1428916 - Web Authentication - Support Attestation Conveyance

Status: RESOLVED FIXED

(Core :: DOM: Device Interfaces, enhancement, P1)

Description

[J.C. Jones [:jcj] (he/they)]

WebAuthn now has an enumeration to indicate whether to request direct, indirect, or no attestation. This would indicate whether the RP feels they require the raw attestation certificate from the security token.

If they don't specify "direct", we should always take the path provided in Bug 1416056. (We have no plans to support "indirect" at this time.)

If they do specify "direct", then we should obey the preference from Bug 1416056. This enumeration is only advisory in nature, so if we disobey and replace the attestation cert anyway, the worst that can happen is the RP rejects it.

[1] https://www.w3.org/TR/webauthn/#attestation-convey

Comment 1

[J.C. Jones [:jcj] (he/they)]

Update:

Until Bug 1430150 lands, we should always follow the anonymization path in Bug 1416056. No need for a preference.

Comment 2

[J.C. Jones [:jcj] (he/they)]

Doesn't really depend on Bug 1416056... I'll have a patch up shortly.

Comment 3

[J.C. Jones [:jcj] (he/they)]

Attachment: Bug 1428916 - WebAuthn: Draft Attestation Preference

The WebAuthn spec lets RPs ask to specifically get direct attestation certificates
during credential creation using the "Attestation Conveyance Preference" [1].

This change adds that field into the WebIDL and ignores it for now. This is
pre-work to Bug #1430150 which will make this useful (which in turn requires
Bug #1416056's support for anonymizing those attestation certificates).

[1] https://www.w3.org/TR/webauthn/#attestation-convey

Review commit: https://reviewboard.mozilla.org/r/215002/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/215002/

Comment 4

[Olli Pettay [:smaug][bugs@pettay.fi]]

Comment on attachment 8944841 [details]
Bug 1428916 - WebAuthn: Draft Attestation Preference

https://reviewboard.mozilla.org/r/215002/#review220638

r+ for the .webidl

::: dom/webauthn/WebAuthnManager.cpp:383
(Diff revision 1)
>    // TODO: Add extension list building
>    nsTArray<WebAuthnExtension> extensions;
>  
>    const auto& selection = aOptions.mAuthenticatorSelection;
>    const auto& attachment = selection.mAuthenticatorAttachment;
> +  const auto& attestation = aOptions.mAttestation;

FWIW, I'd prefer to not use auto here, since the type of the variable isn't clear to the reader here.

Comment 5

[J.C. Jones [:jcj] (he/they)]

Comment on attachment 8944841 [details]
Bug 1428916 - WebAuthn: Draft Attestation Preference

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/215002/diff/1-2/

Comment 6

[Tim Taubert [:ttaubert] (inactive)]

Comment on attachment 8944841 [details]
Bug 1428916 - WebAuthn: Draft Attestation Preference

https://reviewboard.mozilla.org/r/215002/#review220666

Comment 7

[J.C. Jones [:jcj] (he/they)]

Comment on attachment 8944841 [details]
Bug 1428916 - WebAuthn: Draft Attestation Preference

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/215002/diff/2-3/

Comment 8

[J.C. Jones [:jcj] (he/they)]

Try is good: https://treeherder.mozilla.org/#/jobs?repo=try&revision=3e920d62e99b

Checkin-needed; thanks Olli & Tim!

Comment 9

[Pulsebot]

Pushed by mozilla@noorenberghe.ca:
https://hg.mozilla.org/integration/autoland/rev/c2e41df3f41f
WebAuthn: Draft Attestation Preference r=smaug,ttaubert

Comment 10

[Eliza Balazs [:ebalazs_]]

https://hg.mozilla.org/mozilla-central/rev/c2e41df3f41f