From c64da1748af95647ca6e53f00cd4b5cd4e45575b Mon Sep 17 00:00:00 2001 From: Nina Satragno Date: Mon, 20 Nov 2023 18:56:14 -0500 Subject: [PATCH 1/5] Add backup flags to virtual authenticator Allow setting and changing the backup eligibility (BE) and backup state (BS) flags through the virtual authenticator API. Fixed: #1987 --- index.bs | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) diff --git a/index.bs b/index.bs index e5f847486..891060dee 100644 --- a/index.bs +++ b/index.bs @@ -7764,6 +7764,10 @@ Each stored [=virtual authenticator=] has the following properties: :: A {{UvmEntries}} array to be set as the [=authenticator extension output=] when processing the [=User Verification Method=] extension. Note: This property has no effect if the [=Virtual Authenticator=] does not support the [=User Verification Method=] extension. +: |defaultBackupEligibility| +:: Determines the default state of the [=backup eligibility=] [=flag=] ([=BE=]) for any newly created [=Public Key Credential Source=]. +: |defaultBackupState| +:: Determines the default state of the [=backup state=] [=flag=] ([=BS=]) for any newly created [=Public Key Credential Source=]. ## Add Virtual Authenticator ## {#sctn-automation-add-virtual-authenticator} @@ -7848,6 +7852,18 @@ The Authenticator Configuration is a JSON [=Object=] passed to the [= Up to 3 [=User Verification Method=] entries Empty array + + |defaultBackupEligibility| + boolean + [TRUE], [FALSE] + [FALSE] + + + |defaultBackupState| + boolean + [TRUE], [FALSE] + [FALSE] + 
@@ -7990,6 +8006,22 @@ The Credential Parameters is a JSON [=Object=] passed to the [=remote string + + |backupEligibility| + + The simulated [=backup eligibility=] for the [=public key credential source=]. If unset, the value will default to the + [=virtual authenticator=]'s |defaultBackupEligibility| property. + + boolean + + + |backupState| + + The simulated [=backup state=] for the [=public key credential source=]. If unset, the value will default to the + [=virtual authenticator=]'s |defaultBackupState| property. + + boolean + @@ -8026,6 +8058,10 @@ The [=remote end steps=] are: 1. If |largeBlob| is failure, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]. 1. Otherwise: 1. Let |largeBlob| be `null`. + 1. Let |backupEligibility| be the |parameters|' |backupEligibility| property. + 1. If |backupEligibility| is not defined, set |backupEligibility| to the value of the |authenticator|'s |defaultBackupEligibility|. + 1. Let |backupState| be the |parameters|' |backupState| property. + 1. If |backupState| is not defined, set |backupState| to the value of the |authenticator|'s |defaultBackupState|. 1. Let |credential| be a new [=Client-side discoverable Public Key Credential Source=] if |isResidentCredential| is [TRUE] or a [=Server-side Public Key Credential Source=] otherwise whose items are: : [=public key credential source/type=] @@ -8038,6 +8074,8 @@ The [=remote end steps=] are: :: |rpId| : [=public key credential source/userHandle=] :: |userHandle| + 1. Set |credential|'s [=backup eligibility=] [=credential property=] to |backupEligibility|. + 1. Set |credential|'s [=backup state=] [=credential property=] to |backupState|. 1. Associate a [=signature counter=] |counter| to the |credential| with a starting value equal to the |parameters|' |signCount| or `0` if |signCount| is `null`. 1. If |largeBlob| is not `null`, set the [=large, per-credential blob=] associated to the |credential| to |largeBlob|. 
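Review bot: In the Add Credential steps (PATCH 1/5, hunk @@ -8026), |backupEligibility| and |backupState| are taken from |parameters| without any type check, and every combination is accepted, including |backupState| true with |backupEligibility| false. The neighbouring |largeBlob| handling returns a [=WebDriver error=] with [=invalid argument=] on bad input; consider doing the same when either property is defined but is not a boolean, and either reject the backup-state-without-eligibility combination or state explicitly that it is permitted so that tests can deliberately produce it.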
@@ -8171,6 +8209,75 @@ The [=remote end steps=] are: 1. Set the |authenticator|'s |isUserVerified| property to the |parameters|' |isUserVerified| property. 1. Return [=success=]. +## Set Credential Properties ## {#sctn-automation-set-credential-properties} + +The [=Set Credential Properties=] [=extension command=] allows setting the |backupEligibility| and |backupState| [=credential properties=] of +a [=Virtual Authenticator=]'s [=public key credential source=]. It is defined as follows: + +
+ + + + + + + + + + + + + +
HTTP MethodURI Template
POST`/session/{session id}/webauthn/authenticator/{authenticatorId}/credentials/{credentialId}/props`
+
+ +The Set Credential Properties Parameters is a JSON [=Object=] passed to the [=remote end steps=] as |parameters|. +It contains the following |key| and |value| pairs: + +
+ + + + + + + + + + + + + + + + + + + + +
KeyDescriptionValue Type
|backupEligibility|The [=backup eligibility=] [=credential property=].boolean
|backupState|The [=backup state=] [=credential property=].boolean
+
+ +The [=remote end steps=] are: + + 1. If |parameters| is not a JSON [=Object=], return a [=WebDriver error=] with [=WebDriver error code=] + [=invalid argument=]. + + Note: |parameters| is a [=Set Credential Properties Parameters=] object. + 1. If |authenticatorId| does not match any [=Virtual Authenticator=] stored in the [=Virtual Authenticator + Database=], return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]. + 1. Let |credential| be the [=public key credential source=] managed by |authenticator| matched by |credentialId|. + 1. If |credential| is empty, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]. + 1. Let |backupEligibility| be the |parameters|' |backupEligibility| property. + 1. If |backupEligibility| is defined, set the [=backup eligibility=] [=credential property=] of |credential| to its value. + + Note: Normally, the |backupEligibility| property is permanent to a [=public key credential source=]. + [=Set Credential Properties=] allows changing it for testing and debugging purposes. + + 1. Let |backupState| be the |parameters|' |backupState| property. + 1. If |backupState| is defined, set the [=backup state=] [=credential property=] of |credential| to its value. + 1. Return [=success=]. + # IANA Considerations # {#sctn-IANA} ## WebAuthn Attestation Statement Format Identifier Registrations Updates ## {#sctn-att-fmt-reg-update} From 07c8b6967a472826eced8fd86c4234c82286dc73 Mon Sep 17 00:00:00 2001 From: Nina Satragno Date: Tue, 21 Nov 2023 11:47:44 -0500 Subject: [PATCH 2/5] Say what the be/bs virtual auth flags actually do --- index.bs | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index 891060dee..3135fdbf7 100644 --- a/index.bs +++ b/index.bs 
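Review bot: In the Set Credential Properties hunk of PATCH 1/5 (@@ -8171), the credential lookup step reads "managed by |authenticator| matched by |credentialId|", but |authenticator| is never bound: the preceding step only checks that |authenticatorId| matches a stored [=Virtual Authenticator=]. Add a step such as "Let |authenticator| be the [=Virtual Authenticator=] matched by |authenticatorId|" before the lookup. "If |credential| is empty" would also read more precisely as "If no such |credential| exists", and a defined |backupEligibility| or |backupState| that is not a boolean should return an [=invalid argument=] error rather than being stored verbatim.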
@@ -7765,9 +7765,13 @@ Each stored [=virtual authenticator=] has the following properties: Note: This property has no effect if the [=Virtual Authenticator=] does not support the [=User Verification Method=] extension. : |defaultBackupEligibility| -:: Determines the default state of the [=backup eligibility=] [=flag=] ([=BE=]) for any newly created [=Public Key Credential Source=]. +:: Determines the default state of the [=backup eligibility=] [=credential property=] for any newly created [=Public Key Credential Source=]. + This value MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] + operation with this [=virtual authenticator=]. : |defaultBackupState| -:: Determines the default state of the [=backup state=] [=flag=] ([=BS=]) for any newly created [=Public Key Credential Source=]. +:: Determines the default state of the [=backup state=] [=credential property=] for any newly created [=Public Key Credential Source=]. + This value MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] + operation with this [=virtual authenticator=]. ## Add Virtual Authenticator ## {#sctn-automation-add-virtual-authenticator} @@ -8011,6 +8015,8 @@ The Credential Parameters is a JSON [=Object=] passed to the [=remote The simulated [=backup eligibility=] for the [=public key credential source=]. If unset, the value will default to the [=virtual authenticator=]'s |defaultBackupEligibility| property. + This value MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorGetAssertion=] + operation with this [=public key credential source=]. boolean 
@@ -8019,6 +8025,8 @@ The Credential Parameters is a JSON [=Object=] passed to the [=remote The simulated [=backup state=] for the [=public key credential source=]. If unset, the value will default to the [=virtual authenticator=]'s |defaultBackupState| property. + This value MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorGetAssertion=] + operation with this [=public key credential source=]. boolean @@ -8074,8 +8082,8 @@ The [=remote end steps=] are: :: |rpId| : [=public key credential source/userHandle=] :: |userHandle| - 1. Set |credential|'s [=backup eligibility=] [=credential property=] to |backupEligibility|. - 1. Set |credential|'s [=backup state=] [=credential property=] to |backupState|. + 1. Set the |credential|'s [=backup eligibility=] [=credential property=] to |backupEligibility|. + 1. Set the |credential|'s [=backup state=] [=credential property=] to |backupState|. 1. Associate a [=signature counter=] |counter| to the |credential| with a starting value equal to the |parameters|' |signCount| or `0` if |signCount| is `null`. 1. If |largeBlob| is not `null`, set the [=large, per-credential blob=] associated to the |credential| to |largeBlob|. From 265d77205b2d2454e120498141136597bc97e6c5 Mon Sep 17 00:00:00 2001 From: Nina Satragno Date: Tue, 21 Nov 2023 12:04:21 -0500 Subject: [PATCH 3/5] reflect backwards compatibility in language --- index.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/index.bs b/index.bs index 3135fdbf7..92ad62ebe 100644 --- a/index.bs +++ b/index.bs 
@@ -7766,11 +7766,11 @@ Each stored [=virtual authenticator=] has the following properties: Note: This property has no effect if the [=Virtual Authenticator=] does not support the [=User Verification Method=] extension. : |defaultBackupEligibility| :: Determines the default state of the [=backup eligibility=] [=credential property=] for any newly created [=Public Key Credential Source=]. - This value MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] + This value SHOULD be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] operation with this [=virtual authenticator=]. : |defaultBackupState| :: Determines the default state of the [=backup state=] [=credential property=] for any newly created [=Public Key Credential Source=]. - This value MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] + This value SHOULD be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] operation with this [=virtual authenticator=]. ## Add Virtual Authenticator ## {#sctn-automation-add-virtual-authenticator} @@ -8015,8 +8015,8 @@ The Credential Parameters is a JSON [=Object=] passed to the [=remote The simulated [=backup eligibility=] for the [=public key credential source=]. If unset, the value will default to the [=virtual authenticator=]'s |defaultBackupEligibility| property. - This value MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorGetAssertion=] - operation with this [=public key credential source=]. + The simulated [=backup eligibility=] SHOULD be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing + an [=authenticatorGetAssertion=] operation with this [=public key credential source=]. boolean 
@@ -8025,8 +8025,8 @@ The Credential Parameters is a JSON [=Object=] passed to the [=remote The simulated [=backup state=] for the [=public key credential source=]. If unset, the value will default to the [=virtual authenticator=]'s |defaultBackupState| property. - This value MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorGetAssertion=] - operation with this [=public key credential source=]. + The simulated [=backup state=] SHOULD be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing + an [=authenticatorGetAssertion=] operation with this [=public key credential source=]. boolean From fb61a8c31fcc5224f6ccdf9824be9f4ca84bcfba Mon Sep 17 00:00:00 2001 From: Nina Satragno Date: Wed, 22 Nov 2023 13:03:45 -0500 Subject: [PATCH 4/5] Update index.bs emlun's suggestion to change the `it` to be explicit. Co-authored-by: Emil Lundberg --- index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 92ad62ebe..9842f3325 100644 --- a/index.bs +++ b/index.bs 
@@ -8277,13 +8277,13 @@ The [=remote end steps=] are: 1. Let |credential| be the [=public key credential source=] managed by |authenticator| matched by |credentialId|. 1. If |credential| is empty, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]. 1. Let |backupEligibility| be the |parameters|' |backupEligibility| property. - 1. If |backupEligibility| is defined, set the [=backup eligibility=] [=credential property=] of |credential| to its value. + 1. If |backupEligibility| is defined, set the [=backup eligibility=] [=credential property=] of |credential| to the value of |backupEligibility|. Note: Normally, the |backupEligibility| property is permanent to a [=public key credential source=]. [=Set Credential Properties=] allows changing it for testing and debugging purposes. 1. Let |backupState| be the |parameters|' |backupState| property. - 1. If |backupState| is defined, set the [=backup state=] [=credential property=] of |credential| to its value. + 1. If |backupState| is defined, set the [=backup state=] [=credential property=] of |credential| to the value of |backupState|. 1. Return [=success=]. # IANA Considerations # {#sctn-IANA} From b0c79de6088dd0df2596414e4fcd9077a9243e53 Mon Sep 17 00:00:00 2001 From: Nina Satragno Date: Wed, 22 Nov 2023 13:04:17 -0500 Subject: [PATCH 5/5] s/should/must --- index.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index 9842f3325..133273c61 100644 --- a/index.bs +++ b/index.bs 
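Review bot: With the Set Credential Properties steps (PATCH 4/5, hunk @@ -8277) changing a stored credential's [=backup eligibility=] and [=backup state=], no text says the updated values must be reflected in the [=BE=]/[=BS=] [=authenticator data=] flags of later [=authenticatorGetAssertion=] operations; the normative sentences added in the other patches attach only to the authenticator defaults (for [=authenticatorMakeCredential=]) and to the Add Credential parameters. Suggest a sentence after the final set step, or in the Note, such as "Subsequent [=authenticatorGetAssertion=] operations with |credential| MUST reflect the updated values in the [=BE=] and [=BS=] flags."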
@@ -7766,11 +7766,11 @@ Each stored [=virtual authenticator=] has the following properties: Note: This property has no effect if the [=Virtual Authenticator=] does not support the [=User Verification Method=] extension. : |defaultBackupEligibility| :: Determines the default state of the [=backup eligibility=] [=credential property=] for any newly created [=Public Key Credential Source=]. - This value SHOULD be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] + This value MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] operation with this [=virtual authenticator=]. : |defaultBackupState| :: Determines the default state of the [=backup state=] [=credential property=] for any newly created [=Public Key Credential Source=]. - This value SHOULD be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] + This value MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] operation with this [=virtual authenticator=]. ## Add Virtual Authenticator ## {#sctn-automation-add-virtual-authenticator} @@ -8015,7 +8015,7 @@ The Credential Parameters is a JSON [=Object=] passed to the [=remote The simulated [=backup eligibility=] for the [=public key credential source=]. If unset, the value will default to the [=virtual authenticator=]'s |defaultBackupEligibility| property. - The simulated [=backup eligibility=] SHOULD be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing + The simulated [=backup eligibility=] MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorGetAssertion=] operation with this [=public key credential source=]. boolean 
@@ -8025,7 +8025,7 @@ The Credential Parameters is a JSON [=Object=] passed to the [=remote The simulated [=backup state=] for the [=public key credential source=]. If unset, the value will default to the [=virtual authenticator=]'s |defaultBackupState| property. - The simulated [=backup state=] SHOULD be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing + The simulated [=backup state=] MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorGetAssertion=] operation with this [=public key credential source=]. boolean
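Review bot: The commit message "s/should/must" (PATCH 5/5) does not say why the backwards-compatibility reasoning that motivated the SHOULD in PATCH 3/5 no longer applies, so the reversal leaves no record of the decision; expand the message, or add a Note beside the MUST sentences, giving the reason the stronger requirement is acceptable.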