Context Navigation

← Previous Changeset
Next Changeset →

Changeset 254710 in webkit

Timestamp:

Jan 16, 2020 2:54:02 PM (4 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] User Verification (UV) option present on a CTAP2 authenticatorMakeCredential while the authenticator has not advertised support for it
https://bugs.webkit.org/show_bug.cgi?id=204111
<rdar://problem/57019604>

Reviewed by Brent Fulgham.

Source/WebCore:

Covered by API tests.

Modules/webauthn/fido/DeviceRequestConverter.cpp:

(fido::encodeMakeCredenitalRequestAsCBOR):
(fido::encodeGetAssertionRequestAsCBOR):
Only set UV if RP requires it.

Tools:

TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:

(TestWebKitAPI::TEST):

TestWebKitAPI/Tests/WebCore/FidoTestData.h:

Location:

trunk

Files:

: 5 edited

Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp (modified) (2 diffs)
Tools/ChangeLog (modified) (1 diff)
Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp (modified) (3 diffs)
Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebCore/ChangeLog

-                      r254704
+                      r254710
+-01-16  Jiewen Tan  <jiewen_tan@apple.com>
+        [WebAuthn] User Verification (UV) option present on a CTAP2 authenticatorMakeCredential while the authenticator has not advertised support for it
+        https://bugs.webkit.org/show_bug.cgi?id=204111
+        <rdar://problem/57019604>
+        Reviewed by Brent Fulgham.
+        Covered by API tests.
+        * Modules/webauthn/fido/DeviceRequestConverter.cpp:
+        (fido::encodeMakeCredenitalRequestAsCBOR):
+        (fido::encodeGetAssertionRequestAsCBOR):
+        Only set UV if RP requires it.
 -01-16  Brady Eidson  <beidson@apple.com>

trunk/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp

-                      r254439
+                      r254710
             requireUserVerification = false;
+        }
+        optionMap[CBORValue(kUserVerificationMapKey)] = CBORValue(requireUserVerification);
+        if (requireUserVerification)
+            optionMap[CBORValue(kUserVerificationMapKey)] = CBORValue(requireUserVerification);
+    }
     if (!optionMap.empty())
 …
         requireUserVerification = false;
+    }
+    optionMap[CBORValue(kUserVerificationMapKey)] = CBORValue(requireUserVerification);
+    if (requireUserVerification)
+        optionMap[CBORValue(kUserVerificationMapKey)] = CBORValue(requireUserVerification);
     optionMap[CBORValue(kUserPresenceMapKey)] = CBORValue(true);

trunk/Tools/ChangeLog

-                      r254708
+                      r254710
+-01-16  Jiewen Tan  <jiewen_tan@apple.com>
+        [WebAuthn] User Verification (UV) option present on a CTAP2 authenticatorMakeCredential while the authenticator has not advertised support for it
+        https://bugs.webkit.org/show_bug.cgi?id=204111
+        <rdar://problem/57019604>
+        Reviewed by Brent Fulgham.
+        * TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WebCore/FidoTestData.h:
 -01-16  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp

