1 // Copyright (c) Microsoft Corporation. All rights reserved. 2 // Licensed under the MIT License. 3 4 #ifndef __WEBAUTHN_H_ 5 #define __WEBAUTHN_H_ 6 7 #pragma once 8 9 #include <winapifamily.h> 10 11 #ifdef _MSC_VER 12 #pragma region Desktop Family or OneCore Family 13 #endif 14 #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM) 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 #ifndef WINAPI 21 #define WINAPI __stdcall 22 #endif 23 24 #ifndef INITGUID 25 #define INITGUID 26 #include <guiddef.h> 27 #undef INITGUID 28 #else 29 #include <guiddef.h> 30 #endif 31 32 //+------------------------------------------------------------------------------------------ 33 // API Version Information. 34 // Caller should check for WebAuthNGetApiVersionNumber to check the presence of relevant APIs 35 // and features for their usage. 36 //------------------------------------------------------------------------------------------- 37 38 #define WEBAUTHN_API_VERSION_1 1 39 // WEBAUTHN_API_VERSION_1 : Baseline Version 40 // Data Structures and their sub versions: 41 // - WEBAUTHN_RP_ENTITY_INFORMATION : 1 42 // - WEBAUTHN_USER_ENTITY_INFORMATION : 1 43 // - WEBAUTHN_CLIENT_DATA : 1 44 // - WEBAUTHN_COSE_CREDENTIAL_PARAMETER : 1 45 // - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS : Not Applicable 46 // - WEBAUTHN_CREDENTIAL : 1 47 // - WEBAUTHN_CREDENTIALS : Not Applicable 48 // - WEBAUTHN_CREDENTIAL_EX : 1 49 // - WEBAUTHN_CREDENTIAL_LIST : Not Applicable 50 // - WEBAUTHN_EXTENSION : Not Applicable 51 // - WEBAUTHN_EXTENSIONS : Not Applicable 52 // - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 3 53 // - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 4 54 // - WEBAUTHN_COMMON_ATTESTATION : 1 55 // - WEBAUTHN_CREDENTIAL_ATTESTATION : 3 56 // - WEBAUTHN_ASSERTION : 1 57 // Extensions: 58 // - WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET 59 // APIs: 60 // - WebAuthNGetApiVersionNumber 61 // - WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable 62 // - 
WebAuthNAuthenticatorMakeCredential 63 // - WebAuthNAuthenticatorGetAssertion 64 // - WebAuthNFreeCredentialAttestation 65 // - WebAuthNFreeAssertion 66 // - WebAuthNGetCancellationId 67 // - WebAuthNCancelCurrentOperation 68 // - WebAuthNGetErrorName 69 // - WebAuthNGetW3CExceptionDOMError 70 // Transports: 71 // - WEBAUTHN_CTAP_TRANSPORT_USB 72 // - WEBAUTHN_CTAP_TRANSPORT_NFC 73 // - WEBAUTHN_CTAP_TRANSPORT_BLE 74 // - WEBAUTHN_CTAP_TRANSPORT_INTERNAL 75 76 #define WEBAUTHN_API_VERSION_2 2 77 // WEBAUTHN_API_VERSION_2 : Delta From WEBAUTHN_API_VERSION_1 78 // Added Extensions: 79 // - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT 80 // 81 82 #define WEBAUTHN_API_VERSION_3 3 83 // WEBAUTHN_API_VERSION_3 : Delta From WEBAUTHN_API_VERSION_2 84 // Data Structures and their sub versions: 85 // - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 4 86 // - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 5 87 // - WEBAUTHN_CREDENTIAL_ATTESTATION : 4 88 // - WEBAUTHN_ASSERTION : 2 89 // Added Extensions: 90 // - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB 91 // - WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH 92 // 93 94 #define WEBAUTHN_API_VERSION_4 4 95 // WEBAUTHN_API_VERSION_4 : Delta From WEBAUTHN_API_VERSION_3 96 // Data Structures and their sub versions: 97 // - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 5 98 // - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 6 99 // - WEBAUTHN_ASSERTION : 3 100 // - WEBAUTHN_CREDENTIAL_DETAILS : 1 101 // APIs: 102 // - WebAuthNGetPlatformCredentialList 103 // - WebAuthNFreePlatformCredentialList 104 // - WebAuthNDeletePlatformCredential 105 // 106 107 #define WEBAUTHN_API_VERSION_5 5 108 // WEBAUTHN_API_VERSION_5 : Delta From WEBAUTHN_API_VERSION_4 109 // Data Structures and their sub versions: 110 // - WEBAUTHN_CREDENTIAL_DETAILS : 2 111 // Extension Changes: 112 // - Enabled LARGE_BLOB Support 113 // 114 115 #define WEBAUTHN_API_VERSION_6 6 116 // WEBAUTHN_API_VERSION_6 : Delta From WEBAUTHN_API_VERSION_5 117 // Data Structures 
and their sub versions: 118 // - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 6 119 // - WEBAUTHN_CREDENTIAL_ATTESTATION : 5 120 // - WEBAUTHN_ASSERTION : 4 121 // Transports: 122 // - WEBAUTHN_CTAP_TRANSPORT_HYBRID 123 124 #define WEBAUTHN_API_VERSION_7 7 125 // WEBAUTHN_API_VERSION_7 : Delta From WEBAUTHN_API_VERSION_6 126 // Data Structures and their sub versions: 127 // - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 7 128 // - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 7 129 // - WEBAUTHN_CREDENTIAL_ATTESTATION : 6 130 // - WEBAUTHN_ASSERTION : 5 131 132 #define WEBAUTHN_API_CURRENT_VERSION WEBAUTHN_API_VERSION_7 133 134 //+------------------------------------------------------------------------------------------ 135 // Information about an RP Entity 136 //------------------------------------------------------------------------------------------- 137 138 #define WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION 1 139 140 typedef struct _WEBAUTHN_RP_ENTITY_INFORMATION { 141 // Version of this structure, to allow for modifications in the future. 142 // This field is required and should be set to CURRENT_VERSION above. 143 DWORD dwVersion; 144 145 // Identifier for the RP. This field is required. 146 PCWSTR pwszId; 147 148 // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site". 149 // This field is required. 150 PCWSTR pwszName; 151 152 // Optional URL pointing to RP's logo. 
153 PCWSTR pwszIcon; 154 } WEBAUTHN_RP_ENTITY_INFORMATION, *PWEBAUTHN_RP_ENTITY_INFORMATION; 155 typedef const WEBAUTHN_RP_ENTITY_INFORMATION *PCWEBAUTHN_RP_ENTITY_INFORMATION; 156 157 //+------------------------------------------------------------------------------------------ 158 // Information about an User Entity 159 //------------------------------------------------------------------------------------------- 160 #define WEBAUTHN_MAX_USER_ID_LENGTH 64 161 162 #define WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION 1 163 164 typedef struct _WEBAUTHN_USER_ENTITY_INFORMATION { 165 // Version of this structure, to allow for modifications in the future. 166 // This field is required and should be set to CURRENT_VERSION above. 167 DWORD dwVersion; 168 169 // Identifier for the User. This field is required. 170 DWORD cbId; 171 _Field_size_bytes_(cbId) 172 PBYTE pbId; 173 174 // Contains a detailed name for this account, such as "john.p.smith@example.com". 175 PCWSTR pwszName; 176 177 // Optional URL that can be used to retrieve an image containing the user's current avatar, 178 // or a data URI that contains the image data. 179 PCWSTR pwszIcon; 180 181 // For User: Contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith". 182 PCWSTR pwszDisplayName; 183 } WEBAUTHN_USER_ENTITY_INFORMATION, *PWEBAUTHN_USER_ENTITY_INFORMATION; 184 typedef const WEBAUTHN_USER_ENTITY_INFORMATION *PCWEBAUTHN_USER_ENTITY_INFORMATION; 185 186 //+------------------------------------------------------------------------------------------ 187 // Information about client data. 
