1 files changed, 68 insertions, 0 deletions

diff --git a/dom/webauthn/tests/test_webauthn_ctap2_omitted_credential_id.html b/dom/webauthn/tests/test_webauthn_ctap2_omitted_credential_id.html
new file mode 100644
index 0000000000..a2c14eb91d
--- /dev/null
+++ b/dom/webauthn/tests/test_webauthn_ctap2_omitted_credential_id.html
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<head>
+  <title>Tests for omitted credential ID in a CTAP 2.0 authenticator response</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="u2futil.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+  <h1>Tests for omitted credential ID in a CTAP 2.0 authenticator response</h1>
+  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1864504">Mozilla Bug 1864504</a>
+
+  <script class="testbody" type="text/javascript">
+    "use strict";
+
+    add_task(async () => {
+      // CTAP 2.0 allows GetAssertion responses to omit a credential
+      // ID if the allowlist has length one. This can cause problems in
+      // MakeCredential as well because GetAssertion is used for pre-flighting.
+      await addVirtualAuthenticator("ctap2");
+    });
+
+    let validCred = null;
+
+    add_task(test_setup_valid_credential);
+    add_task(test_create_with_one_excluded_credential);
+    add_task(test_get_with_one_allowed_credential);
+
+    async function test_setup_valid_credential() {
+      let publicKey = {
+        rp: {id: document.domain, name: "none"},
+        user: {id: new Uint8Array(), name: "none", displayName: "none"},
+        challenge: crypto.getRandomValues(new Uint8Array(16)),
+        pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],
+      };
+
+      let res = await navigator.credentials.create({publicKey});
+      validCred = {type: "public-key", id: res.rawId};
+    }
+
+    async function test_create_with_one_excluded_credential() {
+      let publicKey = {
+        rp: {id: document.domain, name: "none"},
+        user: {id: new Uint8Array(), name: "none", displayName: "none"},
+        challenge: crypto.getRandomValues(new Uint8Array(16)),
+        excludeList: [validCred],
+        pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],
+      };
+
+      await navigator.credentials.create({publicKey});
+      ok(true, "create should not throw");
+    }
+
+    async function test_get_with_one_allowed_credential() {
+      let publicKey = {
+        challenge: crypto.getRandomValues(new Uint8Array(16)),
+        allowCredentials: [validCred]
+      };
+
+      await navigator.credentials.get({publicKey});
+      ok(true, "get should not throw");
+    }
+
+  </script>
+
+</body>
+</html>