Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cdd711f31c78da207d5978a9dd7a1b6a5dc06dba
https://github.com/WebKit/WebKit/commit/cdd711f31c78da207d5978a9dd7a1b6a5dc06dba
Author: Chris Dumez <[email protected]>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
A LayoutTests/http/wpt/webauthn/public-key-credential-create-success-ccid-legacy-u2f.https-expected.txt
A LayoutTests/http/wpt/webauthn/public-key-credential-create-success-ccid-legacy-u2f.https.html
M LayoutTests/http/wpt/webauthn/resources/util.js
M Source/WebCore/testing/MockWebAuthenticationConfiguration.h
M Source/WebCore/testing/MockWebAuthenticationConfiguration.idl
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
M Source/WebKit/UIProcess/WebAuthentication/Cocoa/CcidConnection.mm
M Source/WebKit/UIProcess/WebAuthentication/Mock/MockCcidService.h
M Source/WebKit/UIProcess/WebAuthentication/Mock/MockCcidService.mm
Log Message:
-----------
REGRESSION(259426@main): [WebAuthn] CcidConnection fails to detect legacy
U2F-only keys because the applet-selection fallback sends the wrong command
https://bugs.webkit.org/show_bug.cgi?id=316758
Reviewed by Pascoe.
Some legacy U2F-only contactless keys do not understand the FIDO applet
selection command and are configured to only have the FIDO applet. To detect
these, CcidConnection::trySelectFidoApplet() is supposed to fall back to the
U2F_VERSION command when applet selection fails -- which is what the NFC path
(NfcConnection.mm) does. Instead, the fallback re-sends
kCtapNfcAppletSelectionCommand,
the same command that just failed, so these keys are never detected over CCID.
This is a regression from 259426@main (cef8b0cbe101), which refactored
trySelectFidoApplet() from direct -[TKSmartCard transmitRequest:] calls to the
transact() helper. That change was about session management, but in the rewrite
the fallback's command was changed from kCtapNfcU2fVersionCommand to
kCtapNfcAppletSelectionCommand. As originally shipped in 252425@main
(c0f5fc64aac3), the fallback correctly sent kCtapNfcU2fVersionCommand.
The fix is confirmed correct on several independent grounds:
- The fallback's success check is unchanged: it compares the response against
kCtapNfcAppletSelectionU2f, i.e. the ASCII bytes "U2F_V2" followed by APDU
status word 0x9000. Per the FIDO U2F Raw Message Formats spec (section 6.1,
"GetVersion Request and Response - U2F_VERSION"), that is exactly the response
a U2F token returns to the U2F_VERSION command (CLA=00 INS=03 P1=00 P2=00
Le=00, which is kCtapNfcU2fVersionCommand). A SELECT-by-AID cannot produce
that response, so the command and the response-check only correspond for
U2F_VERSION.
- Re-sending the applet-selection command (the regressed behavior) is dead code:
the first attempt already rejected that response, and a smart card is
deterministic, so the identical second command can never match.
Send kCtapNfcU2fVersionCommand on the fallback, matching the originally shipped
behavior and the NFC implementation.
To make this testable, the mock CCID authenticator is taught to answer based on
the transmitted command. Previously _WKMockTKSmartCard returned scripted
payloads strictly in sequence and ignored the request bytes, so the regressed
and fixed fallbacks were indistinguishable. Two optional fields,
appletSelectionResponseBase64 and u2fVersionResponseBase64, let a test model a
legacy U2F-only key: applet selection is answered with a non-match (forcing the
fallback) and U2F_VERSION with the U2F version response. When unset, the mock
keeps its previous sequential behavior, so existing tests are unaffected. The
new regression test connects (create() succeeds) only when the fallback sends
the correct command; with the bug the tag never connects and the request times
out.
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/CcidConnection.mm:
(WebKit::CcidConnection::trySelectFidoApplet): Send kCtapNfcU2fVersionCommand on
the applet-selection fallback instead of re-sending
kCtapNfcAppletSelectionCommand.
* Source/WebCore/testing/MockWebAuthenticationConfiguration.h:
* Source/WebCore/testing/MockWebAuthenticationConfiguration.idl:
Add appletSelectionResponseBase64 and u2fVersionResponseBase64 to the mock CCID
configuration.
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Serialize the new fields.
* Source/WebKit/UIProcess/WebAuthentication/Mock/MockCcidService.h:
* Source/WebKit/UIProcess/WebAuthentication/Mock/MockCcidService.mm:
(-[_WKMockTKSmartCard transmitRequest:reply:]):
(WebKit::dataFromBase64):
(WebKit::MockCcidService::nextReply): Answer the applet-selection and U2F_VERSION
commands specifically when configured, falling through to the sequential
payloads otherwise.
* LayoutTests/http/wpt/webauthn/resources/util.js:
Add testCcidUnknownInsBase64 (APDU 0x6D00, a non-match).
* LayoutTests/http/wpt/webauthn/public-key-credential-create-success-ccid-legacy-u2f.https.html:
Added.
* LayoutTests/http/wpt/webauthn/public-key-credential-create-success-ccid-legacy-u2f.https-expected.txt:
Added.
Canonical link: https://commits.webkit.org/314961@main
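An added, self-contained model of the applet-selection fallback this commit fixes; it is not WebKit's code. It assumes the FIDO applet AID from the CTAP NFC spec for the SELECT command (the page does not quote it) and simplifies the first attempt's success check to the same "U2F_V2" comparison the fallback uses. The two mocks mirror the commit message's point: a request-aware mock distinguishes the regressed fallback from the fixed one, while a purely sequential mock cannot.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <vector>

using Apdu = std::vector<uint8_t>;
using Card = std::function<Apdu(const Apdu&)>; // transmit one command, receive one response

// SELECT by AID for the FIDO applet (AID assumed from the CTAP NFC spec, not from the page).
const Apdu kAppletSelectionCommand = { 0x00, 0xA4, 0x04, 0x00, 0x08,
                                       0xA0, 0x00, 0x00, 0x06, 0x47, 0x2F, 0x00, 0x01 };
// U2F_VERSION: CLA=00 INS=03 P1=00 P2=00 Le=00, as stated in the commit message.
const Apdu kU2fVersionCommand = { 0x00, 0x03, 0x00, 0x00, 0x00 };
// "U2F_V2" followed by status word 0x9000: the only response the fallback accepts.
const Apdu kAppletSelectionU2f = { 'U', '2', 'F', '_', 'V', '2', 0x90, 0x00 };
// 0x6D00 (INS not supported): the non-match the new layout test feeds to applet selection.
const Apdu kUnknownIns = { 0x6D, 0x00 };

// Mock that, like the fixed _WKMockTKSmartCard, answers according to the request bytes:
// a legacy U2F-only key rejects SELECT and only understands U2F_VERSION.
Card makeLegacyU2fOnlyKey() {
    return [](const Apdu& request) {
        return request == kU2fVersionCommand ? kAppletSelectionU2f : kUnknownIns;
    };
}

// Mock that, like the old one, replays scripted payloads in order and ignores the request.
Card makeSequentialMock(std::vector<Apdu> scripted) {
    auto index = std::make_shared<size_t>(0);
    return [scripted, index](const Apdu&) {
        return *index < scripted.size() ? scripted[(*index)++] : kUnknownIns;
    };
}

enum class Fallback { U2fVersion /* fixed */, AppletSelection /* regressed */ };

// Simplified model of CcidConnection::trySelectFidoApplet(): try SELECT, then fall back.
// Returns true when the key is detected.
bool trySelectFidoApplet(const Card& card, Fallback fallback) {
    if (card(kAppletSelectionCommand) == kAppletSelectionU2f)
        return true;
    const Apdu& retry = fallback == Fallback::U2fVersion ? kU2fVersionCommand
                                                         : kAppletSelectionCommand;
    // A smart card is deterministic: re-sending SELECT can only repeat the rejected answer.
    return card(retry) == kAppletSelectionU2f;
}
```

Against the request-aware mock only the fixed fallback detects the key; against the sequential mock both variants "succeed", which is why the old mock could not catch the regression.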