Changeset 257085 in webkit

Timestamp:

Feb 20, 2020 2:05:59 PM (4 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] Replace DeviceIdentity.framework
​https://bugs.webkit.org/show_bug.cgi?id=207985
<rdar://problem/59369223>

Reviewed by Brent Fulgham.

Source/WebKit:

This patch replaces the DeviceIdentity.framework with a new framework that better suits our needs.
The new experimental authentication logic is handled by WebKtAdditions. Please refer to the radar
for detailed information.

Besides the replacement, this patch also:
1) changes how user consent is obtained to avoid multiple prompts for biometric input.
2) removes keychain workarounds for DeviceIdentity given the credential private key is now under our possession.
3) removes everything that is related to DeviceIdentity.

Covered by new tests within existing test files.

• Configurations/WebKit.xcconfig:
• Platform/spi/Cocoa/DeviceIdentitySPI.h: Removed.
• UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h:
• UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:

(WebKit::LocalAuthenticatorInternal::toNSData):
(WebKit::LocalAuthenticator::makeCredential):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterUserConsented):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
(WebKit::LocalAuthenticator::getAssertion):
(WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented):

• UIProcess/WebAuthentication/Cocoa/LocalConnection.h:
• UIProcess/WebAuthentication/Cocoa/LocalConnection.mm:

(WebKit::LocalConnection::createCredentialPrivateKey const):
(WebKit::LocalConnection::getAttestation const):

• UIProcess/WebAuthentication/Cocoa/LocalService.mm:

(WebKit::LocalService::isAvailable):

• UIProcess/WebAuthentication/Mock/MockLocalConnection.h:
• UIProcess/WebAuthentication/Mock/MockLocalConnection.mm:

(WebKit::MockLocalConnection::createCredentialPrivateKey const):
(WebKit::MockLocalConnection::getAttestation const):

• WebKit.xcodeproj/project.pbxproj:

Source/WTF:

• wtf/PlatformHave.h:

LayoutTests:

• http/wpt/webauthn/public-key-credential-create-failure-local.https-expected.txt:
• http/wpt/webauthn/public-key-credential-create-failure-local.https.html:
• http/wpt/webauthn/public-key-credential-create-success-local.https.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https.html (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html (modified) (2 diffs)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/PlatformHave.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Configurations/WebKit.xcconfig (modified) (3 diffs)
• Source/WebKit/Platform/spi/Cocoa/DeviceIdentitySPI.h (deleted)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm (modified) (13 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.h (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.mm (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalService.mm (modified) (3 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.mm (modified) (3 diffs)
• Source/WebKit/WebKit.xcodeproj/project.pbxproj (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-02-20  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Replace DeviceIdentity.framework
+        https://bugs.webkit.org/show_bug.cgi?id=207985
+        <rdar://problem/59369223>
+
+        Reviewed by Brent Fulgham.
+
+        * http/wpt/webauthn/public-key-credential-create-failure-local.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-create-failure-local.https.html:
+        * http/wpt/webauthn/public-key-credential-create-success-local.https.html:
+
 2020-02-20  Jason Lawrence  <lawrence.j@apple.com>
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https-expected.txt

@@ -4 +4 @@
 PASS PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator. 2nd 
 PASS PublicKeyCredential's [[create]] without user consent in a mock local authenticator. 
+PASS PublicKeyCredential's [[create]] without private keys in a mock local authenticator. 
 PASS PublicKeyCredential's [[create]] without attestation in a mock local authenticator. 
 PASS PublicKeyCredential's [[create]] deleting old credential in a mock local authenticator. 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https.html

@@ -119 +119 @@
             if (window.internals)
                 internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false } });
+            return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't create private key.");
+        }, "PublicKeyCredential's [[create]] without private keys in a mock local authenticator.");
+
+        promise_test(t => {
+            const options = {
+                publicKey: {
+                    rp: {
+                        name: "example.com"
+                    },
+                    user: {
+                        name: "John Appleseed",
+                        id: Base64URL.parse(testUserhandleBase64),
+                        displayName: "John",
+                    },
+                    challenge: asciiToUint8Array("123456"),
+                    pubKeyCredParams: [{ type: "public-key", alg: -7 }]
+                }
+            };
+            if (window.internals)
+                internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false, privateKeyBase64: privateKeyBase64 } });
             return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't attest: The operation couldn't complete.");
         }, "PublicKeyCredential's [[create]] without attestation in a mock local authenticator.");
@@ -141 +161 @@
                 testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
             }
-            return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't attest: The operation couldn't complete.").then(() => {
+            return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't create private key.").then(() => {
                 if (window.testRunner)
                     assert_false(testRunner.keyExistsInKeychain(testRpId, userhandleBase64));

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html

@@ -42 +42 @@
                 assert_equals(attestationObject.fmt, "none");
             else
-                assert_equals(attestationObject.fmt, "Apple");
+                assert_equals(attestationObject.fmt, "apple");
             // Check authData
             const authData = decodeAuthData(attestationObject.authData);
@@ -59 +59 @@
                 assert_array_equals(attestationObject.attStmt.x5c[0], Base64URL.parse(testAttestationCertificateBase64));
                 assert_array_equals(attestationObject.attStmt.x5c[1], Base64URL.parse(testAttestationIssuingCACertificateBase64));
-
-                // Check signature
-                let publicKeyData = new Uint8Array(65);
-                publicKeyData[0] = 0x04;
-                publicKeyData.set(authData.publicKey['-2'], 1);
-                publicKeyData.set(authData.publicKey['-3'], 33);
-                return crypto.subtle.importKey("raw", publicKeyData, {
-                    name: "ECDSA",
-                    namedCurve: "P-256"
-                }, false, ['verify']).then(publicKey => {
-                    return crypto.subtle.verify({
-                        name: "ECDSA",
-                        hash: "SHA-256"
-                    }, publicKey, extractRawSignature(attestationObject.attStmt.sig), attestationObject.authData).then(verified => {
-                        assert_true(verified);
-                    });
-                });
             }
         }

