RESOLVED FIXED 228116
REGRESSION (r278877) [Cocoa] WebAuthn stopped working for non-Safari browsers 
https://bugs.webkit.org/show_bug.cgi?id=228116
Summary REGRESSION (r278877) [Cocoa] WebAuthn stopped working for non-Safari browsers
Brent Fulgham
Reported 2021-07-20 11:45:52 PDT
WebAuthn: webauthn.me/debugger & webauthn.io doesn't load/work in default browsers (Chrome & Firefox) The standard iOS App Sandbox doesn’t allow us to use the API: (1) Sandbox Violation: deny(1) process-codesigning-status-get others [com.apple.WebKit(14180)] Process: Chrome [14153] Thread 0 (id: 2724455, CrWebMain): 0 libsystem_kernel.dylib 0x00000001b816a7f4 csops_audittoken + 8 1 Security 0x0000000189b38f6c SecTaskLoadEntitlements + 348 2 Security 0x0000000189b392dc SecTaskCopyValueForEntitlement + 76 3 JavaScriptCore 0x000000018d31ae3c WTF::hasEntitlementValue(audit_token_t, char const*, char const*) + 124 (2) Sandbox Violation: deny(1) process-codesigning-entitlements-der-blob-get others [com.apple.WebKit(14180)] Process: Chrome [14153] Thread 0 (id: 2724455, CrWebMain): 0 libsystem_kernel.dylib 0x00000001b816a7f4 csops_audittoken + 8 1 Security 0x0000000189b38e64 SecTaskLoadEntitlements + 84 2 Security 0x0000000189b392dc SecTaskCopyValueForEntitlement + 76 3 JavaScriptCore 0x000000018d31ae3c WTF::hasEntitlementValue(audit_token_t, char const*, char const*) + 124 (3) Sandbox Violation: deny(1) sysctl-read kern.proc.pid.14158 Process: Chrome [14153] Thread 0 (id: 2724455, CrWebMain): 0 libsystem_kernel.dylib 0x00000001b816ab98 __sysctl + 8 1 Security 0x0000000189b3f47c SecTaskCopyDebugDescription + 180 2 Security 0x0000000189b38ff4 SecTaskLoadEntitlements + 484 3 Security 0x0000000189b392dc SecTaskCopyValueForEntitlement + 76 4 JavaScriptCore 0x000000018d31ae3c WTF::hasEntitlementValue(audit_token_t, char const*, char const*) + 124 One or more of these failures prevent the PAC key from being read, so the process rejects the message.
Attachments
Patch (19.41 KB, patch)
2021-07-20 12:04 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (25.12 KB, patch)
2021-07-21 16:17 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (25.95 KB, patch)
2021-07-21 16:23 PDT, Brent Fulgham 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (27.66 KB, patch)
2021-07-21 16:47 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch for landing (27.70 KB, patch)
2021-07-22 15:16 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (27.88 KB, patch)
2021-07-27 14:32 PDT, Kate Cheney 		no flags
DetailsFormatted DiffDiff
Patch (27.96 KB, patch)
2021-07-28 11:11 PDT, Kate Cheney 		no flags
DetailsFormatted DiffDiff
Patch for landing (25.99 KB, patch)
2021-07-29 14:13 PDT, Kate Cheney 		no flags
DetailsFormatted DiffDiff
Show Obsolete (7) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2021-07-20 11:46:27 PDT
I spoke with the Security and code signing teams. We should check that the WebContent process is apple-signed, and has the correct signing identity. The PAC key is not a good way to confirm this.
