xref: /freebsd/contrib/libfido2/src/webauthn.h (revision e63d20b70ee1dbee9b075f29de6f30cdcfe1abe1)
1 // Copyright (c) Microsoft Corporation. All rights reserved.
2 // Licensed under the MIT License.
3 
4 #ifndef __WEBAUTHN_H_
5 #define __WEBAUTHN_H_
6 
7 #pragma once
8 
9 #include <winapifamily.h>
10 
11 #ifdef _MSC_VER
12 #pragma region Desktop Family or OneCore Family
13 #endif
14 #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
15 
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19 
20 #ifndef WINAPI
21 #define WINAPI __stdcall
22 #endif
23 
24 #ifndef INITGUID
25 #define INITGUID
26 #include <guiddef.h>
27 #undef INITGUID
28 #else
29 #include <guiddef.h>
30 #endif
31 
32 //+------------------------------------------------------------------------------------------
33 // API Version Information.
34 // Caller should check for WebAuthNGetApiVersionNumber to check the presence of relevant APIs
35 // and features for their usage.
36 //-------------------------------------------------------------------------------------------
37 
38 #define WEBAUTHN_API_VERSION_1          1
39 // WEBAUTHN_API_VERSION_1 : Baseline Version
40 //      Data Structures and their sub versions:
41 //          - WEBAUTHN_RP_ENTITY_INFORMATION                    :   1
42 //          - WEBAUTHN_USER_ENTITY_INFORMATION                  :   1
43 //          - WEBAUTHN_CLIENT_DATA                              :   1
44 //          - WEBAUTHN_COSE_CREDENTIAL_PARAMETER                :   1
45 //          - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS               :   Not Applicable
46 //          - WEBAUTHN_CREDENTIAL                               :   1
47 //          - WEBAUTHN_CREDENTIALS                              :   Not Applicable
48 //          - WEBAUTHN_CREDENTIAL_EX                            :   1
49 //          - WEBAUTHN_CREDENTIAL_LIST                          :   Not Applicable
50 //          - WEBAUTHN_EXTENSION                                :   Not Applicable
51 //          - WEBAUTHN_EXTENSIONS                               :   Not Applicable
52 //          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   3
53 //          - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      :   4
54 //          - WEBAUTHN_COMMON_ATTESTATION                       :   1
55 //          - WEBAUTHN_CREDENTIAL_ATTESTATION                   :   3
56 //          - WEBAUTHN_ASSERTION                                :   1
57 //      Extensions:
58 //          - WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
59 //      APIs:
60 //          - WebAuthNGetApiVersionNumber
61 //          - WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable
62 //          - WebAuthNAuthenticatorMakeCredential
63 //          - WebAuthNAuthenticatorGetAssertion
64 //          - WebAuthNFreeCredentialAttestation
65 //          - WebAuthNFreeAssertion
66 //          - WebAuthNGetCancellationId
67 //          - WebAuthNCancelCurrentOperation
68 //          - WebAuthNGetErrorName
69 //          - WebAuthNGetW3CExceptionDOMError
70 //      Transports:
71 //          - WEBAUTHN_CTAP_TRANSPORT_USB
72 //          - WEBAUTHN_CTAP_TRANSPORT_NFC
73 //          - WEBAUTHN_CTAP_TRANSPORT_BLE
74 //          - WEBAUTHN_CTAP_TRANSPORT_INTERNAL
75 
76 #define WEBAUTHN_API_VERSION_2          2
77 // WEBAUTHN_API_VERSION_2 : Delta From WEBAUTHN_API_VERSION_1
78 //      Added Extensions:
79 //          - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
80 //
81 
82 #define WEBAUTHN_API_VERSION_3          3
83 // WEBAUTHN_API_VERSION_3 : Delta From WEBAUTHN_API_VERSION_2
84 //      Data Structures and their sub versions:
85 //          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   4
86 //          - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      :   5
87 //          - WEBAUTHN_CREDENTIAL_ATTESTATION                   :   4
88 //          - WEBAUTHN_ASSERTION                                :   2
89 //      Added Extensions:
90 //          - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
91 //          - WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
92 //
93 
94 #define WEBAUTHN_API_VERSION_4          4
95 // WEBAUTHN_API_VERSION_4 : Delta From WEBAUTHN_API_VERSION_3
96 //      Data Structures and their sub versions:
97 //          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   5
98 //          - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      :   6
99 //          - WEBAUTHN_ASSERTION                                :   3
100 //          - WEBAUTHN_CREDENTIAL_DETAILS                       :   1
101 //      APIs:
102 //          - WebAuthNGetPlatformCredentialList
103 //          - WebAuthNFreePlatformCredentialList
104 //          - WebAuthNDeletePlatformCredential
105 //
106 
107 #define WEBAUTHN_API_VERSION_5          5
108 // WEBAUTHN_API_VERSION_5 : Delta From WEBAUTHN_API_VERSION_4
109 //      Data Structures and their sub versions:
110 //          - WEBAUTHN_CREDENTIAL_DETAILS                       :   2
111 //      Extension Changes:
112 //          - Enabled LARGE_BLOB Support
113 //
114 
115 #define WEBAUTHN_API_VERSION_6          6
116 // WEBAUTHN_API_VERSION_6 : Delta From WEBAUTHN_API_VERSION_5
117 //      Data Structures and their sub versions:
118 //          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   6
119 //          - WEBAUTHN_CREDENTIAL_ATTESTATION                   :   5
120 //          - WEBAUTHN_ASSERTION                                :   4
121 //      Transports:
122 //          - WEBAUTHN_CTAP_TRANSPORT_HYBRID
123 
124 #define WEBAUTHN_API_VERSION_7          7
125 // WEBAUTHN_API_VERSION_7 : Delta From WEBAUTHN_API_VERSION_6
126 //      Data Structures and their sub versions:
127 //          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   7
128 //          - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      :   7
129 //          - WEBAUTHN_CREDENTIAL_ATTESTATION                   :   6
130 //          - WEBAUTHN_ASSERTION                                :   5
131 
132 #define WEBAUTHN_API_CURRENT_VERSION    WEBAUTHN_API_VERSION_7
133 
134 //+------------------------------------------------------------------------------------------
135 // Information about an RP Entity
136 //-------------------------------------------------------------------------------------------
137 
138 #define WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION          1
139 
140 typedef struct _WEBAUTHN_RP_ENTITY_INFORMATION {
141     // Version of this structure, to allow for modifications in the future.
