├── LICENSE
├── README.md
├── .gitignore
└── webauthn.h

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Description

This project includes Win32 headers for communicating with Windows Hello and external security keys as part of the WebAuthn and CTAP specifications.

For more details about the standards, please follow these links:
* WebAuthn: https://w3c.github.io/webauthn/
* CTAP: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html


# Having Issues?

If you have any issues in adopting these APIs or need some clarification, please contact [fido-dev](mailto:fido-dev@microsoft.com).


# Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore

# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUNIT
*.VisualState.xml
TestResult.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
**/Properties/launchSettings.json

# StyleCop
StyleCopReport.xml

# Files built by Visual Studio
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# Visual Studio Trace Files
*.e2e

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# JustCode is a .NET coding add-in
.JustCode

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json

# Visual Studio code coverage results
*.coverage
*.coveragexml

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produce more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak

# SQL Server files
*.mdf
*.ldf
*.ndf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# JetBrains Rider
.idea/
*.sln.iml

# CodeRush
.cr/

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc

# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config

# Tabs Studio
*.tss

# Telerik's JustMock configuration file
*.jmconfig

# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs

# OpenCover UI analysis results
OpenCover/

# Azure Stream Analytics local run output
ASALocalRun/

# MSBuild Binary and Structured Log
*.binlog

# NVidia Nsight GPU debugger configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/

--------------------------------------------------------------------------------
/webauthn.h:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

#ifndef __WEBAUTHN_H_
#define __WEBAUTHN_H_

#pragma once

#include <winapifamily.h>

#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)

#ifdef __cplusplus
extern "C" {
#endif

#ifndef WINAPI
#define WINAPI __stdcall
#endif

#ifndef INITGUID
#define INITGUID
#include <guiddef.h>
#undef INITGUID
#else
#include <guiddef.h>
#endif

//+------------------------------------------------------------------------------------------
// API Version Information.
// Callers should call WebAuthNGetApiVersionNumber to check for the presence of the APIs
// and features they intend to use.
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_API_VERSION_1          1
// WEBAUTHN_API_VERSION_1 : Baseline Version
//      Data Structures and their sub versions:
//          - WEBAUTHN_RP_ENTITY_INFORMATION                    :   1
//          - WEBAUTHN_USER_ENTITY_INFORMATION                  :   1
//          - WEBAUTHN_CLIENT_DATA                              :   1
//          - WEBAUTHN_COSE_CREDENTIAL_PARAMETER                :   1
//          - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS               :   Not Applicable
//          - WEBAUTHN_CREDENTIAL                               :   1
//          - WEBAUTHN_CREDENTIALS                              :   Not Applicable
//          - WEBAUTHN_CREDENTIAL_EX                            :   1
//          - WEBAUTHN_CREDENTIAL_LIST                          :   Not Applicable
//          - WEBAUTHN_EXTENSION                                :   Not Applicable
//          - WEBAUTHN_EXTENSIONS                               :   Not Applicable
//          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   3
//          - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      :   4
//          - WEBAUTHN_COMMON_ATTESTATION                       :   1
//          - WEBAUTHN_CREDENTIAL_ATTESTATION                   :   3
//          - WEBAUTHN_ASSERTION                                :   1
//      Extensions:
//          - WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
//      APIs:
//          - WebAuthNGetApiVersionNumber
//          - WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable
//          - WebAuthNAuthenticatorMakeCredential
//          - WebAuthNAuthenticatorGetAssertion
//          - WebAuthNFreeCredentialAttestation
//          - WebAuthNFreeAssertion
//          - WebAuthNGetCancellationId
//          - WebAuthNCancelCurrentOperation
//          - WebAuthNGetErrorName
//          - WebAuthNGetW3CExceptionDOMError

#define WEBAUTHN_API_VERSION_2          2
// WEBAUTHN_API_VERSION_2 : Delta From WEBAUTHN_API_VERSION_1
//      Added Extensions:
//          - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
//

#define WEBAUTHN_API_VERSION_3          3
// WEBAUTHN_API_VERSION_3 : Delta From WEBAUTHN_API_VERSION_2
//      Data Structures and their sub versions:
//          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   4
//          - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      :   5
//          - WEBAUTHN_CREDENTIAL_ATTESTATION                   :   4
//          - WEBAUTHN_ASSERTION                                :   2
//      Added Extensions:
//          - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
//          - WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
//

