1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
|
<!DOCTYPE html>
<meta charset=utf-8>
<head>
<title>Tests W3C Web Authentication Data Types Serialization</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<script type="text/javascript" src="u2futil.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<h1>Tests W3C Web Authentication Data Types Serialization</h1>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1823782">Mozilla Bug 1823782</a>
<script class="testbody" type="text/javascript">
"use strict";
const { Assert } = SpecialPowers.ChromeUtils.importESModule(
"resource://testing-common/Assert.sys.mjs"
);
function arrayBufferEqualsArray(actual, expected, description) {
ok(actual instanceof ArrayBuffer, `${description} (actual should be array)`);
ok(expected instanceof Array, `${description} (expected should be array)`);
is(actual.byteLength, expected.length, `${description} (actual and expected should have same length)`);
let actualView = new Uint8Array(actual);
for (let i = 0; i < actualView.length; i++) {
if (actualView[i] != expected[i]) {
throw new Error(`actual and expected differ in byte ${i}: ${actualView[i]} vs ${expected[i]}`);
}
}
ok(true, description);
}
function isEmptyArray(arr, description) {
ok(arr instanceof Array, `${description} (expecting Array)`);
is(arr.length, 0, `${description} (array should be empty)`);
}
function shouldThrow(func, expectedError, description) {
let threw = false;
try {
func();
} catch (e) {
is(e.message, expectedError);
threw = true;
}
ok(threw, description);
}
add_task(function test_parseCreationOptionsFromJSON_minimal() {
let creationOptionsJSON = {
rp: { name: "Example" },
user: { id: "-l3qNLTKJng", name: "username", displayName: "display name" },
challenge: "XNJTTB3kfqk",
pubKeyCredParams: [],
};
let creationOptions = PublicKeyCredential.parseCreationOptionsFromJSON(creationOptionsJSON);
is(Object.getOwnPropertyNames(creationOptions).length, 8, "creation options should have 8 properties");
is(creationOptions.rp.id, undefined, "rp.id should be undefined");
is(creationOptions.rp.name, "Example", "rp.name should be Example");
arrayBufferEqualsArray(creationOptions.user.id, [ 250, 93, 234, 52, 180, 202, 38, 120 ], "user.id should be as expected");
is(creationOptions.user.displayName, "display name", "user.displayName should be 'display name'");
is(creationOptions.user.name, "username", "user.name should be username");
arrayBufferEqualsArray(creationOptions.challenge, [ 92, 210, 83, 76, 29, 228, 126, 169 ], "challenge should be as expected");
isEmptyArray(creationOptions.pubKeyCredParams, "pubKeyCredParams should be an empty array");
is(creationOptions.timeout, undefined, "timeout should be undefined");
isEmptyArray(creationOptions.excludeCredentials, "excludeCredentials should be an empty array");
is(creationOptions.authenticatorSelection.authenticatorAttachment, undefined, "authenticatorSelection.authenticatorAttachment should be undefined");
is(creationOptions.authenticatorSelection.residentKey, undefined, "creationOptions.authenticatorSelection.residentKey should be undefined");
is(creationOptions.authenticatorSelection.requireResidentKey, false, "creationOptions.authenticatorSelection.requireResidentKey should be false");
is(creationOptions.authenticatorSelection.userVerification, "preferred", "creationOptions.authenticatorSelection.userVerification should be preferred");
is(creationOptions.attestation, "none", "attestation should be none");
is(Object.getOwnPropertyNames(creationOptions.extensions).length, 0, "extensions should be an empty object");
});
add_task(function test_parseCreationOptionsFromJSON() {
let creationOptionsJSON = {
rp: { name: "Example", id: "example.com" },
user: { id: "19TVpqBBOAM", name: "username2", displayName: "another display name" },
challenge: "dR82FeUh5q4",
pubKeyCredParams: [{ type: "public-key", alg: -7 }],
timeout: 20000,
