Diffstat (limited to 'dom/webauthn/MacOSWebAuthnService.mm')
-rw-r--r--dom/webauthn/MacOSWebAuthnService.mm73
1 files changed, 64 insertions, 9 deletions
diff --git a/dom/webauthn/MacOSWebAuthnService.mm b/dom/webauthn/MacOSWebAuthnService.mm
index cec9600e57..fc08ee1a48 100644
--- a/dom/webauthn/MacOSWebAuthnService.mm
+++ b/dom/webauthn/MacOSWebAuthnService.mm
@@ -338,6 +338,12 @@ nsTArray<uint8_t> NSDataToArray(NSData* data) {
}
#endif
} else {
+ // The platform didn't tell us what transport was used, but we know it
+ // wasn't the internal transport. The transport response is not signed by
+ // the authenticator. It represents the "transports that the authenticator
+ // is believed to support, or an empty sequence if the information is
+ // unavailable". We believe macOS supports usb, so we return usb.
+ transports.AppendElement(u"usb"_ns);
authenticatorAttachment.emplace(u"cross-platform"_ns);
}
mCallback->FinishMakeCredential(rawAttestationObject, credentialId,
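Review bot: The hard-coded `usb` in the else branch is reported for every non-internal registration, so a key reached over another transport would be recorded with a list that omits the one it actually used; whether the platform API accepts such keys is not visible in this hunk. Relying parties commonly store this list and replay it as a hint in `allowCredentials`, so the comment should say the value is a best-effort guess and not an input to any policy decision, e.g. `// Best-effort hint: the key may have been reached over another transport (nfc, ble).` The enclosing function starts and ends outside the hunk.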
@@ -605,6 +611,9 @@ MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
userVerificationPreference = Nothing();
nsAutoString userVerification;
Unused << aArgs->GetUserVerification(userVerification);
+ // This mapping needs to be reviewed if values are added to the
+ // UserVerificationRequirement enum.
+ static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3);
if (userVerification.EqualsLiteral(
MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED)) {
userVerificationPreference.emplace(
@@ -620,12 +629,51 @@ MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
ASAuthorizationPublicKeyCredentialUserVerificationPreferenceDiscouraged);
}
- // The API doesn't support attestation for platform passkeys and shows
- // no consent UI for non-none attestation for cross-platform devices,
- // so this must always be none.
- ASAuthorizationPublicKeyCredentialAttestationKind
- attestationPreference =
- ASAuthorizationPublicKeyCredentialAttestationKindNone;
+ // The API doesn't support attestation for platform passkeys, so this is
+ // only used for security keys.
+ ASAuthorizationPublicKeyCredentialAttestationKind attestationPreference;
+ nsAutoString mozAttestationPreference;
+ Unused << aArgs->GetAttestationConveyancePreference(
+ mozAttestationPreference);
+ if (mozAttestationPreference.EqualsLiteral(
+ MOZ_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT)) {
+ attestationPreference =
+ ASAuthorizationPublicKeyCredentialAttestationKindIndirect;
+ } else if (mozAttestationPreference.EqualsLiteral(
+ MOZ_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT)) {
+ attestationPreference =
+ ASAuthorizationPublicKeyCredentialAttestationKindDirect;
+ } else if (
+ mozAttestationPreference.EqualsLiteral(
+ MOZ_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ENTERPRISE)) {
+ attestationPreference =
+ ASAuthorizationPublicKeyCredentialAttestationKindEnterprise;
+ } else {
+ attestationPreference =
+ ASAuthorizationPublicKeyCredentialAttestationKindNone;
+ }
+
+ ASAuthorizationPublicKeyCredentialResidentKeyPreference
+ residentKeyPreference;
+ nsAutoString mozResidentKey;
+ Unused << aArgs->GetResidentKey(mozResidentKey);
+ // This mapping needs to be reviewed if values are added to the
+ // ResidentKeyRequirement enum.
+ static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3);
+ if (mozResidentKey.EqualsLiteral(
+ MOZ_WEBAUTHN_RESIDENT_KEY_REQUIREMENT_REQUIRED)) {
+ residentKeyPreference =
+ ASAuthorizationPublicKeyCredentialResidentKeyPreferenceRequired;
+ } else if (mozResidentKey.EqualsLiteral(
+ MOZ_WEBAUTHN_RESIDENT_KEY_REQUIREMENT_PREFERRED)) {
+ residentKeyPreference =
+ ASAuthorizationPublicKeyCredentialResidentKeyPreferencePreferred;
+ } else {
+ MOZ_ASSERT(mozResidentKey.EqualsLiteral(
+ MOZ_WEBAUTHN_RESIDENT_KEY_REQUIREMENT_DISCOURAGED));
+ residentKeyPreference =
+ ASAuthorizationPublicKeyCredentialResidentKeyPreferenceDiscouraged;
+ }
// Initialize the platform provider with the rpId.
ASAuthorizationPlatformPublicKeyCredentialProvider* platformProvider =
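Review bot: Non-none attestation is now forwarded to the security-key request, but the removed comment's reason for forcing `None` (no consent UI for cross-platform devices) is dropped without saying what covers it now. Attestation statements can reveal the authenticator model, and `enterprise` attestation may uniquely identify the device, so the new comment should name where consent is obtained or the statement is stripped, e.g. `// Consent for non-none attestation is enforced by <caller, to be confirmed>, not by this service.` This matters because `SetHasAttestationConsent` in the last hunk of this file still returns `NS_ERROR_NOT_IMPLEMENTED`. The attestation chain also lacks the `static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3);` guard that the user-verification and resident-key mappings carry, so a newly added conveyance value would silently fall through to `None`. MakeCredential starts and ends outside the hunk.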
@@ -639,8 +687,10 @@ MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
name:userNameNS
userID:userIdNS];
[platformProvider release];
+
+ // The API doesn't support attestation for platform passkeys
platformRegistrationRequest.attestationPreference =
- attestationPreference;
+ ASAuthorizationPublicKeyCredentialAttestationKindNone;
if (userVerificationPreference.isSome()) {
platformRegistrationRequest.userVerificationPreference =
*userVerificationPreference;
@@ -665,6 +715,8 @@ MacOSWebAuthnService::MakeCredential(uint64_t aTransactionId,
attestationPreference;
crossPlatformRegistrationRequest.credentialParameters =
credentialParameters;
+ crossPlatformRegistrationRequest.residentKeyPreference =
+ residentKeyPreference;
if (userVerificationPreference.isSome()) {
crossPlatformRegistrationRequest.userVerificationPreference =
*userVerificationPreference;
@@ -914,6 +966,9 @@ void MacOSWebAuthnService::DoGetAssertion(
userVerificationPreference = Nothing();
nsAutoString userVerification;
Unused << aArgs->GetUserVerification(userVerification);
+ // This mapping needs to be reviewed if values are added to the
+ // UserVerificationRequirement enum.
+ static_assert(MOZ_WEBAUTHN_ENUM_STRINGS_VERSION == 3);
if (userVerification.EqualsLiteral(
MOZ_WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED)) {
userVerificationPreference.emplace(
@@ -1115,8 +1170,8 @@ MacOSWebAuthnService::PinCallback(uint64_t aTransactionId,
}
NS_IMETHODIMP
-MacOSWebAuthnService::ResumeMakeCredential(uint64_t aTransactionId,
- bool aForceNoneAttestation) {
+MacOSWebAuthnService::SetHasAttestationConsent(uint64_t aTransactionId,
+ bool aHasConsent) {
return NS_ERROR_NOT_IMPLEMENTED;
}