Changeset 258293 in webkit

Timestamp:

Mar 11, 2020 3:42:08 PM (4 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] Formalize the Keychain schema
​https://bugs.webkit.org/show_bug.cgi?id=183533
<rdar://problem/43347926>

Reviewed by Brent Fulgham.

Source/WebCore:

Covered by new test contents within existing files.

• Modules/webauthn/AuthenticatorAssertionResponse.cpp:

(WebCore::AuthenticatorAssertionResponse::create):
(WebCore::AuthenticatorAssertionResponse::AuthenticatorAssertionResponse):

• Modules/webauthn/AuthenticatorAssertionResponse.h:

Modifies the constructors to accept userEntity.name.

• Modules/webauthn/cbor/CBORValue.h:

Adds a FIXME.

• testing/MockWebAuthenticationConfiguration.h:

(WebCore::MockWebAuthenticationConfiguration::LocalConfiguration::encode const):
(WebCore::MockWebAuthenticationConfiguration::LocalConfiguration::decode):

• testing/MockWebAuthenticationConfiguration.idl:

Modifies the test infra to use Credential ID as the unique identifier for a credential instead of
the original combination of RP ID and user handle.

Source/WebKit:

This patch formalizes the schema for the Keychain as follows:
kSecAttrLabel: RP ID
kSecAttrApplicationLabel: Credential ID (auto-gen by Keychain)
kSecAttrApplicationTag: { "id": UserEntity.id, "name": UserEntity.name } (CBOR encoded)
Noted, the vale of kSecAttrApplicationLabel is automatically generated by the Keychain, which is a SHA-1 hash of
the public key.

According to the Step 7. from ​https://www.w3.org/TR/webauthn/#op-make-cred, the following fields are mandatory

1. rpId (rpEntity.id);
2. userHandle (userEntity.id), this is required for authenticators that support resident keys;
3. credentialId.

Some other optional fields are:
(from ​https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrpentity)

1. rpEntity.name;
2. rpEnitty.icon;

(from ​https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialuserentity)

3. userEntity.displayName;
4. userEntity.name;
5. userEntity.icon;

(from ​https://www.w3.org/TR/webauthn/#sign-counter)

6. signature counter.

Among the six possible fields, only 4. is chosen to store. Here is why:
For rpEntity, rpEntity.id which is either the domain or the eTLD + 1 of the website is
sufficient enough to either classify the credential or serving the UI. Also, this is the only
trustworthy information that the UserAgent produce. Others could potentially be used by
malicious websites for attacking the Keychain or spoofing/phishing users when being displayed
in the UI. Also, rpEnitty.icon is a URL to the website's favicon, which if not implemented
correctly can be used for tracking.

For userEntity, userEntity.name is the human readable version of userEntity.id, and therefore
is chosen to store such that later on WebKit can pass it to UI client to help users disambiguate
different credentials. And it is necessary as userEntity.id is not guaranteed to be human
readable. Others are abandoned for the very same reason as above.

We hard code a zero value for 'signature counter'. While this is a theoretically interesting
technique for a RP to detect private key cloning, it is unlikely to be useful in practice.
We store the private keys in our SEP. This counter would only be a meaningful protection if
adversaries were able to extract private key data from the SEP without Apple noticing, but
were not able to manipulate this counter to fool the RP.

In terms of the schema,
1) RP ID is needed to query all credentials related, and therefore it needs a column and kSecAttrLabel
is supposed to be human readable;
2) kSecAttrApplicationLabel is the auto generated programmatical identifier for a SecItem, and
therefore is suitable as the credential ID. Given the input to the SHA-1 is generated by us, and
it is only needed to be powerful enough to be unique across the keychain within a device, and potentially
to be unique across different other credential ID for the same user. The SHA-1 collision attack
doesn't seem valid here.
3) kSecAttrApplicationTag is the only other column Keychain allows applications to modify. Therefore,
UserEntity.id and UserEntity.name is bundled to use this slot. The reason to use CBOR here is that
it is more friendly then JSON to encode binaries, and it is used widely in WebAuthn.

• UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h:
• UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:

(WebKit::LocalAuthenticatorInternal::toArrayBuffer):
(WebKit::LocalAuthenticatorInternal::getExistingCredentials):
(WebKit::LocalAuthenticator::makeCredential):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
(WebKit::LocalAuthenticator::getAssertion):
(WebKit::LocalAuthenticator::deleteDuplicateCredential const):

• UIProcess/WebAuthentication/Mock/MockLocalConnection.mm:

(WebKit::MockLocalConnection::filterResponses const):

Tools:

Modifies the test infra to use Credential ID as the unique identifier for a credential instead of
the original combination of RP ID and user handle.

• WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl:
• WebKitTestRunner/InjectedBundle/TestRunner.cpp:

(WTR::TestRunner::cleanUpKeychain):
(WTR::TestRunner::keyExistsInKeychain):

• WebKitTestRunner/InjectedBundle/TestRunner.h:
• WebKitTestRunner/TestController.h:
• WebKitTestRunner/TestInvocation.cpp:

(WTR::TestInvocation::didReceiveSynchronousMessageFromInjectedBundle):

• WebKitTestRunner/cocoa/TestControllerCocoa.mm:

(WTR::TestController::cleanUpKeychain):
(WTR::TestController::keyExistsInKeychain):

LayoutTests:

New tests are added and all tests are modified to use Credential ID to identify a credential instead
of { RP ID, user handle }.

• http/wpt/webauthn/public-key-credential-create-failure-local-silent.https-expected.txt:
• http/wpt/webauthn/public-key-credential-create-failure-local-silent.https.html:
• http/wpt/webauthn/public-key-credential-create-failure-local.https-expected.txt:
• http/wpt/webauthn/public-key-credential-create-failure-local.https.html:
• http/wpt/webauthn/public-key-credential-create-success-local.https-expected.txt:
• http/wpt/webauthn/public-key-credential-create-success-local.https.html:
• http/wpt/webauthn/public-key-credential-get-failure-local-silent.https-expected.txt:
• http/wpt/webauthn/public-key-credential-get-failure-local-silent.https.html:
• http/wpt/webauthn/public-key-credential-get-failure-local.https.html:
• http/wpt/webauthn/public-key-credential-get-success-local.https.html:
• http/wpt/webauthn/resources/util.js:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local-silent.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local-silent.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local-silent.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local-silent.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/resources/util.js (modified) (3 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/webauthn/AuthenticatorAssertionResponse.cpp (modified) (2 diffs)
• Source/WebCore/Modules/webauthn/AuthenticatorAssertionResponse.h (modified) (2 diffs)
• Source/WebCore/Modules/webauthn/cbor/CBORValue.h (modified) (1 diff)
• Source/WebCore/testing/MockWebAuthenticationConfiguration.h (modified) (3 diffs)
• Source/WebCore/testing/MockWebAuthenticationConfiguration.idl (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm (modified) (19 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.mm (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (modified) (3 diffs)
• Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl (modified) (1 diff)
• Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp (modified) (4 diffs)
• Tools/WebKitTestRunner/InjectedBundle/TestRunner.h (modified) (1 diff)
• Tools/WebKitTestRunner/TestController.h (modified) (1 diff)
• Tools/WebKitTestRunner/TestInvocation.cpp (modified) (2 diffs)
• Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-03-11  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Formalize the Keychain schema
+        https://bugs.webkit.org/show_bug.cgi?id=183533
+        <rdar://problem/43347926>
+
+        Reviewed by Brent Fulgham.
+
+        New tests are added and all tests are modified to use Credential ID to identify a credential instead
+        of { RP ID, user handle }.
+
+        * http/wpt/webauthn/public-key-credential-create-failure-local-silent.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-create-failure-local-silent.https.html:
+        * http/wpt/webauthn/public-key-credential-create-failure-local.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-create-failure-local.https.html:
+        * http/wpt/webauthn/public-key-credential-create-success-local.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-create-success-local.https.html:
+        * http/wpt/webauthn/public-key-credential-get-failure-local-silent.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-get-failure-local-silent.https.html:
+        * http/wpt/webauthn/public-key-credential-get-failure-local.https.html:
+        * http/wpt/webauthn/public-key-credential-get-success-local.https.html:
+        * http/wpt/webauthn/resources/util.js:
+
 2020-03-11  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local-silent.https-expected.txt

@@ -1 +1 @@
 
-PASS PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 
-PASS PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 2 
-PASS PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 3 
-PASS PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 4 
-PASS PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 5 
-PASS PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 6 
+PASS PublicKeyCredential's [[create]] with unsupported public key credential parameters in a mock local authenticator. 
+PASS PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator. 
+PASS PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator. 2nd 
+PASS PublicKeyCredential's [[create]] without user consent in a mock local authenticator. 
+PASS PublicKeyCredential's [[create]] without private keys in a mock local authenticator. 
+PASS PublicKeyCredential's [[create]] without attestation in a mock local authenticator. 
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local-silent.https.html

@@ -5 +5 @@
 <script src="./resources/util.js"></script>
 <script>
-    (async function() {
-        const userhandleBase64 = generateUserhandleBase64();
+    // Default mock configuration. Tests need to override if they need different configuration.
+    if (window.internals)
+        internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: false, acceptAttestation: false } });
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -35 }, { type: "public-key", alg: -257 }], // ES384, RS256
+                timeout: 10
+            }
+        };
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
+    }, "PublicKeyCredential's [[create]] with unsupported public key credential parameters in a mock local authenticator.");
+
+    promise_test(async t => {
         const privateKeyBase64 = await generatePrivateKeyBase64();
         const credentialID = await calculateCredentialID(privateKeyBase64);
-        // Default mock configuration. Tests need to override if they need different configuration.
+        const credentialIDBase64 = base64encode(credentialID);
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                excludeCredentials: [{ type: "public-key", id: credentialID }],
+                timeout: 10
+            }
+        };
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.").then(() => {
+            if (window.testRunner)
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = base64encode(credentialID);
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                excludeCredentials: [
+                    { type: "public-key", id: credentialID, transports: ["usb"] },
+                    { type: "public-key", id: credentialID, transports: ["nfc"] },
+                    { type: "public-key", id: credentialID, transports: ["ble"] },
+                    { type: "public-key", id: credentialID, transports: ["internal"] }
+                ],
+                timeout: 10
+            }
+        };
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.").then(() => {
+            if (window.testRunner)
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator. 2nd");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                timeout: 10
+            }
+        };
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
+    }, "PublicKeyCredential's [[create]] without user consent in a mock local authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                timeout: 10
+            }
+        };
         if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: false, acceptAttestation: false } });
+            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: true, acceptAttestation: false } });
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
+    }, "PublicKeyCredential's [[create]] without private keys in a mock local authenticator.");
 
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(testUserhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -35 }, { type: "public-key", alg: -257 }], // ES384, RS256
-                    timeout: 10
-                }
-            };
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
-        }, "PublicKeyCredential's [[create]] with silent failure in a mock local authenticator.");
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = base64encode(credentialID);
 