188 //------------------------------------------------------------------------------------------- 189 190 #define WEBAUTHN_HASH_ALGORITHM_SHA_256 L"SHA-256" 191 #define WEBAUTHN_HASH_ALGORITHM_SHA_384 L"SHA-384" 192 #define WEBAUTHN_HASH_ALGORITHM_SHA_512 L"SHA-512" 193 194 #define WEBAUTHN_CLIENT_DATA_CURRENT_VERSION 1 195 196 typedef struct _WEBAUTHN_CLIENT_DATA { 197 // Version of this structure, to allow for modifications in the future. 198 // This field is required and should be set to CURRENT_VERSION above. 199 DWORD dwVersion; 200 201 // Size of the pbClientDataJSON field. 202 DWORD cbClientDataJSON; 203 // UTF-8 encoded JSON serialization of the client data. 204 _Field_size_bytes_(cbClientDataJSON) 205 PBYTE pbClientDataJSON; 206 207 // Hash algorithm ID used to hash the pbClientDataJSON field. 208 LPCWSTR pwszHashAlgId; 209 } WEBAUTHN_CLIENT_DATA, *PWEBAUTHN_CLIENT_DATA; 210 typedef const WEBAUTHN_CLIENT_DATA *PCWEBAUTHN_CLIENT_DATA; 211 212 //+------------------------------------------------------------------------------------------ 213 // Information about credential parameters. 
214 //------------------------------------------------------------------------------------------- 215 216 #define WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY L"public-key" 217 218 #define WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256 -7 219 #define WEBAUTHN_COSE_ALGORITHM_ECDSA_P384_WITH_SHA384 -35 220 #define WEBAUTHN_COSE_ALGORITHM_ECDSA_P521_WITH_SHA512 -36 221 222 #define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA256 -257 223 #define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA384 -258 224 #define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA512 -259 225 226 #define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA256 -37 227 #define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA384 -38 228 #define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA512 -39 229 230 #define WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION 1 231 232 typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETER { 233 // Version of this structure, to allow for modifications in the future. 234 DWORD dwVersion; 235 236 // Well-known credential type specifying a credential to create. 237 LPCWSTR pwszCredentialType; 238 239 // Well-known COSE algorithm specifying the algorithm to use for the credential. 240 LONG lAlg; 241 } WEBAUTHN_COSE_CREDENTIAL_PARAMETER, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETER; 242 typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETER *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETER; 243 244 typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETERS { 245 DWORD cCredentialParameters; 246 _Field_size_(cCredentialParameters) 247 PWEBAUTHN_COSE_CREDENTIAL_PARAMETER pCredentialParameters; 248 } WEBAUTHN_COSE_CREDENTIAL_PARAMETERS, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETERS; 249 typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETERS *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS; 250 251 //+------------------------------------------------------------------------------------------ 252 // Information about credential. 
253 //------------------------------------------------------------------------------------------- 254 #define WEBAUTHN_CREDENTIAL_CURRENT_VERSION 1 255 256 typedef struct _WEBAUTHN_CREDENTIAL { 257 // Version of this structure, to allow for modifications in the future. 258 DWORD dwVersion; 259 260 // Size of pbID. 261 DWORD cbId; 262 // Unique ID for this particular credential. 263 _Field_size_bytes_(cbId) 264 PBYTE pbId; 265 266 // Well-known credential type specifying what this particular credential is. 267 LPCWSTR pwszCredentialType; 268 } WEBAUTHN_CREDENTIAL, *PWEBAUTHN_CREDENTIAL; 269 typedef const WEBAUTHN_CREDENTIAL *PCWEBAUTHN_CREDENTIAL; 270 271 typedef struct _WEBAUTHN_CREDENTIALS { 272 DWORD cCredentials; 273 _Field_size_(cCredentials) 274 PWEBAUTHN_CREDENTIAL pCredentials; 275 } WEBAUTHN_CREDENTIALS, *PWEBAUTHN_CREDENTIALS; 276 typedef const WEBAUTHN_CREDENTIALS *PCWEBAUTHN_CREDENTIALS; 277 278 //+------------------------------------------------------------------------------------------ 279 // Information about credential with extra information, such as, dwTransports 280 //------------------------------------------------------------------------------------------- 281 282 #define WEBAUTHN_CTAP_TRANSPORT_USB 0x00000001 283 #define WEBAUTHN_CTAP_TRANSPORT_NFC 0x00000002 284 #define WEBAUTHN_CTAP_TRANSPORT_BLE 0x00000004 285 #define WEBAUTHN_CTAP_TRANSPORT_TEST 0x00000008 286 #define WEBAUTHN_CTAP_TRANSPORT_INTERNAL 0x00000010 287 #define WEBAUTHN_CTAP_TRANSPORT_HYBRID 0x00000020 288 #define WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK 0x0000003F 289 290 #define WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION 1 291 292 typedef struct _WEBAUTHN_CREDENTIAL_EX { 293 // Version of this structure, to allow for modifications in the future. 294 DWORD dwVersion; 295 296 // Size of pbID. 297 DWORD cbId; 298 // Unique ID for this particular credential. 299 _Field_size_bytes_(cbId) 300 PBYTE pbId; 301 302 // Well-known credential type specifying what this particular credential is. 
303 LPCWSTR pwszCredentialType; 304 305 // Transports. 0 implies no transport restrictions. 306 DWORD dwTransports; 307 } WEBAUTHN_CREDENTIAL_EX, *PWEBAUTHN_CREDENTIAL_EX; 308 typedef const WEBAUTHN_CREDENTIAL_EX *PCWEBAUTHN_CREDENTIAL_EX; 309 310 //+------------------------------------------------------------------------------------------ 311 // Information about credential list with extra information 312 //------------------------------------------------------------------------------------------- 313 314 typedef struct _WEBAUTHN_CREDENTIAL_LIST { 315 DWORD cCredentials; 316 _Field_size_(cCredentials) 317 PWEBAUTHN_CREDENTIAL_EX *ppCredentials; 318 } WEBAUTHN_CREDENTIAL_LIST, *PWEBAUTHN_CREDENTIAL_LIST; 319 typedef const WEBAUTHN_CREDENTIAL_LIST *PCWEBAUTHN_CREDENTIAL_LIST; 320 321 //+------------------------------------------------------------------------------------------ 322 // Information about linked devices 323 //------------------------------------------------------------------------------------------- 324 325 #define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1 1 326 #define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_CURRENT_VERSION CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1 327 328 typedef struct _CTAPCBOR_HYBRID_STORAGE_LINKED_DATA 329 { 330 // Version 331 DWORD dwVersion; 332 333 // Contact Id 334 DWORD cbContactId; 335 _Field_size_bytes_(cbContactId) 336 PBYTE pbContactId; 337 338 // Link Id 339 DWORD cbLinkId; 340 _Field_size_bytes_(cbLinkId) 341 PBYTE pbLinkId; 342 343 // Link secret 344 DWORD cbLinkSecret; 345 _Field_size_bytes_(cbLinkSecret) 346 PBYTE pbLinkSecret; 347 348 // Authenticator Public Key 349 DWORD cbPublicKey; 350 _Field_size_bytes_(cbPublicKey) 351 PBYTE pbPublicKey; 352 353 // Authenticator Name 354 PCWSTR pwszAuthenticatorName; 355 356 // Tunnel server domain 357 WORD wEncodedTunnelServerDomain; 358 } CTAPCBOR_HYBRID_STORAGE_LINKED_DATA, *PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA; 359 typedef const CTAPCBOR_HYBRID_STORAGE_LINKED_DATA 
