authentication-accepted-bbk-reused.https.html (5305B)
1 <!DOCTYPE html> 2 <meta charset="utf-8"> 3 <title>Test for the 'secure-payment-confirmation' payment method authentication - the browser bound key from enrollment is reused</title> 4 <link rel="help" href="https://w3c.github.io/secure-payment-confirmation/#sctn-retrieving-a-browser-bound-key"> 5 <script src="/resources/testharness.js"></script> 6 <script src="/resources/testharnessreport.js"></script> 7 <script src="/resources/testdriver.js"></script> 8 <script src="/resources/testdriver-vendor.js"></script> 9 <script src=../webauthn/resources/common-inputs.js></script> 10 <script src=../webauthn/resources/utils.js></script> 11 <script src="utils.sub.js"></script> 12 <script src="utils-bbk.js"></script> 13 <script> 14 'use strict'; 15 16 async function testBrowserBoundKeyOnSecurePaymentConfirmationAuthentication(t, options) { 17 options = Object.assign({ 18 // Override the browserBoundPubKeyCredParams on credential enrollment. An 19 // empty list should allow the user agent to default to [ES256, RS256]. 20 enrollmentBrowserBoundPubKeyCredParams: [], 21 // Override the browserBoundPubKeyCredParams on assertion. An empty list 22 // should allow the user agent to default to [ES256, RS256]. 23 browserBoundPubKeyCredParams: [], 24 // When browserBoundPubKeyCredParams nor pubKeyCredParams are specified, 25 // then ES256 and RS256 signature algorithms are allowed which correspond 26 // to EC2 and RSA keys. 27 expectedKeyTypes: [cose_key_type_ec2, cose_key_type_rsa], 28 // When set to true, the test allows a credential response where both the 29 // browser bound public key and the browser bound signature are not included. 30 allowNoBrowserBoundKey: false, 31 }, options); 32 33 await window.test_driver.add_virtual_authenticator( 34 AUTHENTICATOR_OPTS) 35 .then(authenticator => { 36 t.add_cleanup(() => { 37 return window.test_driver.remove_virtual_authenticator(authenticator); 38 }); 39 }); 40 41 await window.test_driver.set_spc_transaction_mode("autoAccept") 42 .then(_ => { 43 t.add_cleanup(() => { 44 return window.test_driver.set_spc_transaction_mode("none"); 45 }); 46 }); 47 48 const credential = await createCredential(/*set_payment_extension=*/true, { 49 browserBoundPubKeyCredParams: options.enrollmentBrowserBoundPubKeyCredParams, 50 }); 51 const browserBoundPublicKeyAtCreation = getBrowserBoundPublicKeyFromCredential(credential); 52 if (!options.allowNoBrowserBoundKey) { 53 assert_not_equals(browserBoundPublicKeyAtCreation, undefined, 54 "A browser bound key was present during credential enrollment."); 55 } 56 57 const challenge = 'server challenge'; 58 const payeeOrigin = 'https://merchant.com'; 59 const displayName = 'Troycard ***1234'; 60 const request = new PaymentRequest([{ 61 supportedMethods: 'secure-payment-confirmation', 62 data: { 63 credentialIds: [credential.rawId], 64 challenge: Uint8Array.from(challenge, c => c.charCodeAt(0)), 65 payeeOrigin, 66 rpId: window.location.hostname, 67 timeout: 60000, 68 instrument: { 69 displayName, 70 icon: ICON_URL, 71 }, 72 browserBoundPubKeyCredParams: options.browserBoundPubKeyCredParams, 73 } 74 }], PAYMENT_DETAILS); 75 76 await test_driver.bless('user activation'); 77 const response = await request.show(); 78 await response.complete('success'); 79 80 const browserBoundPublicKeyAtAuthentication = getBrowserBoundPublicKeyFromCredential(response.details); 81 assert_equals(browserBoundPublicKeyAtCreation, browserBoundPublicKeyAtAuthentication, 82 "The browser bound public keys differed at enrollment and authentication (or only one was present)."); 83 const verificationResult = await verifyBrowserBoundKey(response.details, options.expectedKeyTypes); 84 if (!options.allowNoBrowserBoundKey) { 85 assert_true(verificationResult == 86 BrowserBoundKeyVerificationResult.BrowserBoundKeySignatureVerified, 87 "The browser bound signature could not be verified."); 88 } 89 } 90 91 promise_test(async t => { 92 return testBrowserBoundKeyOnSecurePaymentConfirmationAuthentication(t, /*options=*/{ 93 enrollmentBrowserBoundPubKeyCredParams: [], // Let the user agent provide a default. 94 browserBoundPubKeyCredParams: [], // Let the user agent provide a default. 95 expectedKeyTypes: [cose_key_type_ec2, cose_key_type_rsa], 96 }); 97 }, 'Uses the same browser bound key authentication as enrollment.'); 98 99 promise_test(async t => { 100 return testBrowserBoundKeyOnSecurePaymentConfirmationAuthentication(t, { 101 enrollmentBrowserBoundPubKeyCredParams: [{ 102 type: "public-key", 103 alg: -7, // "ES256" 104 }], 105 browserBoundPubKeyCredParams: [{ 106 type: "public-key", 107 alg: -7, // "ES256" 108 }], 109 expectedKeyTypes: [cose_key_type_ec2], 110 allowNoBrowserBoundKey: true, 111 }); 112 }, 'If ES256 is supported, the browser bound key is the same during authentication as enrollment.'); 113 114 promise_test(async t => { 115 return testBrowserBoundKeyOnSecurePaymentConfirmationAuthentication(t, { 116 enrollmentBrowserBoundPubKeyCredParams: [{ 117 type: "public-key", 118 alg: -257, // "RS256" 119 }], 120 browserBoundPubKeyCredParams: [{ 121 type: "public-key", 122 alg: -257, // "RS256" 123 }], 124 expectedKeyTypes: [cose_key_type_rsa], 125 allowNoBrowserBoundKey: true, 126 }); 127 }, 'If RS256 is supported, the browser bound key is the same during authentication as enrollment.'); 128 </script>