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    excludeCredentials: [{ type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }],
-                    timeout: 10
-                }
-            };
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                attestation: "direct",
+                timeout: 10
+            }
+        };
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: true, acceptAttestation: false, privateKeyBase64: privateKeyBase64 } });
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.").then(() => {
             if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.").then(() => {
-                if (window.testRunner)
-                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            });
-        }, "PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 2");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    excludeCredentials: [
-                        { type: "public-key", id: credentialID, transports: ["usb"] },
-                        { type: "public-key", id: credentialID, transports: ["nfc"] },
-                        { type: "public-key", id: credentialID, transports: ["ble"] },
-                        { type: "public-key", id: credentialID, transports: ["internal"] }
-                    ],
-                    timeout: 10
-                }
-            };
-            if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.").then(() => {
-                if (window.testRunner)
-                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            });
-        }, "PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 3");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(testUserhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    timeout: 10
-                }
-            };
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
-        }, "PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 4");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(testUserhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    timeout: 10
-                }
-            };
-            if (window.internals)
-                internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: true, acceptAttestation: false } });
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
-        }, "PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 5");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    timeout: 10
-                }
-            };
-            if (window.internals) {
-                internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: true, acceptAttestation: false } });
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            }
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.").then(() => {
-                if (window.testRunner)
-                    assert_false(testRunner.keyExistsInKeychain(testRpId, userhandleBase64));
-            });
-        }, "PublicKeyCredential's [[create]] with silent failure in a mock local authenticator. 6");
-    })();
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[create]] without attestation in a mock local authenticator.");
 </script>

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https-expected.txt

@@ -6 +6 @@
 PASS PublicKeyCredential's [[create]] without private keys in a mock local authenticator. 
 PASS PublicKeyCredential's [[create]] without attestation in a mock local authenticator. 
-PASS PublicKeyCredential's [[create]] deleting old credential in a mock local authenticator. 
+PASS PublicKeyCredential's [[create]] not deleting old credential in a mock local authenticator. 
 PASS PublicKeyCredential's [[create]] with timeout in a mock local authenticator. 
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https.html

@@ -5 +5 @@
 <script src="./resources/util.js"></script>
 <script>
-    (async function() {
-        const userhandleBase64 = generateUserhandleBase64();
-        const privateKeyBase64 = await generatePrivateKeyBase64();
-        const credentialID = await calculateCredentialID(privateKeyBase64);
-        // Default mock configuration. Tests need to override if they need different configuration.
+    // Default mock configuration. Tests need to override if they need different configuration.
+    if (window.internals)
+        internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: false, acceptAttestation: false } });
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -35 }, { type: "public-key", alg: -257 }], // ES384, RS256
+            }
+        };
+        return promiseRejects(t, "NotSupportedError", navigator.credentials.create(options), "The platform attached authenticator doesn't support any provided PublicKeyCredentialParameters.");
+    }, "PublicKeyCredential's [[create]] with unsupported public key credential parameters in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = base64encode(credentialID);
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                excludeCredentials: [{ type: "public-key", id: credentialID }]
+            }
+        };
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator.").then(() => {
+            if (window.testRunner)
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = base64encode(credentialID);
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                excludeCredentials: [
+                    { type: "public-key", id: credentialID, transports: ["usb"] },
+                    { type: "public-key", id: credentialID, transports: ["nfc"] },
+                    { type: "public-key", id: credentialID, transports: ["ble"] },
+                    { type: "public-key", id: credentialID, transports: ["internal"] }
+                ]
+            }
+        };
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator.").then(() => {
+            if (window.testRunner)
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator. 2nd");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }]
+            }
+        };
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Couldn't verify user.");
+    }, "PublicKeyCredential's [[create]] without user consent in a mock local authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }]
+            }
+        };
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false } });
+        return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't create private key.");
+    }, "PublicKeyCredential's [[create]] without private keys in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = base64encode(credentialID);
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                attestation: "direct"
+            }
+        };
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false, privateKeyBase64: privateKeyBase64 } });
+        return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't attest: The operation couldn't complete.").then(() => {
+            if (window.testRunner)
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[create]] without attestation in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = base64encode(credentialID);
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: testUserhandleBase64,
+                    id: Base64URL.parse(testUserhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }]
+            }
+        };
+        if (window.internals) {
+            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false } });
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        }
+        return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't create private key.").then(() => {
+            if (window.testRunner)
+                assert_true(testRunner.keyExistsInKeychain(testRpId, credentialIDBase64));
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[create]] not deleting old credential in a mock local authenticator.");
+
+    promise_test(function(t) {
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: "John Appleseed",
+                    id: asciiToUint8Array("123456"),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                timeout: 10,
+                authenticatorSelection: { authenticatorAttachment: "cross-platform" }
+            }
+        };
+
         if (window.internals)
             internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: false, acceptAttestation: false } });
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(testUserhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -35 }, { type: "public-key", alg: -257 }], // ES384, RS256
-                }
-            };
-            return promiseRejects(t, "NotSupportedError", navigator.credentials.create(options), "The platform attached authenticator doesn't support any provided PublicKeyCredentialParameters.");
-        }, "PublicKeyCredential's [[create]] with unsupported public key credential parameters in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    excludeCredentials: [{ type: "public-key", id: credentialID }]
-                }
-            };
-            if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator.").then(() => {
-                if (window.testRunner)
-                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            });
-        }, "PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    excludeCredentials: [
-                        { type: "public-key", id: credentialID, transports: ["usb"] },
-                        { type: "public-key", id: credentialID, transports: ["nfc"] },
-                        { type: "public-key", id: credentialID, transports: ["ble"] },
-                        { type: "public-key", id: credentialID, transports: ["internal"] }
-                    ]
-                }
-            };
-            if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator.").then(() => {
-                if (window.testRunner)
-                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            });
-        }, "PublicKeyCredential's [[create]] with matched exclude credentials in a mock local authenticator. 2nd");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(testUserhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }]
-                }
-            };
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Couldn't verify user.");
-        }, "PublicKeyCredential's [[create]] without user consent in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(testUserhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }]
-                }
-            };
-            if (window.internals)
-                internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false } });
-            return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't create private key.");
-        }, "PublicKeyCredential's [[create]] without private keys in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    attestation: "direct"
-                }
-            };
-            if (window.internals)
-                internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false, privateKeyBase64: privateKeyBase64 } });
-            return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't attest: The operation couldn't complete.").then(() => {
-                if (window.testRunner)
-                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            });
-        }, "PublicKeyCredential's [[create]] without attestation in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: userhandleBase64,
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }]
-                }
-            };
-            if (window.internals) {
-                internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false } });
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            }
-            return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Couldn't create private key.").then(() => {
-                if (window.testRunner)
-                    assert_false(testRunner.keyExistsInKeychain(testRpId, userhandleBase64));
-            });
-        }, "PublicKeyCredential's [[create]] deleting old credential in a mock local authenticator.");
-
-        promise_test(function(t) {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: "John Appleseed",
-                        id: asciiToUint8Array("123456"),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    timeout: 10,
-                    authenticatorSelection: { authenticatorAttachment: "cross-platform" }
-                }
-            };
-
-            if (window.internals)
-                internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: false, acceptAttestation: false } });
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
-        }, "PublicKeyCredential's [[create]] with timeout in a mock local authenticator.");
-    })();
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
+    }, "PublicKeyCredential's [[create]] with timeout in a mock local authenticator.");
 </script>

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https-expected.txt

@@ -6 +6 @@
 PASS PublicKeyCredential's [[create]] with indirect attestation in a mock local authenticator. 
 PASS PublicKeyCredential's [[create]] with direct attestation in a mock local authenticator. 
+PASS PublicKeyCredential's [[create]] with duplicate credential in a mock local authenticator. 
+PASS PublicKeyCredential's [[create]] with duplicate credential in a mock local authenticator. 2 
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html

@@ -6 +6 @@
 <script src="./resources/cbor.js"></script>
 <script>
-    (async function() {
-        const userhandleBase64 = generateUserhandleBase64();
-        const privateKeyBase64 = await generatePrivateKeyBase64();
-        const credentialID = await calculateCredentialID(privateKeyBase64);
-        // Default mock configuration. Tests need to override if they need different configuration.
-        if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({
-                local: {
-                    acceptAuthentication: true,
-                    acceptAttestation: false,
+    function checkResult(credential, credentialID, isNoneAttestation = true)
+    {
+        // Check keychain
+        if (window.testRunner) {
+            assert_true(testRunner.keyExistsInKeychain(testRpId, base64encode(credentialID)));
+            testRunner.cleanUpKeychain(testRpId, base64encode(credentialID));
+        }
+
+        // Check respond
+        assert_array_equals(Base64URL.parse(credential.id), credentialID);
+        assert_equals(credential.type, 'public-key');
+        assert_array_equals(new Uint8Array(credential.rawId), credentialID);
+        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
+        assert_not_own_property(credential.getClientExtensionResults(), "appid");
+
+        // Check attestation
+        const attestationObject = CBOR.decode(credential.response.attestationObject);
+        if (isNoneAttestation)
+            assert_equals(attestationObject.fmt, "none");
+        else
+            assert_equals(attestationObject.fmt, "apple");
+        // Check authData
+        const authData = decodeAuthData(attestationObject.authData);
+        assert_equals(bytesToHexString(authData.rpIdHash), "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763");
+        assert_equals(authData.flags, 69);
+        assert_equals(authData.counter, 0);
+        assert_equals(bytesToHexString(authData.aaguid), "00000000000000000000000000000000");
+        assert_array_equals(authData.credentialID, credentialID);
+        // Check self attestation
+        assert_true(checkPublicKey(authData.publicKey));
+        if (isNoneAttestation)
+            assert_object_equals(attestationObject.attStmt, { });
+        else {
+            assert_equals(attestationObject.attStmt.alg, -7);
+            assert_equals(attestationObject.attStmt.x5c.length, 2);
+            assert_array_equals(attestationObject.attStmt.x5c[0], Base64URL.parse(testAttestationCertificateBase64));
+            assert_array_equals(attestationObject.attStmt.x5c[1], Base64URL.parse(testAttestationIssuingCACertificateBase64));
+        }
+    }
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const userhandleBase64 = generateUserhandleBase64();
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({
+                local: {
+                    acceptAuthentication: true,
+                    acceptAttestation: false,
+                    privateKeyBase64: privateKeyBase64,
+                }
+            });
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: userhandleBase64,
+                    id: Base64URL.parse(userhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+            }
+        };
+
+        return navigator.credentials.create(options).then(credential => {
+            checkResult(credential, credentialID);
+        });
+    }, "PublicKeyCredential's [[create]] with minimum options in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const userhandleBase64 = generateUserhandleBase64();
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({
+                local: {
+                    acceptAuthentication: true,
+                    acceptAttestation: false,
+                    privateKeyBase64: privateKeyBase64,
+                }
+            });
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: userhandleBase64,
+                    id: Base64URL.parse(userhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                authenticatorSelection: { authenticatorAttachment: "platform" }
+            }
+        };
+
+        return navigator.credentials.create(options).then(credential => {
+            checkResult(credential, credentialID);
+        });
+    }, "PublicKeyCredential's [[create]] with authenticatorSelection { 'platform' } in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const userhandleBase64 = generateUserhandleBase64();
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({
+                local: {
+                    acceptAuthentication: true,
+                    acceptAttestation: false,
+                    privateKeyBase64: privateKeyBase64,
+                }
+            });
+
+        const anotherPrivateKeyBase64 = await generatePrivateKeyBase64();
+        const anotherCredentialID = await calculateCredentialID(anotherPrivateKeyBase64);
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "example.com"
+                },
+                user: {
+                    name: userhandleBase64,
+                    id: Base64URL.parse(userhandleBase64),
+                    displayName: "John",
+                },
+                challenge: asciiToUint8Array("123456"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                excludeCredentials: [
+                    { type: "public-key", id: anotherCredentialID, transports: ["usb"] },
+                    { type: "public-key", id: anotherCredentialID, transports: ["nfc"] },
+                    { type: "public-key", id: anotherCredentialID, transports: ["ble"] }
+                ]
+            }
+        };
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(anotherPrivateKeyBase64, testRpId, testUserEntityBundleBase64);
+
+        return navigator.credentials.create(options).then(credential => {
+            checkResult(credential, credentialID);
+            if (window.testRunner)
+                testRunner.cleanUpKeychain(testRpId, base64encode(anotherCredentialID));
+        });
+    }, "PublicKeyCredential's [[create]] with matched exclude credential ids but not transports in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const userhandleBase64 = generateUserhandleBase64();
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({
+                local: {
+                    acceptAuthentication: true,
+                    acceptAttestation: false,
+                    privateKeyBase64: privateKeyBase64,
+                }
+            });
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: userhandleBase64,
+                    id: Base64URL.parse(userhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                attestation: "none"
+            }
+        };
+
+        return navigator.credentials.create(options).then(credential => {
+            checkResult(credential, credentialID);
+        });
+    }, "PublicKeyCredential's [[create]] with none attestation in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const userhandleBase64 = generateUserhandleBase64();
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({
+                local: {
+                    acceptAuthentication: true,
+                    acceptAttestation: true,
                     privateKeyBase64: privateKeyBase64,
                     userCertificateBase64: testAttestationCertificateBase64,
@@ -22 +206 @@
             });
 
