[java] Add virtual authenticator test case for U2F protocol. Formatting changes.

pujagani · pujagani · commit fe84ca7686d8 · 2022-05-05T17:56:41.000+05:30
diff --git a/java/test/org/openqa/selenium/virtualauthenticator/VirtualAuthenticatorTest.java b/java/test/org/openqa/selenium/virtualauthenticator/VirtualAuthenticatorTest.java
@@ -24,9 +24,11 @@
 
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Base64;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import org.openqa.selenium.InvalidArgumentException;
 import org.openqa.selenium.JavascriptExecutor;
 import org.openqa.selenium.environment.webserver.Page;
 import org.openqa.selenium.testing.JUnit4TestBase;
@@ -39,18 +41,33 @@
 public class VirtualAuthenticatorTest extends JUnit4TestBase {
 
   /**
-   * A pkcs#8 encoded unencrypted EC256 private key as a base64url string.
+   * A pkcs#8 encoded encrypted RSA private key as a base64url string.
    */
   private final static String base64EncodedPK =
-      "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8_zMDQDYAxlU-Q"
-    + "hk1Dwkf0v18GZca1DMF3SaJ9HPdmShRANCAASNYX5lyVCOZLzFZzrIKmeZ2jwU"
-    + "RmgsJYxGP__fWN_S-j5sN4tT15XEpN_7QZnt14YvI6uvAgO0uJEboFaZlOEB";
+    "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDbBOu5Lhs4vpowbCnmCyLUpIE7JM9sm9QXzye2G+jr+Kr"
+    + "MsinWohEce47BFPJlTaDzHSvOW2eeunBO89ZcvvVc8RLz4qyQ8rO98xS1jtgqi1NcBPETDrtzthODu/gd0sjB2Tk3TLuB"
+    + "GVoPXt54a+Oo4JbBJ6h3s0+5eAfGplCbSNq6hN3Jh9YOTw5ZA6GCEy5l8zBaOgjXytd2v2OdSVoEDNiNQRkjJd2rmS2oi"
+    + "9AyQFR3B7BrPSiDlCcITZFOWgLF5C31Wp/PSHwQhlnh7/6YhnE2y9tzsUvzx0wJXrBADW13+oMxrneDK3WGbxTNYgIi1P"
+    + "vSqXlqGjHtCK+R2QkXAgMBAAECggEAVc6bu7VAnP6v0gDOeX4razv4FX/adCao9ZsHZ+WPX8PQxtmWYqykH5CY4TSfsui"
+    + "zAgyPuQ0+j4Vjssr9VODLqFoanspT6YXsvaKanncUYbasNgUJnfnLnw3an2XpU2XdmXTNYckCPRX9nsAAURWT3/n9ljc/"
+    + "XYY22ecYxM8sDWnHu2uKZ1B7M3X60bQYL5T/lVXkKdD6xgSNLeP4AkRx0H4egaop68hoW8FIwmDPVWYVAvo8etzWCtib"
+    + "RXz5FcNld9MgD/Ai7ycKy4Q1KhX5GBFI79MVVaHkSQfxPHpr7/XcmpQOEAr+BMPon4s4vnKqAGdGB3j/E3d/+4F2swyko"
+    + "QKBgQD8hCsp6FIQ5umJlk9/j/nGsMl85LgLaNVYpWlPRKPc54YNumtvj5vx1BG+zMbT7qIE3nmUPTCHP7qb5ERZG4CdMC"
+    + "S6S64/qzZEqijLCqepwj6j4fV5SyPWEcpxf6ehNdmcfgzVB3Wolfwh1ydhx/96L1jHJcTKchdJJzlfTvq8wwKBgQDeCnK"
+    + "ws1t5GapfE1rmC/h4olL2qZTth9oQmbrXYohVnoqNFslDa43ePZwL9Jmd9kYb0axOTNMmyrP0NTj41uCfgDS0cJnNTc63"
+    + "ojKjegxHIyYDKRZNVUR/dxAYB/vPfBYZUS7M89pO6LLsHhzS3qpu3/hppo/Uc/AM /r8PSflNHQKBgDnWgBh6OQncChPUl"
+    + "OLv9FMZPR1ZOfqLCYrjYEqiuzGm6iKM13zXFO4AGAxu1P/IAd5BovFcTpg79Z8tWqZaUUwvscnl+cRlj+mMXAmdqCeO8V"
+    + "ASOmqM1ml667axeZDIR867ZG8K5V029Wg+4qtX5uFypNAAi6GfHkxIKrD04yOHAoGACdh4wXESi0oiDdkz3KOHPwIjn6B"
+    + "hZC7z8mx+pnJODU3cYukxv3WTctlUhAsyjJiQ/0bK1yX87ulqFVgO0Knmh+wNajrb9wiONAJTMICG7tiWJOm7fW5cfTJw"
+    + "WkBwYADmkfTRmHDvqzQSSvoC2S7aa9QulbC3C/qgGFNrcWgcT9kCgYAZTa1P9bFCDU7hJc2mHwJwAW7/FQKEJg8SL33KI"
+    + "NpLwcR8fqaYOdAHWWz636osVEqosRrHzJOGpf9x2RSWzQJ+dq8+6fACgfFZOVpN644+sAHfNPAI/gnNKU5OfUv+eav8fB"
+    + "nzlf1A3y3GIkyMyzFN3DE7e0n/lyqxE4HBYGpI8g==";
 
