rebased onto master
JeffH authored and JeffH committed Sep 29, 2017
1 parent 3ee8ed5 commit ae91fa0
Showing 1 changed file with 36 additions and 27 deletions.
63 changes: 36 additions & 27 deletions index.bs
Expand Up @@ -562,11 +562,12 @@ When this method is invoked, the user agent MUST execute the following algorithm

1. Let |options| be the value of <code>|options|.{{CredentialCreationOptions/publicKey}}</code>.

1. If any of the {{PublicKeyCredentialEntity/name}} member of |options|.{{MakePublicKeyCredentialOptions/rp}}, the
{{PublicKeyCredentialEntity/name}} member of |options|.{{MakePublicKeyCredentialOptions/user}},
the {{PublicKeyCredentialUserEntity/displayName}} member of |options|.{{MakePublicKeyCredentialOptions/user}},
or the {{PublicKeyCredentialUserEntity/id}}
member of |options|.{{MakePublicKeyCredentialOptions/user}} are [=present|not present=], return a {{TypeError}} [=simple exception=].
1. If any of the {{PublicKeyCredentialEntity/name}} member of <code>|options|.{{MakeCredentialOptions/rp}}</code>, the
{{PublicKeyCredentialEntity/name}} member of <code>|options|.{{MakeCredentialOptions/user}}</code>,
the {{PublicKeyCredentialUserEntity/displayName}} member of <code>|options|.{{MakeCredentialOptions/user}}</code>,
or the {{PublicKeyCredentialEntity/id}}
member of <code>|options|.{{MakeCredentialOptions/user}}</code> are [=present|not present=], return a {{TypeError}}
[=simple exception=].

1. If the {{MakePublicKeyCredentialOptions/timeout}} member of |options| is [=present=], check if its value lies within a
reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set
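Review bot: the `id` member of the user entity is referenced as {{PublicKeyCredentialEntity/id}} on the new line, where the removed line had {{PublicKeyCredentialUserEntity/id}}; that only links if the IDL in this commit actually moves `id` onto the base PublicKeyCredentialEntity dictionary, so please confirm, since bikeshed will otherwise fail on the dangling reference. The rest of the rewrap (MakePublicKeyCredentialOptions to MakeCredentialOptions, `<code>` around each dotted path) is consistent with the rest of the patch.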
Expand All @@ -588,38 +589,44 @@ When this method is invoked, the user agent MUST execute the following algorithm
such as [=domain=], [=ipv4 address=], [=ipv6 address=], [=opaque host=], or [=empty host=].
Only the [=domain=] format of [=host=] is allowed here.

1. Let |rpId| be |effectiveDomain|.

<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to compile w/o errors
-->
<li id='CreateCred-DetermineRpId'>
If |options|.{{MakePublicKeyCredentialOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} is [=present=]:

1. If |options|.{{MakePublicKeyCredentialOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} [=is not a registrable domain suffix of
and is not equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate
this algorithm.
If <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code>
<dl class="switch">

: Is [=present=]
:: If <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> [=is not a
registrable domain suffix of and is not equal to=] |effectiveDomain|, return a {{DOMException}} whose name
is "{{SecurityError}}", and terminate this algorithm.

1. Set |rpId| to |options|.{{MakePublicKeyCredentialOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}.
: Is [=present|not present=]
:: Set <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> to
|effectiveDomain|.

Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
object/origin=]'s [=effective domain=] unless the caller has explicitly set
|options|.{{MakePublicKeyCredentialOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} when calling
</dl>

Note: <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> represents the caller's
[=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings object/origin=]'s [=effective
domain=] unless the caller has explicitly set
<code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> when calling
{{CredentialsContainer/create()}}.
</li>

1. Let |credTypesAndPubKeyAlgs| be a new [=list=] whose [=list/items=] are pairs of {{PublicKeyCredentialType}} and
a {{COSEAlgorithmIdentifier}}.

1. [=list/For each=] |current| of |options|.{{MakePublicKeyCredentialOptions/pubKeyCredParams}}:
1. [=list/For each=] |current| of <code>|options|.{{MakePublicKeyCredentialOptions/pubKeyCredParams}}<code>:

1. If <code>|current|.{{PublicKeyCredentialParameters/type}}</code> does not contain a {{PublicKeyCredentialType}} supported
by this implementation, then [=continue=].
1. Let |alg| be <code>|current|.{{PublicKeyCredentialParameters/alg}}</code>.
1. [=list/Append=] the pair of <code>|current|.{{PublicKeyCredentialParameters/type}}</code> and |alg| to
|credTypesAndPubKeyAlgs|.

1. If |credTypesAndPubKeyAlgs| [=list/is empty=] and |options|.{{MakePublicKeyCredentialOptions/pubKeyCredParams}}
[=list/is not empty=], cancel the timer started in step 2, return a {{DOMException}} whose name is "{{NotSupportedError}}",
and terminate this algorithm.
1. If |credTypesAndPubKeyAlgs| [=list/is empty=] and <code>|options|.{{MakePublicKeyCredentialOptions/pubKeyCredParams}}</code>
[=list/is not empty=], return a {{DOMException}} whose name is "{{NotSupportedError}}", and terminate this algorithm.

1. Let |clientExtensions| be a new [=map=] and let |authenticatorExtensions| be a new [=map=].

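Review bot: the "not present" branch of the new switch (`Set <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> to |effectiveDomain|`) writes the defaulted RP ID back into the caller-supplied options dictionary, whereas the removed steps kept it in a local |rpId|; mutating the argument is observable to script and should either be stated as intended or replaced by a local variable that is then handed to the authenticator. Separately, the rewrapped `pubKeyCredParams` step closes its tag with `<code>` instead of `</code>`, which leaves the remainder of the step inside the code span; and the NotSupportedError step now drops "cancel the timer started in step 2" without a visible replacement, which is only correct if no timer is running at that point.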
Expand Down Expand Up @@ -663,7 +670,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. If |currentlyAvailableAuthenticators| [=list/is empty=], return a {{DOMException}} whose name is
"{{NotFoundError}}", and terminate this algorithm.

1. If |options|.{{MakePublicKeyCredentialOptions/authenticatorSelection}} is [=present|present=], iterate through
1. If <code>|options|.{{MakeCredentialOptions/authenticatorSelection}}</code> is [=present|present=], iterate through
|currentlyAvailableAuthenticators| and do the following [=set/for each=] |authenticator|:
1. If {{AuthenticatorSelectionCriteria/authenticatorAttachment}} is [=present|present=] and its value is not equal
to |authenticator|'s attachment modality, [=iteration/continue=].
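Review bot: style point on the authenticatorSelection step: the condition now spells out the full path `<code>|options|.{{MakeCredentialOptions/authenticatorSelection}}</code>`, but the following sub-step still tests a bare {{AuthenticatorSelectionCriteria/authenticatorAttachment}}; since this hunk already touches the step, qualifying that member with the same |options| path would keep the two lines consistent.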
Expand All @@ -680,14 +687,16 @@ When this method is invoked, the user agent MUST execute the following algorithm

1. [=set/For each=] |authenticator| in |currentlyAvailableAuthenticators|:
1. Let |excludeCredentialDescriptorList| be a new [=list=].

1. [=list/For each=] credential descriptor |C| in <code>|options|.{{MakePublicKeyCredentialOptions/excludeCredentials}}</code>:
1. If <code>|C|.{{transports}}</code> [=list/is not empty=], and |authenticator| is connected over a transport not
mentioned in <code>|C|.{{transports}}</code>, the client MAY [=continue=].
1. Otherwise, [=list/Append=] |C| to |excludeCredentialDescriptorList|.
1. [=In parallel=], invoke the [=authenticatorMakeCredential=] operation on |authenticator| with |rpId|,
|clientDataHash|, |options|.{{MakePublicKeyCredentialOptions/rp}}, |options|.{{MakePublicKeyCredentialOptions/user}},
<code>|options|.{{MakePublicKeyCredentialOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/requireResidentKey}}</code>,
|credTypesAndPubKeyAlgs|, |excludeCredentialDescriptorList|, and |authenticatorExtensions| as parameters.

1. Invoke the [=authenticatorMakeCredential=] operation on |authenticator| with
|clientDataHash|, <code>|options|.{{MakeCredentialOptions/rp}}</code>, <code>|options|.{{MakeCredentialOptions/user}}</code>,
|normalizedParameters|, |excludeCredentialDescriptorList|, and |authenticatorExtensions| as parameters.

1. [=set/Append=] |authenticator| to |issuedRequests|.

1. Start a timer for |adjustedTimeout| milliseconds. Then execute the following steps [=in parallel=]. The [=task source=] for
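Review bot: |normalizedParameters| is passed to [=authenticatorMakeCredential=] in the new invoke step but is not defined anywhere in the visible algorithm, while |credTypesAndPubKeyAlgs|, which the earlier hunk still builds, is no longer passed; either the step that derives |normalizedParameters| is missing from this commit or the old variable name should be restored. The same step also drops the leading "[=In parallel=]" and the |rpId| and requireResidentKey arguments; the RP ID move matches the authenticator-side parameter list later in the patch, but the requireResidentKey removal has no counterpart in the visible context and deserves a line in the commit message.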
Expand Down Expand Up @@ -731,7 +740,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
: {{PublicKeyCredential/clientExtensionResults}}
:: A new {{AuthenticationExtensions}} object containing the [=extension identifier=][=client extension output=]
entries created by running each extension's [=client extension processing=] algorithm to create the [=client
extension outputs=], for each [=client extension=] in {{AuthenticatorResponse/clientDataJSON}}.clientExtensions.
extension outputs=], for each [=client extension=] in {{AuthenticatorResponse/clientDataJSON}}<code>.clientExtensions</code>.

5. [=set/For each=] remaining |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on
|authenticator| and [=set/remove=] it from |issuedRequests|.
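Review bot: only the `.clientExtensions` suffix is wrapped in `<code>` here, leaving `{{AuthenticatorResponse/clientDataJSON}}` outside the span; the rest of the patch wraps the whole dotted path, so `<code>{{AuthenticatorResponse/clientDataJSON}}.clientExtensions</code>` would match that convention.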
Expand Down Expand Up @@ -1654,9 +1663,9 @@ The following operations can be invoked by the client in an authenticator sessio
This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

- The caller's [=RP ID=], as <a href='#CreateCred-DetermineRpId'>determined</a> by the user agent and the client.
- The [=hash of the serialized client data=], provided by the client.
- The [=[RP]=]'s {{PublicKeyCredentialRpEntity}}.
- The [=[RP]=]'s {{PublicKeyCredentialEntity}}. This contains the caller's [=RP ID=], as
<a href='#CreateCred-DetermineRpId'>determined</a> by the user agent and the client.
- The user account's {{PublicKeyCredentialUserEntity}}.
- A sequence of pairs of {{PublicKeyCredentialType}} and {{COSEAlgorithmIdentifier}} requested by the [=[RP]=].
This sequence is ordered from most preferred to least
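Review bot: the rewritten bullet says the {{PublicKeyCredentialEntity}} "contains the caller's RP ID", which holds only because the create() algorithm earlier in this patch now writes |effectiveDomain| into `rp.id` when it is absent; stating that the id member is guaranteed to be populated by the client rather than by the RP would make the contract with the authenticator explicit. Also confirm that the RP entity type is really renamed from {{PublicKeyCredentialRpEntity}} to the base {{PublicKeyCredentialEntity}} here, since the user entity on the next line still uses its own subtype.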
