Diffstat (limited to 'dom/webauthn/MacOSWebAuthnService.mm')
-rw-r--r-- | dom/webauthn/MacOSWebAuthnService.mm | 73 |
1 files changed, 64 insertions, 9 deletions
diff --git a/dom/webauthn/MacOSWebAuthnService.mm b/dom/webauthn/MacOSWebAuthnService.mm
index cec9600e57..fc08ee1a48 100644
--- a/dom/webauthn/MacOSWebAuthnService.mm
+++ b/dom/webauthn/MacOSWebAuthnService.mm
@@ -338,6 +338,12 @@ nsTArray<uint8_t> NSDataToArray(NSData* data) {
 }
 #endif
 } else {
+ // The platform didn't tell us what transport was used, but we know it
+ // wasn't the internal transport. The transport response is not signed by
+ // the authenticator. It represents the "transports that the authenticator
+ // is believed to support, or an empty sequence if the information is
+ // unavailable". We believe macOS supports usb, so we return usb.
+ transports.AppendElement(u"usb"_ns);
 authenticatorAttachment.emplace(u"cross-platform"_ns);
 }
 mCallback->FinishMakeCredential(rawAttestationObject, credentialId,
@@ -605,6 +611,9 @@ MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
 userVerificationPreference = Nothing();
 nsAutoString userVerification;
 Unused << aArgs->GetUserVerification(userVerification);
+ // This mapping needs to be reviewed if values are added to the
+ // UserVerificationRequirement enum.
+ static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3);
 if (userVerification.EqualsLiteral(
 MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED)) {
 userVerificationPreference.emplace(
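Review bot: The `usb` fallback in the `else` branch reports one fixed transport for every cross-platform credential, so a key that was actually enrolled over a different transport would be recorded by the relying party as usb-only. The added comment already says the value is unsigned and advisory, but it should also note that relying parties commonly replay this list as transport hints in later assertion requests, which is where a wrong guess has an effect. The quoted spec text allows an empty sequence when the information is unavailable, so if that option was considered, a line such as `// An empty list was not used because <reason>.` would record the decision. The enclosing function starts and ends outside the hunk.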
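Review bot: The guard `static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3);` has no message, so a version bump breaks the build without saying which mapping needs review; the same bare guard is repeated at the ResidentKeyRequirement mapping and in DoGetAssertion. Consider `static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3, "review the UserVerificationRequirement mapping");` at each site. The AttestationConveyancePreference chain added later in MakeCredential has no such guard, although it also falls through to a default for unrecognised strings; if that enum is covered by the same version constant, it should get one too. The if/else chain guarded here continues outside the hunk.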
@@ -620,12 +629,51 @@ MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
 ASAuthorizationPublicKeyCredentialUserVerificationPreferenceDiscouraged);
 }
- // The API doesn't support attestation for platform passkeys and shows
- // no consent UI for non-none attestation for cross-platform devices,
- // so this must always be none.
- ASAuthorizationPublicKeyCredentialAttestationKind
- attestationPreference =
- ASAuthorizationPublicKeyCredentialAttestationKindNone;
+ // The API doesn't support attestation for platform passkeys, so this is
+ // only used for security keys.
+ ASAuthorizationPublicKeyCredentialAttestationKind attestationPreference;
+ nsAutoString mozAttestationPreference;
+ Unused << aArgs->GetAttestationConveyancePreference(
+ mozAttestationPreference);
+ if (mozAttestationPreference.EqualsLiteral(
+ MOZ_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT)) {
+ attestationPreference =
+ ASAuthorizationPublicKeyCredentialAttestationKindIndirect;
+ } else if (mozAttestationPreference.EqualsLiteral(
+ MOZ_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT)) {
+ attestationPreference =
+ ASAuthorizationPublicKeyCredentialAttestationKindDirect;
+ } else if (
+ mozAttestationPreference.EqualsLiteral(
+ MOZ_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ENTERPRISE)) {
+ attestationPreference =
+ ASAuthorizationPublicKeyCredentialAttestationKindEnterprise;
+ } else {
+ attestationPreference =
+ ASAuthorizationPublicKeyCredentialAttestationKindNone;
+ }
+
+ ASAuthorizationPublicKeyCredentialResidentKeyPreference
+ residentKeyPreference;
+ nsAutoString mozResidentKey;
+ Unused << aArgs->GetResidentKey(mozResidentKey);
+ // This mapping needs to be reviewed if values are added to the
+ // ResidentKeyRequirement enum.
+ static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3);
+ if (mozResidentKey.EqualsLiteral(
+ MOZ_WEBAUTHN_RESIDENT_KEY_REQUIREMENT_REQUIRED)) {
+ residentKeyPreference =
+ ASAuthorizationPublicKeyCredentialResidentKeyPreferenceRequired;
+ } else if (mozResidentKey.EqualsLiteral(
+ MOZ_WEBAUTHN_RESIDENT_KEY_REQUIREMENT_PREFERRED)) {
+ residentKeyPreference =
+ ASAuthorizationPublicKeyCredentialResidentKeyPreferencePreferred;
+ } else {
+ MOZ_ASSERT(mozResidentKey.EqualsLiteral(
+ MOZ_WEBAUTHN_RESIDENT_KEY_REQUIREMENT_DISCOURAGED));
+ residentKeyPreference =
+ ASAuthorizationPublicKeyCredentialResidentKeyPreferenceDiscouraged;
+ }
 // Initialize the platform provider with the rpId.
 ASAuthorizationPlatformPublicKeyCredentialProvider* platformProvider =
@@ -639,8 +687,10 @@ MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
 name:userNameNS
 userID:userIdNS];
 [platformProvider release];
+
+ // The API doesn't support attestation for platform passkeys
 platformRegistrationRequest.attestationPreference =
- attestationPreference;
+ ASAuthorizationPublicKeyCredentialAttestationKindNone;
 if (userVerificationPreference.isSome()) {
 platformRegistrationRequest.userVerificationPreference =
 *userVerificationPreference;
@@ -665,6 +715,8 @@ MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
 attestationPreference;
 crossPlatformRegistrationRequest.credentialParameters =
 credentialParameters;
+ crossPlatformRegistrationRequest.residentKeyPreference =
+ residentKeyPreference;
 if (userVerificationPreference.isSome()) {
 crossPlatformRegistrationRequest.userVerificationPreference =
 *userVerificationPreference;
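Review bot: The rewritten attestation comment drops the earlier warning that the platform shows no consent UI for non-none attestation on cross-platform devices, yet `attestationPreference` can now be Indirect, Direct or Enterprise for security keys. Attestation statements can identify the authenticator model, and enterprise attestation can identify the individual device, so a reader needs to know where consent is enforced or the statement is stripped before the result reaches the page; `SetHasAttestationConsent` in this file still returns `NS_ERROR_NOT_IMPLEMENTED`, so presumably a caller handles it. Please state that in the comment, for example `// Consent and anonymization are handled by the caller; see <component>.`, and say whether enterprise attestation is limited to permitted RP IDs there. Separately, a failed `GetResidentKey` leaves `mozResidentKey` empty and release builds then map it to Discouraged without any signal, because the only check in that branch is `MOZ_ASSERT`.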
@@ -914,6 +966,9 @@ void MacOSWebAuthnService::DoGetAssertion(
 userVerificationPreference = Nothing();
 nsAutoString userVerification;
 Unused << aArgs->GetUserVerification(userVerification);
+ // This mapping needs to be reviewed if values are added to the
+ // UserVerificationRequirement enum.
+ static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3);
 if (userVerification.EqualsLiteral(
 MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED)) {
 userVerificationPreference.emplace(
@@ -1115,8 +1170,8 @@ MacOSWebAuthnService::PinCallback(uint64_t aTransactionId,
 }
 NS_IMETHODIMP
-MacOSWebAuthnService::ResumeMakeCredential(uint64_t aTransactionId,
- bool aForceNoneAttestation) {
+MacOSWebAuthnService::SetHasAttestationConsent(uint64_t aTransactionId,
+ bool aHasConsent) {
 return NS_ERROR_NOT_IMPLEMENTED;
 }
|