142     // This field is required and should be set to CURRENT_VERSION above.
143     DWORD dwVersion;
144 
145     // Identifier for the RP. This field is required.
146     PCWSTR pwszId;
147 
148     // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site".
149     // This field is required.
150     PCWSTR pwszName;
151 
152     // Optional URL pointing to RP's logo.
153     PCWSTR pwszIcon;
154 } WEBAUTHN_RP_ENTITY_INFORMATION, *PWEBAUTHN_RP_ENTITY_INFORMATION;
155 typedef const WEBAUTHN_RP_ENTITY_INFORMATION *PCWEBAUTHN_RP_ENTITY_INFORMATION;
156 
157 //+------------------------------------------------------------------------------------------
158 // Information about an User Entity
159 //-------------------------------------------------------------------------------------------
160 #define WEBAUTHN_MAX_USER_ID_LENGTH                             64
161 
162 #define WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION        1
163 
164 typedef struct _WEBAUTHN_USER_ENTITY_INFORMATION {
165     // Version of this structure, to allow for modifications in the future.
166     // This field is required and should be set to CURRENT_VERSION above.
167     DWORD dwVersion;
168 
169     // Identifier for the User. This field is required.
170     DWORD cbId;
171     _Field_size_bytes_(cbId)
172     PBYTE pbId;
173 
174     // Contains a detailed name for this account, such as "john.p.smith@example.com".
175     PCWSTR pwszName;
176 
177     // Optional URL that can be used to retrieve an image containing the user's current avatar,
178     // or a data URI that contains the image data.
179     PCWSTR pwszIcon;
180 
181     // For User: Contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith".
182     PCWSTR pwszDisplayName;
183 } WEBAUTHN_USER_ENTITY_INFORMATION, *PWEBAUTHN_USER_ENTITY_INFORMATION;
184 typedef const WEBAUTHN_USER_ENTITY_INFORMATION *PCWEBAUTHN_USER_ENTITY_INFORMATION;
185 
186 //+------------------------------------------------------------------------------------------
187 // Information about client data.
188 //-------------------------------------------------------------------------------------------
189 
190 #define WEBAUTHN_HASH_ALGORITHM_SHA_256                         L"SHA-256"
191 #define WEBAUTHN_HASH_ALGORITHM_SHA_384                         L"SHA-384"
192 #define WEBAUTHN_HASH_ALGORITHM_SHA_512                         L"SHA-512"
193 
194 #define WEBAUTHN_CLIENT_DATA_CURRENT_VERSION                    1
195 
196 typedef struct _WEBAUTHN_CLIENT_DATA {
197     // Version of this structure, to allow for modifications in the future.
198     // This field is required and should be set to CURRENT_VERSION above.
199     DWORD dwVersion;
200 
201     // Size of the pbClientDataJSON field.
202     DWORD cbClientDataJSON;
203     // UTF-8 encoded JSON serialization of the client data.
204     _Field_size_bytes_(cbClientDataJSON)
205     PBYTE pbClientDataJSON;
206 
207     // Hash algorithm ID used to hash the pbClientDataJSON field.
208     LPCWSTR pwszHashAlgId;
209 } WEBAUTHN_CLIENT_DATA, *PWEBAUTHN_CLIENT_DATA;
210 typedef const WEBAUTHN_CLIENT_DATA *PCWEBAUTHN_CLIENT_DATA;
211 
212 //+------------------------------------------------------------------------------------------
213 // Information about credential parameters.
214 //-------------------------------------------------------------------------------------------
215 
216 #define WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY                         L"public-key"
217 
218 #define WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256             -7
219 #define WEBAUTHN_COSE_ALGORITHM_ECDSA_P384_WITH_SHA384             -35
220 #define WEBAUTHN_COSE_ALGORITHM_ECDSA_P521_WITH_SHA512             -36
221 
222 #define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA256      -257
223 #define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA384      -258
224 #define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA512      -259
225 
226 #define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA256                -37
227 #define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA384                -38
228 #define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA512                -39
229 
230 #define WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION          1
231 
232 typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETER {
233     // Version of this structure, to allow for modifications in the future.
234     DWORD dwVersion;
235 
236     // Well-known credential type specifying a credential to create.
237     LPCWSTR pwszCredentialType;
238 
239     // Well-known COSE algorithm specifying the algorithm to use for the credential.
240     LONG lAlg;
241 } WEBAUTHN_COSE_CREDENTIAL_PARAMETER, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
242 typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETER *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
243 
244 typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETERS {
245     DWORD cCredentialParameters;
246     _Field_size_(cCredentialParameters)
247     PWEBAUTHN_COSE_CREDENTIAL_PARAMETER pCredentialParameters;
248 } WEBAUTHN_COSE_CREDENTIAL_PARAMETERS, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
249 typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETERS *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
250 
251 //+------------------------------------------------------------------------------------------
252 // Information about credential.
253 //-------------------------------------------------------------------------------------------
254 #define WEBAUTHN_CREDENTIAL_CURRENT_VERSION                         1
255 
256 typedef struct _WEBAUTHN_CREDENTIAL {
257     // Version of this structure, to allow for modifications in the future.
258     DWORD dwVersion;
259 
260     // Size of pbID.
261     DWORD cbId;
262     // Unique ID for this particular credential.
263     _Field_size_bytes_(cbId)
264     PBYTE pbId;
265 
266     // Well-known credential type specifying what this particular credential is.