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-02-20  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Replace DeviceIdentity.framework
+        https://bugs.webkit.org/show_bug.cgi?id=207985
+        <rdar://problem/59369223>
+
+        Reviewed by Brent Fulgham.
+
+        * wtf/PlatformHave.h:
+
 2020-02-20  Eric Liang  <ericliang@apple.com>
 

trunk/Source/WTF/wtf/PlatformHave.h

@@ -558 +558 @@
 #endif
 
-#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400) || (PLATFORM(IOS) && !PLATFORM(IOS_SIMULATOR))
-#define HAVE_DEVICE_IDENTITY 1
-#endif
-
 #if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101600) || (PLATFORM(IOS_FAMILY) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 140000)
 #define HAVE_COOKIE_CHANGE_LISTENER_API 1

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-02-20  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Replace DeviceIdentity.framework
+        https://bugs.webkit.org/show_bug.cgi?id=207985
+        <rdar://problem/59369223>
+
+        Reviewed by Brent Fulgham.
+
+        This patch replaces the DeviceIdentity.framework with a new framework that better suits our needs.
+        The new experimental authentication logic is handled by WebKtAdditions. Please refer to the radar
+        for detailed information.
+
+        Besides the replacement, this patch also:
+        1) changes how user consent is obtained to avoid multiple prompts for biometric input.
+        2) removes keychain workarounds for DeviceIdentity given the credential private key is now under our possession.
+        3) removes everything that is related to DeviceIdentity.
+
+        Covered by new tests within existing test files.
+
+        * Configurations/WebKit.xcconfig:
+        * Platform/spi/Cocoa/DeviceIdentitySPI.h: Removed.
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h:
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+        (WebKit::LocalAuthenticatorInternal::toNSData):
+        (WebKit::LocalAuthenticator::makeCredential):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserConsented):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
+        (WebKit::LocalAuthenticator::getAssertion):
+        (WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented):
+        * UIProcess/WebAuthentication/Cocoa/LocalConnection.h:
+        * UIProcess/WebAuthentication/Cocoa/LocalConnection.mm:
+        (WebKit::LocalConnection::createCredentialPrivateKey const):
+        (WebKit::LocalConnection::getAttestation const):
+        * UIProcess/WebAuthentication/Cocoa/LocalService.mm:
+        (WebKit::LocalService::isAvailable):
+        * UIProcess/WebAuthentication/Mock/MockLocalConnection.h:
+        * UIProcess/WebAuthentication/Mock/MockLocalConnection.mm:
+        (WebKit::MockLocalConnection::createCredentialPrivateKey const):
+        (WebKit::MockLocalConnection::getAttestation const):
+        * WebKit.xcodeproj/project.pbxproj:
+
 2020-02-20  Eric Liang  <ericliang@apple.com>
 

trunk/Source/WebKit/Configurations/WebKit.xcconfig

@@ -61 +61 @@
 WK_CORE_SERVICES_LDFLAGS_macosx = -framework CoreServices;
 
-WK_DEVICE_IDENTITY_LDFLAGS = $(WK_DEVICE_IDENTITY_LDFLAGS_$(WK_HAVE_DEVICE_IDENTITY));
-WK_DEVICE_IDENTITY_LDFLAGS_YES = -framework DeviceIdentity;
-
 WK_GRAPHICS_SERVICES_LDFLAGS = $(WK_GRAPHICS_SERVICES_LDFLAGS_$(WK_COCOA_TOUCH));
 WK_GRAPHICS_SERVICES_LDFLAGS_cocoatouch = -framework GraphicsServices;
@@ -124 +121 @@
 WK_AUTHKIT_LDFLAGS_MACOS_SINCE_1015 = -framework AuthKit;
 
-FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework IOSurface -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_AUTHKIT_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_DEVICE_IDENTITY_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_LIBSANDBOX_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_SECURITY_INTERFACE_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS) $(WK_WEBINSPECTORUI_LDFLAGS);
+FRAMEWORK_AND_LIBRARY_LDFLAGS = -lobjc -framework CFNetwork -framework CoreAudio -framework CoreFoundation -framework CoreGraphics -framework CoreText -framework Foundation -framework ImageIO -framework IOKit -framework IOSurface -framework WebKitLegacy -lnetwork $(WK_ACCESSIBILITY_LDFLAGS) $(WK_APPKIT_LDFLAGS) $(WK_ASSERTION_SERVICES_LDFLAGS) $(WK_AUTHKIT_LDFLAGS) $(WK_CARBON_LDFLAGS) $(WK_CORE_PREDICTION_LDFLAGS) $(WK_CORE_SERVICES_LDFLAGS) $(WK_GRAPHICS_SERVICES_LDFLAGS) $(WK_LIBSANDBOX_LDFLAGS) $(WK_LIBWEBRTC_LDFLAGS) $(WK_MOBILE_CORE_SERVICES_LDFLAGS) $(WK_MOBILE_GESTALT_LDFLAGS) $(WK_OPENGL_LDFLAGS) $(WK_PDFKIT_LDFLAGS) $(WK_SAFE_BROWSING_LDFLAGS) $(WK_SECURITY_INTERFACE_LDFLAGS) $(WK_UIKIT_LDFLAGS) $(WK_URL_FORMATTING_LDFLAGS) $(WK_WEBINSPECTORUI_LDFLAGS);
 
