Yes) {
+        status = CCCryptorFinal(cryptor, p, result.end() - p, &bytesWritten);
+        p += bytesWritten;
+        if (status)
+            return Exception { OperationError };
+    }
     ASSERT(p <= result.end());
 …
+}
 ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformEncrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& plainText)
+ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformEncrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& plainText, Padding padding)
+{
     ASSERT(parameters.ivVector().size() == kCCBlockSizeAES128 || parameters.ivVector().isEmpty());
+    return transformAES_CBC(kCCEncrypt, parameters.ivVector(), key.key(), plainText);
+    ASSERT(padding == Padding::Yes || !(plainText.size() % kCCBlockSizeAES128));
+    return transformAES_CBC(kCCEncrypt, parameters.ivVector(), key.key(), plainText, padding);
+}
 ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformDecrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& cipherText)
+ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformDecrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& cipherText, Padding padding)
+{
     ASSERT(parameters.ivVector().size() == kCCBlockSizeAES128 || parameters.ivVector().isEmpty());
+    return transformAES_CBC(kCCDecrypt, parameters.ivVector(), key.key(), cipherText);
+    ASSERT(padding == Padding::Yes || !(cipherText.size() % kCCBlockSizeAES128));
+    return transformAES_CBC(kCCDecrypt, parameters.ivVector(), key.key(), cipherText, padding);
+}

trunk/Source/WebCore/testing/MockWebAuthenticationConfiguration.h

-                      r251645
+                      r254439
         bool canDowngrade { false };
         bool expectCancel { false };
+        bool supportClientPin { false };
         template<class Encoder> void encode(Encoder&) const;
 …
 void MockWebAuthenticationConfiguration::HidConfiguration::encode(Encoder& encoder) const
+{
     encoder << payloadBase64 << stage << subStage << error << isU2f << keepAlive << fastDataArrival << continueAfterErrorData << canDowngrade << expectCancel;
+    encoder << payloadBase64 << stage << subStage << error << isU2f << keepAlive << fastDataArrival << continueAfterErrorData << canDowngrade << expectCancel << supportClientPin;
+}
 …
         return WTF::nullopt;
     if (!decoder.decode(result.expectCancel))
+        return WTF::nullopt;
+    if (!decoder.decode(result.supportClientPin))
         return WTF::nullopt;
     return result;

trunk/Source/WebCore/testing/MockWebAuthenticationConfiguration.idl

r251645	r254439
93	93	boolean canDowngrade = false;
94	94	boolean expectCancel = false;
	95	boolean supportClientPin = false;
95	96	};
96	97

trunk/Source/WebKit/ChangeLog

-                      r254436
+                      r254439
+-01-06  Jiewen Tan  <jiewen_tan@apple.com>
+        [WebAuthn] Support CTAP Client Pin
+        https://bugs.webkit.org/show_bug.cgi?id=191516
+        <rdar://problem/56558558>
+        Reviewed by Brent Fulgham.
+        This patch implements authenticatorClientPIN from the spec:
+        https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorClientPIN
+        Specifically, it implements section 5.5.1, 5.5.3, 5.5.4, 5.5.7, and 5.5.8.
+        Here is the flow how makeCredential/getAssertion works with a PIN in our implementation:
+. Determine if the connected authenticator has a PIN;
+. If yes, send the makeCredential/getAssertion request to the authenticator with an empty pinAuth
+        such that the authenticator will wink for user gestures. This step intends to confirm the authenticator
+        is the one the user wants to use. Otherwise, we don't know which authenticator to send the PIN
+        if multiple are connected;
+. Once the user confirms the authetnicator, it will return either CTAP2_ERR_PIN_INVALID or
+        CTAP2_ERR_PIN_AUTH_INVALID. Some authenticators return CTAP2_ERR_PIN_AUTH_INVALID even though
+        it is not suggested by the spec;
+. Get retries from the authenticator;
+. Get key agreement from the authenticator;
+. Ask the UI client for the PIN and at the meantime inform it the retries;
+. Get pin token from the authenticator;
+. Resend the makeCredential/getAssertion request with the desired pinAuth.
+        Besides implementating the above flow, this patch also fixes some bugs within the PIN commands encoder:
+. pinAuth/pinProtocol are wrongly encoded for makeCredential/getAssertion;
+. AES CBC should be called without any padding. Therefore, CryptoAlgorithmAES_CBC adds a no padding mode;
+. The sharedSecret is the SHA256 digest of the ECDH key agreement instead of the raw key agreement.
+        * UIProcess/API/APIWebAuthenticationPanelClient.h:
+        (API::WebAuthenticationPanelClient::requestPin const):
+        * UIProcess/WebAuthentication/Authenticator.h:
+        * UIProcess/WebAuthentication/AuthenticatorManager.cpp:
+        (WebKit::AuthenticatorManager::requestPin):
+        * UIProcess/WebAuthentication/AuthenticatorManager.h:
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h:
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm:
+        (WebKit::WebAuthenticationPanelClient::WebAuthenticationPanelClient):
+        (WebKit::WebAuthenticationPanelClient::requestPin const):
+        * UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:
+        (WebKit::MockHidConnection::feedReports):
+        * UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
+        (WebKit::CtapAuthenticator::makeCredential):
+        (WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived):
+        (WebKit::CtapAuthenticator::getAssertion):
+        (WebKit::CtapAuthenticator::continueGetAssertionAfterResponseReceived):
+        (WebKit::CtapAuthenticator::getRetries):
+        (WebKit::CtapAuthenticator::continueGetKeyAgreementAfterGetRetries):
+        (WebKit::CtapAuthenticator::continueRequestPinAfterGetKeyAgreement):
+        (WebKit::CtapAuthenticator::continueGetPinTokenAfterRequestPin):
+        (WebKit::CtapAuthenticator::continueRequestAfterGetPinToken):
+        (WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived const): Deleted.
+        * UIProcess/WebAuthentication/fido/CtapAuthenticator.h:
 -01-13  Brent Fulgham  <bfulgham@apple.com>