Brent Fulgham
Comment 2 2021-07-20 11:50:51 PDT
<rdar://problem/80693607>
Brent Fulgham
Comment 3 2021-07-20 12:04:22 PDT
Created attachment 433888 [details] Patch
Brent Fulgham
Comment 4 2021-07-21 16:17:24 PDT
Created attachment 433966 [details] Patch
Brent Fulgham
Comment 5 2021-07-21 16:23:33 PDT
Created attachment 433968 [details] Patch
Brent Fulgham
Comment 6 2021-07-21 16:47:49 PDT
Created attachment 433974 [details] Patch
Brent Fulgham
Comment 7 2021-07-22 14:52:54 PDT
Comment on attachment 433974 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=433974&action=review > Source/WebKit/Shared/Cocoa/XPCEndpoint.mm:56 > + auto [signingIdentifier, isPlatformBinary] = codeSigningIdentifierAndPlatformBinaryStatus(connection.get()); @Per Arne: Do you think we should enable this check on all platforms (not just macOS)?
Per Arne Vollan
Comment 8 2021-07-22 15:05:06 PDT
Comment on attachment 433974 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=433974&action=review R=me. >> Source/WebKit/Shared/Cocoa/XPCEndpoint.mm:56 >> + auto [signingIdentifier, isPlatformBinary] = codeSigningIdentifierAndPlatformBinaryStatus(connection.get()); > > @Per Arne: Do you think we should enable this check on all platforms (not just macOS)? Yes, I think that would be good. I am not sure why that was not done initially. If changing, you might need to test manually that this behaves correctly on iOS. > Source/WebKit/UIProcess/Cocoa/WebProcessProxyCocoa.mm:318 > auto auditToken = connection()->getAuditToken(); > if (!auditToken) { > ASSERT_NOT_REACHED(); Can this be removed now? > Source/WebKit/UIProcess/Cocoa/WebProcessProxyCocoa.mm:327 > + if (!currentProcessIsPlatformBinary()) > + return true; Should this return false? Or should it be 'return currentProcessIsPlatformBinary()' to avoid executing the code below?
Brent Fulgham
Comment 9 2021-07-22 15:12:52 PDT
Comment on attachment 433974 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=433974&action=review >> Source/WebKit/UIProcess/Cocoa/WebProcessProxyCocoa.mm:327 >> + return true; > > Should this return false? Or should it be 'return currentProcessIsPlatformBinary()' to avoid executing the code below? No: Returning false causes WebAuthn to fail because I added this overall check to ensure the message is coming from a valid WebContent process. Because of the system sandbox rules, we cannot check this on non-Apple applications so we return early here as a "success" state. When 80908833 is fixed, we can re-enable the entire test for all apps.
Brent Fulgham
Comment 10 2021-07-22 15:16:40 PDT
Created attachment 434040 [details] Patch for landing
Brent Fulgham
Comment 11 2021-07-22 15:17:42 PDT
Comment on attachment 433974 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=433974&action=review >> Source/WebKit/UIProcess/Cocoa/WebProcessProxyCocoa.mm:318 >> ASSERT_NOT_REACHED(); > > Can this be removed now? Good point!
EWS
Comment 12 2021-07-22 15:58:15 PDT
Committed r280205 (239893@main): <https://commits.webkit.org/239893@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 434040 [details].
Robert Jenner
Comment 13 2021-07-23 14:01:28 PDT
Reverted r280205 for reason: Broke multiple WebAuthn tests. Committed r280258 (239925@main): <https://commits.webkit.org/239925@main>
Kate Cheney
Comment 14 2021-07-27 14:32:25 PDT
Created attachment 434318 [details] Patch
Kate Cheney
Comment 15 2021-07-27 14:54:17 PDT
Comment on attachment 434318 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=434318&action=review > Source/WebKit/Shared/Cocoa/CodeSigning.mm:66 > + bool isPlatformBinary = isRunningTest(WebCore::applicationBundleIdentifier()) || (SecTaskGetCodeSignStatus(task.get()) & CS_PLATFORM_BINARY); This is how I fixed the crashing tests. Potentially there is a more elegant way to mark WebKitTestRunner as being a platform binary?