267     LPCWSTR pwszCredentialType;
268 } WEBAUTHN_CREDENTIAL, *PWEBAUTHN_CREDENTIAL;
269 typedef const WEBAUTHN_CREDENTIAL *PCWEBAUTHN_CREDENTIAL;
270 
271 typedef struct _WEBAUTHN_CREDENTIALS {
272     DWORD cCredentials;
273     _Field_size_(cCredentials)
274     PWEBAUTHN_CREDENTIAL pCredentials;
275 } WEBAUTHN_CREDENTIALS, *PWEBAUTHN_CREDENTIALS;
276 typedef const WEBAUTHN_CREDENTIALS *PCWEBAUTHN_CREDENTIALS;
277 
278 //+------------------------------------------------------------------------------------------
279 // Information about credential with extra information, such as, dwTransports
280 //-------------------------------------------------------------------------------------------
281 
282 #define WEBAUTHN_CTAP_TRANSPORT_USB         0x00000001
283 #define WEBAUTHN_CTAP_TRANSPORT_NFC         0x00000002
284 #define WEBAUTHN_CTAP_TRANSPORT_BLE         0x00000004
285 #define WEBAUTHN_CTAP_TRANSPORT_TEST        0x00000008
286 #define WEBAUTHN_CTAP_TRANSPORT_INTERNAL    0x00000010
287 #define WEBAUTHN_CTAP_TRANSPORT_HYBRID      0x00000020
288 #define WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK  0x0000003F
289 
290 #define WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION                         1
291 
292 typedef struct _WEBAUTHN_CREDENTIAL_EX {
293     // Version of this structure, to allow for modifications in the future.
294     DWORD dwVersion;
295 
296     // Size of pbID.
297     DWORD cbId;
298     // Unique ID for this particular credential.
299     _Field_size_bytes_(cbId)
300     PBYTE pbId;
301 
302     // Well-known credential type specifying what this particular credential is.
303     LPCWSTR pwszCredentialType;
304 
305     // Transports. 0 implies no transport restrictions.
306     DWORD dwTransports;
307 } WEBAUTHN_CREDENTIAL_EX, *PWEBAUTHN_CREDENTIAL_EX;
308 typedef const WEBAUTHN_CREDENTIAL_EX *PCWEBAUTHN_CREDENTIAL_EX;
309 
310 //+------------------------------------------------------------------------------------------
311 // Information about credential list with extra information
312 //-------------------------------------------------------------------------------------------
313 
314 typedef struct _WEBAUTHN_CREDENTIAL_LIST {
315     DWORD cCredentials;
316     _Field_size_(cCredentials)
317     PWEBAUTHN_CREDENTIAL_EX *ppCredentials;
318 } WEBAUTHN_CREDENTIAL_LIST, *PWEBAUTHN_CREDENTIAL_LIST;
319 typedef const WEBAUTHN_CREDENTIAL_LIST *PCWEBAUTHN_CREDENTIAL_LIST;
320 
321 //+------------------------------------------------------------------------------------------
322 // Information about linked devices
323 //-------------------------------------------------------------------------------------------
324 
325 #define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1       1
326 #define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_CURRENT_VERSION CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1
327 
328 typedef struct _CTAPCBOR_HYBRID_STORAGE_LINKED_DATA
329 {
330     // Version
331     DWORD dwVersion;
332 
333     // Contact Id
334     DWORD cbContactId;
335     _Field_size_bytes_(cbContactId)
336     PBYTE pbContactId;
337 
338     // Link Id
339     DWORD cbLinkId;
340     _Field_size_bytes_(cbLinkId)
341     PBYTE pbLinkId;
342 
343     // Link secret
344     DWORD cbLinkSecret;
345     _Field_size_bytes_(cbLinkSecret)
346     PBYTE pbLinkSecret;
347 
348     // Authenticator Public Key
349     DWORD cbPublicKey;
350     _Field_size_bytes_(cbPublicKey)
351     PBYTE pbPublicKey;
352 
353     // Authenticator Name
354     PCWSTR pwszAuthenticatorName;
355 
356     // Tunnel server domain
357     WORD wEncodedTunnelServerDomain;
358 } CTAPCBOR_HYBRID_STORAGE_LINKED_DATA, *PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA;
359 typedef const CTAPCBOR_HYBRID_STORAGE_LINKED_DATA *PCCTAPCBOR_HYBRID_STORAGE_LINKED_DATA;
360 
361 //+------------------------------------------------------------------------------------------
362 // Credential Information for WebAuthNGetPlatformCredentialList API
363 //-------------------------------------------------------------------------------------------
364 
365 #define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1           1
366 #define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2           2
367 #define WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION     WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2
368 
369 typedef struct _WEBAUTHN_CREDENTIAL_DETAILS {
370     // Version of this structure, to allow for modifications in the future.
371     DWORD dwVersion;
372 
373     // Size of pbCredentialID.
374     DWORD cbCredentialID;
375     _Field_size_bytes_(cbCredentialID)
376     PBYTE pbCredentialID;
377 
378     // RP Info
379     PWEBAUTHN_RP_ENTITY_INFORMATION     pRpInformation;
380 
381     // User Info
382     PWEBAUTHN_USER_ENTITY_INFORMATION   pUserInformation;
383 
384     // Removable or not.
385     BOOL bRemovable;
386 
387     //
388     // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2
389     //
390 
391     // Backed Up or not.
