[webkit-changes] [WebKit/WebKit] a305a4: [WebAuthn] Implement PRF extension + hmac-secret

Tue, 02 Dec 2025 12:29:02 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a305a458493c0d4b7835f5fee17cc70295221d38
      
https://github.com/WebKit/WebKit/commit/a305a458493c0d4b7835f5fee17cc70295221d38
  Author: Pascoe <[email protected]>
  Date:   2025-11-21 (Fri, 21 Nov 2025)

  Changed paths:
    M 
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt
    M 
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html
    M 
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https-expected.txt
    M 
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html
    M LayoutTests/http/wpt/webauthn/resources/util.js
    M Source/WebCore/Modules/webauthn/AuthenticatorAssertionResponse.cpp
    M Source/WebCore/Modules/webauthn/AuthenticatorAssertionResponse.h
    M Source/WebCore/Modules/webauthn/AuthenticatorAttestationResponse.cpp
    M Source/WebCore/Modules/webauthn/AuthenticatorAttestationResponse.h
    M Source/WebCore/Modules/webauthn/AuthenticatorResponse.cpp
    M Source/WebCore/Modules/webauthn/WebAuthenticationConstants.h
    M Source/WebCore/Modules/webauthn/cbor/CBORReader.cpp
    M Source/WebCore/Modules/webauthn/cbor/CBORReader.h
    M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp
    M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h
    M Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp
    M Source/WebCore/Modules/webauthn/fido/FidoConstants.h
    M Source/WebCore/Modules/webauthn/fido/Pin.cpp
    M Source/WebCore/Modules/webauthn/fido/Pin.h
    M 
Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientInputs.h
    M 
Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientInputs.mm
    M 
Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientOutputs.h
    M 
Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientOutputs.mm
    M 
Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientOutputsInternal.h
    M Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm
    M 
Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesForwardDeclarations.h
    M 
Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm
    M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
    M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h
    M Tools/TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp
    M Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp
    M Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp
    M Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h

  Log Message:
  -----------
  [WebAuthn] Implement PRF extension + hmac-secret
rdar://113572812
https://bugs.webkit.org/show_bug.cgi?id=259934

Reviewed by Brent Fulgham.

Implements the PRF extension for WebAuthn to enable deriving cryptographic
secrets from credentials. The prf extension maps to the CTAP hmac-secret
extension, supporting both credential creation and authentication flows with
salt evaluation. This enables use cases like credential-bound encrypted
storage.

Tests: Tools/TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp
       Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp
       Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp
       Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h

* 
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt:
* 
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
* 
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https-expected.txt:
* 
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
* LayoutTests/http/wpt/webauthn/resources/util.js:
* Source/WebCore/Modules/webauthn/AuthenticatorAssertionResponse.cpp:
(WebCore::AuthenticatorAssertionResponse::create):
* Source/WebCore/Modules/webauthn/AuthenticatorAssertionResponse.h:
* Source/WebCore/Modules/webauthn/AuthenticatorAttestationResponse.cpp:
(WebCore::AuthenticatorAttestationResponse::create):
* Source/WebCore/Modules/webauthn/AuthenticatorAttestationResponse.h:
* Source/WebCore/Modules/webauthn/AuthenticatorResponse.cpp:
(WebCore::AuthenticatorResponse::extensions const):
* Source/WebCore/Modules/webauthn/cbor/CBORReader.cpp:
(cbor::CBORReader::readWithBytesConsumed):
* Source/WebCore/Modules/webauthn/cbor/CBORReader.h:
* Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp:
(fido::encodeMakeCredentialRequestAsCBOR):
(fido::encodeGetAssertionRequestAsCBOR):
* Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h:
* Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp:
(fido::parseAuthenticatorDataExtensions):
(fido::readCTAPMakeCredentialResponse):
(fido::readCTAPGetAssertionResponse):
* Source/WebCore/Modules/webauthn/fido/FidoConstants.h:
* Source/WebCore/Modules/webauthn/fido/Pin.cpp:
(fido::pin::decryptForProtocol):
(fido::pin::TokenResponse::parse):
(fido::pin::HmacSecretRequest::HmacSecretRequest):
(fido::pin::HmacSecretRequest::create):
(fido::pin::HmacSecretResponse::HmacSecretResponse):
(fido::pin::HmacSecretResponse::parse):
(fido::pin::HmacSecretResponse::output const):
* Source/WebCore/Modules/webauthn/fido/Pin.h:
(fido::pin::HmacSecretRequest::sharedKey const):
(fido::pin::HmacSecretRequest::coseKey const):
(fido::pin::HmacSecretRequest::saltEnc const):
(fido::pin::HmacSecretRequest::saltAuth const):
(fido::pin::HmacSecretRequest::protocol const):
* Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientInputs.h:
* Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientInputs.mm:
(-[_WKAuthenticationExtensionsClientInputs dealloc]):
* Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientOutputs.h:
* Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientOutputs.mm:
(-[_WKAuthenticationExtensionsClientOutputs initWithAppid:]):
(-[_WKAuthenticationExtensionsClientOutputs 
initWithAppid:prfEnabled:prfFirst:prfSecond:]):
(-[_WKAuthenticationExtensionsClientOutputs prfFirst]):
(-[_WKAuthenticationExtensionsClientOutputs prfSecond]):
* 
Source/WebKit/UIProcess/API/Cocoa/_WKAuthenticationExtensionsClientOutputsInternal.h:
* Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
(authenticationExtensionsClientInputs):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::continueMakeCredentialAfterCheckExcludedCredentials):
(WebKit::CtapAuthenticator::continueGetAssertionAfterCheckAllowCredentials):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:
* Tools/TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp:
(TestWebKitAPI::TEST(CtapPinTest, TestHmacSecretRequestCreate)):
(TestWebKitAPI::TEST(CtapPinTest, TestHmacSecretRequestInvalidSalts)):
(TestWebKitAPI::TEST(CtapPinTest, TestHmacSecretResponseRoundTrip)):
(TestWebKitAPI::TEST(CtapPinTest, TestHmacSecretResponseInvalidSize)):
* Tools/TestWebKitAPI/Tests/WebCore/CtapRequestTest.cpp:
(TestWebKitAPI::TEST(CTAPRequestTest, 
TestConstructMakeCredentialRequestWithHmacSecret)):
(TestWebKitAPI::TEST(CTAPRequestTest, 
TestConstructGetAssertionRequestWithHmacSecret)):
* Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp:
(TestWebKitAPI::TEST(CTAPResponseTest, 
TestReadMakeCredentialResponseWithHmacSecret)):
(TestWebKitAPI::TEST(CTAPResponseTest, 
TestReadGetAssertionResponseWithHmacSecret)):
(TestWebKitAPI::TEST(CTAPResponseTest, 
TestReadGetAssertionResponseWithHmacSecret64)):
* Tools/TestWebKitAPI/Tests/WebCore/FidoTestData.h:
(TestWebKitAPI::TestData::std::to_array<uint8_t>):

Canonical link: https://commits.webkit.org/303406@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to