This patch was generated by my modeline.py script.
MozReview-Commit-ID: EbVjPLwiUAT
Depends on D4159
Differential Revision: https://phabricator.services.mozilla.com/D4161
--HG--
extra : moz-landing-system : lando
Summary:
This only adds the new WebIDL types but doesn't do any plumbing yet.
Bug 1406471 seems to be better suited for that.
Reviewers: jcj
Reviewed By: jcj
Bug #: 1406458
Differential Revision: https://phabricator.services.mozilla.com/D555
The Web Authentication CollectedClientData is missing the type field, which
is just a simple string. (The editor's draft also removes hashAlgorithm, but
let's not get ahead of ourselves...)
Add in that simple string. This was found at interop testing.
MozReview-Commit-ID: DlawLyHTYhB
--HG--
extra : rebase_source : 6cdd8e14161dc4aea5bfd1baf60c7384219ba951
The WebAuthn spec lets RPs ask to specifically get direct attestation certificates
during credential creation using the "Attestation Conveyance Preference" [1].
This change adds that field into the WebIDL and ignores it for now. This is
pre-work to Bug #1430150 which will make this useful (which in turn requires
Bug #1416056's support for anonymizing those attestation certificates).
[1] https://www.w3.org/TR/webauthn/#attestation-convey
MozReview-Commit-ID: 763vaAMv48z
--HG--
extra : rebase_source : 7fb7c64a0ee3167032485378af6074a7366295a4
Late-breaking rename pre-CR in Web Authentication [1] renamed a dictionary. It's
not an interop issue, really, which must be why it was let through. This is a
WebIDL and Web Platform Tests-only issue. (The WPT updates are happening at
Github [2])
[1] https://github.com/w3c/webauthn/pull/779/files
[2] https://github.com/w3c/web-platform-tests/pull/9237
MozReview-Commit-ID: KEIlqIYbzKp
--HG--
extra : rebase_source : 4204ea62a41f374a6731a9367552af122d354145
Summary:
Add support for PublicKeyCredentialRequestOptions.userVerification. For now
this basically means that we'll abort the operation with NotAllowed, as we
don't support user verification yet.
Pass PublicKeyCredentialDescriptor.transports through to the token manager
implementations. The softoken will ignore those and pretend to support all
transports defined by the spec. The USB HID token will check for the "usb"
transport and either ignore credentials accordingly, or abort the operation.
Note: The `UserVerificationRequirement` in WebIDL is defined at https://w3c.github.io/webauthn/#assertion-options
Reviewers: jcj, smaug
Reviewed By: jcj, smaug
Bug #: 1406467
Differential Revision: https://phabricator.services.mozilla.com/D338
--HG--
extra : amend_source : 314cadb3bc40bbbee2a414bc5f13caed55f9d720
Summary:
We currently implement no platform authenticators, so this would always
resolve to false. For those cases, the spec recommends a resolve timeout
on the order of 10 minutes to avoid fingerprinting.
A simple solution is thus to never resolve the promise, otherwise we'd
have to track every single call to this method along with a promise
and timer to resolve it after exactly X minutes.
A Relying Party has to deal with a non-response in a timely fashion, so
we can keep this as-is (and not resolve) even when we support platform
authenticators but they're not available, or a user rejects a website's
request to use them.
Reviewers: jcj, smaug
Reviewed By: jcj, smaug
Bug #: 1406468
Differential Revision: https://phabricator.services.mozilla.com/D217
The WD-06 (and later) WebAuthn specs choose to move to integer algorithm
identifiers for the signatures [1], with a handful of algorithms identified [2].
U2F devices only support ES256 (e.g., COSE ID "-7"), so that's all that is
implemented here.
Note that the spec also now requires that we accept empty lists of parameters,
and in that case, the RP says they aren't picky, so this changes what happens
when the parameter list is empty (but still aborts when the list is non-empty
but doesn't have anything we can use) [3].
There's a follow-on to move parameter-validation logic into the U2FTokenManager
in Bug 1409220.