-        function checkResult(credential, isNoneAttestation = true)
-        {
-            // Check keychain
-            if (window.testRunner) {
-                assert_true(testRunner.keyExistsInKeychain(testRpId, userhandleBase64));
-                testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            }
-
-            // Check respond
-            assert_array_equals(Base64URL.parse(credential.id), credentialID);
-            assert_equals(credential.type, 'public-key');
-            assert_array_equals(new Uint8Array(credential.rawId), credentialID);
-            assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
-            assert_not_own_property(credential.getClientExtensionResults(), "appid");
-
-            // Check attestation
-            const attestationObject = CBOR.decode(credential.response.attestationObject);
-            if (isNoneAttestation)
-                assert_equals(attestationObject.fmt, "none");
-            else
-                assert_equals(attestationObject.fmt, "apple");
-            // Check authData
-            const authData = decodeAuthData(attestationObject.authData);
-            assert_equals(bytesToHexString(authData.rpIdHash), "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763");
-            assert_equals(authData.flags, 69);
-            assert_equals(authData.counter, 0);
-            assert_equals(bytesToHexString(authData.aaguid), "00000000000000000000000000000000");
-            assert_array_equals(authData.credentialID, credentialID);
-            // Check self attestation
-            assert_true(checkPublicKey(authData.publicKey));
-            if (isNoneAttestation)
-                assert_object_equals(attestationObject.attStmt, { });
-            else {
-                assert_equals(attestationObject.attStmt.alg, -7);
-                assert_equals(attestationObject.attStmt.x5c.length, 2);
-                assert_array_equals(attestationObject.attStmt.x5c[0], Base64URL.parse(testAttestationCertificateBase64));
-                assert_array_equals(attestationObject.attStmt.x5c[1], Base64URL.parse(testAttestationIssuingCACertificateBase64));
-            }
-        }
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "localhost",
-                    },
-                    user: {
-                        name: userhandleBase64,
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "Appleseed",
-                    },
-                    challenge: Base64URL.parse("MTIzNDU2"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                }
-            };
-
-            return navigator.credentials.create(options).then(credential => {
-                checkResult(credential);
-            });
-        }, "PublicKeyCredential's [[create]] with minimum options in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "localhost",
-                    },
-                    user: {
-                        name: userhandleBase64,
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "Appleseed",
-                    },
-                    challenge: Base64URL.parse("MTIzNDU2"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    authenticatorSelection: { authenticatorAttachment: "platform" }
-                }
-            };
-
-            return navigator.credentials.create(options).then(credential => {
-                checkResult(credential);
-            });
-        }, "PublicKeyCredential's [[create]] with authenticatorSelection { 'platform' } in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "example.com"
-                    },
-                    user: {
-                        name: userhandleBase64,
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "John",
-                    },
-                    challenge: asciiToUint8Array("123456"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    excludeCredentials: [
-                        { type: "public-key", id: credentialID, transports: ["usb"] },
-                        { type: "public-key", id: credentialID, transports: ["nfc"] },
-                        { type: "public-key", id: credentialID, transports: ["ble"] }
-                    ]
-                }
-            };
-            if (window.testRunner)
-                testRunner.addTestKeyToKeychain(testES256PrivateKeyBase64, testRpId, userhandleBase64);
-
-            return navigator.credentials.create(options).then(credential => {
-                checkResult(credential);
-            });
-        }, "PublicKeyCredential's [[create]] with matched exclude credential ids but not transports in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "localhost",
-                    },
-                    user: {
-                        name: userhandleBase64,
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "Appleseed",
-                    },
-                    challenge: Base64URL.parse("MTIzNDU2"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    attestation: "none"
-                }
-            };
-
-            return navigator.credentials.create(options).then(credential => {
-                checkResult(credential);
-            });
-        }, "PublicKeyCredential's [[create]] with none attestation in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "localhost",
-                    },
-                    user: {
-                        name: userhandleBase64,
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "Appleseed",
-                    },
-                    challenge: Base64URL.parse("MTIzNDU2"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    attestation: "indirect"
-                }
-            };
-
-            if (window.internals)
-                internals.setMockWebAuthenticationConfiguration({
-                    local: {
-                        acceptAuthentication: true,
-                        acceptAttestation: true,
-                        privateKeyBase64: privateKeyBase64,
-                        userCertificateBase64: testAttestationCertificateBase64,
-                        intermediateCACertificateBase64: testAttestationIssuingCACertificateBase64
-                    }
-                });
-
-            return navigator.credentials.create(options).then(credential => {
-                checkResult(credential, false);
-            });
-        }, "PublicKeyCredential's [[create]] with indirect attestation in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    rp: {
-                        name: "localhost",
-                    },
-                    user: {
-                        name: userhandleBase64,
-                        id: Base64URL.parse(userhandleBase64),
-                        displayName: "Appleseed",
-                    },
-                    challenge: Base64URL.parse("MTIzNDU2"),
-                    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                    attestation: "direct"
-                }
-            };
-
-            return navigator.credentials.create(options).then(credential => {
-                checkResult(credential, false);
-            });
-        }, "PublicKeyCredential's [[create]] with direct attestation in a mock local authenticator.");
-    })();
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: userhandleBase64,
+                    id: Base64URL.parse(userhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                attestation: "indirect"
+            }
+        };
+
+        return navigator.credentials.create(options).then(credential => {
+            checkResult(credential, credentialID, false);
+        });
+    }, "PublicKeyCredential's [[create]] with indirect attestation in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const userhandleBase64 = generateUserhandleBase64();
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({
+                local: {
+                    acceptAuthentication: true,
+                    acceptAttestation: true,
+                    privateKeyBase64: privateKeyBase64,
+                    userCertificateBase64: testAttestationCertificateBase64,
+                    intermediateCACertificateBase64: testAttestationIssuingCACertificateBase64
+                }
+            });
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: userhandleBase64,
+                    id: Base64URL.parse(userhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                attestation: "direct"
+            }
+        };
+
+        return navigator.credentials.create(options).then(credential => {
+            checkResult(credential, credentialID, false);
+        });
+    }, "PublicKeyCredential's [[create]] with direct attestation in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const userhandleBase64 = generateUserhandleBase64();
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({
+                local: {
+                    acceptAuthentication: true,
+                    acceptAttestation: false,
+                    privateKeyBase64: privateKeyBase64,
+                }
+            });
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: userhandleBase64,
+                    id: Base64URL.parse(userhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+            }
+        };
+
+        const anotherPrivateKeyBase64 = await generatePrivateKeyBase64();
+        const anotherCredentialID = await calculateCredentialID(anotherPrivateKeyBase64);
+        if (window.internals)
+            testRunner.addTestKeyToKeychain(anotherPrivateKeyBase64, testRpId, base64encode(CBOR.encode({ "id": Base64URL.parse(userhandleBase64), "name": userhandleBase64 })));
+
+        return navigator.credentials.create(options).then(credential => {
+            checkResult(credential, credentialID);
+            assert_false(testRunner.keyExistsInKeychain(testRpId, base64encode(anotherCredentialID)));
+        });
+    }, "PublicKeyCredential's [[create]] with duplicate credential in a mock local authenticator.");
+
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const userhandleBase64 = generateUserhandleBase64();
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({
+                local: {
+                    acceptAuthentication: true,
+                    acceptAttestation: true,
+                    privateKeyBase64: privateKeyBase64,
+                    userCertificateBase64: testAttestationCertificateBase64,
+                    intermediateCACertificateBase64: testAttestationIssuingCACertificateBase64
+                }
+            });
+
+        const options = {
+            publicKey: {
+                rp: {
+                    name: "localhost",
+                },
+                user: {
+                    name: userhandleBase64,
+                    id: Base64URL.parse(userhandleBase64),
+                    displayName: "Appleseed",
+                },
+                challenge: Base64URL.parse("MTIzNDU2"),
+                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
+                attestation: "direct"
+            }
+        };
+
+        const anotherPrivateKeyBase64 = await generatePrivateKeyBase64();
+        const anotherCredentialID = await calculateCredentialID(anotherPrivateKeyBase64);
+        if (window.internals)
+            testRunner.addTestKeyToKeychain(anotherPrivateKeyBase64, testRpId, base64encode(CBOR.encode({ "id": Base64URL.parse(userhandleBase64), "name": userhandleBase64 })));
+
+        return navigator.credentials.create(options).then(credential => {
+            checkResult(credential, credentialID, false);
+            assert_false(testRunner.keyExistsInKeychain(testRpId, base64encode(anotherCredentialID)));
+        });
+    }, "PublicKeyCredential's [[create]] with duplicate credential in a mock local authenticator. 2");
 </script>

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local-silent.https-expected.txt

@@ -1 +1 @@
 
-PASS PublicKeyCredential's [[get]] with silent failure in a mock local authenticator. 
-PASS PublicKeyCredential's [[get]] with silent failure in a mock local authenticator. 2 
-PASS PublicKeyCredential's [[get]] with silent failure in a mock local authenticator. 3 
+PASS PublicKeyCredential's [[get]] with no matched credentials in a mock local authenticator. 
+PASS PublicKeyCredential's [[get]] with no matched credentials in a mock local authenticator. 2nd 
+PASS PublicKeyCredential's [[get]] without user consent in a mock local authenticator. 
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local-silent.https.html