*PCCTAPCBOR_HYBRID_STORAGE_LINKED_DATA; 360 361 //+------------------------------------------------------------------------------------------ 362 // Credential Information for WebAuthNGetPlatformCredentialList API 363 //------------------------------------------------------------------------------------------- 364 365 #define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1 1 366 #define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2 2 367 #define WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2 368 369 typedef struct _WEBAUTHN_CREDENTIAL_DETAILS { 370 // Version of this structure, to allow for modifications in the future. 371 DWORD dwVersion; 372 373 // Size of pbCredentialID. 374 DWORD cbCredentialID; 375 _Field_size_bytes_(cbCredentialID) 376 PBYTE pbCredentialID; 377 378 // RP Info 379 PWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation; 380 381 // User Info 382 PWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation; 383 384 // Removable or not. 385 BOOL bRemovable; 386 387 // 388 // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2 389 // 390 391 // Backed Up or not. 392 BOOL bBackedUp; 393 } WEBAUTHN_CREDENTIAL_DETAILS, *PWEBAUTHN_CREDENTIAL_DETAILS; 394 typedef const WEBAUTHN_CREDENTIAL_DETAILS *PCWEBAUTHN_CREDENTIAL_DETAILS; 395 396 typedef struct _WEBAUTHN_CREDENTIAL_DETAILS_LIST { 397 DWORD cCredentialDetails; 398 _Field_size_(cCredentialDetails) 399 PWEBAUTHN_CREDENTIAL_DETAILS *ppCredentialDetails; 400 } WEBAUTHN_CREDENTIAL_DETAILS_LIST, *PWEBAUTHN_CREDENTIAL_DETAILS_LIST; 401 typedef const WEBAUTHN_CREDENTIAL_DETAILS_LIST *PCWEBAUTHN_CREDENTIAL_DETAILS_LIST; 402 403 #define WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1 1 404 #define WEBAUTHN_GET_CREDENTIALS_OPTIONS_CURRENT_VERSION WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1 405 406 typedef struct _WEBAUTHN_GET_CREDENTIALS_OPTIONS { 407 // Version of this structure, to allow for modifications in the future. 408 DWORD dwVersion; 409 410 // Optional. 
411 LPCWSTR pwszRpId; 412 413 // Optional. BrowserInPrivate Mode. Defaulting to FALSE. 414 BOOL bBrowserInPrivateMode; 415 } WEBAUTHN_GET_CREDENTIALS_OPTIONS, *PWEBAUTHN_GET_CREDENTIALS_OPTIONS; 416 typedef const WEBAUTHN_GET_CREDENTIALS_OPTIONS *PCWEBAUTHN_GET_CREDENTIALS_OPTIONS; 417 418 //+------------------------------------------------------------------------------------------ 419 // PRF values. 420 //------------------------------------------------------------------------------------------- 421 422 #define WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH 32 423 424 // SALT values below by default are converted into RAW Hmac-Secret values as per PRF extension. 425 // - SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || Value) 426 // 427 // Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS, 428 // if caller wants to provide RAW Hmac-Secret SALT values directly. In that case, 429 // values if provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size. 430 431 typedef struct _WEBAUTHN_HMAC_SECRET_SALT { 432 // Size of pbFirst. 433 DWORD cbFirst; 434 _Field_size_bytes_(cbFirst) 435 PBYTE pbFirst; // Required 436 437 // Size of pbSecond. 438 DWORD cbSecond; 439 _Field_size_bytes_(cbSecond) 440 PBYTE pbSecond; 441 } WEBAUTHN_HMAC_SECRET_SALT, *PWEBAUTHN_HMAC_SECRET_SALT; 442 typedef const WEBAUTHN_HMAC_SECRET_SALT *PCWEBAUTHN_HMAC_SECRET_SALT; 443 444 typedef struct _WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT { 445 // Size of pbCredID. 
446 DWORD cbCredID; 447 _Field_size_bytes_(cbCredID) 448 PBYTE pbCredID; // Required 449 450 // PRF Values for above credential 451 PWEBAUTHN_HMAC_SECRET_SALT pHmacSecretSalt; // Required 452 } WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT, *PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT; 453 typedef const WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT *PCWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT; 454 455 typedef struct _WEBAUTHN_HMAC_SECRET_SALT_VALUES { 456 PWEBAUTHN_HMAC_SECRET_SALT pGlobalHmacSalt; 457 458 DWORD cCredWithHmacSecretSaltList; 459 _Field_size_(cCredWithHmacSecretSaltList) 460 PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT pCredWithHmacSecretSaltList; 461 } WEBAUTHN_HMAC_SECRET_SALT_VALUES, *PWEBAUTHN_HMAC_SECRET_SALT_VALUES; 462 typedef const WEBAUTHN_HMAC_SECRET_SALT_VALUES *PCWEBAUTHN_HMAC_SECRET_SALT_VALUES; 463 464 //+------------------------------------------------------------------------------------------ 465 // Hmac-Secret extension 466 //------------------------------------------------------------------------------------------- 467 468 #define WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET L"hmac-secret" 469 // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET 470 // MakeCredential Input Type: BOOL. 471 // - pvExtension must point to a BOOL with the value TRUE. 472 // - cbExtension must contain the sizeof(BOOL). 473 // MakeCredential Output Type: BOOL. 474 // - pvExtension will point to a BOOL with the value TRUE if credential 475 // was successfully created with HMAC_SECRET. 476 // - cbExtension will contain the sizeof(BOOL). 
477 // GetAssertion Input Type: Not Supported 478 // GetAssertion Output Type: Not Supported 479 480 //+------------------------------------------------------------------------------------------ 481 // credProtect extension 482 //------------------------------------------------------------------------------------------- 483 484 #define WEBAUTHN_USER_VERIFICATION_ANY 0 485 #define WEBAUTHN_USER_VERIFICATION_OPTIONAL 1 486 #define WEBAUTHN_USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST 2 487 #define WEBAUTHN_USER_VERIFICATION_REQUIRED 3 488 489 typedef struct _WEBAUTHN_CRED_PROTECT_EXTENSION_IN { 490 // One of the above WEBAUTHN_USER_VERIFICATION_* values 491 DWORD dwCredProtect; 492 // Set the following to TRUE to require authenticator support for the credProtect extension 493 BOOL bRequireCredProtect; 494 } WEBAUTHN_CRED_PROTECT_EXTENSION_IN, *PWEBAUTHN_CRED_PROTECT_EXTENSION_IN; 495 typedef const WEBAUTHN_CRED_PROTECT_EXTENSION_IN *PCWEBAUTHN_CRED_PROTECT_EXTENSION_IN; 496 497 498 #define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT L"credProtect" 499 // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT 500 // MakeCredential Input Type: WEBAUTHN_CRED_PROTECT_EXTENSION_IN. 501 // - pvExtension must point to a WEBAUTHN_CRED_PROTECT_EXTENSION_IN struct 502 // - cbExtension will contain the sizeof(WEBAUTHN_CRED_PROTECT_EXTENSION_IN). 503 // MakeCredential Output Type: DWORD. 504 // - pvExtension will point to a DWORD with one of the above WEBAUTHN_USER_VERIFICATION_* values 505 // if credential was successfully created with CRED_PROTECT. 506 // - cbExtension will contain the sizeof(DWORD). 
