<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[243193] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/243193">243193</a></dd>
<dt>Author</dt> <dd>jiewen_tan@apple.com</dd>
<dt>Date</dt> <dd>2019-03-19 23:11:57 -0700 (Tue, 19 Mar 2019)</dd>
</dl>

<h3>Log Message</h3>
<pre>[WebAuthN] Implement FIDO AppID extension
https://bugs.webkit.org/show_bug.cgi?id=143491
<rdar://problem/48298273>

Reviewed by Brent Fulgham.

Source/WebCore:

This patch adds support for FIDO AppID extension: https://www.w3.org/TR/webauthn/#sctn-appid-extension.
To be noticed, this implementation follows what spec suggested in the 'Note' session and what Chrome/Firefox
do in practice to avoid some unnecessary steps of
https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid.

In fido::convertToU2fSignCommand, the checkOnly flag is deleted as it is never used.

Covered by new tests in existing files.

* CMakeLists.txt:
* DerivedSources-input.xcfilelist:
* DerivedSources-output.xcfilelist:
* DerivedSources.make:
* Modules/webauthn/AuthenticationExtensionsClientInputs.h: Copied from Source/WebCore/Modules/webauthn/PublicKeyCredential.idl.
(WebCore::AuthenticationExtensionsClientInputs::encode const):
(WebCore::AuthenticationExtensionsClientInputs::decode):
* Modules/webauthn/AuthenticationExtensionsClientInputs.idl: Copied from Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.idl.
* Modules/webauthn/AuthenticatorCoordinator.cpp:
(WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension):
(WebCore::AuthenticatorCoordinator::create const):
(WebCore::AuthenticatorCoordinator::discoverFromExternalSource const):
* Modules/webauthn/PublicKeyCredential.cpp:
(WebCore::PublicKeyCredential::tryCreate):
(WebCore::PublicKeyCredential::PublicKeyCredential):
(WebCore::PublicKeyCredential::getClientExtensionResults const):
(WebCore::PublicKeyCredential::create): Deleted.
* Modules/webauthn/PublicKeyCredential.h:
* Modules/webauthn/PublicKeyCredential.idl:
* Modules/webauthn/PublicKeyCredentialCreationOptions.h:
* Modules/webauthn/PublicKeyCredentialCreationOptions.idl:
* Modules/webauthn/PublicKeyCredentialData.h:
(WebCore::PublicKeyCredentialData::encode const):
(WebCore::PublicKeyCredentialData::decode):
* Modules/webauthn/PublicKeyCredentialRequestOptions.h:
(WebCore::PublicKeyCredentialRequestOptions::encode const):
(WebCore::PublicKeyCredentialRequestOptions::decode):
* Modules/webauthn/PublicKeyCredentialRequestOptions.idl:
* Modules/webauthn/fido/DeviceResponseConverter.cpp:
(fido::readCTAPMakeCredentialResponse):
(fido::readCTAPGetAssertionResponse):
* Modules/webauthn/fido/U2fCommandConstructor.cpp:
(fido::convertToU2fSignCommand):
* Modules/webauthn/fido/U2fCommandConstructor.h:
* Modules/webauthn/fido/U2fResponseConverter.cpp:
(fido::readU2fRegisterResponse):
(fido::readU2fSignResponse):
* Sources.txt:
* WebCore.xcodeproj/project.pbxproj:

Source/WebKit:

In U2fHidAuthenticator::continueSignCommandAfterResponseReceived, it will retry the current command
with the AppID if it exists when SW_WRONG_DATA is received from devices. Noted, it will not set
the AuthenticationExtensionsClientOutputs::appid to false in any circumstances. In other words, the
field will be empty if AppID is supplied in AuthenticationExtensionsClientInputs and not used.

* UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
(WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
(WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented):
* UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp:
(WebKit::U2fHidAuthenticator::issueSignCommand):
(WebKit::U2fHidAuthenticator::continueSignCommandAfterResponseReceived):
* UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h:

Tools:

Add a test that covers the new flag of convertToU2fSignCommand.

* TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WebCore/FidoTestData.h:
* TestWebKitAPI/Tests/WebCore/U2fCommandConstructorTest.cpp:
(TestWebKitAPI::TEST):

LayoutTests:

* http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
* http/wpt/webauthn/public-key-credential-create-success-local.https.html:
* http/wpt/webauthn/public-key-credential-create-success-u2f.https.html:
* http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt:
* http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html:
* http/wpt/webauthn/public-key-credential-get-failure.https-expected.txt:
* http/wpt/webauthn/public-key-credential-get-failure.https.html:
* http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
* http/wpt/webauthn/public-key-credential-get-success-local.https.html:
* http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt:
* http/wpt/webauthn/public-key-credential-get-success-u2f.https.html:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialcreatesuccesshidhttpshtml">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialcreatesuccesslocalhttpshtml">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialcreatesuccessu2fhttpshtml">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialgetfailureu2fhttpsexpectedtxt">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialgetfailureu2fhttpshtml">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialgetfailurehttpsexpectedtxt">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialgetfailurehttpshtml">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https.html</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialgetsuccesshidhttpshtml">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialgetsuccesslocalhttpshtml">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialgetsuccessu2fhttpsexpectedtxt">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttpwptwebauthnpublickeycredentialgetsuccessu2fhttpshtml">trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html</a></li>
<li><a href="#trunkSourceWebCoreCMakeListstxt">trunk/Source/WebCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreDerivedSourcesinputxcfilelist">trunk/Source/WebCore/DerivedSources-input.xcfilelist</a></li>
<li><a href="#trunkSourceWebCoreDerivedSourcesoutputxcfilelist">trunk/Source/WebCore/DerivedSources-output.xcfilelist</a></li>
<li><a href="#trunkSourceWebCoreDerivedSourcesmake">trunk/Source/WebCore/DerivedSources.make</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnAuthenticatorCoordinatorcpp">trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnPublicKeyCredentialcpp">trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.cpp</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnPublicKeyCredentialh">trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.h</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnPublicKeyCredentialidl">trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.idl</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnPublicKeyCredentialCreationOptionsh">trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.h</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnPublicKeyCredentialCreationOptionsidl">trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.idl</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnPublicKeyCredentialDatah">trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialData.h</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnPublicKeyCredentialRequestOptionsh">trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.h</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnPublicKeyCredentialRequestOptionsidl">trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.idl</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnfidoDeviceResponseConvertercpp">trunk/Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnfidoU2fCommandConstructorcpp">trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.cpp</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnfidoU2fCommandConstructorh">trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.h</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnfidoU2fResponseConvertercpp">trunk/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp</a></li>
<li><a href="#trunkSourceWebCoreSourcestxt">trunk/Source/WebCore/Sources.txt</a></li>
<li><a href="#trunkSourceWebCoreWebCorexcodeprojprojectpbxproj">trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceWebKitChangeLog">trunk/Source/WebKit/ChangeLog</a></li>
<li><a href="#trunkSourceWebKitUIProcessWebAuthenticationCocoaLocalAuthenticatormm">trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm</a></li>
<li><a href="#trunkSourceWebKitUIProcessWebAuthenticationfidoU2fHidAuthenticatorcpp">trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp</a></li>
<li><a href="#trunkSourceWebKitUIProcessWebAuthenticationfidoU2fHidAuthenticatorh">trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsTestWebKitAPITestsWebCoreCtapRequestTestcpp">trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp</a></li>
<li><a href="#trunkToolsTestWebKitAPITestsWebCoreFidoTestDatah">trunk/Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h</a></li>
<li><a href="#trunkToolsTestWebKitAPITestsWebCoreU2fCommandConstructorTestcpp">trunk/Tools/TestWebKitAPI/Tests/WebCore/U2fCommandConstructorTest.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreModuleswebauthnAuthenticationExtensionsClientInputsh">trunk/Source/WebCore/Modules/webauthn/AuthenticationExtensionsClientInputs.h</a></li>
<li><a href="#trunkSourceWebCoreModuleswebauthnAuthenticationExtensionsClientInputsidl">trunk/Source/WebCore/Modules/webauthn/AuthenticationExtensionsClientInputs.idl</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog      2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/ChangeLog 2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2019-03-19  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Implement FIDO AppID extension
+        https://bugs.webkit.org/show_bug.cgi?id=143491
+        <rdar://problem/48298273>
+
+        Reviewed by Brent Fulgham.
+
+        * http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-create-success-local.https.html:
+        * http/wpt/webauthn/public-key-credential-create-success-u2f.https.html:
+        * http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html:
+        * http/wpt/webauthn/public-key-credential-get-failure.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-get-failure.https.html:
+        * http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-get-success-local.https.html:
+        * http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-get-success-u2f.https.html:
+
</ins><span class="cx"> 2019-03-19  Ryosuke Niwa  <rniwa@webkit.org>
</span><span class="cx"> 
</span><span class="cx">         Rebaseline the test after r243175. It got somehow landed with failing expectations.
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialcreatesuccesshidhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html  2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html     2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -16,7 +16,7 @@
</span><span class="cx">         assert_equals(credential.type, 'public-key');
</span><span class="cx">         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testHidCredentialIdBase64));
</span><span class="cx">         assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
</span><del>-        assert_throws("NotSupportedError", () => { credential.getClientExtensionResults() });
</del><ins>+        assert_not_exists(credential.getClientExtensionResults(), "appid");
</ins><span class="cx"> 
</span><span class="cx">         // Check attestation
</span><span class="cx">         const attestationObject = CBOR.decode(credential.response.attestationObject);
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialcreatesuccesslocalhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html        2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html   2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -30,7 +30,7 @@
</span><span class="cx">         assert_equals(credential.type, 'public-key');
</span><span class="cx">         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testCredentialIdBase64));
</span><span class="cx">         assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
</span><del>-        assert_throws("NotSupportedError", () => { credential.getClientExtensionResults() });
</del><ins>+        assert_not_exists(credential.getClientExtensionResults(), "appid");
</ins><span class="cx"> 
</span><span class="cx">         // Check attestation
</span><span class="cx">         const attestationObject = CBOR.decode(credential.response.attestationObject);
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialcreatesuccessu2fhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html  2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html     2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -12,7 +12,7 @@
</span><span class="cx">         assert_equals(credential.type, 'public-key');
</span><span class="cx">         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testU2fCredentialIdBase64));
</span><span class="cx">         assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
</span><del>-        assert_throws("NotSupportedError", () => { credential.getClientExtensionResults() });
</del><ins>+        assert_not_exists(credential.getClientExtensionResults(), "appid");
</ins><span class="cx"> 
</span><span class="cx">         // Check attestation
</span><span class="cx">         const attestationObject = CBOR.decode(credential.response.attestationObject);
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialgetfailureu2fhttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https-expected.txt        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -2,4 +2,6 @@
</span><span class="cx"> PASS PublicKeyCredential's [[get]] with malformed sign response in a mock hid authenticator. 
</span><span class="cx"> PASS PublicKeyCredential's [[get]] with no matched allow credentials in a mock hid authenticator. 
</span><span class="cx"> PASS PublicKeyCredential's [[get]] with no matched allow credentials in a mock hid authenticator. 2 
</span><ins>+PASS PublicKeyCredential's [[get]] with no matched allow credentials in a mock hid authenticator. (AppID) 
+PASS PublicKeyCredential's [[get]] with no matched allow credentials in a mock hid authenticator. 2 (AppID) 
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialgetfailureu2fhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -42,4 +42,33 @@
</span><span class="cx">             testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64] } });
</span><span class="cx">         return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "No credentials from the allowCredentials list is found in the authenticator.");
</span><span class="cx">     }, "PublicKeyCredential's [[get]] with no matched allow credentials in a mock hid authenticator. 2");
</span><ins>+
+    // With AppID extension
+    promise_test(function(t) {
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                allowCredentials: [{ type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }],
+                extensions: { appid: "" }
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64] } });
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "No credentials from the allowCredentials list is found in the authenticator.");
+    }, "PublicKeyCredential's [[get]] with no matched allow credentials in a mock hid authenticator. (AppID)");
+
+    promise_test(function(t) {