392     BOOL bBackedUp;
393 } WEBAUTHN_CREDENTIAL_DETAILS, *PWEBAUTHN_CREDENTIAL_DETAILS;
394 typedef const WEBAUTHN_CREDENTIAL_DETAILS *PCWEBAUTHN_CREDENTIAL_DETAILS;
395 
396 typedef struct _WEBAUTHN_CREDENTIAL_DETAILS_LIST {
397     DWORD cCredentialDetails;
398     _Field_size_(cCredentialDetails)
399     PWEBAUTHN_CREDENTIAL_DETAILS *ppCredentialDetails;
400 } WEBAUTHN_CREDENTIAL_DETAILS_LIST, *PWEBAUTHN_CREDENTIAL_DETAILS_LIST;
401 typedef const WEBAUTHN_CREDENTIAL_DETAILS_LIST *PCWEBAUTHN_CREDENTIAL_DETAILS_LIST;
402 
403 #define WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1          1
404 #define WEBAUTHN_GET_CREDENTIALS_OPTIONS_CURRENT_VERSION    WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1
405 
406 typedef struct _WEBAUTHN_GET_CREDENTIALS_OPTIONS {
407     // Version of this structure, to allow for modifications in the future.
408     DWORD dwVersion;
409 
410     // Optional.
411     LPCWSTR pwszRpId;
412 
413     // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
414     BOOL bBrowserInPrivateMode;
415 } WEBAUTHN_GET_CREDENTIALS_OPTIONS, *PWEBAUTHN_GET_CREDENTIALS_OPTIONS;
416 typedef const WEBAUTHN_GET_CREDENTIALS_OPTIONS *PCWEBAUTHN_GET_CREDENTIALS_OPTIONS;
417 
418 //+------------------------------------------------------------------------------------------
419 // PRF values.
420 //-------------------------------------------------------------------------------------------
421 
422 #define WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH    32
423 
424 // SALT values below by default are converted into RAW Hmac-Secret values as per PRF extension.
425 //   - SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || Value)
426 //
427 // Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS,
428 //   if caller wants to provide RAW Hmac-Secret SALT values directly. In that case,
429 //   values if provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size.
430 
431 typedef struct _WEBAUTHN_HMAC_SECRET_SALT {
432     // Size of pbFirst.
433     DWORD cbFirst;
434     _Field_size_bytes_(cbFirst)
435     PBYTE pbFirst;                                  // Required
436 
437     // Size of pbSecond.
438     DWORD cbSecond;
439     _Field_size_bytes_(cbSecond)
440     PBYTE pbSecond;
441 } WEBAUTHN_HMAC_SECRET_SALT, *PWEBAUTHN_HMAC_SECRET_SALT;
442 typedef const WEBAUTHN_HMAC_SECRET_SALT *PCWEBAUTHN_HMAC_SECRET_SALT;
443 
444 typedef struct _WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT {
445     // Size of pbCredID.
446     DWORD cbCredID;
447     _Field_size_bytes_(cbCredID)
448     PBYTE pbCredID;                                 // Required
449 
450     // PRF Values for above credential
451     PWEBAUTHN_HMAC_SECRET_SALT pHmacSecretSalt;     // Required
452 } WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT, *PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT;
453 typedef const WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT *PCWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT;
454 
455 typedef struct _WEBAUTHN_HMAC_SECRET_SALT_VALUES {
456     PWEBAUTHN_HMAC_SECRET_SALT pGlobalHmacSalt;
457 
458     DWORD cCredWithHmacSecretSaltList;
459     _Field_size_(cCredWithHmacSecretSaltList)
460     PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT pCredWithHmacSecretSaltList;
461 } WEBAUTHN_HMAC_SECRET_SALT_VALUES, *PWEBAUTHN_HMAC_SECRET_SALT_VALUES;
462 typedef const WEBAUTHN_HMAC_SECRET_SALT_VALUES *PCWEBAUTHN_HMAC_SECRET_SALT_VALUES;
463 
464 //+------------------------------------------------------------------------------------------
465 // Hmac-Secret extension
466 //-------------------------------------------------------------------------------------------
467 
468 #define WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET                  L"hmac-secret"
469 // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
470 // MakeCredential Input Type:   BOOL.
471 //      - pvExtension must point to a BOOL with the value TRUE.
472 //      - cbExtension must contain the sizeof(BOOL).
473 // MakeCredential Output Type:  BOOL.
474 //      - pvExtension will point to a BOOL with the value TRUE if credential
475 //        was successfully created with HMAC_SECRET.
476 //      - cbExtension will contain the sizeof(BOOL).
477 // GetAssertion Input Type:     Not Supported
478 // GetAssertion Output Type:    Not Supported
479 
480 //+------------------------------------------------------------------------------------------
481 //  credProtect  extension
482 //-------------------------------------------------------------------------------------------
483 
484 #define WEBAUTHN_USER_VERIFICATION_ANY                                          0
485 #define WEBAUTHN_USER_VERIFICATION_OPTIONAL                                     1
486 #define WEBAUTHN_USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST             2
487 #define WEBAUTHN_USER_VERIFICATION_REQUIRED                                     3
488 
489 typedef struct _WEBAUTHN_CRED_PROTECT_EXTENSION_IN {
490     // One of the above WEBAUTHN_USER_VERIFICATION_* values
491     DWORD dwCredProtect;
492     // Set the following to TRUE to require authenticator support for the credProtect extension
493     BOOL bRequireCredProtect;
494 } WEBAUTHN_CRED_PROTECT_EXTENSION_IN, *PWEBAUTHN_CRED_PROTECT_EXTENSION_IN;
495 typedef const WEBAUTHN_CRED_PROTECT_EXTENSION_IN *PCWEBAUTHN_CRED_PROTECT_EXTENSION_IN;
496 
497 
498 #define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT                 L"credProtect"
499 // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
500 // MakeCredential Input Type:   WEBAUTHN_CRED_PROTECT_EXTENSION_IN.
501 //      - pvExtension must point to a WEBAUTHN_CRED_PROTECT_EXTENSION_IN struct
502 //      - cbExtension will contain the sizeof(WEBAUTHN_CRED_PROTECT_EXTENSION_IN).
503 // MakeCredential Output Type:  DWORD.
504 //      - pvExtension will point to a DWORD with one of the above WEBAUTHN_USER_VERIFICATION_* values
505 //        if credential was successfully created with CRED_PROTECT.
506 //      - cbExtension will contain the sizeof(DWORD).