trunk/Source/WebKit/UIProcess/API/APIWebAuthenticationPanelClient.h

-                      r254356
+                      r254439
 #include <wtf/HashSet.h>
 #include <wtf/RefCounted.h>
+#include <wtf/text/WTFString.h>
 namespace WebCore {
 …
     virtual void dismissPanel(WebKit::WebAuthenticationResult) const { }
     virtual void selectAssertionResponses(const HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>& responses, CompletionHandler<void(const Ref<WebCore::AuthenticatorAssertionResponse>&)>&& completionHandler) const { completionHandler(*responses.begin()); }
+    virtual void requestPin(uint64_t, CompletionHandler<void(const WTF::String&)>&& completionHandler) const { completionHandler(emptyString()); }
 };

trunk/Source/WebKit/UIProcess/WebAuthentication/Authenticator.h

r254356	r254439
53	53	virtual void authenticatorStatusUpdated(WebAuthenticationStatus) = 0;
54	54	virtual void selectAssertionResponses(const HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>&, CompletionHandler<void(const Ref<WebCore::AuthenticatorAssertionResponse>&)>&&) = 0;
	55	virtual void requestPin(uint64_t retries, CompletionHandler<void(const WTF::String&)>&&) = 0;
55	56	};
56	57

trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp

r254356	r254439
280	280	}
281	281
	282	void AuthenticatorManager::requestPin(uint64_t retries, CompletionHandler<void(const WTF::String&)>&& completionHandler)
	283	{
	284	if (auto* panel = m_pendingRequestData.panel.get())
	285	panel->client().requestPin(retries, WTFMove(completionHandler));
	286	}
	287
282	288	UniqueRef<AuthenticatorTransportService> AuthenticatorManager::createService(AuthenticatorTransport transport, AuthenticatorTransportService::Observer& observer) const
283	289	{

trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h

r254356	r254439
83	83	void authenticatorStatusUpdated(WebAuthenticationStatus) final;
84	84	void selectAssertionResponses(const HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>&, CompletionHandler<void(const Ref<WebCore::AuthenticatorAssertionResponse>&)>&&) final;
	85	void requestPin(uint64_t retries, CompletionHandler<void(const WTF::String&)>&&) final;
85	86
86	87	// Overriden by MockAuthenticatorManager.

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h

-                      r251317
+                      r254439
     void updatePanel(WebAuthenticationStatus) const final;
     void dismissPanel(WebAuthenticationResult) const final;
+    void requestPin(uint64_t, CompletionHandler<void(const WTF::String&)>&&) const final;
     _WKWebAuthenticationPanel *m_panel;
 …
         bool panelUpdateWebAuthenticationPanel : 1;
         bool panelDismissWebAuthenticationPanelWithResult : 1;
+        bool panelRequestPinWithRemainingRetriesCompletionHandler : 1;
     } m_delegateMethods;
 };

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm

-                      r252035
+                      r254439
 #if ENABLE(WEB_AUTHN)
+#import "CompletionHandlerCallChecker.h"
 #import "WebAuthenticationFlags.h"
 #import "_WKWebAuthenticationPanel.h"
+#import <wtf/BlockPtr.h>
 #import <wtf/RunLoop.h>
 …
     m_delegateMethods.panelUpdateWebAuthenticationPanel = [delegate respondsToSelector:@selector(panel:updateWebAuthenticationPanel:)];
     m_delegateMethods.panelDismissWebAuthenticationPanelWithResult = [delegate respondsToSelector:@selector(panel:dismissWebAuthenticationPanelWithResult:)];
+    m_delegateMethods.panelRequestPinWithRemainingRetriesCompletionHandler = [delegate respondsToSelector:@selector(panel:requestPINWithRemainingRetries:completionHandler:)];
+}
 …
+}
+void WebAuthenticationPanelClient::requestPin(uint64_t retries, CompletionHandler<void(const WTF::String&)>&& completionHandler) const
+{
+    // Call delegates in the next run loop to prevent clients' reentrance that would potentially modify the state
+    // of the current run loop in unexpected ways.
+    RunLoop::main().dispatch([weakThis = makeWeakPtr(*this), this, retries, completionHandler = WTFMove(completionHandler)] () mutable {
+        if (!weakThis) {
+            completionHandler(emptyString());
+            return;
+        }
+        if (!m_delegateMethods.panelRequestPinWithRemainingRetriesCompletionHandler) {
+            completionHandler(emptyString());
+            return;
+        }
+        auto delegate = m_delegate.get();
+        if (!delegate) {
+            completionHandler(emptyString());
+            return;
+        }
+        auto checker = CompletionHandlerCallChecker::create(delegate.get(), @selector(panel:requestPINWithRemainingRetries:completionHandler:));
+        [delegate panel:m_panel requestPINWithRemainingRetries:retries completionHandler:makeBlockPtr([completionHandler = WTFMove(completionHandler), checker = WTFMove(checker)](NSString *pin) mutable {
+            if (checker->completionHandlerHasBeenCalled())
+                return;
+            checker->didCallCompletionHandler();
+            completionHandler(pin);
+        }).get()];
+    });
+}
 } // namespace WebKit

