Cherry-pick r294122. rdar://problem/93191958

[WebAuthn] Include backup state in authenticatorData https://bugs.webkit.org/show_bug.cgi?id=240353 rdar://problem/93191958 Reviewed by Brent Fulgham. Source/WebCore: Add flags for credential backup state: w3c/webauthn#1695 * Modules/webauthn/WebAuthenticationConstants.h: Source/WebKit: This patch adds support for backup state flags, which will be added to the Web Authentication spec soon via w3c/webauthn#1695 These flags are set whenever a credential is "backup eligible" and "backed up" hinting to RPs that the credential is "durable" and may persist through device restores. This is useful for RPs that may choose to offer to remove the user password if a credental is in this state. * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm: (WebKit::LocalAuthenticatorInternal::authDataFlags): (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification): (WebKit::LocalAuthenticator::continueGetAssertionAfterUserVerification): Canonical link: https://commits.webkit.org/250501@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294122 268f45cc-cd09-0410-ab3c-d52691b4dbfc Canonical link: https://commits.webkit.org/[email protected] git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-7614.1.13-branch@294134 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · May 13, 2022 · bd5ded2 · bd5ded2
1 parent 5523c48
commit bd5ded2
Show file tree

Hide file tree

Showing 4 changed files with 119 additions and 7 deletions.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,49 @@
+2022-05-12  Russell Epstein  <[email protected]>
+
+        Cherry-pick r294122. rdar://problem/93191958
+
+    [WebAuthn] Include backup state in authenticatorData
+    https://bugs.webkit.org/show_bug.cgi?id=240353
+    rdar://problem/93191958
+
+    Reviewed by Brent Fulgham.
+
+    Source/WebCore:
+
+    Add flags for credential backup state: https://github.com/w3c/webauthn/pull/1695
+
+    * Modules/webauthn/WebAuthenticationConstants.h:
+
+    Source/WebKit:
+
+    This patch adds support for backup state flags, which will be added to
+    the Web Authentication spec soon via https://github.com/w3c/webauthn/pull/1695
+
+    These flags are set whenever a credential is "backup eligible" and "backed up"
+    hinting to RPs that the credential is "durable" and may persist through device
+    restores. This is useful for RPs that may choose to offer to remove the user
+    password if a credental is in this state.
+
+    * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+    (WebKit::LocalAuthenticatorInternal::authDataFlags):
+    (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification):
+    (WebKit::LocalAuthenticator::continueGetAssertionAfterUserVerification):
+
+
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294122 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-05-12  J Pascoe  <[email protected]>
+
+            [WebAuthn] Include backup state in authenticatorData
+            https://bugs.webkit.org/show_bug.cgi?id=240353
+            rdar://problem/93191958
+
+            Reviewed by Brent Fulgham.
+
+            Add flags for credential backup state: https://github.com/w3c/webauthn/pull/1695
+
+            * Modules/webauthn/WebAuthenticationConstants.h:
+
 2022-05-12  Russell Epstein  <[email protected]>
 
         Cherry-pick r294088. rdar://problem/93134975

diff --git a/Source/WebCore/Modules/webauthn/WebAuthenticationConstants.h b/Source/WebCore/Modules/webauthn/WebAuthenticationConstants.h
@@ -110,5 +110,8 @@ enum class Scope {
 constexpr uint8_t userPresenceFlag = 0b00000001;
 constexpr uint8_t userVerifiedFlag = 0b00000100;
 constexpr uint8_t attestedCredentialDataIncludedFlag = 0b01000000;
+// https://github.com/w3c/webauthn/pull/1695
+constexpr uint8_t backupEligibilityFlag = 0b00001000;
+constexpr uint8_t backupStateFlag = 0b00010000;
 