507 // GetAssertion Input Type: Not Supported 508 // GetAssertion Output Type: Not Supported 509 510 //+------------------------------------------------------------------------------------------ 511 // credBlob extension 512 //------------------------------------------------------------------------------------------- 513 514 typedef struct _WEBAUTHN_CRED_BLOB_EXTENSION { 515 // Size of pbCredBlob. 516 DWORD cbCredBlob; 517 _Field_size_bytes_(cbCredBlob) 518 PBYTE pbCredBlob; 519 } WEBAUTHN_CRED_BLOB_EXTENSION, *PWEBAUTHN_CRED_BLOB_EXTENSION; 520 typedef const WEBAUTHN_CRED_BLOB_EXTENSION *PCWEBAUTHN_CRED_BLOB_EXTENSION; 521 522 523 #define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB L"credBlob" 524 // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB 525 // MakeCredential Input Type: WEBAUTHN_CRED_BLOB_EXTENSION. 526 // - pvExtension must point to a WEBAUTHN_CRED_BLOB_EXTENSION struct 527 // - cbExtension must contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION). 528 // MakeCredential Output Type: BOOL. 529 // - pvExtension will point to a BOOL with the value TRUE if credBlob was successfully created 530 // - cbExtension will contain the sizeof(BOOL). 531 // GetAssertion Input Type: BOOL. 532 // - pvExtension must point to a BOOL with the value TRUE to request the credBlob. 533 // - cbExtension must contain the sizeof(BOOL). 534 // GetAssertion Output Type: WEBAUTHN_CRED_BLOB_EXTENSION. 535 // - pvExtension will point to a WEBAUTHN_CRED_BLOB_EXTENSION struct if the authenticator 536 // returns the credBlob in the signed extensions 537 // - cbExtension will contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION). 
538 539 //+------------------------------------------------------------------------------------------ 540 // minPinLength extension 541 //------------------------------------------------------------------------------------------- 542 543 #define WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH L"minPinLength" 544 // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH 545 // MakeCredential Input Type: BOOL. 546 // - pvExtension must point to a BOOL with the value TRUE to request the minPinLength. 547 // - cbExtension must contain the sizeof(BOOL). 548 // MakeCredential Output Type: DWORD. 549 // - pvExtension will point to a DWORD with the minimum pin length if returned by the authenticator 550 // - cbExtension will contain the sizeof(DWORD). 551 // GetAssertion Input Type: Not Supported 552 // GetAssertion Output Type: Not Supported 553 554 //+------------------------------------------------------------------------------------------ 555 // Information about Extensions. 556 //------------------------------------------------------------------------------------------- 557 typedef struct _WEBAUTHN_EXTENSION { 558 LPCWSTR pwszExtensionIdentifier; 559 DWORD cbExtension; 560 PVOID pvExtension; 561 } WEBAUTHN_EXTENSION, *PWEBAUTHN_EXTENSION; 562 typedef const WEBAUTHN_EXTENSION *PCWEBAUTHN_EXTENSION; 563 564 typedef struct _WEBAUTHN_EXTENSIONS { 565 DWORD cExtensions; 566 _Field_size_(cExtensions) 567 PWEBAUTHN_EXTENSION pExtensions; 568 } WEBAUTHN_EXTENSIONS, *PWEBAUTHN_EXTENSIONS; 569 typedef const WEBAUTHN_EXTENSIONS *PCWEBAUTHN_EXTENSIONS; 570 571 //+------------------------------------------------------------------------------------------ 572 // Options. 
573 //------------------------------------------------------------------------------------------- 574 575 #define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY 0 576 #define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM 1 577 #define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM 2 578 #define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2 3 579 580 #define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY 0 581 #define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED 1 582 #define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED 2 583 #define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED 3 584 585 #define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY 0 586 #define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE 1 587 #define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT 2 588 #define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT 3 589 590 #define WEBAUTHN_ENTERPRISE_ATTESTATION_NONE 0 591 #define WEBAUTHN_ENTERPRISE_ATTESTATION_VENDOR_FACILITATED 1 592 #define WEBAUTHN_ENTERPRISE_ATTESTATION_PLATFORM_MANAGED 2 593 594 #define WEBAUTHN_LARGE_BLOB_SUPPORT_NONE 0 595 #define WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED 1 596 #define WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED 2 597 598 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_1 1 599 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 2 600 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 3 601 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 4 602 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 5 603 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6 6 604 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7 7 605 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7 606 607 typedef struct _WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS { 608 // Version of this structure, to allow for modifications in the future. 
609 DWORD dwVersion; 610 611 // Time that the operation is expected to complete within. 612 // This is used as guidance, and can be overridden by the platform. 613 DWORD dwTimeoutMilliseconds; 614 615 // Credentials used for exclusion. 616 WEBAUTHN_CREDENTIALS CredentialList; 617 618 // Optional extensions to parse when performing the operation. 619 WEBAUTHN_EXTENSIONS Extensions; 620 621 // Optional. Platform vs Cross-Platform Authenticators. 622 DWORD dwAuthenticatorAttachment; 623 624 // Optional. Require key to be resident or not. Defaulting to FALSE. 625 BOOL bRequireResidentKey; 626 627 // User Verification Requirement. 628 DWORD dwUserVerificationRequirement; 629 630 // Attestation Conveyance Preference. 631 DWORD dwAttestationConveyancePreference; 632 633 // Reserved for future Use 634 DWORD dwFlags; 635 636 // 637 // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 638 // 639 640 // Cancellation Id - Optional - See WebAuthNGetCancellationId 641 GUID *pCancellationId; 642 643 // 644 // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 645 // 646 647 // Exclude Credential List. If present, "CredentialList" will be ignored. 648 PWEBAUTHN_CREDENTIAL_LIST pExcludeCredentialList; 649 650 // 651 // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 652 // 653 654 // Enterprise Attestation 655 DWORD dwEnterpriseAttestation; 656 657 // Large Blob Support: none, required or preferred 658 // 659 // NTE_INVALID_PARAMETER when large blob required or preferred and 660 // bRequireResidentKey isn't set to TRUE 661 DWORD dwLargeBlobSupport; 662 663 // Optional. Prefer key to be resident. Defaulting to FALSE. When TRUE, 664 // overrides the above bRequireResidentKey. 665 BOOL bPreferResidentKey; 666 667 // 668 // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 669 // 670 671 // Optional. 
BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6
    //