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp

-                      r254356
+                      r254439
 #include <WebCore/CBORReader.h>
 #include <WebCore/FidoConstants.h>
+#include <WebCore/Pin.h>
 #include <WebCore/WebAuthenticationConstants.h>
 #include <wtf/BlockPtr.h>
 …
     Optional<FidoHidMessage> message;
     if (m_stage == Mock::HidStage::Info && m_subStage == Mock::HidSubStage::Msg) {
+        // FIXME(205839):
         Vector<uint8_t> infoData;
         if (m_configuration.hid->canDowngrade)
             infoData = encodeAsCBOR(AuthenticatorGetInfoResponse({ ProtocolVersion::kCtap, ProtocolVersion::kU2f }, Vector<uint8_t>(aaguidLength, 0u)));
+        else
+        else if (m_configuration.hid->supportClientPin) {
+            AuthenticatorGetInfoResponse infoResponse({ ProtocolVersion::kCtap }, Vector<uint8_t>(aaguidLength, 0u));
+            infoResponse.setPinProtocols({ pin::kProtocolVersion });
+            AuthenticatorSupportedOptions options;
+            options.setClientPinAvailability(AuthenticatorSupportedOptions::ClientPinAvailability::kSupportedAndPinSet);
+            infoResponse.setOptions(WTFMove(options));
+            infoData = encodeAsCBOR(infoResponse);
+        } else
             infoData = encodeAsCBOR(AuthenticatorGetInfoResponse({ ProtocolVersion::kCtap }, Vector<uint8_t>(aaguidLength, 0u)));
         infoData.insert(0, static_cast<uint8_t>(CtapDeviceResponseCode::kSuccess)); // Prepend status code.

