[webkit-reviews] review denied: [Bug 205376] [WebAuthn] Implement coders for CTAP ClientPIN requests and responses : [Attachment 385972] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 18 17:54:02 PST 2019 

Brent Fulgham <bfulgham at webkit.org> has denied Jiewen Tan
<jiewen_tan at apple.com>'s request for review:
Bug 205376: [WebAuthn] Implement coders for CTAP ClientPIN requests and
responses
https://bugs.webkit.org/show_bug.cgi?id=205376

Attachment 385972: Patch

https://bugs.webkit.org/attachment.cgi?id=385972&action=review




--- Comment #5 from Brent Fulgham <bfulgham at webkit.org> ---
Comment on attachment 385972
  --> https://bugs.webkit.org/attachment.cgi?id=385972
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=385972&action=review

Looks like your API tests are failing on some systems.

> Source/WebCore/ChangeLog:24
> +	   of API tests.

I suggest rephrasing this as: "The authenticatorClientPIN subCommands are based
on a Chromium patch:
https://chromium-review.googlesource.com/c/chromium/src/+/1457004 Specifically,
it adopts the interfaces from that patch, but rewrites the BoringSSL-based
crypto features using WebCore's WebCrypto implementation. This allows us to
focus on high level crypto interfaces, and lets WebCrypto handle the underlying
crypto library. Also, the original Chromium patch lacks tests. We introduce a
large set of API tests to confirm proper function."

> Source/WebCore/ChangeLog:29
> +	   made headers private for TestWebKitAPI.

Maybe: "This patch also makes the AES CBC, EDCH, and HMAC platform*
implementations public, so that these implementations can be shared by
WebAuthentication and test infrastructure."

> Source/WebCore/Modules/webauthn/fido/Pin.cpp:111
> +// static

I don't think these comments are helpful. I suggest removing them.

> Source/WebCore/Modules/webauthn/fido/Pin.cpp:170
> +	   {-1 /* curve */, 1 /* P-256 */},

I think this Vector<std::pair<int, int>> would be better as a constexpr called
'P256Point' or something, and this loop as a helper function: "static bool
coseKeyIsP256Point(const CBORValue::MapValue& coseKey)"

> Source/WebCore/Modules/webauthn/fido/Pin.h:63
> +enum class RequestKey : int {

Does this need to be an 'int' by spec? All values are positive, and would fit
in a byte (could be uint8_t).

> Source/WebCore/crypto/mac/CryptoKeyRSAMac.cpp:204
> +	   return WTFMove(result);

Is this WTFMove() necessary? I would expect the return value optimization to
handle this.

> Source/WebCore/crypto/mac/CryptoKeyRSAMac.cpp:211
> +    return WTFMove(result);

Is this WTFMove() necessary? I would expect the return value optimization to
handle this.

More information about the webkit-reviews mailing list