    // Enable PRF
    BOOL bEnablePrf;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7
    //

    // Optional. Linked Device Connection Info.
    PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice;

    // Size of pbJsonExt
    DWORD cbJsonExt;
    // Buffer of cbJsonExt bytes (presumably JSON-encoded extension input -- confirm).
    _Field_size_bytes_(cbJsonExt)
    PBYTE pbJsonExt;
} WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
typedef const WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;

// Values for WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS.dwCredLargeBlobOperation.
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_NONE 0
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_GET 1
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_SET 2
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_DELETE 3

// Structure versions for WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS.dwVersion.
// Each version adds the field group marked with the same name below.
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1 1
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2 2
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3 3
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4 4
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5 5
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 6
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7 7
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7

/*
Information about flags.
*/

// Bit for WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS.dwFlags (presumably; its
// effect on pHmacSecretSaltValues handling is not documented here -- confirm).
#define WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG 0x00100000

// Options for WebAuthNAuthenticatorGetAssertion (passed as _In_opt_).
// Fields are grouped by the WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_n
// in which they were added. dwVersion tells the platform which groups are
// populated, so it presumably must be >= the version of every field the caller
// fills in, and fields beyond that version are presumably not read -- confirm.
typedef struct _WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Time that the operation is expected to complete within.
    // This is used as guidance, and can be overridden by the platform.
    DWORD dwTimeoutMilliseconds;

    // Allowed Credentials List.
    // Ignored when pAllowCredentialList (VERSION_4) is present; see below.
    WEBAUTHN_CREDENTIALS CredentialList;

    // Optional extensions to parse when performing the operation.
    WEBAUTHN_EXTENSIONS Extensions;

    // Optional. Platform vs Cross-Platform Authenticators.
    DWORD dwAuthenticatorAttachment;

    // User Verification Requirement.
    DWORD dwUserVerificationRequirement;

    // Flags (e.g. WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG above).
    DWORD dwFlags;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2
    //

    // Optional identifier for the U2F AppId. Converted to UTF8 before being hashed. Not lower cased.
    PCWSTR pwszU2fAppId;

