RESOLVED FIXED259934
[WebAuthn] Implement PRF extension + hmac-secret 
https://bugs.webkit.org/show_bug.cgi?id=259934
Summary [WebAuthn] Implement PRF extension + hmac-secret
pascoe@apple.com
Reported 2023-08-08 10:30:08 PDT
We currently do not support the PRF extension or the necessary CTAP extension for it, hmac-secret. This bug is to implement both of those.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2023-08-08 10:30:21 PDT
<rdar://problem/113572812>
pascoe@apple.com
Comment 2 2023-08-08 10:30:41 PDT
explainer: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension
Rew Islam @ Dashlane
Comment 3 2025-03-26 06:28:35 PDT
It would be great to also see support for hmac-secret-mc: https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-hmac-secret-make-cred-extension
pascoe@apple.com
Comment 4 2025-11-11 00:26:57 PST
Pull request: https://github.com/WebKit/WebKit/pull/53734
EWS
Comment 5 2025-11-21 10:54:21 PST
Committed 303406@main (a305a458493c): <https://commits.webkit.org/303406@main> Reviewed commits have been landed. Closing PR #53734 and removing active labels.
Berni
Comment 6 2025-12-20 00:17:53 PST
Crashes on Safari TP 234 "exceptionReason" : {"arguments":["%s","setPrf:","0xb03edc930"],"format_string":"-[%s %s]: unrecognized selector sent to instance %p","name":"NSInvalidArgumentException","type":"objc-exception","composed_message":"-[%s setPrf:]: unrecognized selector sent to instance 0xb03edc930","class":"NSException"}, Platform authenticator PRF support is well implemented in released Safari, but not for hardware keys (HMAC over CTAP) what this pull request should essentially solve. Can be regression in Safari TP, now any request for PRF extension in await navigator.credentials.create will crash.
Berni
Comment 7 2025-12-20 00:30:41 PST
Such features should be clearly marked in STP release notes to require also a dedicated OS beta version, for this case where setPrf selector is available.
Berni
Comment 8 2025-12-20 02:58:34 PST
Tested with latest macOS Tahoe 26.3 Beta. Same issue. @pascoe@apple.com Your release process is fairly useless for such features that need proper platform support.
Rew Islam @ Dashlane
Comment 9 2026-01-08 06:58:08 PST
I can confirm the crash on Safari TP 234 (running on 26.2 (25C56)) Process: Safari Technology Preview [97404] Path: /Applications/Safari Technology Preview.app/Contents/MacOS/Safari Technology Preview Identifier: com.apple.SafariTechnologyPreview Version: 26.0 (21624.1.6.19.3) Build Info: Safari-7624001006019003~2 Code Type: ARM-64 (Native) Role: Foreground Parent Process: launchd [1] Coalition: com.apple.SafariTechnologyPreview [47295] User ID: 502 Date/Time: 2026-01-08 15:54:50.0541 +0100 Launch Time: 2026-01-08 15:53:51.4472 +0100 Hardware Model: MacBookPro18,2 OS Version: macOS 26.2 (25C56) Release Type: User Crash Reporter Key: 7EB201A4-6F6D-1A1C-38A5-1BEB294BB4CD Incident Identifier: EC4EE0B7-84EA-4FD5-BC36-371C1E028C9F Sleep/Wake UUID: F31CC780-500F-495C-8D10-3C4317D191F7 Time Awake Since Boot: 430000 seconds Time Since Wake: 3731 seconds System Integrity Protection: enabled Triggered by Thread: 0, Dispatch Queue: com.apple.main-thread Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Reason: -[%s setPrf:]: unrecognized selector sent to instance 0x90845cb60 Termination Reason: Namespace SIGNAL, Code 6, Abort trap: 6 Terminating Process: Safari Technology Preview [97404] Application Specific Information: abort() called
Rew Islam @ Dashlane
Comment 10 2026-01-08 23:37:45 PST
The above crash was produced with these steps: 1. Visit https://demo.wwwallet.org/login 2. Click "Sign Up" 3. Enter a name 4. Click "Passkey on a security key" Expected: System prompt for a security key (via CTAP) Actual: The above crash
Note You need to log in before you can comment on or make changes to this bug.