Changeset 261723 in webkit

Timestamp:

May 14, 2020 4:49:04 PM (4 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] Relaxing signature length requirements for U2fRegister
​https://bugs.webkit.org/show_bug.cgi?id=209645
<rdar://problem/63204591>

Reviewed by Brent Fulgham.

Source/WebCore:

It turns out the length range specified from the spec, i.e., [71, 73] is wrong.
​https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#registration-response-message-success

It should actually be [70, 72]. However, as a middleware to relay the messages, user agents
are not necessary to check the length. Therefore, the check is relaxed to make the code more robust.

Covered by existing tests.

• Modules/webauthn/fido/U2fResponseConverter.cpp:

(fido::WebCore::createFidoAttestationStatementFromU2fRegisterResponse):

Tools:

• TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp:

(TestWebKitAPI::TEST):

Location:

trunk

Files:

• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-05-14  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Relaxing signature length requirements for U2fRegister
+        https://bugs.webkit.org/show_bug.cgi?id=209645
+        <rdar://problem/63204591>
+
+        Reviewed by Brent Fulgham.
+
+        It turns out the length range specified from the spec, i.e., [71, 73] is wrong.
+        https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#registration-response-message-success
+
+        It should actually be [70, 72]. However, as a middleware to relay the messages, user agents
+        are not necessary to check the length. Therefore, the check is relaxed to make the code more robust.
+
+        Covered by existing tests.
+
+        * Modules/webauthn/fido/U2fResponseConverter.cpp:
+        (fido::WebCore::createFidoAttestationStatementFromU2fRegisterResponse):
+
 2020-05-14  Timothy Hatcher  <timothy@apple.com>
 

trunk/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp

@@ -50 +50 @@
 // https://www.w3.org/TR/webauthn/#flags
 const uint8_t makeCredentialFlags = 0b01000001; // UP and AT are set.
-// https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#registration-response-message-success
-const uint8_t minSignatureLength = 71;
-const uint8_t maxSignatureLength = 73;
 // https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#authentication-response-message-success
 const size_t flagIndex = 0;
@@ -134 +131 @@
     Vector<uint8_t> signature;
     signature.append(u2fData.data() + offset, u2fData.size() - offset);
-    if (signature.size() < minSignatureLength || signature.size() > maxSignatureLength)
+    if (signature.isEmpty())
         return { };
 

trunk/Tools/ChangeLog

@@ +1 @@
+2020-05-14  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Relaxing signature length requirements for U2fRegister
+        https://bugs.webkit.org/show_bug.cgi?id=209645
+        <rdar://problem/63204591>
+
+        Reviewed by Brent Fulgham.
+
+        * TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp:
+        (TestWebKitAPI::TEST):
+
 2020-05-14  Jonathan Bedard  <jbedard@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp

@@ -513 +513 @@
     auto response = readU2fRegisterResponse(TestData::kRelyingPartyId, getTestU2fRegisterResponse(prefix - 71, nullptr, 0));
     EXPECT_FALSE(response);
-
-    const uint8_t testData[] = { 0x40, 0x40, 0x40 };
-    response = readU2fRegisterResponse(TestData::kRelyingPartyId, getTestU2fRegisterResponse(prefix, testData, sizeof(testData)));
-    EXPECT_FALSE(response);
 }