[1] https://w3c.github.io/webauthn/#dictdef-publickeycredentialparameters
[2] https://w3c.github.io/webauthn/#alg-identifier
[3] https://w3c.github.io/webauthn/#createCredential bullet #12
MozReview-Commit-ID: KgL7mQ9u1uq
--HG--
extra : rebase_source : 2a1767805779a9f8049102723011193f113f0713
Reorder WebAuthentication.webidl to match the ordering of the IDL index in
the Web Authentication spec. No normative changes.
MozReview-Commit-ID: 7qPE60Qh7Ly
--HG--
extra : rebase_source : 18f18a85c013528bf9b2ec84165f7a32a134c3d7
This covers these renames:
* In CollectedClientData, hashAlg => hashAlgorithm
* In CollectedClientData, tokenBinding => tokenBindingId
* In MakePublicKeyCredentialOptions, parameters => pubKeyCredParams
* In MakePublicKeyCredentialOptions, excludeList => excludeCredentials
* In PublicKeyCredentialRequestOptions, allowList => allowCredentials
* Transport (WebAuthnTransport in Gecko) => AuthenticatorTransport
MozReview-Commit-ID: 3FdRnkosy83
--HG--
extra : rebase_source : 22f124c781b03837ad0cd4be4edf34527e3b9d38
This covers these renames:
* In PublicKeyCredentialParameters, algorithm => alg
* MakeCredentialOptions => MakePublicKeyCredentialOptions
* PublicKeyCredentialEntity => PublicKeyCredentialRpEntity
* Attachment => AuthenticatorAttachment
It sets a default excludeList and allowList for the make / get options.
It adds the method isPlatformAuthenticatorAvailable which is incomplete and
not callable, to be completed in Bug 1406468.
Adds type PublicKeyCredentialRpEntity.
Adds "userId" to AuthenticatorAssertionResponse.
Adds "id" as a buffer source to PublicKeyCredentialUserEntity and as a
DOMString to PublicKeyCredentialRpEntity, refactoring out the "id" field
from the parent PublicKeyCredentialEntity.
It also adds a simple enforcement per spec 4.4.3 "User Account Parameters for
Credential Generation" that the new user ID buffer, if set, be no more than
64 bytes long. I mostly added it here so I could adjust the tests all at once
in this commit.
MozReview-Commit-ID: IHUdGVoWocq
--HG--
extra : rebase_source : bc1793f74700b2785d2bf2099c0dba068f717a59
Most of the WebIDL objects for the current editor's draft of Web Authentication
are annotated as [SameObject], which won't affect interop based on WD-05 [1].
We should go ahead and annotate ours that way.
[1] https://w3c.github.io/webauthn/#idl-index
MozReview-Commit-ID: 2T2YR3g66nC
--HG--
extra : rebase_source : f446efc285096bf3700e02090044ae9d4ce2a5b4
Should have happened in Bug 1309284 but was missed since test_interfaces'
scheme wasn't https.
Update: Disable all WebAuthn webidl interfaces.
MozReview-Commit-ID: CSeGLoIGKvf
--HG--
extra : rebase_source : bce1b425462e3ec9346de68b7224802ccf431327
This patch implements the W3C Web Authentication API from
https://www.w3.org/TR/webauthn/, currently the 28 September 2016
working draft.
It utilizes a tentative binding of the U2F NSS Soft Token to provide
authentication services while waiting on Bug 1245527 to support USB HID-based
U2F tokens. This binding is not in the specification yet, so it should be
considered an experiment to help the specification move fowrard.
There are also a handful of deviations from the specification's WebIDL, which
are annotated with comments in WebAuthentication.webidl.
There are no tests in this commit; they are in Part 4 of this commit series.
There is a small script online at https://webauthn.bin.coffee/ to exercise this
code, but it doesn't do any automated checks.
There are also a handful of TODOS:
1) The algorithm to relax the same-origin restriction is in Part 3.
2) The use of AlgorithmIdentifier and having a way to coerce an object to a
string is still missing.
3) Timeouts and deadlines aren't there, and are pending reworking how
the nsIU2FToken interface works.
UPDATED:
- Address qdot, keeler review comments (thanks!)
- Address more qdot, keeler review comments (thanks!)
MozReview-Commit-ID: JITapI38iOh
--HG--
extra : rebase_source : 9a09e852dd0c8dc47f42dabbcf8b845a6828b225