Bug 259934
| Summary: | [WebAuthn] Implement PRF extension + hmac-secret | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | pascoe <pascoe> |
| Component: | WebKit Misc. | Assignee: | pascoe <pascoe> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | andrey, bsoft, pascoe, rew.islam, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
pascoe@apple.com
We currently do not support the PRF extension or the necessary CTAP extension for it, hmac-secret. This bug is to implement both of those.
Radar WebKit Bug Importer
<rdar://problem/113572812>
pascoe@apple.com
explainer: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension
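Added example (not part of this bug thread and not WebKit's code): how the inputs of the WebAuthn PRF extension map onto salts for the CTAP hmac-secret extension, which is why the bug covers both. The function names and sample values are hypothetical, and the encryption of salts and outputs under the PIN/UV shared secret between client and authenticator is left out.

```javascript
const { createHash, createHmac } = require("crypto");

// WebAuthn PRF, client side: the site's input is never sent as-is. It is hashed
// with a fixed prefix so that web-supplied inputs are domain-separated from
// other hmac-secret uses of the same credential.
// (Hypothetical helper name; the construction is the one in the WebAuthn spec.)
function prfInputToSalt(input) {
  return createHash("sha256")
    .update(Buffer.from("WebAuthn PRF", "utf8"))
    .update(Buffer.from([0x00]))
    .update(input)
    .digest();
}

// CTAP hmac-secret, authenticator side: a per-credential secret (CredRandom)
// keys HMAC-SHA-256 over the 32-byte salt. The secret never leaves the device.
function hmacSecretOutput(credRandom, salt) {
  if (salt.length !== 32) {
    throw new RangeError("hmac-secret salts must be exactly 32 bytes");
  }
  return createHmac("sha256", credRandom).update(salt).digest();
}

// End to end: the values a page would read from
// getClientExtensionResults().prf.results after a successful request.
function evaluatePrf(credRandom, evalInputs) {
  const results = {
    first: hmacSecretOutput(credRandom, prfInputToSalt(evalInputs.first)),
  };
  if (evalInputs.second !== undefined) {
    results.second = hmacSecretOutput(credRandom, prfInputToSalt(evalInputs.second));
  }
  return results;
}

// Constructed sample values, for illustration only.
const sampleCredRandom = Buffer.alloc(32, 0x11);
const sampleInput = Buffer.from("vault-key-v1", "utf8");

console.log(evaluatePrf(sampleCredRandom, { first: sampleInput }).first.toString("hex"));
```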
Rew Islam @ Dashlane
It would be great to also see support for hmac-secret-mc:
https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-hmac-secret-make-cred-extension
pascoe@apple.com
Pull request: https://github.com/WebKit/WebKit/pull/53734
EWS
Committed 303406@main (a305a458493c): <https://commits.webkit.org/303406@main>
Reviewed commits have been landed. Closing PR #53734 and removing active labels.
Berni
Crashes on Safari TP 234
"exceptionReason" : {"arguments":["%s","setPrf:","0xb03edc930"],"format_string":"-[%s %s]: unrecognized selector sent to instance %p","name":"NSInvalidArgumentException","type":"objc-exception","composed_message":"-[%s setPrf:]: unrecognized selector sent to instance 0xb03edc930","class":"NSException"},
Platform authenticator PRF support is well implemented in released Safari, but not for hardware keys (HMAC over CTAP), which is what this pull request should essentially solve. This can be a regression in Safari TP: now any request for the PRF extension in await navigator.credentials.create will crash.
Berni
Such features should be clearly marked in the STP release notes as also requiring a dedicated OS beta version, in this case one where the setPrf selector is available.
Berni
Tested with latest macOS Tahoe 26.3 Beta. Same issue. @pascoe@apple.com Your release process is fairly useless for such features that need proper platform support.
Rew Islam @ Dashlane
I can confirm the crash on Safari TP 234 (running on 26.2 (25C56))
Process: Safari Technology Preview [97404]
Path: /Applications/Safari Technology Preview.app/Contents/MacOS/Safari Technology Preview
Identifier: com.apple.SafariTechnologyPreview
Version: 26.0 (21624.1.6.19.3)
Build Info: Safari-7624001006019003~2
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.apple.SafariTechnologyPreview [47295]
User ID: 502
Date/Time: 2026-01-08 15:54:50.0541 +0100
Launch Time: 2026-01-08 15:53:51.4472 +0100
Hardware Model: MacBookPro18,2
OS Version: macOS 26.2 (25C56)
Release Type: User
Crash Reporter Key: 7EB201A4-6F6D-1A1C-38A5-1BEB294BB4CD
Incident Identifier: EC4EE0B7-84EA-4FD5-BC36-371C1E028C9F
Sleep/Wake UUID: F31CC780-500F-495C-8D10-3C4317D191F7
Time Awake Since Boot: 430000 seconds
Time Since Wake: 3731 seconds
System Integrity Protection: enabled
Triggered by Thread: 0, Dispatch Queue: com.apple.main-thread
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Reason: -[%s setPrf:]: unrecognized selector sent to instance 0x90845cb60
Termination Reason: Namespace SIGNAL, Code 6, Abort trap: 6
Terminating Process: Safari Technology Preview [97404]
Application Specific Information:
abort() called
Rew Islam @ Dashlane
The above crash was produced with these steps:
1. Visit https://demo.wwwallet.org/login
2. Click "Sign Up"
3. Enter a name
4. Click "Passkey on a security key"
Expected: System prompt for a security key (via CTAP)
Actual: The above crash