   private final static PKCS8EncodedKeySpec privateKey =
-      new PKCS8EncodedKeySpec(Base64.getUrlDecoder().decode(base64EncodedPK));
+    new PKCS8EncodedKeySpec(Base64.getMimeDecoder().decode(base64EncodedPK));
 
   private final static String script =
-      "async function registerCredential(options = {}) {"
+    "async function registerCredential(options = {}) {"
     + "  options = Object.assign({"
     + "    authenticatorSelection: {"
     + "      requireResidentKey: false,"
@@ -114,22 +131,39 @@ public void setup() {
     assumeThat(driver).isInstanceOf(HasVirtualAuthenticator.class);
     jsAwareDriver = (JavascriptExecutor) driver;
     driver.get(appServer.create(new Page()
-        .withTitle("Virtual Authenticator Test")
-        .withScripts(script)));
+                                  .withTitle("Virtual Authenticator Test")
+                                  .withScripts(script)));
+  }
+
+  private void createRKEnabledU2FAuthenticator() {
+    VirtualAuthenticatorOptions options = new VirtualAuthenticatorOptions()
+      .setProtocol(Protocol.U2F)
+      .setHasResidentKey(true);
+    authenticator = ((HasVirtualAuthenticator) driver).addVirtualAuthenticator(options);
+  }
+
+  private void createRKDisabledU2FAuthenticator() {
+    VirtualAuthenticatorOptions options = new VirtualAuthenticatorOptions()
+      .setProtocol(Protocol.U2F)
+      .setHasResidentKey(false);
+    authenticator = ((HasVirtualAuthenticator) driver).addVirtualAuthenticator(options);
   }
 
-  private void createSimpleU2FAuthenticator() {
+  private void createRKEnabledCTAP2Authenticator() {
     VirtualAuthenticatorOptions options = new VirtualAuthenticatorOptions()
-        .setProtocol(Protocol.U2F);
+      .setProtocol(Protocol.CTAP2)
+      .setHasResidentKey(true)
+      .setHasUserVerification(true)
+      .setIsUserVerified(true);
     authenticator = ((HasVirtualAuthenticator) driver).addVirtualAuthenticator(options);
   }
 
-  private void createRKEnabledAuthenticator() {
+  private void createRKDisabledCTAP2Authenticator() {
     VirtualAuthenticatorOptions options = new VirtualAuthenticatorOptions()
-        .setProtocol(Protocol.CTAP2)
-        .setHasResidentKey(true)
-        .setHasUserVerification(true)
-        .setIsUserVerified(true);
+      .setProtocol(Protocol.CTAP2)
+      .setHasResidentKey(false)
+      .setHasUserVerification(true)
+      .setIsUserVerified(true);
     authenticator = ((HasVirtualAuthenticator) driver).addVirtualAuthenticator(options);
   }
 
@@ -139,8 +173,9 @@ private void createRKEnabledAuthenticator() {
    */
   private byte[] convertListIntoArrayOfBytes(List<Long> list) {
     byte[] ret = new byte[list.size()];
-    for (int i = 0; i < list.size(); ++i)
+    for (int i = 0; i < list.size(); ++i) {
       ret[i] = list.get(i).byteValue();
+    }
     return ret;
   }
 
