tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

WebAuthentication.webidl (15324B)

      1 /* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* This Source Code Form is subject to the terms of the Mozilla Public
      3 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
      4 * You can obtain one at http://mozilla.org/MPL/2.0/.
      5 *
      6 * The origin of this IDL file is
      7 * https://w3c.github.io/webauthn/
      8 */
      9 
     10 /***** Interfaces to Data *****/
     11 
     12 [SecureContext, Pref="security.webauth.webauthn",
     13 Exposed=Window]
     14 interface PublicKeyCredential : Credential {
     15    [SameObject, Throws] readonly attribute ArrayBuffer      rawId;
     16    [SameObject] readonly attribute AuthenticatorResponse    response;
     17    readonly attribute DOMString?                            authenticatorAttachment;
     18    AuthenticationExtensionsClientOutputs getClientExtensionResults();
     19    [NewObject] static Promise<boolean> isConditionalMediationAvailable();
     20    [Throws, Pref="security.webauthn.enable_json_serialization_methods"] object toJSON();
     21 };
     22 
     23 typedef DOMString Base64URLString;
     24 
     25 [GenerateConversionToJS]
     26 dictionary RegistrationResponseJSON {
     27    required DOMString id;
     28    required Base64URLString rawId;
     29    required AuthenticatorAttestationResponseJSON response;
     30    DOMString authenticatorAttachment;
     31    required AuthenticationExtensionsClientOutputsJSON clientExtensionResults;
     32    required DOMString type;
     33 };
     34 
     35 [GenerateConversionToJS]
     36 dictionary AuthenticatorAttestationResponseJSON {
     37    required Base64URLString clientDataJSON;
     38    required Base64URLString authenticatorData;
     39    required sequence<DOMString> transports;
     40    // The publicKey field will be missing if pubKeyCredParams was used to
     41    // negotiate a public-key algorithm that the user agent doesn’t
     42    // understand. (See section “Easily accessing credential data” for a
     43    // list of which algorithms user agents must support.) If using such an
     44    // algorithm then the public key must be parsed directly from
     45    // attestationObject or authenticatorData.
     46    Base64URLString publicKey;
     47    required long long publicKeyAlgorithm;
     48    // This value contains copies of some of the fields above. See
     49    // section “Easily accessing credential data”.
     50    required Base64URLString attestationObject;
     51 };
     52 
     53 [GenerateConversionToJS]
     54 dictionary AuthenticationResponseJSON {
     55    required DOMString id;
     56    required Base64URLString rawId;
     57    required AuthenticatorAssertionResponseJSON response;
     58    DOMString authenticatorAttachment;
     59    required AuthenticationExtensionsClientOutputsJSON clientExtensionResults;
     60    required DOMString type;
     61 };
     62 
     63 [GenerateConversionToJS]
     64 dictionary AuthenticatorAssertionResponseJSON {
     65    required Base64URLString clientDataJSON;
     66    required Base64URLString authenticatorData;
     67    required Base64URLString signature;
     68    Base64URLString userHandle;
     69 };
     70 
     71 [GenerateConversionToJS]
     72 dictionary AuthenticationExtensionsClientOutputsJSON {
     73 };
     74 
     75 [SecureContext]
     76 partial interface PublicKeyCredential {
     77    [NewObject] static Promise<boolean> isUserVerifyingPlatformAuthenticatorAvailable();
     78 };
     79 
     80 [SecureContext]
     81 partial interface PublicKeyCredential {
     82    [Throws] static Promise<PublicKeyCredentialClientCapabilities> getClientCapabilities();
     83 };
     84 
     85 typedef record<DOMString, boolean> PublicKeyCredentialClientCapabilities;
     86 
     87 [SecureContext]
     88 partial interface PublicKeyCredential {
     89    [Throws, Pref="security.webauthn.enable_json_serialization_methods"] static PublicKeyCredentialCreationOptions parseCreationOptionsFromJSON(PublicKeyCredentialCreationOptionsJSON options);
     90 };
     91 
     92 dictionary PublicKeyCredentialCreationOptionsJSON {
     93    required PublicKeyCredentialRpEntity                    rp;
     94    required PublicKeyCredentialUserEntityJSON              user;
     95    required Base64URLString                                challenge;
