Bug 143491

Summary: [WebAuthN] Implement FIDO AppID extension
Product: WebKit Reporter: ryan
Component: PlatformAssignee: Jiewen Tan <jiewen_tan>
Status: RESOLVED FIXED    
Severity: Normal CC: alex.gaynor, bfulgham, cdumez, commit-queue, dwaite, esprehn+autocc, ews, jiewen_tan, john+webkit, kondapallykalyan, me, simon.fraser, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=181949
Bug Depends on:    
Bug Blocks: 181943    
Attachments:
Description Flags
U2F request flow diagram.
none
Patch
none
Patch
bfulgham: review+, bfulgham: commit-queue-
Patch for Landing none

Description ryan 2015-04-07 11:39:36 PDT
The FIDO Universal Second Factor (U2F) protocol is an open specification that was recently finalized.  The FINAL spec can be downloaded here: https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009.zip
Comment 1 Alice Bevan-McGregor 2016-05-19 11:49:02 PDT
Created attachment 279408 [details]
U2F request flow diagram.

U2F is beginning to see more wide-spread deployment, with Github being one notable example site that utilizes it.  Currently, Chrome integrates support, but lower-level integration in WebKit would broadly increase the potential user base.

There exists a cross-platform (Windows, Linux, Mac OS X) C reference implementation, https://developers.yubico.com/libu2f-host/, supported by a manufacturer (Yubico) of U2F-compliant tokens. They also provide a test server for interactive experimentation (https://demo.yubico.com/u2f), reference server integration implementation, and cURL-able test endpoints.

This client (device host) reference implementation depends on: pkg-config, JSON-C, and HIDAPI for USB communication.

I very strongly desire U2F support both for my own site use, as well as for token-secured access to Github.
Comment 2 Yusuke Suzuki 2017-02-16 21:23:32 PST
What is the difference from the Web Authentication[1,2]?

[1]: https://github.com/w3c/webauthn
[2]: https://w3c.github.io/webauthn/
Comment 3 Jiewen Tan 2018-01-22 13:28:13 PST
(In reply to Yusuke Suzuki from comment #2)
> What is the difference from the Web Authentication[1,2]?
> 
> [1]: https://github.com/w3c/webauthn
> [2]: https://w3c.github.io/webauthn/

WebAuthN is effectively FIDO 2.0. See Bug 181943 for status update regarding to WebAuthN.
Comment 4 john+webkit 2018-05-26 12:28:37 PDT
Does the work on WebAuthN contain FIDO 1.0 support as well? If not, this ticket is probably still valid on it's own.
Comment 5 David Waite 2018-10-29 00:20:48 PDT
FWIW, Edge has no intention to support U2F and only support WebAuthn.

The U2F JavaScript API unfortunately doesn't fully document how to get access to the objects needed to use the MessagePort and u2f interface API.

U2F supports CTAP1 devices, while WebAuthn supports CTAP1 and CTAP2 devices.

There is an extension for WebAuthn to work with existing U2F registrations (such as those created via another browser, or the Safari App Extension) with the new API, so that users can still authenticate when a site upgrades from using the U2F to WebAuthn javascript interfaces.
Comment 6 Jiewen Tan 2018-10-29 11:06:14 PDT
(In reply to john+webkit from comment #4)
> Does the work on WebAuthN contain FIDO 1.0 support as well? If not, this
> ticket is probably still valid on it's own.

WebAuthN will support CTAP1/U2F devices.
Comment 7 Jiewen Tan 2018-10-29 11:08:50 PDT
(In reply to David Waite from comment #5)
> FWIW, Edge has no intention to support U2F and only support WebAuthn.
> 
> The U2F JavaScript API unfortunately doesn't fully document how to get
> access to the objects needed to use the MessagePort and u2f interface API.
> 
> U2F supports CTAP1 devices, while WebAuthn supports CTAP1 and CTAP2 devices.
> 
> There is an extension for WebAuthn to work with existing U2F registrations
> (such as those created via another browser, or the Safari App Extension)
> with the new API, so that users can still authenticate when a site upgrades
> from using the U2F to WebAuthn javascript interfaces.

Same as WebKit. I will leave this bug alone and re-scope it as [WebAuthN] Implement FIDO U2F extension.
Comment 8 Radar WebKit Bug Importer 2019-02-21 17:53:42 PST
<rdar://problem/48298273>
Comment 9 Jiewen Tan 2019-03-19 15:48:01 PDT
Created attachment 365249 [details]
Patch
Comment 10 Jiewen Tan 2019-03-19 16:29:50 PDT
Created attachment 365256 [details]
Patch
Comment 11 Jiewen Tan 2019-03-19 16:45:16 PDT
Comment on attachment 365256 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365256&action=review

> Source/WebCore/ChangeLog:11
> +        do in practice to avoid some unncessary steps of

unnecessary

> Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.h:65
> +WEBCORE_EXPORT Optional<Vector<uint8_t>> convertToU2fSignCommand(const Vector<uint8_t>& clientDataHash, const WebCore::PublicKeyCredentialRequestOptions&, const Vector<uint8_t>& keyHandle, bool isAppId = false);

I should explain the change in the ChangeLog: the checkOnly flag is never used and therefore is deleted.

> LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html:19
> +        assert_not_exists(credential.getClientExtensionResults());

assert_not_exists(credential.getClientExtensionResults(), "appid");

> LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html:33
> +        assert_not_exists(credential.getClientExtensionResults());

Ditto.

> LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html:15
> +        assert_not_exists(credential.getClientExtensionResults());

Ditto.

> LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html:36
> +                    assert_not_exists(credential.getClientExtensionResults());

Ditto.

> LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html:18
> +            assert_not_exists(credential.getClientExtensionResults());

Ditto.
Comment 12 Jiewen Tan 2019-03-19 16:57:52 PDT
Comment on attachment 365256 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365256&action=review

> Source/WebCore/ChangeLog:15
> +

Need to add the new IDL file to MakeLists.txt to make GTK+ happy.
Comment 13 Brent Fulgham 2019-03-19 17:37:23 PDT
Comment on attachment 365256 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365256&action=review

Nice work getting this together. r=me with the changes suggested, and assuming tests pass when you are done.

>> Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.h:65
>> +WEBCORE_EXPORT Optional<Vector<uint8_t>> convertToU2fSignCommand(const Vector<uint8_t>& clientDataHash, const WebCore::PublicKeyCredentialRequestOptions&, const Vector<uint8_t>& keyHandle, bool isAppId = false);
> 
> I should explain the change in the ChangeLog: the checkOnly flag is never used and therefore is deleted.

Yes -- I got confused when I looked at the implementation, until I saw this note! :-)

> Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp:214
> +            response->appid = true;

Could this be:

response->appid = m_isAppId;
Comment 14 Jiewen Tan 2019-03-19 18:01:49 PDT
Comment on attachment 365256 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365256&action=review

Thanks Brent for r+ this patch.

>> Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp:214
>> +            response->appid = true;
> 
> Could this be:
> 
> response->appid = m_isAppId;

Sure. Fixed.
Comment 15 Jiewen Tan 2019-03-19 21:53:30 PDT
Created attachment 365306 [details]
Patch for Landing
Comment 16 Jiewen Tan 2019-03-19 22:44:16 PDT
Comment on attachment 365306 [details]
Patch for Landing

cq+ since GTK+ bots are happy.
Comment 17 WebKit Commit Bot 2019-03-19 23:12:03 PDT
Comment on attachment 365306 [details]
Patch for Landing

Clearing flags on attachment: 365306

Committed r243193: <https://trac.webkit.org/changeset/243193>