From cf353630e40d0ed7e23449d6c0077da89c4738ab Mon Sep 17 00:00:00 2001 From: Nina Satragno Date: Wed, 13 Dec 2023 15:14:06 -0500 Subject: [PATCH] Add backup flags to virtual authenticator (#1999) * Add backup flags to virtual authenticator Allow setting and changing the backup eligibility (BE) and backup state (BS) flags through the virtual authenticator API. Fixed: #1987 Co-authored-by: Emil Lundberg --- index.bs | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) diff --git a/index.bs b/index.bs index d7990b060..d5b59d36c 100644 --- a/index.bs +++ b/index.bs @@ -7794,6 +7794,14 @@ Each stored [=virtual authenticator=] has the following properties: :: A {{UvmEntries}} array to be set as the [=authenticator extension output=] when processing the [=User Verification Method=] extension. Note: This property has no effect if the [=Virtual Authenticator=] does not support the [=User Verification Method=] extension. +: |defaultBackupEligibility| +:: Determines the default state of the [=backup eligibility=] [=credential property=] for any newly created [=Public Key Credential Source=]. + This value MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] + operation with this [=virtual authenticator=]. +: |defaultBackupState| +:: Determines the default state of the [=backup state=] [=credential property=] for any newly created [=Public Key Credential Source=]. + This value MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=] + operation with this [=virtual authenticator=]. ## Add Virtual Authenticator ## {#sctn-automation-add-virtual-authenticator} 
@@ -7878,6 +7886,18 @@ The Authenticator Configuration is a JSON [=Object=] passed to the [= Up to 3 [=User Verification Method=] entries Empty array + + |defaultBackupEligibility| + boolean + [TRUE], [FALSE] + [FALSE] + + + |defaultBackupState| + boolean + [TRUE], [FALSE] + [FALSE] + @@ -8020,6 +8040,26 @@ The Credential Parameters is a JSON [=Object=] passed to the [=remote string + + |backupEligibility| + + The simulated [=backup eligibility=] for the [=public key credential source=]. If unset, the value will default to the + [=virtual authenticator=]'s |defaultBackupEligibility| property. + The simulated [=backup eligibility=] MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing + an [=authenticatorGetAssertion=] operation with this [=public key credential source=]. + + boolean + + + |backupState| + + The simulated [=backup state=] for the [=public key credential source=]. If unset, the value will default to the + [=virtual authenticator=]'s |defaultBackupState| property. + The simulated [=backup state=] MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing + an [=authenticatorGetAssertion=] operation with this [=public key credential source=]. + + boolean + 
@@ -8056,6 +8096,10 @@ The [=remote end steps=] are: 1. If |largeBlob| is failure, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]. 1. Otherwise: 1. Let |largeBlob| be `null`. + 1. Let |backupEligibility| be the |parameters|' |backupEligibility| property. + 1. If |backupEligibility| is not defined, set |backupEligibility| to the value of the |authenticator|'s |defaultBackupEligibility|. + 1. Let |backupState| be the |parameters|' |backupState| property. + 1. If |backupState| is not defined, set |backupState| to the value of the |authenticator|'s |defaultBackupState|. 1. Let |credential| be a new [=Client-side discoverable Public Key Credential Source=] if |isResidentCredential| is [TRUE] or a [=Server-side Public Key Credential Source=] otherwise whose items are: : [=public key credential source/type=] @@ -8068,6 +8112,8 @@ The [=remote end steps=] are: :: |rpId| : [=public key credential source/userHandle=] :: |userHandle| + 1. Set the |credential|'s [=backup eligibility=] [=credential property=] to |backupEligibility|. + 1. Set the |credential|'s [=backup state=] [=credential property=] to |backupState|. 1. Associate a [=signature counter=] |counter| to the |credential| with a starting value equal to the |parameters|' |signCount| or `0` if |signCount| is `null`. 1. If |largeBlob| is not `null`, set the [=large, per-credential blob=] associated to the |credential| to |largeBlob|. @@ -8201,6 +8247,75 @@ The [=remote end steps=] are: 1. Set the |authenticator|'s |isUserVerified| property to the |parameters|' |isUserVerified| property. 1. Return [=success=]. +## Set Credential Properties ## {#sctn-automation-set-credential-properties} + +The [=Set Credential Properties=] [=extension command=] allows setting the |backupEligibility| and |backupState| [=credential properties=] of +a [=Virtual Authenticator=]'s [=public key credential source=]. It is defined as follows: + +
+ + + + + + + + + + + + + +
HTTP MethodURI Template
POST`/session/{session id}/webauthn/authenticator/{authenticatorId}/credentials/{credentialId}/props`
+
+ +The Set Credential Properties Parameters is a JSON [=Object=] passed to the [=remote end steps=] as |parameters|. +It contains the following |key| and |value| pairs: + +
+ + + + + + + + + + + + + + + + + + + + +
KeyDescriptionValue Type
|backupEligibility|The [=backup eligibility=] [=credential property=].boolean
|backupState|The [=backup state=] [=credential property=].boolean
+
+ +The [=remote end steps=] are: + + 1. If |parameters| is not a JSON [=Object=], return a [=WebDriver error=] with [=WebDriver error code=] + [=invalid argument=]. + + Note: |parameters| is a [=Set Credential Properties Parameters=] object. + 1. If |authenticatorId| does not match any [=Virtual Authenticator=] stored in the [=Virtual Authenticator + Database=], return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]. + 1. Let |credential| be the [=public key credential source=] managed by |authenticator| matched by |credentialId|. + 1. If |credential| is empty, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]. + 1. Let |backupEligibility| be the |parameters|' |backupEligibility| property. + 1. If |backupEligibility| is defined, set the [=backup eligibility=] [=credential property=] of |credential| to the value of |backupEligibility|. + + Note: Normally, the |backupEligibility| property is permanent to a [=public key credential source=]. + [=Set Credential Properties=] allows changing it for testing and debugging purposes. + + 1. Let |backupState| be the |parameters|' |backupState| property. + 1. If |backupState| is defined, set the [=backup state=] [=credential property=] of |credential| to the value of |backupState|. + 1. Return [=success=]. + # IANA Considerations # {#sctn-IANA} ## WebAuthn Attestation Statement Format Identifier Registrations Updates ## {#sctn-att-fmt-reg-update}
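Review bot: In the Set Credential Properties remote end steps, |authenticator| is used in the step "Let |credential| be the [=public key credential source=] managed by |authenticator| matched by |credentialId|" but is never bound; the preceding step only checks that |authenticatorId| matches some entry in the [=Virtual Authenticator Database=]. Add an explicit "Let |authenticator| be the [=Virtual Authenticator=] matched by |authenticatorId|" step (or fold it into the lookup step), and reword "If |credential| is empty" to the form used for the lookup failure, e.g. "If no such [=public key credential source=] exists, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]."

Review bot: In the Add Credential hunk, the new steps read |backupEligibility| and |backupState| from |parameters| and fall back to the authenticator defaults, but never check that a supplied value is actually a boolean, even though the Credential Parameters table declares the Value Type as boolean; the Set Credential Properties steps have the same gap. Other parameters in this command fail with [=invalid argument=] on a malformed value (see the |largeBlob| failure step just above), so add "If |backupEligibility| is defined and is not a boolean, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=]" (and likewise for |backupState|) in both commands.

Review bot: None of the three places that accept these values (the |defaultBackupEligibility|/|defaultBackupState| authenticator configuration, the Credential Parameters, and Set Credential Properties) constrains |backupState| relative to |backupEligibility|, so a test can produce a credential whose BS flag is set while BE is clear. If that combination is meant to be rejected, add an [=invalid argument=] check once both values are resolved; if it is intentionally allowed so tests can exercise how a Relying Party handles inconsistent flags, say so in a Note next to the existing "Normally, the |backupEligibility| property is permanent" note so readers do not take the omission as an oversight.

Review bot: The Set Credential Properties section defines the parameters table and steps but does not say whether a request that supplies neither |backupEligibility| nor |backupState| is an error or a no-op; as written it returns [=success=] without changing anything. Documenting that explicitly (one sentence after the parameters table) would avoid divergent implementations.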