// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

#ifndef __WEBAUTHN_H_
#define __WEBAUTHN_H_

#pragma once

#include <winapifamily.h>

#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)

#ifdef __cplusplus
extern "C" {
#endif

#ifndef WINAPI
#define WINAPI __stdcall
#endif

#ifndef INITGUID
#define INITGUID
#include <guiddef.h>
#undef INITGUID
#else
#include <guiddef.h>
#endif

//+------------------------------------------------------------------------------------------
// API Version Information.
// Caller should check for WebAuthNGetApiVersionNumber to check the presence of relevant APIs
// and features for their usage.
//
// Every structure below carries a dwVersion as its first member, and later fields are grouped
// under "The following fields have been added in ..._VERSION_n" comments. Presumably a field is
// only honoured when dwVersion is at least the version that introduced it, so a caller that
// sets an older dwVersion should not rely on newer fields being read — confirm against the
// platform documentation for the API version actually running.
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_API_VERSION_1 1
// WEBAUTHN_API_VERSION_1 : Baseline Version
// Data Structures and their sub versions:
// - WEBAUTHN_RP_ENTITY_INFORMATION : 1
// - WEBAUTHN_USER_ENTITY_INFORMATION : 1
// - WEBAUTHN_CLIENT_DATA : 1
// - WEBAUTHN_COSE_CREDENTIAL_PARAMETER : 1
// - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS : Not Applicable
// - WEBAUTHN_CREDENTIAL : 1
// - WEBAUTHN_CREDENTIALS : Not Applicable
// - WEBAUTHN_CREDENTIAL_EX : 1
// - WEBAUTHN_CREDENTIAL_LIST : Not Applicable
// - WEBAUTHN_EXTENSION : Not Applicable
// - WEBAUTHN_EXTENSIONS : Not Applicable
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 3
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 4
// - WEBAUTHN_COMMON_ATTESTATION : 1
// - WEBAUTHN_CREDENTIAL_ATTESTATION : 3
// - WEBAUTHN_ASSERTION : 1
// Extensions:
// - WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
// APIs:
// - WebAuthNGetApiVersionNumber
// - WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable
// - WebAuthNAuthenticatorMakeCredential
// - WebAuthNAuthenticatorGetAssertion
// - WebAuthNFreeCredentialAttestation
// - WebAuthNFreeAssertion
// - WebAuthNGetCancellationId
// - WebAuthNCancelCurrentOperation
// - WebAuthNGetErrorName
// - WebAuthNGetW3CExceptionDOMError
// Transports:
// - WEBAUTHN_CTAP_TRANSPORT_USB
// - WEBAUTHN_CTAP_TRANSPORT_NFC
// - WEBAUTHN_CTAP_TRANSPORT_BLE
// - WEBAUTHN_CTAP_TRANSPORT_INTERNAL

#define WEBAUTHN_API_VERSION_2 2
// WEBAUTHN_API_VERSION_2 : Delta From WEBAUTHN_API_VERSION_1
// Added Extensions:
// - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
//

#define WEBAUTHN_API_VERSION_3 3
// WEBAUTHN_API_VERSION_3 : Delta From WEBAUTHN_API_VERSION_2
// Data Structures and their sub versions:
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 4
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 5
// - WEBAUTHN_CREDENTIAL_ATTESTATION : 4
// - WEBAUTHN_ASSERTION : 2
// Added Extensions:
// - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
// - WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
//

#define WEBAUTHN_API_VERSION_4 4
// WEBAUTHN_API_VERSION_4 : Delta From WEBAUTHN_API_VERSION_3
// Data Structures and their sub versions:
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 5
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 6
// - WEBAUTHN_ASSERTION : 3
// - WEBAUTHN_GET_CREDENTIALS_OPTIONS : 1
// - WEBAUTHN_CREDENTIAL_DETAILS : 1
// APIs:
// - WebAuthNGetPlatformCredentialList
// - WebAuthNFreePlatformCredentialList
// - WebAuthNDeletePlatformCredential
//

#define WEBAUTHN_API_VERSION_5 5
// WEBAUTHN_API_VERSION_5 : Delta From WEBAUTHN_API_VERSION_4
// Data Structures and their sub versions:
// - WEBAUTHN_CREDENTIAL_DETAILS : 2
// Extension Changes:
// - Enabled LARGE_BLOB Support
//

#define WEBAUTHN_API_VERSION_6 6
// WEBAUTHN_API_VERSION_6 : Delta From WEBAUTHN_API_VERSION_5
// Data Structures and their sub versions:
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 6
// - WEBAUTHN_CREDENTIAL_ATTESTATION : 5
// - WEBAUTHN_ASSERTION : 4
// Transports:
// - WEBAUTHN_CTAP_TRANSPORT_HYBRID

#define WEBAUTHN_API_VERSION_7 7
// WEBAUTHN_API_VERSION_7 : Delta From WEBAUTHN_API_VERSION_6
// Data Structures and their sub versions:
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 7
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 7
// - WEBAUTHN_CREDENTIAL_ATTESTATION : 6
// - WEBAUTHN_ASSERTION : 5

#define WEBAUTHN_API_VERSION_8 8
// WEBAUTHN_API_VERSION_8 : Delta From WEBAUTHN_API_VERSION_7
// Data Structures and their sub versions:
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 8
// - WEBAUTHN_CREDENTIAL_DETAILS : 3
// - WEBAUTHN_CREDENTIAL_ATTESTATION : 7
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 8
//

#define WEBAUTHN_API_VERSION_9 9
// WEBAUTHN_API_VERSION_9 : Delta From WEBAUTHN_API_VERSION_8
// Data Structures and their sub versions:
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 9
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 9
// - WEBAUTHN_ASSERTION : 6
// - WEBAUTHN_CREDENTIAL_DETAILS : 4
// - WEBAUTHN_CREDENTIAL_ATTESTATION : 8
// - WEBAUTHN_AUTHENTICATOR_DETAILS : 1
// - WEBAUTHN_AUTHENTICATOR_DETAILS_LIST : Not Applicable
// APIs:
// - WebAuthNGetAuthenticatorList
// - WebAuthNFreeAuthenticatorList

// The newest API version this header describes. Compare against the value returned by
// WebAuthNGetApiVersionNumber at run time rather than assuming the header's version is present.
#define WEBAUTHN_API_CURRENT_VERSION WEBAUTHN_API_VERSION_9

//+------------------------------------------------------------------------------------------
// Information about an RP Entity
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION 1

typedef struct _WEBAUTHN_RP_ENTITY_INFORMATION {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // Identifier for the RP. This field is required.
    PCWSTR pwszId;

    // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site".
    // This field is required.
    PCWSTR pwszName;

    // Optional URL pointing to RP's logo.
    PCWSTR pwszIcon;
} WEBAUTHN_RP_ENTITY_INFORMATION, *PWEBAUTHN_RP_ENTITY_INFORMATION;
typedef const WEBAUTHN_RP_ENTITY_INFORMATION *PCWEBAUTHN_RP_ENTITY_INFORMATION;

//+------------------------------------------------------------------------------------------
// Information about an User Entity
//-------------------------------------------------------------------------------------------
// Upper bound, in bytes, for a user handle. Presumably applies to
// WEBAUTHN_USER_ENTITY_INFORMATION.cbId below — confirm against the API documentation.
#define WEBAUTHN_MAX_USER_ID_LENGTH 64

#define WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION 1

typedef struct _WEBAUTHN_USER_ENTITY_INFORMATION {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // Identifier for the User. This field is required.
    // cbId is the byte length of the buffer at pbId (see WEBAUTHN_MAX_USER_ID_LENGTH above).
    DWORD cbId;
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Contains a detailed name for this account, such as "john.p.smith@example.com".
    PCWSTR pwszName;

    // Optional URL that can be used to retrieve an image containing the user's current avatar,
    // or a data URI that contains the image data.
    PCWSTR pwszIcon;

    // For User: Contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith".
    PCWSTR pwszDisplayName;
} WEBAUTHN_USER_ENTITY_INFORMATION, *PWEBAUTHN_USER_ENTITY_INFORMATION;
typedef const WEBAUTHN_USER_ENTITY_INFORMATION *PCWEBAUTHN_USER_ENTITY_INFORMATION;

//+------------------------------------------------------------------------------------------
// Information about client data.
//-------------------------------------------------------------------------------------------

// Accepted values for WEBAUTHN_CLIENT_DATA.pwszHashAlgId.
#define WEBAUTHN_HASH_ALGORITHM_SHA_256 L"SHA-256"
#define WEBAUTHN_HASH_ALGORITHM_SHA_384 L"SHA-384"
#define WEBAUTHN_HASH_ALGORITHM_SHA_512 L"SHA-512"

#define WEBAUTHN_CLIENT_DATA_CURRENT_VERSION 1

typedef struct _WEBAUTHN_CLIENT_DATA {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // Size of the pbClientDataJSON field.
    DWORD cbClientDataJSON;
    // UTF-8 encoded JSON serialization of the client data.
    // The bytes are hashed with pwszHashAlgId, so they must be the exact serialization the
    // relying party will later verify against — do not re-serialize after hashing.
    _Field_size_bytes_(cbClientDataJSON)
    PBYTE pbClientDataJSON;

    // Hash algorithm ID used to hash the pbClientDataJSON field.
    // Expected to be one of the WEBAUTHN_HASH_ALGORITHM_* strings above.
    LPCWSTR pwszHashAlgId;
} WEBAUTHN_CLIENT_DATA, *PWEBAUTHN_CLIENT_DATA;
typedef const WEBAUTHN_CLIENT_DATA *PCWEBAUTHN_CLIENT_DATA;

//+------------------------------------------------------------------------------------------
// Information about credential parameters.
//-------------------------------------------------------------------------------------------

// The only credential type defined by this header; used for pwszCredentialType fields.
#define WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY L"public-key"

// COSE algorithm identifiers (negative values, as registered for COSE) accepted in
// WEBAUTHN_COSE_CREDENTIAL_PARAMETER.lAlg.
#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256 -7
#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P384_WITH_SHA384 -35
#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P521_WITH_SHA512 -36

// NOTE(review): the PKCS#1 v1.5 entries are listed for compatibility; relying parties that
// can choose may prefer the ECDSA or RSA-PSS identifiers — confirm against RP policy.
#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA256 -257
#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA384 -258
#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA512 -259

#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA256 -37
#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA384 -38
#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA512 -39

#define WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION 1

// One (credential type, algorithm) pair the caller is willing to accept for a new credential.
typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETER {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Well-known credential type specifying a credential to create.
    // See WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY above.
    LPCWSTR pwszCredentialType;

    // Well-known COSE algorithm specifying the algorithm to use for the credential.
    // One of the WEBAUTHN_COSE_ALGORITHM_* values above.
    LONG lAlg;
} WEBAUTHN_COSE_CREDENTIAL_PARAMETER, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETER *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETER;

// Counted array of WEBAUTHN_COSE_CREDENTIAL_PARAMETER.
typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETERS {
    // Number of elements at pCredentialParameters.
    DWORD cCredentialParameters;
    _Field_size_(cCredentialParameters)
    PWEBAUTHN_COSE_CREDENTIAL_PARAMETER pCredentialParameters;
} WEBAUTHN_COSE_CREDENTIAL_PARAMETERS, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETERS *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;

//+------------------------------------------------------------------------------------------
// Information about credential.
//-------------------------------------------------------------------------------------------
#define WEBAUTHN_CREDENTIAL_CURRENT_VERSION 1

// A credential descriptor without transport information (see WEBAUTHN_CREDENTIAL_EX for one
// that carries dwTransports).
typedef struct _WEBAUTHN_CREDENTIAL {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbID.
    DWORD cbId;
    // Unique ID for this particular credential.
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Well-known credential type specifying what this particular credential is.
    // See WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY.
    LPCWSTR pwszCredentialType;
} WEBAUTHN_CREDENTIAL, *PWEBAUTHN_CREDENTIAL;
typedef const WEBAUTHN_CREDENTIAL *PCWEBAUTHN_CREDENTIAL;

// Counted array of WEBAUTHN_CREDENTIAL (contiguous structs, not pointers).
typedef struct _WEBAUTHN_CREDENTIALS {
    DWORD cCredentials;
    _Field_size_(cCredentials)
    PWEBAUTHN_CREDENTIAL pCredentials;
} WEBAUTHN_CREDENTIALS, *PWEBAUTHN_CREDENTIALS;
typedef const WEBAUTHN_CREDENTIALS *PCWEBAUTHN_CREDENTIALS;

//+------------------------------------------------------------------------------------------
// Information about credential with extra information, such as, dwTransports
//-------------------------------------------------------------------------------------------

// Transport bit flags for dwTransports fields. WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK (0x7F) is the
// OR of all seven bits defined here, including the TEST bit which has no string form below.
#define WEBAUTHN_CTAP_TRANSPORT_USB 0x00000001
#define WEBAUTHN_CTAP_TRANSPORT_NFC 0x00000002
#define WEBAUTHN_CTAP_TRANSPORT_BLE 0x00000004
#define WEBAUTHN_CTAP_TRANSPORT_TEST 0x00000008
#define WEBAUTHN_CTAP_TRANSPORT_INTERNAL 0x00000010
#define WEBAUTHN_CTAP_TRANSPORT_HYBRID 0x00000020
#define WEBAUTHN_CTAP_TRANSPORT_SMART_CARD 0x00000040
#define WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK 0x0000007F

// String forms of the transports above (narrow strings, unlike the L"..." identifiers elsewhere).
#define WEBAUTHN_CTAP_TRANSPORT_USB_STRING "usb"
#define WEBAUTHN_CTAP_TRANSPORT_NFC_STRING "nfc"
#define WEBAUTHN_CTAP_TRANSPORT_BLE_STRING "ble"
#define WEBAUTHN_CTAP_TRANSPORT_SMART_CARD_STRING "smart-card"
#define WEBAUTHN_CTAP_TRANSPORT_HYBRID_STRING "hybrid"
#define WEBAUTHN_CTAP_TRANSPORT_INTERNAL_STRING "internal"

#define WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION 1

typedef struct _WEBAUTHN_CREDENTIAL_EX {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbID.
    DWORD cbId;
    // Unique ID for this particular credential.
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Well-known credential type specifying what this particular credential is.
    LPCWSTR pwszCredentialType;

    // Transports. 0 implies no transport restrictions.
    // Bitwise OR of WEBAUTHN_CTAP_TRANSPORT_* values; bits outside
    // WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK are not defined by this header.
    DWORD dwTransports;
} WEBAUTHN_CREDENTIAL_EX, *PWEBAUTHN_CREDENTIAL_EX;
typedef const WEBAUTHN_CREDENTIAL_EX *PCWEBAUTHN_CREDENTIAL_EX;

//+------------------------------------------------------------------------------------------
// Information about credential list with extra information
//-------------------------------------------------------------------------------------------

// Counted array of POINTERS to WEBAUTHN_CREDENTIAL_EX (unlike WEBAUTHN_CREDENTIALS, which
// holds the structs inline).
typedef struct _WEBAUTHN_CREDENTIAL_LIST {
    DWORD cCredentials;
    _Field_size_(cCredentials)
    PWEBAUTHN_CREDENTIAL_EX *ppCredentials;
} WEBAUTHN_CREDENTIAL_LIST, *PWEBAUTHN_CREDENTIAL_LIST;
typedef const WEBAUTHN_CREDENTIAL_LIST *PCWEBAUTHN_CREDENTIAL_LIST;

//+------------------------------------------------------------------------------------------
// Information about linked devices
//-------------------------------------------------------------------------------------------

#define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1 1
#define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_CURRENT_VERSION CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1

// Deprecated
// Connection state for a previously linked hybrid-transport device. Still referenced by the
// pLinkedDevice members of the MakeCredential / GetAssertion option structures.
typedef struct _CTAPCBOR_HYBRID_STORAGE_LINKED_DATA
{
    // Version
    DWORD dwVersion;

    // Contact Id
    DWORD cbContactId;
    _Field_size_bytes_(cbContactId)
    PBYTE pbContactId;

    // Link Id
    DWORD cbLinkId;
    _Field_size_bytes_(cbLinkId)
    PBYTE pbLinkId;

    // Link secret
    // NOTE(review): this is keying material for the device link; callers that persist or
    // pass this structure around should treat the buffer as sensitive (not logged, cleared
    // when no longer needed).
    DWORD cbLinkSecret;
    _Field_size_bytes_(cbLinkSecret)
    PBYTE pbLinkSecret;

    // Authenticator Public Key
    DWORD cbPublicKey;
    _Field_size_bytes_(cbPublicKey)
    PBYTE pbPublicKey;

    // Authenticator Name
    PCWSTR pwszAuthenticatorName;

    // Tunnel server domain
    // Encoded as a 16-bit value; the decoding scheme is not described in this header.
    WORD wEncodedTunnelServerDomain;
} CTAPCBOR_HYBRID_STORAGE_LINKED_DATA, *PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA;
typedef const CTAPCBOR_HYBRID_STORAGE_LINKED_DATA *PCCTAPCBOR_HYBRID_STORAGE_LINKED_DATA;

//+------------------------------------------------------------------------------------------
// Authenticator Information for WebAuthNGetAuthenticatorList API
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS_VERSION_1 1
#define WEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS_VERSION_1

// Input options for WebAuthNGetAuthenticatorList; currently carries only the version.
typedef struct _WEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

} WEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS;
typedef const WEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS;

#define WEBAUTHN_AUTHENTICATOR_DETAILS_VERSION_1 1
#define WEBAUTHN_AUTHENTICATOR_DETAILS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_DETAILS_VERSION_1

// One entry returned by WebAuthNGetAuthenticatorList.
typedef struct _WEBAUTHN_AUTHENTICATOR_DETAILS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Authenticator ID
    // Opaque; passed back in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS.pbAuthenticatorId.
    DWORD cbAuthenticatorId;
    _Field_size_bytes_(cbAuthenticatorId)
    PBYTE pbAuthenticatorId;

    // Authenticator Name
    PCWSTR pwszAuthenticatorName;

    // Authenticator logo (expected to be in SVG format)
    // NOTE(review): SVG can carry scripts and external references; callers that render this
    // buffer should treat it as untrusted input.
    DWORD cbAuthenticatorLogo;
    _Field_size_bytes_(cbAuthenticatorLogo)
    PBYTE pbAuthenticatorLogo;

    // Is the authenticator currently locked? When locked, this authenticator's credentials
    // might not be present or updated in WebAuthNGetPlatformCredentialList.
    BOOL bLocked;

} WEBAUTHN_AUTHENTICATOR_DETAILS, *PWEBAUTHN_AUTHENTICATOR_DETAILS;
typedef const WEBAUTHN_AUTHENTICATOR_DETAILS *PCWEBAUTHN_AUTHENTICATOR_DETAILS;

// Output of WebAuthNGetAuthenticatorList; release with WebAuthNFreeAuthenticatorList.
typedef struct _WEBAUTHN_AUTHENTICATOR_DETAILS_LIST {
    // Authenticator Details
    DWORD cAuthenticatorDetails;
    _Field_size_(cAuthenticatorDetails)
    PWEBAUTHN_AUTHENTICATOR_DETAILS *ppAuthenticatorDetails;

} WEBAUTHN_AUTHENTICATOR_DETAILS_LIST, *PWEBAUTHN_AUTHENTICATOR_DETAILS_LIST;
typedef const WEBAUTHN_AUTHENTICATOR_DETAILS_LIST *PCWEBAUTHN_AUTHENTICATOR_DETAILS_LIST;

//+------------------------------------------------------------------------------------------
// Credential Information for WebAuthNGetPlatformCredentialList API
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1 1
#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2 2
#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_3 3
#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_4 4
#define WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION WEBAUTHN_CREDENTIAL_DETAILS_VERSION_4

// One platform credential as reported by WebAuthNGetPlatformCredentialList. Check dwVersion
// before reading fields introduced in later versions.
typedef struct _WEBAUTHN_CREDENTIAL_DETAILS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbCredentialID.
    DWORD cbCredentialID;
    _Field_size_bytes_(cbCredentialID)
    PBYTE pbCredentialID;

    // RP Info
    PWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation;

    // User Info
    PWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation;

    // Removable or not.
    BOOL bRemovable;

    //
    // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2
    //

    // Backed Up or not.
    BOOL bBackedUp;

    //
    // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_3
    //
    PCWSTR pwszAuthenticatorName;

    // The logo is expected to be in the svg format
    // NOTE(review): as with WEBAUTHN_AUTHENTICATOR_DETAILS, treat the SVG as untrusted when rendering.
    DWORD cbAuthenticatorLogo;
    _Field_size_bytes_(cbAuthenticatorLogo)
    PBYTE pbAuthenticatorLogo;

    // ThirdPartyPayment Credential or not.
    BOOL bThirdPartyPayment;

    //
    // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_4
    //

    // Applicable Transports
    // Bitwise OR of WEBAUTHN_CTAP_TRANSPORT_* values.
    DWORD dwTransports;

} WEBAUTHN_CREDENTIAL_DETAILS, *PWEBAUTHN_CREDENTIAL_DETAILS;
typedef const WEBAUTHN_CREDENTIAL_DETAILS *PCWEBAUTHN_CREDENTIAL_DETAILS;

// Output of WebAuthNGetPlatformCredentialList; release with WebAuthNFreePlatformCredentialList.
typedef struct _WEBAUTHN_CREDENTIAL_DETAILS_LIST {
    DWORD cCredentialDetails;
    _Field_size_(cCredentialDetails)
    PWEBAUTHN_CREDENTIAL_DETAILS *ppCredentialDetails;
} WEBAUTHN_CREDENTIAL_DETAILS_LIST, *PWEBAUTHN_CREDENTIAL_DETAILS_LIST;
typedef const WEBAUTHN_CREDENTIAL_DETAILS_LIST *PCWEBAUTHN_CREDENTIAL_DETAILS_LIST;

#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1 1
#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_CURRENT_VERSION WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1

// Input options for WebAuthNGetPlatformCredentialList.
typedef struct _WEBAUTHN_GET_CREDENTIALS_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Optional.
    // Presumably restricts the returned list to credentials for this RP ID when non-NULL — confirm.
    LPCWSTR pwszRpId;

    // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;
} WEBAUTHN_GET_CREDENTIALS_OPTIONS, *PWEBAUTHN_GET_CREDENTIALS_OPTIONS;
typedef const WEBAUTHN_GET_CREDENTIALS_OPTIONS *PCWEBAUTHN_GET_CREDENTIALS_OPTIONS;

//+------------------------------------------------------------------------------------------
// PRF values.
//-------------------------------------------------------------------------------------------

// Byte length of a single raw hmac-secret salt.
#define WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH 32

// SALT values below by default are converted into RAW Hmac-Secret values as per PRF extension.
// - SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || Value)
//
// Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS,
// if caller wants to provide RAW Hmac-Secret SALT values directly. In that case,
// values if provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size.

typedef struct _WEBAUTHN_HMAC_SECRET_SALT {
    // Size of pbFirst.
    DWORD cbFirst;
    _Field_size_bytes_(cbFirst)
    PBYTE pbFirst; // Required

    // Size of pbSecond.
    // pbSecond carries no "Required" marker; presumably it may be NULL with cbSecond == 0 — confirm.
    DWORD cbSecond;
    _Field_size_bytes_(cbSecond)
    PBYTE pbSecond;
} WEBAUTHN_HMAC_SECRET_SALT, *PWEBAUTHN_HMAC_SECRET_SALT;
typedef const WEBAUTHN_HMAC_SECRET_SALT *PCWEBAUTHN_HMAC_SECRET_SALT;

// Per-credential PRF salts, keyed by credential ID.
typedef struct _WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT {
    // Size of pbCredID.
    DWORD cbCredID;
    _Field_size_bytes_(cbCredID)
    PBYTE pbCredID; // Required

    // PRF Values for above credential
    PWEBAUTHN_HMAC_SECRET_SALT pHmacSecretSalt; // Required
} WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT, *PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT;
typedef const WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT *PCWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT;

// A global salt plus an optional per-credential list, as used by
// WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS.pHmacSecretSaltValues.
typedef struct _WEBAUTHN_HMAC_SECRET_SALT_VALUES {
    PWEBAUTHN_HMAC_SECRET_SALT pGlobalHmacSalt;

    DWORD cCredWithHmacSecretSaltList;
    _Field_size_(cCredWithHmacSecretSaltList)
    PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT pCredWithHmacSecretSaltList;
} WEBAUTHN_HMAC_SECRET_SALT_VALUES, *PWEBAUTHN_HMAC_SECRET_SALT_VALUES;
typedef const WEBAUTHN_HMAC_SECRET_SALT_VALUES *PCWEBAUTHN_HMAC_SECRET_SALT_VALUES;

//+------------------------------------------------------------------------------------------
// Hmac-Secret extension
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET L"hmac-secret"
// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
// MakeCredential Input Type: BOOL.
// - pvExtension must point to a BOOL with the value TRUE.
// - cbExtension must contain the sizeof(BOOL).
// MakeCredential Output Type: BOOL.
// - pvExtension will point to a BOOL with the value TRUE if credential
// was successfully created with HMAC_SECRET.
// - cbExtension will contain the sizeof(BOOL).
// GetAssertion Input Type: Not Supported
// GetAssertion Output Type: Not Supported

//+------------------------------------------------------------------------------------------
// credProtect extension
//-------------------------------------------------------------------------------------------

// credProtect levels for WEBAUTHN_CRED_PROTECT_EXTENSION_IN.dwCredProtect and the
// MakeCredential output DWORD described below.
#define WEBAUTHN_USER_VERIFICATION_ANY 0
#define WEBAUTHN_USER_VERIFICATION_OPTIONAL 1
#define WEBAUTHN_USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST 2
#define WEBAUTHN_USER_VERIFICATION_REQUIRED 3

typedef struct _WEBAUTHN_CRED_PROTECT_EXTENSION_IN {
    // One of the above WEBAUTHN_USER_VERIFICATION_* values
    DWORD dwCredProtect;
    // Set the following to TRUE to require authenticator support for the credProtect extension
    // Presumably the operation fails on an authenticator without credProtect support rather
    // than creating an unprotected credential — confirm against the API documentation.
    BOOL bRequireCredProtect;
} WEBAUTHN_CRED_PROTECT_EXTENSION_IN, *PWEBAUTHN_CRED_PROTECT_EXTENSION_IN;
typedef const WEBAUTHN_CRED_PROTECT_EXTENSION_IN *PCWEBAUTHN_CRED_PROTECT_EXTENSION_IN;


#define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT L"credProtect"
// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
// MakeCredential Input Type: WEBAUTHN_CRED_PROTECT_EXTENSION_IN.
// - pvExtension must point to a WEBAUTHN_CRED_PROTECT_EXTENSION_IN struct
// - cbExtension will contain the sizeof(WEBAUTHN_CRED_PROTECT_EXTENSION_IN).
//   (NOTE(review): for an input the caller sets cbExtension; the other extensions word this
//   as "must contain" — presumably the same is meant here.)
// MakeCredential Output Type: DWORD.
// - pvExtension will point to a DWORD with one of the above WEBAUTHN_USER_VERIFICATION_* values
// if credential was successfully created with CRED_PROTECT.
// - cbExtension will contain the sizeof(DWORD).
// GetAssertion Input Type: Not Supported
// GetAssertion Output Type: Not Supported

//+------------------------------------------------------------------------------------------
// credBlob extension
//-------------------------------------------------------------------------------------------

// Opaque blob stored with a credential at MakeCredential and returned at GetAssertion.
typedef struct _WEBAUTHN_CRED_BLOB_EXTENSION {
    // Size of pbCredBlob.
    DWORD cbCredBlob;
    _Field_size_bytes_(cbCredBlob)
    PBYTE pbCredBlob;
} WEBAUTHN_CRED_BLOB_EXTENSION, *PWEBAUTHN_CRED_BLOB_EXTENSION;
typedef const WEBAUTHN_CRED_BLOB_EXTENSION *PCWEBAUTHN_CRED_BLOB_EXTENSION;


#define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB L"credBlob"
// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
// MakeCredential Input Type: WEBAUTHN_CRED_BLOB_EXTENSION.
// - pvExtension must point to a WEBAUTHN_CRED_BLOB_EXTENSION struct
// - cbExtension must contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION).
// MakeCredential Output Type: BOOL.
// - pvExtension will point to a BOOL with the value TRUE if credBlob was successfully created
// - cbExtension will contain the sizeof(BOOL).
// GetAssertion Input Type: BOOL.
// - pvExtension must point to a BOOL with the value TRUE to request the credBlob.
// - cbExtension must contain the sizeof(BOOL).
// GetAssertion Output Type: WEBAUTHN_CRED_BLOB_EXTENSION.
// - pvExtension will point to a WEBAUTHN_CRED_BLOB_EXTENSION struct if the authenticator
// returns the credBlob in the signed extensions
// - cbExtension will contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION).
//   The output struct is only present when the authenticator returned the blob, so a consumer
//   should check for the extension's presence (and cbExtension) before reading pbCredBlob.

//+------------------------------------------------------------------------------------------
// minPinLength extension
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH L"minPinLength"
// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
// MakeCredential Input Type: BOOL.
// - pvExtension must point to a BOOL with the value TRUE to request the minPinLength.
// - cbExtension must contain the sizeof(BOOL).
// MakeCredential Output Type: DWORD.
// - pvExtension will point to a DWORD with the minimum pin length if returned by the authenticator
// - cbExtension will contain the sizeof(DWORD).
// GetAssertion Input Type: Not Supported
// GetAssertion Output Type: Not Supported

//+------------------------------------------------------------------------------------------
// Information about Extensions.
//-------------------------------------------------------------------------------------------
// A single extension input or output. The concrete type behind pvExtension is selected by
// pwszExtensionIdentifier (see the per-extension sections above), and cbExtension is that
// type's size. Consumers should compare cbExtension with the expected sizeof() for the
// identifier before casting pvExtension.
typedef struct _WEBAUTHN_EXTENSION {
    // One of the WEBAUTHN_EXTENSIONS_IDENTIFIER_* strings.
    LPCWSTR pwszExtensionIdentifier;
    // Byte size of the data at pvExtension.
    DWORD cbExtension;
    // Extension-specific payload; see the identifier's section for its type.
    PVOID pvExtension;
} WEBAUTHN_EXTENSION, *PWEBAUTHN_EXTENSION;
typedef const WEBAUTHN_EXTENSION *PCWEBAUTHN_EXTENSION;

// Counted array of WEBAUTHN_EXTENSION.
typedef struct _WEBAUTHN_EXTENSIONS {
    DWORD cExtensions;
    _Field_size_(cExtensions)
    PWEBAUTHN_EXTENSION pExtensions;
} WEBAUTHN_EXTENSIONS, *PWEBAUTHN_EXTENSIONS;
typedef const WEBAUTHN_EXTENSIONS *PCWEBAUTHN_EXTENSIONS;

//+------------------------------------------------------------------------------------------
// Options.
//-------------------------------------------------------------------------------------------

// Values for dwAuthenticatorAttachment.
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY 0
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM 1
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM 2
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2 3

// Values for dwUserVerificationRequirement. Distinct from the WEBAUTHN_USER_VERIFICATION_*
// credProtect levels defined earlier, despite the similar names.
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY 0
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED 1
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED 2
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED 3

// Values for dwAttestationConveyancePreference.
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY 0
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE 1
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT 2
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT 3

// Values for dwEnterpriseAttestation.
#define WEBAUTHN_ENTERPRISE_ATTESTATION_NONE 0
#define WEBAUTHN_ENTERPRISE_ATTESTATION_VENDOR_FACILITATED 1
#define WEBAUTHN_ENTERPRISE_ATTESTATION_PLATFORM_MANAGED 2

// Values for dwLargeBlobSupport.
#define WEBAUTHN_LARGE_BLOB_SUPPORT_NONE 0
#define WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED 1
#define WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED 2

// Values for the ppwszCredentialHints arrays.
#define WEBAUTHN_CREDENTIAL_HINT_SECURITY_KEY L"security-key"
#define WEBAUTHN_CREDENTIAL_HINT_CLIENT_DEVICE L"client-device"
#define WEBAUTHN_CREDENTIAL_HINT_HYBRID L"hybrid"

#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_1 1
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 2
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 3
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 4
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 5
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6 6
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7 7
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_8 8
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_9 9
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_9

// Options for WebAuthNAuthenticatorMakeCredential. Fields are grouped by the structure
// version that introduced them; set dwVersion to match the fields actually populated.
typedef struct _WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Time that the operation is expected to complete within.
    // This is used as guidance, and can be overridden by the platform.
    DWORD dwTimeoutMilliseconds;

    // Credentials used for exclusion.
    // Superseded by pExcludeCredentialList (VERSION_3) when that pointer is non-NULL.
    WEBAUTHN_CREDENTIALS CredentialList;

    // Optional extensions to parse when performing the operation.
    WEBAUTHN_EXTENSIONS Extensions;

    // Optional. Platform vs Cross-Platform Authenticators.
    // One of the WEBAUTHN_AUTHENTICATOR_ATTACHMENT_* values.
    DWORD dwAuthenticatorAttachment;

    // Optional. Require key to be resident or not. Defaulting to FALSE.
    BOOL bRequireResidentKey;

    // User Verification Requirement.
    // One of the WEBAUTHN_USER_VERIFICATION_REQUIREMENT_* values.
    DWORD dwUserVerificationRequirement;

    // Attestation Conveyance Preference.
    // One of the WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_* values.
    DWORD dwAttestationConveyancePreference;

    // Reserved for future Use
    // NOTE(review): despite "Reserved", the pPRFGlobalEval comment below (VERSION_8) directs
    // callers to set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in this field; otherwise
    // leave it zero.
    DWORD dwFlags;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2
    //

    // Cancellation Id - Optional - See WebAuthNGetCancellationId
    GUID *pCancellationId;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3
    //

    // Exclude Credential List. If present, "CredentialList" will be ignored.
    PWEBAUTHN_CREDENTIAL_LIST pExcludeCredentialList;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4
    //

    // Enterprise Attestation
    // One of the WEBAUTHN_ENTERPRISE_ATTESTATION_* values.
    DWORD dwEnterpriseAttestation;

    // Large Blob Support: none, required or preferred
    //
    // NTE_INVALID_PARAMETER when large blob required or preferred and
    // bRequireResidentKey isn't set to TRUE
    DWORD dwLargeBlobSupport;

    // Optional. Prefer key to be resident. Defaulting to FALSE. When TRUE,
    // overrides the above bRequireResidentKey.
    BOOL bPreferResidentKey;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5
    //

    // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6
    //

    // Enable PRF
    BOOL bEnablePrf;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7
    //

    // Deprecated
    // Optional. Linked Device Connection Info.
    PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice;

    // Size of pbJsonExt
    // The encoding and schema of pbJsonExt are not described in this header.
    DWORD cbJsonExt;
    _Field_size_bytes_(cbJsonExt)
    PBYTE pbJsonExt;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_8
    //

    // PRF extension "eval" values which will be converted into HMAC-SECRET values according to WebAuthn Spec.
    // Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags above, if caller wants to provide RAW Hmac-Secret SALT values directly.
    // In that case, values provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size.
    PWEBAUTHN_HMAC_SECRET_SALT pPRFGlobalEval;

    // PublicKeyCredentialHints (https://w3c.github.io/webauthn/#enum-hints)
    // Array of WEBAUTHN_CREDENTIAL_HINT_* strings.
    DWORD cCredentialHints;
    _Field_size_(cCredentialHints)
    LPCWSTR *ppwszCredentialHints;

    // Enable ThirdPartyPayment
    BOOL bThirdPartyPayment;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_9
    //

    // Web Origin. For Remote Web App scenario.
    // NOTE(review): the origin is what the credential is bound to; callers should supply the
    // origin they have verified for the remote app rather than one taken from untrusted input.
    PCWSTR pwszRemoteWebOrigin;

    // UTF-8 encoded JSON serialization of the PublicKeyCredentialCreationOptions.
    DWORD cbPublicKeyCredentialCreationOptionsJSON;
    _Field_size_bytes_(cbPublicKeyCredentialCreationOptionsJSON)
    PBYTE pbPublicKeyCredentialCreationOptionsJSON;

    // Authenticator ID got from WebAuthNGetAuthenticatorList API.
    // See WEBAUTHN_AUTHENTICATOR_DETAILS.pbAuthenticatorId.
    DWORD cbAuthenticatorId;
    _Field_size_bytes_(cbAuthenticatorId)
    PBYTE pbAuthenticatorId;

} WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
typedef const WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;

// Values for WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS.dwCredLargeBlobOperation.
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_NONE 0
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_GET 1
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_SET 2
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_DELETE 3

#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1 1
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2 2
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3 3
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4 4
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5 5
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 6
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7 7
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_8 8
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_9 9

#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_9

/*
Information about flags.

WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG is a bit for the dwFlags member of the
options structures. Its documented meaning (see pPRFGlobalEval in
WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS) is that the caller supplies RAW
hmac-secret SALT values, each exactly WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH bytes,
instead of PRF "eval" inputs that the platform converts first. Whether the same flag
also governs pHmacSecretSaltValues in the get-assertion options below is not stated
in this header -- confirm before relying on it.
*/

#define WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG 0x00100000

//
// Input to WebAuthNAuthenticatorGetAssertion (declared in the API section below).
//
// Versioning: members below an "added in ..._VERSION_n" banner are part of the
// structure only when dwVersion >= n. Zero-initialize the structure, populate what
// you need, and set dwVersion to the smallest version that covers the newest member
// you populated. Pointer members are optional unless their comment says otherwise.
//
typedef struct _WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    // One of WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1 .. _9.
    DWORD dwVersion;

    // Time that the operation is expected to complete within.
    // This is used as guidance, and can be overridden by the platform.
    DWORD dwTimeoutMilliseconds;

    // Allowed Credentials List.
    // Superseded by pAllowCredentialList (VERSION_4) when that member is non-NULL.
    WEBAUTHN_CREDENTIALS CredentialList;

    // Optional extensions to parse when performing the operation.
    WEBAUTHN_EXTENSIONS Extensions;

    // Optional. Platform vs Cross-Platform Authenticators.
    DWORD dwAuthenticatorAttachment;

    // User Verification Requirement.
    DWORD dwUserVerificationRequirement;

    // Flags
    // Bitmask. WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG (above) is the only flag
    // defined in this header.
    DWORD dwFlags;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2
    //

    // Optional identifier for the U2F AppId. Converted to UTF8 before being hashed. Not lower cased.
    // Lets credentials registered under a legacy FIDO U2F AppId (rather than an RP ID) be
    // exercised. NOTE(review): per the WebAuthn "appid" extension, when the AppId is used the
    // RP must compare rpIdHash in the authenticator data against SHA-256(AppId), not
    // SHA-256(rpId) -- confirm against the spec before relying on this.
    PCWSTR pwszU2fAppId;

    // If the following is non-NULL, then, set to TRUE if the above pwszU2fAppid was used instead of
    // PCWSTR pwszRpId;
    // (Output member.) Forward the result to the RP together with the assertion; without it
    // the RP cannot tell which identifier hash the signature is bound to.
    BOOL *pbU2fAppId;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3
    //

    // Cancellation Id - Optional - See WebAuthNGetCancellationId
    // Obtain the GUID before the call; WebAuthNCancelCurrentOperation with the same GUID
    // aborts the in-flight operation.
    GUID *pCancellationId;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4
    //

    // Allow Credential List. If present, "CredentialList" will be ignored.
    PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5
    //

    // One of WEBAUTHN_CRED_LARGE_BLOB_OPERATION_NONE / _GET / _SET / _DELETE.
    DWORD dwCredLargeBlobOperation;

    // Size of pbCredLargeBlob
    DWORD cbCredLargeBlob;
    // Presumably the payload for the _SET operation; the result of a _GET comes back in
    // WEBAUTHN_ASSERTION.pbCredLargeBlob together with a dwCredLargeBlobStatus code.
    _Field_size_bytes_(cbCredLargeBlob)
    PBYTE pbCredLargeBlob;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6
    //

    // PRF values which will be converted into HMAC-SECRET values according to WebAuthn Spec.
    // The derived outputs are returned in WEBAUTHN_ASSERTION.pHmacSecret.
    PWEBAUTHN_HMAC_SECRET_SALT_VALUES pHmacSecretSaltValues;

    // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7
    //

    // Deprecated
    // Optional. Linked Device Connection Info.
    // New code should leave this NULL.
    PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice;

    // Optional. Allowlist MUST contain 1 credential applicable for Hybrid transport.
    BOOL bAutoFill;

    // Size of pbJsonExt
    DWORD cbJsonExt;
    // Extension inputs supplied as raw JSON bytes (encoding not stated here; UTF-8 presumed,
    // matching the other JSON members in this header).
    _Field_size_bytes_(cbJsonExt)
    PBYTE pbJsonExt;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_8
    //

    // PublicKeyCredentialHints (https://w3c.github.io/webauthn/#enum-hints)
    // cCredentialHints strings taken from that enum.
    DWORD cCredentialHints;
    _Field_size_(cCredentialHints)
    LPCWSTR *ppwszCredentialHints;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_9
    //

    // Web Origin. For Remote Web App scenario.
    // NOTE(review): this header does not say how the platform validates an origin supplied
    // here. Presumably it is the origin that ends up bound into the client data / checked
    // against the RP ID, so pass only an origin the caller has itself authenticated; an
    // attacker-controlled value would let this process request assertions scoped to another
    // site. Confirm with the platform documentation.
    PCWSTR pwszRemoteWebOrigin;

    // UTF-8 encoded JSON serialization of the PublicKeyCredentialRequestOptions.
    // Precedence between this blob and the individual members above, when both are
    // populated, is not stated in this header -- populate one form consistently.
    DWORD cbPublicKeyCredentialRequestOptionsJSON;
    _Field_size_bytes_(cbPublicKeyCredentialRequestOptionsJSON)
    PBYTE pbPublicKeyCredentialRequestOptionsJSON;

    // Authenticator ID got from WebAuthNGetAuthenticatorList API.
    // Opaque bytes; presumably pins the request to that one enumerated authenticator.
    DWORD cbAuthenticatorId;
    _Field_size_bytes_(cbAuthenticatorId)
    PBYTE pbAuthenticatorId;

} WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
typedef const WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;


//+------------------------------------------------------------------------------------------
// Attestation Info.
//
// How the platform hands back the attestation statement produced by MakeCredential:
// always as raw CBOR (pbAttestation / pbAttestationObject) and, for the formats it
// knows how to decode, additionally as a WEBAUTHN_COMMON_ATTESTATION.
//-------------------------------------------------------------------------------------------
#define WEBAUTHN_ATTESTATION_DECODE_NONE 0
#define WEBAUTHN_ATTESTATION_DECODE_COMMON 1
// WEBAUTHN_ATTESTATION_DECODE_COMMON supports format types
//  L"packed"
//  L"fido-u2f"

// Value of WEBAUTHN_COMMON_ATTESTATION.pwszVer for TPM attestation statements.
#define WEBAUTHN_ATTESTATION_VER_TPM_2_0 L"2.0"

// One element of the attestation certificate chain (see WEBAUTHN_COMMON_ATTESTATION.pX5c).
typedef struct _WEBAUTHN_X5C {
    // Length of X.509 encoded certificate
    DWORD cbData;
    // X.509 encoded certificate bytes
    // DER encoding, per the pX5c comment below.
    _Field_size_bytes_(cbData)
    PBYTE pbData;
} WEBAUTHN_X5C, *PWEBAUTHN_X5C;

// Supports either Self or Full Basic Attestation

// Note, new fields will be added to the following data structure to
// support additional attestation format types, such as, TPM.
// When fields are added, the dwVersion will be incremented.
//
// Therefore, your code must make the following check:
//  "if (dwVersion >= WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION)"
//
// NOTE(review): taken literally, that check makes a caller built against a newer header
// reject a structure produced by an older webauthn.dll even when the members it actually
// reads are present. The robust form is to gate each member on the version that
// introduced it (today every member is version 1).

#define WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION 1

//
// Decoded view of an attestation statement, reached through
// WEBAUTHN_CREDENTIAL_ATTESTATION.pvAttestationDecode when dwAttestationDecodeType is
// WEBAUTHN_ATTESTATION_DECODE_COMMON.
//
// NOTE(review): this is a decode, not a verification. Nothing in this header says the
// platform has checked pbSignature or the pX5c chain; a relying party still has to
// verify the signature and chain the leaf certificate to a root it trusts before it
// relies on anything the attestation claims.
//
typedef struct _WEBAUTHN_COMMON_ATTESTATION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Hash and Padding Algorithm
    //
    // The following won't be set for "fido-u2f" which assumes "ES256".
    // Do not read lAlg as meaningful for "fido-u2f" -- it is documented as unset there.
    PCWSTR pwszAlg;
    LONG lAlg;      // COSE algorithm

    // Signature that was generated for this attestation.
    // Raw signature bytes; what they cover is defined by the attestation format.
    DWORD cbSignature;
    _Field_size_bytes_(cbSignature)
    PBYTE pbSignature;

    // Following is set for Full Basic Attestation. If not, set then, this is Self Attestation.
    // Array of X.509 DER encoded certificates. The first certificate is the signer, leaf certificate.
    // cX5c == 0 / pX5c == NULL therefore means self attestation, which per WebAuthn is made
    // with the credential's own key and says nothing about the authenticator's provenance.
    DWORD cX5c;
    _Field_size_(cX5c)
    PWEBAUTHN_X5C pX5c;

    // Following are also set for tpm
    // NOTE(review): the WEBAUTHN_ATTESTATION_DECODE_COMMON comment above lists only "packed"
    // and "fido-u2f", so whether a "tpm" statement is ever decoded into this structure is
    // not settled by this header. Treat these as possibly unset and fall back to the raw
    // pbAttestation when pwszFormatType is WEBAUTHN_ATTESTATION_TYPE_TPM.
    PCWSTR pwszVer; // L"2.0" -- WEBAUTHN_ATTESTATION_VER_TPM_2_0
    DWORD cbCertInfo;
    _Field_size_bytes_(cbCertInfo)
    PBYTE pbCertInfo;
    DWORD cbPubArea;
    _Field_size_bytes_(cbPubArea)
    PBYTE pbPubArea;
} WEBAUTHN_COMMON_ATTESTATION, *PWEBAUTHN_COMMON_ATTESTATION;
typedef const WEBAUTHN_COMMON_ATTESTATION *PCWEBAUTHN_COMMON_ATTESTATION;

// Values of WEBAUTHN_CREDENTIAL_ATTESTATION.pwszFormatType.
#define WEBAUTHN_ATTESTATION_TYPE_PACKED L"packed"
#define WEBAUTHN_ATTESTATION_TYPE_U2F L"fido-u2f"
#define WEBAUTHN_ATTESTATION_TYPE_TPM L"tpm"
#define WEBAUTHN_ATTESTATION_TYPE_NONE L"none"

#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_1 1
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2 2
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3 3
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4 4
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5 5
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6 6
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_7 7
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_8 8
#define WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_8

//
// Output of WebAuthNAuthenticatorMakeCredential. Allocated by the platform; release it
// with WebAuthNFreeCredentialAttestation. Members below a "added in ..._VERSION_n"
// banner are present only when dwVersion >= n -- the webauthn.dll on the machine may be
// older than this header, so check before reading them.
//
typedef struct _WEBAUTHN_CREDENTIAL_ATTESTATION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Attestation format type
    // One of the WEBAUTHN_ATTESTATION_TYPE_* strings above.
    PCWSTR pwszFormatType;

    // Size of cbAuthenticatorData.
    DWORD cbAuthenticatorData;
    // Authenticator data that was created for this credential.
    _Field_size_bytes_(cbAuthenticatorData)
    PBYTE pbAuthenticatorData;

    // Size of CBOR encoded attestation information
    //0 => encoded as CBOR null value.
    DWORD cbAttestation;
    //Encoded CBOR attestation information
    _Field_size_bytes_(cbAttestation)
    PBYTE pbAttestation;

    // WEBAUTHN_ATTESTATION_DECODE_NONE or WEBAUTHN_ATTESTATION_DECODE_COMMON.
    DWORD dwAttestationDecodeType;
    // Following depends on the dwAttestationDecodeType
    //  WEBAUTHN_ATTESTATION_DECODE_NONE
    //      NULL - not able to decode the CBOR attestation information
    //  WEBAUTHN_ATTESTATION_DECODE_COMMON
    //      PWEBAUTHN_COMMON_ATTESTATION;
    // Cast only after checking dwAttestationDecodeType. A failed decode is not a failed
    // call; the raw pbAttestation / pbAttestationObject are what the RP verifies anyway.
    PVOID pvAttestationDecode;

    // The CBOR encoded Attestation Object to be returned to the RP.
    // Forward byte-for-byte; the RP parses and verifies it itself.
    DWORD cbAttestationObject;
    _Field_size_bytes_(cbAttestationObject)
    PBYTE pbAttestationObject;

    // The CredentialId bytes extracted from the Authenticator Data.
    // Used by Edge to return to the RP.
    DWORD cbCredentialId;
    _Field_size_bytes_(cbCredentialId)
    PBYTE pbCredentialId;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2
    //

    // Extension outputs.
    WEBAUTHN_EXTENSIONS Extensions;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3
    //

    // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
    // the transport that was used.
    DWORD dwUsedTransport;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4
    //

    // TRUE if enterprise attestation was returned (requested through dwEnterpriseAttestation
    // in the make-credential options). NOTE(review): per CTAP, enterprise attestation may
    // uniquely identify the authenticator; only request it where policy allows.
    BOOL bEpAtt;
    // TRUE if the credential supports the large blob feature (see dwLargeBlobSupport).
    BOOL bLargeBlobSupported;
    // TRUE if the credential was created as a resident key.
    BOOL bResidentKey;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5
    //

    // TRUE if the PRF / hmac-secret extension was enabled for the credential (see bEnablePrf).
    BOOL bPrfEnabled;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6
    //

    // Presumably extension outputs that are not covered by the authenticator signature (the
    // name suggests so); if that is right they carry no authenticator guarantee and should
    // be treated as client-provided data.
    DWORD cbUnsignedExtensionOutputs;
    _Field_size_bytes_(cbUnsignedExtensionOutputs)
    PBYTE pbUnsignedExtensionOutputs;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_7
    //

    // hmac-secret / PRF output for the new credential, when requested.
    // NOTE(review): presumably secret material derived on the authenticator -- keep it out
    // of logs. This header does not say whether WebAuthNFreeCredentialAttestation zeroes it.
    PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret;

    // ThirdPartyPayment Credential or not.
    BOOL bThirdPartyPayment;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_8
    //

    // Multiple WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
    // the transports that are supported.
    // (Contrast dwUsedTransport above, which names the single transport actually used.)
    DWORD dwTransports;

    // UTF-8 encoded JSON serialization of the client data.
    // Per WebAuthn the attestation signature covers SHA-256 of exactly these bytes, so hand
    // them to the RP unmodified -- re-serializing the JSON would break verification.
    DWORD cbClientDataJSON;
    _Field_size_bytes_(cbClientDataJSON)
    PBYTE pbClientDataJSON;

    // UTF-8 encoded JSON serialization of the RegistrationResponse.
    // Ready-made response JSON for callers that forward the whole credential to the RP.
    DWORD cbRegistrationResponseJSON;
    _Field_size_bytes_(cbRegistrationResponseJSON)
    PBYTE pbRegistrationResponseJSON;

} WEBAUTHN_CREDENTIAL_ATTESTATION, *PWEBAUTHN_CREDENTIAL_ATTESTATION;
typedef const WEBAUTHN_CREDENTIAL_ATTESTATION *PCWEBAUTHN_CREDENTIAL_ATTESTATION;


//+------------------------------------------------------------------------------------------
// authenticatorGetAssertion output.
//-------------------------------------------------------------------------------------------

// Values of WEBAUTHN_ASSERTION.dwCredLargeBlobStatus. Only _SUCCESS means pbCredLargeBlob
// holds valid data; _NONE is presumably what is reported when no large blob operation was
// requested.
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NONE 0
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS 1
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_SUPPORTED 2
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_DATA 3
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_PARAMETER 4
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_FOUND 5
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_MULTIPLE_CREDENTIALS 6
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_LACK_OF_SPACE 7
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_PLATFORM_ERROR 8
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_AUTHENTICATOR_ERROR 9

#define WEBAUTHN_ASSERTION_VERSION_1 1
#define WEBAUTHN_ASSERTION_VERSION_2 2
#define WEBAUTHN_ASSERTION_VERSION_3 3
#define WEBAUTHN_ASSERTION_VERSION_4 4
#define WEBAUTHN_ASSERTION_VERSION_5 5
#define WEBAUTHN_ASSERTION_VERSION_6 6
#define WEBAUTHN_ASSERTION_CURRENT_VERSION WEBAUTHN_ASSERTION_VERSION_6

//
// Output of WebAuthNAuthenticatorGetAssertion. Allocated by the platform; release it with
// WebAuthNFreeAssertion (annotated _In_, not _In_opt_ -- do not pass NULL). Members below
// a "added in ..._VERSION_n" banner are present only when dwVersion >= n; check before
// reading them, since the webauthn.dll on the machine may be older than this header.
//
typedef struct _WEBAUTHN_ASSERTION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of cbAuthenticatorData.
    DWORD cbAuthenticatorData;
    // Authenticator data that was created for this assertion.
    _Field_size_bytes_(cbAuthenticatorData)
    PBYTE pbAuthenticatorData;

    // Size of pbSignature.
    DWORD cbSignature;
    // Signature that was generated for this assertion.
    // Per WebAuthn it covers pbAuthenticatorData || SHA-256(pbClientDataJSON); the RP
    // verifies it with the public key it stored at registration.
    _Field_size_bytes_(cbSignature)
    PBYTE pbSignature;

    // Credential that was used for this assertion.
    // The RP should confirm the id is one it issued (and, if it sent an allow list, one
    // that was in it) before looking up the verification key.
    WEBAUTHN_CREDENTIAL Credential;

    // Size of User Id
    DWORD cbUserId;
    // UserId
    // The user handle stored with the credential: opaque bytes the RP chose at
    // registration, which per WebAuthn it uses to locate the account in discoverable-
    // credential flows. Presumably cbUserId == 0 when the authenticator returned none --
    // confirm.
    _Field_size_bytes_(cbUserId)
    PBYTE pbUserId;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_2
    //

    // Extension outputs.
    WEBAUTHN_EXTENSIONS Extensions;

    // Size of pbCredLargeBlob
    DWORD cbCredLargeBlob;
    // Large blob read back by a WEBAUTHN_CRED_LARGE_BLOB_OPERATION_GET request.
    // Consult dwCredLargeBlobStatus before using it.
    _Field_size_bytes_(cbCredLargeBlob)
    PBYTE pbCredLargeBlob;

    // One of WEBAUTHN_CRED_LARGE_BLOB_STATUS_*.
    DWORD dwCredLargeBlobStatus;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_3
    //

    // hmac-secret / PRF outputs derived from pHmacSecretSaltValues in the request options.
    // NOTE(review): presumably key material -- keep it out of logs; whether
    // WebAuthNFreeAssertion zeroes it is not stated in this header.
    PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_4
    //

    // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
    // the transport that was used.
    DWORD dwUsedTransport;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_5
    //

    // Presumably extension outputs not covered by the authenticator signature (the name
    // suggests so); if that is right they carry no authenticator guarantee.
    DWORD cbUnsignedExtensionOutputs;
    _Field_size_bytes_(cbUnsignedExtensionOutputs)
    PBYTE pbUnsignedExtensionOutputs;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_6
    //

    // UTF-8 encoded JSON serialization of the client data.
    // Hand these exact bytes to the RP: the signature is over their hash, so any
    // re-serialization breaks verification.
    DWORD cbClientDataJSON;
    _Field_size_bytes_(cbClientDataJSON)
    PBYTE pbClientDataJSON;

    // UTF-8 encoded JSON serialization of the AuthenticationResponse.
    // Ready-made response JSON for callers that forward the whole credential to the RP.
    DWORD cbAuthenticationResponseJSON;
    _Field_size_bytes_(cbAuthenticationResponseJSON)
    PBYTE pbAuthenticationResponseJSON;

} WEBAUTHN_ASSERTION, *PWEBAUTHN_ASSERTION;
typedef const WEBAUTHN_ASSERTION *PCWEBAUTHN_ASSERTION;

//+------------------------------------------------------------------------------------------
// APIs.
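//-------------------------------------------------------------------------------------------
//
// All entry points are exported by webauthn.dll. Before using a structure version or an
// API newer than the baseline, compare WebAuthNGetApiVersionNumber() against the
// WEBAUTHN_API_VERSION_* that introduced it: the DLL on the machine may be older than this
// header. Out-parameters annotated _Outptr_result_maybenull_ are valid only when the
// HRESULT succeeds, and every structure the platform returns must be released with its
// matching WebAuthNFree* function.
//

// Returns the WEBAUTHN_API_VERSION_* implemented by the installed webauthn.dll.
// Declared with (void) rather than () so that C callers get a real prototype -- in C an
// empty parameter list declares a function taking unspecified arguments, which would let
// a call with stray arguments compile silently. No change for C++ callers.
DWORD
WINAPI
WebAuthNGetApiVersionNumber(void);

// Sets *pbIsUserVerifyingPlatformAuthenticatorAvailable to TRUE if a platform
// authenticator capable of user verification is present. Treat the out value as
// unspecified when the HRESULT fails.
HRESULT
WINAPI
WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable(
    _Out_ BOOL *pbIsUserVerifyingPlatformAuthenticatorAvailable);


// Creates a new credential (WebAuthn "create" / CTAP authenticatorMakeCredential).
//   hWnd                            - presumably the owner window for platform UI.
//   pRpInformation                  - relying party entity.
//   pUserInformation                - user entity the credential is bound to.
//   pPubKeyCredParams               - acceptable COSE credential parameters.
//   pWebAuthNClientData             - client data (per WebAuthn its hash is what the
//                                     authenticator signs over).
//   pWebAuthNMakeCredentialOptions  - optional; WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS
//                                     with dwVersion set to match the members populated.
//   ppWebAuthNCredentialAttestation - receives the attestation on success; release with
//                                     WebAuthNFreeCredentialAttestation.
HRESULT
WINAPI
WebAuthNAuthenticatorMakeCredential(
    _In_ HWND hWnd,
    _In_ PCWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation,
    _In_ PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation,
    _In_ PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS pPubKeyCredParams,
    _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
    _In_opt_ PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS pWebAuthNMakeCredentialOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION *ppWebAuthNCredentialAttestation);


// Produces an assertion with an existing credential (WebAuthn "get" / CTAP
// authenticatorGetAssertion).
//   hWnd                        - presumably the owner window for platform UI.
//   pwszRpId                    - the RP ID the credential is scoped to (see pwszU2fAppId in
//                                 the options for the legacy U2F AppId fallback).
//   pWebAuthNClientData         - client data; per WebAuthn its hash is what gets signed.
//   pWebAuthNGetAssertionOptions - optional; WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS
//                                 with dwVersion set to match the members populated.
//   ppWebAuthNAssertion         - receives the assertion on success; release with
//                                 WebAuthNFreeAssertion.
HRESULT
WINAPI
WebAuthNAuthenticatorGetAssertion(
    _In_ HWND hWnd,
    _In_ LPCWSTR pwszRpId,
    _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
    _In_opt_ PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS pWebAuthNGetAssertionOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_ASSERTION *ppWebAuthNAssertion);

// Releases a structure returned by WebAuthNAuthenticatorMakeCredential. NULL is accepted
// (_In_opt_).
void
WINAPI
WebAuthNFreeCredentialAttestation(
    _In_opt_ PWEBAUTHN_CREDENTIAL_ATTESTATION pWebAuthNCredentialAttestation);

// Releases a structure returned by WebAuthNAuthenticatorGetAssertion. Unlike the
// attestation variant this parameter is annotated _In_, so NULL-check before calling.
// NOTE(review): whether secret-bearing members (pHmacSecret) are zeroed before the memory
// is released is not stated in this header.
void
WINAPI
WebAuthNFreeAssertion(
    _In_ PWEBAUTHN_ASSERTION pWebAuthNAssertion);

// Obtains a GUID to place in the pCancellationId member of the options structures so that
// the in-flight operation can later be aborted with WebAuthNCancelCurrentOperation.
HRESULT
WINAPI
WebAuthNGetCancellationId(
    _Out_ GUID* pCancellationId);

// Aborts the operation that was started with the given cancellation id.
HRESULT
WINAPI
WebAuthNCancelCurrentOperation(
    _In_ const GUID* pCancellationId);

// Returns NTE_NOT_FOUND when credentials are not found.
// Enumerates credentials stored by the platform authenticator, filtered by
// pGetCredentialsOptions (declared earlier in this header). Release the result with
// WebAuthNFreePlatformCredentialList.
HRESULT
WINAPI
WebAuthNGetPlatformCredentialList(
    _In_ PCWEBAUTHN_GET_CREDENTIALS_OPTIONS pGetCredentialsOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST *ppCredentialDetailsList);

// Releases a list returned by WebAuthNGetPlatformCredentialList.
void
WINAPI
WebAuthNFreePlatformCredentialList(
    _In_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList);

// Deletes the platform credential with the given credential id. Destructive; whether the
// platform prompts the user before deleting is not stated in this header.
HRESULT
WINAPI
WebAuthNDeletePlatformCredential(
    _In_ DWORD cbCredentialId,
    _In_reads_bytes_(cbCredentialId) const BYTE *pbCredentialId
    );

// Returns NTE_NOT_FOUND when authenticator details are not found.
// Enumerates available authenticators; an authenticator id from the result can be passed
// back as pbAuthenticatorId in the options structures to target that authenticator.
// Release the result with WebAuthNFreeAuthenticatorList.
HRESULT
WINAPI
WebAuthNGetAuthenticatorList(
    _In_opt_ PCWEBAUTHN_AUTHENTICATOR_DETAILS_OPTIONS pWebAuthNGetAuthenticatorListOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_AUTHENTICATOR_DETAILS_LIST* ppAuthenticatorDetailsList);

// Releases a list returned by WebAuthNGetAuthenticatorList.
void
WINAPI
WebAuthNFreeAuthenticatorList(
    _In_ PWEBAUTHN_AUTHENTICATOR_DETAILS_LIST pAuthenticatorDetailsList);

//
// Maps an HRESULT from the APIs above to the W3C DOMException name a browser surfaces.
// The lifetime of the returned string is not stated here; presumably static -- do not
// free it.
//
// Returns the following Error Names:
//  L"Success"              - S_OK
//  L"InvalidStateError"    - NTE_EXISTS
//  L"ConstraintError"      - HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED),
//                            NTE_NOT_SUPPORTED,
//                            NTE_TOKEN_KEYSET_STORAGE_FULL
//  L"NotSupportedError"    - NTE_INVALID_PARAMETER
//  L"NotAllowedError"      - NTE_DEVICE_NOT_FOUND,
//                            NTE_NOT_FOUND,
//                            HRESULT_FROM_WIN32(ERROR_CANCELLED),
//                            NTE_USER_CANCELLED,
//                            HRESULT_FROM_WIN32(ERROR_TIMEOUT)
//  L"UnknownError"         - All other hr values
//
PCWSTR
WINAPI
WebAuthNGetErrorName(
    _In_ HRESULT hr);

// Maps an HRESULT from the APIs above to the corresponding W3C DOMException error
// HRESULT. The exact mapping is not stated in this header.
HRESULT
WINAPI
WebAuthNGetW3CExceptionDOMError(
    _In_ HRESULT hr);


#ifdef __cplusplus
}       // Balance extern "C" above
#endif

#endif // WINAPI_FAMILY_PARTITION
#pragma endregion

#endif // __WEBAUTHN_H_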