Skip to content

[WebAuthn] Always include pinAuth if we have it #47161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 26, 2025
Merged

[WebAuthn] Always include pinAuth if we have it #47161

merged 1 commit into from
Jun 26, 2025
+4 −1

Conversation

pascoej
Copy link
Member

@pascoej pascoej commented Jun 25, 2025
edited by webkit-early-warning-system
Loading

adb5969

[WebAuthn] Always include pinAuth if we have it
rdar://154214974
https://bugs.webkit.org/show_bug.cgi?id=294950

Reviewed by Charlie Wolfe.

In https://bugs.webkit.org/show_bug.cgi?id=293805, we introduced credential preflight for
getAssertion to avoid hitting maxMsgSize. However, whenever a key requires a pin, we do not
pass the pinAuth for the first silent assertion, which causes issues with some keys.

This patch starts to pass the pinAuth in this case, fixing the issue.

* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::getAssertion):

Canonical link: https://commits.webkit.org/296675@main

7b59a64

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ❌ 🧪 api-gtk
🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 🧪 unsafe-merge ✅ 🛠 tv ✅ 🛠 mac-safer-cpp
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@pascoej pascoej requested a review from cdumez as a code owner June 25, 2025 04:04
@pascoej pascoej self-assigned this Jun 25, 2025
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Jun 25, 2025
edited
Loading

EWS run on current version of this PR (hash 7b59a64)

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ❌ 🧪 api-gtk
🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 🧪 unsafe-merge ✅ 🛠 tv ✅ 🛠 mac-safer-cpp
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@pascoej pascoej requested a review from brentfulgham June 25, 2025 04:04
aprotyas
aprotyas reviewed Jun 25, 2025
View reviewed changes
Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
Vector<uint8_t> cborCmd = encodeSilentGetAssertion(options.rpId, requestData().hash, m_batches[m_currentBatch], std::nullopt);
std::optional<PinParameters> pinParameters;
if (!m_pinAuth.isEmpty())
pinParameters = PinParameters { pin::kProtocolVersion, m_pinAuth };
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, to benefit from in-place construction

Suggested change
pinParameters = PinParameters { pin::kProtocolVersion, m_pinAuth };
pinParameters.emplace(pin::kProtocolVersion, m_pinAuth);

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will do this before landing, but I am opting not to use EWS resources on it now.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually going to do this in a separate change to be safe: https://bugs.webkit.org/show_bug.cgi?id=295045

@pascoej pascoej added merge-queue Applied to send a pull request to merge-queue unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing and removed merge-queue Applied to send a pull request to merge-queue labels Jun 26, 2025
@pascoej
[WebAuthn] Always include pinAuth if we have it
adb5969 
rdar://154214974
https://bugs.webkit.org/show_bug.cgi?id=294950

Reviewed by Charlie Wolfe.

In https://bugs.webkit.org/show_bug.cgi?id=293805, we introduced credential preflight for
getAssertion to avoid hitting maxMsgSize. However, whenever a key requires a pin, we do not
pass the pinAuth for the first silent assertion, which causes issues with some keys.

This patch starts to pass the pinAuth in this case, fixing the issue.

* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::getAssertion):

Canonical link: https://commits.webkit.org/296675@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/WebAuthn-Always-include-pinAuth-if-we-have-it branch from 7b59a64 to adb5969 Compare June 26, 2025 18:25
@webkit-commit-queue
Copy link
Collaborator

Committed 296675@main (adb5969): https://commits.webkit.org/296675@main

Reviewed commits have been landed. Closing PR #47161 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit adb5969 into WebKit:main Jun 26, 2025
@webkit-commit-queue webkit-commit-queue removed the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Jun 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aprotyas aprotyas aprotyas left review comments

@charliewolfe charliewolfe charliewolfe approved these changes

@cdumez cdumez Awaiting requested review from cdumez cdumez is a code owner

@brentfulgham brentfulgham Awaiting requested review from brentfulgham

Assignees

@pascoej pascoej

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pascoej @webkit-early-warning-system @webkit-commit-queue @aprotyas @charliewolfe