Bug 1964526 - Get FIDO2 credProp extension from request r=geckoview-reviewers,m_kato,jschanck

p1gp1g · makotokato · commit d94246cde3be · 2025-07-30T05:42:11.000Z
Differential Revision: https://phabricator.services.mozilla.com/D253459
diff --git a/dom/webauthn/AndroidWebAuthnService.cpp b/dom/webauthn/AndroidWebAuthnService.cpp
@@ -192,6 +192,9 @@ AndroidWebAuthnService::MakeCredential(uint64_t aTransactionId,
         GECKOBUNDLE_FINISH(authSelBundle);
 
         GECKOBUNDLE_START(extensionsBundle);
+        GECKOBUNDLE_PUT(extensionsBundle, "credProps",
+                        requestedCredProps ? java::sdk::Boolean::TRUE()
+                                           : java::sdk::Boolean::FALSE());
         GECKOBUNDLE_FINISH(extensionsBundle);
 
         auto result = java::WebAuthnTokenManager::WebAuthnMakeCredential(
diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/WebAuthnCredentialManager.java b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/WebAuthnCredentialManager.java
@@ -77,11 +77,18 @@ private static Bundle getRequestBundleForMakeCredential(
       final int[] algs,
       final WebAuthnUtils.WebAuthnPublicCredential[] excludeList,
       final GeckoBundle authenticatorSelection,
+      final GeckoBundle extensions,
       final byte[] clientDataHash) {
     try {
       final JSONObject requestJSON =
           WebAuthnUtils.getJSONObjectForMakeCredential(
-              credentialBundle, userId, challenge, algs, excludeList, authenticatorSelection);
+              credentialBundle,
+              userId,
+              challenge,
+              algs,
+              excludeList,
+              authenticatorSelection,
+              extensions);
       final Bundle bundle = getRequestBundle(requestJSON.toString(), clientDataHash);
       if (bundle == null) {
         return null;
@@ -135,6 +142,7 @@ public static GeckoResult<WebAuthnUtils.MakeCredentialResponse> makeCredential(
       final int[] algs,
       final WebAuthnUtils.WebAuthnPublicCredential[] excludeList,
       final GeckoBundle authenticatorSelection,
+      final GeckoBundle extensions,
       final byte[] clientDataHash) {
 
     // We use Credential Manager first. If it doesn't work, we use GMS FIDO2.
@@ -160,6 +168,7 @@ public static GeckoResult<WebAuthnUtils.MakeCredentialResponse> makeCredential(
             algs,
             excludeList,
             authenticatorSelection,
+            extensions,
             clientDataHash);
     if (requestBundle == null) {
       return GeckoResult.fromException(new WebAuthnUtils.Exception("UNKNOWN_ERR"));
diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/WebAuthnUtils.java b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/WebAuthnUtils.java
@@ -331,7 +331,8 @@ public static JSONObject getJSONObjectForMakeCredential(
       final byte[] challenge,
       final int[] algs,
       final WebAuthnPublicCredential[] excludeList,
-      final GeckoBundle authenticatorSelection)
+      final GeckoBundle authenticatorSelection,
+      final GeckoBundle extensions)
       throws JSONException {
     final JSONObject json = credentialBundle.toJSONObject();
     // origin is unnecessary for requestJSON.
@@ -375,9 +376,8 @@ public static JSONObject getJSONObjectForMakeCredential(
         authenticatorSelection.getString("residentKey", "").equals("required"));
     json.put("authenticatorSelection", authenticatorSelectionJSON);
 
-    final JSONObject extensions = new JSONObject();
-    extensions.put("credProps", true);
-    json.put("extensions", extensions);
+    final JSONObject extensionsJSON = extensions.toJSONObject();
+    json.put("extensions", extensionsJSON);
 
     if (DEBUG) {
       Log.d(LOGTAG, "getJSONObjectForMakeCredential: JSON=\"" + json.toString() + "\"");
diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/WebAuthnTokenManager.java b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/WebAuthnTokenManager.java
@@ -337,6 +337,7 @@ private static GeckoResult<WebAuthnUtils.MakeCredentialResponse> webAuthnMakeCre
             algs,
             excludeList,
             authenticatorSelection,
+            extensions,
             clientDataHashBytes)
         .accept(
             response -> result.complete(response),
diff --git a/mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/WebAuthnUtilsTest.java b/mobile/android/geckoview/src/test/java/org/mozilla/gecko/util/WebAuthnUtilsTest.java
@@ -41,6 +41,9 @@ public void requestJSONForMakeCredentail() throws Exception {
     authenticatorSelection.putString("authenticatorAttachment", "platform");
     authenticatorSelection.putString("residentKey", "required");
 
+    final GeckoBundle extensions = new GeckoBundle(1);
+    extensions.putBoolean("credProps", true);
+
     final byte[] userId = new byte[] {0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7};
     final byte[] challenge =
         new byte[] {0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf};
@@ -50,7 +53,13 @@ public void requestJSONForMakeCredentail() throws Exception {
 
     final JSONObject request =
         WebAuthnUtils.getJSONObjectForMakeCredential(
-            credentialBundle, userId, challenge, algs, excludeList, authenticatorSelection);
+            credentialBundle,
+            userId,
+            challenge,
+            algs,
+            excludeList,
+            authenticatorSelection,
+            extensions);
 
     final JSONObject expected =
         new JSONObject(