    // [out] If non-NULL, set to TRUE if the above pwszU2fAppId was used instead of
    // the pwszRpId passed to WebAuthNAuthenticatorGetAssertion.
    // NOTE(review): when this comes back TRUE the rpIdHash in the returned
    // authenticator data should be expected to be the hash of pwszU2fAppId rather
    // than of the RP ID -- confirm against the appid extension semantics before
    // verifying the assertion.
    BOOL *pbU2fAppId;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3
    //

    // Cancellation Id - Optional - See WebAuthNGetCancellationId
    // (the same GUID is later passed to WebAuthNCancelCurrentOperation).
    GUID *pCancellationId;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4
    //

    // Allow Credential List. If present, "CredentialList" will be ignored.
    PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5
    //

    // One of the WEBAUTHN_CRED_LARGE_BLOB_OPERATION_* values defined above.
    DWORD dwCredLargeBlobOperation;

    // Size of pbCredLargeBlob
    DWORD cbCredLargeBlob;
    // Large blob payload of cbCredLargeBlob bytes (presumably only read for the SET operation -- confirm).
    _Field_size_bytes_(cbCredLargeBlob)
    PBYTE pbCredLargeBlob;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6
    //

    // PRF values which will be converted into HMAC-SECRET values according to WebAuthn Spec.
    PWEBAUTHN_HMAC_SECRET_SALT_VALUES pHmacSecretSaltValues;

    // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7
    //

    // Optional. Linked Device Connection Info.
    PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice;

    // Optional. Allowlist MUST contain 1 credential applicable for Hybrid transport.
    BOOL bAutoFill;

    // Size of pbJsonExt
    DWORD cbJsonExt;
    // Buffer of cbJsonExt bytes (presumably JSON-encoded extension input -- confirm).
    _Field_size_bytes_(cbJsonExt)
    PBYTE pbJsonExt;
} WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
typedef const WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;


//+------------------------------------------------------------------------------------------
// Attestation Info.
//
//-------------------------------------------------------------------------------------------
// Values for WEBAUTHN_CREDENTIAL_ATTESTATION.dwAttestationDecodeType; they
// determine what WEBAUTHN_CREDENTIAL_ATTESTATION.pvAttestationDecode points to.
#define WEBAUTHN_ATTESTATION_DECODE_NONE 0
#define WEBAUTHN_ATTESTATION_DECODE_COMMON 1
// WEBAUTHN_ATTESTATION_DECODE_COMMON supports format types
//  L"packed"
//  L"fido-u2f"

// Value of WEBAUTHN_COMMON_ATTESTATION.pwszVer for TPM attestation.
#define WEBAUTHN_ATTESTATION_VER_TPM_2_0 L"2.0"

// One X.509 DER encoded certificate. Elements of WEBAUTHN_COMMON_ATTESTATION.pX5c
// are of this type.
typedef struct _WEBAUTHN_X5C {
    // Length of X.509 encoded certificate
    DWORD cbData;
    // X.509 encoded certificate bytes
    _Field_size_bytes_(cbData)
    PBYTE pbData;
} WEBAUTHN_X5C, *PWEBAUTHN_X5C;

// Supports either Self or Full Basic Attestation

// Note, new fields will be added to the following data structure to
// support additional attestation format types, such as, TPM.
// When fields are added, the dwVersion will be incremented.
//
// Therefore, your code must make the following check:
// "if (dwVersion >= WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION)"

#define WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION 1

// Decoded ("common") view of a CBOR attestation statement. This is what
// WEBAUTHN_CREDENTIAL_ATTESTATION.pvAttestationDecode points to when
// dwAttestationDecodeType == WEBAUTHN_ATTESTATION_DECODE_COMMON. It covers the
// L"packed" and L"fido-u2f" formats (see WEBAUTHN_ATTESTATION_DECODE_COMMON above),
// with the extra fields noted below also set for tpm.
typedef struct _WEBAUTHN_COMMON_ATTESTATION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Hash and Padding Algorithm
    //
    // The following won't be set for "fido-u2f" which assumes "ES256".
    PCWSTR pwszAlg;
    LONG lAlg; // COSE algorithm

    // Signature that was generated for this attestation.
    DWORD cbSignature;
    _Field_size_bytes_(cbSignature)
    PBYTE pbSignature;

    // Following is set for Full Basic Attestation. If not set, then this is Self Attestation.
    // Array of X.509 DER encoded certificates. The first certificate is the signer, leaf certificate.
    // With cX5c == 0 there is no certificate chain to validate; a verifier that
    // requires attestation chaining to a trusted root must treat that case as
    // "self attested", not as a passed chain check.
    DWORD cX5c;
    _Field_size_(cX5c)
    PWEBAUTHN_X5C pX5c;

    // Following are also set for tpm
    PCWSTR pwszVer; // L"2.0" (WEBAUTHN_ATTESTATION_VER_TPM_2_0)
    // TPM certInfo blob, cbCertInfo bytes.
    DWORD cbCertInfo;
    _Field_size_bytes_(cbCertInfo)
    PBYTE pbCertInfo;
    // TPM pubArea blob, cbPubArea bytes.
    DWORD cbPubArea;
    _Field_size_bytes_(cbPubArea)
    PBYTE pbPubArea;
} WEBAUTHN_COMMON_ATTESTATION, *PWEBAUTHN_COMMON_ATTESTATION;
typedef const WEBAUTHN_COMMON_ATTESTATION *PCWEBAUTHN_COMMON_ATTESTATION;

// Possible values of WEBAUTHN_CREDENTIAL_ATTESTATION.pwszFormatType.
#define WEBAUTHN_ATTESTATION_TYPE_PACKED L"packed"
#define WEBAUTHN_ATTESTATION_TYPE_U2F L"fido-u2f"
#define WEBAUTHN_ATTESTATION_TYPE_TPM L"tpm"
#define WEBAUTHN_ATTESTATION_TYPE_NONE L"none"

// Structure versions for WEBAUTHN_CREDENTIAL_ATTESTATION.dwVersion.
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_1 1
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2 2
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3 3
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4 4
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5 5
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6 6
#define WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6

// Output of WebAuthNAuthenticatorMakeCredential (*ppWebAuthNCredentialAttestation).
// Allocated by the platform; release with WebAuthNFreeCredentialAttestation.
// Later field groups are only meaningful when dwVersion is >= the
// WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_n that introduced them, so check
// dwVersion before reading past the VERSION_1 fields.
typedef struct _WEBAUTHN_CREDENTIAL_ATTESTATION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Attestation format type (one of the WEBAUTHN_ATTESTATION_TYPE_* strings above).
    PCWSTR pwszFormatType;