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp

-                      r254356
+                      r254439
 #include "CtapHidDriver.h"
 #include "U2fAuthenticator.h"
+#include <WebCore/CryptoKeyAES.h>
+#include <WebCore/CryptoKeyEC.h>
+#include <WebCore/CryptoKeyHMAC.h>
 #include <WebCore/DeviceRequestConverter.h>
 #include <WebCore/DeviceResponseConverter.h>
 #include <WebCore/ExceptionData.h>
+#include <WebCore/Pin.h>
 #include <WebCore/U2fCommandConstructor.h>
 #include <wtf/RunLoop.h>
 …
     if (processGoogleLegacyAppIdSupportExtension())
         return;
+    auto cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, WTF::get<PublicKeyCredentialCreationOptions>(requestData().options), m_info.options().userVerificationAvailability());
+    Vector<uint8_t> cborCmd;
+    if (m_info.options().clientPinAvailability() == AuthenticatorSupportedOptions::ClientPinAvailability::kSupportedAndPinSet)
+        cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, WTF::get<PublicKeyCredentialCreationOptions>(requestData().options), m_info.options().userVerificationAvailability(), PinParameters { pin::kProtocolVersion, m_pinAuth });
+    else
+        cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, WTF::get<PublicKeyCredentialCreationOptions>(requestData().options), m_info.options().userVerificationAvailability());
     driver().transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this)](Vector<uint8_t>&& data) {
         ASSERT(RunLoop::isMain());
 …
+}
 void CtapAuthenticator::continueMakeCredentialAfterResponseReceived(Vector<uint8_t>&& data) const
+void CtapAuthenticator::continueMakeCredentialAfterResponseReceived(Vector<uint8_t>&& data)
+{
     auto response = readCTAPMakeCredentialResponse(data, WTF::get<PublicKeyCredentialCreationOptions>(requestData().options).attestation);
 …
         if (error == CtapDeviceResponseCode::kCtap2ErrCredentialExcluded)
             receiveRespond(ExceptionData { InvalidStateError, "At least one credential matches an entry of the excludeCredentials list in the authenticator."_s });
+        // FIXME(205837)
+        else if (error == CtapDeviceResponseCode::kCtap2ErrPinInvalid || error == CtapDeviceResponseCode::kCtap2ErrPinAuthInvalid)
+            getRetries();
         else
             receiveRespond(ExceptionData { UnknownError, makeString("Unknown internal error. Error code: ", static_cast<uint8_t>(error)) });
 …
+{
     ASSERT(!m_isDowngraded);
+    auto cborCmd = encodeGetAssertionRequestAsCBOR(requestData().hash, WTF::get<PublicKeyCredentialRequestOptions>(requestData().options), m_info.options().userVerificationAvailability());
+    Vector<uint8_t> cborCmd;
+    if (m_info.options().clientPinAvailability() == AuthenticatorSupportedOptions::ClientPinAvailability::kSupportedAndPinSet)
+        cborCmd = encodeGetAssertionRequestAsCBOR(requestData().hash, WTF::get<PublicKeyCredentialRequestOptions>(requestData().options), m_info.options().userVerificationAvailability(), PinParameters { pin::kProtocolVersion, m_pinAuth });
+    else
+        cborCmd = encodeGetAssertionRequestAsCBOR(requestData().hash, WTF::get<PublicKeyCredentialRequestOptions>(requestData().options), m_info.options().userVerificationAvailability());
     driver().transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this)](Vector<uint8_t>&& data) {
         ASSERT(RunLoop::isMain());
 …
     if (!response) {
         auto error = getResponseCode(data);
+        // FIXME(205837)
+        if (error == CtapDeviceResponseCode::kCtap2ErrPinInvalid || error == CtapDeviceResponseCode::kCtap2ErrPinAuthInvalid) {
+            getRetries();
+            return;
+        }
         if (error != CtapDeviceResponseCode::kCtap2ErrInvalidCBOR && tryDowngrade())
             return;
 …
+}
+void CtapAuthenticator::getRetries()
+{
+    auto cborCmd = encodeAsCBOR(pin::RetriesRequest { });
+    driver().transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this)](Vector<uint8_t>&& data) {
+        ASSERT(RunLoop::isMain());
+        if (!weakThis)
+            return;
+        weakThis->continueGetKeyAgreementAfterGetRetries(WTFMove(data));
+    });
+}
+void CtapAuthenticator::continueGetKeyAgreementAfterGetRetries(Vector<uint8_t>&& data)
+{
+    auto retries = pin::RetriesResponse::parse(data);