@@ -160,7 +195,7 @@ private String extractIdFrom(Object response) {
 
   private Object getAssertionFor(Object credentialId) {
     return jsAwareDriver.executeAsyncScript(
-        "getCredential([{"
+      "getCredential([{"
       + "  \"type\": \"public-key\","
       + "  \"id\": Int8Array.from(arguments[0]),"
       + "}]).then(arguments[arguments.length - 1]);", credentialId);
@@ -176,16 +211,16 @@ public void tearDown() {
   @Test
   public void testCreateAuthenticator() {
     // Register a credential on the Virtual Authenticator.
-    createSimpleU2FAuthenticator();
+    createRKDisabledU2FAuthenticator();
     Object response = jsAwareDriver.executeAsyncScript(
-        "registerCredential().then(arguments[arguments.length - 1]);");
+      "registerCredential().then(arguments[arguments.length - 1]);");
     assertThat(response).asInstanceOf(MAP).containsEntry("status", "OK");
 
     // Attempt to use the credential to get an assertion.
     assertThat(response)
-        .extracting("credential.rawId")
-        .extracting(this::getAssertionFor).asInstanceOf(MAP)
-        .containsEntry("status", "OK");
+      .extracting("credential.rawId")
+      .extracting(this::getAssertionFor).asInstanceOf(MAP)
+      .containsEntry("status", "OK");
   }
 
   @Test
@@ -200,10 +235,37 @@ public void testRemoveAuthenticator() {
   @Test
   public void testAddNonResidentCredential() {
     // Add a non-resident credential using the testing API.
-    createSimpleU2FAuthenticator();
+    createRKDisabledCTAP2Authenticator();
     byte[] credentialId = {1, 2, 3, 4};
     Credential credential = Credential.createNonResidentCredential(
-        credentialId, "localhost", privateKey, /*signCount=*/0);
+      credentialId, "localhost", privateKey, /*signCount=*/0);
+    authenticator.addCredential(credential);
+
+    // Attempt to use the credential to generate an assertion.
+    Object response = getAssertionFor(Arrays.asList(1, 2, 3, 4));
+    assertThat(response).asInstanceOf(MAP).containsEntry("status", "OK");
+  }
+
+  @Test
+  public void testAddNonResidentCredentialWhenAuthenticatorUsesU2FProtocol() {
+    // Add a non-resident credential using the testing API.
+
+    createRKDisabledU2FAuthenticator();
+
+    /**
+     * A pkcs#8 encoded unencrypted EC256 private key as a base64url string.
+     */
+    String base64EncodedPK =
+      "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8_zMDQDYAxlU-Q"
+      + "hk1Dwkf0v18GZca1DMF3SaJ9HPdmShRANCAASNYX5lyVCOZLzFZzrIKmeZ2jwU"
+      + "RmgsJYxGP__fWN_S-j5sN4tT15XEpN_7QZnt14YvI6uvAgO0uJEboFaZlOEB";
+
+    PKCS8EncodedKeySpec privateKey =
+      new PKCS8EncodedKeySpec(Base64.getUrlDecoder().decode(base64EncodedPK));
+
+    byte[] credentialId = {1, 2, 3, 4};
+    Credential credential = Credential.createNonResidentCredential(
+      credentialId, "localhost", privateKey, /*signCount=*/0);
     authenticator.addCredential(credential);
 
     // Attempt to use the credential to generate an assertion.
@@ -214,36 +276,59 @@ public void testAddNonResidentCredential() {
   @Test
   public void testAddResidentCredential() {
     // Add a resident credential using the testing API.
-    createRKEnabledAuthenticator();
+    createRKEnabledCTAP2Authenticator();
     byte[] credentialId = {1, 2, 3, 4};
     byte[] userHandle = {1};
     Credential credential = Credential.createResidentCredential(
-        credentialId, "localhost", privateKey, userHandle, /*signCount=*/0);
+      credentialId, "localhost", privateKey, userHandle, /*signCount=*/0);
     authenticator.addCredential(credential);
 
     // Attempt to use the credential to generate an assertion. Notice we use an
     // empty allowCredentials array.
     Object response = jsAwareDriver.executeAsyncScript(
-        "getCredential([]).then(arguments[arguments.length - 1]);");
+      "getCredential([]).then(arguments[arguments.length - 1]);");
 
     assertThat(response).asInstanceOf(MAP).containsEntry("status", "OK");
     assertThat(response).extracting("attestation.userHandle").asList().containsExactly(1L);
   }
 