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                allowCredentials: [{ type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }, { type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }],
+                extensions: { appid: "" }
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "malicious-payload", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64] } });
+        return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "No credentials from the allowCredentials list is found in the authenticator.");
+    }, "PublicKeyCredential's [[get]] with no matched allow credentials in a mock hid authenticator. 2 (AppID)");
</ins><span class="cx"> </script>
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialgetfailurehttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https-expected.txt (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https-expected.txt 2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https-expected.txt    2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -1,4 +1,8 @@
</span><span class="cx"> 
</span><span class="cx"> PASS PublicKeyCredential's [[get]] with timeout 
</span><span class="cx"> PASS PublicKeyCredential's [[get]] with a mismatched RP ID 
</span><ins>+PASS PublicKeyCredential's [[get]] with a mismatched APP ID (invalid URLs) 
+PASS PublicKeyCredential's [[get]] with a mismatched APP ID (different protocols) 
+PASS PublicKeyCredential's [[get]] with a mismatched APP ID (different sites 1) 
+PASS PublicKeyCredential's [[get]] with a mismatched APP ID (different sites 2) 
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialgetfailurehttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https.html (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https.html 2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https.html    2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -31,4 +31,52 @@
</span><span class="cx">         return promiseRejects(t, "SecurityError",
</span><span class="cx">             navigator.credentials.get(options), "The origin of the document is not a registrable domain suffix of the provided RP ID.");
</span><span class="cx">     }, "PublicKeyCredential's [[get]] with a mismatched RP ID");
</span><ins>+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                extensions: { appid: "abc" }
+            }
+        };
+
+        return promiseRejects(t, "SecurityError",
+            navigator.credentials.get(options), "The origin of the document is not authorized for the provided App ID.");
+    }, "PublicKeyCredential's [[get]] with a mismatched APP ID (invalid URLs)");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                extensions: { appid: "ftp://localhost" }
+            }
+        };
+
+        return promiseRejects(t, "SecurityError",
+            navigator.credentials.get(options), "The origin of the document is not authorized for the provided App ID.");
+    }, "PublicKeyCredential's [[get]] with a mismatched APP ID (different protocols)");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                extensions: { appid: "https://127.0.0.1" }
+            }
+        };
+
+        return promiseRejects(t, "SecurityError",
+            navigator.credentials.get(options), "The origin of the document is not authorized for the provided App ID.");
+    }, "PublicKeyCredential's [[get]] with a mismatched APP ID (different sites 1)");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: asciiToUint8Array("123456"),
+                extensions: { appid: "https://haha.localhost" }
+            }
+        };
+
+        return promiseRejects(t, "SecurityError",
+            navigator.credentials.get(options), "The origin of the document is not authorized for the provided App ID.");
+    }, "PublicKeyCredential's [[get]] with a mismatched APP ID (different sites 2)");
</ins><span class="cx"> </script>
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialgetsuccesshidhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -16,6 +16,7 @@
</span><span class="cx">         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testHidCredentialIdBase64));
</span><span class="cx">         assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
</span><span class="cx">         assert_equals(credential.response.userHandle, null);
</span><ins>+        assert_not_exists(credential.getClientExtensionResults(), "appid");
</ins><span class="cx"> 
</span><span class="cx">         // Check authData
</span><span class="cx">         const authData = decodeAuthData(new Uint8Array(credential.response.authenticatorData));
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialgetsuccesslocalhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html   2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html      2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -19,6 +19,7 @@
</span><span class="cx">         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testCredentialIdBase64));
</span><span class="cx">         assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
</span><span class="cx">         assert_equals(bytesToHexString(credential.response.userHandle), "00010203040506070809");
</span><ins>+        assert_not_exists(credential.getClientExtensionResults(), "appid");
</ins><span class="cx"> 
</span><span class="cx">         // Check authData
</span><span class="cx">         const authData = decodeAuthData(new Uint8Array(credential.response.authenticatorData));
</span><span class="lines">@@ -32,7 +33,7 @@
</span><span class="cx">                 // credential.response.signature is in ASN.1 and WebCrypto expect signatures provides in r|s.
</span><span class="cx">                 return crypto.subtle.verify({name: "ECDSA", hash: "SHA-256"}, publicKey, extractRawSignature(credential.response.signature), concatenateBuffers(credential.response.authenticatorData, hash)).then( verified => {
</span><span class="cx">                     assert_true(verified);
</span><del>-                    assert_throws("NotSupportedError", () => { credential.getClientExtensionResults() });
</del><ins>+                    assert_not_exists(credential.getClientExtensionResults(), "appid");
</ins><span class="cx">                 });
</span><span class="cx">             });
</span><span class="cx">         });
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialgetsuccessu2fhttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https-expected.txt        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -2,4 +2,10 @@
</span><span class="cx"> PASS PublicKeyCredential's [[get]] with minimum options in a mock hid authenticator. 
</span><span class="cx"> PASS PublicKeyCredential's [[get]] with more allow credentials in a mock hid authenticator. 
</span><span class="cx"> PASS PublicKeyCredential's [[get]] with test of user presence in a mock hid authenticator. 
</span><ins>+PASS PublicKeyCredential's [[get]] with empty extensions in a mock hid authenticator. 
+PASS PublicKeyCredential's [[get]] with same site AppID but not used in a mock hid authenticator. 
+PASS PublicKeyCredential's [[get]] with empty AppID in a mock hid authenticator. 
+PASS PublicKeyCredential's [[get]] with an AppID in a mock hid authenticator. 
+PASS PublicKeyCredential's [[get]] with multiple credentials and AppID is not used in a mock hid authenticator. 
+PASS PublicKeyCredential's [[get]] with multiple credentials and AppID is used in a mock hid authenticator. 
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttpwptwebauthnpublickeycredentialgetsuccessu2fhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -4,7 +4,9 @@
</span><span class="cx"> <script src="/resources/testharnessreport.js"></script>
</span><span class="cx"> <script src="./resources/util.js"></script>
</span><span class="cx"> <script>
</span><del>-    function checkResult(credential)
</del><ins>+    const defaultAppIDHash = "c2671b6eb9233197d5f2b1288a55ba4f0860f96f7199bba32fe6da7c3f0f31e5";
+
+    function checkResult(credential, isAppID = false, appIDHash = defaultAppIDHash)
</ins><span class="cx">     {
</span><span class="cx">         // Check respond
</span><span class="cx">         assert_array_equals(Base64URL.parse(credential.id), Base64URL.parse(testU2fCredentialIdBase64));
</span><span class="lines">@@ -12,10 +14,17 @@
</span><span class="cx">         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testU2fCredentialIdBase64));
</span><span class="cx">         assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
</span><span class="cx">         assert_equals(credential.response.userHandle, null);
</span><ins>+        if (!isAppID)
+            assert_not_exists(credential.getClientExtensionResults(), "appid");
+        else
+            assert_true(credential.getClientExtensionResults().appid);
</ins><span class="cx"> 
</span><span class="cx">         // Check authData
</span><span class="cx">         const authData = decodeAuthData(new Uint8Array(credential.response.authenticatorData));
</span><del>-        assert_equals(bytesToHexString(authData.rpIdHash), "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763");
</del><ins>+        if (!isAppID)
+            assert_equals(bytesToHexString(authData.rpIdHash), "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763");
+        else
+            assert_equals(bytesToHexString(authData.rpIdHash), appIDHash);
</ins><span class="cx">         assert_equals(authData.flags, 1);
</span><span class="cx">         assert_equals(authData.counter, 59);
</span><span class="cx">     }
</span><span class="lines">@@ -67,4 +76,109 @@
</span><span class="cx">             return checkResult(credential);
</span><span class="cx">         });
</span><span class="cx">     }, "PublicKeyCredential's [[get]] with test of user presence in a mock hid authenticator.");
</span><ins>+
+    // With AppID extension
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: Base64URL.parse("MTIzNDU2"),
+                allowCredentials: [{ type: "public-key", id: Base64URL.parse(testU2fCredentialIdBase64) }],
+                timeout: 100,
+                extensions: { }
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fSignResponse] } });
+        return navigator.credentials.get(options).then(credential => {
+            return checkResult(credential);
+        });
+    }, "PublicKeyCredential's [[get]] with empty extensions in a mock hid authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: Base64URL.parse("MTIzNDU2"),
+                allowCredentials: [{ type: "public-key", id: Base64URL.parse(testU2fCredentialIdBase64) }],
+                timeout: 100,
+                extensions: { appid: "https://localhost:666/appid" }
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fSignResponse] } });
+        return navigator.credentials.get(options).then(credential => {
+            return checkResult(credential);
+        });
+    }, "PublicKeyCredential's [[get]] with same site AppID but not used in a mock hid authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: Base64URL.parse("MTIzNDU2"),
+                allowCredentials: [{ type: "public-key", id: Base64URL.parse(testU2fCredentialIdBase64) }],
+                timeout: 100,
+                extensions: { appid: "" }
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fSignResponse] } });
+        return navigator.credentials.get(options).then(credential => {
+            return checkResult(credential, true);
