Closed
Bug 1458755
Opened 6 years ago
Closed 6 years ago
Web Authentication - Copy flag bits 0 & 1 for Sign operations
Categories
(Core :: DOM: Device Interfaces, enhancement, P3)
Tracking
()
RESOLVED
FIXED
mozilla62
People
(Reporter: jcj, Assigned: ttaubert)
Details
(Whiteboard: [webauthn][webauthn-interop])
Attachments
(1 file)
WebAuthn's sign method hard-codes the flags in-use to be "user present" (FLAG_TUP) [1] for the data returning to the RP. We should really be copying that from the "flags" field coming out of U2FDecomposeSignResponse, but only after masking off the relevant bits. Per [2], the relevant bit is 0. However, it turns out RFU1 (bit 1) also is relevant for legacy devices, per discussions at FIDO [4] and imminent discussions at WebAuthn.

[1] https://searchfox.org/mozilla-central/rev/ce9ff94ffed34dc17ec0bfa406156d489eaa8ee1/dom/webauthn/WebAuthnManager.cpp#846
[2] https://w3c.github.io/webauthn/#sec-authenticator-data
[3] https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#authentication-response-message-success
[4] https://github.com/fido-alliance/fido-2-specs/pull/519/files
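The masking this report asks for, as an added example (not the Firefox patch and not code from this bug): it splits a U2F authentication response into flags, counter and signature, then builds the assertion's authenticator data copying only bits 0 and 1 of the flags byte. All function and constant names are hypothetical, and the sample bytes are constructed.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <vector>

// Hypothetical names; this is not Firefox's WebAuthnManager code.
constexpr uint8_t kFlagUserPresent = 0x01;  // bit 0 (UP)
constexpr uint8_t kFlagRfu1 = 0x02;         // bit 1 (RFU1), relevant for legacy devices
constexpr uint8_t kSignFlagMask = kFlagUserPresent | kFlagRfu1;

struct SignResponse {
  uint8_t flags = 0;
  std::array<uint8_t, 4> counter{};  // big-endian, exactly as the token sent it
  std::vector<uint8_t> signature;
};

// U2F authentication response: flags (1 byte) || counter (4 bytes) || signature.
bool DecomposeSignResponse(const std::vector<uint8_t>& raw, SignResponse& out) {
  if (raw.size() < 6) return false;  // flags + counter + at least one signature byte
  out.flags = raw[0];
  std::copy(raw.begin() + 1, raw.begin() + 5, out.counter.begin());
  out.signature.assign(raw.begin() + 5, raw.end());
  return true;
}

// Assertion authenticator data: rpIdHash (32) || flags (1) || signCount (4).
// The flags byte is copied from the token's response under the mask instead of
// being hard-coded to "user present"; the RP checks the signature over these bytes.
std::vector<uint8_t> AssembleAuthenticatorData(const std::array<uint8_t, 32>& rpIdHash,
                                               const SignResponse& resp) {
  std::vector<uint8_t> out(rpIdHash.begin(), rpIdHash.end());
  out.push_back(static_cast<uint8_t>(resp.flags & kSignFlagMask));
  out.insert(out.end(), resp.counter.begin(), resp.counter.end());
  return out;
}

int main() {
  // Constructed sample: flags 0x03 (bits 0 and 1 set), counter 42, two placeholder signature bytes.
  const std::vector<uint8_t> raw = {0x03, 0x00, 0x00, 0x00, 0x2A, 0x30, 0x00};
  SignResponse resp;
  if (!DecomposeSignResponse(raw, resp)) return 1;
  const std::array<uint8_t, 32> rpIdHash{};  // placeholder hash, all zeros
  return AssembleAuthenticatorData(rpIdHash, resp)[32] == 0x03 ? 0 : 1;
}
```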
Assignee
Updated • 6 years ago
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Comment 1 • 6 years ago
Comment 2 • 6 years ago
Comment on attachment 8972807
Bug 1458755 - Web Authentication - Copy flag bits 0 & 1 for Sign operations r=jcj

J.C. Jones [:jcj] has approved the revision.
https://phabricator.services.mozilla.com/D1114
Attachment #8972807 - Flags: review+
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/75cde3db733a
Web Authentication - Copy flag bits 0 & 1 for Sign operations r=jcj
Comment 4 • 6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/75cde3db733a
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Reporter
Comment 6 • 6 years ago
I don't feel it's urgent to uplift to 61. It'll be more important when we support CTAP2 devices, which isn't yet scheduled.
Flags: needinfo?(ttaubert)