 // Prevent C++ standard library basic_stringstream, operator new, delete and their related exception types from being exported as weak symbols.
@@ -162 +159 @@
 WK_RELOCATABLE_FRAMEWORK_LDFLAGS_YES_macosx = -Wl,-not_for_dyld_shared_cache;
 
-WK_HAVE_DEVICE_IDENTITY = $(WK_HAVE_DEVICE_IDENTITY_$(WK_PLATFORM_NAME));
-WK_HAVE_DEVICE_IDENTITY_iphoneos = YES;
-WK_HAVE_DEVICE_IDENTITY_macosx = $(WK_HAVE_DEVICE_IDENTITY$(WK_MACOS_1014));
-WK_HAVE_DEVICE_IDENTITY_MACOS_SINCE_1014 = YES;
-
 WK_HAVE_URL_FORMATTING = $(WK_HAVE_URL_FORMATTING_$(WK_PLATFORM_NAME));
 WK_HAVE_URL_FORMATTING_iphoneos = $(WK_HAVE_URL_FORMATTING$(WK_IOS_12));

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h

@@ -57 +57 @@
 
     void makeCredential() final;
-    void continueMakeCredentialAfterUserConsented(LocalConnection::UserConsent);
-    void continueMakeCredentialAfterAttested(SecKeyRef, NSArray *certificates, NSError *);
+    void continueMakeCredentialAfterUserConsented(SecAccessControlRef, LocalConnection::UserConsent, LAContext *);
+    void continueMakeCredentialAfterAttested(SecKeyRef, Vector<uint8_t>&& credentialId, Vector<uint8_t>&& authData, NSArray *certificates, NSError *);
 
     void getAssertion() final;

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm

@@ -81 +81 @@
 }
 
+static inline RetainPtr<NSData> toNSData(const Vector<uint8_t>& data)
+{
+    // FIXME(183534): Consider using initWithBytesNoCopy.
+    return adoptNS([[NSData alloc] initWithBytes:data.data() length:data.size()]);
+}
+
 } // LocalAuthenticatorInternal
 
@@ -100 +106 @@
     // Step 8 is implicitly captured by all UnknownError exception receiveResponds.
     // Step 2.
-    bool canFullfillPubKeyCredParams = false;
-    for (auto& pubKeyCredParam : creationOptions.pubKeyCredParams) {
-        if (pubKeyCredParam.type == PublicKeyCredentialType::PublicKey && pubKeyCredParam.alg == COSE::ES256) {
-            canFullfillPubKeyCredParams = true;
-            break;
-        }
-    }
-    if (!canFullfillPubKeyCredParams) {
+    if (notFound == creationOptions.pubKeyCredParams.findMatching([] (auto& pubKeyCredParam) {
+        return pubKeyCredParam.type == PublicKeyCredentialType::PublicKey && pubKeyCredParam.alg == COSE::ES256;
+    })) {
         receiveRespond(ExceptionData { NotSupportedError, "The platform attached authenticator doesn't support any provided PublicKeyCredentialParameters."_s });
         return;
@@ -137 +138 @@
         auto retainAttributesArray = adoptCF(attributesArrayRef);
 
+        // FIXME(rdar://problem/35900593): Need to obtain user consent and then return different error according to the result.
         for (NSDictionary *nsAttributes in (NSArray *)attributesArrayRef) {
             NSData *nsCredentialId = nsAttributes[(id)kSecAttrApplicationLabel];
@@ -149 +151 @@
     // FIXME(rdar://problem/35900593): Update to a formal UI.
     // Get user consent.
-    auto callback = [weakThis = makeWeakPtr(*this)](LocalConnection::UserConsent consent) {
+    RetainPtr<SecAccessControlRef> accessControl;
+    {
+        CFErrorRef errorRef = nullptr;
+        accessControl = adoptCF(SecAccessControlCreateWithFlags(NULL, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlPrivateKeyUsage | kSecAccessControlUserPresence, &errorRef));
+        auto retainError = adoptCF(errorRef);
+        if (errorRef) {
+            LOG_ERROR("Couldn't create access control: %@", (NSError *)errorRef);
+            receiveRespond(ExceptionData { UnknownError, makeString("Couldn't create access control: ", String(((NSError*)errorRef).localizedDescription)) });
+            return;
+        }
+    }
+
+    SecAccessControlRef accessControlRef = accessControl.get();
+    auto callback = [accessControl = WTFMove(accessControl), weakThis = makeWeakPtr(*this)] (LocalConnection::UserConsent consent, LAContext *context) {
         ASSERT(RunLoop::isMain());
         if (!weakThis)
             return;
 
-        weakThis->continueMakeCredentialAfterUserConsented(consent);
+        weakThis->continueMakeCredentialAfterUserConsented(accessControl.get(), consent, context);
     };
     m_connection->getUserConsent(
-        "allow " + creationOptions.rp.id + " to create a public key credential for " + creationOptions.user.name,
+        makeString("allow "_s, creationOptions.rp.id, " to create a public key credential for "_s, creationOptions.user.name),
+        accessControlRef,
         WTFMove(callback));
 }
 
