Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fb4149ed5439527c905c46ee3ec16f9421c0a7ef
https://github.com/WebKit/WebKit/commit/fb4149ed5439527c905c46ee3ec16f9421c0a7ef
Author: Pascoe <[email protected]>
Date: 2025-11-04 (Tue, 04 Nov 2025)
Changed paths:
M LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html
M Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.cpp
M Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.h
M Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp
M Source/WebCore/Modules/webauthn/fido/FidoConstants.h
M Source/WebCore/Modules/webauthn/fido/Pin.cpp
M Source/WebCore/Modules/webauthn/fido/Pin.h
M Source/WebCore/crypto/algorithms/CryptoAlgorithmHKDF.cpp
M Source/WebCore/crypto/algorithms/CryptoAlgorithmHKDF.h
M Source/WebCore/testing/MockWebAuthenticationConfiguration.h
M Source/WebCore/testing/MockWebAuthenticationConfiguration.idl
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
M Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h
M Tools/TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp
M Tools/TestWebKitAPI/Tests/WebCore/CtapResponseTest.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm
Log Message:
-----------
[WebAuthn] Pin Protocol 2 support
rdar://157884782
https://bugs.webkit.org/show_bug.cgi?id=301922
Reviewed by Brent Fulgham.
Add support for CTAP PIN/UV Auth Protocol 2, which uses HKDF-SHA-256
for key derivation instead of SHA-256. This is required for FIPS
certification of authenticators per the CTAP 2.1 specification. Currently
these authenticators will not work over NFC.
The implementation:
- Uses HKDF to derive separate 32-byte HMAC and AES keys (Protocol 2)
vs. SHA-256 for a single 32-byte key (Protocol 1)
- Encodes the selected protocol in authenticatorClientPIN commands
- Selects Protocol 2 when authenticator reports support for both
This also corrects Protocol 1 pinAuth to return 16 bytes instead of
32 bytes per spec. I updated CtapPinTest expectations for new behavior.
Spec:
https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#pinProto2
Tests: Tools/TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp
Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm
* LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
* Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp:
(fido::readCTAPGetInfoResponse):
* Source/WebCore/Modules/webauthn/fido/FidoConstants.h:
* Source/WebCore/Modules/webauthn/fido/Pin.cpp:
(fido::pin::encodePinCommand):
(fido::pin::encodeAsCBOR):
(fido::pin::deriveProtocolSharedSecret):
(fido::pin::TokenRequest::tryCreate):
(fido::pin::TokenRequest::TokenRequest):
(fido::pin::SetPinRequest::SetPinRequest):
(fido::pin::SetPinRequest::tryCreate):
* Source/WebCore/Modules/webauthn/fido/Pin.h:
* Source/WebCore/crypto/algorithms/CryptoAlgorithmHKDF.cpp:
(WebCore::CryptoAlgorithmHKDF::deriveBits):
* Source/WebCore/crypto/algorithms/CryptoAlgorithmHKDF.h:
* Source/WebCore/testing/MockWebAuthenticationConfiguration.h:
* Source/WebCore/testing/MockWebAuthenticationConfiguration.idl:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:
(WebKit::MockHidConnection::feedReports):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::continueSilentlyCheckCredentials):
(WebKit::CtapAuthenticator::continueMakeCredentialAfterCheckExcludedCredentials):
(WebKit::CtapAuthenticator::getAssertion):
(WebKit::CtapAuthenticator::continueGetAssertionAfterCheckAllowCredentials):
(WebKit::CtapAuthenticator::continueGetPinTokenAfterRequestPin):
(WebKit::CtapAuthenticator::selectPinProtocol const):
(WebKit::CtapAuthenticator::continueSetupPinAfterCommand):
(WebKit::CtapAuthenticator::continueSetupPinAfterGetKeyAgreement):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:
* Tools/TestWebKitAPI/Tests/WebCore/CtapPinTest.cpp:
(TestWebKitAPI::TEST(CtapPinTest, TestSetPinRequest)):
(TestWebKitAPI::TEST(CtapPinTest, TestTokenRequest)):
(TestWebKitAPI::TEST(CtapPinTest, TestSetPinRequestProtocol2)):
(TestWebKitAPI::TEST(CtapPinTest, TestTokenRequestProtocol2)):
(TestWebKitAPI::TEST(CtapPinTest, TestProtocol2HKDFKeyDerivation)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
(TestWebKitAPI::TEST(WebAuthenticationPanel, MakeCredentialPinProtocol2)):
(TestWebKitAPI::TEST(WebAuthenticationPanel, GetAssertionPinProtocol2)):
Canonical link: https://commits.webkit.org/302574@main
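As an added example (not WebKit's code), the shared-secret derivation and pinUvAuthParam computation for both PIN/UV auth protocols as specified in the linked CTAP 2.1 section, in stdlib-only Python. The ECDH x-coordinate `z` is a constructed sample, and `select_pin_protocol` is a hypothetical helper mirroring the commit's stated preference for Protocol 2.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def protocol1_kdf(z: bytes) -> bytes:
    """Protocol 1: one 32-byte key, SHA-256 of the ECDH shared point x-coordinate."""
    return hashlib.sha256(z).digest()

def protocol2_kdf(z: bytes) -> bytes:
    """Protocol 2: HKDF-SHA-256 with a 32-byte zero salt, yielding two separate
    32-byte keys (HMAC key || AES key) separated by the info string."""
    salt = bytes(32)
    return (hkdf_sha256(z, salt, b"CTAP2 HMAC key", 32)
            + hkdf_sha256(z, salt, b"CTAP2 AES key", 32))

def pin_auth(protocol: int, shared_secret: bytes, message: bytes) -> bytes:
    """pinUvAuthParam: Protocol 1 truncates HMAC-SHA-256 to 16 bytes; Protocol 2
    returns the full 32 bytes and keys the HMAC with only the HMAC half."""
    if protocol == 1:
        return hmac.new(shared_secret, message, hashlib.sha256).digest()[:16]
    if protocol == 2:
        return hmac.new(shared_secret[:32], message, hashlib.sha256).digest()
    raise ValueError("unsupported pinUvAuthProtocol")

def select_pin_protocol(authenticator_protocols) -> int:
    """Prefer Protocol 2 when the authenticator's getInfo advertises it."""
    return 2 if 2 in authenticator_protocols else 1

if __name__ == "__main__":
    z = bytes(range(32))  # constructed sample x-coordinate, not a real ECDH output
    msg = b"clientDataHash-placeholder"
    for proto in (1, 2):
        key = protocol1_kdf(z) if proto == 1 else protocol2_kdf(z)
        print(proto, len(key), pin_auth(proto, key, msg).hex())
```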