Changeset 267369 in webkit

Timestamp:

Sep 21, 2020 2:32:21 PM (4 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] Don't set the UV option if the authenticator doesn't support it
​https://bugs.webkit.org/show_bug.cgi?id=215836
<rdar://problem/67817359>

Reviewed by Darin Adler.

Source/WebCore:

Covered by new API tests.

UV in the the CTAP 2.0 spec only means internal UV:
​https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo

If an authenticator supports ClientPin, it can set the uv bit in the responses to true but it
will not advertise itself supporting internal UV, which is the uv in the options.
​https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential

Hence, setting it to true could result in error if the authenticator doesn't support internal UV even if it supports ClientPin.
It's not a way to ask the authenticator to set the uv bit in the response.

• Modules/webauthn/fido/DeviceRequestConverter.cpp:

(fido::encodeMakeCredenitalRequestAsCBOR):
(fido::encodeGetAssertionRequestAsCBOR):

Tools:

• TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:

(TestWebKitAPI::TEST):

LayoutTests:

• http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
• http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
• http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
• http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https-expected.txt (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp (modified) (8 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-09-21  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+        https://bugs.webkit.org/show_bug.cgi?id=215836
+        <rdar://problem/67817359>
+
+        Reviewed by Darin Adler.
+
+        * http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html:
+        * http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
+        * http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
+
 2020-09-21  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
@@ -7 +6 @@
 PASS PublicKeyCredential's [[create]] with malicious payload in a mock hid authenticator. 
 PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 
-PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2 
 PASS PublicKeyCredential's [[create]] with mixed options in a mock hid authenticator. 
 PASS PublicKeyCredential's [[create]] with InvalidStateError in a mock hid authenticator. 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html

@@ -63 +63 @@
                 challenge: asciiToUint8Array("123456"),
                 pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                authenticatorSelection: { userVerification: "required" },
-                timeout: 10
-            }
-        };
-
-        if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
-        return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Operation timed out.");
-    }, "PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2");
-
-    promise_test(function(t) {
-        const options = {
-            publicKey: {
-                rp: {
-                    name: "example.com"
-                },
-                user: {
-                    name: "John Appleseed",
-                    id: asciiToUint8Array("123456"),
-                    displayName: "John",
-                },
-                challenge: asciiToUint8Array("123456"),
-                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
                 authenticatorSelection: { authenticatorAttachment: "cross-platform", requireResidentKey: true, userVerification: "required" },
                 timeout: 10

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.create' within user activated events.
@@ -10 +9 @@
 PASS PublicKeyCredential's [[create]] with malicious payload in a mock hid authenticator. 
 PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 
-PASS PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2 
 PASS PublicKeyCredential's [[create]] with mixed options in a mock hid authenticator. 
 PASS PublicKeyCredential's [[create]] with mixed options in a mock hid authenticator. 2 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html

@@ -86 +86 @@
                 challenge: asciiToUint8Array("123456"),
                 pubKeyCredParams: [{ type: "public-key", alg: -7 }],
-                authenticatorSelection: { userVerification: "required" }
-            }
-        };
-
-        if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({ hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
-        return promiseRejects(t, "UnknownError", navigator.credentials.create(options), "Unknown internal error. Error code: 43");
-    }, "PublicKeyCredential's [[create]] with unsupported options in a mock hid authenticator. 2");
-
-    promise_test(function(t) {
-        const options = {
-            publicKey: {
-                rp: {
-                    name: "example.com"
-                },
-                user: {
-                    name: "John Appleseed",
-                    id: asciiToUint8Array("123456"),
-                    displayName: "John",
-                },
-                challenge: asciiToUint8Array("123456"),
-                pubKeyCredParams: [{ type: "public-key", alg: -7 }],
                 timeout: 10,
                 authenticatorSelection: { authenticatorAttachment: "platform", requireResidentKey: true, userVerification: "required" }

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
@@ -6 +5 @@
 
 PASS PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator. 
-PASS PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator. 
 PASS PublicKeyCredential's [[get]] with invalid credential in a mock hid authenticator. 
 PASS PublicKeyCredential's [[get]] with authenticator downgrade in a mock hid authenticator. 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html