     96    required sequence<PublicKeyCredentialParameters>        pubKeyCredParams;
     97    unsigned long                                           timeout;
     98    sequence<PublicKeyCredentialDescriptorJSON>             excludeCredentials = [];
     99    AuthenticatorSelectionCriteria                          authenticatorSelection;
    100    sequence<DOMString>                                     hints = [];
    101    DOMString                                               attestation = "none";
    102    sequence<DOMString>                                     attestationFormats = [];
    103    AuthenticationExtensionsClientInputsJSON                extensions;
    104 };
    105 
    106 dictionary PublicKeyCredentialUserEntityJSON {
    107    required Base64URLString        id;
    108    required DOMString              name;
    109    required DOMString              displayName;
    110 };
    111 
    112 dictionary PublicKeyCredentialDescriptorJSON {
    113    required DOMString              type;
    114    required Base64URLString        id;
    115    sequence<DOMString>             transports;
    116 };
    117 
    118 dictionary AuthenticationExtensionsClientInputsJSON {
    119 };
    120 
    121 [SecureContext]
    122 partial interface PublicKeyCredential {
    123    [Throws, Pref="security.webauthn.enable_json_serialization_methods"] static PublicKeyCredentialRequestOptions parseRequestOptionsFromJSON(PublicKeyCredentialRequestOptionsJSON options);
    124 };
    125 
    126 dictionary PublicKeyCredentialRequestOptionsJSON {
    127    required Base64URLString                                challenge;
    128    unsigned long                                           timeout;
    129    DOMString                                               rpId;
    130    sequence<PublicKeyCredentialDescriptorJSON>             allowCredentials = [];
    131    DOMString                                               userVerification = "preferred";
    132    sequence<DOMString>                                     hints = [];
    133    AuthenticationExtensionsClientInputsJSON                extensions;
    134 };
    135 
    136 [SecureContext, Pref="security.webauth.webauthn",
    137 Exposed=Window]
    138 interface AuthenticatorResponse {
    139    [SameObject, Throws] readonly attribute ArrayBuffer clientDataJSON;
    140 };
    141 
    142 [SecureContext, Pref="security.webauth.webauthn",
    143 Exposed=Window]
    144 interface AuthenticatorAttestationResponse : AuthenticatorResponse {
    145    [SameObject, Throws] readonly attribute ArrayBuffer attestationObject;
    146    sequence<DOMString>                                 getTransports();
    147    [Throws] ArrayBuffer                                getAuthenticatorData();
    148    [Throws] ArrayBuffer?                               getPublicKey();
    149    [Throws] COSEAlgorithmIdentifier                    getPublicKeyAlgorithm();
    150 };
    151 
    152 [SecureContext, Pref="security.webauth.webauthn",
    153 Exposed=Window]
    154 interface AuthenticatorAssertionResponse : AuthenticatorResponse {
    155    [SameObject, Throws] readonly attribute ArrayBuffer      authenticatorData;
    156    [SameObject, Throws] readonly attribute ArrayBuffer      signature;
    157    [SameObject, Throws] readonly attribute ArrayBuffer?     userHandle;
    158 };
    159 
    160 dictionary PublicKeyCredentialParameters {
    161    required DOMString                    type;
    162    required COSEAlgorithmIdentifier      alg;
    163 };
    164 
    165 dictionary PublicKeyCredentialCreationOptions {
    166    required PublicKeyCredentialRpEntity         rp;
    167    required PublicKeyCredentialUserEntity       user;
    168 
    169    required BufferSource                             challenge;
    170    required sequence<PublicKeyCredentialParameters>  pubKeyCredParams;
    171 
    172    unsigned long                                timeout;
    173    sequence<PublicKeyCredentialDescriptor>      excludeCredentials = [];
    174    // FIXME: bug 1493860: should this "= {}" be here?
    175    AuthenticatorSelectionCriteria               authenticatorSelection = {};
    176    sequence<DOMString>                          hints = [];
    177    DOMString                                    attestation = "none";
    178    // FIXME: bug 1493860: should this "= {}" be here?