@@ -5 +5 @@
 <script src="./resources/util.js"></script>
 <script>
-    (async function() {
-        const userhandleBase64 = generateUserhandleBase64();
+    promise_test(t => {
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: false, acceptAttestation: false } });
+
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                allowCredentials: [
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["usb"] },
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["nfc"] },
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["ble"] },
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["internal"] }
+                ],
+                timeout: 10
+            }
+        };
+
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
+    }, "PublicKeyCredential's [[get]] with no matched credentials in a mock local authenticator.");
+
+    promise_test(async t => {
         const privateKeyBase64 = await generatePrivateKeyBase64();
         const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = btoa(String.fromCharCode.apply(0, credentialID));
         // Default mock configuration. Tests need to override if they need different configuration.
         if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: false, acceptAttestation: false, preferredUserhandleBase64: userhandleBase64 } });
+            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: false, acceptAttestation: false, preferredCredentialIdBase64: credentialIDBase64 } });
 
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: asciiToUint8Array("123456"),
-                    allowCredentials: [
-                        { type: "public-key", id: credentialID, transports: ["usb"] },
-                        { type: "public-key", id: credentialID, transports: ["nfc"] },
-                        { type: "public-key", id: credentialID, transports: ["ble"] },
-                        { type: "public-key", id: credentialID, transports: ["internal"] }
-                    ],
-                    timeout: 10
-                }
-            };
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                allowCredentials: [
+                    { type: "public-key", id: Base64URL.parse(testUserhandleBase64) }
+                ],
+                timeout: 10
+            }
+        };
 
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
-        }, "PublicKeyCredential's [[get]] with silent failure in a mock local authenticator.");
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.").then(() => {
+                if (window.testRunner)
+                    testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+            });
+    }, "PublicKeyCredential's [[get]] with no matched credentials in a mock local authenticator. 2nd");
 
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: asciiToUint8Array("123456"),
-                    allowCredentials: [
-                        { type: "public-key", id: Base64URL.parse(userhandleBase64) }
-                    ],
-                    timeout: 10
-                }
-            };
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = btoa(String.fromCharCode.apply(0, credentialID));
+        // Default mock configuration. Tests need to override if they need different configuration.
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, local: { acceptAuthentication: false, acceptAttestation: false, preferredCredentialIdBase64: credentialIDBase64 } });
 
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                timeout: 10
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.").then(() => {
             if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.").then(() => {
-                    if (window.testRunner)
-                        testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-                });
-        }, "PublicKeyCredential's [[get]] with silent failure in a mock local authenticator. 2");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: asciiToUint8Array("123456"),
-                    timeout: 10
-                }
-            };
-
-            if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.").then(() => {
-                if (window.testRunner)
-                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            });
-        }, "PublicKeyCredential's [[get]] with silent failure in a mock local authenticator. 3");
-    })();
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[get]] without user consent in a mock local authenticator.");
 </script>

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local.https.html

@@ -5 +5 @@
 <script src="./resources/util.js"></script>
 <script>
-    (async function() {
-        const userhandleBase64 = generateUserhandleBase64();
+    promise_test(t => {
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: false, acceptAttestation: false } });
+
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                allowCredentials: [
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["usb"] },
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["nfc"] },
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["ble"] },
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["internal"] }
+                ]
+            }
+        };
+
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "No matched credentials are found in the platform attached authenticator.");
+    }, "PublicKeyCredential's [[get]] with no matched credentials in a mock local authenticator.");
+
+    promise_test(async t => {
         const privateKeyBase64 = await generatePrivateKeyBase64();
         const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = btoa(String.fromCharCode.apply(0, credentialID));
         // Default mock configuration. Tests need to override if they need different configuration.
         if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: false, acceptAttestation: false, preferredUserhandleBase64: userhandleBase64 } });
+            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: false, acceptAttestation: false, preferredCredentialIdBase64: credentialIDBase64 } });
 
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: asciiToUint8Array("123456"),
-                    allowCredentials: [
-                        { type: "public-key", id: credentialID, transports: ["usb"] },
-                        { type: "public-key", id: credentialID, transports: ["nfc"] },
-                        { type: "public-key", id: credentialID, transports: ["ble"] },
-                        { type: "public-key", id: credentialID, transports: ["internal"] }
-                    ]
-                }
-            };
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                allowCredentials: [
+                    { type: "public-key", id: Base64URL.parse(testUserhandleBase64) }
+                ]
+            }
+        };
 
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "No matched credentials are found in the platform attached authenticator.");
-        }, "PublicKeyCredential's [[get]] with no matched credentials in a mock local authenticator.");
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "No matched credentials are found in the platform attached authenticator.").then(() => {
+            if (window.testRunner)
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[get]] with no matched credentials in a mock local authenticator. 2nd");
 
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: asciiToUint8Array("123456"),
-                    allowCredentials: [
-                        { type: "public-key", id: Base64URL.parse(userhandleBase64) }
-                    ]
-                }
-            };
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = btoa(String.fromCharCode.apply(0, credentialID));
+        // Default mock configuration. Tests need to override if they need different configuration.
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: false, acceptAttestation: false, preferredCredentialIdBase64: credentialIDBase64 } });
 
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456")
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Couldn't verify user.").then(() => {
             if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "No matched credentials are found in the platform attached authenticator.").then(() => {
-                if (window.testRunner)
-                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            });
-        }, "PublicKeyCredential's [[get]] with no matched credentials in a mock local authenticator. 2nd");
+                testRunner.cleanUpKeychain(testRpId, credentialIDBase64);
+        });
+    }, "PublicKeyCredential's [[get]] without user consent in a mock local authenticator.");
 
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: asciiToUint8Array("123456")
-                }
-            };
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                allowCredentials: [
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["usb"] },
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["nfc"] },
+                    { type: "public-key", id: Base64URL.parse(testCredentialIdBase64), transports: ["ble"] }
+                ],
+                timeout: 10
+            }
+        };
 
-            if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Couldn't verify user.").then(() => {
-                if (window.testRunner)
-                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);
-            });
-        }, "PublicKeyCredential's [[get]] without user consent in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: asciiToUint8Array("123456"),
-                    allowCredentials: [
-                        { type: "public-key", id: credentialID, transports: ["usb"] },
-                        { type: "public-key", id: credentialID, transports: ["nfc"] },
-                        { type: "public-key", id: credentialID, transports: ["ble"] }
-                    ],
-                    timeout: 10
-                }
-            };
-
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
-        }, "PublicKeyCredential's [[get]] with timeout in a mock local authenticator.");
-    })();
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
+    }, "PublicKeyCredential's [[get]] with timeout in a mock local authenticator.");
 </script>

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html

@@ -5 +5 @@
 <script src="./resources/util.js"></script>
 <script>
-    (async function() {
-        const userhandleBase64 = generateUserhandleBase64();
+    function checkResult(credential, credentialID, privateKeyBase64)
+    {
+        if (window.testRunner)
+            testRunner.cleanUpKeychain(testRpId, base64encode(credentialID));
+
+         // Check respond
+        assert_array_equals(Base64URL.parse(credential.id), credentialID);
+        assert_equals(credential.type, 'public-key');
+        assert_array_equals(new Uint8Array(credential.rawId), credentialID);
+        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
+        assert_array_equals(new Uint8Array(credential.response.userHandle), Base64URL.parse(testUserhandleBase64));
+        assert_not_own_property(credential.getClientExtensionResults(), "appid");
+
+        // Check authData
+        const authData = decodeAuthData(new Uint8Array(credential.response.authenticatorData));
+        assert_equals(bytesToHexString(authData.rpIdHash), "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763");
+        assert_equals(authData.flags, 5);
+        assert_equals(authData.counter, 0);
+
+        // Check signature
+        return crypto.subtle.importKey("raw", Base64URL.parse(privateKeyBase64).slice(0, 65), { name: "ECDSA", namedCurve: "P-256" }, false, ['verify']).then( publicKey => {
+            return crypto.subtle.digest("sha-256", credential.response.clientDataJSON).then ( hash => {
+                // credential.response.signature is in ASN.1 and WebCrypto expect signatures provides in r|s.
+                return crypto.subtle.verify({name: "ECDSA", hash: "SHA-256"}, publicKey, extractRawSignature(credential.response.signature), concatenateBuffers(credential.response.authenticatorData, hash)).then( verified => {
+                    assert_true(verified);
+                    assert_not_own_property(credential.getClientExtensionResults(), "appid");
+                });
+            });
+        });
+    }
+
+    promise_test(async t => {
         const privateKeyBase64 = await generatePrivateKeyBase64();
         const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = base64encode(credentialID);
         // Default mock configuration. Tests need to override if they need different configuration.
         if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false, preferredUserhandleBase64: userhandleBase64 } });
+            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false, preferredCredentialIdBase64: credentialIDBase64 } });
 
-        function checkResult(credential)
-        {
-            if (window.testRunner)
-                testRunner.cleanUpKeychain(testRpId, userhandleBase64);
+        const options = {
+            publicKey: {
+                challenge: Base64URL.parse("MTIzNDU2")
+            }
+        };
 
-             // Check respond
-            assert_array_equals(Base64URL.parse(credential.id), credentialID);
-            assert_equals(credential.type, 'public-key');
-            assert_array_equals(new Uint8Array(credential.rawId), credentialID);
-            assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
-            assert_array_equals(new Uint8Array(credential.response.userHandle), Base64URL.parse(userhandleBase64));
-            assert_not_own_property(credential.getClientExtensionResults(), "appid");
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return navigator.credentials.get(options).then(credential => {
+            return checkResult(credential, credentialID, privateKeyBase64);
+        });
+    }, "PublicKeyCredential's [[get]] with minimum options in a mock local authenticator.");
 
-            // Check authData
-            const authData = decodeAuthData(new Uint8Array(credential.response.authenticatorData));
-            assert_equals(bytesToHexString(authData.rpIdHash), "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763");
-            assert_equals(authData.flags, 5);
-            assert_equals(authData.counter, 0);
+    promise_test(async t => {
+        const privateKeyBase64 = await generatePrivateKeyBase64();
+        const credentialID = await calculateCredentialID(privateKeyBase64);
+        const credentialIDBase64 = base64encode(credentialID);
+        // Default mock configuration. Tests need to override if they need different configuration.
+        if (window.internals)
+            internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false, preferredCredentialIdBase64: credentialIDBase64 } });
 
-            // Check signature
-            return crypto.subtle.importKey("raw", Base64URL.parse(privateKeyBase64).slice(0, 65), { name: "ECDSA", namedCurve: "P-256" }, false, ['verify']).then( publicKey => {
-                return crypto.subtle.digest("sha-256", credential.response.clientDataJSON).then ( hash => {
-                    // credential.response.signature is in ASN.1 and WebCrypto expect signatures provides in r|s.
-                    return crypto.subtle.verify({name: "ECDSA", hash: "SHA-256"}, publicKey, extractRawSignature(credential.response.signature), concatenateBuffers(credential.response.authenticatorData, hash)).then( verified => {
-                        assert_true(verified);
-                        assert_not_own_property(credential.getClientExtensionResults(), "appid");
-                    });
-                });
-            });
-        }
+        const options = {
+            publicKey: {
+                challenge: Base64URL.parse("MTIzNDU2"),
+                allowCredentials: [
+                    { type: "public-key", id: Base64URL.parse(testUserhandleBase64), transports: ["internal"] },
+                    { type: "public-key", id: credentialID, transports: ["internal"] }
+                ]
+            }
+        };
 