@@ -17 +17 @@
         return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
     }, "PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.");
-
-    promise_test(function(t) {
-        const options = {
-            publicKey: {
-                challenge: asciiToUint8Array("123456"),
-                userVerification: "required",
-                timeout: 10
-            }
-        };
-
-        if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
-        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
-    }, "PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.");
 
     promise_test(function(t) {

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
 CONSOLE MESSAGE: User gesture is not detected. To use the platform authenticator, call 'navigator.credentials.get' within user activated events.
@@ -9 +8 @@
 PASS PublicKeyCredential's [[get]] with timeout in a mock hid authenticator. 
 PASS PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator. 
-PASS PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator. 
 PASS PublicKeyCredential's [[get]] with authenticator downgrade failed in a mock hid authenticator. 
 PASS PublicKeyCredential's [[get]] with authenticator downgrade failed in a mock hid authenticator. 2 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html

@@ -36 +36 @@
         return promiseRejects(t, "UnknownError", navigator.credentials.get(options), "Unknown internal error. Error code: 255");
     }, "PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.");
-
-    promise_test(function(t) {
-        const options = {
-            publicKey: {
-                challenge: asciiToUint8Array("123456"),
-                userVerification: "required"
-            }
-        };
-
-        if (window.internals)
-            internals.setMockWebAuthenticationConfiguration({ hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
-        return promiseRejects(t, "UnknownError", navigator.credentials.get(options), "Unknown internal error. Error code: 43");
-    }, "PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.");
 
     promise_test(function(t) {

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-09-21  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+        https://bugs.webkit.org/show_bug.cgi?id=215836
+        <rdar://problem/67817359>
+
+        Reviewed by Darin Adler.
+
+        Covered by new API tests.
+
+        UV in the the CTAP 2.0 spec only means internal UV:
+        https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo
+
+        If an authenticator supports ClientPin, it can set the uv bit in the responses to true but it
+        will not advertise itself supporting internal UV, which is the uv in the options.
+        https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential
+
+        Hence, setting it to true could result in error if the authenticator doesn't support internal UV even if it supports ClientPin.
+        It's not a way to ask the authenticator to set the uv bit in the response.
+
+        * Modules/webauthn/fido/DeviceRequestConverter.cpp:
+        (fido::encodeMakeCredenitalRequestAsCBOR):
+        (fido::encodeGetAssertionRequestAsCBOR):
+
 2020-09-21  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp

@@ -112 +112 @@
         switch (options.authenticatorSelection->userVerification) {
         case UserVerificationRequirement::Required:
-            requireUserVerification = true;
-            break;
         case UserVerificationRequirement::Preferred:
-            requireUserVerification = uvCapability == UVAvailability::kNotSupported ? false : true;
+            requireUserVerification = uvCapability == UVAvailability::kSupportedAndConfigured;
             break;
         case UserVerificationRequirement::Discouraged:
@@ -158 +156 @@
     switch (options.userVerification) {
     case UserVerificationRequirement::Required:
-        requireUserVerification = true;
-        break;
     case UserVerificationRequirement::Preferred:
-        requireUserVerification = uvCapability == UVAvailability::kNotSupported ? false : true;
+        requireUserVerification = uvCapability == UVAvailability::kSupportedAndConfigured;
         break;
     case UserVerificationRequirement::Discouraged:

trunk/Tools/ChangeLog

@@ +1 @@
+2020-09-21  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Don't set the UV option if the authenticator doesn't support it
+        https://bugs.webkit.org/show_bug.cgi?id=215836
+        <rdar://problem/67817359>
+
+        Reviewed by Darin Adler.
+
+        * TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
+        (TestWebKitAPI::TEST):
+
 2020-09-21  Jonathan Bedard  <jbedard@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp

@@ -65 +65 @@
     Vector<uint8_t> hash;
     hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequest));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequest, serializedData.size()), 0);
@@ -88 +88 @@
     Vector<uint8_t> hash;
     hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
 }
 
-TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParamWithPin)
+TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParamUVRequiredButNotSupported)
 {
     PublicKeyCredentialCreationOptions::RpEntity rp;
@@ -106 +106 @@
 
     Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
+    PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { PublicKeyCredentialCreationOptions::AuthenticatorAttachment::Platform, false, UserVerificationRequirement::Required };
+
+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, WTF::nullopt, { }, selection, AttestationConveyancePreference::None, WTF::nullopt };
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kNotSupported);
+    EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestShort));
+    EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestShort, serializedData.size()), 0);
+}
+
+TEST(CTAPRequestTest, TestConstructMakeCredentialRequestParamWithPin)
+{
+    PublicKeyCredentialCreationOptions::RpEntity rp;
+    rp.name = "Acme";
+    rp.id = "acme.com";
+
+    PublicKeyCredentialCreationOptions::UserEntity user;
+    user.name = "johnpsmith@example.com";
+    user.icon = "https://pics.acme.com/00/p/aBjjjpqPb.png";
+    user.idVector.append(TestData::kUserId, sizeof(TestData::kUserId));
+    user.displayName = "John P. Smith";
+
+    Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
     PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { PublicKeyCredentialCreationOptions::AuthenticatorAttachment::Platform, true, UserVerificationRequirement::Preferred };
 
@@ -115 +138 @@
     Vector<uint8_t> hash;
     hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured, pin);
+    auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, pin);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kCtapMakeCredentialRequestWithPin));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kCtapMakeCredentialRequestWithPin, serializedData.size()), 0);
@@ -152 +175 @@
     Vector<uint8_t> hash;
     hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+    auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequest));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequest, serializedData.size()), 0);
@@ -189 +212 @@
     Vector<uint8_t> hash;
     hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
+    auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequestShort));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequestShort, serializedData.size()), 0);
 }
 
-TEST(CTAPRequestTest, TestConstructGetAssertionRequestWithPin)
+TEST(CTAPRequestTest, TestConstructGetAssertionRequestUVRequiredButNotSupported)
 {
     PublicKeyCredentialRequestOptions options;
@@ -224 +247 @@
     options.userVerification = UserVerificationRequirement::Required;
 
+    Vector<uint8_t> hash;
+    hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
+    auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kNotSupported);
+    EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequestShort));
+    EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequestShort, serializedData.size()), 0);
+}
+
+TEST(CTAPRequestTest, TestConstructGetAssertionRequestWithPin)
+{
+    PublicKeyCredentialRequestOptions options;
+    options.rpId = "acme.com";
+
+    PublicKeyCredentialDescriptor descriptor1;
+    descriptor1.type = PublicKeyCredentialType::PublicKey;
+    const uint8_t id1[] = {
+        0xf2, 0x20, 0x06, 0xde, 0x4f, 0x90, 0x5a, 0xf6, 0x8a, 0x43, 0x94,
+        0x2f, 0x02, 0x4f, 0x2a, 0x5e, 0xce, 0x60, 0x3d, 0x9c, 0x6d, 0x4b,
+        0x3d, 0xf8, 0xbe, 0x08, 0xed, 0x01, 0xfc, 0x44, 0x26, 0x46, 0xd0,
+        0x34, 0x85, 0x8a, 0xc7, 0x5b, 0xed, 0x3f, 0xd5, 0x80, 0xbf, 0x98,
+        0x08, 0xd9, 0x4f, 0xcb, 0xee, 0x82, 0xb9, 0xb2, 0xef, 0x66, 0x77,
+        0xaf, 0x0a, 0xdc, 0xc3, 0x58, 0x52, 0xea, 0x6b, 0x9e };
+    descriptor1.idVector.append(id1, sizeof(id1));
+    options.allowCredentials.append(descriptor1);
+
+    PublicKeyCredentialDescriptor descriptor2;
+    descriptor2.type = PublicKeyCredentialType::PublicKey;
+    const uint8_t id2[] = {
+        0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+        0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+        0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+        0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+        0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 };
+    descriptor2.idVector.append(id2, sizeof(id2));
+    options.allowCredentials.append(descriptor2);
+
+    options.userVerification = UserVerificationRequirement::Required;
+
     PinParameters pin;
     pin.protocol = pin::kProtocolVersion;
@@ -230 +290 @@
     Vector<uint8_t> hash;
     hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
-    auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured, pin);
+    auto serializedData = encodeGetAssertionRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedAndConfigured, pin);
     EXPECT_EQ(serializedData.size(), sizeof(TestData::kTestComplexCtapGetAssertionRequestWithPin));
     EXPECT_EQ(memcmp(serializedData.data(), TestData::kTestComplexCtapGetAssertionRequestWithPin, serializedData.size()), 0);