[WebAuthN] Remove hash from Client Data
authorjiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 20 Dec 2018 23:55:48 +0000 (23:55 +0000)
committerjiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 20 Dec 2018 23:55:48 +0000 (23:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=192727
<rdar://problem/46746673>

Reviewed by Brent Fulgham.

Source/WebCore:

The latest spec fixes the hash algorithm used for hashing the client data to SHA-256:
https://www.w3.org/TR/webauthn/#sec-client-data. Therefore, we should remove the hashAlgorithm member from the client data.

Covered by existing tests.

* Modules/webauthn/AuthenticatorCoordinator.cpp:
(WebCore::AuthenticatorCoordinatorInternal::produceClientDataJson):

LayoutTests:

* http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
* http/wpt/webauthn/public-key-credential-create-success-local.https.html:
* http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
* http/wpt/webauthn/public-key-credential-get-success-local.https.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239471 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html
Source/WebCore/ChangeLog
Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp

index 029d079..81bbf4b 100644 (file)
@@ -1,5 +1,18 @@
 2018-12-20  Jiewen Tan  <jiewen_tan@apple.com>
 
+        [WebAuthN] Remove hash from Client Data
+        https://bugs.webkit.org/show_bug.cgi?id=192727
+        <rdar://problem/46746673>
+
+        Reviewed by Brent Fulgham.
+
+        * http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-create-success-local.https.html:
+        * http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
+        * http/wpt/webauthn/public-key-credential-get-success-local.https.html:
+
+2018-12-20  Jiewen Tan  <jiewen_tan@apple.com>
+
         [WebAuthN] Add a runtime flag for local authenticator
         https://bugs.webkit.org/show_bug.cgi?id=192792
         <rdar://problem/46798738>
index 798b7be..957c274 100644 (file)
@@ -15,7 +15,7 @@
         assert_array_equals(Base64URL.parse(credential.id), Base64URL.parse(testHidCredentialIdBase64));
         assert_equals(credential.type, 'public-key');
         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testHidCredentialIdBase64));
-        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443","hashAlgorithm":"SHA-256"}');
+        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
         assert_throws("NotSupportedError", () => { credential.getClientExtensionResults() });
 
         // Check attestation
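Review bot: The expected clientDataJSON is a full string literal repeated in each test, so this commit had to make the same edit in four files (this hunk plus the create-success-local, get-success-hid and get-success-local hunks). The tests already use shared names such as `testHidCredentialIdBase64`, which presumably come from a common helper script not visible here. Defining the expected strings once there, for example `const testCreateClientDataJSON = '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}';` and a matching constant for `webauthn.get`, would make the next change to the client data a one-line edit. The exact-string comparison is worth keeping, since these bytes are what get hashed and signed.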
index 9c2d116..6f877c4 100644 (file)
@@ -29,7 +29,7 @@
         assert_array_equals(Base64URL.parse(credential.id), Base64URL.parse(testCredentialIdBase64));
         assert_equals(credential.type, 'public-key');
         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testCredentialIdBase64));
-        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443","hashAlgorithm":"SHA-256"}');
+        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.create","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
         assert_throws("NotSupportedError", () => { credential.getClientExtensionResults() });
 
         // Check attestation
index a783830..1f13ded 100644 (file)
@@ -14,7 +14,7 @@
         assert_array_equals(Base64URL.parse(credential.id), Base64URL.parse(testHidCredentialIdBase64));
         assert_equals(credential.type, 'public-key');
         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testHidCredentialIdBase64));
-        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443","hashAlgorithm":"SHA-256"}');
+        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
         assert_equals(credential.response.userHandle, null);
 
         // Check authData
index c617e75..7f2daaf 100644 (file)
@@ -17,7 +17,7 @@
         assert_array_equals(Base64URL.parse(credential.id), Base64URL.parse(testCredentialIdBase64));
         assert_equals(credential.type, 'public-key');
         assert_array_equals(new Uint8Array(credential.rawId), Base64URL.parse(testCredentialIdBase64));
-        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443","hashAlgorithm":"SHA-256"}');
+        assert_equals(bytesToASCIIString(credential.response.clientDataJSON), '{"type":"webauthn.get","challenge":"MTIzNDU2","origin":"https://localhost:9443"}');
         assert_equals(bytesToHexString(credential.response.userHandle), "00010203040506070809");
 
         // Check authData
index 97b6338..b97e32e 100644 (file)
@@ -1,5 +1,21 @@
 2018-12-20  Jiewen Tan  <jiewen_tan@apple.com>
 
+        [WebAuthN] Remove hash from Client Data
+        https://bugs.webkit.org/show_bug.cgi?id=192727
+        <rdar://problem/46746673>
+
+        Reviewed by Brent Fulgham.
+
+        The hash algorithm for hashing the client data is enforced to SHA_256 in the latest spec:
+        https://www.w3.org/TR/webauthn/#sec-client-data. Therefore, we should remove it.
+
+        Covered by existing tests.
+
+        * Modules/webauthn/AuthenticatorCoordinator.cpp:
+        (WebCore::AuthenticatorCoordinatorInternal::produceClientDataJson):
+
+2018-12-20  Jiewen Tan  <jiewen_tan@apple.com>
+
         [WebAuthN] Add a runtime flag for local authenticator
         https://bugs.webkit.org/show_bug.cgi?id=192792
         <rdar://problem/46798738>
index a0554b7..43f16b0 100644 (file)
@@ -66,8 +66,6 @@ static Ref<ArrayBuffer> produceClientDataJson(ClientDataType type, const BufferS
     }
     object->setString("challenge"_s, WTF::base64URLEncode(challenge.data(), challenge.length()));
     object->setString("origin"_s, origin.toRawString());
-    // FIXME: This might be platform dependent.
-    object->setString("hashAlgorithm"_s, "SHA-256"_s);
 
     auto utf8JSONString = object->toJSONString().utf8();
     return ArrayBuffer::create(utf8JSONString.data(), utf8JSONString.length());
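Review bot: With the `hashAlgorithm` member gone, nothing in the visible part of produceClientDataJson records which digest is applied to the bytes it returns. The removed FIXME was the only hint that the algorithm was ever a choice. A short comment above `auto utf8JSONString = ...` would keep that on record, for example `// The serialized client data is always hashed with SHA-256 per the WebAuthn spec, so no hashAlgorithm member is emitted.` The function begins before this hunk and the place where the hash is computed is not visible here, so it is worth confirming that call site uses SHA-256 unconditionally and does not read the algorithm from any platform setting.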