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: Base64URL.parse("MTIzNDU2")
-                }
-            };
-
-            if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return navigator.credentials.get(options).then(credential => {
-                return checkResult(credential);
-            });
-        }, "PublicKeyCredential's [[get]] with minimum options in a mock local authenticator.");
-
-        promise_test(t => {
-            const options = {
-                publicKey: {
-                    challenge: Base64URL.parse("MTIzNDU2"),
-                    allowCredentials: [
-                        { type: "public-key", id: Base64URL.parse(userhandleBase64), transports: ["internal"] },
-                        { type: "public-key", id: credentialID, transports: ["internal"] }
-                    ]
-                }
-            };
-
-            if (window.testRunner)
-                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return navigator.credentials.get(options).then(credential => {
-                return checkResult(credential);
-            });
-        }, "PublicKeyCredential's [[get]] with matched allow credentials in a mock local authenticator.");
-    })();
+        if (window.testRunner)
+            testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, testUserEntityBundleBase64);
+        return navigator.credentials.get(options).then(credential => {
+            return checkResult(credential, credentialID, privateKeyBase64);
+        });
+    }, "PublicKeyCredential's [[get]] with matched allow credentials in a mock local authenticator.");
 </script>

trunk/LayoutTests/http/wpt/webauthn/resources/util.js

@@ -6 +6 @@
 const testRpId = "localhost";
 const testUserhandleBase64 = "AAECAwQFBgcICQ==";
+const testUserEntityBundleBase64 = "omJpZEoAAQIDBAUGBwgJZG5hbWVwQUFFQ0F3UUZCZ2NJQ1E9PQ==";
 const testAttestationCertificateBase64 =
     "MIIB6jCCAZCgAwIBAgIGAWHAxcjvMAoGCCqGSM49BAMCMFMxJzAlBgNVBAMMHkJh" +
@@ -450 +451 @@
 function generateUserhandleBase64()
 {
-    let buffer = new Uint8Array(16);
+    let buffer = new Uint8Array(8);
     crypto.getRandomValues(buffer);
     return btoa(String.fromCharCode.apply(0, buffer));
@@ -487 +488 @@
     return new Uint8Array(await crypto.subtle.digest("sha-1", publicKey));
 }
+
+function base64encode(binary)
+{
+    const unit8Array = new Uint8Array(binary);
+    return btoa(String.fromCharCode.apply(0, unit8Array));
+}

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-03-11  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Formalize the Keychain schema
+        https://bugs.webkit.org/show_bug.cgi?id=183533
+        <rdar://problem/43347926>
+
+        Reviewed by Brent Fulgham.
+
+        Covered by new test contents within existing files.
+
+        * Modules/webauthn/AuthenticatorAssertionResponse.cpp:
+        (WebCore::AuthenticatorAssertionResponse::create):
+        (WebCore::AuthenticatorAssertionResponse::AuthenticatorAssertionResponse):
+        * Modules/webauthn/AuthenticatorAssertionResponse.h:
+        Modifies the constructors to accept userEntity.name.
+
+        * Modules/webauthn/cbor/CBORValue.h:
+        Adds a FIXME.
+
+        * testing/MockWebAuthenticationConfiguration.h:
+        (WebCore::MockWebAuthenticationConfiguration::LocalConfiguration::encode const):
+        (WebCore::MockWebAuthenticationConfiguration::LocalConfiguration::decode):
+        * testing/MockWebAuthenticationConfiguration.idl:
+        Modifies the test infra to use Credential ID as the unique identifier for a credential instead of
+        the original combination of RP ID and user handle.
+
 2020-03-11  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebCore/Modules/webauthn/AuthenticatorAssertionResponse.cpp

@@ -49 +49 @@
 }
 
-Ref<AuthenticatorAssertionResponse> AuthenticatorAssertionResponse::create(Ref<ArrayBuffer>&& rawId, Ref<ArrayBuffer>&& userHandle, SecAccessControlRef accessControl)
+Ref<AuthenticatorAssertionResponse> AuthenticatorAssertionResponse::create(Ref<ArrayBuffer>&& rawId, Ref<ArrayBuffer>&& userHandle, String&& name, SecAccessControlRef accessControl)
 {
-    return adoptRef(*new AuthenticatorAssertionResponse(WTFMove(rawId), WTFMove(userHandle), accessControl));
+    return adoptRef(*new AuthenticatorAssertionResponse(WTFMove(rawId), WTFMove(userHandle), WTFMove(name), accessControl));
 }
 
@@ -67 +67 @@
 }
 
-AuthenticatorAssertionResponse::AuthenticatorAssertionResponse(Ref<ArrayBuffer>&& rawId, Ref<ArrayBuffer>&& userHandle, SecAccessControlRef accessControl)
+AuthenticatorAssertionResponse::AuthenticatorAssertionResponse(Ref<ArrayBuffer>&& rawId, Ref<ArrayBuffer>&& userHandle, String&& name, SecAccessControlRef accessControl)
     : AuthenticatorResponse(WTFMove(rawId))
     , m_userHandle(WTFMove(userHandle))
+    , m_name(WTFMove(name))
     , m_accessControl(accessControl)
 {

trunk/Source/WebCore/Modules/webauthn/AuthenticatorAssertionResponse.h

@@ -38 +38 @@
     static Ref<AuthenticatorAssertionResponse> create(Ref<ArrayBuffer>&& rawId, Ref<ArrayBuffer>&& authenticatorData, Ref<ArrayBuffer>&& signature, RefPtr<ArrayBuffer>&& userHandle, Optional<AuthenticationExtensionsClientOutputs>&&);
     WEBCORE_EXPORT static Ref<AuthenticatorAssertionResponse> create(const Vector<uint8_t>& rawId, const Vector<uint8_t>& authenticatorData, const Vector<uint8_t>& signature,  const Vector<uint8_t>& userHandle);
-    WEBCORE_EXPORT static Ref<AuthenticatorAssertionResponse> create(Ref<ArrayBuffer>&& rawId, Ref<ArrayBuffer>&& userHandle, SecAccessControlRef);
+    WEBCORE_EXPORT static Ref<AuthenticatorAssertionResponse> create(Ref<ArrayBuffer>&& rawId, Ref<ArrayBuffer>&& userHandle, String&& name, SecAccessControlRef);
     virtual ~AuthenticatorAssertionResponse() = default;
 
@@ -57 +57 @@
 private:
     AuthenticatorAssertionResponse(Ref<ArrayBuffer>&&, Ref<ArrayBuffer>&&, Ref<ArrayBuffer>&&, RefPtr<ArrayBuffer>&&);
-    AuthenticatorAssertionResponse(Ref<ArrayBuffer>&&, Ref<ArrayBuffer>&&, SecAccessControlRef);
+    AuthenticatorAssertionResponse(Ref<ArrayBuffer>&&, Ref<ArrayBuffer>&&, String&&, SecAccessControlRef);
 
     Type type() const final { return Type::Assertion; }

trunk/Source/WebCore/Modules/webauthn/cbor/CBORValue.h

@@ -165 +165 @@
     bool isBool() const { return isSimple() && (m_simpleValue == SimpleValue::TrueValue || m_simpleValue == SimpleValue::FalseValue); }
 
+    // FIXME(183535): Considering adding && getter for better performance.
     // These will all fatally assert if the type doesn't match.
     SimpleValue getSimpleValue() const;

trunk/Source/WebCore/testing/MockWebAuthenticationConfiguration.h

@@ -68 +68 @@
         String userCertificateBase64;
         String intermediateCACertificateBase64;
-        String preferredUserhandleBase64;
+        String preferredCredentialIdBase64;
 
         template<class Encoder> void encode(Encoder&) const;
@@ -113 +113 @@
 void MockWebAuthenticationConfiguration::LocalConfiguration::encode(Encoder& encoder) const
 {
-    encoder << acceptAuthentication << acceptAttestation << privateKeyBase64 << userCertificateBase64 << intermediateCACertificateBase64 << preferredUserhandleBase64;
+    encoder << acceptAuthentication << acceptAttestation << privateKeyBase64 << userCertificateBase64 << intermediateCACertificateBase64 << preferredCredentialIdBase64;
 }
 
@@ -151 +151 @@
     result.intermediateCACertificateBase64 = WTFMove(*intermediateCACertificateBase64);
 
-    Optional<String> preferredUserhandleBase64;
-    decoder >> preferredUserhandleBase64;
-    if (!preferredUserhandleBase64)
-        return WTF::nullopt;
-    result.preferredUserhandleBase64 = WTFMove(*preferredUserhandleBase64);
+    Optional<String> preferredCredentialIdBase64;
+    decoder >> preferredCredentialIdBase64;
+    if (!preferredCredentialIdBase64)
+        return WTF::nullopt;
+    result.preferredCredentialIdBase64 = WTFMove(*preferredCredentialIdBase64);
 
     return result;

trunk/Source/WebCore/testing/MockWebAuthenticationConfiguration.idl

@@ -77 +77 @@
     DOMString userCertificateBase64;
     DOMString intermediateCACertificateBase64;
-    DOMString preferredUserhandleBase64;
+    DOMString preferredCredentialIdBase64;
 };
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-03-11  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Formalize the Keychain schema
+        https://bugs.webkit.org/show_bug.cgi?id=183533
+        <rdar://problem/43347926>
+
+        Reviewed by Brent Fulgham.
+
+        This patch formalizes the schema for the Keychain as follows:
+        kSecAttrLabel: RP ID
+        kSecAttrApplicationLabel: Credential ID (auto-gen by Keychain)
+        kSecAttrApplicationTag: { "id": UserEntity.id, "name": UserEntity.name } (CBOR encoded)
+        Noted, the vale of kSecAttrApplicationLabel is automatically generated by the Keychain, which is a SHA-1 hash of
+        the public key.
+
+        According to the Step 7. from https://www.w3.org/TR/webauthn/#op-make-cred, the following fields are mandatory
+        1. rpId (rpEntity.id);
+        2. userHandle (userEntity.id), this is required for authenticators that support resident keys;
+        3. credentialId.
+
+        Some other optional fields are:
+        (from https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrpentity)
+        1. rpEntity.name;
+        2. rpEnitty.icon;
+        (from https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialuserentity)
+        3. userEntity.displayName;
+        4. userEntity.name;
+        5. userEntity.icon;
+        (from https://www.w3.org/TR/webauthn/#sign-counter)
+        6. signature counter.
+
+        Among the six possible fields, only 4. is chosen to store. Here is why:
+        For rpEntity, rpEntity.id which is either the domain or the eTLD + 1 of the website is
+        sufficient enough to either classify the credential or serving the UI. Also, this is the only
+        trustworthy information that the UserAgent produce. Others could potentially be used by
+        malicious websites for attacking the Keychain or spoofing/phishing users when being displayed
+        in the UI. Also, rpEnitty.icon is a URL to the website's favicon, which if not implemented
+        correctly can be used for tracking.
+
+        For userEntity, userEntity.name is the human readable version of userEntity.id, and therefore
+        is chosen to store such that later on WebKit can pass it to UI client to help users disambiguate
+        different credentials. And it is necessary as userEntity.id is not guaranteed to be human
+        readable. Others are abandoned for the very same reason as above.
+
+        We hard code a zero value for 'signature counter'. While this is a theoretically interesting
+        technique for a RP to detect private key cloning, it is unlikely to be useful in practice.
+        We store the private keys in our SEP. This counter would only be a meaningful protection if
+        adversaries were able to extract private key data from the SEP without Apple noticing, but
+        were not able to manipulate this counter to fool the RP.
+
+        In terms of the schema,
+        1) RP ID is needed to query all credentials related, and therefore it needs a column and kSecAttrLabel
+        is supposed to be human readable;
+        2) kSecAttrApplicationLabel is the auto generated programmatical identifier for a SecItem, and
+        therefore is suitable as the credential ID. Given the input to the SHA-1 is generated by us, and
+        it is only needed to be powerful enough to be unique across the keychain within a device, and potentially
+        to be unique across different other credential ID for the same user. The SHA-1 collision attack
+        doesn't seem valid here.
+        3) kSecAttrApplicationTag is the only other column Keychain allows applications to modify. Therefore,
+        UserEntity.id and UserEntity.name is bundled to use this slot. The reason to use CBOR here is that
+        it is more friendly then JSON to encode binaries, and it is used widely in WebAuthn.
+
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h:
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+        (WebKit::LocalAuthenticatorInternal::toArrayBuffer):
+        (WebKit::LocalAuthenticatorInternal::getExistingCredentials):
+        (WebKit::LocalAuthenticator::makeCredential):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
+        (WebKit::LocalAuthenticator::getAssertion):
+        (WebKit::LocalAuthenticator::deleteDuplicateCredential const):
+        * UIProcess/WebAuthentication/Mock/MockLocalConnection.mm:
+        (WebKit::MockLocalConnection::filterResponses const):
+
 2020-03-11  Per Arne Vollan  <pvollan@apple.com>
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h