507 // GetAssertion Input Type:     Not Supported
508 // GetAssertion Output Type:    Not Supported
509 
510 //+------------------------------------------------------------------------------------------
511 //  credBlob  extension
512 //-------------------------------------------------------------------------------------------
513 
514 typedef struct _WEBAUTHN_CRED_BLOB_EXTENSION {
515     // Size of pbCredBlob.
516     DWORD cbCredBlob;
517     _Field_size_bytes_(cbCredBlob)
518     PBYTE pbCredBlob;
519 } WEBAUTHN_CRED_BLOB_EXTENSION, *PWEBAUTHN_CRED_BLOB_EXTENSION;
520 typedef const WEBAUTHN_CRED_BLOB_EXTENSION *PCWEBAUTHN_CRED_BLOB_EXTENSION;
521 
522 
523 #define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB                 L"credBlob"
524 // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
525 // MakeCredential Input Type:   WEBAUTHN_CRED_BLOB_EXTENSION.
526 //      - pvExtension must point to a WEBAUTHN_CRED_BLOB_EXTENSION struct
527 //      - cbExtension must contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION).
528 // MakeCredential Output Type:  BOOL.
529 //      - pvExtension will point to a BOOL with the value TRUE if credBlob was successfully created
530 //      - cbExtension will contain the sizeof(BOOL).
531 // GetAssertion Input Type:     BOOL.
532 //      - pvExtension must point to a BOOL with the value TRUE to request the credBlob.
533 //      - cbExtension must contain the sizeof(BOOL).
534 // GetAssertion Output Type:    WEBAUTHN_CRED_BLOB_EXTENSION.
535 //      - pvExtension will point to a WEBAUTHN_CRED_BLOB_EXTENSION struct if the authenticator
536 //        returns the credBlob in the signed extensions
537 //      - cbExtension will contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION).
538 
539 //+------------------------------------------------------------------------------------------
540 //  minPinLength  extension
541 //-------------------------------------------------------------------------------------------
542 
543 #define WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH                 L"minPinLength"
544 // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
545 // MakeCredential Input Type:   BOOL.
546 //      - pvExtension must point to a BOOL with the value TRUE to request the minPinLength.
547 //      - cbExtension must contain the sizeof(BOOL).
548 // MakeCredential Output Type:  DWORD.
549 //      - pvExtension will point to a DWORD with the minimum pin length if returned by the authenticator
550 //      - cbExtension will contain the sizeof(DWORD).
551 // GetAssertion Input Type:     Not Supported
552 // GetAssertion Output Type:    Not Supported
553 
554 //+------------------------------------------------------------------------------------------
555 // Information about Extensions.
556 //-------------------------------------------------------------------------------------------
557 typedef struct _WEBAUTHN_EXTENSION {
558     LPCWSTR pwszExtensionIdentifier;
559     DWORD cbExtension;
560     PVOID pvExtension;
561 } WEBAUTHN_EXTENSION, *PWEBAUTHN_EXTENSION;
562 typedef const WEBAUTHN_EXTENSION *PCWEBAUTHN_EXTENSION;
563 
564 typedef struct _WEBAUTHN_EXTENSIONS {
565     DWORD cExtensions;
566     _Field_size_(cExtensions)
567     PWEBAUTHN_EXTENSION pExtensions;
568 } WEBAUTHN_EXTENSIONS, *PWEBAUTHN_EXTENSIONS;
569 typedef const WEBAUTHN_EXTENSIONS *PCWEBAUTHN_EXTENSIONS;
570 
571 //+------------------------------------------------------------------------------------------
572 // Options.
573 //-------------------------------------------------------------------------------------------
574 
575 #define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY                               0
576 #define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM                          1
577 #define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM                    2
578 #define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2             3
579 
580 #define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY                          0
581 #define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED                     1
582 #define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED                    2
583 #define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED                  3
584 
585 #define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY                      0
586 #define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE                     1
587 #define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT                 2
588 #define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT                   3
589 
590 #define WEBAUTHN_ENTERPRISE_ATTESTATION_NONE                                0
591 #define WEBAUTHN_ENTERPRISE_ATTESTATION_VENDOR_FACILITATED                  1
592 #define WEBAUTHN_ENTERPRISE_ATTESTATION_PLATFORM_MANAGED                    2
593 
594 #define WEBAUTHN_LARGE_BLOB_SUPPORT_NONE                                    0
595 #define WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED                                1
596 #define WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED                               2
597 
598 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_1            1
599 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2            2
600 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3            3
601 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4            4
602 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5            5
603 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6            6
604 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7            7
605 #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION      WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7
606 
607 typedef struct _WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS {
608     // Version of this structure, to allow for modifications in the future.
609     DWORD dwVersion;
610 
611     // Time that the operation is expected to complete within.
612     // This is used as guidance, and can be overridden by the platform.
613     DWORD dwTimeoutMilliseconds;
614 
615     // Credentials used for exclusion.
616     WEBAUTHN_CREDENTIALS CredentialList;
617 
618     // Optional extensions to parse when performing the operation.
619     WEBAUTHN_EXTENSIONS Extensions;
620 
621     // Optional. Platform vs Cross-Platform Authenticators.
622     DWORD dwAuthenticatorAttachment;
623 
624     // Optional. Require key to be resident or not. Defaulting to FALSE.
625     BOOL bRequireResidentKey;
626 
627     // User Verification Requirement.
628     DWORD dwUserVerificationRequirement;
629 
630     // Attestation Conveyance Preference.
631     DWORD dwAttestationConveyancePreference;
632 
633     // Reserved for future Use
634     DWORD dwFlags;
635 
636     //
637     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2
638     //
639 
640     // Cancellation Id - Optional - See WebAuthNGetCancellationId
641     GUID *pCancellationId;
642 
643     //
644     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3
645     //
646 
647     // Exclude Credential List. If present, "CredentialList" will be ignored.