#define WEBAUTHN_API_VERSION_4          4
// WEBAUTHN_API_VERSION_4 : Delta From WEBAUTHN_API_VERSION_3
//      Data Structures and their sub versions:
//          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   5
//          - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      :   6
//          - WEBAUTHN_ASSERTION                                :   3
//      APIs:
//          - WebAuthNGetPlatformCredentialList
//          - WebAuthNFreePlatformCredentialList
//          - WebAuthNDeletePlatformCredential
//

#define WEBAUTHN_API_CURRENT_VERSION    WEBAUTHN_API_VERSION_4

//+------------------------------------------------------------------------------------------
// Information about an RP Entity
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION      1

typedef struct _WEBAUTHN_RP_ENTITY_INFORMATION {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // Identifier for the RP. This field is required.
    PCWSTR pwszId;

    // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site".
    // This field is required.
    PCWSTR pwszName;

    // Optional URL pointing to RP's logo.
    PCWSTR pwszIcon;
} WEBAUTHN_RP_ENTITY_INFORMATION, *PWEBAUTHN_RP_ENTITY_INFORMATION;
typedef const WEBAUTHN_RP_ENTITY_INFORMATION *PCWEBAUTHN_RP_ENTITY_INFORMATION;

//+------------------------------------------------------------------------------------------
// Information about a User Entity
//-------------------------------------------------------------------------------------------
#define WEBAUTHN_MAX_USER_ID_LENGTH     64

#define WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION    1

typedef struct _WEBAUTHN_USER_ENTITY_INFORMATION {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // Identifier for the User. This field is required.
    DWORD cbId;
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Contains a detailed name for this account, such as "john.p.smith@example.com".
    PCWSTR pwszName;

    // Optional URL that can be used to retrieve an image containing the user's current avatar,
    // or a data URI that contains the image data.
    PCWSTR pwszIcon;

    // For User: Contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith".
    PCWSTR pwszDisplayName;
} WEBAUTHN_USER_ENTITY_INFORMATION, *PWEBAUTHN_USER_ENTITY_INFORMATION;
typedef const WEBAUTHN_USER_ENTITY_INFORMATION *PCWEBAUTHN_USER_ENTITY_INFORMATION;

//+------------------------------------------------------------------------------------------
// Information about client data.
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_HASH_ALGORITHM_SHA_256         L"SHA-256"
#define WEBAUTHN_HASH_ALGORITHM_SHA_384         L"SHA-384"
#define WEBAUTHN_HASH_ALGORITHM_SHA_512         L"SHA-512"

#define WEBAUTHN_CLIENT_DATA_CURRENT_VERSION    1

typedef struct _WEBAUTHN_CLIENT_DATA {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // NOTE: The references to JSON are for historic reasons, since
    // implementations are NOT supposed to parse this data in any way.
    // The data is simply hashed using the specified algorithm ID, resulting
    // in the FIDO "clientDataHash" input field.

    // Size of the pbClientDataJSON field.
    DWORD cbClientDataJSON;
    // UTF-8 encoded JSON serialization of the client data.
    _Field_size_bytes_(cbClientDataJSON)
    PBYTE pbClientDataJSON;

    // Hash algorithm ID used to hash the pbClientDataJSON field.
    LPCWSTR pwszHashAlgId;
} WEBAUTHN_CLIENT_DATA, *PWEBAUTHN_CLIENT_DATA;
typedef const WEBAUTHN_CLIENT_DATA *PCWEBAUTHN_CLIENT_DATA;

//+------------------------------------------------------------------------------------------
// Information about credential parameters.
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY                         L"public-key"

#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256              -7
#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P384_WITH_SHA384              -35
#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P521_WITH_SHA512              -36

#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA256       -257
#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA384       -258
#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA512       -259

#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA256                 -37
#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA384                 -38
#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA512                 -39

#define WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION          1

typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETER {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Well-known credential type specifying a credential to create.
    LPCWSTR pwszCredentialType;

    // Well-known COSE algorithm specifying the algorithm to use for the credential.
    LONG lAlg;
} WEBAUTHN_COSE_CREDENTIAL_PARAMETER, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETER *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETER;

typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETERS {
    DWORD cCredentialParameters;
    _Field_size_(cCredentialParameters)
    PWEBAUTHN_COSE_CREDENTIAL_PARAMETER pCredentialParameters;
} WEBAUTHN_COSE_CREDENTIAL_PARAMETERS, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETERS *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;