excludeCredentials: [{ type: "public-key", id: "TeM2k_di7Dk", transports: [ "usb" ]}],
authenticatorSelection: { authenticatorAttachment: "platform", residentKey: "required", requireResidentKey: true, userVerification: "discouraged" },
hints: ["hybrid"],
attestation: "indirect",
attestationFormats: ["fido-u2f"],
extensions: {
appid: "https://www.example.com/appID",
credProps: true,
hmacCreateSecret: true,
minPinLength: true,
prf: {
eval: {
first: "Zmlyc3Q",
second: "c2Vjb25k"
},
evalByCredential: {
"19TVpqBBOAM": {
first: "Zmlyc3Q",
second: "c2Vjb25k"
}
}
}
},
};
let creationOptions = PublicKeyCredential.parseCreationOptionsFromJSON(creationOptionsJSON);
is(Object.getOwnPropertyNames(creationOptions).length, 9, "creation options should have 9 properties");
is(creationOptions.rp.name, "Example", "rp.name should be Example");
is(creationOptions.rp.id, "example.com", "rp.id should be example.com");
arrayBufferEqualsArray(creationOptions.user.id, [ 215, 212, 213, 166, 160, 65, 56, 3 ], "user.id should be as expected");
is(creationOptions.user.displayName, "another display name", "user.displayName should be 'another display name'");
is(creationOptions.user.name, "username2", "user.name should be username2");
arrayBufferEqualsArray(creationOptions.challenge, [ 117, 31, 54, 21, 229, 33, 230, 174 ], "challenge should be as expected");
is(creationOptions.pubKeyCredParams.length, 1, "pubKeyCredParams should have one element");
is(creationOptions.pubKeyCredParams[0].type, "public-key", "pubKeyCredParams[0].type should be public-key");
is(creationOptions.pubKeyCredParams[0].alg, -7, "pubKeyCredParams[0].alg should be -7");
is(creationOptions.timeout, 20000, "timeout should be 20000");
is(creationOptions.excludeCredentials.length, 1, "excludeCredentials should have one element");
is(creationOptions.excludeCredentials[0].type, "public-key", "excludeCredentials[0].type should be public-key");
arrayBufferEqualsArray(creationOptions.excludeCredentials[0].id, [ 77, 227, 54, 147, 247, 98, 236, 57 ], "excludeCredentials[0].id should be as expected");
is(creationOptions.excludeCredentials[0].transports.length, 1, "excludeCredentials[0].transports should have one element");
is(creationOptions.excludeCredentials[0].transports[0], "usb", "excludeCredentials[0].transports[0] should be usb");
is(creationOptions.authenticatorSelection.authenticatorAttachment, "platform", "authenticatorSelection.authenticatorAttachment should be platform");
is(creationOptions.authenticatorSelection.residentKey, "required", "creationOptions.authenticatorSelection.residentKey should be required");
is(creationOptions.authenticatorSelection.requireResidentKey, true, "creationOptions.authenticatorSelection.requireResidentKey should be true");
is(creationOptions.authenticatorSelection.userVerification, "discouraged", "creationOptions.authenticatorSelection.userVerification should be discouraged");
is(creationOptions.attestation, "indirect", "attestation should be indirect");
is(creationOptions.extensions.appid, "https://www.example.com/appID", "extensions.appid should be https://www.example.com/appID");
is(creationOptions.extensions.credProps, true, "extensions.credProps should be true");
is(creationOptions.extensions.hmacCreateSecret, true, "extensions.hmacCreateSecret should be true");
is(creationOptions.extensions.minPinLength, true, "extensions.minPinLength should be true");
arrayBufferEqualsArray(creationOptions.extensions.prf.eval.first, [102, 105, 114, 115, 116], "extensions.prf.eval.first should be 'first'");
arrayBufferEqualsArray(creationOptions.extensions.prf.eval.second, [115, 101, 99, 111, 110, 100], "extensions.prf.eval.second should be 'second'");
arrayBufferEqualsArray(creationOptions.extensions.prf.evalByCredential["19TVpqBBOAM"].first, [102, 105, 114, 115, 116], "extensions.prf.evalByCredential[\"19TVpqBBOAM\"].first should be 'first'");