+        });
+    }, "PublicKeyCredential's [[get]] with empty AppID in a mock hid authenticator.");
+
+    // FIXME: Sub domains need to be tested as well. However, localhost has no sub domains.
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: Base64URL.parse("MTIzNDU2"),
+                allowCredentials: [{ type: "public-key", id: Base64URL.parse(testU2fCredentialIdBase64) }],
+                timeout: 100,
+                extensions: { appid: "https://localhost:666/appid" }
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fSignResponse] } });
+        return navigator.credentials.get(options).then(credential => {
+            return checkResult(credential, true, "7eabc5cc3251bdc59115ef87b5f7ee74cb03747e39ba8341748565cc129c0719");
+        });
+    }, "PublicKeyCredential's [[get]] with an AppID in a mock hid authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: Base64URL.parse("MTIzNDU2"),
+                allowCredentials: [{ type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }, { type: "public-key", id: Base64URL.parse(testU2fCredentialIdBase64) }],
+                timeout: 100,
+                extensions: { appid: "" }
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64, testU2fSignResponse] } });
+        return navigator.credentials.get(options).then(credential => {
+            return checkResult(credential);
+        });
+    }, "PublicKeyCredential's [[get]] with multiple credentials and AppID is not used in a mock hid authenticator.");
+
+    promise_test(t => {
+        const options = {
+            publicKey: {
+                challenge: Base64URL.parse("MTIzNDU2"),
+                allowCredentials: [{ type: "public-key", id: Base64URL.parse(testCredentialIdBase64) }, { type: "public-key", id: Base64URL.parse(testU2fCredentialIdBase64) }],
+                timeout: 100,
+                extensions: { appid: "" }
+            }
+        };
+
+        if (window.testRunner)
+            testRunner.setWebAuthenticationMockConfiguration({ hid: { stage: "request", subStage: "msg", error: "success", isU2f: true, payloadBase64: [testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64, testU2fApduWrongDataOnlyResponseBase64, testU2fSignResponse] } });
+        return navigator.credentials.get(options).then(credential => {
+            return checkResult(credential, true);
+        });
+    }, "PublicKeyCredential's [[get]] with multiple credentials and AppID is used in a mock hid authenticator.");
+
</ins><span class="cx"> </script>
</span></span></pre></div>
<a id="trunkSourceWebCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/CMakeLists.txt (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/CMakeLists.txt      2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/CMakeLists.txt 2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -438,6 +438,7 @@
</span><span class="cx">     Modules/webaudio/ScriptProcessorNode.idl
</span><span class="cx">     Modules/webaudio/WaveShaperNode.idl
</span><span class="cx"> 
</span><ins>+    Modules/webauthn/AuthenticationExtensionsClientInputs.idl
</ins><span class="cx">     Modules/webauthn/AuthenticatorAssertionResponse.idl
</span><span class="cx">     Modules/webauthn/AuthenticatorAttestationResponse.idl
</span><span class="cx">     Modules/webauthn/AuthenticatorResponse.idl
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/ChangeLog      2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -1,3 +1,60 @@
</span><ins>+2019-03-19  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Implement FIDO AppID extension
+        https://bugs.webkit.org/show_bug.cgi?id=143491
+        <rdar://problem/48298273>
+
+        Reviewed by Brent Fulgham.
+
+        This patch adds support for FIDO AppID extension: https://www.w3.org/TR/webauthn/#sctn-appid-extension.
+        To be noticed, this implementation follows what spec suggested in the 'Note' session and what Chrome/Firefox
+        do in practice to avoid some unnecessary steps of
+        https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid.
+
+        In fido::convertToU2fSignCommand, the checkOnly flag is deleted as it is never used.
+
+        Covered by new tests in existing files.
+
+        * CMakeLists.txt:
+        * DerivedSources-input.xcfilelist:
+        * DerivedSources-output.xcfilelist:
+        * DerivedSources.make:
+        * Modules/webauthn/AuthenticationExtensionsClientInputs.h: Copied from Source/WebCore/Modules/webauthn/PublicKeyCredential.idl.
+        (WebCore::AuthenticationExtensionsClientInputs::encode const):
+        (WebCore::AuthenticationExtensionsClientInputs::decode):
+        * Modules/webauthn/AuthenticationExtensionsClientInputs.idl: Copied from Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.idl.
+        * Modules/webauthn/AuthenticatorCoordinator.cpp:
+        (WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension):
+        (WebCore::AuthenticatorCoordinator::create const):
+        (WebCore::AuthenticatorCoordinator::discoverFromExternalSource const):
+        * Modules/webauthn/PublicKeyCredential.cpp:
+        (WebCore::PublicKeyCredential::tryCreate):
+        (WebCore::PublicKeyCredential::PublicKeyCredential):
+        (WebCore::PublicKeyCredential::getClientExtensionResults const):
+        (WebCore::PublicKeyCredential::create): Deleted.
+        * Modules/webauthn/PublicKeyCredential.h:
+        * Modules/webauthn/PublicKeyCredential.idl:
+        * Modules/webauthn/PublicKeyCredentialCreationOptions.h:
+        * Modules/webauthn/PublicKeyCredentialCreationOptions.idl:
+        * Modules/webauthn/PublicKeyCredentialData.h:
+        (WebCore::PublicKeyCredentialData::encode const):
+        (WebCore::PublicKeyCredentialData::decode):
+        * Modules/webauthn/PublicKeyCredentialRequestOptions.h:
+        (WebCore::PublicKeyCredentialRequestOptions::encode const):
+        (WebCore::PublicKeyCredentialRequestOptions::decode):
+        * Modules/webauthn/PublicKeyCredentialRequestOptions.idl:
+        * Modules/webauthn/fido/DeviceResponseConverter.cpp:
+        (fido::readCTAPMakeCredentialResponse):
+        (fido::readCTAPGetAssertionResponse):
+        * Modules/webauthn/fido/U2fCommandConstructor.cpp:
+        (fido::convertToU2fSignCommand):
+        * Modules/webauthn/fido/U2fCommandConstructor.h:
+        * Modules/webauthn/fido/U2fResponseConverter.cpp:
+        (fido::readU2fRegisterResponse):
+        (fido::readU2fSignResponse):
+        * Sources.txt:
+        * WebCore.xcodeproj/project.pbxproj:
+
</ins><span class="cx"> 2019-03-19  Devin Rousso  <drousso@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Web Inspector: Debugger: lazily create the agent
</span></span></pre></div>
<a id="trunkSourceWebCoreDerivedSourcesinputxcfilelist"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/DerivedSources-input.xcfilelist (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/DerivedSources-input.xcfilelist     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/DerivedSources-input.xcfilelist        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -304,6 +304,7 @@
</span><span class="cx"> $(PROJECT_DIR)/Modules/webaudio/PeriodicWave.idl
</span><span class="cx"> $(PROJECT_DIR)/Modules/webaudio/ScriptProcessorNode.idl
</span><span class="cx"> $(PROJECT_DIR)/Modules/webaudio/WaveShaperNode.idl
</span><ins>+$(PROJECT_DIR)/Modules/webauthn/AuthenticationExtensionsClientInputs.idl
</ins><span class="cx"> $(PROJECT_DIR)/Modules/webauthn/AuthenticatorAssertionResponse.idl
</span><span class="cx"> $(PROJECT_DIR)/Modules/webauthn/AuthenticatorAttestationResponse.idl
</span><span class="cx"> $(PROJECT_DIR)/Modules/webauthn/AuthenticatorResponse.idl
</span></span></pre></div>
<a id="trunkSourceWebCoreDerivedSourcesoutputxcfilelist"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/DerivedSources-output.xcfilelist (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/DerivedSources-output.xcfilelist    2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/DerivedSources-output.xcfilelist       2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -154,6 +154,8 @@
</span><span class="cx"> $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSAudioTrackList.h
</span><span class="cx"> $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSAudioTrackMediaSource.cpp
</span><span class="cx"> $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSAudioTrackMediaSource.h
</span><ins>+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSAuthenticationExtensionsClientInputs.cpp
+$(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSAuthenticationExtensionsClientInputs.h
</ins><span class="cx"> $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSAuthenticatorAssertionResponse.cpp
</span><span class="cx"> $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSAuthenticatorAssertionResponse.h
</span><span class="cx"> $(BUILT_PRODUCTS_DIR)/DerivedSources/WebCore/JSAuthenticatorAttestationResponse.cpp
</span></span></pre></div>
<a id="trunkSourceWebCoreDerivedSourcesmake"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/DerivedSources.make (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/DerivedSources.make 2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/DerivedSources.make    2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -351,6 +351,7 @@
</span><span class="cx">     $(WebCore)/Modules/webaudio/PeriodicWave.idl \
</span><span class="cx">     $(WebCore)/Modules/webaudio/ScriptProcessorNode.idl \
</span><span class="cx">     $(WebCore)/Modules/webaudio/WaveShaperNode.idl \
</span><ins>+    $(WebCore)/Modules/webauthn/AuthenticationExtensionsClientInputs.idl \
</ins><span class="cx">     $(WebCore)/Modules/webauthn/AuthenticatorAssertionResponse.idl \
</span><span class="cx">     $(WebCore)/Modules/webauthn/AuthenticatorAttestationResponse.idl \
</span><span class="cx">     $(WebCore)/Modules/webauthn/AuthenticatorResponse.idl \
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnAuthenticationExtensionsClientInputshfromrev243192trunkSourceWebCoreModuleswebauthnPublicKeyCredentialidl"></a>
<div class="copfile"><h4>Copied: trunk/Source/WebCore/Modules/webauthn/AuthenticationExtensionsClientInputs.h (from rev 243192, trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.idl) (0 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/AuthenticationExtensionsClientInputs.h                             (rev 0)
+++ trunk/Source/WebCore/Modules/webauthn/AuthenticationExtensionsClientInputs.h        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -0,0 +1,63 @@
</span><ins>+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#if ENABLE(WEB_AUTHN)
+
+#include <wtf/text/WTFString.h>
+
+namespace WebCore {
+
+struct AuthenticationExtensionsClientInputs {
+    String appid;
+
+    template<class Encoder> void encode(Encoder&) const;
+    template<class Decoder> static Optional<AuthenticationExtensionsClientInputs> decode(Decoder&);
+};
+
+template<class Encoder>
+void AuthenticationExtensionsClientInputs::encode(Encoder& encoder) const
+{
+    encoder << appid;
+}
+
+template<class Decoder>
+Optional<AuthenticationExtensionsClientInputs> AuthenticationExtensionsClientInputs::decode(Decoder& decoder)
+{
+    AuthenticationExtensionsClientInputs result;
+
+    Optional<String> appid;
+    decoder >> appid;
+    if (!appid)
+        return WTF::nullopt;
+    result.appid = WTFMove(*appid);
+
+    return result;
+}
+
+} // namespace WebCore
