Bug 1385008: WebAuthn CollectedClientData.Origin must be RP ID r=keeler
authorJ.C. Jones <jjones@mozilla.com>
Thu, 27 Jul 2017 10:27:53 -0700
changeset 422590 8791f4a87a60085300c38223908ae1b9e180ee8b
parent 422589 36f1cb0b2adb23227c9abf7cd7ec50f28b9c3899
child 422591 26a1cd534f5d537b18cbea48cb010ce6eebd2288
push id1517
push userjlorenzo@mozilla.com
push dateThu, 14 Sep 2017 16:50:54 +0000
treeherdermozilla-release@3b41fd564418 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1385008, 1384776
milestone56.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1385008: WebAuthn CollectedClientData.Origin must be RP ID r=keeler The WebAuthn WD-05 version of the specification defines the Origin field [1] of the CollectedClientData as being set to the RP ID [2][3]. Note there is some ambiguity in the specification, as [1] says CollectedClientData.Origin is the document's origin, while the algorithms [2] and [3] set it to RP ID. I'm going to stick with the algorithm's definition for this patch; it's simple to revert when we move to WD-06 (Bug 1384776). [1] https://www.w3.org/TR/webauthn/#dom-collectedclientdata-origin [2] https://www.w3.org/TR/webauthn/#createCredential [3] https://www.w3.org/TR/webauthn/#getAssertion MozReview-Commit-ID: LW918sIg5wH
dom/webauthn/WebAuthnManager.cpp
dom/webauthn/tests/test_webauthn_loopback.html
--- a/dom/webauthn/WebAuthnManager.cpp
+++ b/dom/webauthn/WebAuthnManager.cpp
@@ -430,18 +430,20 @@ WebAuthnManager::MakeCredential(nsPIDOMW
   // and compute the clientDataJSON and clientDataHash.
 
   CryptoBuffer challenge;
   if (!challenge.Assign(aOptions.mChallenge)) {
     promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
     return promise.forget();
   }
 
+  // WD-05 vs. WD-06: In WD-06, the first parameter should be "origin". Fix
+  // this in Bug 1384776
   nsAutoCString clientDataJSON;
-  srv = AssembleClientData(origin, challenge, clientDataJSON);
+  srv = AssembleClientData(NS_ConvertUTF8toUTF16(rpId), challenge, clientDataJSON);
   if (NS_WARN_IF(NS_FAILED(srv))) {
     promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
     return promise.forget();
   }
 
   CryptoBuffer clientDataHash;
   if (!clientDataHash.SetLength(SHA256_LENGTH, fallible)) {
     promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
@@ -583,17 +585,19 @@ WebAuthnManager::GetAssertion(nsPIDOMWin
   // the clientDataJSON and clientDataHash.
   CryptoBuffer challenge;
   if (!challenge.Assign(aOptions.mChallenge)) {
     promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
     return promise.forget();
   }
 
   nsAutoCString clientDataJSON;
-  srv = AssembleClientData(origin, challenge, clientDataJSON);
+  // WD-05 vs. WD-06: In WD-06, the first parameter should be "origin". Fix
+  // this in Bug 1384776
+  srv = AssembleClientData(NS_ConvertUTF8toUTF16(rpId), challenge, clientDataJSON);
   if (NS_WARN_IF(NS_FAILED(srv))) {
     promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
     return promise.forget();
   }
 
   CryptoBuffer clientDataHash;
   if (!clientDataHash.SetLength(SHA256_LENGTH, fallible)) {
     promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
--- a/dom/webauthn/tests/test_webauthn_loopback.html
+++ b/dom/webauthn/tests/test_webauthn_loopback.html
@@ -53,17 +53,19 @@ function() {
 
     is(aCredInfo.type, "public-key", "Credential type must be public-key")
 
     ok(aCredInfo.rawId.length > 0, "Key ID exists");
     is(aCredInfo.id, bytesToBase64UrlSafe(aCredInfo.rawId), "Encoded Key ID and Raw Key ID match");
 
     let clientData = JSON.parse(buffer2string(aCredInfo.response.clientDataJSON));
     is(clientData.challenge, bytesToBase64UrlSafe(gCredentialChallenge), "Challenge is correct");
-    is(clientData.origin, window.location.origin, "Origin is correct");
+    // WD-05 vs. WD-06: In WD-06, the second parameter should be "window.location.origin". Fix
+    // this in Bug 1384776
+    is(clientData.origin, document.domain, "Origin is correct");
     is(clientData.hashAlg, "S256", "Hash algorithm is correct");
 
     return webAuthnDecodeAttestation(aCredInfo.response.attestationObject.buffer)
     .then(function(decodedResult) {
       aCredInfo.clientDataObj = clientData;
       aCredInfo.publicKeyHandle = decodedResult.publicKeyHandle;
       aCredInfo.attestationObject = decodedResult.attestationObject;
       return aCredInfo;
@@ -84,17 +86,19 @@ function() {
     is(aAssertion.type, "public-key", "Credential type must be public-key")
 
     ok(aAssertion.rawId.length > 0, "Key ID exists");
     is(aAssertion.id, bytesToBase64UrlSafe(aAssertion.rawId), "Encoded Key ID and Raw Key ID match");
 
     ok(aAssertion.response.authenticatorData.length > 0, "Authenticator data exists");
     let clientData = JSON.parse(buffer2string(aAssertion.response.clientDataJSON));
     is(clientData.challenge, bytesToBase64UrlSafe(gAssertionChallenge), "Challenge is correct");
-    is(clientData.origin, window.location.origin, "Origin is correct");
+    // WD-05 vs. WD-06: In WD-06, the second parameter should be "window.location.origin". Fix
+    // this in Bug 1384776
+    is(clientData.origin, document.domain, "Origin is correct");
     is(clientData.hashAlg, "S256", "Hash algorithm is correct");
 
     // Parse the signature data
     if (aAssertion.response.signature[0] != 0x01) {
       throw "User presence byte not set";
     }
     let presenceAndCounter = aAssertion.response.signature.slice(0,5);
     let signatureValue = aAssertion.response.signature.slice(5);