1458755 - Web Authentication - Copy flag bits 0 & 1 for Sign operations

Status: RESOLVED FIXED

(Core :: DOM: Device Interfaces, enhancement, P3)

Description

[J.C. Jones [:jcj] (he/him)]

WebAuthn's sign method hard-codes the flags in-use to be "user present" (FLAG_TUP) [1] for the data returning to the RP.

We should really be copying that from the "flags" field coming out of U2FDecomposeSignResponse, but only after masking off the relevant bits. 

Per [2], the relevant bit is 0. However, it turns out RFU1 (bit 1) also is relevant for legacy devices, per discussions at FIDO [4] and imminent discussions at WebAuthn.


[1] https://searchfox.org/mozilla-central/rev/ce9ff94ffed34dc17ec0bfa406156d489eaa8ee1/dom/webauthn/WebAuthnManager.cpp#846
[2] https://w3c.github.io/webauthn/#sec-authenticator-data
[3] https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#authentication-response-message-success
[4] https://github.com/fido-alliance/fido-2-specs/pull/519/files

Comment 1

[Phabricator Automation]

Attachment: Bug 1458755 - Web Authentication - Copy flag bits 0 & 1 for Sign operations r=jcj

Comment 2

[Phabricator Automation]

Comment on attachment 8972807 [details]
Bug 1458755 - Web Authentication - Copy flag bits 0 & 1 for Sign operations r=jcj

J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D1114

Comment 3

[Pulsebot]

Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/75cde3db733a
Web Authentication - Copy flag bits 0 & 1 for Sign operations r=jcj

Comment 4

[Raul Gurzau (:RaulG)]

https://hg.mozilla.org/mozilla-central/rev/75cde3db733a

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Is this OK riding the 62 train?

Comment 6

[J.C. Jones [:jcj] (he/him)]

I don't feel it's urgent to uplift to 61. It'll be more important when we support CTAP2 devices, which isn't yet scheduled.