//+------------------------------------------------------------------------------------------
// Information about credential.
//-------------------------------------------------------------------------------------------
#define WEBAUTHN_CREDENTIAL_CURRENT_VERSION     1

typedef struct _WEBAUTHN_CREDENTIAL {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbId.
    DWORD cbId;
    // Unique ID for this particular credential.
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Well-known credential type specifying what this particular credential is.
    LPCWSTR pwszCredentialType;
} WEBAUTHN_CREDENTIAL, *PWEBAUTHN_CREDENTIAL;
typedef const WEBAUTHN_CREDENTIAL *PCWEBAUTHN_CREDENTIAL;

typedef struct _WEBAUTHN_CREDENTIALS {
    DWORD cCredentials;
    _Field_size_(cCredentials)
    PWEBAUTHN_CREDENTIAL pCredentials;
} WEBAUTHN_CREDENTIALS, *PWEBAUTHN_CREDENTIALS;
typedef const WEBAUTHN_CREDENTIALS *PCWEBAUTHN_CREDENTIALS;

//+------------------------------------------------------------------------------------------
// Information about a credential with extra information, such as dwTransports
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_CTAP_TRANSPORT_USB         0x00000001
#define WEBAUTHN_CTAP_TRANSPORT_NFC         0x00000002
#define WEBAUTHN_CTAP_TRANSPORT_BLE         0x00000004
#define WEBAUTHN_CTAP_TRANSPORT_TEST        0x00000008
#define WEBAUTHN_CTAP_TRANSPORT_INTERNAL    0x00000010
#define WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK  0x0000001F

#define WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION  1

typedef struct _WEBAUTHN_CREDENTIAL_EX {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbId.
    DWORD cbId;
    // Unique ID for this particular credential.
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Well-known credential type specifying what this particular credential is.
    LPCWSTR pwszCredentialType;

    // Transports. 0 implies no transport restrictions.
    DWORD dwTransports;
} WEBAUTHN_CREDENTIAL_EX, *PWEBAUTHN_CREDENTIAL_EX;
typedef const WEBAUTHN_CREDENTIAL_EX *PCWEBAUTHN_CREDENTIAL_EX;

//+------------------------------------------------------------------------------------------
// Information about credential list with extra information
//-------------------------------------------------------------------------------------------

typedef struct _WEBAUTHN_CREDENTIAL_LIST {
    DWORD cCredentials;
    _Field_size_(cCredentials)
    PWEBAUTHN_CREDENTIAL_EX *ppCredentials;
} WEBAUTHN_CREDENTIAL_LIST, *PWEBAUTHN_CREDENTIAL_LIST;
typedef const WEBAUTHN_CREDENTIAL_LIST *PCWEBAUTHN_CREDENTIAL_LIST;

//+------------------------------------------------------------------------------------------
// Credential Information for WebAuthNGetPlatformCredentialList API
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1       1
#define WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1

typedef struct _WEBAUTHN_CREDENTIAL_DETAILS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbCredentialID.
    DWORD cbCredentialID;
    _Field_size_bytes_(cbCredentialID)
    PBYTE pbCredentialID;

    // RP Info
    PWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation;

    // User Info
    PWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation;

    // Removable or not.
    BOOL bRemovable;
} WEBAUTHN_CREDENTIAL_DETAILS, *PWEBAUTHN_CREDENTIAL_DETAILS;
typedef const WEBAUTHN_CREDENTIAL_DETAILS *PCWEBAUTHN_CREDENTIAL_DETAILS;

typedef struct _WEBAUTHN_CREDENTIAL_DETAILS_LIST {
    DWORD cCredentialDetails;
    _Field_size_(cCredentialDetails)
    PWEBAUTHN_CREDENTIAL_DETAILS *ppCredentialDetails;
} WEBAUTHN_CREDENTIAL_DETAILS_LIST, *PWEBAUTHN_CREDENTIAL_DETAILS_LIST;
typedef const WEBAUTHN_CREDENTIAL_DETAILS_LIST *PCWEBAUTHN_CREDENTIAL_DETAILS_LIST;

#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1          1
#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_CURRENT_VERSION    WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1

typedef struct _WEBAUTHN_GET_CREDENTIALS_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Optional.
    LPCWSTR pwszRpId;

    // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;
} WEBAUTHN_GET_CREDENTIALS_OPTIONS, *PWEBAUTHN_GET_CREDENTIALS_OPTIONS;
typedef const WEBAUTHN_GET_CREDENTIALS_OPTIONS *PCWEBAUTHN_GET_CREDENTIALS_OPTIONS;