@@ -68 +68 @@
 
     void receiveException(WebCore::ExceptionData&&, WebAuthenticationStatus = WebAuthenticationStatus::LAError) const;
+    void deleteDuplicateCredential() const;
 
     State m_state { State::Init };
     UniqueRef<LocalConnection> m_connection;
+    // FIXME(183534): Combine these two.
     HashSet<Ref<WebCore::AuthenticatorAssertionResponse>> m_assertionResponses;
+    Vector<Ref<WebCore::AuthenticatorAssertionResponse>> m_existingCredentials;
 };
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm

@@ -32 +32 @@
 #import <WebCore/AuthenticatorAssertionResponse.h>
 #import <WebCore/AuthenticatorAttestationResponse.h>
+#import <WebCore/CBORReader.h>
 #import <WebCore/CBORWriter.h>
 #import <WebCore/ExceptionData.h>
@@ -48 +49 @@
 namespace WebKit {
 using namespace WebCore;
+using CBOR = cbor::CBORValue;
 
 namespace LocalAuthenticatorInternal {
@@ -56 +58 @@
 // Credential ID is currently SHA-1 of the corresponding public key.
 const uint16_t credentialIdLength = 20;
+const char* const userEntityIdKey = "id";
+const char* const userEntityNameKey = "name";
+const uint64_t counter = 0;
 
 static inline bool emptyTransportsOrContain(const Vector<AuthenticatorTransport>& transports, AuthenticatorTransport target)
@@ -62 +67 @@
 }
 
+// FIXME(183534): Find a better way of comparing credential id. Doing it with array seems fine given the list should be small.
 static inline HashSet<String> produceHashSet(const Vector<PublicKeyCredentialDescriptor>& credentialDescriptors)
 {
@@ -99 +105 @@
 }
 
+static inline Ref<ArrayBuffer> toArrayBuffer(const Vector<uint8_t>& data)
+{
+    return ArrayBuffer::create(data.data(), data.size());
+}
+
 // FIXME(<rdar://problem/60108131>): Remove this whitelist once testing is complete.
 static const HashSet<String>& whitelistedRpId()
@@ -110 +121 @@
 }
 
+static Optional<Vector<Ref<AuthenticatorAssertionResponse>>> getExistingCredentials(const String& rpId)
+{
+    // Search Keychain for existing credential matched the RP ID.
+    NSDictionary *query = @{
+        (id)kSecClass: (id)kSecClassKey,
+        (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
+        (id)kSecAttrLabel: rpId,
+        (id)kSecReturnAttributes: @YES,
+        (id)kSecMatchLimit: (id)kSecMatchLimitAll,
+#if HAVE(DATA_PROTECTION_KEYCHAIN)
+        (id)kSecUseDataProtectionKeychain: @YES
+#else
+        (id)kSecAttrNoLegacy: @YES
+#endif
+    };
+    CFTypeRef attributesArrayRef = nullptr;
+    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &attributesArrayRef);
+    if (status && status != errSecItemNotFound)
+        return WTF::nullopt;
+    auto retainAttributesArray = adoptCF(attributesArrayRef);
+    NSArray *nsAttributesArray = (NSArray *)attributesArrayRef;
+
+    Vector<Ref<AuthenticatorAssertionResponse>> result;
+    result.reserveInitialCapacity(nsAttributesArray.count);
+    for (NSDictionary *attributes in nsAttributesArray) {
+        auto decodedResponse = cbor::CBORReader::read(toVector(attributes[(id)kSecAttrApplicationTag]));
+        if (!decodedResponse || !decodedResponse->isMap()) {
+            ASSERT_NOT_REACHED();
+            return WTF::nullopt;
+        }
+        auto& responseMap = decodedResponse->getMap();
+
+        auto it = responseMap.find(CBOR(userEntityIdKey));
+        if (it == responseMap.end() || !it->second.isByteString()) {
+            ASSERT_NOT_REACHED();
+            return WTF::nullopt;
+        }
+        auto& userHandle = it->second.getByteString();
+
+        it = responseMap.find(CBOR(userEntityNameKey));
+        if (it == responseMap.end() || !it->second.isString()) {
+            ASSERT_NOT_REACHED();
+            return WTF::nullopt;
+        }
+        auto& username = it->second.getString();
+
+        result.uncheckedAppend(AuthenticatorAssertionResponse::create(toArrayBuffer(attributes[(id)kSecAttrApplicationLabel]), toArrayBuffer(userHandle), String(username), (__bridge SecAccessControlRef)attributes[(id)kSecAttrAccessControl]));
+    }
+    return result;
+}
+
 } // LocalAuthenticatorInternal
 
@@ -128 +190 @@
     // Skip Step 9 as extensions are not supported yet.
     // Step 8 is implicitly captured by all UnknownError exception receiveResponds.
+    // Skip Step 10 as counter is constantly 0.
     // Step 2.
     if (notFound == creationOptions.pubKeyCredParams.findMatching([] (auto& pubKeyCredParam) {
@@ -137 +200 @@
 
     // Step 3.
+    auto existingCredentials = getExistingCredentials(creationOptions.rp.id);
+    if (!existingCredentials) {
+        receiveException({ UnknownError, makeString("Couldn't get existing credentials") });
+        return;
+    }
+    m_existingCredentials = WTFMove(*existingCredentials);
+
     auto excludeCredentialIds = produceHashSet(creationOptions.excludeCredentials);
     if (!excludeCredentialIds.isEmpty()) {
-        // Search Keychain for the RP ID.
-        NSDictionary *query = @{
-            (id)kSecClass: (id)kSecClassKey,
-            (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-            (id)kSecAttrLabel: creationOptions.rp.id,
-            (id)kSecReturnAttributes: @YES,
-            (id)kSecMatchLimit: (id)kSecMatchLimitAll,
-#if HAVE(DATA_PROTECTION_KEYCHAIN)
-            (id)kSecUseDataProtectionKeychain: @YES
-#else
-            (id)kSecAttrNoLegacy: @YES
-#endif
-        };
-        CFTypeRef attributesArrayRef = nullptr;
-        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &attributesArrayRef);
-        if (status && status != errSecItemNotFound) {
-            receiveException({ UnknownError, makeString("Couldn't query Keychain: ", status) });
-            return;
-        }
-        auto retainAttributesArray = adoptCF(attributesArrayRef);
-
-        // FIXME: Need to obtain user consent and then return different error according to the result.
-        for (NSDictionary *nsAttributes in (NSArray *)attributesArrayRef) {
-            NSData *nsCredentialId = nsAttributes[(id)kSecAttrApplicationLabel];
-            if (excludeCredentialIds.contains(String(reinterpret_cast<const char*>(nsCredentialId.bytes), nsCredentialId.length))) {
-                receiveException({ NotAllowedError, "At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator."_s }, WebAuthenticationStatus::LAExcludeCredentialsMatched);
-                return;
-            }
+        if (notFound != m_existingCredentials.findMatching([&excludeCredentialIds] (auto& credential) {
+            auto* rawId = credential->rawId();
+            ASSERT(rawId);
+            return excludeCredentialIds.contains(String(reinterpret_cast<const char*>(rawId->data()), rawId->byteLength()));
+        })) {
+            receiveException({ NotAllowedError, "At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator."_s }, WebAuthenticationStatus::LAExcludeCredentialsMatched);
+            return;
         }
     }
@@ -229 +278 @@
     }
 
-    // FIXME(183533): A single kSecClassKey item couldn't store all meta data. The following schema is a tentative solution
-    // to accommodate the most important meta data, i.e. RP ID, Credential ID, and userhandle.
+    // Here is the keychain schema.
     // kSecAttrLabel: RP ID
     // kSecAttrApplicationLabel: Credential ID (auto-gen by Keychain)
-    // kSecAttrApplicationTag: userhandle
+    // kSecAttrApplicationTag: { "id": UserEntity.id, "name": UserEntity.name } (CBOR encoded)
     // Noted, the vale of kSecAttrApplicationLabel is automatically generated by the Keychain, which is a SHA-1 hash of
-    // the public key. We borrow it directly for now to workaround the stated limitations.
+    // the public key.
     const auto& secAttrLabel = creationOptions.rp.id;
-    auto secAttrApplicationTag = toNSData(creationOptions.user.idVector);
-
-    // Step 7.5.
-    // Failures after this point could block users' accounts forever. Should we follow the spec?
-    NSDictionary* deleteQuery = @{
-        (id)kSecClass: (id)kSecClassKey,
-        (id)kSecAttrLabel: secAttrLabel,
-        (id)kSecAttrApplicationTag: secAttrApplicationTag.get(),
-#if HAVE(DATA_PROTECTION_KEYCHAIN)
-        (id)kSecUseDataProtectionKeychain: @YES
-#else
-        (id)kSecAttrNoLegacy: @YES
-#endif
-    };
-    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)deleteQuery);
-    if (status && status != errSecItemNotFound) {
-        receiveException({ UnknownError, makeString("Couldn't delete older credential: ", status) });
-        return;
-    }
-
-    // Step 7.1-7.4.
+
+    cbor::CBORValue::MapValue userEntityMap;
+    userEntityMap[cbor::CBORValue(userEntityIdKey)] = cbor::CBORValue(creationOptions.user.idVector);
+    userEntityMap[cbor::CBORValue(userEntityNameKey)] = cbor::CBORValue(creationOptions.user.name);
+    auto userEntity = cbor::CBORWriter::write(cbor::CBORValue(WTFMove(userEntityMap)));
+    ASSERT(userEntity);
+    auto secAttrApplicationTag = toNSData(*userEntity);
+
+    // Step 7.
     // The above-to-create private key will be inserted into keychain while using SEP.
     auto privateKey = m_connection->createCredentialPrivateKey(context, accessControlRef, secAttrLabel, secAttrApplicationTag.get());
@@ -265 +301 @@
     }
 