Per Arne Vollan
Comment 16 2021-07-28 10:24:51 PDT
Comment on attachment 434318 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=434318&action=review >> Source/WebKit/Shared/Cocoa/CodeSigning.mm:66 >> + bool isPlatformBinary = isRunningTest(WebCore::applicationBundleIdentifier()) || (SecTaskGetCodeSignStatus(task.get()) & CS_PLATFORM_BINARY); > > This is how I fixed the crashing tests. Potentially there is a more elegant way to mark WebKitTestRunner as being a platform binary? I think we could move the check 'isRunningTest(WebCore::applicationBundleIdentifier())' to the affected call site instead, since there are potentially many callers of this function who does not need the additional check.
Kate Cheney
Comment 17 2021-07-28 11:11:16 PDT
Created attachment 434440 [details] Patch
Kate Cheney
Comment 18 2021-07-28 11:11:34 PDT
(In reply to Per Arne Vollan from comment #16) > Comment on attachment 434318 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=434318&action=review > > >> Source/WebKit/Shared/Cocoa/CodeSigning.mm:66 > >> + bool isPlatformBinary = isRunningTest(WebCore::applicationBundleIdentifier()) || (SecTaskGetCodeSignStatus(task.get()) & CS_PLATFORM_BINARY); > > > > This is how I fixed the crashing tests. Potentially there is a more elegant way to mark WebKitTestRunner as being a platform binary? > > I think we could move the check > 'isRunningTest(WebCore::applicationBundleIdentifier())' to the affected call > site instead, since there are potentially many callers of this function who > does not need the additional check. Good call. Fixed in the latest patch.
Kate Cheney
Comment 19 2021-07-29 12:23:43 PDT
Comment on attachment 434440 [details] Patch Test failure seems quite unrelated.
Per Arne Vollan
Comment 20 2021-07-29 13:09:14 PDT
Comment on attachment 434440 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=434440&action=review R=me. > Source/WebKit/WebKit.xcodeproj/project.pbxproj:6 > + objectVersion = 54; Is this an intended change? > Source/WebKit/WebKit.xcodeproj/project.pbxproj:-6003 > - F414CE2A269DDED100BD216A /* GPUProcessCocoa.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = GPUProcessCocoa.mm; path = cocoa/GPUProcessCocoa.mm; sourceTree = "<group>"; }; Ditto. > Source/WebKit/WebKit.xcodeproj/project.pbxproj:-11726 > - F414CE27269DDE8000BD216A /* cocoa */ = { > - isa = PBXGroup; > - children = ( > - F414CE2A269DDED100BD216A /* GPUProcessCocoa.mm */, > - ); > - name = cocoa; > - sourceTree = "<group>"; > - }; Ditto.
Kate Cheney
Comment 21 2021-07-29 13:28:03 PDT
(In reply to Per Arne Vollan from comment #20) > Comment on attachment 434440 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=434440&action=review > > R=me. > Thanks! > > Source/WebKit/WebKit.xcodeproj/project.pbxproj:6 > > + objectVersion = 54; > > Is this an intended change? > > > Source/WebKit/WebKit.xcodeproj/project.pbxproj:-6003 > > - F414CE2A269DDED100BD216A /* GPUProcessCocoa.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = GPUProcessCocoa.mm; path = cocoa/GPUProcessCocoa.mm; sourceTree = "<group>"; }; > > Ditto. > > > Source/WebKit/WebKit.xcodeproj/project.pbxproj:-11726 > > - F414CE27269DDE8000BD216A /* cocoa */ = { > > - isa = PBXGroup; > > - children = ( > > - F414CE2A269DDED100BD216A /* GPUProcessCocoa.mm */, > > - ); > > - name = cocoa; > > - sourceTree = "<group>"; > > - }; > > Ditto. These were all in Brent's original patch that got rolled out, so I assumed they were necessary. Will try to remove before landing.
Kate Cheney
Comment 22 2021-07-29 14:13:44 PDT
Created attachment 434572 [details] Patch for landing
EWS
Comment 23 2021-07-29 15:12:23 PDT
Committed r280451 (240086@main): <https://commits.webkit.org/240086@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 434572 [details].
Note You need to log in before you can comment on or make changes to this bug.