firefox/testing/web-platform/tests/webauthn/getcredential-prf.https.html

<!DOCTYPE html>
<meta charset="utf-8">
<title>navigator.credentials.get() prf extension tests with authenticator support</title>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>
<script src=helpers.js></script>
<body></body>
<script>
standardSetup(async function(authenticator) {
  "use strict";

  const b64 = buf => btoa(String.fromCharCode.apply(null, new Uint8Array(buf)));
  const b64url = buf => b64(buf).
    replace(/\+/g, '-').
    replace(/\//g, '_').
    replace(/=+$/, '');

  const credential = createCredential({
    options: {
      publicKey: {
        extensions: {
          prf: {},
        },
      },
    },
  });

  const assert = (id, prfExt) =>
    navigator.credentials.get({publicKey: {
      challenge: new Uint8Array(),
      allowCredentials: [{
        id: id,
        type: "public-key",
      }],
      extensions: {
        prf: prfExt,
      },
    }});

  promise_test(async t => {
    const id = (await credential).rawId;
    const assertion = await assert(id, {
          eval: {
            first: new Uint8Array([1,2,3,4]).buffer,
          },
    });
    const results = assertion.getClientExtensionResults().prf.results;
    assert_equals(results.first.byteLength, 32)
    assert_not_own_property(results, 'second');
  }, "navigator.credentials.get() with single evaluation point");

  promise_test(async t => {
    const id = (await credential).rawId;
    const assertion = await assert(id, {
          eval: {
            first: new Uint8Array([1,2,3,4]).buffer,
            second: new Uint8Array([1,2,3,4]).buffer,
          },
    });
    const results = assertion.getClientExtensionResults().prf.results;
    assert_equals(results.first.byteLength, 32)
    assert_equals(results.second.byteLength, 32)
    assert_equals(b64(results.first), b64(results.second));
  }, "navigator.credentials.get() with two equal evaluation points");

  promise_test(async t => {
    const id = (await credential).rawId;
    const assertion = await assert(id, {
          eval: {
            first: new Uint8Array([1,2,3,4]).buffer,
            second: new Uint8Array([1,2,3,5]).buffer,
          },
    });
    const results = assertion.getClientExtensionResults().prf.results;
    assert_equals(results.first.byteLength, 32)
    assert_equals(results.second.byteLength, 32)
    assert_not_equals(b64(results.first), b64(results.second));
  }, "navigator.credentials.get() with two distinct evaluation points");

  promise_test(async t => {
    const id = (await credential).rawId;
    const byCred = {};
    byCred[b64url(id)] = {
      first: new Uint8Array([1,2,3,4]).buffer,
    };
    const assertion = await assert(id, {
          evalByCredential: byCred,
    });
    const results = assertion.getClientExtensionResults().prf.results;
    assert_equals(results.first.byteLength, 32)
    assert_not_own_property(results, 'second');
  }, "navigator.credentials.get() using credential ID with one evaluation point");

  promise_test(async t => {
    const id = (await credential).rawId;
    const byCred = {};
    byCred[b64url(id)] = {
      first: new Uint8Array([1,2,3,4]).buffer,
      second: new Uint8Array([1,2,3,4]).buffer,
    };
    const assertion = await assert(id, {
          evalByCredential: byCred,
    });
    const results = assertion.getClientExtensionResults().prf.results;
    assert_equals(results.first.byteLength, 32)
    assert_equals(results.second.byteLength, 32)
    assert_equals(b64(results.first), b64(results.second));
  }, "navigator.credentials.get() using credential ID with two evaluation points");

  promise_test(async t => {
    const id = (await credential).rawId;
    const byCred = {};
    byCred["Zm9v"] = {
      first: new Uint8Array([1,2,3,4]).buffer,
    };
    return promise_rejects_dom(t, "SyntaxError", assert(id, {
          evalByCredential: byCred,
    }));
  }, "navigator.credentials.get() with credential ID not in allowedCredentials");

  promise_test(async t => {
    const id = (await credential).rawId;
    const byCred = {};
    byCred["Zm9v"] = {
      first: new Uint8Array([1,2,3,4]),
    };
    return promise_rejects_dom(t, "SyntaxError", assert(id, {
          evalByCredential: byCred,
    }));
  }, "navigator.credentials.get() with Uint8Array credential ID not in allowedCredentials");

  promise_test(async t => {
    const id = (await credential).rawId;
    const byCred = {};
    byCred["Zm9v="] = {
      first: new Uint8Array([1,2,3,4]).buffer,
    };
    return promise_rejects_dom(
      t, "SyntaxError", assert(id, {evalByCredential: byCred }));
  }, "navigator.credentials.get() using invalid base64url credential ID");

  promise_test(async t => {
    const id = (await credential).rawId;
    const byCred = {};
    byCred["Zm9v"] = {
      first: new Uint8Array([1,2,3,4]).buffer,
    };
    const promise = navigator.credentials.get({publicKey: {
      challenge: new Uint8Array(),
      extensions: {
        prf: {evalByCredential: byCred },
      },
    }});
    return promise_rejects_dom(t, "NotSupportedError", promise);
  }, "navigator.credentials.get() with an empty allow list but also using evalByCredential");
}, {
  protocol: "ctap2_1",
  extensions: ["prf"],
  hasUserVerification: true,
  isUserVerified: true,
});
</script>