diff options
Diffstat (limited to 'dom/webauthn/tests/test_webauthn_make_credential.html')
| -rw-r--r-- | dom/webauthn/tests/test_webauthn_make_credential.html | 459 |
1 files changed, 459 insertions, 0 deletions
diff --git a/dom/webauthn/tests/test_webauthn_make_credential.html b/dom/webauthn/tests/test_webauthn_make_credential.html new file mode 100644 index 0000000000..4812d0da0d --- /dev/null +++ b/dom/webauthn/tests/test_webauthn_make_credential.html @@ -0,0 +1,459 @@ +<!DOCTYPE html> +<meta charset=utf-8> +<head> + <title>Test for MakeCredential for W3C Web Authentication</title> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <script type="text/javascript" src="u2futil.js"></script> + <script type="text/javascript" src="pkijs/common.js"></script> + <script type="text/javascript" src="pkijs/asn1.js"></script> + <script type="text/javascript" src="pkijs/x509_schema.js"></script> + <script type="text/javascript" src="pkijs/x509_simpl.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> + + <h1>Test for MakeCredential for W3C Web Authentication</h1> + <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1309284">Mozilla Bug 1309284</a> + + <script class="testbody" type="text/javascript"> + "use strict"; + + add_task(async () => { + await addVirtualAuthenticator(); + }); + + is(navigator.authentication, undefined, "navigator.authentication does not exist any longer"); + isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist"); + isnot(navigator.credentials.create, undefined, "CredentialManagement create API endpoint must exist"); + isnot(navigator.credentials.get, undefined, "CredentialManagement get API endpoint must exist"); + + let credm; + let gCredentialChallenge; + let rp; + let user; + let param; + let unsupportedParam; + let unknownParam; + + // Setup test env + add_task(() => { + gCredentialChallenge = new Uint8Array(16); + window.crypto.getRandomValues(gCredentialChallenge); + + rp = {id: document.domain, name: "none"}; + user = {id: new Uint8Array(64), name: "none", displayName: "none"}; + param = {type: "public-key", alg: cose_alg_ECDSA_w_SHA256}; + unsupportedParam = {type: "public-key", alg: cose_alg_ECDSA_w_SHA512}; + unknownParam = {type: "SimplePassword", alg: "MaxLength=2"}; + credm = navigator.credentials; + }); + // Add tests + add_task(test_good_call); + add_task(test_empty_account); + add_task(test_without_rp_name); + add_task(test_without_user_id); + add_task(test_without_user_name); + add_task(test_without_user_displayname); + add_task(test_user_too_large); + add_task(test_empty_parameters); + add_task(test_without_parameters); + add_task(test_unsupported_parameter); + add_task(test_unsupported_but_one_param); + add_task(test_one_unknown_parameter); + add_task(test_one_unknown_one_unsupported_param); + add_task(test_one_of_each_parameters); + add_task(test_without_challenge); + add_task(test_invalid_challenge); + add_task(test_duplicate_pub_key); + add_task(test_invalid_rp_id); + add_task(test_invalid_rp_id_2); + add_task(test_missing_rp); + add_task(test_incorrect_user_id_type); + add_task(test_missing_user); + add_task(test_complete_account); + add_task(test_too_large_user_id); + add_task(test_excluding_unknown_transports); + add_task(test_unknown_attestation_type); + add_task(test_unknown_selection_criteria); + add_task(test_no_unexpected_extensions); + add_task(test_cred_props_with_rk_required); + add_task(test_cred_props_with_rk_discouraged); + + function arrivingHereIsGood(aResult) { + ok(true, "Good result! Received a: " + aResult); + return Promise.resolve(); + } + + function arrivingHereIsBad(aResult) { + ok(false, "Bad result! Received a: " + aResult); + return Promise.resolve(); + } + + function expectNotAllowedError(aResult) { + ok(aResult.toString().startsWith("NotAllowedError"), "Expecting a NotAllowedError"); + return Promise.resolve(); + } + + function expectTypeError(aResult) { + ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError"); + return Promise.resolve(); + } + + function expectNotSupportedError(aResult) { + ok(aResult.toString().startsWith("NotSupportedError"), "Expecting a NotSupportedError"); + return Promise.resolve(); + } + + // Test basic good call + async function test_good_call() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + // Test empty account + async function test_empty_account() { + let makeCredentialOptions = { + challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test without rp.name + async function test_without_rp_name() { + let rp1 = {id: document.domain}; + let makeCredentialOptions = { + rp: rp1, user, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test without user.id + async function test_without_user_id() { + let user1 = {name: "none", displayName: "none"}; + let makeCredentialOptions = { + rp, user: user1, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test without user.name + async function test_without_user_name() { + let user1 = {id: new Uint8Array(64), displayName: "none"}; + let makeCredentialOptions = { + rp, user: user1, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test without user.displayName + async function test_without_user_displayname() { + let user1 = {id: new Uint8Array(64), name: "none"}; + let makeCredentialOptions = { + rp, user: user1, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test with a user handle that exceeds the max length + async function test_user_too_large() { + let user1 = {id: new Uint8Array(65), name: "none", displayName: "none"}; + let makeCredentialOptions = { + rp, user: user1, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test without any parameters; this is acceptable meaning the RP ID is + // happy to accept either ECDSA-SHA256 or RSA-SHA256 + async function test_empty_parameters() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + // Test without a parameter array at all + async function test_without_parameters() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test with an unsupported parameter + // The result depends on the tokens that are available, so we + // expect a NotAllowedError so as not to leak this. + async function test_unsupported_parameter() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [unsupportedParam] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectNotAllowedError); + } + + // Test with an unsupported parameter and a good one + async function test_unsupported_but_one_param() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, + pubKeyCredParams: [param, unsupportedParam] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + // Test with one