mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-23 02:05:42 +00:00
dfd51d4000
Differential Revision: https://phabricator.services.mozilla.com/D32057 --HG-- extra : moz-landing-system : lando
125 lines
4.7 KiB
HTML
125 lines
4.7 KiB
HTML
<!DOCTYPE html>
|
|
<meta charset=utf-8>
|
|
<head>
|
|
<title>W3C Web Authentication - Attestation Conveyance</title>
|
|
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
|
<script type="text/javascript" src="u2futil.js"></script>
|
|
<script type="text/javascript" src="pkijs/common.js"></script>
|
|
<script type="text/javascript" src="pkijs/asn1.js"></script>
|
|
<script type="text/javascript" src="pkijs/x509_schema.js"></script>
|
|
<script type="text/javascript" src="pkijs/x509_simpl.js"></script>
|
|
<script type="text/javascript" src="cbor.js"></script>
|
|
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
|
</head>
|
|
<body>
|
|
|
|
<h1>W3C Web Authentication - Attestation Conveyance</h1>
|
|
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1428916">Mozilla Bug 1428916</a>
|
|
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1416056">Mozilla Bug 1416056</a>
|
|
|
|
<script class="testbody" type="text/javascript">
|
|
"use strict";
|
|
|
|
function getAttestationCertFromAttestationBuffer(aAttestationBuffer) {
|
|
return webAuthnDecodeCBORAttestation(aAttestationBuffer)
|
|
.then((aAttestationObj) => {
|
|
is(aAttestationObj.fmt, "fido-u2f", "Is a FIDO U2F Attestation");
|
|
let attestationCertDER = aAttestationObj.attStmt.x5c[0];
|
|
let certDERBuffer = attestationCertDER.slice(0, attestationCertDER.byteLength).buffer;
|
|
let certAsn1 = org.pkijs.fromBER(certDERBuffer);
|
|
return new org.pkijs.simpl.CERT({ schema: certAsn1.result });
|
|
});
|
|
}
|
|
|
|
function verifyAnonymizedCertificate(aResult) {
|
|
return webAuthnDecodeCBORAttestation(aResult.response.attestationObject)
|
|
.then(({fmt, attStmt}) => {
|
|
is(fmt, "none", "Is a None Attestation");
|
|
is(typeof(attStmt), "object", "attStmt is a map");
|
|
is(Object.keys(attStmt).length, 0, "attStmt is empty");
|
|
});
|
|
}
|
|
|
|
function verifyDirectCertificate(aResult) {
|
|
return getAttestationCertFromAttestationBuffer(aResult.response.attestationObject)
|
|
.then((attestationCert) => {
|
|
let subject = attestationCert.subject.types_and_values[0].value.value_block.value;
|
|
is(subject, "Firefox U2F Soft Token", "Subject name matches the direct Soft Token")
|
|
});
|
|
}
|
|
|
|
function arrivingHereIsBad(aResult) {
|
|
ok(false, "Bad result! Received a: " + aResult);
|
|
}
|
|
|
|
function expectTypeError(aResult) {
|
|
ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError, got " + aResult);
|
|
}
|
|
|
|
add_task(() => {
|
|
// Enable the softtoken.
|
|
return SpecialPowers.pushPrefEnv({"set": [
|
|
["security.webauth.webauthn", true],
|
|
["security.webauth.webauthn_enable_softtoken", true],
|
|
["security.webauth.webauthn_enable_usbtoken", false],
|
|
["security.webauth.webauthn_enable_android_fido2", false],
|
|
["security.webauth.webauthn_testing_allow_direct_attestation", true],
|
|
]});
|
|
});
|
|
|
|
// Start a new MakeCredential() request.
|
|
function requestMakeCredential(attestation) {
|
|
let publicKey = {
|
|
rp: {id: document.domain, name: "none", icon: "none"},
|
|
user: {id: new Uint8Array(), name: "none", icon: "none", displayName: "none"},
|
|
challenge: crypto.getRandomValues(new Uint8Array(16)),
|
|
timeout: 5000, // the minimum timeout is actually 15 seconds
|
|
pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],
|
|
attestation,
|
|
};
|
|
|
|
return navigator.credentials.create({publicKey});
|
|
}
|
|
|
|
// Test success cases for make credential.
|
|
add_task(async () => {
|
|
// No selection criteria should be equal to none, which means anonymized
|
|
await requestMakeCredential()
|
|
.then(verifyAnonymizedCertificate)
|
|
.catch(arrivingHereIsBad);
|
|
|
|
// Request no attestation.
|
|
await requestMakeCredential("none")
|
|
.then(verifyAnonymizedCertificate)
|
|
.catch(arrivingHereIsBad);
|
|
|
|
// Request indirect attestation, which is the same as none.
|
|
await requestMakeCredential("indirect")
|
|
.then(verifyAnonymizedCertificate)
|
|
.catch(arrivingHereIsBad);
|
|
|
|
// Request direct attestation, which will prompt for user intervention.
|
|
await requestMakeCredential("direct")
|
|
.then((x) => {
|
|
if (AppConstants.platform === "android") {
|
|
// If this is Android, the result will be anonymized (Bug 1551229)
|
|
return verifyAnonymizedCertificate(x);
|
|
} else {
|
|
return verifyDirectCertificate(x);
|
|
}
|
|
})
|
|
.catch(arrivingHereIsBad);
|
|
});
|
|
|
|
// Test failure cases for make credential.
|
|
add_task(async () => {
|
|
// Request a platform authenticator.
|
|
await requestMakeCredential("unknown")
|
|
.then(arrivingHereIsBad)
|
|
.catch(expectTypeError);
|
|
});
|
|
</script>
|
|
|
|
</body>
|
|
</html>
|