    179    AuthenticationExtensionsClientInputs         extensions = {};
    180 };
    181 
    182 dictionary PublicKeyCredentialEntity {
    183    required DOMString    name;
    184 };
    185 
    186 dictionary PublicKeyCredentialRpEntity : PublicKeyCredentialEntity {
    187    DOMString      id;
    188 };
    189 
    190 dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity {
    191    required BufferSource   id;
    192    required DOMString      displayName;
    193 };
    194 
    195 dictionary AuthenticatorSelectionCriteria {
    196    DOMString                    authenticatorAttachment;
    197    DOMString                    residentKey;
    198    boolean                      requireResidentKey = false;
    199    DOMString                    userVerification = "preferred";
    200 };
    201 
    202 dictionary PublicKeyCredentialRequestOptions {
    203    required BufferSource                challenge;
    204    unsigned long                        timeout;
    205    DOMString                            rpId;
    206    sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
    207    DOMString                            userVerification = "preferred";
    208    sequence<DOMString>                  hints = [];
    209    // FIXME: bug 1493860: should this "= {}" be here?
    210    AuthenticationExtensionsClientInputs extensions = {};
    211 };
    212 
    213 dictionary AuthenticationExtensionsClientInputs {
    214 };
    215 
    216 dictionary AuthenticationExtensionsClientOutputs {
    217 };
    218 
    219 typedef record<DOMString, DOMString> AuthenticationExtensionsAuthenticatorInputs;
    220 
    221 // The CollectedClientData dictionary must be serialized using the algorithm
    222 // from https://w3c.github.io/webauthn/#clientdatajson-serialization. Because
    223 // CollectedClientData is only consumed by the relying party, and because
    224 // [GenerateToJSON] does not produce the correct serialization algorithm, the
    225 // definition below is commented out. Please keep this definition in sync with
    226 // in AssembleClientData in dom/webauthn/WebAuthnTransactionParent.cpp.
    227 //
    228 // dictionary CollectedClientData {
    229 //     required DOMString           type;
    230 //     required DOMString           challenge;
    231 //     required DOMString           origin;
    232 //     boolean                      crossOrigin;
    233 //     DOMString                    topOrigin;
    234 // };
    235 
    236 dictionary PublicKeyCredentialDescriptor {
    237    required DOMString                    type;
    238    required BufferSource                 id;
    239    // Transports is a string that is matched against the AuthenticatorTransport
    240    // enumeration so that we have forward-compatibility for new transports.
    241    sequence<DOMString>                   transports;
    242 };
    243 
    244 typedef long COSEAlgorithmIdentifier;
    245 
    246 typedef sequence<AAGUID>      AuthenticatorSelectionList;
    247 
    248 typedef BufferSource      AAGUID;
    249 
    250 partial dictionary AuthenticationExtensionsClientInputs {
    251  DOMString appid;
    252 };
    253 partial dictionary AuthenticationExtensionsClientInputsJSON {
    254  DOMString appid;
    255 };
    256 
    257 partial dictionary AuthenticationExtensionsClientOutputs {
    258  boolean appid;
    259 };
    260 partial dictionary AuthenticationExtensionsClientOutputsJSON {
    261  boolean appid;
    262 };
    263 
    264 partial dictionary AuthenticationExtensionsClientInputs {
    265    boolean credProps;
    266 };
    267 partial dictionary AuthenticationExtensionsClientInputsJSON {
    268    boolean credProps;
    269 };
    270 
    271 dictionary CredentialPropertiesOutput {
    272    boolean rk;
    273 };
    274 
    275 partial dictionary AuthenticationExtensionsClientOutputs {
    276    CredentialPropertiesOutput credProps;
    277 };
    278 partial dictionary AuthenticationExtensionsClientOutputsJSON {
    279    CredentialPropertiesOutput credProps;
    280 };
    281 
    282 dictionary AuthenticationExtensionsPRFValues {
    283    required BufferSource first;
    284    BufferSource second;
    285 };
    286 dictionary AuthenticationExtensionsPRFValuesJSON {
    287    required Base64URLString first;
    288    Base64URLString second;
    289 };
    290 
    291 dictionary AuthenticationExtensionsPRFInputs {
    292    AuthenticationExtensionsPRFValues eval;
    293    record<DOMString, AuthenticationExtensionsPRFValues> evalByCredential;
