- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 10 Feb 2023 15:35:36 +0000
- To: public-webauthn@w3.org
emlun has just created a new issue for https://github.com/w3c/webauthn:
== PRF inputs should be BufferSource instead of ArrayBuffer ==
Throughout the WebAuthn API we use `BufferSource` for binary input parameters (e.g., [`PublicKeyCredentialCreationOptions.challenge`](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-challenge), [`PublicKeyCredentialUserEntity.id`](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-id)) and `ArrayBuffer` for binary return values (e.g., [`PublicKeyCredential.rawId`](https://w3c.github.io/webauthn/#dom-publickeycredential-rawid), [`AuthenticatorAttestationResponse.attestationObject`](https://w3c.github.io/webauthn/#dom-authenticatorattestationresponse-attestationobject)). However, the `prf` extension uses `ArrayBuffer` for both input parameters and output return values. This means that this code example:
```javascript
var credid = null;
navigator.credentials.create({
  publicKey: {
    challenge: new Uint8Array([1, 2, 3, 4]),
    pubKeyCredParams: [{type: 'public-key', alg: -7}],
    rp: { name: 'Test' },
    user: { id: new Uint8Array([5, 6, 7, 8]), name: 'test', displayName: 'Test' },
    extensions: {
      prf: {
        eval: {
          first: new Uint8Array([1, 2, 3, 4]),
        },
      },
    },
  },
}).then(cred => {
  console.log(cred);
  console.log(cred.getClientExtensionResults());
  credid = cred.rawId;
})
```
generates the following error in Chrome Canary (112.0.5580.0):
```
VM1538:2 Uncaught (in promise) TypeError: Failed to execute 'create' on 'CredentialsContainer': Failed to read the 'publicKey' property from 'CredentialCreationOptions': Failed to read the 'extensions' property from 'PublicKeyCredentialCreationOptions': Failed to read the 'prf' property from 'AuthenticationExtensionsClientInputs': Failed to read the 'eval' property from 'AuthenticationExtensionsPRFInputs': Failed to read the 'first' property from 'AuthenticationExtensionsPRFValues': Failed to convert value to 'ArrayBuffer'.
at <anonymous>:2:23
```
This can be worked around using `new Uint8Array(...).buffer`, but is not in line with how the rest of the API works.
## Proposed Change
- Split [`AuthenticationExtensionsPRFValues`](https://w3c.github.io/webauthn/#dictdef-authenticationextensionsprfvalues) into two versions: one for input and one for output.
- Change `ArrayBuffer` to `BufferSource` in the one used in client extension inputs.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1851 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 10 February 2023 15:35:38 UTC
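
The `.buffer` workaround mentioned in the issue returns the whole backing buffer of a typed-array view, so a view created with `subarray()` or an offset would hand the authenticator different bytes than intended as the PRF input. As an added example (not part of the original issue; `toArrayBuffer`, `prfInputs` and `demo` are hypothetical helper names, and the sample bytes are constructed), this copies exactly the bytes a `BufferSource` refers to before building the `prf` extension input:

```javascript
// Added example, not code from the WebAuthn spec or the original issue.
// Helper names are hypothetical.

// Copy exactly the bytes a BufferSource refers to into a fresh ArrayBuffer.
// Unlike `view.buffer`, this honours byteOffset and byteLength.
function toArrayBuffer(src) {
  let bytes;
  if (src instanceof ArrayBuffer) {
    bytes = new Uint8Array(src);
  } else if (ArrayBuffer.isView(src)) {
    bytes = new Uint8Array(src.buffer, src.byteOffset, src.byteLength);
  } else {
    throw new TypeError('expected an ArrayBuffer or ArrayBufferView');
  }
  const copy = new Uint8Array(bytes.byteLength);
  copy.set(bytes);
  return copy.buffer;
}

// Build the `extensions` member for a client whose prf inputs are
// typed as ArrayBuffer. `second` is optional.
function prfInputs(first, second) {
  const evalInputs = { first: toArrayBuffer(first) };
  if (second !== undefined) {
    evalInputs.second = toArrayBuffer(second);
  }
  return { prf: { eval: evalInputs } };
}

// Constructed sample: a 4-byte salt that is a view into a 32-byte buffer.
function demo() {
  const backing = new Uint8Array(32).fill(0xaa);
  backing.set([1, 2, 3, 4], 8);
  const salt = backing.subarray(8, 12);
  const exact = prfInputs(salt).prf.eval.first;
  return {
    naiveLength: salt.buffer.byteLength, // whole backing buffer: 32
    exactLength: exact.byteLength,       // only the view's bytes: 4
    exactBytes: Array.from(new Uint8Array(exact)),
  };
}

console.log(demo());
```

Because the PRF output depends on the exact input bytes, passing `salt.buffer` here would evaluate the PRF over 32 bytes instead of the intended 4 and produce a different result than the same salt supplied from a standalone array.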