[webkit-changes] [WebKit/WebKit] 2968de: [WebAuthn] Implement Set Pin for security keys

Commit Queue noreply at github.com
Mon Dec 23 14:43:44 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2968de52d0664b1fd91876cf47cd91a02faa6fb5
      https://github.com/WebKit/WebKit/commit/2968de52d0664b1fd91876cf47cd91a02faa6fb5
  Author: Pascoe <pascoe at apple.com>
  Date:   2024-12-23 (Mon, 23 Dec 2024)

  Changed paths:
    M LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html
    M LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html
    M Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.cpp
    M Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.h
    M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp
    M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h
    M Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp
    M Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp
    M Source/WebCore/Modules/webauthn/fido/FidoConstants.h
    M Source/WebCore/Modules/webauthn/fido/Pin.cpp
    M Source/WebCore/Modules/webauthn/fido/Pin.h
    M Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h
    M Source/WebKit/UIProcess/API/APIWebAuthenticationPanelClient.h
    M Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h
    M Source/WebKit/UIProcess/WebAuthentication/Authenticator.h
    M Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp
    M Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticatorPresenterCoordinator.h
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticatorPresenterCoordinator.mm
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm
    M Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp
    M Source/WebKit/UIProcess/WebAuthentication/Virtual/VirtualService.mm
    M Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationFlags.h
    M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
    M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h
    M Source/WebKit/UIProcess/WebAuthentication/fido/CtapCcidDriver.cpp
    M Source/WebKit/UIProcess/WebAuthentication/fido/CtapDriver.h
    M Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.cpp
    M Source/WebKit/UIProcess/WebAuthentication/fido/CtapNfcDriver.cpp
    M Source/WebKit/UIProcess/WebAuthentication/fido/FidoService.cpp
    M Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp

  Log Message:
  -----------
  [WebAuthn] Implement Set Pin for security keys
https://bugs.webkit.org/show_bug.cgi?id=269083
rdar://122660610

Reviewed by Brent Fulgham.

This change implements setting a PIN for security keys. This is accomplished by asking the user
for a new PIN whenever presented with an operation that requires a security key to have user
verification set up, but it does not.

The minimum pin length is fetched from the authenticator, or a default of 4 defined in the
CTAP spec. The maximum length is defined by the spec to be 63. We bubble up errors to show
in the prompt whenever an entered PIN did not meet requirements.

The way setting a PIN works is as follows: Whenever an operation requires UV, but it is not set up,
first authenticator selection is performed to confirm an authenticator is desired for the operation.
For CTAP2.1 keys, the authenticatorSelection command is used; on older FIDO2.0 authenticators, a non-rk
makeCredential with zero length pinAuth is used instead. Then, whenever an authenticator without UV is
chosen, a new PIN is collected from the user and set up on the security key, which is then able to perform
the operation requiring UV.

The SetPin code is covered by unit tests. I have manually tested setting up a PIN on both CTAP2.1 and CTAP2.0
security keys.

* Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.cpp:
(fido::AuthenticatorGetInfoResponse::setMinPINLength):
(fido::encodeAsCBOR):
* Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.h:
* Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp:
(fido::encodeBogusRequestForAuthenticatorSelection):
* Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h:
* Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp:
(fido::convertStringToProtocolVersion):
(fido::readCTAPGetInfoResponse):
* Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp:
(fido::isCtap2Protocol):
(fido::toString):
* Source/WebCore/Modules/webauthn/fido/FidoConstants.h:
* Source/WebCore/Modules/webauthn/fido/Pin.cpp:
(fido::pin::SetPinRequest::pinAuth const):
(fido::pin::encodeAsCBOR):
* Source/WebCore/Modules/webauthn/fido/Pin.h:
* Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
* Source/WebKit/UIProcess/API/APIWebAuthenticationPanelClient.h:
(API::WebAuthenticationPanelClient::requestNewPin const):
* Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
* Source/WebKit/UIProcess/WebAuthentication/Authenticator.h:
* Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp:
(WebKit::AuthenticatorManager::requestNewPin):
* Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h:
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticatorPresenterCoordinator.h:
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticatorPresenterCoordinator.mm:
(WebKit::AuthenticatorPresenterCoordinator::updatePresenter):
(WebKit::AuthenticatorPresenterCoordinator::requestNewPin):
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/HidConnection.mm:
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/HidService.mm:
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h:
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm:
(WebKit::WebAuthenticationPanelClient::WebAuthenticationPanelClient):
(WebKit::wkWebAuthenticationPanelUpdate):
(WebKit::WebAuthenticationPanelClient::requestNewPin const):
* Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:
(WebKit::MockHidConnection::feedReports):
* Source/WebKit/UIProcess/WebAuthentication/Virtual/VirtualService.mm:
(WebKit::authenticatorInfoForConfig):
* Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationFlags.h:
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::isUVSetup const):
(WebKit::CtapAuthenticator::continueSetupPinAfterCommand):
(WebKit::CtapAuthenticator::continueSetupPinAfterGetKeyAgreement):
(WebKit::CtapAuthenticator::setupPin):
(WebKit::CtapAuthenticator::performAuthenticatorSelectionForSetupPin):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapCcidDriver.cpp:
(WebKit::CtapCcidDriver::transact):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapDriver.h:
(WebKit::CtapDriver::isCtap2Protocol const):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidDriver.cpp:
(WebKit::CtapHidDriver::continueAfterChannelAllocated):
(WebKit::CtapHidDriver::cancel):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapNfcDriver.cpp:
(WebKit::CtapNfcDriver::transact):
* Source/WebKit/UIProcess/WebAuthentication/fido/FidoService.cpp:
(WebKit::FidoService::continueAfterGetInfo):
* Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp:
(TestWebKitAPI::TEST(CTAPResponseTest, TestReadGetInfoResponse)):
(TestWebKitAPI::TEST(CTAPResponseTest, TestReadGetInfoResponse2)):
(TestWebKitAPI::TEST(CTAPResponseTest, TestReadGetInfoResponseDeviceYubikey5c)):
(TestWebKitAPI::TEST(CTAPResponseTest, TestSerializeGetInfoResponse)):

Canonical link: https://commits.webkit.org/288259@main
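
An added example, not code from the WebKit commit: the new-PIN length check described in the log message, sketched in C++. All function and constant names are hypothetical; measuring the minimum in Unicode code points, the maximum in UTF-8 bytes, and right-padding to 64 bytes follow the CTAP specification rather than anything stated in the message.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>

// Hypothetical names for illustration; not WebKit's fido::pin API.
enum class PinError { None, InvalidUtf8, TooShort, TooLong };
constexpr size_t defaultMinCodePoints = 4; // used when getInfo reports no minimum
constexpr size_t maxPinBytes = 63;         // maximum, in UTF-8 bytes
constexpr size_t paddedPinBytes = 64;      // size of the zero-padded block

// Counts code points by UTF-8 lead/continuation structure; nullopt if malformed.
std::optional<size_t> countCodePoints(const std::string& s)
{
    size_t count = 0;
    for (size_t i = 0; i < s.size(); ++count) {
        unsigned char c = s[i];
        size_t len = c < 0x80 ? 1 : (c >> 5) == 0x6 ? 2 : (c >> 4) == 0xE ? 3 : (c >> 3) == 0x1E ? 4 : 0;
        if (!len || i + len > s.size())
            return std::nullopt;
        for (size_t j = 1; j < len; ++j) {
            if ((static_cast<unsigned char>(s[i + j]) & 0xC0) != 0x80)
                return std::nullopt;
        }
        i += len;
    }
    return count;
}

// Returns the error a prompt would surface, or None if the PIN is acceptable.
PinError validateNewPin(const std::string& pin, std::optional<size_t> authenticatorMin)
{
    auto codePoints = countCodePoints(pin);
    if (!codePoints)
        return PinError::InvalidUtf8;
    if (*codePoints < authenticatorMin.value_or(defaultMinCodePoints))
        return PinError::TooShort;
    return pin.size() > maxPinBytes ? PinError::TooLong : PinError::None;
}

// Right-pads an already validated PIN with 0x00 to 64 bytes before encryption.
std::array<uint8_t, paddedPinBytes> padPin(const std::string& pin)
{
    std::array<uint8_t, paddedPinBytes> padded {};
    for (size_t i = 0; i < pin.size() && i < maxPinBytes; ++i)
        padded[i] = static_cast<uint8_t>(pin[i]);
    return padded;
}
```

A PIN of three two-byte characters is six bytes long but still fails the default minimum, which is why the two limits are checked in different units.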