arrayBufferEqualsArray(creationOptions.extensions.prf.evalByCredential["19TVpqBBOAM"].second, [115, 101, 99, 111, 110, 100], "extensions.prf.evalByCredential[\"19TVpqBBOAM\"].second should be 'second'");
});
add_task(function test_parseCreationOptionsFromJSON_malformed() {
let userIdNotBase64 = {
rp: { name: "Example" },
user: { id: "/not urlsafe base64+", name: "username", displayName: "display name" },
challenge: "XNJTTB3kfqk",
pubKeyCredParams: [],
};
shouldThrow(
() => { PublicKeyCredential.parseCreationOptionsFromJSON(userIdNotBase64); },
"PublicKeyCredential.parseCreationOptionsFromJSON: could not decode user ID as urlsafe base64",
"should get encoding error if user.id is not urlsafe base64"
);
let challengeNotBase64 = {
rp: { name: "Example" },
user: { id: "-l3qNLTKJng", name: "username", displayName: "display name" },
challenge: "this is not urlsafe base64!",
pubKeyCredParams: [],
};
shouldThrow(
() => { PublicKeyCredential.parseCreationOptionsFromJSON(challengeNotBase64); },
"PublicKeyCredential.parseCreationOptionsFromJSON: could not decode challenge as urlsafe base64",
"should get encoding error if challenge is not urlsafe base64"
);
let excludeCredentialsIdNotBase64 = {
rp: { name: "Example", id: "example.com" },
user: { id: "-l3qNLTKJng", name: "username", displayName: "display name" },
challenge: "dR82FeUh5q4",
pubKeyCredParams: [{ type: "public-key", alg: -7 }],
timeout: 20000,
excludeCredentials: [{ type: "public-key", id: "@#$%&^", transports: [ "usb" ]}],
authenticatorselection: { authenticatorattachment: "platform", residentkey: "required", requireresidentkey: true, userverification: "discouraged" },
hints: ["hybrid"],
attestation: "indirect",
attestationformats: ["fido-u2f"],
extensions: { appid: "https://www.example.com/appid", hmaccreatesecret: true },
};
shouldThrow(
() => { PublicKeyCredential.parseCreationOptionsFromJSON(excludeCredentialsIdNotBase64); },
"PublicKeyCredential.parseCreationOptionsFromJSON: could not decode excluded credential ID as urlsafe base64",
"should get encoding error if excludeCredentials[0].id is not urlsafe base64"
);
});
add_task(function test_parseRequestOptionsFromJSON_minimal() {
let requestOptionsJSON = {
challenge: "3yW2WHD_jbU",
};
let requestOptions = PublicKeyCredential.parseRequestOptionsFromJSON(requestOptionsJSON);
is(Object.getOwnPropertyNames(requestOptions).length, 4, "request options should have 4 properties");
arrayBufferEqualsArray(requestOptions.challenge, [ 223, 37, 182, 88, 112, 255, 141, 181 ], "challenge should be as expected");
is(requestOptions.timeout, undefined, "timeout should be undefined");
is(requestOptions.rpId, undefined, "rpId should be undefined");
isEmptyArray(requestOptions.allowCredentials, "allowCredentials should be an empty array");
is(requestOptions.userVerification, "preferred", "userVerification should be preferred");
is(Object.getOwnPropertyNames(requestOptions.extensions).length, 0, "extensions should be an empty object");
});
add_task(function test_parseRequestOptionsFromJSON() {
let requestOptionsJSON = {
challenge: "QAfaZwEQCkQ",
timeout: 25000,
rpId: "example.com",
allowCredentials: [{type: "public-key", id: "BTBXXGuXRTk", transports: ["smart-card"] }],
userVerification: "discouraged",
hints: ["client-device"],
attestation: "enterprise",
attestationFormats: ["packed"],
extensions: {
appid: "https://www.example.com/anotherAppID",
prf: {
eval: {
first: "Zmlyc3Q",
second: "c2Vjb25k"
},
evalByCredential: {
"19TVpqBBOAM": {
first: "Zmlyc3Q",
second: "c2Vjb25k"
}
}
}
},
};
let requestOptions = PublicKeyCredential.parseRequestOptionsFromJSON(requestOptionsJSON);
is(Object.getOwnPropertyNames(requestOptions).length, 6, "request options should have 6 properties");
arrayBufferEqualsArray(requestOptions.challenge, [ 64, 7, 218, 103, 1, 16, 10, 68 ], "challenge should be as expected");
is(requestOptions.timeout, 25000, "timeout should be 25000");