+    RetainPtr<CFDataRef> publicKeyDataRef;
+    {
+        auto publicKey = adoptCF(SecKeyCopyPublicKey(privateKey.get()));
+        CFErrorRef errorRef = nullptr;
+        publicKeyDataRef = adoptCF(SecKeyCopyExternalRepresentation(publicKey.get(), &errorRef));
+        auto retainError = adoptCF(errorRef);
+        if (errorRef) {
+            receiveException({ UnknownError, makeString("Couldn't export the public key: ", String(((NSError*)errorRef).localizedDescription)) });
+            return;
+        }
+        ASSERT(((NSData *)publicKeyDataRef.get()).length == (1 + 2 * ES256FieldElementLength)); // 04 | X | Y
+    }
+    NSData *nsPublicKeyData = (NSData *)publicKeyDataRef.get();
+
+    // Query credentialId in the keychain could be racy as it is the only unique identifier
+    // of the key item. Instead we calculate that, and examine its equaity in DEBUG build.
     Vector<uint8_t> credentialId;
     {
+        auto digest = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_1);
+        digest->addBytes(nsPublicKeyData.bytes, nsPublicKeyData.length);
+        credentialId = digest->computeHash();
+
+#ifndef NDEBUG
         NSDictionary *credentialIdQuery = @{
             (id)kSecClass: (id)kSecClassKey,
             (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
             (id)kSecAttrLabel: secAttrLabel,
-            (id)kSecAttrApplicationTag: secAttrApplicationTag.get(),
-            (id)kSecReturnAttributes: @YES,
+            (id)kSecAttrApplicationLabel: toNSData(credentialId).get(),
 #if HAVE(DATA_PROTECTION_KEYCHAIN)
             (id)kSecUseDataProtectionKeychain: @YES
@@ -279 +335 @@
 #endif
         };
-        CFTypeRef attributesRef = nullptr;
-        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)credentialIdQuery, &attributesRef);
-        if (status) {
-            receiveException({ UnknownError, makeString("Couldn't get Credential ID: ", status) });
-            return;
-        }
-        auto retainAttributes = adoptCF(attributesRef);
-
-        NSDictionary *nsAttributes = (NSDictionary *)attributesRef;
-        credentialId = toVector(nsAttributes[(id)kSecAttrApplicationLabel]);
-    }
-
-    // Step 10.
-    // FIXME(183533): store the counter.
-    uint32_t counter = 0;
+        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)credentialIdQuery, nullptr);
+        ASSERT(!status);
+#endif // NDEBUG
+    }
 
     // Step 11. https://www.w3.org/TR/webauthn/#attested-credential-data
@@ -299 +344 @@
     Vector<uint8_t> cosePublicKey;
     {
-        RetainPtr<CFDataRef> publicKeyDataRef;
-        {
-            auto publicKey = adoptCF(SecKeyCopyPublicKey(privateKey.get()));
-            CFErrorRef errorRef = nullptr;
-            publicKeyDataRef = adoptCF(SecKeyCopyExternalRepresentation(publicKey.get(), &errorRef));
-            auto retainError = adoptCF(errorRef);
-            if (errorRef) {
-                receiveException({ UnknownError, makeString("Couldn't export the public key: ", String(((NSError*)errorRef).localizedDescription)) });
-                return;
-            }
-            ASSERT(((NSData *)publicKeyDataRef.get()).length == (1 + 2 * ES256FieldElementLength)); // 04 | X | Y
-        }
-
         // COSE Encoding
         Vector<uint8_t> x(ES256FieldElementLength);
-        [(NSData *)publicKeyDataRef.get() getBytes: x.data() range:NSMakeRange(1, ES256FieldElementLength)];
+        [nsPublicKeyData getBytes: x.data() range:NSMakeRange(1, ES256FieldElementLength)];
         Vector<uint8_t> y(ES256FieldElementLength);
-        [(NSData *)publicKeyDataRef.get() getBytes: y.data() range:NSMakeRange(1 + ES256FieldElementLength, ES256FieldElementLength)];
+        [nsPublicKeyData getBytes: y.data() range:NSMakeRange(1 + ES256FieldElementLength, ES256FieldElementLength)];
         cosePublicKey = encodeES256PublicKeyAsCBOR(WTFMove(x), WTFMove(y));
     }
@@ -327 +359 @@
     // Skip Apple Attestation for none attestation, and non whitelisted RP ID for now.
     if (creationOptions.attestation == AttestationConveyancePreference::None || !whitelistedRpId().contains(creationOptions.rp.id)) {
+        deleteDuplicateCredential();
+
         auto attestationObject = buildAttestationObject(WTFMove(authData), "", { }, AttestationConveyancePreference::None);
         receiveRespond(AuthenticatorAttestationResponse::create(credentialId, attestationObject));
@@ -371 +405 @@
     auto attestationObject = buildAttestationObject(WTFMove(authData), "apple", WTFMove(attestationStatementMap), creationOptions.attestation);
 
+    deleteDuplicateCredential();
     receiveRespond(AuthenticatorAttestationResponse::create(credentialId, attestationObject));
 }
@@ -384 +419 @@
     // Skip Step 2 as requireUserVerification is enforced.
     // Skip Step 8 as extensions are not supported yet.
+    // Skip Step 9 as counter is constantly 0.
     // Step 12 is implicitly captured by all UnknownError exception callbacks.
     // Step 3-5. Unlike the spec, if an allow list is provided and there is no intersection between existing ones and the allow list, we always return NotAllowedError.
@@ -393 +429 @@
 
     // Search Keychain for the RP ID.
-    NSDictionary *query = @{
-        (id)kSecClass: (id)kSecClassKey,
-        (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-        (id)kSecAttrLabel: requestOptions.rpId,
-        (id)kSecReturnAttributes: @YES,
-        (id)kSecMatchLimit: (id)kSecMatchLimitAll,
-#if HAVE(DATA_PROTECTION_KEYCHAIN)
-        (id)kSecUseDataProtectionKeychain: @YES
-#else
-        (id)kSecAttrNoLegacy: @YES
-#endif
-    };
-    CFTypeRef attributesArrayRef = nullptr;
-    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &attributesArrayRef);
-    if (status && status != errSecItemNotFound) {
-        receiveException({ UnknownError, makeString("Couldn't query Keychain: ", status) });
-        return;
-    }
-    auto retainAttributesArray = adoptCF(attributesArrayRef);
-
-    NSArray *intersectedCredentialsAttributes = nil;
-    if (requestOptions.allowCredentials.isEmpty())
-        intersectedCredentialsAttributes = (NSArray *)attributesArrayRef;
-    else {
-        NSMutableArray *result = [NSMutableArray arrayWithCapacity:allowCredentialIds.size()];
-        for (NSDictionary *nsAttributes in (NSArray *)attributesArrayRef) {
-            NSData *nsCredentialId = nsAttributes[(id)kSecAttrApplicationLabel];
-            if (allowCredentialIds.contains(String(reinterpret_cast<const char*>(nsCredentialId.bytes), nsCredentialId.length)))
-                [result addObject:nsAttributes];
-        }
-        intersectedCredentialsAttributes = result;
-    }
-    if (!intersectedCredentialsAttributes.count) {
+    auto existingCredentials = getExistingCredentials(requestOptions.rpId);
+    if (!existingCredentials) {
+        receiveException({ UnknownError, makeString("Couldn't get existing credentials") });
+        return;
+    }
+    m_existingCredentials = WTFMove(*existingCredentials);
+
+    for (auto& credential : m_existingCredentials) {
+        if (allowCredentialIds.isEmpty()) {
+            auto addResult = m_assertionResponses.add(credential.copyRef());
+            ASSERT_UNUSED(addResult, addResult.isNewEntry);
+            continue;
+        }
+
+        auto* rawId = credential->rawId();
+        if (allowCredentialIds.contains(String(reinterpret_cast<const char*>(rawId->data()), rawId->byteLength()))) {
+            auto addResult = m_assertionResponses.add(credential.copyRef());
+            ASSERT_UNUSED(addResult, addResult.isNewEntry);
+        }
+    }
+    if (m_assertionResponses.isEmpty()) {
         receiveException({ NotAllowedError, "No matched credentials are found in the platform attached authenticator."_s }, WebAuthenticationStatus::LANoCredential);
         return;
@@ -431 +455 @@
 
     // Step 6-7. User consent is implicitly acquired by selecting responses.
-    for (NSDictionary *attribute : intersectedCredentialsAttributes) {
-        auto addResult = m_assertionResponses.add(AuthenticatorAssertionResponse::create(
-            toArrayBuffer(attribute[(id)kSecAttrApplicationLabel]),
-            toArrayBuffer(attribute[(id)kSecAttrApplicationTag]),
-            (__bridge SecAccessControlRef)attribute[(id)kSecAttrAccessControl]));
-        ASSERT_UNUSED(addResult, addResult.isNewEntry);
-    }
     m_connection->filterResponses(m_assertionResponses);
 
@@ -485 +502 @@
     }
 
-    // Step 9-10.
-    // FIXME(183533): Due to the stated Keychain limitations, we can't save the counter value.
-    // Therefore, it is always zero.
-    uint32_t counter = 0;
+    // Step 10.
     auto authData = buildAuthData(WTF::get<PublicKeyCredentialRequestOptions>(requestData().options).rpId, getAssertionFlags, counter, { });
 
@@ -542 +556 @@
 }
 
+void LocalAuthenticator::deleteDuplicateCredential() const
+{
+    using namespace LocalAuthenticatorInternal;
+
+    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
+    m_existingCredentials.findMatching([creationOptions] (auto& credential) {
+        auto* userHandle = credential->userHandle();
+        ASSERT(userHandle);
+        if (memcmp(userHandle->data(), creationOptions.user.idVector.data(), userHandle->byteLength()))
+            return false;
+
+        NSDictionary* deleteQuery = @{
+            (id)kSecClass: (id)kSecClassKey,
+            (id)kSecAttrApplicationLabel: toNSData(credential->rawId()).get(),
+#if HAVE(DATA_PROTECTION_KEYCHAIN)
+            (id)kSecUseDataProtectionKeychain: @YES
+#else
+            (id)kSecAttrNoLegacy: @YES
+#endif
+        };
+        OSStatus status = SecItemDelete((__bridge CFDictionaryRef)deleteQuery);
+        if (status && status != errSecItemNotFound)
+            LOG_ERROR(makeString("Couldn't delete older credential: "_s, status).utf8().data());
+        return true;
+    });
+}
+
 } // namespace WebKit
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.mm