-void LocalAuthenticator::continueMakeCredentialAfterUserConsented(LocalConnection::UserConsent consent)
-{
+void LocalAuthenticator::continueMakeCredentialAfterUserConsented(SecAccessControlRef accessControlRef, LocalConnection::UserConsent consent, LAContext *context)
+{
+    using namespace LocalAuthenticatorInternal;
+
     ASSERT(m_state == State::RequestReceived);
     m_state = State::UserConsented;
@@ -172 +190 @@
     }
 
+    // FIXME(183533): A single kSecClassKey item couldn't store all meta data. The following schema is a tentative solution
+    // to accommodate the most important meta data, i.e. RP ID, Credential ID, and userhandle.
+    // kSecAttrLabel: RP ID
+    // kSecAttrApplicationLabel: Credential ID (auto-gen by Keychain)
+    // kSecAttrApplicationTag: userhandle
+    // Noted, the vale of kSecAttrApplicationLabel is automatically generated by the Keychain, which is a SHA-1 hash of
+    // the public key. We borrow it directly for now to workaround the stated limitations.
+    const auto& secAttrLabel = creationOptions.rp.id;
+    auto secAttrApplicationTag = toNSData(creationOptions.user.idVector);
+
     // Step 7.5.
-    // Userhandle is stored in kSecAttrApplicationTag attribute.
     // Failures after this point could block users' accounts forever. Should we follow the spec?
     NSDictionary* deleteQuery = @{
         (id)kSecClass: (id)kSecClassKey,
-        (id)kSecAttrLabel: creationOptions.rp.id,
-        (id)kSecAttrApplicationTag: [NSData dataWithBytes:creationOptions.user.idVector.data() length:creationOptions.user.idVector.size()],
+        (id)kSecAttrLabel: secAttrLabel,
+        (id)kSecAttrApplicationTag: secAttrApplicationTag.get(),
 #if HAVE(DATA_PROTECTION_KEYCHAIN)
         (id)kSecUseDataProtectionKeychain: @YES
@@ -192 +219 @@
     }
 
-    // Step 7.1, 13. Apple Attestation
-    auto callback = [weakThis = makeWeakPtr(*this)](SecKeyRef _Nullable privateKey, NSArray * _Nullable certificates, NSError * _Nullable error) {
-        ASSERT(RunLoop::isMain());
-        if (!weakThis)
-            return;
-        weakThis->continueMakeCredentialAfterAttested(privateKey, certificates, error);
-    };
-    m_connection->getAttestation(creationOptions.rp.id, creationOptions.user.name, requestData().hash, WTFMove(callback));
-}
-
-void LocalAuthenticator::continueMakeCredentialAfterAttested(SecKeyRef privateKey, NSArray *certificates, NSError *error)
-{
-    using namespace LocalAuthenticatorInternal;
-
-    ASSERT(m_state == State::UserConsented);
-    m_state = State::Attested;
-    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
-
-    if (error) {
-        LOG_ERROR("Couldn't attest: %@", error);
-        receiveRespond(ExceptionData { UnknownError, makeString("Couldn't attest: ", String(error.localizedDescription)) });
-        return;
-    }
-    // Attestation Certificate and Attestation Issuing CA
-    ASSERT(certificates && ([certificates count] == 2));
-
-    // Step 7.2-7.4.
-    // FIXME(183533): A single kSecClassKey item couldn't store all meta data. The following schema is a tentative solution
-    // to accommodate the most important meta data, i.e. RP ID, Credential ID, and userhandle.
-    // kSecAttrLabel: RP ID
-    // kSecAttrApplicationLabel: Credential ID (auto-gen by Keychain)
-    // kSecAttrApplicationTag: userhandle
-    // Noted, the current DeviceIdentity.Framework would only allow us to pass the kSecAttrLabel as the inital attribute
-    // for the Keychain item. Since that's the only clue we have to locate the unique item, we use the pattern username@rp.id
-    // as the initial value.
-    // Also noted, the vale of kSecAttrApplicationLabel is automatically generated by the Keychain, which is a SHA-1 hash of
-    // the public key. We borrow it directly for now to workaround the stated limitations.
-    // Update the Keychain item to the above schema.
-    // FIXME(183533): DeviceIdentity.Framework would insert certificates into Keychain as well. We should update those as well.
+    // Step 7.1-7.4.
+    // The above-to-create private key will be inserted into keychain while using SEP.
+    auto privateKey = m_connection->createCredentialPrivateKey(context, accessControlRef, secAttrLabel, secAttrApplicationTag.get());
+    if (!privateKey) {
+        receiveRespond(ExceptionData { UnknownError, "Couldn't create private key."_s });
+        return;
+    }
+
     Vector<uint8_t> credentialId;
     {
-        // -rk-ucrt is added by DeviceIdentity.Framework.
-        String label = makeString(creationOptions.user.name, "@", creationOptions.rp.id, "-rk-ucrt");
         NSDictionary *credentialIdQuery = @{
             (id)kSecClass: (id)kSecClassKey,
             (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-            (id)kSecAttrLabel: label,
+            (id)kSecAttrLabel: secAttrLabel,
+            (id)kSecAttrApplicationTag: secAttrApplicationTag.get(),
             (id)kSecReturnAttributes: @YES,
 #if HAVE(DATA_PROTECTION_KEYCHAIN)
@@ -257 +252 @@
         NSDictionary *nsAttributes = (NSDictionary *)attributesRef;
         credentialId = toVector(nsAttributes[(id)kSecAttrApplicationLabel]);
-
-        NSDictionary *updateQuery = @{
-            (id)kSecClass: (id)kSecClassKey,
-            (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-            (id)kSecAttrApplicationLabel: nsAttributes[(id)kSecAttrApplicationLabel],
-#if HAVE(DATA_PROTECTION_KEYCHAIN)
-            (id)kSecUseDataProtectionKeychain: @YES
-#else
-            (id)kSecAttrNoLegacy: @YES
-#endif
-        };
-        NSDictionary *updateParams = @{
-            (id)kSecAttrLabel: creationOptions.rp.id,
-            (id)kSecAttrApplicationTag: [NSData dataWithBytes:creationOptions.user.idVector.data() length:creationOptions.user.idVector.size()],
-        };
-        status = SecItemUpdate((__bridge CFDictionaryRef)updateQuery, (__bridge CFDictionaryRef)updateParams);
-        if (status) {
-            LOG_ERROR("Couldn't update the Keychain item: %d", status);
-            receiveRespond(ExceptionData { UnknownError, makeString("Couldn't update the Keychain item: ", status) });
-            return;
-        }
     }
 