+    if (!retries) {
+        auto error = getResponseCode(data);
+        receiveRespond(ExceptionData { UnknownError, makeString("Unknown internal error. Error code: ", static_cast<uint8_t>(error)) });
+        return;
+    }
+    auto cborCmd = encodeAsCBOR(pin::KeyAgreementRequest { });
+    driver().transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this), retries = retries->retries] (Vector<uint8_t>&& data) {
+        ASSERT(RunLoop::isMain());
+        if (!weakThis)
+            return;
+        weakThis->continueRequestPinAfterGetKeyAgreement(WTFMove(data), retries);
+    });
+}
+void CtapAuthenticator::continueRequestPinAfterGetKeyAgreement(Vector<uint8_t>&& data, uint64_t retries)
+{
+    auto keyAgreement = pin::KeyAgreementResponse::parse(data);
+    if (!keyAgreement) {
+        auto error = getResponseCode(data);
+        receiveRespond(ExceptionData { UnknownError, makeString("Unknown internal error. Error code: ", static_cast<uint8_t>(error)) });
+        return;
+    }
+    if (auto* observer = this->observer()) {
+        observer->requestPin(retries, [weakThis = makeWeakPtr(*this), keyAgreement = WTFMove(*keyAgreement)] (const String& pin) {
+            ASSERT(RunLoop::isMain());
+            if (!weakThis)
+                return;
+            weakThis->continueGetPinTokenAfterRequestPin(pin, keyAgreement.peerKey);
+        });
+    }
+}
+void CtapAuthenticator::continueGetPinTokenAfterRequestPin(const String& pin, const CryptoKeyEC& peerKey)
+{
+    auto pinUtf8 = pin::validateAndConvertToUTF8(pin);
+    if (!pinUtf8) {
+        receiveRespond(ExceptionData { UnknownError, makeString("Pin is not valid: ", pin) });
+        return;
+    }
+    auto tokenRequest = pin::TokenRequest::tryCreate(*pinUtf8, peerKey);
+    if (!tokenRequest) {
+        receiveRespond(ExceptionData { UnknownError, "Cannot create a TokenRequest."_s });
+        return;
+    }
+    auto cborCmd = encodeAsCBOR(*tokenRequest);
+    driver().transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this), tokenRequest = WTFMove(*tokenRequest)] (Vector<uint8_t>&& data) {
+        ASSERT(RunLoop::isMain());
+        if (!weakThis)
+            return;
+        weakThis->continueRequestAfterGetPinToken(WTFMove(data), tokenRequest);
+    });
+}
+void CtapAuthenticator::continueRequestAfterGetPinToken(Vector<uint8_t>&& data, const fido::pin::TokenRequest& tokenRequest)
+{
+    auto token = pin::TokenResponse::parse(tokenRequest.sharedKey(), data);
+    if (!token) {
+        auto error = getResponseCode(data);
+        receiveRespond(ExceptionData { UnknownError, makeString("Unknown internal error. Error code: ", static_cast<uint8_t>(error)) });
+        return;
+    }
+    m_pinAuth = token->pinAuth(requestData().hash);
+    WTF::switchOn(requestData().options, [&](const PublicKeyCredentialCreationOptions& options) {
+        makeCredential();
+    }, [&](const PublicKeyCredentialRequestOptions& options) {
+        getAssertion();
+    });
+}
 bool CtapAuthenticator::tryDowngrade()
+{

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h

-                      r254356
+                      r254439
 #include <WebCore/AuthenticatorGetInfoResponse.h>
+namespace fido {
+namespace pin {
+class TokenRequest;
+}
+}
+namespace WebCore {
+class CryptoKeyEC;
+}
 namespace WebKit {
 …
     void makeCredential() final;
     void continueMakeCredentialAfterResponseReceived(Vector<uint8_t>&&) const;
+    void continueMakeCredentialAfterResponseReceived(Vector<uint8_t>&&);
     void getAssertion() final;
     void continueGetAssertionAfterResponseReceived(Vector<uint8_t>&&);
     void continueGetNextAssertionAfterResponseReceived(Vector<uint8_t>&&);
+    void getRetries();
+    void continueGetKeyAgreementAfterGetRetries(Vector<uint8_t>&&);
+    void continueRequestPinAfterGetKeyAgreement(Vector<uint8_t>&&, uint64_t retries);
+    void continueGetPinTokenAfterRequestPin(const String& pin, const CryptoKeyEC&);
+    void continueRequestAfterGetPinToken(Vector<uint8_t>&&, const fido::pin::TokenRequest&);
     bool tryDowngrade();
 …
     size_t m_remainingAssertionResponses { 0 };
     HashSet<Ref<WebCore::AuthenticatorAssertionResponse>> m_assertionResponses;
+    Vector<uint8_t> m_pinAuth;
 };