@@ -116 +116 @@
 void MockLocalConnection::filterResponses(HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>& responses) const
 {
-    const auto& preferredUserhandleBase64 = m_configuration.local->preferredUserhandleBase64;
-    if (preferredUserhandleBase64.isEmpty())
+    const auto& preferredCredentialIdBase64 = m_configuration.local->preferredCredentialIdBase64;
+    if (preferredCredentialIdBase64.isEmpty())
         return;
 
     auto itr = responses.begin();
     for (; itr != responses.end(); ++itr) {
-        auto* userHandle = itr->get().userHandle();
-        ASSERT(userHandle);
-        auto userhandleBase64 = base64Encode(userHandle->data(), userHandle->byteLength());
-        if (userhandleBase64 == preferredUserhandleBase64)
+        auto* rawId = itr->get().rawId();
+        ASSERT(rawId);
+        auto rawIdBase64 = base64Encode(rawId->data(), rawId->byteLength());
+        if (rawIdBase64 == preferredCredentialIdBase64)
             break;
     }

trunk/Tools/ChangeLog

@@ +1 @@
+2020-03-11  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Formalize the Keychain schema
+        https://bugs.webkit.org/show_bug.cgi?id=183533
+        <rdar://problem/43347926>
+
+        Reviewed by Brent Fulgham.
+
+        Modifies the test infra to use Credential ID as the unique identifier for a credential instead of
+        the original combination of RP ID and user handle.
+
+        * WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl:
+        * WebKitTestRunner/InjectedBundle/TestRunner.cpp:
+        (WTR::TestRunner::cleanUpKeychain):
+        (WTR::TestRunner::keyExistsInKeychain):
+        * WebKitTestRunner/InjectedBundle/TestRunner.h:
+        * WebKitTestRunner/TestController.h:
+        * WebKitTestRunner/TestInvocation.cpp:
+        (WTR::TestInvocation::didReceiveSynchronousMessageFromInjectedBundle):
+        * WebKitTestRunner/cocoa/TestControllerCocoa.mm:
+        (WTR::TestController::cleanUpKeychain):
+        (WTR::TestController::keyExistsInKeychain):
+
 2020-03-11  Keith Miller  <keith_miller@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm

@@ -63 +63 @@
     "PH76c0+WFOzZKslPyyFse4goGIW2R7k9VHLPEZl5nfnBgEVFh5zev+/xpHQIvuq6"
     "RQ==";
-static String testUserhandleBase64 = "AAECAwQFBgcICQ==";
+static String testUserEntityBundleBase64 = "omJpZEoAAQIDBAUGBwgJZG5hbWVwQUFFQ0F3UUZCZ2NJQ1E9PQ==";
 
 @interface TestWebAuthenticationPanelDelegate : NSObject <_WKWebAuthenticationPanelDelegate>
@@ -1215 +1215 @@
     [webView setUIDelegate:delegate.get()];
 
-    ASSERT_TRUE(addKeyToKeychain(testES256PrivateKeyBase64, "", testUserhandleBase64));
+    ASSERT_TRUE(addKeyToKeychain(testES256PrivateKeyBase64, "", testUserEntityBundleBase64));
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&webAuthenticationPanelUpdateLAExcludeCredentialsMatched);
@@ -1306 +1306 @@
     [webView setUIDelegate:delegate.get()];
 
-    ASSERT_TRUE(addKeyToKeychain(testES256PrivateKeyBase64, "", testUserhandleBase64));
+    ASSERT_TRUE(addKeyToKeychain(testES256PrivateKeyBase64, "", testUserEntityBundleBase64));
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     [webView waitForMessage:@"Succeeded!"];

trunk/Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl

@@ -405 +405 @@
     // WebAuthn
     void addTestKeyToKeychain(DOMString privateKeyBase64, DOMString attrLabel, DOMString applicationTagBase64);
-    void cleanUpKeychain(DOMString attrLabel, optional DOMString applicationTagBase64);
-    boolean keyExistsInKeychain(DOMString attrLabel, DOMString applicationTagBase64);
+    void cleanUpKeychain(DOMString attrLabel, optional DOMString applicationLabelBase64);
+    boolean keyExistsInKeychain(DOMString attrLabel, DOMString applicationLabelBase64);
 
     // Ad Click Attribution

trunk/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp

@@ -2789 +2789 @@
 }
 
-void TestRunner::cleanUpKeychain(JSStringRef attrLabel, JSStringRef applicationTagBase64)
+void TestRunner::cleanUpKeychain(JSStringRef attrLabel, JSStringRef applicationLabelBase64)
 {
     Vector<WKRetainPtr<WKStringRef>> keys;
@@ -2797 +2797 @@
     values.append(toWK(attrLabel));
 
-    if (applicationTagBase64) {
-        keys.append(adoptWK(WKStringCreateWithUTF8CString("ApplicationTag")));
-        values.append(toWK(applicationTagBase64));
+    if (applicationLabelBase64) {
+        keys.append(adoptWK(WKStringCreateWithUTF8CString("ApplicationLabel")));
+        values.append(toWK(applicationLabelBase64));
     }
 
@@ -2818 +2818 @@
 }
 
-bool TestRunner::keyExistsInKeychain(JSStringRef attrLabel, JSStringRef applicationTagBase64)
+bool TestRunner::keyExistsInKeychain(JSStringRef attrLabel, JSStringRef applicationLabelBase64)
 {
     Vector<WKRetainPtr<WKStringRef>> keys;
@@ -2826 +2826 @@
     values.append(toWK(attrLabel));
 
-    keys.append(adoptWK(WKStringCreateWithUTF8CString("ApplicationTag")));
-    values.append(toWK(applicationTagBase64));
+    keys.append(adoptWK(WKStringCreateWithUTF8CString("ApplicationLabel")));
+    values.append(toWK(applicationLabelBase64));
 
     Vector<WKStringRef> rawKeys;

trunk/Tools/WebKitTestRunner/InjectedBundle/TestRunner.h

@@ -513 +513 @@
     // FIXME(189876)
     void addTestKeyToKeychain(JSStringRef privateKeyBase64, JSStringRef attrLabel, JSStringRef applicationTagBase64);
-    void cleanUpKeychain(JSStringRef attrLabel, JSStringRef applicationTagBase64);
-    bool keyExistsInKeychain(JSStringRef attrLabel, JSStringRef applicationTagBase64);
+    void cleanUpKeychain(JSStringRef attrLabel, JSStringRef applicationLabelBase64);
+    bool keyExistsInKeychain(JSStringRef attrLabel, JSStringRef applicationLabelBase64);
 
     unsigned long serverTrustEvaluationCallbackCallsCount();

trunk/Tools/WebKitTestRunner/TestController.h

@@ -317 +317 @@
 
     void addTestKeyToKeychain(const String& privateKeyBase64, const String& attrLabel, const String& applicationTagBase64);
-    void cleanUpKeychain(const String& attrLabel, const String& applicationTagBase64);
-    bool keyExistsInKeychain(const String& attrLabel, const String& applicationTagBase64);
+    void cleanUpKeychain(const String& attrLabel, const String& applicationLabelBase64);
+    bool keyExistsInKeychain(const String& attrLabel, const String& applicationLabelBase64);
 
 #if PLATFORM(COCOA)

trunk/Tools/WebKitTestRunner/TestInvocation.cpp

@@ -1724 +1724 @@
         WKStringRef attrLabelWK = static_cast<WKStringRef>(WKDictionaryGetItemForKey(testDictionary, attrLabelKey.get()));
 
-        WKRetainPtr<WKStringRef> applicationTagKey = adoptWK(WKStringCreateWithUTF8CString("ApplicationTag"));
-        WKStringRef applicationTagWK = static_cast<WKStringRef>(WKDictionaryGetItemForKey(testDictionary, applicationTagKey.get()));
-
-        TestController::singleton().cleanUpKeychain(toWTFString(attrLabelWK), applicationTagWK ? toWTFString(applicationTagWK) : String());
+        WKRetainPtr<WKStringRef> applicationLabelKey = adoptWK(WKStringCreateWithUTF8CString("ApplicationLabel"));
+        WKStringRef applicationLabelWK = static_cast<WKStringRef>(WKDictionaryGetItemForKey(testDictionary, applicationLabelKey.get()));
+
+        TestController::singleton().cleanUpKeychain(toWTFString(attrLabelWK), applicationLabelWK ? toWTFString(applicationLabelWK) : String());
         return nullptr;
     }
@@ -1738 +1738 @@
         WKStringRef attrLabelWK = static_cast<WKStringRef>(WKDictionaryGetItemForKey(testDictionary, attrLabelKey.get()));
 
-        WKRetainPtr<WKStringRef> applicationTagKey = adoptWK(WKStringCreateWithUTF8CString("ApplicationTag"));
-        WKStringRef applicationTagWK = static_cast<WKStringRef>(WKDictionaryGetItemForKey(testDictionary, applicationTagKey.get()));
-
-        bool keyExistsInKeychain = TestController::singleton().keyExistsInKeychain(toWTFString(attrLabelWK), toWTFString(applicationTagWK));
+        WKRetainPtr<WKStringRef> applicationLabelKey = adoptWK(WKStringCreateWithUTF8CString("ApplicationLabel"));
+        WKStringRef applicationLabelWK = static_cast<WKStringRef>(WKDictionaryGetItemForKey(testDictionary, applicationLabelKey.get()));
+
+        bool keyExistsInKeychain = TestController::singleton().keyExistsInKeychain(toWTFString(attrLabelWK), toWTFString(applicationLabelWK));
         WKRetainPtr<WKTypeRef> result = adoptWK(WKBooleanCreate(keyExistsInKeychain));
         return result;

trunk/Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm

@@ -431 +431 @@
 }
 
-void TestController::cleanUpKeychain(const String& attrLabel, const String& applicationTagBase64)
+void TestController::cleanUpKeychain(const String& attrLabel, const String& applicationLabelBase64)
 {
     auto deleteQuery = adoptNS([[NSMutableDictionary alloc] init]);
@@ -441 +441 @@
     [deleteQuery setObject:@YES forKey:(id)kSecAttrNoLegacy];
 #endif
-    if (!!applicationTagBase64)
-        [deleteQuery setObject:adoptNS([[NSData alloc] initWithBase64EncodedString:applicationTagBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get() forKey:(id)kSecAttrApplicationTag];
+    if (!!applicationLabelBase64)
+        [deleteQuery setObject:adoptNS([[NSData alloc] initWithBase64EncodedString:applicationLabelBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get() forKey:(id)kSecAttrApplicationLabel];
 
     SecItemDelete((__bridge CFDictionaryRef)deleteQuery.get());
 }
 
-bool TestController::keyExistsInKeychain(const String& attrLabel, const String& applicationTagBase64)
+bool TestController::keyExistsInKeychain(const String& attrLabel, const String& applicationLabelBase64)
 {
     NSDictionary *query = @{
@@ -453 +453 @@
         (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
         (id)kSecAttrLabel: attrLabel,
-        (id)kSecAttrApplicationTag: adoptNS([[NSData alloc] initWithBase64EncodedString:applicationTagBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get(),
+        (id)kSecAttrApplicationLabel: adoptNS([[NSData alloc] initWithBase64EncodedString:applicationLabelBase64 options:NSDataBase64DecodingIgnoreUnknownCharacters]).get(),
 #if HAVE(DATA_PROTECTION_KEYCHAIN)
         (id)kSecUseDataProtectionKeychain: @YES