+  @Test(expected = InvalidArgumentException.class)
+  public void testAddResidentCredentialNotSupportedWhenAuthenticatorUsesU2FProtocol() {
+    // Add a resident credential using the testing API.
+    createRKEnabledU2FAuthenticator();
+
+    /**
+     * A pkcs#8 encoded unencrypted EC256 private key as a base64url string.
+     */
+    String base64EncodedPK =
+      "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8_zMDQDYAxlU-Q"
+      + "hk1Dwkf0v18GZca1DMF3SaJ9HPdmShRANCAASNYX5lyVCOZLzFZzrIKmeZ2jwU"
+      + "RmgsJYxGP__fWN_S-j5sN4tT15XEpN_7QZnt14YvI6uvAgO0uJEboFaZlOEB";
+
+    PKCS8EncodedKeySpec privateKey =
+      new PKCS8EncodedKeySpec(Base64.getUrlDecoder().decode(base64EncodedPK));
+
+    byte[] credentialId = {1, 2, 3, 4};
+    byte[] userHandle = {1};
+    Credential credential = Credential.createResidentCredential(
+      credentialId, "localhost", privateKey, userHandle, /*signCount=*/0);
+    authenticator.addCredential(credential);
+  }
+
   @Test
   public void testGetCredentials() {
     // Create an authenticator and add two credentials.
-    createRKEnabledAuthenticator();
+    createRKEnabledCTAP2Authenticator();
 
     // Register a resident credential.
     Object response1 = jsAwareDriver.executeAsyncScript(
-        "registerCredential({authenticatorSelection: {requireResidentKey: true}})"
+      "registerCredential({authenticatorSelection: {requireResidentKey: true}})"
       + " .then(arguments[arguments.length - 1]);");
     assertThat(response1).asInstanceOf(MAP).containsEntry("status", "OK");
 
     // Register a non resident credential.
     Object response2 = jsAwareDriver.executeAsyncScript(
-        "registerCredential().then(arguments[arguments.length - 1]);");
+      "registerCredential().then(arguments[arguments.length - 1]);");
     assertThat(response2).asInstanceOf(MAP).containsEntry("status", "OK");
 
     byte[] credential1Id = convertListIntoArrayOfBytes(extractRawIdFrom(response1));
@@ -270,7 +355,7 @@ public void testGetCredentials() {
     assertThat(credential1.isResidentCredential()).isTrue();
     assertThat(credential1.getPrivateKey()).isNotNull();
     assertThat(credential1.getRpId()).isEqualTo("localhost");
-    assertThat(credential1.getUserHandle()).isEqualTo(new byte[] {1});
+    assertThat(credential1.getUserHandle()).isEqualTo(new byte[]{1});
     assertThat(credential1.getSignCount()).isEqualTo(1);
 
     assertThat(credential2.isResidentCredential()).isFalse();
@@ -283,11 +368,11 @@ public void testGetCredentials() {
 
   @Test
   public void testRemoveCredentialByRawId() {
-    createSimpleU2FAuthenticator();
+    createRKDisabledU2FAuthenticator();
 
     // Register credential.
     Object response = jsAwareDriver.executeAsyncScript(
-        "registerCredential().then(arguments[arguments.length - 1]);");
+      "registerCredential().then(arguments[arguments.length - 1]);");
     assertThat(response).asInstanceOf(MAP).containsEntry("status", "OK");
 
     // Remove a credential by its ID as an array of bytes.
@@ -297,16 +382,17 @@ public void testRemoveCredentialByRawId() {
 
     // Trying to get an assertion should fail.
     response = getAssertionFor(rawId);
-    assertThat(response).asInstanceOf(MAP).extracting("status").asString().startsWith("NotAllowedError");
+    assertThat(response).asInstanceOf(MAP).extracting("status").asString()
+      .startsWith("NotAllowedError");
   }
 
   @Test
   public void testRemoveCredentialByBase64UrlId() {
-    createSimpleU2FAuthenticator();
+    createRKDisabledU2FAuthenticator();
 