    // Size of pbAuthenticatorData.
    DWORD cbAuthenticatorData;
    // Authenticator data that was created for this credential.
    _Field_size_bytes_(cbAuthenticatorData)
    PBYTE pbAuthenticatorData;

    // Size of CBOR encoded attestation information
    //  0 => encoded as CBOR null value.
    DWORD cbAttestation;
    // Encoded CBOR attestation information
    _Field_size_bytes_(cbAttestation)
    PBYTE pbAttestation;

    // One of the WEBAUTHN_ATTESTATION_DECODE_* values.
    DWORD dwAttestationDecodeType;
    // Following depends on the dwAttestationDecodeType
    //  WEBAUTHN_ATTESTATION_DECODE_NONE
    //      NULL - not able to decode the CBOR attestation information
    //  WEBAUTHN_ATTESTATION_DECODE_COMMON
    //      PWEBAUTHN_COMMON_ATTESTATION;
    // Check dwAttestationDecodeType (and NULL) before casting this pointer.
    PVOID pvAttestationDecode;

    // The CBOR encoded Attestation Object to be returned to the RP.
    DWORD cbAttestationObject;
    _Field_size_bytes_(cbAttestationObject)
    PBYTE pbAttestationObject;

    // The CredentialId bytes extracted from the Authenticator Data.
    // Used by Edge to return to the RP.
    DWORD cbCredentialId;
    _Field_size_bytes_(cbCredentialId)
    PBYTE pbCredentialId;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2
    //

    // Extension outputs for this credential.
    WEBAUTHN_EXTENSIONS Extensions;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3
    //

    // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
    // the transport that was used.
    DWORD dwUsedTransport;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4
    //

    // NOTE(review): the three flags below are not documented in this header; the
    // names suggest "enterprise attestation was returned", "largeBlob is
    // supported" and "a resident (discoverable) key was created" -- confirm
    // against the platform documentation before depending on them.
    BOOL bEpAtt;
    BOOL bLargeBlobSupported;
    BOOL bResidentKey;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5
    //

    // Presumably reports whether PRF was enabled for the created credential
    // (cf. bEnablePrf in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS) -- confirm.
    BOOL bPrfEnabled;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6
    //

    // NOTE(review): the name indicates these extension outputs are *not* covered
    // by the attestation signature; a verifier should not treat them as
    // authenticator-attested without confirming this against the platform docs.
    DWORD cbUnsignedExtensionOutputs;
    _Field_size_bytes_(cbUnsignedExtensionOutputs)
    PBYTE pbUnsignedExtensionOutputs;
} WEBAUTHN_CREDENTIAL_ATTESTATION, *PWEBAUTHN_CREDENTIAL_ATTESTATION;
typedef const WEBAUTHN_CREDENTIAL_ATTESTATION *PCWEBAUTHN_CREDENTIAL_ATTESTATION;


//+------------------------------------------------------------------------------------------
// authenticatorGetAssertion output.
//-------------------------------------------------------------------------------------------

// Values for WEBAUTHN_ASSERTION.dwCredLargeBlobStatus.
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NONE 0
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS 1
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_SUPPORTED 2
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_DATA 3
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_PARAMETER 4
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_FOUND 5
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_MULTIPLE_CREDENTIALS 6
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_LACK_OF_SPACE 7
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_PLATFORM_ERROR 8
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_AUTHENTICATOR_ERROR 9

// Structure versions for WEBAUTHN_ASSERTION.dwVersion.
#define WEBAUTHN_ASSERTION_VERSION_1 1
#define WEBAUTHN_ASSERTION_VERSION_2 2
#define WEBAUTHN_ASSERTION_VERSION_3 3
#define WEBAUTHN_ASSERTION_VERSION_4 4
#define WEBAUTHN_ASSERTION_VERSION_5 5
#define WEBAUTHN_ASSERTION_CURRENT_VERSION WEBAUTHN_ASSERTION_VERSION_5

// Output of WebAuthNAuthenticatorGetAssertion (*ppWebAuthNAssertion).
// Allocated by the platform; release with WebAuthNFreeAssertion, which is
// annotated _In_ (not _In_opt_), so check for NULL before calling it.
// Later field groups are only meaningful when dwVersion is >= the
// WEBAUTHN_ASSERTION_VERSION_n that introduced them.
typedef struct _WEBAUTHN_ASSERTION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbAuthenticatorData.
    DWORD cbAuthenticatorData;
    // Authenticator data that was created for this assertion.
    _Field_size_bytes_(cbAuthenticatorData)
    PBYTE pbAuthenticatorData;

    // Size of pbSignature.
    DWORD cbSignature;
    // Signature that was generated for this assertion.
    _Field_size_bytes_(cbSignature)
    PBYTE pbSignature;

    // Credential that was used for this assertion.
    WEBAUTHN_CREDENTIAL Credential;

    // Size of User Id
    DWORD cbUserId;
    // UserId
    _Field_size_bytes_(cbUserId)
    PBYTE pbUserId;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_2
    //

    // Extension outputs for this assertion.
    WEBAUTHN_EXTENSIONS Extensions;

    // Size of pbCredLargeBlob
    DWORD cbCredLargeBlob;
    // Large blob returned by the operation, cbCredLargeBlob bytes.
    _Field_size_bytes_(cbCredLargeBlob)
    PBYTE pbCredLargeBlob;

    // One of the WEBAUTHN_CRED_LARGE_BLOB_STATUS_* values defined above.
    DWORD dwCredLargeBlobStatus;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_3
    //

    // HMAC-secret output for the salts supplied in
    // WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS.pHmacSecretSaltValues
    // (type declared elsewhere in this header). Presumably NULL when the
    // extension was not requested -- confirm.
    PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_4
    //

    // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
    // the transport that was used.
    DWORD dwUsedTransport;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_5
    //