648     PWEBAUTHN_CREDENTIAL_LIST pExcludeCredentialList;
649 
650     //
651     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4
652     //
653 
654     // Enterprise Attestation
655     DWORD dwEnterpriseAttestation;
656 
657     // Large Blob Support: none, required or preferred
658     //
659     // NTE_INVALID_PARAMETER when large blob required or preferred and
660     //   bRequireResidentKey isn't set to TRUE
661     DWORD dwLargeBlobSupport;
662 
663     // Optional. Prefer key to be resident. Defaulting to FALSE. When TRUE,
664     // overrides the above bRequireResidentKey.
665     BOOL bPreferResidentKey;
666 
667     //
668     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5
669     //
670 
671     // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
672     BOOL bBrowserInPrivateMode;
673 
674     //
675     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6
676     //
677 
678     // Enable PRF
679     BOOL bEnablePrf;
680 
681     //
682     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7
683     //
684 
685     // Optional. Linked Device Connection Info.
686     PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice;
687 
688     // Size of pbJsonExt
689     DWORD cbJsonExt;
690     _Field_size_bytes_(cbJsonExt)
691     PBYTE pbJsonExt;
692 } WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
693 typedef const WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
694 
695 #define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_NONE         0
696 #define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_GET          1
697 #define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_SET          2
698 #define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_DELETE       3
699 
700 #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1          1
701 #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2          2
702 #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3          3
703 #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4          4
704 #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5          5
705 #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6          6
706 #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7          7
707 #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION    WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7
708 
709 /*
710     Information about flags.
711 */
712 
713 #define WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG   0x00100000
714 
715 typedef struct _WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS {
716     // Version of this structure, to allow for modifications in the future.
717     DWORD dwVersion;
718 
719     // Time that the operation is expected to complete within.
720     // This is used as guidance, and can be overridden by the platform.
721     DWORD dwTimeoutMilliseconds;
722 
723     // Allowed Credentials List.
724     WEBAUTHN_CREDENTIALS CredentialList;
725 
726     // Optional extensions to parse when performing the operation.
727     WEBAUTHN_EXTENSIONS Extensions;
728 
729     // Optional. Platform vs Cross-Platform Authenticators.
730     DWORD dwAuthenticatorAttachment;
731 
732     // User Verification Requirement.
733     DWORD dwUserVerificationRequirement;
734 
735     // Flags
736     DWORD dwFlags;
737 
738     //
739     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2
740     //
741 
742     // Optional identifier for the U2F AppId. Converted to UTF8 before being hashed. Not lower cased.
743     PCWSTR pwszU2fAppId;
744 
745     // If the following is non-NULL, then, set to TRUE if the above pwszU2fAppid was used instead of
746     // PCWSTR pwszRpId;
747     BOOL *pbU2fAppId;
748 
749     //
750     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3
751     //
752 
753     // Cancellation Id - Optional - See WebAuthNGetCancellationId
754     GUID *pCancellationId;
755 
756     //
757     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4
758     //
759 
760     // Allow Credential List. If present, "CredentialList" will be ignored.
761     PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList;
762 
763     //
764     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5
765     //
766 
767     DWORD dwCredLargeBlobOperation;
768 
769     // Size of pbCredLargeBlob
770     DWORD cbCredLargeBlob;
771     _Field_size_bytes_(cbCredLargeBlob)
772     PBYTE pbCredLargeBlob;
773 
774     //
775     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6
776     //
777 
778     // PRF values which will be converted into HMAC-SECRET values according to WebAuthn Spec.
779     PWEBAUTHN_HMAC_SECRET_SALT_VALUES pHmacSecretSaltValues;
780 
781     // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
782     BOOL bBrowserInPrivateMode;
783 
784     //
785     // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7
786     //
787 
788     // Optional. Linked Device Connection Info.
789     PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice;
790 
791     // Optional. Allowlist MUST contain 1 credential applicable for Hybrid transport.
792     BOOL bAutoFill;
793 
794     // Size of pbJsonExt
795     DWORD cbJsonExt;
796     _Field_size_bytes_(cbJsonExt)
797     PBYTE pbJsonExt;
798 } WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS,  *PWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
799 typedef const WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS  *PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
800 
801 
802 //+------------------------------------------------------------------------------------------
803 // Attestation Info.
804 //
805 //-------------------------------------------------------------------------------------------
806 #define WEBAUTHN_ATTESTATION_DECODE_NONE                                0
807 #define WEBAUTHN_ATTESTATION_DECODE_COMMON                              1
808 // WEBAUTHN_ATTESTATION_DECODE_COMMON supports format types
809 //  L"packed"
810 //  L"fido-u2f"
811 
812 #define WEBAUTHN_ATTESTATION_VER_TPM_2_0   L"2.0"
813 
814 typedef struct _WEBAUTHN_X5C {
815     // Length of X.509 encoded certificate
816     DWORD cbData;
817     // X.509 encoded certificate bytes
818     _Field_size_bytes_(cbData)
819     PBYTE pbData;
820 } WEBAUTHN_X5C, *PWEBAUTHN_X5C;
821 
822 // Supports either Self or Full Basic Attestation
823 
824 // Note, new fields will be added to the following data structure to
825 // support additional attestation format types, such as, TPM.
826 // When fields are added, the dwVersion will be incremented.
827 //
828 // Therefore, your code must make the following check:
829 //  "if (dwVersion >= WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION)"
830 
831 #define WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION                     1
832 
833 typedef struct _WEBAUTHN_COMMON_ATTESTATION {
834     // Version of this structure, to allow for modifications in the future.
835     DWORD dwVersion;
836 
837     // Hash and Padding Algorithm
838     //
839     // The following won't be set for "fido-u2f" which assumes "ES256".
840     PCWSTR pwszAlg;
841     LONG lAlg;      // COSE algorithm
842 
843     // Signature that was generated for this attestation.
844     DWORD cbSignature;
845     _Field_size_bytes_(cbSignature)
846     PBYTE pbSignature;
847 
848     // Following is set for Full Basic Attestation. If not, set then, this is Self Attestation.