-                      r253811
+                      r254710
+}
+TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParamNoUVNoRK)
+{
+    PublicKeyCredentialCreationOptions::RpEntity rp;
+    rp.name = "Acme";
+    rp.id = "acme.com";
+    PublicKeyCredentialCreationOptions::UserEntity user;
+    user.name = "johnpsmith@example.com";
+    user.icon = "https://pics.acme.com/00/p/aBjjjpqPb.png";
+    user.idVector.append(TestData::kUserId, sizeof(TestData::kUserId));
+    user.displayName = "John P. Smith";
+    Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { PublicKeyCredentialCreationOptions::AuthenticatorAttachment::Platform, false, UserVerificationRequirement::Discouraged };
+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, WTF::nullopt, { }, selection, AttestationConveyancePreference::None, WTF::nullopt };
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+    EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
+    EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
+}
 TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParamWithPin)
+{
 …
+}
 TEST(CTAPRequestTest, TestConstructGetAssertionRequestWithPin)
+TEST(CTAPRequestTest, TestConstructGetAssertionRequestNoUV)
+{
     PublicKeyCredentialRequestOptions options;
 …
     options.allowCredentials.append(descriptor2);
+    options.userVerification = UserVerificationRequirement::Discouraged;
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+    EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequestShort));
+    EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequestShort, serializedData.size()), 0);
+}
+TEST(CTAPRequestTest, TestConstructGetAssertionRequestWithPin)
+{
+    PublicKeyCredentialRequestOptions options;
+    options.rpId = "acme.com";
+    PublicKeyCredentialDescriptor descriptor1;
+    descriptor1.type = PublicKeyCredentialType::PublicKey;
+    const uint8_t id1[] = {
+xf2, 0x20, 0x06, 0xde, 0x4f, 0x90, 0x5a, 0xf6, 0x8a, 0x43, 0x94,
+x2f, 0x02, 0x4f, 0x2a, 0x5e, 0xce, 0x60, 0x3d, 0x9c, 0x6d, 0x4b,
+x3d, 0xf8, 0xbe, 0x08, 0xed, 0x01, 0xfc, 0x44, 0x26, 0x46, 0xd0,
+x34, 0x85, 0x8a, 0xc7, 0x5b, 0xed, 0x3f, 0xd5, 0x80, 0xbf, 0x98,
+x08, 0xd9, 0x4f, 0xcb, 0xee, 0x82, 0xb9, 0xb2, 0xef, 0x66, 0x77,
+xaf, 0x0a, 0xdc, 0xc3, 0x58, 0x52, 0xea, 0x6b, 0x9e };
+    descriptor1.idVector.append(id1, sizeof(id1));
+    options.allowCredentials.append(descriptor1);
+    PublicKeyCredentialDescriptor descriptor2;
+    descriptor2.type = PublicKeyCredentialType::PublicKey;
+    const uint8_t id2[] = {
+x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 };
+    descriptor2.idVector.append(id2, sizeof(id2));
+    options.allowCredentials.append(descriptor2);
     options.userVerification = UserVerificationRequirement::Required;

