test_webauthn_ctap2_omitted_credential_id.html

Enable keyboard shortcuts

<!DOCTYPE html>

<meta charset=utf-8>

<head>

  <title>Tests for omitted credential ID in a CTAP 2.0 authenticator response</title>

  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <script type="text/javascript" src="u2futil.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

</head>

<body>

  <h1>Tests for omitted credential ID in a CTAP 2.0 authenticator response</h1>

  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1864504">Mozilla Bug 1864504</a>

  <script class="testbody" type="text/javascript">

    "use strict";

    add_task(async () => {

      // CTAP 2.0 allows GetAssertion responses to omit a credential

      // ID if the allowlist has length one. This can cause problems in

      // MakeCredential as well because GetAssertion is used for pre-flighting.

      await addVirtualAuthenticator("ctap2");

});

    let validCred = null;

    add_task(test_setup_valid_credential);

    add_task(test_create_with_one_excluded_credential);

    add_task(test_get_with_one_allowed_credential);

    async function test_setup_valid_credential() {

      let publicKey = {

        rp: {id: document.domain, name: "none"},

        user: {id: new Uint8Array(), name: "none", displayName: "none"},

        challenge: crypto.getRandomValues(new Uint8Array(16)),

        pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],

};

      let res = await navigator.credentials.create({publicKey});

      validCred = {type: "public-key", id: res.rawId};

    async function test_create_with_one_excluded_credential() {

      let publicKey = {

        rp: {id: document.domain, name: "none"},

        user: {id: new Uint8Array(), name: "none", displayName: "none"},

        challenge: crypto.getRandomValues(new Uint8Array(16)),

        excludeList: [validCred],

        pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],

};

      await navigator.credentials.create({publicKey});

      ok(true, "create should not throw");

    async function test_get_with_one_allowed_credential() {

      let publicKey = {

        challenge: crypto.getRandomValues(new Uint8Array(16)),

        allowCredentials: [validCred]

};

      await navigator.credentials.get({publicKey});

      ok(true, "get should not throw");

  </script>

</body>

</html>