849     // Array of X.509 DER encoded certificates. The first certificate is the signer, leaf certificate.
850     DWORD cX5c;
851     _Field_size_(cX5c)
852     PWEBAUTHN_X5C pX5c;
853 
854     // Following are also set for tpm
855     PCWSTR pwszVer; // L"2.0"
856     DWORD cbCertInfo;
857     _Field_size_bytes_(cbCertInfo)
858     PBYTE pbCertInfo;
859     DWORD cbPubArea;
860     _Field_size_bytes_(cbPubArea)
861     PBYTE pbPubArea;
862 } WEBAUTHN_COMMON_ATTESTATION, *PWEBAUTHN_COMMON_ATTESTATION;
863 typedef const WEBAUTHN_COMMON_ATTESTATION *PCWEBAUTHN_COMMON_ATTESTATION;
864 
865 #define WEBAUTHN_ATTESTATION_TYPE_PACKED                                L"packed"
866 #define WEBAUTHN_ATTESTATION_TYPE_U2F                                   L"fido-u2f"
867 #define WEBAUTHN_ATTESTATION_TYPE_TPM                                   L"tpm"
868 #define WEBAUTHN_ATTESTATION_TYPE_NONE                                  L"none"
869 
870 #define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_1               1
871 #define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2               2
872 #define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3               3
873 #define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4               4
874 #define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5               5
875 #define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6               6
876 #define WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION         WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6
877 
878 typedef struct _WEBAUTHN_CREDENTIAL_ATTESTATION {
879     // Version of this structure, to allow for modifications in the future.
880     DWORD dwVersion;
881 
882     // Attestation format type
883     PCWSTR pwszFormatType;
884 
885     // Size of cbAuthenticatorData.
886     DWORD cbAuthenticatorData;
887     // Authenticator data that was created for this credential.
888     _Field_size_bytes_(cbAuthenticatorData)
889     PBYTE pbAuthenticatorData;
890 
891     // Size of CBOR encoded attestation information
892     //0 => encoded as CBOR null value.
893     DWORD cbAttestation;
894     //Encoded CBOR attestation information
895     _Field_size_bytes_(cbAttestation)
896     PBYTE pbAttestation;
897 
898     DWORD dwAttestationDecodeType;
899     // Following depends on the dwAttestationDecodeType
900     //  WEBAUTHN_ATTESTATION_DECODE_NONE
901     //      NULL - not able to decode the CBOR attestation information
902     //  WEBAUTHN_ATTESTATION_DECODE_COMMON
903     //      PWEBAUTHN_COMMON_ATTESTATION;
904     PVOID pvAttestationDecode;
905 
906     // The CBOR encoded Attestation Object to be returned to the RP.
907     DWORD cbAttestationObject;
908     _Field_size_bytes_(cbAttestationObject)
909     PBYTE pbAttestationObject;
910 
911     // The CredentialId bytes extracted from the Authenticator Data.
912     // Used by Edge to return to the RP.
913     DWORD cbCredentialId;
914     _Field_size_bytes_(cbCredentialId)
915     PBYTE pbCredentialId;
916 
917     //
918     // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2
919     //
920 
921     WEBAUTHN_EXTENSIONS Extensions;
922 
923     //
924     // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3
925     //
926 
927     // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
928     // the transport that was used.
929     DWORD dwUsedTransport;
930 
931     //
932     // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4
933     //
934 
935     BOOL bEpAtt;
936     BOOL bLargeBlobSupported;
937     BOOL bResidentKey;
938 
939     //
940     // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5
941     //
942 
943     BOOL bPrfEnabled;
944 
945     //
946     // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6
947     //
948 
949     DWORD cbUnsignedExtensionOutputs;
950     _Field_size_bytes_(cbUnsignedExtensionOutputs)
951     PBYTE pbUnsignedExtensionOutputs;
952 } WEBAUTHN_CREDENTIAL_ATTESTATION, *PWEBAUTHN_CREDENTIAL_ATTESTATION;
953 typedef const WEBAUTHN_CREDENTIAL_ATTESTATION *PCWEBAUTHN_CREDENTIAL_ATTESTATION;
954 
955 
956 //+------------------------------------------------------------------------------------------
957 // authenticatorGetAssertion output.
958 //-------------------------------------------------------------------------------------------
959 
960 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NONE                    0
961 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS                 1
962 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_SUPPORTED           2
963 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_DATA            3
964 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_PARAMETER       4
965 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_FOUND               5
966 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_MULTIPLE_CREDENTIALS    6
967 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_LACK_OF_SPACE           7
968 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_PLATFORM_ERROR          8
969 #define WEBAUTHN_CRED_LARGE_BLOB_STATUS_AUTHENTICATOR_ERROR     9
970 
971 #define WEBAUTHN_ASSERTION_VERSION_1                            1
972 #define WEBAUTHN_ASSERTION_VERSION_2                            2
973 #define WEBAUTHN_ASSERTION_VERSION_3                            3
974 #define WEBAUTHN_ASSERTION_VERSION_4                            4
975 #define WEBAUTHN_ASSERTION_VERSION_5                            5
976 #define WEBAUTHN_ASSERTION_CURRENT_VERSION                      WEBAUTHN_ASSERTION_VERSION_5
977 
978 typedef struct _WEBAUTHN_ASSERTION {
979     // Version of this structure, to allow for modifications in the future.
980     DWORD dwVersion;
981 
982     // Size of cbAuthenticatorData.
983     DWORD cbAuthenticatorData;
984     // Authenticator data that was created for this assertion.
985     _Field_size_bytes_(cbAuthenticatorData)
986     PBYTE pbAuthenticatorData;
987 
988     // Size of pbSignature.
989     DWORD cbSignature;
990     // Signature that was generated for this assertion.
991     _Field_size_bytes_(cbSignature)
992     PBYTE pbSignature;
993 
994     // Credential that was used for this assertion.
