Safari partially supports AuthenticatorAttestationResponse.getPublicKey()

[pilcrowonpaper]

Summary

Sets Safari's support for AuthenticatorAttestationResponse.getPublicKey() to partial. The Web Authentication API specification (since level 2 where it was first described in) states that user agents MUST support algorithm -7 (ES256), -8 (Ed25519), and -257 (RS256). However, WebKit only supports -7 (ES256) and returns null for the other 2 algorithms.

Test results and supporting details

• WebKit source code
• Tested on Safari 18.6 on macOS.

[github-actions]

Tip: Review these changes grouped by change (recommended for most PRs), or grouped by feature (for large PRs).

[caugner]

@pilcrowonpaper Are you able to confirm whether Chrome and Firefox supports all three algorithm identifiers?

[pilcrowonpaper]

@caugner From manual testing, both Firefox and Chrome supports -8 (Ed25519). I don't have an authenticator that supports -257 (RS256), but looking at the source code, I believe Firefox supports it (via authenticator-rs). I'm unfortunately having a bit of difficultly confirming it for Chrome/Chromium however.

[pilcrowonpaper]

@caugner Chromium seems to have a test that checks for all three algorithms so it should support -257 (RS256) as well.

https://source.chromium.org/chromium/chromium/src/+/main:content/browser/webauth/authenticator_impl_unittest.cc;drc=012c80d36f204a02d495bc8786a6b5ae50987a64;l=4113