     // Register credential.
     Object response = jsAwareDriver.executeAsyncScript(
-        "registerCredential().then(arguments[arguments.length - 1]);");
+      "registerCredential().then(arguments[arguments.length - 1]);");
     assertThat(response).asInstanceOf(MAP).containsEntry("status", "OK");
     List<Long> rawId = extractRawIdFrom(response);
 
@@ -316,21 +402,22 @@ public void testRemoveCredentialByBase64UrlId() {
 
     // Trying to get an assertion should fail.
     response = getAssertionFor(rawId);
-    assertThat(response).asInstanceOf(MAP).extracting("status").asString().startsWith("NotAllowedError");
+    assertThat(response).asInstanceOf(MAP).extracting("status").asString()
+      .startsWith("NotAllowedError");
   }
 
   @Test
   public void testRemoveAllCredentials() {
-    createSimpleU2FAuthenticator();
+    createRKDisabledU2FAuthenticator();
 
     // Register two credentials.
     Object response1 = jsAwareDriver.executeAsyncScript(
-        "registerCredential().then(arguments[arguments.length - 1]);");
+      "registerCredential().then(arguments[arguments.length - 1]);");
     assertThat(response1).asInstanceOf(MAP).containsEntry("status", "OK");
     List<Long> rawId1 = extractRawIdFrom(response1);
 
     Object response2 = jsAwareDriver.executeAsyncScript(
-        "registerCredential().then(arguments[arguments.length - 1]);");
+      "registerCredential().then(arguments[arguments.length - 1]);");
     assertThat(response2).asInstanceOf(MAP).containsEntry("status", "OK");
     List<Long> rawId2 = extractRawIdFrom(response1);
 
@@ -339,47 +426,49 @@ public void testRemoveAllCredentials() {
 
     // Trying to get an assertion allowing for any of both should fail.
     Object response = jsAwareDriver.executeAsyncScript(
-        "getCredential([{"
+      "getCredential([{"
       + "  \"type\": \"public-key\","
       + "  \"id\": Int8Array.from(arguments[0]),"
       + "}, {"
       + "  \"type\": \"public-key\","
       + "  \"id\": Int8Array.from(arguments[1]),"
       + "}]).then(arguments[arguments.length - 1]);",
-        rawId1, rawId2);
-    assertThat(response).asInstanceOf(MAP).extracting("status").asString().startsWith("NotAllowedError");
+      rawId1, rawId2);
+    assertThat(response).asInstanceOf(MAP).extracting("status").asString()
+      .startsWith("NotAllowedError");
   }
 
   @Test
   public void testSetUserVerified() {
-    createRKEnabledAuthenticator();
+    createRKEnabledCTAP2Authenticator();
 
     // Register a credential requiring UV.
     Object response = jsAwareDriver.executeAsyncScript(
-        "registerCredential({authenticatorSelection: {userVerification: 'required'}})"
+      "registerCredential({authenticatorSelection: {userVerification: 'required'}})"
       + "  .then(arguments[arguments.length - 1]);");
     assertThat(response).asInstanceOf(MAP).containsEntry("status", "OK");
     List<Long> rawId = extractRawIdFrom(response);
 
     // Getting an assertion requiring user verification should succeed.
     response = jsAwareDriver.executeAsyncScript(
-        "getCredential([{"
+      "getCredential([{"
       + "  \"type\": \"public-key\","
       + "  \"id\": Int8Array.from(arguments[0]),"
       + "}], {userVerification: 'required'}).then(arguments[arguments.length - 1]);",
-        rawId);
+      rawId);
     assertThat(response).asInstanceOf(MAP).containsEntry("status", "OK");
 
     // Disable user verification.
     authenticator.setUserVerified(false);
 
     // Getting an assertion requiring user verification should fail.
     response = jsAwareDriver.executeAsyncScript(
-        "getCredential([{"
+      "getCredential([{"
       + "  \"type\": \"public-key\","
       + "  \"id\": Int8Array.from(arguments[0]),"
       + "}], {userVerification: 'required'}).then(arguments[arguments.length - 1]);",
-        rawId);
-    assertThat(response).asInstanceOf(MAP).extracting("status").asString().startsWith("NotAllowedError");
+      rawId);
+    assertThat(response).asInstanceOf(MAP).extracting("status").asString()
+      .startsWith("NotAllowedError");
   }
 }