is(requestOptions.rpId, "example.com", "rpId should be example.com");
is(requestOptions.allowCredentials.length, 1, "allowCredentials should have one element");
is(requestOptions.allowCredentials[0].type, "public-key", "allowCredentials[0].type should be public-key");
arrayBufferEqualsArray(requestOptions.allowCredentials[0].id, [ 5, 48, 87, 92, 107, 151, 69, 57 ], "allowCredentials[0].id should be as expected");
is(requestOptions.allowCredentials[0].transports.length, 1, "allowCredentials[0].transports should have one element");
is(requestOptions.allowCredentials[0].transports[0], "smart-card", "allowCredentials[0].transports[0] should be usb");
is(requestOptions.userVerification, "discouraged", "userVerification should be discouraged");
is(requestOptions.extensions.appid, "https://www.example.com/anotherAppID", "extensions.appid should be https://www.example.com/anotherAppID");
arrayBufferEqualsArray(requestOptions.extensions.prf.eval.first, [102, 105, 114, 115, 116], "extensions.prf.eval.first should be 'first'");
arrayBufferEqualsArray(requestOptions.extensions.prf.eval.second, [115, 101, 99, 111, 110, 100], "extensions.prf.eval.second should be 'second'");
arrayBufferEqualsArray(requestOptions.extensions.prf.evalByCredential["19TVpqBBOAM"].first, [102, 105, 114, 115, 116], "extensions.prf.evalByCredential[\"19TVpqBBOAM\"].first should be 'first'");
arrayBufferEqualsArray(requestOptions.extensions.prf.evalByCredential["19TVpqBBOAM"].second, [115, 101, 99, 111, 110, 100], "extensions.prf.evalByCredential[\"19TVpqBBOAM\"].second should be 'second'");
});
add_task(function test_parseRequestOptionsFromJSON_malformed() {
let challengeNotBase64 = {
challenge: "/not+urlsafe+base64/",
};
shouldThrow(
() => { PublicKeyCredential.parseRequestOptionsFromJSON(challengeNotBase64); },
"PublicKeyCredential.parseRequestOptionsFromJSON: could not decode challenge as urlsafe base64",
"should get encoding error if challenge is not urlsafe base64"
);
let allowCredentialsIdNotBase64 = {
challenge: "QAfaZwEQCkQ",
timeout: 25000,
rpId: "example.com",
allowCredentials: [{type: "public-key", id: "not urlsafe base64", transports: ["smart-card"] }],
userVerification: "discouraged",
hints: ["client-device"],
attestation: "enterprise",
attestationFormats: ["packed"],
extensions: { appid: "https://www.example.com/anotherAppID" },
};
shouldThrow(
() => { PublicKeyCredential.parseRequestOptionsFromJSON(allowCredentialsIdNotBase64); },
"PublicKeyCredential.parseRequestOptionsFromJSON: could not decode allowed credential ID as urlsafe base64",
"should get encoding error if allowCredentials[0].id is not urlsafe base64"
);
});
add_task(async () => {
await addVirtualAuthenticator();
});
function isUrlsafeBase64(urlsafeBase64) {
try {
atob(urlsafeBase64.replace(/_/g, "/").replace(/-/g, "+"));
return true;
} catch (_) {}
return false;
}
add_task(async function test_registrationResponse_toJSON() {
let publicKey = {
rp: {id: document.domain, name: "none", icon: "none"},
user: {id: new Uint8Array(), name: "none", icon: "none", displayName: "none"},
challenge: crypto.getRandomValues(new Uint8Array(16)),
pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],
authenticatorSelection: { residentKey: "discouraged" },
extensions: { credProps: true }
};
let registrationResponse = await navigator.credentials.create({publicKey});
let registrationResponseJSON = registrationResponse.toJSON();
is(Object.keys(registrationResponseJSON).length, 6, "registrationResponseJSON should have 6 properties");
is(registrationResponseJSON.id, registrationResponseJSON.rawId, "registrationResponseJSON.id and rawId should be the same");
ok(isUrlsafeBase64(registrationResponseJSON.id), "registrationResponseJSON.id should be urlsafe base64");
is(Object.keys(registrationResponseJSON.response).length, 6, "registrationResponseJSON.response should have 6 properties");