@@ -290 +264 @@
         RetainPtr<CFDataRef> publicKeyDataRef;
         {
-            auto publicKey = adoptCF(SecKeyCopyPublicKey(privateKey));
+            auto publicKey = adoptCF(SecKeyCopyPublicKey(privateKey.get()));
             CFErrorRef errorRef = nullptr;
             publicKeyDataRef = adoptCF(SecKeyCopyExternalRepresentation(publicKey.get(), &errorRef));
@@ -315 +289 @@
     auto authData = buildAuthData(creationOptions.rp.id, makeCredentialFlags, counter, attestedCredentialData);
 
+    // Step 13. Apple Attestation
+    auto *privateKeyRef = privateKey.get();
+    auto nsAuthData = toNSData(authData);
+    auto callback = [privateKey = WTFMove(privateKey), credentialId = WTFMove(credentialId), authData = WTFMove(authData), weakThis = makeWeakPtr(*this)] (NSArray * _Nullable certificates, NSError * _Nullable error) mutable {
+        ASSERT(RunLoop::isMain());
+        if (!weakThis)
+            return;
+        weakThis->continueMakeCredentialAfterAttested(privateKey.get(), WTFMove(credentialId), WTFMove(authData), certificates, error);
+    };
+    m_connection->getAttestation(privateKeyRef, nsAuthData.get(), toNSData(requestData().hash).get(), WTFMove(callback));
+}
+
+void LocalAuthenticator::continueMakeCredentialAfterAttested(SecKeyRef privateKey, Vector<uint8_t>&& credentialId, Vector<uint8_t>&& authData, NSArray *certificates, NSError *error)
+{
+    using namespace LocalAuthenticatorInternal;
+
+    ASSERT(m_state == State::UserConsented);
+    m_state = State::Attested;
+    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
+
+    if (error) {
+        LOG_ERROR("Couldn't attest: %@", error);
+        receiveRespond(ExceptionData { UnknownError, makeString("Couldn't attest: ", String(error.localizedDescription)) });
+        return;
+    }
+    // Attestation Certificate and Attestation Issuing CA
+    ASSERT(certificates && ([certificates count] == 2));
+
     // Step 13. Apple Attestation Cont'
     // Assemble the attestation object:
@@ -320 +322 @@
     cbor::CBORValue::MapValue attestationStatementMap;
     {
-        Vector<uint8_t> signature;
-        {
-            CFErrorRef errorRef = nullptr;
-            // FIXME(183652): Reduce prompt for biometrics
-            auto signatureRef = adoptCF(SecKeyCreateSignature(privateKey, kSecKeyAlgorithmECDSASignatureMessageX962SHA256, (__bridge CFDataRef)[NSData dataWithBytes:authData.data() length:authData.size()], &errorRef));
-            auto retainError = adoptCF(errorRef);
-            if (errorRef) {
-                LOG_ERROR("Couldn't generate the signature: %@", (NSError*)errorRef);
-                receiveRespond(ExceptionData { UnknownError, makeString("Couldn't generate the signature: ", String(((NSError*)errorRef).localizedDescription)) });
-                return;
-            }
-            signature = toVector((NSData *)signatureRef.get());
-        }
         attestationStatementMap[cbor::CBORValue("alg")] = cbor::CBORValue(COSE::ES256);
-        attestationStatementMap[cbor::CBORValue("sig")] = cbor::CBORValue(signature);
         Vector<cbor::CBORValue> cborArray;
         for (size_t i = 0; i < [certificates count]; i++)
@@ -340 +328 @@
         attestationStatementMap[cbor::CBORValue("x5c")] = cbor::CBORValue(WTFMove(cborArray));
     }
-    auto attestationObject = buildAttestationObject(WTFMove(authData), "Apple", WTFMove(attestationStatementMap), creationOptions.attestation);
+    auto attestationObject = buildAttestationObject(WTFMove(authData), "apple", WTFMove(attestationStatementMap), creationOptions.attestation);
 
     receiveRespond(AuthenticatorAttestationResponse::create(credentialId, attestationObject));
@@ -357 +345 @@
     // Step 12 is implicitly captured by all UnknownError exception callbacks.
     // Step 3-5. Unlike the spec, if an allow list is provided and there is no intersection between existing ones and the allow list, we always return NotAllowedError.
+    // FIXME(rdar://problem/35900593): Need to inform users.
     auto allowCredentialIds = produceHashSet(requestOptions.allowCredentials);
     if (!requestOptions.allowCredentials.isEmpty() && allowCredentialIds.isEmpty()) {
@@ -449 +438 @@
             (id)kSecClass: (id)kSecClassKey,
             (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-            (id)kSecAttrApplicationLabel: [NSData dataWithBytes:credentialId.data() length:credentialId.size()],
+            (id)kSecAttrApplicationLabel: toNSData(credentialId).get(),
             (id)kSecUseAuthenticationContext: context,
             (id)kSecReturnRef: @YES,