    // NOTE(review): the name indicates these extension outputs are *not* covered
    // by pbSignature; a verifier should not treat them as authenticator-signed
    // without confirming this against the platform docs.
    DWORD cbUnsignedExtensionOutputs;
    _Field_size_bytes_(cbUnsignedExtensionOutputs)
    PBYTE pbUnsignedExtensionOutputs;
} WEBAUTHN_ASSERTION, *PWEBAUTHN_ASSERTION;
typedef const WEBAUTHN_ASSERTION *PCWEBAUTHN_ASSERTION;

//+------------------------------------------------------------------------------------------
// APIs.
//-------------------------------------------------------------------------------------------

// Returns the API version implemented by the platform. Compare the result
// against the WEBAUTHN_API_VERSION_* constants declared earlier in this header
// before using structures or APIs introduced in a later version.
DWORD
WINAPI
WebAuthNGetApiVersionNumber();

// Sets *pbIsUserVerifyingPlatformAuthenticatorAvailable to whether a
// user-verifying platform authenticator is available; returns an HRESULT.
HRESULT
WINAPI
WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable(
    _Out_ BOOL *pbIsUserVerifyingPlatformAuthenticatorAvailable);


// Creates a new credential (authenticatorMakeCredential).
//   hWnd                            - presumably the owner window for platform UI -- confirm
//   pRpInformation                  - relying party entity information
//   pUserInformation                - user entity information
//   pPubKeyCredParams               - COSE credential parameters
//   pWebAuthNClientData             - client data
//   pWebAuthNMakeCredentialOptions  - optional WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS
//   ppWebAuthNCredentialAttestation - [out] may be NULL (_Outptr_result_maybenull_);
//                                     check both the HRESULT and the pointer, then
//                                     release with WebAuthNFreeCredentialAttestation.
HRESULT
WINAPI
WebAuthNAuthenticatorMakeCredential(
    _In_ HWND hWnd,
    _In_ PCWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation,
    _In_ PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation,
    _In_ PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS pPubKeyCredParams,
    _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
    _In_opt_ PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS pWebAuthNMakeCredentialOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION *ppWebAuthNCredentialAttestation);


// Requests an assertion for an existing credential (authenticatorGetAssertion).
//   hWnd                          - presumably the owner window for platform UI -- confirm
//   pwszRpId                      - RP ID; see pwszU2fAppId / pbU2fAppId in the options
//                                   for the U2F AppId fallback
//   pWebAuthNClientData           - client data
//   pWebAuthNGetAssertionOptions  - optional WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS
//   ppWebAuthNAssertion           - [out] may be NULL (_Outptr_result_maybenull_);
//                                   check both the HRESULT and the pointer, then
//                                   release with WebAuthNFreeAssertion.
HRESULT
WINAPI
WebAuthNAuthenticatorGetAssertion(
    _In_ HWND hWnd,
    _In_ LPCWSTR pwszRpId,
    _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
    _In_opt_ PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS pWebAuthNGetAssertionOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_ASSERTION *ppWebAuthNAssertion);

// Releases a structure returned by WebAuthNAuthenticatorMakeCredential.
// Accepts NULL (_In_opt_).
void
WINAPI
WebAuthNFreeCredentialAttestation(
    _In_opt_ PWEBAUTHN_CREDENTIAL_ATTESTATION pWebAuthNCredentialAttestation);

// Releases a structure returned by WebAuthNAuthenticatorGetAssertion.
// Unlike WebAuthNFreeCredentialAttestation the argument is _In_, i.e. not
// documented as accepting NULL -- guard the call.
void
WINAPI
WebAuthNFreeAssertion(
    _In_ PWEBAUTHN_ASSERTION pWebAuthNAssertion);

// Obtains a cancellation GUID to place in the pCancellationId field of the
// make-credential / get-assertion options structures.
HRESULT
WINAPI
WebAuthNGetCancellationId(
    _Out_ GUID* pCancellationId);

// Cancels the in-flight operation that was started with the given
// cancellation GUID (see WebAuthNGetCancellationId).
HRESULT
WINAPI
WebAuthNCancelCurrentOperation(
    _In_ const GUID* pCancellationId);

// Returns NTE_NOT_FOUND when credentials are not found.
// On success *ppCredentialDetailsList must be released with
// WebAuthNFreePlatformCredentialList; it may be NULL (_Outptr_result_maybenull_).
HRESULT
WINAPI
WebAuthNGetPlatformCredentialList(
    _In_ PCWEBAUTHN_GET_CREDENTIALS_OPTIONS pGetCredentialsOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST *ppCredentialDetailsList);

// Releases a list returned by WebAuthNGetPlatformCredentialList (argument is _In_, not _In_opt_).
void
WINAPI
WebAuthNFreePlatformCredentialList(
    _In_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList);

// Deletes the platform credential identified by the cbCredentialId bytes at
// pbCredentialId (cf. pbCredentialId in WEBAUTHN_CREDENTIAL_ATTESTATION).
HRESULT
WINAPI
WebAuthNDeletePlatformCredential(
    _In_ DWORD cbCredentialId,
    _In_reads_bytes_(cbCredentialId) const BYTE *pbCredentialId
    );

//
// Maps an HRESULT from the APIs above to a W3C DOMException-style error name.
// Returns the following Error Names:
//  L"Success"              - S_OK
//  L"InvalidStateError"    - NTE_EXISTS
//  L"ConstraintError"      - HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED),
//                            NTE_NOT_SUPPORTED,
//                            NTE_TOKEN_KEYSET_STORAGE_FULL
//  L"NotSupportedError"    - NTE_INVALID_PARAMETER
//  L"NotAllowedError"      - NTE_DEVICE_NOT_FOUND,
//                            NTE_NOT_FOUND,
//                            HRESULT_FROM_WIN32(ERROR_CANCELLED),
//                            NTE_USER_CANCELLED,
//                            HRESULT_FROM_WIN32(ERROR_TIMEOUT)
//  L"UnknownError"         - All other hr values
//
PCWSTR
WINAPI
WebAuthNGetErrorName(
    _In_ HRESULT hr);

// Presumably maps hr to the HRESULT of the corresponding W3C DOMException
// (the pairing above); not documented in this header -- confirm.
HRESULT
WINAPI
WebAuthNGetW3CExceptionDOMError(
    _In_ HRESULT hr);


#ifdef __cplusplus
}       // Balance extern "C" above
#endif

#endif // WINAPI_FAMILY_PARTITION
#ifdef _MSC_VER
#pragma endregion
#endif

#endif // __WEBAUTHN_H_