trunk/Tools/ChangeLog

-                      r254409
+                      r254439
+-01-06  Jiewen Tan  <jiewen_tan@apple.com>
+        [WebAuthn] Support CTAP Client Pin
+        https://bugs.webkit.org/show_bug.cgi?id=191516
+        <rdar://problem/56558558>
+        Reviewed by Brent Fulgham.
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WebCore/FidoTestData.h:
+        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+        (-[TestWebAuthenticationPanelDelegate panel:requestPINWithRemainingRetries:completionHandler:]):
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-hid-pin.html: Added.
+        * TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-key-agreement-error.html: Added.
+        * TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-pin-token-error.html: Added.
+        * TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin-get-retries-error.html: Added.
+        * TestWebKitAPI/Tests/WebKitCocoa/web-authentication-make-credential-hid-pin.html: Added.
 -01-11  Alex Christensen  <achristensen@webkit.org>

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

-                      r254389
+                      r254439
 A81800218102210004A39A /* 400x400-green.png in Copy Resources */ = {isa = PBXBuildFile; fileRef = 55A817FD218101DF0004A39A /* 400x400-green.png */; };
 F9D2E52205031800A9AB38 /* AdditionalSupportedImageTypes.mm in Sources */ = {isa = PBXBuildFile; fileRef = 55F9D2E42205031800A9AB38 /* AdditionalSupportedImageTypes.mm */; };
+D26F423C3CA6A00D5CF67 /* web-authentication-make-credential-hid-pin-get-key-agreement-error.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 570D26F323C3CA5500D5CF67 /* web-authentication-make-credential-hid-pin-get-key-agreement-error.html */; };
+D26F623C3D33000D5CF67 /* web-authentication-make-credential-hid-pin.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 570D26F523C3D32700D5CF67 /* web-authentication-make-credential-hid-pin.html */; };
+D26FA23C3F25100D5CF67 /* web-authentication-make-credential-hid-pin-get-pin-token-error.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 570D26F923C3F24500D5CF67 /* web-authentication-make-credential-hid-pin-get-pin-token-error.html */; };
+D26FC23C3F87000D5CF67 /* web-authentication-get-assertion-hid-pin.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 570D26FB23C3F86500D5CF67 /* web-authentication-get-assertion-hid-pin.html */; };
 ECB91CA8B5B000051AC8 /* DownloadRequestOriginalURL.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5714ECB81CA8B58800051AC8 /* DownloadRequestOriginalURL.html */; };
 ECBB1CA8BFE400051AC8 /* DownloadRequestOriginalURLFrame.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5714ECBA1CA8BFD100051AC8 /* DownloadRequestOriginalURLFrame.html */; };
 …
 F55D2204D47F0002948C6 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 574F55D0204D471C002948C6 /* Security.framework */; };
                 5758597F23A2527A00C74572 /* CtapPinTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5758597E23A2527A00C74572 /* CtapPinTest.cpp */; };
+                5758598423C3C3A400C74572 /* web-authentication-make-credential-hid-pin-get-retries-error.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5758598323C3C36200C74572 /* web-authentication-make-credential-hid-pin-get-retries-error.html */; };
 E211F07191900A3FB8C /* IndexedDBStructuredCloneBackwardCompatibility.mm in Sources */ = {isa = PBXBuildFile; fileRef = 57599E201F07191700A3FB8C /* IndexedDBStructuredCloneBackwardCompatibility.mm */; };
 E271F071AA000A3FB8C /* IndexedDBStructuredCloneBackwardCompatibility.sqlite3 in Copy Resources */ = {isa = PBXBuildFile; fileRef = 57599E241F07192C00A3FB8C /* IndexedDBStructuredCloneBackwardCompatibility.sqlite3 */; };
 …
 DF32357E48900E85E09 /* web-authentication-get-assertion-hid-cancel.html in Copy Resources */,
 D02359B378008E1ED7 /* web-authentication-get-assertion-hid-no-credentials.html in Copy Resources */,
+D26FC23C3F87000D5CF67 /* web-authentication-get-assertion-hid-pin.html in Copy Resources */,
 DEC234F1F9300E85E09 /* web-authentication-get-assertion-hid.html in Copy Resources */,
                                 579833922368FA37008E5547 /* web-authentication-get-assertion-nfc-multiple-tags.html in Copy Resources */,
 …
 D22359BB01008E1ED7 /* web-authentication-get-assertion-u2f-no-credentials.html in Copy Resources */,
 C624502346C21E00383FE7 /* web-authentication-get-assertion.html in Copy Resources */,
+D26F423C3CA6A00D5CF67 /* web-authentication-make-credential-hid-pin-get-key-agreement-error.html in Copy Resources */,
+D26FA23C3F25100D5CF67 /* web-authentication-make-credential-hid-pin-get-pin-token-error.html in Copy Resources */,
+                                5758598423C3C3A400C74572 /* web-authentication-make-credential-hid-pin-get-retries-error.html in Copy Resources */,
+D26F623C3D33000D5CF67 /* web-authentication-make-credential-hid-pin.html in Copy Resources */,
                                 5798337E236019A4008E5547 /* web-authentication-make-credential-hid.html in Copy Resources */,
 C2B81861C89259D00A5529F /* webfont.html in Copy Resources */,
 …
 A817FE218101DF0004A39A /* 100x100-red.tga */ = {isa = PBXFileReference; lastKnownFileType = file; path = "100x100-red.tga"; sourceTree = "<group>"; };
 F9D2E42205031800A9AB38 /* AdditionalSupportedImageTypes.mm */ = {isa = PBXFileReference; explicitFileType = sourcecode.cpp.objcpp; path = AdditionalSupportedImageTypes.mm; sourceTree = "<group>"; };
+D26F323C3CA5500D5CF67 /* web-authentication-make-credential-hid-pin-get-key-agreement-error.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-hid-pin-get-key-agreement-error.html"; sourceTree = "<group>"; };
+D26F523C3D32700D5CF67 /* web-authentication-make-credential-hid-pin.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-hid-pin.html"; sourceTree = "<group>"; };
+D26F923C3F24500D5CF67 /* web-authentication-make-credential-hid-pin-get-pin-token-error.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-hid-pin-get-pin-token-error.html"; sourceTree = "<group>"; };
+D26FB23C3F86500D5CF67 /* web-authentication-get-assertion-hid-pin.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-get-assertion-hid-pin.html"; sourceTree = "<group>"; };
 ECB81CA8B58800051AC8 /* DownloadRequestOriginalURL.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = DownloadRequestOriginalURL.html; sourceTree = "<group>"; };
 ECBA1CA8BFD100051AC8 /* DownloadRequestOriginalURLFrame.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = DownloadRequestOriginalURLFrame.html; sourceTree = "<group>"; };
 …
                 5758597D23A2527A00C74572 /* CtapPinTest.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = CtapPinTest.h; sourceTree = "<group>"; };
                 5758597E23A2527A00C74572 /* CtapPinTest.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = CtapPinTest.cpp; sourceTree = "<group>"; };
+                5758598323C3C36200C74572 /* web-authentication-make-credential-hid-pin-get-retries-error.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-hid-pin-get-retries-error.html"; sourceTree = "<group>"; };
 E201F07191700A3FB8C /* IndexedDBStructuredCloneBackwardCompatibility.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = IndexedDBStructuredCloneBackwardCompatibility.mm; sourceTree = "<group>"; };
 E231F07192C00A3FB8C /* IndexedDBStructuredCloneBackwardCompatibilityWrite.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = IndexedDBStructuredCloneBackwardCompatibilityWrite.html; sourceTree = "<group>"; };
 …
 DF22357E45D00E85E09 /* web-authentication-get-assertion-hid-cancel.html */,
 CF2359B338008E1ED7 /* web-authentication-get-assertion-hid-no-credentials.html */,
+D26FB23C3F86500D5CF67 /* web-authentication-get-assertion-hid-pin.html */,
 DEB234F1F8000E85E09 /* web-authentication-get-assertion-hid.html */,
                                 5798337B235EB65C008E5547 /* web-authentication-get-assertion-nfc-multiple-tags.html */,
 …
 D12359BAD5008E1ED7 /* web-authentication-get-assertion-u2f-no-credentials.html */,
 C6244F2346C1EC00383FE7 /* web-authentication-get-assertion.html */,
+D26F323C3CA5500D5CF67 /* web-authentication-make-credential-hid-pin-get-key-agreement-error.html */,
+D26F923C3F24500D5CF67 /* web-authentication-make-credential-hid-pin-get-pin-token-error.html */,
+                                5758598323C3C36200C74572 /* web-authentication-make-credential-hid-pin-get-retries-error.html */,
+D26F523C3D32700D5CF67 /* web-authentication-make-credential-hid-pin.html */,
                                 5798337D2360196D008E5547 /* web-authentication-make-credential-hid.html */,
 EB21CF8C761004723C4 /* WebProcessKillIDBCleanup-1.html */,

trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp

-                      r253811
+                      r254439
 #include <WebCore/WebAuthenticationConstants.h>
 #include <WebCore/WebAuthenticationUtils.h>
 #include <wtf/text/Base64.h>
+#include <pal/crypto/CryptoDigest.h>
 namespace TestWebKitAPI {
 …
     result = RetriesResponse::parse(convertBytesToVector(TestData::kCtapClientPinRetriesResponse, sizeof(TestData::kCtapClientPinRetriesResponse)));
     EXPECT_TRUE(result);
     EXPECT_EQ(result->retries, 8);
+    EXPECT_EQ(result->retries, 8u);
+}
 …
     result = KeyAgreementResponse::parse(convertBytesToVector(TestData::kCtapClientPinTokenResponse, sizeof(TestData::kCtapClientPinTokenResponse))); // wrong response
     EXPECT_FALSE(result);
+#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400) || PLATFORM(IOS)
+    result = KeyAgreementResponse::parse(convertBytesToVector(TestData::kCtapClientPinInvalidKeyAgreementResponse, sizeof(TestData::kCtapClientPinInvalidKeyAgreementResponse))); // The point is not on the curve.
+    EXPECT_FALSE(result);
+#endif
     // Test COSE
 …
     EXPECT_TRUE(token);
     auto result = encodeAsCBOR(*token);
     EXPECT_EQ(result.size(), 120u);
+    EXPECT_EQ(result.size(), 103u);
     EXPECT_EQ(result[0], static_cast<uint8_t>(CtapRequestCommand::kAuthenticatorClientPin));
 …
     auto sharedKeyResult = CryptoAlgorithmECDH::platformDeriveBits(downcast<CryptoKeyEC>(*keyPair.privateKey), *cosePublicKey);
     EXPECT_TRUE(sharedKeyResult);
+    auto aesKey = CryptoKeyAES::importRaw(CryptoAlgorithmIdentifier::AES_CBC, WTFMove(*sharedKeyResult), true, CryptoKeyUsageDecrypt);
+    auto crypto = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256);
+    crypto->addBytes(sharedKeyResult->data(), sharedKeyResult->size());
+    auto sharedKeyHash = crypto->computeHash();
+    auto aesKey = CryptoKeyAES::importRaw(CryptoAlgorithmIdentifier::AES_CBC, WTFMove(sharedKeyHash), true, CryptoKeyUsageDecrypt);
     EXPECT_TRUE(aesKey);
     const auto& it6 = responseMap.find(CBORValue(static_cast<uint8_t>(RequestKey::kPinHashEnc)));
     EXPECT_NE(it6, responseMap.end());
     auto pinHashResult = CryptoAlgorithmAES_CBC::platformDecrypt({ }, *aesKey, it6->second.getByteString());
+    auto pinHashResult = CryptoAlgorithmAES_CBC::platformDecrypt({ }, *aesKey, it6->second.getByteString(), CryptoAlgorithmAES_CBC::Padding::No);
     EXPECT_FALSE(pinHashResult.hasException());
     auto pinHash = pinHashResult.releaseReturnValue();
 …
+{
     const uint8_t sharedKeyData[] = {
 x03, 0xac, 0x67, 0x42, 0x16, 0xf3, 0xe1, 0x5c,
 x76, 0x1e, 0xe1, 0xa5, 0xe2, 0x55, 0xf0, 0x67,
 x95, 0x36, 0x23, 0xc8, 0xb3, 0x88, 0xb4, 0x45,
 x9e, 0x13, 0xf9, 0x78, 0xd7, 0xc8, 0x46, 0xf4, };
+x29, 0x9E, 0x65, 0xB8, 0xE7, 0x71, 0xB8, 0x1D,
+xB1, 0xC4, 0x8D, 0xBE, 0xCE, 0x50, 0x2A, 0x84,
+x05, 0x44, 0x7F, 0x46, 0x2D, 0xE6, 0x81, 0xFA,
+xEF, 0x0A, 0x6C, 0x67, 0xA7, 0x2B, 0xB5, 0x0F, };
     auto sharedKey = CryptoKeyAES::importRaw(CryptoAlgorithmIdentifier::AES_CBC, convertBytesToVector(sharedKeyData, sizeof(sharedKeyData)), true, CryptoKeyUsageEncrypt | CryptoKeyUsageDecrypt);
     ASSERT_TRUE(sharedKey);
 …
     // 1. Generate the token.
     const uint8_t sharedKeyData[] = {
 x03, 0xac, 0x67, 0x42, 0x16, 0xf3, 0xe1, 0x5c,
 x76, 0x1e, 0xe1, 0xa5, 0xe2, 0x55, 0xf0, 0x67,
 x95, 0x36, 0x23, 0xc8, 0xb3, 0x88, 0xb4, 0x45,
 x9e, 0x13, 0xf9, 0x78, 0xd7, 0xc8, 0x46, 0xf4, };
+x29, 0x9E, 0x65, 0xB8, 0xE7, 0x71, 0xB8, 0x1D,
+xB1, 0xC4, 0x8D, 0xBE, 0xCE, 0x50, 0x2A, 0x84,
+x05, 0x44, 0x7F, 0x46, 0x2D, 0xE6, 0x81, 0xFA,
+xEF, 0x0A, 0x6C, 0x67, 0xA7, 0x2B, 0xB5, 0x0F, };
     auto sharedKey = CryptoKeyAES::importRaw(CryptoAlgorithmIdentifier::AES_CBC, convertBytesToVector(sharedKeyData, sizeof(sharedKeyData)), true, CryptoKeyUsageEncrypt | CryptoKeyUsageDecrypt);
     ASSERT_TRUE(sharedKey);
 …
     // 2. Generate the pinAuth.
     auto pinAuth = result->pinAuth(convertBytesToVector(sharedKeyData, sizeof(sharedKeyData))); // sharedKeyData pretends to be clientDataHash
     const uint8_t expectedPinAuth[] = { 0xb3, 0xc2, 0x65, 0x1c, 0xfd, 0xc8, 0x42, 0xb4, 0x60, 0x16, 0xed, 0x20, 0x64, 0x53, 0xaf, 0x84 };
+    const uint8_t expectedPinAuth[] = { 0x0b, 0xec, 0x9d, 0xba, 0x69, 0xb0, 0x0f, 0x45, 0x0b, 0xec, 0x66, 0xb4, 0x75, 0x7f, 0x93, 0x85 };
     EXPECT_EQ(pinAuth.size(), 16u);
     EXPECT_EQ(memcmp(pinAuth.data(), expectedPinAuth, pinAuth.size()), 0);