unknown (not "public-key") parameter. + async function test_one_unknown_parameter() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [unknownParam] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectNotSupportedError); + } + + // Test with an unsupported parameter, and an unknown one + // The result depends on the tokens that are available, so we + // expect a NotAllowedError so as not to leak this. + async function test_one_unknown_one_unsupported_param() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, + pubKeyCredParams: [unsupportedParam, unknownParam] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectNotAllowedError); + } + + // Test with an unsupported parameter, an unknown one, and a good one. This + // should succeed, as the unsupported and unknown should be ignored. + async function test_one_of_each_parameters() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, + pubKeyCredParams: [param, unsupportedParam, unknownParam] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + // Test without a challenge + async function test_without_challenge() { + let makeCredentialOptions = { + rp, user, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test with an invalid challenge + async function test_invalid_challenge() { + let makeCredentialOptions = { + rp, user, challenge: "begone, thou ill-fitting moist glove!", + pubKeyCredParams: [unsupportedParam] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test with duplicate pubKeyCredParams + async function test_duplicate_pub_key() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, + pubKeyCredParams: [param, param, param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + // Test with an RP ID that is not a valid domain string + async function test_invalid_rp_id() { + let rp1 = { id: document.domain + ":somejunk", name: "none"}; + let makeCredentialOptions = { + rp: rp1, user, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(arrivingHereIsGood); + } + + // Test with another RP ID that is not a valid domain string + async function test_invalid_rp_id_2() { + let rp1 = { id: document.domain + ":8888", name: "none"}; + let makeCredentialOptions = { + rp: rp1, user, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(arrivingHereIsGood); + } + + // Test with missing rp + async function test_missing_rp() { + let makeCredentialOptions = { + user, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test with incorrect user ID type + async function test_incorrect_user_id_type() { + let invalidType = {id: "a string, which is not a buffer", name: "none", displayName: "none"}; + let makeCredentialOptions = { + user: invalidType, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test with missing user + async function test_missing_user() { + let makeCredentialOptions = { + rp, challenge: gCredentialChallenge, pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test a complete account + async function test_complete_account() { + // the icon fields are deprecated, but including them should not cause an error + let completeRP = {id: document.domain, name: "Foxxy Name", + icon: "https://example.com/fox.svg"}; + let completeUser = {id: string2buffer("foxes_are_the_best@example.com"), + name: "Fox F. Foxington", + icon: "https://example.com/fox.svg", + displayName: "Foxxy V"}; + let makeCredentialOptions = { + rp: completeRP, user: completeUser, challenge: gCredentialChallenge, + pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + // Test with too-large user ID buffer + async function test_too_large_user_id() { + let hugeUser = {id: new Uint8Array(65), + name: "Fox F. Foxington", + displayName: "Foxxy V"}; + let makeCredentialOptions = { + rp, user: hugeUser, challenge: gCredentialChallenge, + pubKeyCredParams: [param] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsBad) + .catch(expectTypeError); + } + + // Test with excluding unknown transports + async function test_excluding_unknown_transports() { + let completeRP = {id: document.domain, name: "Foxxy Name"}; + let completeUser = {id: string2buffer("foxes_are_the_best@example.com"), + name: "Fox F. Foxington", + displayName: "Foxxy V"}; + let excludedUnknownTransport = {type: "public-key", + id: string2buffer("123"), + transports: ["unknown", "usb"]}; + let makeCredentialOptions = { + rp: completeRP, user: completeUser, challenge: gCredentialChallenge, + pubKeyCredParams: [param], excludeCredentials: [excludedUnknownTransport] + }; + return credm.create({publicKey: makeCredentialOptions}) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + async function test_unknown_attestation_type() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [param], + attestation: "unknown" + }; + return credm.create({publicKey: makeCredentialOptions }) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + async function test_unknown_selection_criteria() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [param], + authenticatorSelection: { + userVerificationRequirement: "unknown UV requirement", + authenticatorAttachment: "unknown authenticator attachment type" + }, + }; + return credm.create({publicKey: makeCredentialOptions }) + .then(arrivingHereIsGood) + .catch(arrivingHereIsBad); + } + + async function test_no_unexpected_extensions() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [param], + }; + let cred = await credm.create({publicKey: makeCredentialOptions}).catch(arrivingHereIsBad); + let extensionResults = cred.getClientExtensionResults(); + is(extensionResults.credProps, undefined, "no credProps output"); + } + + async function test_cred_props_with_rk_required() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [param], + authenticatorSelection: { + authenticatorAttachment: "cross-platform", + residentKey: "required", + }, + extensions: { credProps: true } + }; + let cred = await credm.create({publicKey: makeCredentialOptions}).catch(arrivingHereIsBad); + let extensionResults = cred.getClientExtensionResults(); + is(extensionResults.credProps?.rk, true, "rk is true"); + } + + async function test_cred_props_with_rk_discouraged() { + let makeCredentialOptions = { + rp, user, challenge: gCredentialChallenge, pubKeyCredParams: [param], + authenticatorSelection: { + authenticatorAttachment: "cross-platform", + residentKey: "discouraged", + }, + extensions: { credProps: true } + }; + let cred = await credm.create({publicKey: makeCredentialOptions}).catch(arrivingHereIsBad); + let extensionResults = cred.getClientExtensionResults(); + is(extensionResults.credProps?.rk, false, "rk is false"); + } + + </script> + +</body> +</html> |