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.h

@@ -52 +52 @@
     };
 
-    using AttestationCallback = CompletionHandler<void(SecKeyRef, NSArray *, NSError *)>;
+    using AttestationCallback = CompletionHandler<void(NSArray *, NSError *)>;
     using UserConsentCallback = CompletionHandler<void(UserConsent)>;
     using UserConsentContextCallback = CompletionHandler<void(UserConsent, LAContext *)>;
@@ -60 +60 @@
 
     // Overrided by MockLocalConnection.
-    virtual void getUserConsent(const String& reason, UserConsentCallback&&) const;
     virtual void getUserConsent(const String& reason, SecAccessControlRef, UserConsentContextCallback&&) const;
-    virtual void getAttestation(const String& rpId, const String& username, const Vector<uint8_t>& hash, AttestationCallback&&) const;
+    virtual RetainPtr<SecKeyRef> createCredentialPrivateKey(LAContext *, SecAccessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const;
+    virtual void getAttestation(SecKeyRef, NSData *authData, NSData *hash, AttestationCallback&&) const;
     virtual NSDictionary *selectCredential(const NSArray *) const;
 };

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.mm

@@ -29 +29 @@
 #if ENABLE(WEB_AUTHN)
 
-#import "DeviceIdentitySPI.h"
-#import <WebCore/ExceptionData.h>
 #import <wtf/BlockPtr.h>
 #import <wtf/RunLoop.h>
+
+#if USE(APPLE_INTERNAL_SDK)
+#import <WebKitAdditions/LocalConnectionAdditions.h>
+#endif
 
 #import "LocalAuthenticationSoftLink.h"
 
 namespace WebKit {
-
-void LocalConnection::getUserConsent(const String& reason, UserConsentCallback&& completionHandler) const
-{
-    auto context = adoptNS([allocLAContextInstance() init]);
-    auto reply = makeBlockPtr([completionHandler = WTFMove(completionHandler)] (BOOL success, NSError *error) mutable {
-        ASSERT(!RunLoop::isMain());
-
-        UserConsent consent = UserConsent::Yes;
-        if (!success || error) {
-            LOG_ERROR("Couldn't authenticate with biometrics: %@", error);
-            consent = UserConsent::No;
-        }
-        RunLoop::main().dispatch([completionHandler = WTFMove(completionHandler), consent]() mutable {
-            completionHandler(consent);
-        });
-    });
-    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:reason reply:reply.get()];
-}
 
 void LocalConnection::getUserConsent(const String& reason, SecAccessControlRef accessControl, UserConsentContextCallback&& completionHandler) const
@@ -74 +58 @@
 }
 
-void LocalConnection::getAttestation(const String& rpId, const String& username, const Vector<uint8_t>& hash, AttestationCallback&& completionHandler) const
+RetainPtr<SecKeyRef> LocalConnection::createCredentialPrivateKey(LAContext *context, SecAccessControlRef accessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const
 {
-#if HAVE(DEVICE_IDENTITY)
-    // Apple Attestation
-    ASSERT(hash.size() <= 32);
+    NSDictionary *attributes = @{
+        (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
+        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
+        (id)kSecAttrKeySizeInBits: @256,
+        (id)kSecPrivateKeyAttrs: @{
+            (id)kSecUseAuthenticationContext: context,
+            (id)kSecAttrAccessControl: (id)accessControlRef,
+            (id)kSecAttrIsPermanent: @YES,
+            (id)kSecAttrAccessGroup: @"com.apple.webkit.webauthn",
+            (id)kSecAttrLabel: secAttrLabel,
+            (id)kSecAttrApplicationTag: secAttrApplicationTag,
+        }};
+    CFErrorRef errorRef = nullptr;
+    auto credentialPrivateKey = adoptCF(SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes, &errorRef));
+    auto retainError = adoptCF(errorRef);
+    if (errorRef) {
+        LOG_ERROR("Couldn't create private key: %@", (NSError *)errorRef);
+        return nullptr;
+    }
+    return credentialPrivateKey;
+}
 