trunk/Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h

-                      r254356
+                      r254439
     // True(21)
 xf5,
     // key(8) - pinProtocol
+    // key(8) - pinAuth
 x08,
-    // value - 1
-x01,
-    // key(9) - pinAuth
-x09,
     // bytes(16)
 x50, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+x0b, 0x0c, 0x0d, 0x0e, 0x0f
+x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    // key(9) - pinProtocol
+x09,
+    // value - 1
+x01,
 };
 …
     // value - True(21)
 xf5,
+    // key(8) - pinProtocol
+x08,
+    // value - 1
+x01,
+    // key(9) - pinAuth
+x09,
+    // key(6) - pinAuth
+x06,
     // bytes(16)
 x50, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+x0b, 0x0c, 0x0d, 0x0e, 0x0f
+x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    // key(7) - pinProtocol
+x07,
+    // value - 1
+x01,
 };
 …
     // key(2) - pinToken
 x02,
     // bytes(32)
 x58, 0x20,
+    // bytes(16)
+x50,
     // encrypted token
+x48, 0xb9, 0x5d, 0x3d, 0x9e, 0xee, 0xe5, 0x00, 0xab, 0x51, 0x13, 0x2b,
+x35, 0x77, 0x66, 0x5c, 0x41, 0x7a, 0x56, 0x3e, 0xb3, 0xe2, 0x3c, 0xb7,
+x6a, 0x37, 0xb3, 0xde, 0x57, 0x2b, 0xca, 0xaa,
+x13, 0xA4, 0xEE, 0xB7, 0x0E, 0xC9, 0x1A, 0xEA, 0x00, 0x1E, 0x93, 0x16,
+xF6, 0x1E, 0x41, 0xF7,
 };
 …
 };
+constexpr uint8_t kCtapClientPinInvalidKeyAgreementResponse[] = {
+    // Success
+x00,
+    // map(1)
+xA1,
+    // key(1) - keyAgreement
+x01,
+    // Map(5)
+xA5,
+    // kty: EC key type
+x01, 0x02,
+    // alg: ECDH256 signature algorithm
+x03, 0x38, 0x18,
+    // crv: P-256 curve
+x20, 0x01,
+    // x-coordinate
+x21,
+    // Bytes(32)
+x58, 0x20,
+    // Byte array content
+xE8, 0x76, 0x25, 0x89, 0x6E, 0xE4, 0xE4, 0x66, 0xC0, 0x32, 0x76, 0x6E,
+x80, 0x87, 0x96, 0x2F, 0x36, 0xDF, 0x9D, 0xFF, 0x8B, 0x56, 0x7F, 0x37,
+x63, 0x01, 0x5B, 0x19, 0x90, 0xA6, 0x0E, 0x14,
+    // y-coordinate
+x22,
+    // Bytes(32)
+x58, 0x20,
+    // Byte array content
+x27, 0xDE, 0x61, 0x2D, 0x66, 0x41, 0x8B, 0xDA, 0x19, 0x50, 0x58, 0x1E,
+xBC, 0x5C, 0x8C, 0x1D, 0xAD, 0x71, 0x0C, 0xB1, 0x4C, 0x22, 0xF8, 0xC9,
+x70, 0x45, 0xF4, 0x61, 0x2F, 0xB2, 0x0C, 0x91,
+};
 constexpr uint8_t kCtapClientPinRetriesResponse[] = {
     // Success

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm

-                      r252248
+                      r254439
 static bool webAuthenticationPanelUpdateNoCredentialsFound = false;
 static bool webAuthenticationPanelCancelImmediately = false;
+static String webAuthenticationPanelPin;
 @interface TestWebAuthenticationPanelDelegate : NSObject <_WKWebAuthenticationPanelDelegate>
 …
         return;
+    }
+}
+- (void)panel:(_WKWebAuthenticationPanel *)panel requestPINWithRemainingRetries:(NSUInteger)retries completionHandler:(void (^)(NSString *))completionHandler
+{
+    ASSERT_NE(panel, nil);
+    EXPECT_EQ(retries, 8ul);
+    completionHandler(webAuthenticationPanelPin);
+}
 …
+}
+TEST(WebAuthenticationPanel, PinGetRetriesError)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-hid-pin-get-retries-error" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Unknown internal error. Error code: 2"];
+}
+TEST(WebAuthenticationPanel, PinGetKeyAgreementError)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-hid-pin-get-key-agreement-error" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Unknown internal error. Error code: 2"];
+}
+TEST(WebAuthenticationPanel, PinRequestPinErrorNoDelegate)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-hid-pin" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Pin is not valid: "];
+}
+TEST(WebAuthenticationPanel, PinRequestPinErrorNullDelegate)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-hid-pin" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [delegate setIsNull:true];
+    [webView setUIDelegate:delegate.get()];
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Pin is not valid: "];
+}
+TEST(WebAuthenticationPanel, PinRequestPinError)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-hid-pin" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+    webAuthenticationPanelPin = "123";
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Pin is not valid: 123"];
+}
+TEST(WebAuthenticationPanel, PinGetPinTokenError)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-hid-pin-get-pin-token-error" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+    webAuthenticationPanelPin = "1234";
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Unknown internal error. Error code: 2"];
+}
+TEST(WebAuthenticationPanel, MakeCredentialPin)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-hid-pin" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+    webAuthenticationPanelPin = "1234";
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Succeeded!"];
+}
+TEST(WebAuthenticationPanel, GetAssertionPin)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-get-assertion-hid-pin" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+    webAuthenticationPanelPin = "1234";
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Succeeded!"];
+}
 } // namespace TestWebKitAPI

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 254439 in webkit

Legend:

Download in other formats: