Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: win10_2009 OR win11_2009
- Manifest: dom/webauthn/tests/mochitest.toml
<!DOCTYPE html>
<meta charset=utf-8>
<head>
<title>W3C Web Authentication - Attestation Conveyance</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<script type="text/javascript" src="u2futil.js"></script>
<script type="text/javascript" src="pkijs/common.js"></script>
<script type="text/javascript" src="pkijs/asn1.js"></script>
<script type="text/javascript" src="pkijs/x509_schema.js"></script>
<script type="text/javascript" src="pkijs/x509_simpl.js"></script>
<script type="text/javascript" src="cbor.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<h1>W3C Web Authentication - Attestation Conveyance</h1>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1428916">Mozilla Bug 1428916</a>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1416056">Mozilla Bug 1416056</a>
<script class="testbody" type="text/javascript">
"use strict";
add_task(async () => {
await SpecialPowers.pushPrefEnv({"set": [
["security.webauth.webauthn_testing_allow_direct_attestation", true],
]});
await addVirtualAuthenticator();
});
function verifyAnonymizedCertificate(aResult) {
return webAuthnDecodeCBORAttestation(aResult.response.attestationObject)
.then(({fmt, attStmt}) => {
is(fmt, "none", "Is a None Attestation");
is(typeof(attStmt), "object", "attStmt is a map");
is(Object.keys(attStmt).length, 0, "attStmt is empty");
});
}
async function verifyDirectCertificate(aResult) {
let clientDataHash = await crypto.subtle.digest("SHA-256", aResult.response.clientDataJSON)
.then(digest => new Uint8Array(digest));
let {fmt, attStmt, authData, authDataObj} = await webAuthnDecodeCBORAttestation(aResult.response.attestationObject);
is(fmt, "packed", "Is a Packed Attestation");
let signedData = new Uint8Array(authData.length + clientDataHash.length);
signedData.set(authData);
signedData.set(clientDataHash, authData.length);
let valid = await verifySignature(authDataObj.publicKeyHandle, signedData, new Uint8Array(attStmt.sig));
ok(valid, "Signature is valid.");
}
function arrivingHereIsBad(aResult) {
ok(false, "Bad result! Received a: " + aResult);
}
function expectTypeError(aResult) {
ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError, got " + aResult);
}
// Start a new MakeCredential() request.
function requestMakeCredential(attestation) {
let publicKey = {
rp: {id: document.domain, name: "none"},
user: {id: new Uint8Array(), name: "none", displayName: "none"},
challenge: crypto.getRandomValues(new Uint8Array(16)),
timeout: 5000, // the minimum timeout is actually 15 seconds
pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],
attestation,
};
return navigator.credentials.create({publicKey});
}
// Test success cases for make credential.
add_task(async function test_make_credential_success () {
// No selection criteria should be equal to none, which means anonymized
await requestMakeCredential()
.then(verifyAnonymizedCertificate)
.catch(arrivingHereIsBad);
// Request an unknown attestation type. This should be treated as "none".
await requestMakeCredential("unknown")
.then(verifyAnonymizedCertificate)
.catch(arrivingHereIsBad);
// Request no attestation.
await requestMakeCredential("none")
.then(verifyAnonymizedCertificate)
.catch(arrivingHereIsBad);
// Request indirect attestation, which is the same as direct.
await requestMakeCredential("indirect")
.then(verifyDirectCertificate)
.catch(arrivingHereIsBad);
// Request direct attestation, which will prompt for user intervention.
await requestMakeCredential("direct")
.then(verifyDirectCertificate)
.catch(arrivingHereIsBad);
});
</script>
</body>
</html>