 } // namespace WebAuthn
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,58 @@
+2022-05-12  Russell Epstein  <[email protected]>
+
+        Cherry-pick r294122. rdar://problem/93191958
+
+    [WebAuthn] Include backup state in authenticatorData
+    https://bugs.webkit.org/show_bug.cgi?id=240353
+    rdar://problem/93191958
+
+    Reviewed by Brent Fulgham.
+
+    Source/WebCore:
+
+    Add flags for credential backup state: https://github.com/w3c/webauthn/pull/1695
+
+    * Modules/webauthn/WebAuthenticationConstants.h:
+
+    Source/WebKit:
+
+    This patch adds support for backup state flags, which will be added to
+    the Web Authentication spec soon via https://github.com/w3c/webauthn/pull/1695
+
+    These flags are set whenever a credential is "backup eligible" and "backed up"
+    hinting to RPs that the credential is "durable" and may persist through device
+    restores. This is useful for RPs that may choose to offer to remove the user
+    password if a credental is in this state.
+
+    * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+    (WebKit::LocalAuthenticatorInternal::authDataFlags):
+    (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification):
+    (WebKit::LocalAuthenticator::continueGetAssertionAfterUserVerification):
+
+
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294122 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-05-12  J Pascoe  <[email protected]>
+
+            [WebAuthn] Include backup state in authenticatorData
+            https://bugs.webkit.org/show_bug.cgi?id=240353
+            rdar://problem/93191958
+
+            Reviewed by Brent Fulgham.
+
+            This patch adds support for backup state flags, which will be added to
+            the Web Authentication spec soon via https://github.com/w3c/webauthn/pull/1695
+
+            These flags are set whenever a credential is "backup eligible" and "backed up"
+            hinting to RPs that the credential is "durable" and may persist through device
+            restores. This is useful for RPs that may choose to offer to remove the user
+            password if a credental is in this state.
+
+            * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+            (WebKit::LocalAuthenticatorInternal::authDataFlags):
+            (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification):
+            (WebKit::LocalAuthenticator::continueGetAssertionAfterUserVerification):
+
 2022-05-12  Russell Epstein  <[email protected]>
 
         Cherry-pick r294084. rdar://problem/93036066

diff --git a/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm b/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm
@@ -75,11 +75,6 @@ static bool shouldUpdateQuery()
 
 namespace LocalAuthenticatorInternal {
 
-// See https://www.w3.org/TR/webauthn/#flags.
-const uint8_t makeCredentialFlags = userPresenceFlag | userVerifiedFlag | attestedCredentialDataIncludedFlag; // UP, UV and AT are set.
-const uint8_t otherMakeCredentialFlags = userPresenceFlag | attestedCredentialDataIncludedFlag; // UP and AT are set.
-const uint8_t getAssertionFlags = userPresenceFlag | userVerifiedFlag; // UP and UV are set.
-const uint8_t otherGetAssertionFlags = userPresenceFlag; // UP is set.
 // Credential ID is currently SHA-1 of the corresponding public key.
 const uint16_t credentialIdLength = 20;
 const uint64_t counter = 0;
@@ -101,6 +96,18 @@ static inline bool emptyTransportsOrContain(const Vector<AuthenticatorTransport>
     return result;
 }
 
+static inline uint8_t authDataFlags(ClientDataType type, LocalConnection::UserVerification verification, bool synchronizable)
+{
+    auto flags = userPresenceFlag;
+    if (verification != LocalConnection::UserVerification::Presence)
+        flags |= userVerifiedFlag;
+    if (type == ClientDataType::Create)
+        flags |= attestedCredentialDataIncludedFlag;
+    if (synchronizable)
+        flags |= backupEligibilityFlag | backupStateFlag;
+    return flags;
+}
+
 static inline Vector<uint8_t> aaguidVector()
 {
     static NeverDestroyed<Vector<uint8_t>> aaguidVector = { aaguid, aaguidLength };
@@ -451,7 +458,7 @@ static inline bool emptyTransportsOrContain(const Vector<AuthenticatorTransport>
         cosePublicKey = encodeES256PublicKeyAsCBOR(WTFMove(x), WTFMove(y));
     }
 
-    auto flags = verification == LocalConnection::UserVerification::Presence ? otherMakeCredentialFlags : makeCredentialFlags;
+    auto flags = authDataFlags(ClientDataType::Create, verification, shouldUpdateQuery());
     // Step 12.
     // Skip Apple Attestation for none attestation.
     if (creationOptions.attestation == AttestationConveyancePreference::None) {
@@ -622,7 +629,8 @@ static inline bool emptyTransportsOrContain(const Vector<AuthenticatorTransport>
 
     // Step 10.
     auto requestOptions = std::get<PublicKeyCredentialRequestOptions>(requestData().options);
-    auto authData = buildAuthData(requestOptions.rpId, verification == LocalConnection::UserVerification::Presence ? otherGetAssertionFlags : getAssertionFlags, counter, { });
+    auto flags = authDataFlags(ClientDataType::Get, verification, response->synchronizable());
+    auto authData = buildAuthData(requestOptions.rpId, flags, counter, { });
 
     // Step 11.
     RetainPtr<CFDataRef> signature;