191516 – [WebAuthn] Support CTAP Client Pin

Bug 191516 - [WebAuthn] Support CTAP Client Pin

Summary: [WebAuthn] Support CTAP Client Pin

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Jiewen Tan

URL:
Keywords:	InRadar

Duplicates (2):	205222 207821 (view as bug list)
Depends on:
Blocks:	181943
	Show dependency tree / graph

Reported:	2018-11-11 17:04 PST by Jiewen Tan
Modified:	2020-02-16 22:56 PST (History)
CC List:	10 users (show)

See Also:

Attachments
Patch (78.02 KB, patch) 2020-01-06 16:51 PST, Jiewen Tan	no flags	Details \| Formatted Diff \| Diff
Patch (83.55 KB, patch) 2020-01-07 10:12 PST, Jiewen Tan	no flags	Details \| Formatted Diff \| Diff
Patch (83.55 KB, patch) 2020-01-07 11:25 PST, Jiewen Tan	no flags	Details \| Formatted Diff \| Diff
Patch (79.83 KB, patch) 2020-01-07 14:05 PST, Jiewen Tan	bfulgham: review+	Details \| Formatted Diff \| Diff
Patch for landing (80.47 KB, patch) 2020-01-10 17:02 PST, Jiewen Tan	commit-queue: commit-queue-	Details \| Formatted Diff \| Diff
Build fix (1.68 KB, patch) 2020-01-13 17:30 PST, Don Olmstead	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jiewen Tan 2018-11-11 17:04:07 PST

We should consider support CTAP client pin command:https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html#authenticatorClientPIN

Comment 1 Radar WebKit Bug Importer 2019-10-23 15:54:19 PDT

<rdar://problem/56558558>

Comment 2 login Llama 2019-12-13 09:50:23 PST

Yes for keys with PIN set you cant create new credentials without the user inputting the PIN in CTAP2.   The workaround that Firefox and Chrome use when UV is set to discouraged is to make the credential using U2F on keys that support both CTAP1 and CTAP2.  For a CTAP2 only key or if you are making a resident credential there is no way to do it without PIN support.

I will note that currently CTAP2.1 will allow the creation of non resident credentials via CTAP2, but there are millions of authenticators in the market currently that will only support CTAP2.0.

Comment 3 Jiewen Tan 2020-01-06 08:48:06 PST

*** Bug 205222 has been marked as a duplicate of this bug. ***

Comment 4 login Llama 2020-01-06 10:49:11 PST

My first choice is supporting client pin. 
Second choice is using the U2F make credential workaround that Google used in Chrome.

On the other hand bug 204111 is the highest priority as it is breaking all CTAP 2 authenticators without builtin UV.  That is about 98%.  Until that gets fixed we cant really test this.

Thanks

Comment 5 Jiewen Tan 2020-01-06 16:51:21 PST

Created attachment 386914 [details]
Patch

Comment 6 Jiewen Tan 2020-01-07 10:12:25 PST

Created attachment 386984 [details]
Patch

Comment 7 Jiewen Tan 2020-01-07 11:25:57 PST

Created attachment 387005 [details]
Patch

Comment 8 Jiewen Tan 2020-01-07 14:05:32 PST

Created attachment 387028 [details]
Patch

Comment 9 Brent Fulgham 2020-01-10 15:23:07 PST

Comment on attachment 387028 [details]
Patch

r=me

Comment 10 Jiewen Tan 2020-01-10 15:38:42 PST

Thanks Brent for r+ this patch.

Comment 11 Jiewen Tan 2020-01-10 17:02:30 PST

Created attachment 387399 [details]
Patch for landing

Comment 12 WebKit Commit Bot 2020-01-10 18:47:49 PST

Comment on attachment 387399 [details]
Patch for landing

Rejecting attachment 387399 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 387399, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Logging in as commit-queue@webkit.org...
Fetching: https://bugs.webkit.org/attachment.cgi?id=387399&action=edit
Fetching: https://bugs.webkit.org/show_bug.cgi?id=191516&ctype=xml&excludefield=attachmentdata
Processing 1 patch from 1 bug.
Updating working directory
Processing patch 387399 from bug 191516.
Fetching: https://bugs.webkit.org/attachment.cgi?id=387399
Authentication required
Authentication required
Authentication required
Updating OpenSource
From https://git.webkit.org/git/WebKit
   8cd2c8b4c7e..e4cf8500860  master     -> origin/master
Partial-rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc ...
Currently at 254386 = 8cd2c8b4c7e20fe5b4f3240a3e719722a80784d9
r254387 = e4cf8500860fe817dd55f3a86a67f2a8ab032ead
Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
First, rewinding head to replay your work on top of it...
Fast-forwarded master to refs/remotes/origin/master.

Full output: https://webkit-queues.webkit.org/results/13302981

Comment 13 Jiewen Tan 2020-01-13 10:54:09 PST

Committed r254439: <https://trac.webkit.org/changeset/254439>

Comment 14 Don Olmstead 2020-01-13 17:26:26 PST

Reopening for build fix.

Commit queue cancelled my patch because of the following

In file included from /Volumes/Data/EWS/WebKit/WebKitBuild/Release/DerivedSources/WebKit2/unified-sources/UnifiedSource55.cpp:1:
In file included from /Volumes/Data/EWS/WebKit/Source/WebKit/UIProcess/WebAuthentication/fido/FidoService.cpp:31:
/Volumes/Data/EWS/WebKit/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:66:70: error: unknown type name 'CryptoKeyEC'; did you mean 'WebCore::CryptoKeyEC'?
    void continueGetPinTokenAfterRequestPin(const String& pin, const CryptoKeyEC&);
                                                                     ^~~~~~~~~~~
                                                                     WebCore::CryptoKeyEC
/Volumes/Data/EWS/WebKit/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:40:7: note: 'WebCore::CryptoKeyEC' declared here
class CryptoKeyEC;
      ^
1 error generated.

From https://webkit-queues.webkit.org/results/13303609 which came from https://bugs.webkit.org/show_bug.cgi?id=205964

Comment 15 Don Olmstead 2020-01-13 17:30:37 PST

Created attachment 387598 [details]
Build fix

Comment 16 Don Olmstead 2020-01-13 17:51:27 PST

Comment on attachment 387598 [details]
Build fix

Affected builds seem happy

Comment 17 WebKit Commit Bot 2020-01-13 22:42:02 PST

Comment on attachment 387598 [details]
Build fix

Clearing flags on attachment: 387598

Committed r254495: <https://trac.webkit.org/changeset/254495>

Comment 18 Jiewen Tan 2020-01-14 11:06:39 PST

(In reply to Don Olmstead from comment #16)
> Comment on attachment 387598 [details]
> Build fix
> 
> Affected builds seem happy

Thanks for fixing the issue.

Comment 19 Don Olmstead 2020-01-14 12:23:52 PST

(In reply to Jiewen Tan from comment #18)
> (In reply to Don Olmstead from comment #16)
> > Comment on attachment 387598 [details]
> > Build fix
> > 
> > Affected builds seem happy
> 
> Thanks for fixing the issue.

👍

Comment 20 Jiewen Tan 2020-02-16 22:56:52 PST

*** Bug 207821 has been marked as a duplicate of this bug. ***