diff options
Diffstat (limited to 'dom/webauthn/tests/test_webauthn_attestation_conveyance.html')
-rw-r--r-- | dom/webauthn/tests/test_webauthn_attestation_conveyance.html | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/dom/webauthn/tests/test_webauthn_attestation_conveyance.html b/dom/webauthn/tests/test_webauthn_attestation_conveyance.html new file mode 100644 index 0000000000..061e2c2624 --- /dev/null +++ b/dom/webauthn/tests/test_webauthn_attestation_conveyance.html @@ -0,0 +1,103 @@ +<!DOCTYPE html> +<meta charset=utf-8> +<head> + <title>W3C Web Authentication - Attestation Conveyance</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="u2futil.js"></script> + <script type="text/javascript" src="pkijs/common.js"></script> + <script type="text/javascript" src="pkijs/asn1.js"></script> + <script type="text/javascript" src="pkijs/x509_schema.js"></script> + <script type="text/javascript" src="pkijs/x509_simpl.js"></script> + <script type="text/javascript" src="cbor.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> + + <h1>W3C Web Authentication - Attestation Conveyance</h1> + <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1428916">Mozilla Bug 1428916</a> + <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1416056">Mozilla Bug 1416056</a> + + <script class="testbody" type="text/javascript"> + "use strict"; + + add_task(async () => { + await SpecialPowers.pushPrefEnv({"set": [ + ["security.webauth.webauthn_testing_allow_direct_attestation", true], + ]}); + await addVirtualAuthenticator(); + }); + + function verifyAnonymizedCertificate(aResult) { + return webAuthnDecodeCBORAttestation(aResult.response.attestationObject) + .then(({fmt, attStmt}) => { + is(fmt, "none", "Is a None Attestation"); + is(typeof(attStmt), "object", "attStmt is a map"); + is(Object.keys(attStmt).length, 0, "attStmt is empty"); + }); + } + + async function verifyDirectCertificate(aResult) { + let clientDataHash = await crypto.subtle.digest("SHA-256", aResult.response.clientDataJSON) + .then(digest => new Uint8Array(digest)); + let {fmt, attStmt, authData, authDataObj} = await webAuthnDecodeCBORAttestation(aResult.response.attestationObject); + is(fmt, "packed", "Is a Packed Attestation"); + let signedData = new Uint8Array(authData.length + clientDataHash.length); + signedData.set(authData); + signedData.set(clientDataHash, authData.length); + let valid = await verifySignature(authDataObj.publicKeyHandle, signedData, new Uint8Array(attStmt.sig)); + ok(valid, "Signature is valid."); + } + + function arrivingHereIsBad(aResult) { + ok(false, "Bad result! Received a: " + aResult); + } + + function expectTypeError(aResult) { + ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError, got " + aResult); + } + + // Start a new MakeCredential() request. + function requestMakeCredential(attestation) { + let publicKey = { + rp: {id: document.domain, name: "none"}, + user: {id: new Uint8Array(), name: "none", displayName: "none"}, + challenge: crypto.getRandomValues(new Uint8Array(16)), + timeout: 5000, // the minimum timeout is actually 15 seconds + pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}], + attestation, + }; + + return navigator.credentials.create({publicKey}); + } + + // Test success cases for make credential. + add_task(async function test_make_credential_success () { + // No selection criteria should be equal to none, which means anonymized + await requestMakeCredential() + .then(verifyAnonymizedCertificate) + .catch(arrivingHereIsBad); + + // Request an unknown attestation type. This should be treated as "none". + await requestMakeCredential("unknown") + .then(verifyAnonymizedCertificate) + .catch(arrivingHereIsBad); + + // Request no attestation. + await requestMakeCredential("none") + .then(verifyAnonymizedCertificate) + .catch(arrivingHereIsBad); + + // Request indirect attestation, which is the same as direct. + await requestMakeCredential("indirect") + .then(verifyDirectCertificate) + .catch(arrivingHereIsBad); + + // Request direct attestation, which will prompt for user intervention. + await requestMakeCredential("direct") + .then(verifyDirectCertificate) + .catch(arrivingHereIsBad); + }); + </script> + +</body> +</html> |