    294 };
    295 dictionary AuthenticationExtensionsPRFInputsJSON {
    296    AuthenticationExtensionsPRFValuesJSON eval;
    297    record<DOMString, AuthenticationExtensionsPRFValuesJSON> evalByCredential;
    298 };
    299 
    300 partial dictionary AuthenticationExtensionsClientInputs {
    301    AuthenticationExtensionsPRFInputs prf;
    302 };
    303 partial dictionary AuthenticationExtensionsClientInputsJSON {
    304    AuthenticationExtensionsPRFInputsJSON prf;
    305 };
    306 
    307 dictionary AuthenticationExtensionsPRFOutputs {
    308    boolean enabled;
    309    AuthenticationExtensionsPRFValues results;
    310 };
    311 dictionary AuthenticationExtensionsPRFOutputsJSON {
    312    boolean enabled;
    313    AuthenticationExtensionsPRFValuesJSON results;
    314 };
    315 
    316 partial dictionary AuthenticationExtensionsClientOutputs {
    317    AuthenticationExtensionsPRFOutputs prf;
    318 };
    319 partial dictionary AuthenticationExtensionsClientOutputsJSON {
    320    AuthenticationExtensionsPRFOutputsJSON prf;
    321 };
    322 
    323 partial dictionary AuthenticationExtensionsClientInputs {
    324    AuthenticationExtensionsLargeBlobInputs largeBlob;
    325 };
    326 partial dictionary AuthenticationExtensionsClientInputsJSON {
    327    AuthenticationExtensionsLargeBlobInputsJSON largeBlob;
    328 };
    329 
    330 dictionary AuthenticationExtensionsLargeBlobInputs {
    331    DOMString support;
    332    boolean read;
    333    BufferSource write;
    334 };
    335 dictionary AuthenticationExtensionsLargeBlobInputsJSON {
    336    DOMString support;
    337    boolean read;
    338    Base64URLString write;
    339 };
    340 
    341 partial dictionary AuthenticationExtensionsClientOutputs {
    342    AuthenticationExtensionsLargeBlobOutputs largeBlob;
    343 };
    344 partial dictionary AuthenticationExtensionsClientOutputsJSON {
    345    AuthenticationExtensionsLargeBlobOutputsJSON largeBlob;
    346 };
    347 
    348 dictionary AuthenticationExtensionsLargeBlobOutputs {
    349    boolean supported;
    350    ArrayBuffer blob;
    351    boolean written;
    352 };
    353 dictionary AuthenticationExtensionsLargeBlobOutputsJSON {
    354    boolean supported;
    355    Base64URLString blob;
    356    boolean written;
    357 };
    358 
    359 /*
    360 * CTAP2 Extensions
    361 * <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-defined-extensions>
    362 */
    363 
    364 // credProtect
    365 // <https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-credProtect-extension>
    366 enum CredentialProtectionPolicy {
    367  "userVerificationOptional",
    368  "userVerificationOptionalWithCredentialIDList",
    369  "userVerificationRequired",
    370 };
    371 partial dictionary AuthenticationExtensionsClientInputs {
    372  CredentialProtectionPolicy credentialProtectionPolicy;
    373  // The specification includes a default `= false` value for
    374  // enforceCredentialProtectionPolicy. We omit it here to distinguish between
    375  // three logical cases: the extension was not sent, the extension was sent
    376  // with value false, the extension was sent with value true.
    377  boolean enforceCredentialProtectionPolicy;
    378 };
    379 partial dictionary AuthenticationExtensionsClientInputsJSON {
    380  CredentialProtectionPolicy credentialProtectionPolicy;
    381  boolean enforceCredentialProtectionPolicy;
    382 };
    383 
    384 // hmac-secret
    385 // <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-hmac-secret-extension>
    386 // note: we don't support hmac-secret in get() (see instead the prf extension)
    387 // so we only define the create() inputs and outputs here.
    388 partial dictionary AuthenticationExtensionsClientInputs {
    389    boolean hmacCreateSecret;
    390 };
    391 partial dictionary AuthenticationExtensionsClientInputsJSON {
    392    boolean hmacCreateSecret;
    393 };
    394 
    395 partial dictionary AuthenticationExtensionsClientOutputs {
    396    boolean hmacCreateSecret;
    397 };
    398 partial dictionary AuthenticationExtensionsClientOutputsJSON {
    399    boolean hmacCreateSecret;
    400 };
    401 
    402 // minPinLength
    403 // <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-minpinlength-extension>
    404 partial dictionary AuthenticationExtensionsClientInputs {
    405  boolean minPinLength;
    406 };
    407 partial dictionary AuthenticationExtensionsClientInputsJSON {
    408  boolean minPinLength;
    409 };