-    RetainPtr<SecAccessControlRef> accessControlRef;
-    {
-        CFErrorRef errorRef = nullptr;
-        accessControlRef = adoptCF(SecAccessControlCreateWithFlags(NULL, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlPrivateKeyUsage | kSecAccessControlUserPresence, &errorRef));
-        auto retainError = adoptCF(errorRef);
-        if (errorRef) {
-            LOG_ERROR("Couldn't create ACL: %@", (NSError *)errorRef);
-            completionHandler(NULL, NULL, [NSError errorWithDomain:@"com.apple.WebKit.WebAuthN" code:1 userInfo:nil]);
-            return;
-        }
-    }
-
-    String label = makeString(username, "@", rpId);
-    NSDictionary *options = @{
-        kMAOptionsBAAKeychainLabel: label,
-        // FIXME(rdar://problem/38489134): Need a formal name.
-        kMAOptionsBAAKeychainAccessGroup: @"com.apple.safari.WebAuthN.credentials",
-        kMAOptionsBAAIgnoreExistingKeychainItems: @YES,
-        // FIXME(rdar://problem/38489134): Determine a proper lifespan.
-        kMAOptionsBAAValidity: @(1440), // Last one day.
-        kMAOptionsBAASCRTAttestation: @NO,
-        kMAOptionsBAANonce: [NSData dataWithBytes:hash.data() length:hash.size()],
-        kMAOptionsBAAAccessControls: (id)accessControlRef.get(),
-        kMAOptionsBAAOIDSToInclude: @[kMAOptionsBAAOIDNonce]
-    };
-
-    // FIXME(183652): Reduce prompt for biometrics
-    DeviceIdentityIssueClientCertificateWithCompletion(dispatch_get_main_queue(), options, makeBlockPtr(WTFMove(completionHandler)).get());
-#endif // HAVE(DEVICE_IDENTITY)
+void LocalConnection::getAttestation(SecKeyRef privateKey, NSData *authData, NSData *hash, AttestationCallback&& completionHandler) const
+{
+#if defined(LOCALCONNECTION_ADDITIONS)
+LOCALCONNECTION_ADDITIONS
+#endif
 }
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalService.mm

@@ -32 +32 @@
 #import "LocalConnection.h"
 
+#if USE(APPLE_INTERNAL_SDK)
+#import <WebKitAdditions/LocalServiceAdditions.h>
+#endif
+
 #import "LocalAuthenticationSoftLink.h"
 
@@ -41 +45 @@
 }
 
-// FIXME(rdar://problem/51048542)
 bool LocalService::isAvailable()
 {
@@ -50 +53 @@
         return false;
     }
+
+#if defined(LOCALSERVICE_ADDITIONS)
+LOCALSERVICE_ADDITIONS
+#endif
+
     return true;
 }

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.h

@@ -38 +38 @@
 
 private:
-    void getUserConsent(const String& reason, UserConsentCallback&&) const final;
     void getUserConsent(const String& reason, SecAccessControlRef, UserConsentContextCallback&&) const final;
-    void getAttestation(const String& rpId, const String& username, const Vector<uint8_t>& hash, AttestationCallback&&) const final;
+    RetainPtr<SecKeyRef> createCredentialPrivateKey(LAContext *, SecAccessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const final;
+    void getAttestation(SecKeyRef, NSData *authData, NSData *hash, AttestationCallback&&) const final;
     NSDictionary *selectCredential(const NSArray *) const final;
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.mm

@@ -44 +44 @@
 }
 
-void MockLocalConnection::getUserConsent(const String&, UserConsentCallback&& callback) const
-{
-    // Mock async operations.
-    RunLoop::main().dispatch([configuration = m_configuration, callback = WTFMove(callback)]() mutable {
-        ASSERT(configuration.local);
-        if (!configuration.local->acceptAuthentication) {
-            callback(UserConsent::No);
-            return;
-        }
-        callback(UserConsent::Yes);
-    });
-}
-
 void MockLocalConnection::getUserConsent(const String&, SecAccessControlRef, UserConsentContextCallback&& callback) const
 {
@@ -70 +57 @@
 }
 
