
enrollment-bbk.https.html (3138B)


      1 <!DOCTYPE html>
      2 <meta charset="utf-8">
      3 <title>Test for registering a PublicKeyCredential with "payment" extension creates a browser bound key</title>
      4 <link rel="help" href="https://w3c.github.io/secure-payment-confirmation/#client-extension-processing-registration">
      5 <script src="/resources/testharness.js"></script>
      6 <script src="/resources/testharnessreport.js"></script>
      7 <script src="/resources/testdriver.js"></script>
      8 <script src="/resources/testdriver-vendor.js"></script>
      9 <script src=../webauthn/resources/common-inputs.js></script>
     10 <script src=../webauthn/resources/utils.js></script>
     11 <script src="utils.sub.js"></script>
     12 <script src="utils-bbk.js"></script>
     13 <script>
     14 'use strict';
     15 
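/**
 * Registers a credential with the "payment" extension against a virtual
 * authenticator and verifies the browser bound key on the response.
 *
 * @param {object} t testharness.js test object, used to register cleanup.
 * @param {object} [options] Overrides for the defaults below.
 * @param {Array} [options.browserBoundPubKeyCredParams] Algorithm list
 *     forwarded to createCredential().
 * @param {Array} [options.expectedKeyTypes] COSE key types accepted by
 *     verifyBrowserBoundKey().
 * @param {boolean} [options.allowNoBrowserBoundKey] When true, the
 *     verification result is not asserted.
 * @returns {Promise<void>} Settles after verification has run. Callers must
 *     return or await it; otherwise a failed assertion is not attributed to
 *     the calling test.
 */
async function testBrowserBoundKeyOnPasskeyEnrollment(t, options) {
  options = Object.assign({
    // Forwarded to createCredential() as browserBoundPubKeyCredParams. An empty
    // list should allow the user agent to default to [ES256, RS256].
    browserBoundPubKeyCredParams: [],
    // When neither browserBoundPubKeyCredParams nor pubKeyCredParams is
    // specified, the ES256 and RS256 signature algorithms are allowed, which
    // correspond to EC2 and RSA keys.
    expectedKeyTypes: [cose_key_type_ec2, cose_key_type_rsa],
    // When set to true, the test allows a credential response where both the
    // browser bound public key and the browser bound signature are not included.
    allowNoBrowserBoundKey: false,
  }, options);

  const authenticator =
      await window.test_driver.add_virtual_authenticator(AUTHENTICATOR_OPTS);
  // Register removal right away so the authenticator does not outlive the test.
  t.add_cleanup(
      () => window.test_driver.remove_virtual_authenticator(authenticator));

  // Forward the caller's algorithm list under the option name declared above.
  // Reading a property that is never set yields undefined, which would drop
  // the caller's restriction and make the per-algorithm tests identical.
  const credential = await createCredential(/*set_payment_extension=*/true, {
    browserBoundPubKeyCredParams: options.browserBoundPubKeyCredParams,
  });

  // The return value is not used here. The call is kept because the helper is
  // defined outside this file and may perform its own checks -- TODO confirm.
  getBrowserBoundPublicKeyFromCredential(credential);

  const verificationResult =
      await verifyBrowserBoundKey(credential, options.expectedKeyTypes);
  // NOTE(review): when allowNoBrowserBoundKey is true the result is not
  // inspected at all, so a response carrying a key whose signature fails to
  // verify would also be accepted unless verifyBrowserBoundKey() asserts
  // internally. Consider asserting that the result is either "verified" or
  // the helper's "no key present" value -- confirm against utils-bbk.js.
  if (!options.allowNoBrowserBoundKey) {
    assert_equals(
        verificationResult,
        BrowserBoundKeyVerificationResult.BrowserBoundKeySignatureVerified,
        "The browser bound signature could not be verified.");
  }
}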
     50 
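// Default case: no algorithm restriction, so the signature must verify.
promise_test(async t => {
  // Return the helper's promise so promise_test waits for its assertions.
  // Without this the test completes before verification has run and a failed
  // signature check would not fail the test.
  return testBrowserBoundKeyOnPasskeyEnrollment(t, {
    browserBoundPubKeyCredParams: [], // Let the user agent provide a default.
    expectedKeyTypes: [cose_key_type_ec2, cose_key_type_rsa],
  });
}, 'Creates a browser bound key on enrollment');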
     57 
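// ES256 only. allowNoBrowserBoundKey is set, so a response without a browser
// bound key is tolerated.
promise_test(async t => {
  // Return the helper's promise so promise_test waits for its assertions
  // instead of completing before the credential has been created.
  return testBrowserBoundKeyOnPasskeyEnrollment(t, {
    browserBoundPubKeyCredParams: [{
      type: "public-key",
      alg: -7, // "ES256"
    }],
    expectedKeyTypes: [cose_key_type_ec2],
    allowNoBrowserBoundKey: true,
  });
}, 'If ES256 is supported creates a browser bound key on enrollment.');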
     68 
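// RS256 only. allowNoBrowserBoundKey is set, so a response without a browser
// bound key is tolerated.
promise_test(async t => {
  // Return the helper's promise so promise_test waits for its assertions
  // instead of completing before the credential has been created.
  return testBrowserBoundKeyOnPasskeyEnrollment(t, {
    browserBoundPubKeyCredParams: [{
      type: "public-key",
      alg: -257, // "RS256"
    }],
    expectedKeyTypes: [cose_key_type_rsa],
    allowNoBrowserBoundKey: true,
  });
}, 'If RS256 is supported creates a browser bound key on enrollment.');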
     79 
     80 </script>