+
+#endif // ENABLE(WEB_AUTHN)
</ins></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnAuthenticationExtensionsClientInputsidlfromrev243192trunkSourceWebCoreModuleswebauthnPublicKeyCredentialRequestOptionsidl"></a>
<div class="copfile"><h4>Copied: trunk/Source/WebCore/Modules/webauthn/AuthenticationExtensionsClientInputs.idl (from rev 243192, trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.idl) (0 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/AuthenticationExtensionsClientInputs.idl                           (rev 0)
+++ trunk/Source/WebCore/Modules/webauthn/AuthenticationExtensionsClientInputs.idl      2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+[
+    Conditional=WEB_AUTHN,
+] dictionary AuthenticationExtensionsClientInputs {
+    USVString appid;
+};
</ins></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnAuthenticatorCoordinatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp       2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp  2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -37,6 +37,8 @@
</span><span class="cx"> #include "PublicKeyCredentialCreationOptions.h"
</span><span class="cx"> #include "PublicKeyCredentialData.h"
</span><span class="cx"> #include "PublicKeyCredentialRequestOptions.h"
</span><ins>+#include "RegistrableDomain.h"
+#include "SchemeRegistry.h"
</ins><span class="cx"> #include "SecurityOrigin.h"
</span><span class="cx"> #include <pal/crypto/CryptoDigest.h>
</span><span class="cx"> #include <wtf/JSONValues.h>
</span><span class="lines">@@ -78,6 +80,27 @@
</span><span class="cx">     return crypto->computeHash();
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+// The following roughly implements Step 1-3 of the spec to avoid the complexity of making unnecessary network requests:
+// https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid
+// It follows what Chrome and Firefox do, see:
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1244959#c8
+// https://bugs.chromium.org/p/chromium/issues/detail?id=818303
+static String processAppIdExtension(const SecurityOrigin& facetId, const String& appId)
+{
+    // Step 1. Skipped since facetId should always be secure origins.
+    ASSERT(SchemeRegistry::shouldTreatURLSchemeAsSecure(facetId.protocol()));
+
+    // Step 2. Follow Chrome and Firefox to use the origin directly without adding a trailing slash.
+    if (appId.isEmpty())
+        return facetId.toString();
+
+    // Step 3. Relax the comparison to same site.
+    URL appIdURL(URL(), appId);
+    if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()))
+        return String();
+    return appId;
+}
+
</ins><span class="cx"> } // namespace AuthenticatorCoordinatorInternal
</span><span class="cx"> 
</span><span class="cx"> AuthenticatorCoordinator::AuthenticatorCoordinator(std::unique_ptr<AuthenticatorCoordinatorClient>&& client)
</span><span class="lines">@@ -95,7 +118,7 @@
</span><span class="cx">     using namespace AuthenticatorCoordinatorInternal;
</span><span class="cx"> 
</span><span class="cx">     // The following implements https://www.w3.org/TR/webauthn/#createCredential as of 5 December 2017.
</span><del>-    // FIXME: Extensions are not supported yet. Skip Step 11-12.
</del><ins>+    // Extensions are not supported. Skip Step 11-12.
</ins><span class="cx">     // Step 1, 3, 16 are handled by the caller.
</span><span class="cx">     // Step 2.
</span><span class="cx">     if (!sameOriginWithAncestors) {
</span><span class="lines">@@ -158,7 +181,6 @@
</span><span class="cx">     using namespace AuthenticatorCoordinatorInternal;
</span><span class="cx"> 
</span><span class="cx">     // The following implements https://www.w3.org/TR/webauthn/#createCredential as of 5 December 2017.
</span><del>-    // FIXME: Extensions are not supported yet. Skip Step 8-9.
</del><span class="cx">     // Step 1, 3, 13 are handled by the caller.
</span><span class="cx">     // Step 2.
</span><span class="cx">     if (!sameOriginWithAncestors) {
</span><span class="lines">@@ -177,6 +199,18 @@
</span><span class="cx">     if (options.rpId.isEmpty())
</span><span class="cx">         options.rpId = callerOrigin.host();
</span><span class="cx"> 
</span><ins>+    // Step 8-9.
+    // Only FIDO AppID Extension is supported.
+    if (options.extensions && !options.extensions->appid.isNull()) {
+        // The following implements https://www.w3.org/TR/webauthn/#sctn-appid-extension as of 4 March 2019.
+        auto appid = processAppIdExtension(callerOrigin, options.extensions->appid);
+        if (!appid) {
+            promise.reject(Exception { SecurityError, "The origin of the document is not authorized for the provided App ID."_s });
+            return;
+        }
+        options.extensions->appid = appid;
+    }
+
</ins><span class="cx">     // Step 10-12.
</span><span class="cx">     auto clientDataJson = produceClientDataJson(ClientDataType::Get, options.challenge, callerOrigin);
</span><span class="cx">     auto clientDataJsonHash = produceClientDataJsonHash(clientDataJson);
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnPublicKeyCredentialcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.cpp (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.cpp    2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.cpp       2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -40,11 +40,6 @@
</span><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><del>-Ref<PublicKeyCredential> PublicKeyCredential::create(Ref<ArrayBuffer>&& id, Ref<AuthenticatorResponse>&& response)
-{
-    return adoptRef(*new PublicKeyCredential(WTFMove(id), WTFMove(response)));
-}
-
</del><span class="cx"> RefPtr<PublicKeyCredential> PublicKeyCredential::tryCreate(const PublicKeyCredentialData& data)
</span><span class="cx"> {
</span><span class="cx">     if (!data.rawId || !data.clientDataJSON)
</span><span class="lines">@@ -54,25 +49,26 @@
</span><span class="cx">         if (!data.attestationObject)
</span><span class="cx">             return nullptr;
</span><span class="cx"> 
</span><del>-        return adoptRef(*new PublicKeyCredential(data.rawId.releaseNonNull(), AuthenticatorAttestationResponse::create(data.clientDataJSON.releaseNonNull(), data.attestationObject.releaseNonNull())));
</del><ins>+        return adoptRef(*new PublicKeyCredential(data.rawId.releaseNonNull(), AuthenticatorAttestationResponse::create(data.clientDataJSON.releaseNonNull(), data.attestationObject.releaseNonNull()), { data.appid }));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     if (!data.authenticatorData || !data.signature)
</span><span class="cx">         return nullptr;
</span><span class="cx"> 
</span><del>-    return adoptRef(*new PublicKeyCredential(data.rawId.releaseNonNull(), AuthenticatorAssertionResponse::create(data.clientDataJSON.releaseNonNull(), data.authenticatorData.releaseNonNull(), data.signature.releaseNonNull(), WTFMove(data.userHandle))));
</del><ins>+    return adoptRef(*new PublicKeyCredential(data.rawId.releaseNonNull(), AuthenticatorAssertionResponse::create(data.clientDataJSON.releaseNonNull(), data.authenticatorData.releaseNonNull(), data.signature.releaseNonNull(), WTFMove(data.userHandle)), { data.appid }));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-PublicKeyCredential::PublicKeyCredential(Ref<ArrayBuffer>&& id, Ref<AuthenticatorResponse>&& response)
</del><ins>+PublicKeyCredential::PublicKeyCredential(Ref<ArrayBuffer>&& id, Ref<AuthenticatorResponse>&& response, AuthenticationExtensionsClientOutputs&& extensions)
</ins><span class="cx">     : BasicCredential(WTF::base64URLEncode(id->data(), id->byteLength()), Type::PublicKey, Discovery::Remote)
</span><span class="cx">     , m_rawId(WTFMove(id))
</span><span class="cx">     , m_response(WTFMove(response))
</span><ins>+    , m_extensions(WTFMove(extensions))
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ExceptionOr<bool> PublicKeyCredential::getClientExtensionResults() const
</del><ins>+PublicKeyCredential::AuthenticationExtensionsClientOutputs PublicKeyCredential::getClientExtensionResults() const
</ins><span class="cx"> {
</span><del>-    return Exception { NotSupportedError };
</del><ins>+    return m_extensions;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void PublicKeyCredential::isUserVerifyingPlatformAuthenticatorAvailable(Document& document, DOMPromiseDeferred<IDLBoolean>&& promise)
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnPublicKeyCredentialh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.h (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.h      2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.h 2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -42,23 +42,26 @@
</span><span class="cx"> 
</span><span class="cx"> class PublicKeyCredential final : public BasicCredential {
</span><span class="cx"> public:
</span><del>-    static Ref<PublicKeyCredential> create(Ref<ArrayBuffer>&& id, Ref<AuthenticatorResponse>&&);
</del><ins>+    struct AuthenticationExtensionsClientOutputs {
+        Optional<bool> appid;
+    };
+
</ins><span class="cx">     static RefPtr<PublicKeyCredential> tryCreate(const PublicKeyCredentialData&);
</span><span class="cx"> 
</span><span class="cx">     ArrayBuffer* rawId() const { return m_rawId.ptr(); }
</span><span class="cx">     AuthenticatorResponse* response() const { return m_response.ptr(); }
</span><del>-    // Not support yet. Always throws.
-    ExceptionOr<bool> getClientExtensionResults() const;
</del><ins>+    AuthenticationExtensionsClientOutputs getClientExtensionResults() const;
</ins><span class="cx"> 
</span><span class="cx">     static void isUserVerifyingPlatformAuthenticatorAvailable(Document&, DOMPromiseDeferred<IDLBoolean>&&);
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    PublicKeyCredential(Ref<ArrayBuffer>&& id, Ref<AuthenticatorResponse>&&);
</del><ins>+    PublicKeyCredential(Ref<ArrayBuffer>&& id, Ref<AuthenticatorResponse>&&, AuthenticationExtensionsClientOutputs&&);
</ins><span class="cx"> 
</span><span class="cx">     Type credentialType() const final { return Type::PublicKey; }
</span><span class="cx"> 
</span><span class="cx">     Ref<ArrayBuffer> m_rawId;
</span><span class="cx">     Ref<AuthenticatorResponse> m_response;
</span><ins>+    AuthenticationExtensionsClientOutputs m_extensions;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnPublicKeyCredentialidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.idl (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.idl    2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.idl       2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -23,8 +23,6 @@
</span><span class="cx">  * THE POSSIBILITY OF SUCH DAMAGE.
</span><span class="cx">  */
</span><span class="cx"> 
</span><del>-typedef boolean AuthenticationExtensions;
-
</del><span class="cx"> [
</span><span class="cx">     Conditional=WEB_AUTHN,
</span><span class="cx">     EnabledAtRuntime=WebAuthentication,
</span><span class="lines">@@ -33,7 +31,14 @@
</span><span class="cx"> ] interface PublicKeyCredential : BasicCredential {
</span><span class="cx">     [SameObject] readonly attribute ArrayBuffer rawId;
</span><span class="cx">     [SameObject] readonly attribute AuthenticatorResponse response;
</span><del>-    [MayThrowException] AuthenticationExtensions getClientExtensionResults();
</del><ins>+    AuthenticationExtensionsClientOutputs getClientExtensionResults();
