WebKit Bugzilla
Attachment 370165 Details for
Bug 197974
: [WebAuthN] Allow authenticators that support both CTAP and U2F to try U2F if CTAP fails in authenticatorGetAssertion
[patch]
Patch
bug-197974-20190517154542.patch (text/plain), 27.48 KB, created by
Jiewen Tan
on 2019-05-17 15:45:42 PDT
Description:
Patch
Filename:
MIME Type:
Creator:
Jiewen Tan
Created:
2019-05-17 15:45:42 PDT
Size:
27.48 KB
patch
obsolete
>Subversion Revision: 245402
>diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
>index 59b43702791264817ced2ae131dafdb1976afaa3..d3d056da4e150cba553d2183c454bbf4528f5d4e 100644
>--- a/Source/WebKit/ChangeLog
>+++ b/Source/WebKit/ChangeLog
>@@ -1,3 +1,38 @@
>+2019-05-16 Jiewen Tan <jiewen_tan@apple.com>
>+
>+ [WebAuthN] Allow authenticators that support both CTAP and U2F to try U2F if CTAP fails in authenticatorGetAssertion
>+ https://bugs.webkit.org/show_bug.cgi?id=197974
>+ <rdar://problem/50879746>
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ Authenticators that support both CTAP and U2F protocols can be used in a U2F enabled browser to create a credential in
>+ U2F format. When such authenticator is used to login in WebKit, it will be treated as a CTAP authenticator. Since the
>+ previous credential is in U2F format, the authenticator will not consider that as a valid credential when CTAP requests
>+ come along for that U2F credential. Therefore the previous created U2F credential will not be asked at all, and users
>+ will not be able to login. This situation is not well documented in the CTAP/WebAuthN spec yet.
>+
>+ To workaround the above issue, an authenticator that supports both protocols will be downgraded to a U2F authenticator
>+ to ask a potential U2F credential once a valid error is returned regarding to the first CTAP request.
>+
>+ * UIProcess/API/C/WKWebsiteDataStoreRef.cpp:
>+ (WKWebsiteDataStoreSetWebAuthenticationMockConfiguration):
>+ * UIProcess/WebAuthentication/Authenticator.h:
>+ * UIProcess/WebAuthentication/AuthenticatorManager.cpp:
>+ (WebKit::AuthenticatorManager::downgrade):
>+ * UIProcess/WebAuthentication/AuthenticatorManager.h:
>+ * UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:
>+ (WebKit::MockHidConnection::parseRequest):
>+ (WebKit::MockHidConnection::feedReports):
>+ * UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h:
>+ * UIProcess/WebAuthentication/fido/CtapHidAuthenticator.cpp:
>+ (WebKit::CtapHidAuthenticator::makeCredential):
>+ (WebKit::CtapHidAuthenticator::getAssertion):
>+ (WebKit::CtapHidAuthenticator::continueGetAssertionAfterResponseReceived):
>+ (WebKit::CtapHidAuthenticator::tryDowngrade):
>+ (WebKit::CtapHidAuthenticator::continueGetAssertionAfterResponseReceived const): Deleted.
>+ * UIProcess/WebAuthentication/fido/CtapHidAuthenticator.h:
>+
> 2019-05-16 Alex Christensen <achristensen@webkit.org>
> 
> Add SPI to set a list of hosts to which to send custom header fields cross-origin
>diff --git a/Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp b/Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp
>index 2dad56427d17a9c4dc96f3c84c23cbd34a85508a..3c9660e2be5246a3ca6bba4eb8fa2eb80313a6d3 100644
>--- a/Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp
>+++ b/Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp
>@@ -652,6 +652,9 @@ void WKWebsiteDataStoreSetWebAuthenticationMockConfiguration(WKWebsiteDataStoreR
> if (auto continueAfterErrorData = static_cast<WKBooleanRef>(WKDictionaryGetItemForKey(hidRef, adoptWK(WKStringCreateWithUTF8CString("ContinueAfterErrorData")).get())))
> hid.continueAfterErrorData = WKBooleanGetValue(continueAfterErrorData);
> 
>+ if (auto canDowngrade = static_cast<WKBooleanRef>(WKDictionaryGetItemForKey(hidRef, adoptWK(WKStringCreateWithUTF8CString("CanDowngrade")).get())))
>+ hid.canDowngrade = WKBooleanGetValue(canDowngrade);
>+
> configuration.hid = WTFMove(hid);
> }
> 
>diff --git a/Source/WebKit/UIProcess/WebAuthentication/Authenticator.h b/Source/WebKit/UIProcess/WebAuthentication/Authenticator.h
>index a2aa27a6f40d59a173a0e5973ff65f664c35feae..cb0111a173d9e6c574203c1c8113642e9f36b74b 100644
>--- a/Source/WebKit/UIProcess/WebAuthentication/Authenticator.h
>+++ b/Source/WebKit/UIProcess/WebAuthentication/Authenticator.h
>@@ -44,6 +44,7 @@ public:
> public:
> virtual ~Observer() = default;
> virtual void respondReceived(Respond&&) = 0;
>+ virtual void downgrade(Authenticator* id, Ref<Authenticator>&& downgradedAuthenticator) = 0;
> };
> 
> virtual ~Authenticator() = default;
>diff --git a/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp b/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp
>index 0c5d25c554301c0c1b57f7dad5497e9150cdecfa..913bc8a9572149d6f163a7fa4ae7813cfe032c26 100644
>--- a/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp
>+++ b/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp
>@@ -208,6 +208,17 @@ void AuthenticatorManager::respondReceived(Respond&& respond)
> respondReceivedInternal(WTFMove(respond));
> }
> 
>+void AuthenticatorManager::downgrade(Authenticator* id, Ref<Authenticator>&& downgradedAuthenticator)
>+{
>+ RunLoop::main().dispatch([weakThis = makeWeakPtr(*this), id] {
>+ if (!weakThis)
>+ return;
>+ auto removed = weakThis->m_authenticators.remove(id);
>+ ASSERT_UNUSED(removed, removed);
>+ });
>+ authenticatorAdded(WTFMove(downgradedAuthenticator));
>+}
>+
> UniqueRef<AuthenticatorTransportService> AuthenticatorManager::createService(WebCore::AuthenticatorTransport transport, AuthenticatorTransportService::Observer& observer) const
> {
> return AuthenticatorTransportService::create(transport, observer);
>diff --git a/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h b/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h
>index dc459b44c89105c83833268f5cb33646804070c9..b03fe5746bcf39e5bf80ecc132ebb0e7316f0ca1 100644
>--- a/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h
>+++ b/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h
>@@ -70,6 +70,7 @@ private:
> 
> // Authenticator::Observer
> void respondReceived(Respond&&) final;
>+ void downgrade(Authenticator* id, Ref<Authenticator>&& downgradedAuthenticator) final;
> 
> // Overriden by MockAuthenticatorManager.
> virtual UniqueRef<AuthenticatorTransportService> createService(WebCore::AuthenticatorTransport, AuthenticatorTransportService::Observer&) const;
>diff --git a/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp b/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp
>index d86a3a472e6bb77390e3401a6cde82c653a6846e..39dd75288a957640d9583ab018f21ef933997022 100644
>--- a/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp
>+++ b/Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp
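Review bot: The deferred removal in `AuthenticatorManager::downgrade` asserts `removed`, but the lambda runs on a later run-loop turn, so any path that empties `m_authenticators` in between (a timeout or cancel path, not visible in this hunk) would trip `ASSERT_UNUSED(removed, removed)` in debug builds. By then the raw `id` is only a lookup key and may no longer point at a live object, which deserves a comment such as `// |id| is a lookup key only; never dereference it. Removal is deferred because the caller is still executing inside that authenticator.` That reason for deferring is inferred from `tryDowngrade()` passing `this`, so please confirm it before recording it. If an early clear is legitimate, drop the assertion and ignore the result of `remove(id)`; the same key-only contract belongs on the new pure virtual in `Authenticator::Observer`.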
>@@ -132,6 +132,8 @@ void MockHidConnection::parseRequest()
> 
> if (m_stage == Mock::Stage::Request && m_subStage == Mock::SubStage::Msg) {
> // Make sure we issue different msg cmd for CTAP and U2F.
>+ if (m_configuration.hid->canDowngrade && !m_configuration.hid->isU2f)
>+ m_configuration.hid->isU2f = m_requestMessage->cmd() == FidoHidDeviceCommand::kMsg;
> ASSERT(m_configuration.hid->isU2f ^ (m_requestMessage->cmd() != FidoHidDeviceCommand::kMsg));
> 
> // Set options.
>@@ -208,7 +210,11 @@ void MockHidConnection::feedReports()
> 
> Optional<FidoHidMessage> message;
> if (m_stage == Mock::Stage::Info && m_subStage == Mock::SubStage::Msg) {
>- auto infoData = encodeAsCBOR(AuthenticatorGetInfoResponse({ ProtocolVersion::kCtap }, Vector<uint8_t>(aaguidLength, 0u)));
>+ Vector<uint8_t> infoData;
>+ if (m_configuration.hid->canDowngrade)
>+ infoData = encodeAsCBOR(AuthenticatorGetInfoResponse({ ProtocolVersion::kCtap, ProtocolVersion::kU2f }, Vector<uint8_t>(aaguidLength, 0u)));
>+ else
>+ infoData = encodeAsCBOR(AuthenticatorGetInfoResponse({ ProtocolVersion::kCtap }, Vector<uint8_t>(aaguidLength, 0u)));
> infoData.insert(0, static_cast<uint8_t>(CtapDeviceResponseCode::kSuccess)); // Prepend status code.
> if (stagesMatch() && m_configuration.hid->error == Mock::Error::WrongChannelId)
> message = FidoHidMessage::create(m_currentChannel - 1, FidoHidDeviceCommand::kCbor, infoData);
>diff --git a/Source/WebKit/UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h b/Source/WebKit/UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h
>index be0872fbdfb9cac82783b545f54996d64ee79376..f7c39696959418ab950d67f4436ecfe3a3cbfd1c 100644
>--- a/Source/WebKit/UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h
>+++ b/Source/WebKit/UIProcess/WebAuthentication/Mock/MockWebAuthenticationConfiguration.h
>@@ -69,6 +69,7 @@ struct MockWebAuthenticationConfiguration {
> bool keepAlive { false };
> bool fastDataArrival { false };
> bool continueAfterErrorData { false };
>+ bool canDowngrade { false };
> };
> 
> bool silentFailure { false };
>diff --git a/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.cpp b/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.cpp
>index 08cd5a343b127f45cad2fedfeea98a1a0eb9adfe..3541a8ca4e666f1b3e9b3ab2f70750592a96521e 100644
>--- a/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.cpp
>+++ b/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.cpp
>@@ -29,6 +29,7 @@
> #if ENABLE(WEB_AUTHN) && PLATFORM(MAC)
> 
> #include "CtapHidDriver.h"
>+#include "U2fHidAuthenticator.h"
> #include <WebCore/DeviceRequestConverter.h>
> #include <WebCore/DeviceResponseConverter.h>
> #include <WebCore/ExceptionData.h>
>@@ -49,6 +50,7 @@ CtapHidAuthenticator::CtapHidAuthenticator(std::unique_ptr<CtapHidDriver>&& driv
> 
> void CtapHidAuthenticator::makeCredential()
> {
>+ ASSERT(!m_isDowngraded);
> auto cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, requestData().creationOptions, m_info.options().userVerificationAvailability());
> m_driver->transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this)](Vector<uint8_t>&& data) {
> ASSERT(RunLoop::isMain());
>@@ -74,6 +76,7 @@ void CtapHidAuthenticator::continueMakeCredentialAfterResponseReceived(Vector<ui
> 
> void CtapHidAuthenticator::getAssertion()
> {
>+ ASSERT(!m_isDowngraded);
> auto cborCmd = encodeGetAssertionRequestAsCBOR(requestData().hash, requestData().requestOptions, m_info.options().userVerificationAvailability());
> m_driver->transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this)](Vector<uint8_t>&& data) {
> ASSERT(RunLoop::isMain());
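Review bot: `ASSERT(!m_isDowngraded)` at the top of `makeCredential()` (and again in the `getAssertion()` hunk below it) compiles out of release builds, so there it protects nothing. `tryDowngrade()` moves `m_driver` into the U2F authenticator, and the removal of this object from the manager is dispatched to a later run-loop turn, so the downgraded object stays registered for a short window. If either entry point can be reached in that window (not decidable from these hunks), `m_driver->transact(...)` would run on a moved-from `std::unique_ptr`. Either add a runtime guard next to the assertion, `if (m_isDowngraded) return;`, or a comment stating why no request can reach a downgraded authenticator. Both function bodies continue past the end of their hunks.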
>@@ -83,16 +86,32 @@ void CtapHidAuthenticator::getAssertion()
> });
> }
> 
>-void CtapHidAuthenticator::continueGetAssertionAfterResponseReceived(Vector<uint8_t>&& data) const
>+void CtapHidAuthenticator::continueGetAssertionAfterResponseReceived(Vector<uint8_t>&& data)
> {
> auto response = readCTAPGetAssertionResponse(data);
> if (!response) {
>- receiveRespond(ExceptionData { UnknownError, makeString("Unknown internal error. Error code: ", data.size() == 1 ? data[0] : -1) });
>+ auto error = getResponseCode(data);
>+ if (error != CtapDeviceResponseCode::kCtap2ErrInvalidCBOR && tryDowngrade())
>+ return;
>+ receiveRespond(ExceptionData { UnknownError, makeString("Unknown internal error. Error code: ", static_cast<uint8_t>(error)) });
> return;
> }
> receiveRespond(WTFMove(*response));
> }
> 
>+bool CtapHidAuthenticator::tryDowngrade()
>+{
>+ if (m_info.versions().find(ProtocolVersion::kU2f) == m_info.versions().end())
>+ return false;
>+ if (!observer())
>+ return false;
>+
>+ m_isDowngraded = true;
>+ m_driver->setProtocol(ProtocolVersion::kU2f);
>+ observer()->downgrade(this, U2fHidAuthenticator::create(WTFMove(m_driver)));
>+ return true;
>+}
>+
> } // namespace WebKit
> 
> #endif // ENABLE(WEB_AUTHN) && PLATFORM(MAC)
>diff --git a/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.h b/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.h
>index fdf6279525691dec5fa8d356e0ae19f2bf207b66..63c461174242847c62f9a5d2ae36c561f0fac7dd 100644
>--- a/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.h
>+++ b/Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.h
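Review bot: In `continueGetAssertionAfterResponseReceived` the fallback fires on every failure except `kCtap2ErrInvalidCBOR`, which is broader than the ChangeLog's stated case of a U2F-format credential that the CTAP side does not recognise. Errors unrelated to credential lookup, and possibly malformed responses depending on what `getResponseCode()` returns for an unparsable body, would also move the request to the older protocol, which has user presence but no user-verification step. An allow-list keeps the downgrade to the intended case, e.g. `if ((error == CtapDeviceResponseCode::kCtap2ErrInvalidCredential || error == CtapDeviceResponseCode::kCtap2ErrNoCredentials) && tryDowngrade())`; the second code is an assumption about what such devices return, so check it against the hardware this was tested with. It is also worth confirming that the U2F request conversion rejects `userVerification: "required"` rather than silently dropping it.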
>@@ -47,10 +47,13 @@ private:
> void makeCredential() final;
> void continueMakeCredentialAfterResponseReceived(Vector<uint8_t>&&) const;
> void getAssertion() final;
>- void continueGetAssertionAfterResponseReceived(Vector<uint8_t>&&) const;
>+ void continueGetAssertionAfterResponseReceived(Vector<uint8_t>&&);
>+
>+ bool tryDowngrade();
> 
> std::unique_ptr<CtapHidDriver> m_driver;
> fido::AuthenticatorGetInfoResponse m_info;
>+ bool m_isDowngraded { false };
> };
> 
> } // namespace WebKit
>diff --git a/Tools/ChangeLog b/Tools/ChangeLog
>index 80a3627ba1283c7e17b780b77eec293c0707adef..fda9c693fada41a8843fb6b03efcf22112fb97cc 100644
>--- a/Tools/ChangeLog
>+++ b/Tools/ChangeLog
>@@ -1,3 +1,16 @@
>+2019-05-16 Jiewen Tan <jiewen_tan@apple.com>
>+
>+ [WebAuthN] Allow authenticators that support both CTAP and U2F to try U2F if CTAP fails in authenticatorGetAssertion
>+ https://bugs.webkit.org/show_bug.cgi?id=197974
>+ <rdar://problem/50879746>
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ Add a canDowngrade option for mock hid devices to simulate the situation.
>+
>+ * WebKitTestRunner/InjectedBundle/TestRunner.cpp:
>+ (WTR::TestRunner::setWebAuthenticationMockConfiguration):
>+
> 2019-05-16 Alex Christensen <achristensen@webkit.org>
> 
> Add SPI to set a list of hosts to which to send custom header fields cross-origin
>diff --git a/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp b/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
>index b24593ff167e3d152611292b560a10cd74f33b49..0be4c1ceb9e6497efbc0a06327a7a760dedc0b29 100644
>--- a/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
>+++ b/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
>@@ -2692,6 +2692,16 @@ void TestRunner::setWebAuthenticationMockConfiguration(JSValueRef configurationV
> hidValues.append(adoptWK(WKBooleanCreate(continueAfterErrorData)).get());
> }
> 
>+ JSRetainPtr<JSStringRef> canDowngradePropertyName(Adopt, JSStringCreateWithUTF8CString("canDowngrade"));
>+ JSValueRef canDowngradeValue = JSObjectGetProperty(context, hid, canDowngradePropertyName.get(), 0);
>+ if (!JSValueIsUndefined(context, canDowngradeValue) && !JSValueIsNull(context, canDowngradeValue)) {
>+ if (!JSValueIsBoolean(context, canDowngradeValue))
>+ return;
>+ bool canDowngrade = JSValueToBoolean(context, canDowngradeValue);
>+ hidKeys.append(adoptWK(WKStringCreateWithUTF8CString("CanDowngrade")));
>+ hidValues.append(adoptWK(WKBooleanCreate(canDowngrade)).get());
>+ }
>+
> Vector<WKStringRef> rawHidKeys;
> Vector<WKTypeRef> rawHidValues;
> rawHidKeys.resize(hidKeys.size());
>diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
>index 0b6abe65dfa4b72305fdb7751e819598a0c0ab63..b790c63c5d95b1e17fe86733fa8cd47ec2b0c4d5 100644
>--- a/LayoutTests/ChangeLog
>+++ b/LayoutTests/ChangeLog
>@@ -1,3 +1,19 @@
>+2019-05-16 Jiewen Tan <jiewen_tan@apple.com>
>+
>+ [WebAuthN] Allow authenticators that support both CTAP and U2F to try U2F if CTAP fails in authenticatorGetAssertion
>+ https://bugs.webkit.org/show_bug.cgi?id=197974
>+ <rdar://problem/50879746>
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ * http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt:
>+ * http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html:
>+ * http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt:
>+ * http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
>+ * http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt:
>+ * http/wpt/webauthn/public-key-credential-get-success-u2f.https.html:
>+ * http/wpt/webauthn/resources/util.js:
>+
> 2019-05-16 Youenn Fablet <youenn@apple.com>
> 
> Layout Test http/wpt/cache-storage/cache-quota-add.any.html is a flaky failure
>diff --git a/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt b/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt
>index b462a4468ca52ca5a8f1164b2feb8a3dfa0bbfd6..aa9e639012f9babbea28e527e09bbc04010398f7 100644
>--- a/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt
>+++ b/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https-expected.txt
>@@ -1,4 +1,7 @@
> 
> PASS PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.
> PASS PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.
>+PASS PublicKeyCredential's [[get]] with invalid credential in a mock hid authenticator.
>+PASS PublicKeyCredential's [[get]] with authenticator downgrade in a mock hid authenticator.
>+PASS PublicKeyCredential's [[get]] with authenticator downgrade in a mock hid authenticator. 2
> 
>diff --git a/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html b/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html
>index 144ba9d89a9bd8606d944780d44bba1f95202321..e85c2c84af722d7519c55ec7c5ce6c500636ac20 100644
>--- a/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html
>+++ b/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html
>@@ -30,4 +30,44 @@
> testRunner.setWebAuthenticationMockConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
> return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
> }, "PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.");
>+
>+ promise_test(function(t) {
>+ const options = {
>+ publicKey: {
>+ challenge: asciiToUint8Array("123456"),
>+ timeout: 10
>+ }
>+ };
>+
>+ if (window.testRunner)
>+ testRunner.setWebAuthenticationMockConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: [testCtapErrInvalidCredentialResponseBase64] } });
>+ return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
>+ }, "PublicKeyCredential's [[get]] with invalid credential in a mock hid authenticator.");
>+
>+ promise_test(function(t) {
>+ const options = {
>+ publicKey: {
>+ challenge: asciiToUint8Array("123456"),
>+ timeout: 10
>+ }
>+ };
>+
>+ if (window.testRunner)
>+ testRunner.setWebAuthenticationMockConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "malicious-payload", canDowngrade: true, payloadBase64: [testCtapErrInvalidCredentialResponseBase64] } });
>+ return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
>+ }, "PublicKeyCredential's [[get]] with authenticator downgrade in a mock hid authenticator.");
>+
>+ promise_test(function(t) {
>+ const options = {
>+ publicKey: {
>+ challenge: asciiToUint8Array("123456"),
>+ extensions: { appid: "" },
>+ timeout: 10
>+ }
>+ };
>+
>+ if (window.testRunner)
>+ testRunner.setWebAuthenticationMockConfiguration({ silentFailure: true, hid: { stage: "request", subStage: "msg", error: "malicious-payload", canDowngrade: true, payloadBase64: [testCtapErrInvalidCredentialResponseBase64] } });
>+ return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Operation timed out.");
>+ }, "PublicKeyCredential's [[get]] with authenticator downgrade in a mock hid authenticator. 2");
> </script>
>diff --git a/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt b/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt
>index a53dd1572e7a6d4c53a25ca5ec9b02343b169208..61b3afaf1f2cebb6802f39a3d35a41cb01fc6f84 100644
>--- a/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt
>+++ b/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt
>@@ -2,4 +2,6 @@
> PASS PublicKeyCredential's [[get]] with timeout in a mock hid authenticator.
> PASS PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.
> PASS PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.
>+PASS PublicKeyCredential's [[get]] with authenticator downgrade failed in a mock hid authenticator.
>+PASS PublicKeyCredential's [[get]] with authenticator downgrade succeeded and then U2F failed in a mock hid authenticator. 2
> 
>diff --git a/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html b/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html
>index 5ac21390a252a63aa3759345bd512039f8735f94..5485f370d67971e2235d8d9a872eab34f9c566f7 100644
>--- a/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html
>+++ b/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html
>@@ -33,7 +33,7 @@
> 
> if (window.testRunner)
> testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: [testDummyMessagePayloadBase64] } });
>- return promiseRejects(t, "UnknownError", navigator.credentials.get(options), "Unknown internal error. Error code: -1");
>+ return promiseRejects(t, "UnknownError", navigator.credentials.get(options), "Unknown internal error. Error code: 255");
> }, "PublicKeyCredential's [[get]] with malicious payload in a mock hid authenticator.");
> 
> promise_test(function(t) {
>@@ -48,4 +48,29 @@
> testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "unsupported-options" } });
> return promiseRejects(t, "UnknownError", navigator.credentials.get(options), "Unknown internal error. Error code: 43");
> }, "PublicKeyCredential's [[get]] with unsupported options in a mock hid authenticator.");
>+
>+ promise_test(function(t) {
>+ const options = {
>+ publicKey: {
>+ challenge: asciiToUint8Array("123456")
>+ }
>+ };
>+
>+ if (window.testRunner)
>+ testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", payloadBase64: [testCtapErrInvalidCredentialResponseBase64] } });
>+ return promiseRejects(t, "UnknownError", navigator.credentials.get(options), "Unknown internal error. Error code: 34");
>+ }, "PublicKeyCredential's [[get]] with authenticator downgrade failed in a mock hid authenticator.");
>+
>+ promise_test(function(t) {
>+ const options = {
>+ publicKey: {
>+ challenge: asciiToUint8Array("123456"),
>+ extensions: { appid: "" }
>+ }
>+ };
>+
>+ if (window.testRunner)
>+ testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", canDowngrade: true, payloadBase64: [testCtapErrInvalidCredentialResponseBase64] } });
>+ return promiseRejects(t, "NotSupportedError", navigator.credentials.get(options), "Cannot convert the request to U2F command.");
>+ }, "PublicKeyCredential's [[get]] with authenticator downgrade succeeded and then U2F failed in a mock hid authenticator. 2");
> </script>
>diff --git a/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt b/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt
>index ab8f071eb547412833617fd119f35a6de66c0b14..aefe75ed5258558b0cb07902ed572ad17dc1ce34 100644
>--- a/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt
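Review bot: None of the added cases covers a CTAP error that must not trigger the fallback: every `canDowngrade: true` test here replays `testCtapErrInvalidCredentialResponseBase64`. A case with `canDowngrade: true` and a payload carrying the invalid-CBOR status, expecting the `UnknownError` rejection with that status in the message, would pin the exclusion made in `continueGetAssertionAfterResponseReceived`. The title ending in `. 2` has no unnumbered counterpart among the expectations visible in this patch, so the suffix can probably be dropped.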
>+++ b/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt
>@@ -8,4 +8,6 @@ PASS PublicKeyCredential's [[get]] with empty AppID in a mock hid authenticator.
> PASS PublicKeyCredential's [[get]] with an AppID in a mock hid authenticator.
> PASS PublicKeyCredential's [[get]] with multiple credentials and AppID is not used in a mock hid authenticator.
> PASS PublicKeyCredential's [[get]] with multiple credentials and AppID is used in a mock hid authenticator.
>+PASS PublicKeyCredential's [[get]] with downgraded authenticator in a mock hid authenticator.
>+PASS PublicKeyCredential's [[get]] with downgraded authenticator in a mock hid authenticator. (AppID)
> 
>diff --git a/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html b/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html
>index a0a0f0b7f8b0a88d0039610d9f6c4f06596b3f89..c857114f977f49b6e3f53e448b7185baa01ad3ad 100644
>--- a/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html
>+++ b/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html
>@@ -181,4 +181,38 @@
> });
> }, "PublicKeyCredential's [[get]] with multiple credentials and AppID is used in a mock hid authenticator.");
> 
>+ promise_test(t => {
>+ const options = {
>+ publicKey: {
>+ challenge: Base64URL.parse("MTIzNDU2"),
>+ allowCredentials: [{ type: "public-key", id: Base64URL.parse(testU2fCredentialIdBase64) }],
>+ timeout: 100,
>+ extensions: { appid: "https://localhost:666/appid" }
>+ }
>+ };
>+
>+ if (window.testRunner)
>+ testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", canDowngrade: true, payloadBase64: [testCtapErrInvalidCredentialResponseBase64, testU2fSignResponse] } });
>+ return navigator.credentials.get(options).then(credential => {
>+ return checkResult(credential);
>+ });
>+ }, "PublicKeyCredential's [[get]] with downgraded authenticator in a mock hid authenticator.");
>+
>+ promise_test(t => {
>+ const options = {
>+ publicKey: {
>+ challenge: Base64URL.parse("MTIzNDU2"),
>+ allowCredentials: [{ type: "public-key", id: Base64URL.parse(testU2fCredentialIdBase64) }],
>+ timeout: 100,
>+ extensions: { appid: "https://localhost:666/appid" }
>+ }
>+ };
>+
>+ if (window.testRunner)
>+ testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", canDowngrade: true, payloadBase64: [testCtapErrInvalidCredentialResponseBase64, testU2fApduWrongDataOnlyResponseBase64, testU2fSignResponse] } });
>+ return navigator.credentials.get(options).then(credential => {
>+ return checkResult(credential, true, "7eabc5cc3251bdc59115ef87b5f7ee74cb03747e39ba8341748565cc129c0719");
>+ });
>+ }, "PublicKeyCredential's [[get]] with downgraded authenticator in a mock hid authenticator. (AppID)");
>+
> </script>
>diff --git a/LayoutTests/http/wpt/webauthn/resources/util.js b/LayoutTests/http/wpt/webauthn/resources/util.js
>index f9a3204118001e599c2f8e72d0c7ff88592ac7cd..987d07219d4e477074c98f42c15b1853c73ac612 100644
>--- a/LayoutTests/http/wpt/webauthn/resources/util.js
>+++ b/LayoutTests/http/wpt/webauthn/resources/util.js
>@@ -98,6 +98,7 @@ const testU2fSignResponse =
> "AQAAADswRAIge94KUqwfTIsn4AOjcM1mpMcRjdItVEeDX0W5nGhCP/cCIDxRe0eH" +
> "f4V4LeEAhqeD0effTjY553H19q+jWq1Tc4WOkAA=";
> const testCtapErrCredentialExcludedOnlyResponseBase64 = "GQ==";
>+const testCtapErrInvalidCredentialResponseBase64 = "Ig==";
> 
> const RESOURCES_DIR = "/WebKit/webauthn/resources/";
>