-void MockLocalConnection::getAttestation(const String& rpId, const String& username, const Vector<uint8_t>& hash, AttestationCallback&& callback) const
+RetainPtr<SecKeyRef> MockLocalConnection::createCredentialPrivateKey(LAContext *, SecAccessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const
+{
+    ASSERT(m_configuration.local);
+
+    // Get Key and add it to Keychain.
+    NSDictionary* options = @{
+        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
+        (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
+        (id)kSecAttrKeySizeInBits: @256,
+    };
+    CFErrorRef errorRef = nullptr;
+    auto key = adoptCF(SecKeyCreateWithData(
+        (__bridge CFDataRef)adoptNS([[NSData alloc] initWithBase64EncodedString:m_configuration.local->privateKeyBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get(),
+        (__bridge CFDictionaryRef)options,
+        &errorRef
+    ));
+    if (errorRef)
+        return nullptr;
+
+    NSDictionary* addQuery = @{
+        (id)kSecValueRef: (id)key.get(),
+        (id)kSecClass: (id)kSecClassKey,
+        (id)kSecAttrLabel: secAttrLabel,
+        (id)kSecAttrApplicationTag: secAttrApplicationTag,
+        (id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlock,
+#if HAVE(DATA_PROTECTION_KEYCHAIN)
+        (id)kSecUseDataProtectionKeychain: @YES
+#else
+        (id)kSecAttrNoLegacy: @YES
+#endif
+    };
+    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addQuery, NULL);
+    if (status) {
+        LOG_ERROR("Couldn't add the key to the keychain. %d", status);
+        return nullptr;
+    }
+
+    return key;
+}
+
+void MockLocalConnection::getAttestation(SecKeyRef, NSData *, NSData *, AttestationCallback&& callback) const
 {
     // Mock async operations.
-    RunLoop::main().dispatch([configuration = m_configuration, rpId, username, hash, callback = WTFMove(callback)]() mutable {
+    RunLoop::main().dispatch([configuration = m_configuration, callback = WTFMove(callback)]() mutable {
         ASSERT(configuration.local);
         if (!configuration.local->acceptAttestation) {
-            callback(NULL, NULL, [NSError errorWithDomain:@"WebAuthentication" code:-1 userInfo:@{ NSLocalizedDescriptionKey: @"The operation couldn't complete." }]);
-            return;
-        }
-
-        // Get Key and add it to Keychain.
-        NSDictionary* options = @{
-            (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
-            (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-            (id)kSecAttrKeySizeInBits: @256,
-        };
-        CFErrorRef errorRef = nullptr;
-        auto key = adoptCF(SecKeyCreateWithData(
-            (__bridge CFDataRef)adoptNS([[NSData alloc] initWithBase64EncodedString:configuration.local->privateKeyBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get(),
-            (__bridge CFDictionaryRef)options,
-            &errorRef
-        ));
-        if (errorRef) {
-            callback(NULL, NULL, (NSError *)errorRef);
-            return;
-        }
-
-        // Mock what DeviceIdentity would do.
-        String label = makeString(username, "@", rpId, "-rk-ucrt");
-        NSDictionary* addQuery = @{
-            (id)kSecValueRef: (id)key.get(),
-            (id)kSecClass: (id)kSecClassKey,
-            (id)kSecAttrLabel: (id)label,
-            (id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlock,
-#if HAVE(DATA_PROTECTION_KEYCHAIN)
-            (id)kSecUseDataProtectionKeychain: @YES
-#else
-            (id)kSecAttrNoLegacy: @YES
-#endif
-        };
-        OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addQuery, NULL);
-        if (status) {
-            callback(NULL, NULL, [NSError errorWithDomain:@"WebAuthentication" code:status userInfo:@{ NSLocalizedDescriptionKey: [NSString stringWithFormat:@"Couldn't add the key to the keychain. %d", status] }]);
+            callback(NULL, [NSError errorWithDomain:@"WebAuthentication" code:-1 userInfo:@{ NSLocalizedDescriptionKey: @"The operation couldn't complete." }]);
             return;
         }
@@ -118 +109 @@
         auto attestationCertificate = adoptCF(SecCertificateCreateWithData(NULL, (__bridge CFDataRef)adoptNS([[NSData alloc] initWithBase64EncodedString:configuration.local->userCertificateBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get()));
         auto attestationIssuingCACertificate = adoptCF(SecCertificateCreateWithData(NULL, (__bridge CFDataRef)adoptNS([[NSData alloc] initWithBase64EncodedString:configuration.local->intermediateCACertificateBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get()));
-
-        callback(key.get(), [NSArray arrayWithObjects: (__bridge id)attestationCertificate.get(), (__bridge id)attestationIssuingCACertificate.get(), nil], NULL);
+        callback([NSArray arrayWithObjects: (__bridge id)attestationCertificate.get(), (__bridge id)attestationIssuingCACertificate.get(), nil], NULL);
     });
 }

trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj

@@ -1124 +1124 @@
                 57DCED702142EE680016B847 /* WebAuthenticatorCoordinatorProxyMessageReceiver.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 57DCED6C2142EAF90016B847 /* WebAuthenticatorCoordinatorProxyMessageReceiver.cpp */; };
                 57DCED712142EE6C0016B847 /* WebAuthenticatorCoordinatorProxyMessages.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCED6D2142EAFA0016B847 /* WebAuthenticatorCoordinatorProxyMessages.h */; };
-                57DCEDAB214C60090016B847 /* DeviceIdentitySPI.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCEDAA214B9B430016B847 /* DeviceIdentitySPI.h */; };
                 57DCEDAC214C60270016B847 /* LocalAuthenticator.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCEDA12149C1E20016B847 /* LocalAuthenticator.h */; };
                 57DCEDAD214C602C0016B847 /* LocalConnection.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCEDA7214A568B0016B847 /* LocalConnection.h */; };
@@ -3869 +3868 @@
                 57DCEDA7214A568B0016B847 /* LocalConnection.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = LocalConnection.h; sourceTree = "<group>"; };
                 57DCEDA8214A568B0016B847 /* LocalConnection.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = LocalConnection.mm; sourceTree = "<group>"; };
-                57DCEDAA214B9B430016B847 /* DeviceIdentitySPI.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = DeviceIdentitySPI.h; sourceTree = "<group>"; };
                 57DCEDC1214F114C0016B847 /* MockLocalService.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MockLocalService.h; sourceTree = "<group>"; };
                 57DCEDC2214F114C0016B847 /* MockLocalService.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = MockLocalService.mm; sourceTree = "<group>"; };
@@ -6815 +6813 @@
                                 1A5705101BE410E500874AF1 /* BlockSPI.h */,
                                 37C21CAD1E994C0C0029D5F9 /* CorePredictionSPI.h */,
-                                57DCEDAA214B9B430016B847 /* DeviceIdentitySPI.h */,
                                 2DAADA8E2298C21000E36B0C /* DeviceManagementSPI.h */,
                                 57B826402304EB3E00B72EB0 /* NearFieldSPI.h */,
@@ -10246 +10243 @@
                                 99036AE923A970870000B06A /* DebuggableInfoData.h in Headers */,
                                 BC032DA610F437D10058C15A /* Decoder.h in Headers */,
-                                57DCEDAB214C60090016B847 /* DeviceIdentitySPI.h in Headers */,
                                 07297F9F1C17BBEA015F0735 /* DeviceIdHashSaltStorage.h in Headers */,
                                 2D0C56FD229F1DEA00BD33E7 /* DeviceManagementSoftLink.h in Headers */,