trunk/Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h

-                      r254439
+                      r254710
 };
 constexpr uint8_t kCtapMakeCredentialRequestWithPin[] = {
+constexpr uint8_t kCtapMakeCredentialRequestShort[] = {
     // authenticatorMakeCredential command
 x01,
     // map(7)
 xa7,
+    // map(4)
+xa4,
     // key(1) - clientDataHash
 x01,
 …
     // value - "public-key"
 x6a, 0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79,
+};
+constexpr uint8_t kCtapMakeCredentialRequestWithPin[] = {
+    // authenticatorMakeCredential command
+x01,
+    // map(7)
+xa7,
+    // key(1) - clientDataHash
+x01,
+    // bytes(32)
+x58, 0x20, 0x68, 0x71, 0x34, 0x96, 0x82, 0x22, 0xec, 0x17, 0x20, 0x2e,
+x42, 0x50, 0x5f, 0x8e, 0xd2, 0xb1, 0x6a, 0xe2, 0x2f, 0x16, 0xbb, 0x05,
+xb8, 0x8c, 0x25, 0xdb, 0x9e, 0x60, 0x26, 0x45, 0xf1, 0x41,
+    // key(2) - rp
+x02,
+    // map(2)
+xa2,
+    // key - "id"
+x62, 0x69, 0x64,
+    // value - "acme.com"
+x68, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
+    // key -  "name"
+x64, 0x6e, 0x61, 0x6d, 0x65,
+    // value - "Acme"
+x64, 0x41, 0x63, 0x6d, 0x65,
+    // key(3) - user
+x03,
+    // map(4)
+xa4,
+    // key - "id"
+x62, 0x69, 0x64,
+    // value - user id
+x48, 0x10, 0x98, 0x23, 0x72, 0x35, 0x40, 0x98, 0x72,
+    // key - "icon"
+x64, 0x69, 0x63, 0x6f, 0x6e,
+    // value - "https://pics.acme.com/00/p/aBjjjpqPb.png"
+x78, 0x28, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x70, 0x69,
+x63, 0x73, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+x30, 0x30, 0x2f, 0x70, 0x2f, 0x61, 0x42, 0x6a, 0x6a, 0x6a, 0x70, 0x71,
+x50, 0x62, 0x2e, 0x70, 0x6e, 0x67,
+    // key - "name"
+x64, 0x6e, 0x61, 0x6d, 0x65,
+    // value - "johnpsmith@example.com"
+x76, 0x6a, 0x6f, 0x68, 0x6e, 0x70, 0x73, 0x6d, 0x69, 0x74, 0x68, 0x40,
+x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
+    // key - "displayName"
+x6b, 0x64, 0x69, 0x73, 0x70, 0x6c, 0x61, 0x79, 0x4e, 0x61, 0x6d, 0x65,
+    // value - "John P. Smith"
+x6d, 0x4a, 0x6f, 0x68, 0x6e, 0x20, 0x50, 0x2e, 0x20, 0x53, 0x6d, 0x69,
+x74, 0x68,
+    // key(4) - pubKeyCredParams
+x04,
+    // array(2)
+x82,
+    // map(2)
+xa2,
+    // key - "alg"
+x63, 0x61, 0x6c, 0x67,
+    // value - 7
+x07,
+    // key - "type"
+x64, 0x74, 0x79, 0x70, 0x65,
+    // value - "public-key"
+x6a, 0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79,
+    // map(2)
+xa2,
+    // key - "alg"
+x63, 0x61, 0x6c, 0x67,
+    // value - 257
+x19, 0x01, 0x01,
+    // key - "type"
+x64, 0x74, 0x79, 0x70, 0x65, // "type"
+    // value - "public-key"
+x6a, 0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79,
     // key(7) - options
 x07,
 …
     // key - "uv"
 x62, 0x75, 0x76,
+    // value - True(21)
+xf5,
+};
+constexpr uint8_t kTestComplexCtapGetAssertionRequestShort[] = {
+    // authenticatorGetAssertion command
+x02,
+    // map(4)
+xa4,
+    // key(01) -rpId
+x01,
+    // value - "acme.com"
+x68, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
+    // key(02) - client data hash
+x02,
+    // value - bytes(32)
+x58, 0x20, 0x68, 0x71, 0x34, 0x96, 0x82, 0x22, 0xec, 0x17, 0x20, 0x2e,
+x42, 0x50, 0x5f, 0x8e, 0xd2, 0xb1, 0x6a, 0xe2, 0x2f, 0x16, 0xbb, 0x05,
+xb8, 0x8c, 0x25, 0xdb, 0x9e, 0x60, 0x26, 0x45, 0xf1, 0x41,
+    // key(03) - allow list
+x03,
+    // value - array(2)
+x82,
+    // map(2)
+xa2,
+    // key - "id"
+x62, 0x69, 0x64,
+    // value - credential ID
+x58, 0x40, 0xf2, 0x20, 0x06, 0xde, 0x4f, 0x90, 0x5a, 0xf6, 0x8a, 0x43,
+x94, 0x2f, 0x02, 0x4f, 0x2a, 0x5e, 0xce, 0x60, 0x3d, 0x9c, 0x6d, 0x4b,
+x3d, 0xf8, 0xbe, 0x08, 0xed, 0x01, 0xfc, 0x44, 0x26, 0x46, 0xd0, 0x34,
+x85, 0x8a, 0xc7, 0x5b, 0xed, 0x3f, 0xd5, 0x80, 0xbf, 0x98, 0x08, 0xd9,
+x4f, 0xcb, 0xee, 0x82, 0xb9, 0xb2, 0xef, 0x66, 0x77, 0xaf, 0x0a, 0xdc,
+xc3, 0x58, 0x52, 0xea, 0x6b, 0x9e,
+    // key - "type"
+x64, 0x74, 0x79, 0x70, 0x65,
+    // value - "public-key"
+x6a, 0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79,
+    // map(2)
+xa2,
+    // key - "id"
+x62, 0x69, 0x64,
+    // value - credential ID
+x58, 0x32, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+x03, 0x03, 0x03, 0x03,
+    // key - "type"
+x64, 0x74, 0x79, 0x70, 0x65,
+    // value - "public-key"
+x6a, 0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79,
+    // unsigned(5) - options
+x05,
+    // map(1)
+xa1,
+    // key -"up"
+x62, 0x75, 0x70,
     // value - True(21)
 xf5,

Note: See TracChangeset for help on using the changeset viewer.