</ins><span class="cx"> 
</span><span class="cx">     [CallWith=Document] static Promise<boolean> isUserVerifyingPlatformAuthenticatorAvailable();
</span><span class="cx"> };
</span><ins>+
+[
+    Conditional=WEB_AUTHN,
+    JSGenerateToJSObject,
+] dictionary AuthenticationExtensionsClientOutputs {
+    boolean appid;
+};
</ins></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnPublicKeyCredentialCreationOptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.h (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.h       2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.h  2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(WEB_AUTHN)
</span><span class="cx"> 
</span><ins>+#include "AuthenticationExtensionsClientInputs.h"
</ins><span class="cx"> #include "BufferSource.h"
</span><span class="cx"> #include "PublicKeyCredentialDescriptor.h"
</span><span class="cx"> #include "PublicKeyCredentialType.h"
</span><span class="lines">@@ -83,6 +84,7 @@
</span><span class="cx">     Optional<unsigned> timeout;
</span><span class="cx">     Vector<PublicKeyCredentialDescriptor> excludeCredentials;
</span><span class="cx">     Optional<AuthenticatorSelectionCriteria> authenticatorSelection;
</span><ins>+    Optional<AuthenticationExtensionsClientInputs> extensions; // A place holder, but never used.
</ins><span class="cx"> 
</span><span class="cx">     template<class Encoder> void encode(Encoder&) const;
</span><span class="cx">     template<class Decoder> static Optional<PublicKeyCredentialCreationOptions> decode(Decoder&);
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnPublicKeyCredentialCreationOptionsidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.idl (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.idl     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialCreationOptions.idl        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -39,8 +39,7 @@
</span><span class="cx">     AuthenticatorSelectionCriteria authenticatorSelection;
</span><span class="cx">     // Always "direct" for us.
</span><span class="cx">     // AttestationConveyancePreference attestation = "none";
</span><del>-    // Not support yet.
-    // AuthenticationExtensions extensions;
</del><ins>+    AuthenticationExtensionsClientInputs extensions;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> [
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnPublicKeyCredentialDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialData.h (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialData.h  2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialData.h     2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -49,6 +49,9 @@
</span><span class="cx">     mutable RefPtr<ArrayBuffer> signature;
</span><span class="cx">     mutable RefPtr<ArrayBuffer> userHandle;
</span><span class="cx"> 
</span><ins>+    // Extensions
+    Optional<bool> appid;
+
</ins><span class="cx">     template<class Encoder> void encode(Encoder&) const;
</span><span class="cx">     template<class Decoder> static Optional<PublicKeyCredentialData> decode(Decoder&);
</span><span class="cx"> };
</span><span class="lines">@@ -81,6 +84,9 @@
</span><span class="cx">     encoder << static_cast<uint64_t>(signature->byteLength());
</span><span class="cx">     encoder.encodeFixedLengthData(reinterpret_cast<const uint8_t*>(signature->data()), signature->byteLength(), 1);
</span><span class="cx"> 
</span><ins>+    // Encode AppID before user handle to avoid the userHandle flag.
+    encoder << appid;
+
</ins><span class="cx">     if (!userHandle) {
</span><span class="cx">         encoder << false;
</span><span class="cx">         return;
</span><span class="lines">@@ -148,6 +154,12 @@
</span><span class="cx">     if (!decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(result.signature->data()), signatureLength.value(), 1))
</span><span class="cx">         return WTF::nullopt;
</span><span class="cx"> 
</span><ins>+    Optional<Optional<bool>> appid;
+    decoder >> appid;
+    if (!appid)
+        return WTF::nullopt;
+    result.appid = WTFMove(*appid);
+
</ins><span class="cx">     Optional<bool> hasUserHandle;
</span><span class="cx">     decoder >> hasUserHandle;
</span><span class="cx">     if (!hasUserHandle)
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnPublicKeyCredentialRequestOptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.h (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.h        2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.h   2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(WEB_AUTHN)
</span><span class="cx"> 
</span><ins>+#include "AuthenticationExtensionsClientInputs.h"
</ins><span class="cx"> #include "BufferSource.h"
</span><span class="cx"> #include "PublicKeyCredentialDescriptor.h"
</span><span class="cx"> #include "UserVerificationRequirement.h"
</span><span class="lines">@@ -40,6 +41,7 @@
</span><span class="cx">     mutable String rpId;
</span><span class="cx">     Vector<PublicKeyCredentialDescriptor> allowCredentials;
</span><span class="cx">     UserVerificationRequirement userVerification { UserVerificationRequirement::Preferred };
</span><ins>+    mutable Optional<AuthenticationExtensionsClientInputs> extensions;
</ins><span class="cx"> 
</span><span class="cx">     template<class Encoder> void encode(Encoder&) const;
</span><span class="cx">     template<class Decoder> static Optional<PublicKeyCredentialRequestOptions> decode(Decoder&);
</span><span class="lines">@@ -49,7 +51,7 @@
</span><span class="cx"> template<class Encoder>
</span><span class="cx"> void PublicKeyCredentialRequestOptions::encode(Encoder& encoder) const
</span><span class="cx"> {
</span><del>-    encoder << timeout << rpId << allowCredentials << userVerification;
</del><ins>+    encoder << timeout << rpId << allowCredentials << userVerification << extensions;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<class Decoder>
</span><span class="lines">@@ -74,6 +76,12 @@
</span><span class="cx">         return WTF::nullopt;
</span><span class="cx">     result.userVerification = WTFMove(*userVerification);
</span><span class="cx"> 
</span><ins>+    Optional<Optional<AuthenticationExtensionsClientInputs>> extensions;
+    decoder >> extensions;
+    if (!extensions)
+        return WTF::nullopt;
+    result.extensions = WTFMove(*extensions);
+
</ins><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnPublicKeyCredentialRequestOptionsidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.idl (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.idl      2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/PublicKeyCredentialRequestOptions.idl 2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -31,6 +31,5 @@
</span><span class="cx">     USVString rpId;
</span><span class="cx">     sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
</span><span class="cx">     UserVerificationRequirement userVerification = "preferred";
</span><del>-    // Not support yet.
-    // AuthenticationExtensions extensions;
</del><ins>+    AuthenticationExtensionsClientInputs extensions;
</ins><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnfidoDeviceResponseConvertercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp   2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp      2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -121,7 +121,7 @@
</span><span class="cx">     attestationObjectMap[CBOR("attStmt")] = WTFMove(attStmt);
</span><span class="cx">     auto attestationObject = cbor::CBORWriter::write(CBOR(WTFMove(attestationObjectMap)));
</span><span class="cx"> 
</span><del>-    return PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), true, nullptr, ArrayBuffer::create(attestationObject.value().data(), attestationObject.value().size()), nullptr, nullptr, nullptr };
</del><ins>+    return PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), true, nullptr, ArrayBuffer::create(attestationObject.value().data(), attestationObject.value().size()), nullptr, nullptr, nullptr, WTF::nullopt };
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> Optional<PublicKeyCredentialData> readCTAPGetAssertionResponse(const Vector<uint8_t>& inBuffer)
</span><span class="lines">@@ -170,7 +170,7 @@
</span><span class="cx">         userHandle = ArrayBuffer::create(id.data(), id.size());
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    return PublicKeyCredentialData { WTFMove(credentialId), false, nullptr, nullptr, ArrayBuffer::create(authData.data(), authData.size()), ArrayBuffer::create(signature.data(), signature.size()), WTFMove(userHandle) };
</del><ins>+    return PublicKeyCredentialData { WTFMove(credentialId), false, nullptr, nullptr, ArrayBuffer::create(authData.data(), authData.size()), ArrayBuffer::create(signature.data(), signature.size()), WTFMove(userHandle), WTF::nullopt };
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> Optional<AuthenticatorGetInfoResponse> readCTAPGetInfoResponse(const Vector<uint8_t>& inBuffer)
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnfidoU2fCommandConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.cpp (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.cpp     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.cpp        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -114,12 +114,15 @@
</span><span class="cx">     return constructU2fSignCommand(produceRpIdHash(request.rp.id), clientDataHash, keyHandle.idVector, true /* checkOnly */);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-Optional<Vector<uint8_t>> convertToU2fSignCommand(const Vector<uint8_t>& clientDataHash, const PublicKeyCredentialRequestOptions& request, const Vector<uint8_t>& keyHandle, bool checkOnly)
</del><ins>+Optional<Vector<uint8_t>> convertToU2fSignCommand(const Vector<uint8_t>& clientDataHash, const PublicKeyCredentialRequestOptions& request, const Vector<uint8_t>& keyHandle, bool isAppId)
</ins><span class="cx"> {
</span><span class="cx">     if (!isConvertibleToU2fSignCommand(request))
</span><span class="cx">         return WTF::nullopt;
</span><span class="cx"> 
</span><del>-    return constructU2fSignCommand(produceRpIdHash(request.rpId), clientDataHash, keyHandle, checkOnly);
</del><ins>+    if (!isAppId)
+        return constructU2fSignCommand(produceRpIdHash(request.rpId), clientDataHash, keyHandle, false);
+    ASSERT(request.extensions && !request.extensions->appid.isNull());
+    return constructU2fSignCommand(produceRpIdHash(request.extensions->appid), clientDataHash, keyHandle, false);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> Vector<uint8_t> constructBogusU2fRegistrationCommand()
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnfidoU2fCommandConstructorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.h (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.h       2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.h  2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -62,7 +62,7 @@
</span><span class="cx"> WEBCORE_EXPORT Optional<Vector<uint8_t>> convertToU2fCheckOnlySignCommand(const Vector<uint8_t>& clientDataHash, const WebCore::PublicKeyCredentialCreationOptions&, const WebCore::PublicKeyCredentialDescriptor&);
</span><span class="cx"> 
</span><span class="cx"> // Extracts APDU encoded U2F sign command from PublicKeyCredentialRequestOptions.