ok(isUrlsafeBase64(registrationResponseJSON.response.clientDataJSON), "registrationResponseJSON.response.clientDataJSON should be urlsafe base64");
ok(isUrlsafeBase64(registrationResponseJSON.response.authenticatorData), "registrationResponseJSON.response.authenticatorData should be urlsafe base64");
ok(isUrlsafeBase64(registrationResponseJSON.response.publicKey), "registrationResponseJSON.response.publicKey should be urlsafe base64");
ok(isUrlsafeBase64(registrationResponseJSON.response.attestationObject), "registrationResponseJSON.response.attestationObject should be urlsafe base64");
is(registrationResponseJSON.response.publicKeyAlgorithm, cose_alg_ECDSA_w_SHA256, "registrationResponseJSON.response.publicKeyAlgorithm should be ECDSA with SHA256 (COSE)");
is(registrationResponseJSON.response.transports.length, 1, "registrationResponseJSON.response.transports.length should be 1");
is(registrationResponseJSON.response.transports[0], "internal", "registrationResponseJSON.response.transports[0] should be internal");
is(registrationResponseJSON.authenticatorAttachment, "platform", "registrationResponseJSON.authenticatorAttachment should be platform");
is(registrationResponseJSON.clientExtensionResults?.credProps?.rk, false, "registrationResponseJSON.clientExtensionResults.credProps.rk should be false");
is(registrationResponseJSON.type, "public-key", "registrationResponseJSON.type should be public-key");
});
add_task(async function test_assertionResponse_toJSON() {
let registrationRequest = {
publicKey: {
rp: {id: document.domain, name: "none", icon: "none"},
user: {id: new Uint8Array(), name: "none", icon: "none", displayName: "none"},
challenge: crypto.getRandomValues(new Uint8Array(16)),
pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],
extensions: { prf: { enabled: true } }
},
};
let registrationResponse = await navigator.credentials.create(registrationRequest);
let assertionRequest = {
publicKey: {
challenge: crypto.getRandomValues(new Uint8Array(16)),
allowCredentials: [{ type: "public-key", id: registrationResponse.rawId }],
extensions: { prf: { eval: { first: new Uint8Array([1,2,3,4,5]).buffer } } }
},
};
let assertionResponse = await navigator.credentials.get(assertionRequest);
let assertionResponseJSON = assertionResponse.toJSON();
is(Object.keys(assertionResponseJSON).length, 6, "assertionResponseJSON should have 6 properties");
is(assertionResponseJSON.id, assertionResponseJSON.rawId, "assertionResponseJSON.id and rawId should be the same");
ok(isUrlsafeBase64(assertionResponseJSON.id), "assertionResponseJSON.id should be urlsafe base64");
is(Object.keys(assertionResponseJSON.response).length, 3, "assertionResponseJSON.response should have 3 properties");
ok(isUrlsafeBase64(assertionResponseJSON.response.clientDataJSON), "assertionResponseJSON.response.clientDataJSON should be urlsafe base64");
ok(isUrlsafeBase64(assertionResponseJSON.response.authenticatorData), "assertionResponseJSON.response.authenticatorData should be urlsafe base64");
ok(isUrlsafeBase64(assertionResponseJSON.response.signature), "assertionResponseJSON.response.signature should be urlsafe base64");
is(assertionResponseJSON.authenticatorAttachment, "platform", "assertionResponseJSON.authenticatorAttachment should be platform");
is(Object.keys(assertionResponseJSON.clientExtensionResults).length, 1, "assertionResponseJSON.clientExtensionResults should have one entry");
ok(isUrlsafeBase64(assertionResponseJSON.clientExtensionResults.prf.results.first), "assertionResponseJSON.clientExtensionResults.prf.results should be urlsafe base64");
is(assertionResponseJSON.clientExtensionResults.prf.results.first.length, 43, "assertionResponseJSON.clientExtensionResults.prf.results should be of length 43");
is(assertionResponseJSON.type, "public-key", "assertionResponseJSON.type should be public-key");
});
</script>
</body>
</html>
|