995     WEBAUTHN_CREDENTIAL Credential;
996 
997     // Size of User Id
998     DWORD cbUserId;
999     // UserId
1000     _Field_size_bytes_(cbUserId)
1001     PBYTE pbUserId;
1002 
1003     //
1004     // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_2
1005     //
1006 
1007     WEBAUTHN_EXTENSIONS Extensions;
1008 
1009     // Size of pbCredLargeBlob
1010     DWORD cbCredLargeBlob;
1011     _Field_size_bytes_(cbCredLargeBlob)
1012     PBYTE pbCredLargeBlob;
1013 
1014     DWORD dwCredLargeBlobStatus;
1015 
1016     //
1017     // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_3
1018     //
1019 
1020     PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret;
1021 
1022     //
1023     // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_4
1024     //
1025 
1026     // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
1027     // the transport that was used.
1028     DWORD dwUsedTransport;
1029 
1030     //
1031     // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_5
1032     //
1033 
1034     DWORD cbUnsignedExtensionOutputs;
1035     _Field_size_bytes_(cbUnsignedExtensionOutputs)
1036     PBYTE pbUnsignedExtensionOutputs;
1037 } WEBAUTHN_ASSERTION, *PWEBAUTHN_ASSERTION;
1038 typedef const WEBAUTHN_ASSERTION *PCWEBAUTHN_ASSERTION;
1039 
1040 //+------------------------------------------------------------------------------------------
1041 // APIs.
1042 //-------------------------------------------------------------------------------------------
1043 
1044 DWORD
1045 WINAPI
1046 WebAuthNGetApiVersionNumber();
1047 
1048 HRESULT
1049 WINAPI
1050 WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable(
1051     _Out_ BOOL *pbIsUserVerifyingPlatformAuthenticatorAvailable);
1052 
1053 
1054 HRESULT
1055 WINAPI
1056 WebAuthNAuthenticatorMakeCredential(
1057     _In_        HWND                                                hWnd,
1058     _In_        PCWEBAUTHN_RP_ENTITY_INFORMATION                    pRpInformation,
1059     _In_        PCWEBAUTHN_USER_ENTITY_INFORMATION                  pUserInformation,
1060     _In_        PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS               pPubKeyCredParams,
1061     _In_        PCWEBAUTHN_CLIENT_DATA                              pWebAuthNClientData,
1062     _In_opt_    PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    pWebAuthNMakeCredentialOptions,
1063     _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION      *ppWebAuthNCredentialAttestation);
1064 
1065 
1066 HRESULT
1067 WINAPI
1068 WebAuthNAuthenticatorGetAssertion(
1069     _In_        HWND                                                hWnd,
1070     _In_        LPCWSTR                                             pwszRpId,
1071     _In_        PCWEBAUTHN_CLIENT_DATA                              pWebAuthNClientData,
1072     _In_opt_    PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      pWebAuthNGetAssertionOptions,
1073     _Outptr_result_maybenull_ PWEBAUTHN_ASSERTION                   *ppWebAuthNAssertion);
1074 
1075 void
1076 WINAPI
1077 WebAuthNFreeCredentialAttestation(
1078     _In_opt_ PWEBAUTHN_CREDENTIAL_ATTESTATION pWebAuthNCredentialAttestation);
1079 
1080 void
1081 WINAPI
1082 WebAuthNFreeAssertion(
1083     _In_ PWEBAUTHN_ASSERTION pWebAuthNAssertion);
1084 
1085 HRESULT
1086 WINAPI
1087 WebAuthNGetCancellationId(
1088     _Out_ GUID* pCancellationId);
1089 
1090 HRESULT
1091 WINAPI
1092 WebAuthNCancelCurrentOperation(
1093     _In_ const GUID* pCancellationId);
1094 
1095 // Returns NTE_NOT_FOUND when credentials are not found.
1096 HRESULT
1097 WINAPI
1098 WebAuthNGetPlatformCredentialList(
1099     _In_    PCWEBAUTHN_GET_CREDENTIALS_OPTIONS                  pGetCredentialsOptions,
1100     _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST *ppCredentialDetailsList);
1101 
1102 void
1103 WINAPI
1104 WebAuthNFreePlatformCredentialList(
1105     _In_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST  pCredentialDetailsList);
1106 
1107 HRESULT
1108 WINAPI
1109 WebAuthNDeletePlatformCredential(
1110     _In_ DWORD cbCredentialId,
1111     _In_reads_bytes_(cbCredentialId) const BYTE *pbCredentialId
1112     );
1113 
1114 //
1115 // Returns the following Error Names:
1116 //  L"Success"              - S_OK
1117 //  L"InvalidStateError"    - NTE_EXISTS
1118 //  L"ConstraintError"      - HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED),
1119 //                            NTE_NOT_SUPPORTED,
1120 //                            NTE_TOKEN_KEYSET_STORAGE_FULL
1121 //  L"NotSupportedError"    - NTE_INVALID_PARAMETER
1122 //  L"NotAllowedError"      - NTE_DEVICE_NOT_FOUND,
1123 //                            NTE_NOT_FOUND,
1124 //                            HRESULT_FROM_WIN32(ERROR_CANCELLED),
1125 //                            NTE_USER_CANCELLED,
1126 //                            HRESULT_FROM_WIN32(ERROR_TIMEOUT)
1127 //  L"UnknownError"         - All other hr values
1128 //
1129 PCWSTR
1130 WINAPI
1131 WebAuthNGetErrorName(
1132     _In_ HRESULT hr);
1133 
1134 HRESULT
1135 WINAPI
1136 WebAuthNGetW3CExceptionDOMError(
1137     _In_ HRESULT hr);
1138 
1139 
1140 #ifdef __cplusplus
1141 }       // Balance extern "C" above
1142 #endif
1143 
1144 #endif // WINAPI_FAMILY_PARTITION
1145 #ifdef _MSC_VER
1146 #pragma endregion
1147 #endif
1148 
1149 #endif // __WEBAUTHN_H_
1150