</span><del>-WEBCORE_EXPORT Optional<Vector<uint8_t>> convertToU2fSignCommand(const Vector<uint8_t>& clientDataHash, const WebCore::PublicKeyCredentialRequestOptions&, const Vector<uint8_t>& keyHandle, bool checkOnly = false);
</del><ins>+WEBCORE_EXPORT Optional<Vector<uint8_t>> convertToU2fSignCommand(const Vector<uint8_t>& clientDataHash, const WebCore::PublicKeyCredentialRequestOptions&, const Vector<uint8_t>& keyHandle, bool isAppId = false);
</ins><span class="cx"> 
</span><span class="cx"> WEBCORE_EXPORT Vector<uint8_t> constructBogusU2fRegistrationCommand();
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebauthnfidoU2fResponseConvertercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp      2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Modules/webauthn/fido/U2fResponseConverter.cpp 2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -170,7 +170,7 @@
</span><span class="cx"> 
</span><span class="cx">     auto attestationObject = buildAttestationObject(WTFMove(authData), "fido-u2f", WTFMove(fidoAttestationStatement));
</span><span class="cx"> 
</span><del>-    return PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), true, nullptr, ArrayBuffer::create(attestationObject.data(), attestationObject.size()), nullptr, nullptr, nullptr };
</del><ins>+    return PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), true, nullptr, ArrayBuffer::create(attestationObject.data(), attestationObject.size()), nullptr, nullptr, nullptr, WTF::nullopt };
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> Optional<PublicKeyCredentialData> readU2fSignResponse(const String& rpId, const Vector<uint8_t>& keyHandle, const Vector<uint8_t>& u2fData)
</span><span class="lines">@@ -186,7 +186,7 @@
</span><span class="cx">     counter += u2fData[counterIndex + 3];
</span><span class="cx">     auto authData = buildAuthData(rpId, flags, counter, { });
</span><span class="cx"> 
</span><del>-    return PublicKeyCredentialData { ArrayBuffer::create(keyHandle.data(), keyHandle.size()), false, nullptr, nullptr, ArrayBuffer::create(authData.data(), authData.size()), ArrayBuffer::create(u2fData.data() + signatureIndex, u2fData.size() - signatureIndex), nullptr };
</del><ins>+    return PublicKeyCredentialData { ArrayBuffer::create(keyHandle.data(), keyHandle.size()), false, nullptr, nullptr, ArrayBuffer::create(authData.data(), authData.size()), ArrayBuffer::create(u2fData.data() + signatureIndex, u2fData.size() - signatureIndex), nullptr, WTF::nullopt };
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace fido
</span></span></pre></div>
<a id="trunkSourceWebCoreSourcestxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Sources.txt (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Sources.txt 2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/Sources.txt    2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -2567,6 +2567,7 @@
</span><span class="cx"> JSAudioNode.cpp
</span><span class="cx"> JSAudioParam.cpp
</span><span class="cx"> JSAudioProcessingEvent.cpp
</span><ins>+JSAuthenticationExtensionsClientInputs.cpp
</ins><span class="cx"> JSAuthenticatorAssertionResponse.cpp
</span><span class="cx"> JSAuthenticatorAttestationResponse.cpp
</span><span class="cx"> JSAuthenticatorResponse.cpp
</span></span></pre></div>
<a id="trunkSourceWebCoreWebCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj   2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj      2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -1864,6 +1864,7 @@
</span><span class="cx">          57D0018D1DD5413200ED19D9 /* JSCryptoKeyUsage.h in Headers */ = {isa = PBXBuildFile; fileRef = 57D0018C1DD5413200ED19D9 /* JSCryptoKeyUsage.h */; };
</span><span class="cx">          57D8462E1FEAF69900CA3682 /* PublicKeyCredential.h in Headers */ = {isa = PBXBuildFile; fileRef = 57D8462B1FEAF68F00CA3682 /* PublicKeyCredential.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          57D846351FEAFCD300CA3682 /* JSPublicKeyCredential.h in Headers */ = {isa = PBXBuildFile; fileRef = 57D846301FEAFC2F00CA3682 /* JSPublicKeyCredential.h */; };
</span><ins>+               57DA47B0224034E4002A4612 /* AuthenticationExtensionsClientInputs.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DA47A522401E0F002A4612 /* AuthenticationExtensionsClientInputs.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           57DCED74214305F00016B847 /* PublicKeyCredentialData.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCED72214305F00016B847 /* PublicKeyCredentialData.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          57DCED9021487FF70016B847 /* AuthenticatorTransport.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCED8C21487EDB0016B847 /* AuthenticatorTransport.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          57DCED98214882160016B847 /* JSAuthenticatorTransport.h in Headers */ = {isa = PBXBuildFile; fileRef = 57DCED92214880C60016B847 /* JSAuthenticatorTransport.h */; };
</span><span class="lines">@@ -8865,6 +8866,10 @@
</span><span class="cx">          57D8462D1FEAF68F00CA3682 /* PublicKeyCredential.idl */ = {isa = PBXFileReference; lastKnownFileType = text; path = PublicKeyCredential.idl; sourceTree = "<group>"; };
</span><span class="cx">          57D846301FEAFC2F00CA3682 /* JSPublicKeyCredential.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSPublicKeyCredential.h; sourceTree = "<group>"; };
</span><span class="cx">          57D846311FEAFC2F00CA3682 /* JSPublicKeyCredential.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSPublicKeyCredential.cpp; sourceTree = "<group>"; };
</span><ins>+               57DA47A522401E0F002A4612 /* AuthenticationExtensionsClientInputs.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AuthenticationExtensionsClientInputs.h; sourceTree = "<group>"; };
+               57DA47A722401E0F002A4612 /* AuthenticationExtensionsClientInputs.idl */ = {isa = PBXFileReference; lastKnownFileType = text; path = AuthenticationExtensionsClientInputs.idl; sourceTree = "<group>"; };
+               57DA47AC224032DC002A4612 /* JSAuthenticationExtensionsClientInputs.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = JSAuthenticationExtensionsClientInputs.cpp; sourceTree = "<group>"; };
+               57DA47AD224032DD002A4612 /* JSAuthenticationExtensionsClientInputs.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = JSAuthenticationExtensionsClientInputs.h; sourceTree = "<group>"; };
</ins><span class="cx">           57DCED72214305F00016B847 /* PublicKeyCredentialData.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = PublicKeyCredentialData.h; sourceTree = "<group>"; };
</span><span class="cx">          57DCED8C21487EDB0016B847 /* AuthenticatorTransport.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AuthenticatorTransport.h; sourceTree = "<group>"; };
</span><span class="cx">          57DCED8E21487EDB0016B847 /* AuthenticatorTransport.idl */ = {isa = PBXFileReference; lastKnownFileType = text; path = AuthenticatorTransport.idl; sourceTree = "<group>"; };
</span><span class="lines">@@ -19879,6 +19884,8 @@
</span><span class="cx">                          57152B5321CB2CE3000C37CA /* apdu */,
</span><span class="cx">                          57303BB32006C6ED00355965 /* cbor */,
</span><span class="cx">                          578A4BFA2166AE0000D08F34 /* fido */,
</span><ins>+                               57DA47A522401E0F002A4612 /* AuthenticationExtensionsClientInputs.h */,
+                               57DA47A722401E0F002A4612 /* AuthenticationExtensionsClientInputs.idl */,
</ins><span class="cx">                           57303C272009B2FC00355965 /* AuthenticatorAssertionResponse.h */,
</span><span class="cx">                          57303C292009B2FC00355965 /* AuthenticatorAssertionResponse.idl */,
</span><span class="cx">                          57303C1B2009A98600355965 /* AuthenticatorAttestationResponse.h */,
</span><span class="lines">@@ -19915,6 +19922,8 @@
</span><span class="cx">          57D8462F1FEAFB0500CA3682 /* WebAuthN */ = {
</span><span class="cx">                  isa = PBXGroup;
</span><span class="cx">                  children = (
</span><ins>+                               57DA47AC224032DC002A4612 /* JSAuthenticationExtensionsClientInputs.cpp */,
+                               57DA47AD224032DD002A4612 /* JSAuthenticationExtensionsClientInputs.h */,
</ins><span class="cx">                           57303C2E2009B7DA00355965 /* JSAuthenticatorAssertionResponse.cpp */,
</span><span class="cx">                          57303C2D2009B7D900355965 /* JSAuthenticatorAssertionResponse.h */,
</span><span class="cx">                          57303C202009AEF500355965 /* JSAuthenticatorAttestationResponse.cpp */,
</span><span class="lines">@@ -28608,6 +28617,7 @@
</span><span class="cx">                          7EE6846112D26E3800E79415 /* AuthenticationChallenge.h in Headers */,
</span><span class="cx">                          934F713A0D5A6F1000018D69 /* AuthenticationChallengeBase.h in Headers */,
</span><span class="cx">                          E124748410AA161D00B79493 /* AuthenticationClient.h in Headers */,
</span><ins>+                               57DA47B0224034E4002A4612 /* AuthenticationExtensionsClientInputs.h in Headers */,
</ins><span class="cx">                           514C764C0CE9234E007EF3CD /* AuthenticationMac.h in Headers */,
</span><span class="cx">                          57303C2C2009B4A800355965 /* AuthenticatorAssertionResponse.h in Headers */,
</span><span class="cx">                          57303C1F2009AB4200355965 /* AuthenticatorAttestationResponse.h in Headers */,
</span></span></pre></div>
<a id="trunkSourceWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/ChangeLog (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/ChangeLog    2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebKit/ChangeLog       2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2019-03-19  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Implement FIDO AppID extension
+        https://bugs.webkit.org/show_bug.cgi?id=143491
+        <rdar://problem/48298273>
+
+        Reviewed by Brent Fulgham.
+
+        In U2fHidAuthenticator::continueSignCommandAfterResponseReceived, it will retry the current command
+        with the AppID if it exists when SW_WRONG_DATA is received from devices. Noted, it will not set
+        the AuthenticationExtensionsClientOutputs::appid to false in any circumstances. In other words, the
+        field will be empty if AppID is supplied in AuthenticationExtensionsClientInputs and not used.
+
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
+        (WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented):
+        * UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp:
+        (WebKit::U2fHidAuthenticator::issueSignCommand):
+        (WebKit::U2fHidAuthenticator::continueSignCommandAfterResponseReceived):
+        * UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h:
+
</ins><span class="cx"> 2019-03-19  Ross Kirsling  <ross.kirsling@sony.com>
</span><span class="cx"> 
</span><span class="cx">         Unreviewed adjustment to r242842 per Darin's request.
</span></span></pre></div>
<a id="trunkSourceWebKitUIProcessWebAuthenticationCocoaLocalAuthenticatormm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm      2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm 2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -326,7 +326,7 @@
</span><span class="cx">     }
</span><span class="cx">     auto attestationObject = buildAttestationObject(WTFMove(authData), "Apple", WTFMove(attestationStatementMap));
</span><span class="cx"> 
</span><del>-    receiveRespond(PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), true, nullptr, ArrayBuffer::create(attestationObject.data(), attestationObject.size()), nullptr, nullptr, nullptr });
</del><ins>+    receiveRespond(PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), true, nullptr, ArrayBuffer::create(attestationObject.data(), attestationObject.size()), nullptr, nullptr, nullptr, WTF::nullopt });
</ins><span class="cx"> #endif // !PLATFORM(IOS_FAMILY)
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -463,7 +463,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Step 13.
</span><del>-    receiveRespond(PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), false, nullptr, nullptr, ArrayBuffer::create(authData.data(), authData.size()), ArrayBuffer::create(signature.data(), signature.size()), ArrayBuffer::create(userhandle.data(), userhandle.size()) });
</del><ins>+    receiveRespond(PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), false, nullptr, nullptr, ArrayBuffer::create(authData.data(), authData.size()), ArrayBuffer::create(signature.data(), signature.size()), ArrayBuffer::create(userhandle.data(), userhandle.size()), WTF::nullopt });
</ins><span class="cx"> #endif // !PLATFORM(IOS_FAMILY)
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKitUIProcessWebAuthenticationfidoU2fHidAuthenticatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp     2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp        2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -101,7 +101,7 @@
</span><span class="cx">         receiveRespond(ExceptionData { NotAllowedError, "No credentials from the allowCredentials list is found in the authenticator."_s });
</span><span class="cx">         return;
</span><span class="cx">     }
</span><del>-    auto u2fCmd = convertToU2fSignCommand(requestData().hash, requestData().requestOptions, requestData().requestOptions.allowCredentials[index].idVector);
</del><ins>+    auto u2fCmd = convertToU2fSignCommand(requestData().hash, requestData().requestOptions, requestData().requestOptions.allowCredentials[index].idVector, m_isAppId);
</ins><span class="cx">     ASSERT(u2fCmd);
</span><span class="cx">     issueNewCommand(WTFMove(*u2fCmd), CommandType::SignCommand);
</span><span class="cx"> }
</span><span class="lines">@@ -200,11 +200,19 @@
</span><span class="cx"> {
</span><span class="cx">     switch (apduResponse.status()) {
</span><span class="cx">     case ApduResponse::Status::SW_NO_ERROR: {
</span><del>-        auto response = readU2fSignResponse(requestData().requestOptions.rpId, requestData().requestOptions.allowCredentials[m_nextListIndex - 1].idVector, apduResponse.data());
</del><ins>+        Optional<PublicKeyCredentialData> response;
+        if (m_isAppId) {
+            ASSERT(requestData().requestOptions.extensions && !requestData().requestOptions.extensions->appid.isNull());
+            response = readU2fSignResponse(requestData().requestOptions.extensions->appid, requestData().requestOptions.allowCredentials[m_nextListIndex - 1].idVector, apduResponse.data());
+        } else
+            response = readU2fSignResponse(requestData().requestOptions.rpId, requestData().requestOptions.allowCredentials[m_nextListIndex - 1].idVector, apduResponse.data());
</ins><span class="cx">         if (!response) {
</span><span class="cx">             receiveRespond(ExceptionData { UnknownError, "Couldn't parse the U2F sign response."_s });
</span><span class="cx">             return;
</span><span class="cx">         }
</span><ins>+        if (m_isAppId)
+            response->appid = m_isAppId;
+
</ins><span class="cx">         receiveRespond(WTFMove(*response));
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="lines">@@ -212,6 +220,17 @@
</span><span class="cx">         // Polling is required during test of user presence.
</span><span class="cx">         m_retryTimer.startOneShot(Seconds::fromMilliseconds(retryTimeOutValueMs));
</span><span class="cx">         return;
</span><ins>+    case ApduResponse::Status::SW_WRONG_DATA:
+        if (requestData().requestOptions.extensions && !requestData().requestOptions.extensions->appid.isNull()) {
+            if (!m_isAppId) {
+                m_isAppId = true;
+                issueSignCommand(m_nextListIndex - 1);
+                return;
+            }
+            m_isAppId = false;
+        }
+        issueSignCommand(m_nextListIndex++);
+        return;
</ins><span class="cx">     default:
</span><span class="cx">         issueSignCommand(m_nextListIndex++);
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceWebKitUIProcessWebAuthenticationfidoU2fHidAuthenticatorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h       2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.h  2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -74,6 +74,7 @@
</span><span class="cx">     Vector<uint8_t> m_lastCommand;
</span><span class="cx">     CommandType m_lastCommandType;
</span><span class="cx">     size_t m_nextListIndex { 0 };
</span><ins>+    bool m_isAppId { false };
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace WebKit
</span></span></pre></div>
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog    2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Tools/ChangeLog       2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -1,3 +1,19 @@
</span><ins>+2019-03-19  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Implement FIDO AppID extension
+        https://bugs.webkit.org/show_bug.cgi?id=143491
+        <rdar://problem/48298273>
+
+        Reviewed by Brent Fulgham.
+
+        Add a test that covers the new flag of convertToU2fSignCommand.
+
+        * TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WebCore/FidoTestData.h:
+        * TestWebKitAPI/Tests/WebCore/U2fCommandConstructorTest.cpp:
+        (TestWebKitAPI::TEST):
+
</ins><span class="cx"> 2019-03-19  Keith Rollin  <krollin@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Add support for more platforms to generate-xcfilelists
</span></span></pre></div>
<a id="trunkToolsTestWebKitAPITestsWebCoreCtapRequestTestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp      2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp 2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx">     Vector<PublicKeyCredentialCreationOptions::Parameters> params { { PublicKeyCredentialType::PublicKey, 7 }, { PublicKeyCredentialType::PublicKey, 257 } };
</span><span class="cx">     PublicKeyCredentialCreationOptions::AuthenticatorSelectionCriteria selection { PublicKeyCredentialCreationOptions::AuthenticatorAttachment::Platform, true, UserVerificationRequirement::Preferred };
</span><span class="cx"> 
</span><del>-    PublicKeyCredentialCreationOptions options { rp, user, { }, params, WTF::nullopt, { }, selection };
</del><ins>+    PublicKeyCredentialCreationOptions options { rp, user, { }, params, WTF::nullopt, { }, selection, WTF::nullopt };
</ins><span class="cx">     Vector<uint8_t> hash;
</span><span class="cx">     hash.append(TestData::kClientDataHash, sizeof(TestData::kClientDataHash));
</span><span class="cx">     auto serializedData = encodeMakeCredenitalRequestAsCBOR(hash, options, AuthenticatorSupportedOptions::UserVerificationAvailability::kSupportedButNotConfigured);
</span></span></pre></div>
<a id="trunkToolsTestWebKitAPITestsWebCoreFidoTestDatah"></a>
<div class="modfile"><h4>Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h   2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h      2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -113,6 +113,32 @@
</span><span class="cx">     0x00, 0x00,
</span><span class="cx"> };
</span><span class="cx"> 
</span><ins>+constexpr uint8_t kU2fAppIDSignCommandApdu[] = {
+    // CLA, INS, P1, P2 APDU instruction parameters
+    0x00, 0x02, 0x03, 0x00,
+    // Data Length (3 bytes in big endian order)
+    0x00, 0x00, 0x81,
+    // Challenge parameter -- see kClientDataHash
+    0x68, 0x71, 0x34, 0x96, 0x82, 0x22, 0xec, 0x17, 0x20, 0x2e, 0x42,
+    0x50, 0x5f, 0x8e, 0xd2, 0xb1, 0x6a, 0xe2, 0x2f, 0x16, 0xbb, 0x05,
+    0xb8, 0x8c, 0x25, 0xdb, 0x9e, 0x60, 0x26, 0x45, 0xf1, 0x41,
+    // Application parameter
+    0xc9, 0x34, 0x02, 0x87, 0x08, 0x3d, 0x64, 0xde, 0xed, 0x17, 0x1b, 0xbb,
+    0xd7, 0x60, 0x10, 0xae, 0xc5, 0x65, 0x3e, 0x78, 0xfc, 0xd0, 0x31, 0x88,
+    0xd0, 0xbf, 0x70, 0x16, 0x9a, 0x46, 0x91, 0xda,
+    // Key handle length
+    0x40,
+    // Key handle
+    0x3E, 0xBD, 0x89, 0xBF, 0x77, 0xEC, 0x50, 0x97, 0x55, 0xEE, 0x9C, 0x26,
+    0x35, 0xEF, 0xAA, 0xAC, 0x7B, 0x2B, 0x9C, 0x5C, 0xEF, 0x17, 0x36, 0xC3,
+    0x71, 0x7D, 0xA4, 0x85, 0x34, 0xC8, 0xC6, 0xB6, 0x54, 0xD7, 0xFF, 0x94,
+    0x5F, 0x50, 0xB5, 0xCC, 0x4E, 0x78, 0x05, 0x5B, 0xDD, 0x39, 0x6B, 0x64,
+    0xF7, 0x8D, 0xA2, 0xC5, 0xF9, 0x62, 0x00, 0xCC, 0xD4, 0x15, 0xCD, 0x08,
+    0xFE, 0x42, 0x00, 0x38,
+    // Max response length
+    0x00, 0x00,
+};
+
</ins><span class="cx"> constexpr uint8_t kU2fCheckOnlySignCommandApdu[] = {
</span><span class="cx">     // CLA, INS, P1, P2 APDU instruction parameters
</span><span class="cx">     0x00, 0x02, 0x07, 0x00,
</span></span></pre></div>
<a id="trunkToolsTestWebKitAPITestsWebCoreU2fCommandConstructorTestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/U2fCommandConstructorTest.cpp (243192 => 243193)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/TestWebKitAPI/Tests/WebCore/U2fCommandConstructorTest.cpp    2019-03-20 05:40:11 UTC (rev 243192)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/U2fCommandConstructorTest.cpp       2019-03-20 06:11:57 UTC (rev 243193)
</span><span class="lines">@@ -176,6 +176,27 @@
</span><span class="cx">     EXPECT_EQ(*u2fSignCommand, convertBytesToVector(TestData::kU2fSignCommandApdu, sizeof(TestData::kU2fSignCommandApdu)));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+TEST(U2fCommandConstructorTest, TestConvertCtapGetAssertionWithAppIDToU2fSignRequest)
+{
+    auto getAssertionReq = constructGetAssertionRequest();
+    PublicKeyCredentialDescriptor credentialDescriptor;
+    credentialDescriptor.type = PublicKeyCredentialType::PublicKey;
+    credentialDescriptor.idVector = convertBytesToVector(TestData::kU2fSignKeyHandle, sizeof(TestData::kU2fSignKeyHandle));
+    Vector<PublicKeyCredentialDescriptor> allowedList;
+    allowedList.append(WTFMove(credentialDescriptor));
+    getAssertionReq.allowCredentials = WTFMove(allowedList);
+    EXPECT_TRUE(isConvertibleToU2fSignCommand(getAssertionReq));
+
+    // AppID
+    WebCore::AuthenticationExtensionsClientInputs extensions;
+    extensions.appid = "https://www.example.com/appid";
+    getAssertionReq.extensions = WTFMove(extensions);
+
+    const auto u2fSignCommand = convertToU2fSignCommand(convertBytesToVector(TestData::kClientDataHash, sizeof(TestData::kClientDataHash)), getAssertionReq, convertBytesToVector(TestData::kU2fSignKeyHandle, sizeof(TestData::kU2fSignKeyHandle)), true);
+    ASSERT_TRUE(u2fSignCommand);
+    EXPECT_EQ(*u2fSignCommand, convertBytesToVector(TestData::kU2fAppIDSignCommandApdu, sizeof(TestData::kU2fAppIDSignCommandApdu)));
+}
+
</ins><span class="cx"> TEST(U2fCommandConstructorTest, TestU2fSignAllowListRequirement)
</span><span class="cx"> {
</span><span class="cx">     auto getAssertionReq = constructGetAssertionRequest();
</span></span></pre>
</div>
</div>

</body>
</html>