//+------------------------------------------------------------------------------------------
// PRF values.
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH    32

// SALT values below are by default converted into RAW Hmac-Secret values as per the PRF extension:
//      - SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || Value)
//
// Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS
// if the caller wants to provide RAW Hmac-Secret SALT values directly. In that case, any values
// provided MUST be exactly WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH bytes.
353 | 354 | typedef struct _WEBAUTHN_HMAC_SECRET_SALT { 355 | // Size of pbFirst. 356 | DWORD cbFirst; 357 | _Field_size_bytes_(cbFirst) 358 | PBYTE pbFirst; // Required 359 | 360 | // Size of pbSecond. 361 | DWORD cbSecond; 362 | _Field_size_bytes_(cbSecond) 363 | PBYTE pbSecond; 364 | } WEBAUTHN_HMAC_SECRET_SALT, *PWEBAUTHN_HMAC_SECRET_SALT; 365 | typedef const WEBAUTHN_HMAC_SECRET_SALT *PCWEBAUTHN_HMAC_SECRET_SALT; 366 | 367 | typedef struct _WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT { 368 | // Size of pbCredID. 369 | DWORD cbCredID; 370 | _Field_size_bytes_(cbCredID) 371 | PBYTE pbCredID; // Required 372 | 373 | // PRF Values for above credential 374 | PWEBAUTHN_HMAC_SECRET_SALT pHmacSecretSalt; // Required 375 | } WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT, *PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT; 376 | typedef const WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT *PCWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT; 377 | 378 | typedef struct _WEBAUTHN_HMAC_SECRET_SALT_VALUES { 379 | PWEBAUTHN_HMAC_SECRET_SALT pGlobalHmacSalt; 380 | 381 | DWORD cCredWithHmacSecretSaltList; 382 | _Field_size_(cCredWithHmacSecretSaltList) 383 | PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT pCredWithHmacSecretSaltList; 384 | } WEBAUTHN_HMAC_SECRET_SALT_VALUES, *PWEBAUTHN_HMAC_SECRET_SALT_VALUES; 385 | typedef const WEBAUTHN_HMAC_SECRET_SALT_VALUES *PCWEBAUTHN_HMAC_SECRET_SALT_VALUES; 386 | 387 | //+------------------------------------------------------------------------------------------ 388 | // Hmac-Secret extension 389 | //------------------------------------------------------------------------------------------- 390 | 391 | #define WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET L"hmac-secret" 392 | // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET 393 | // MakeCredential Input Type: BOOL. 394 | // - pvExtension must point to a BOOL with the value TRUE. 395 | // - cbExtension must contain the sizeof(BOOL). 396 | // MakeCredential Output Type: BOOL. 
397 | // - pvExtension will point to a BOOL with the value TRUE if credential 398 | // was successfully created with HMAC_SECRET. 399 | // - cbExtension will contain the sizeof(BOOL). 400 | // GetAssertion Input Type: Not Supported 401 | // GetAssertion Output Type: Not Supported 402 | 403 | //+------------------------------------------------------------------------------------------ 404 | // credProtect extension 405 | //------------------------------------------------------------------------------------------- 406 | 407 | #define WEBAUTHN_USER_VERIFICATION_ANY 0 408 | #define WEBAUTHN_USER_VERIFICATION_OPTIONAL 1 409 | #define WEBAUTHN_USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST 2 410 | #define WEBAUTHN_USER_VERIFICATION_REQUIRED 3 411 | 412 | typedef struct _WEBAUTHN_CRED_PROTECT_EXTENSION_IN { 413 | // One of the above WEBAUTHN_USER_VERIFICATION_* values 414 | DWORD dwCredProtect; 415 | // Set the following to TRUE to require authenticator support for the credProtect extension 416 | BOOL bRequireCredProtect; 417 | } WEBAUTHN_CRED_PROTECT_EXTENSION_IN, *PWEBAUTHN_CRED_PROTECT_EXTENSION_IN; 418 | typedef const WEBAUTHN_CRED_PROTECT_EXTENSION_IN *PCWEBAUTHN_CRED_PROTECT_EXTENSION_IN; 419 | 420 | 421 | #define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT L"credProtect" 422 | // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT 423 | // MakeCredential Input Type: WEBAUTHN_CRED_PROTECT_EXTENSION_IN. 424 | // - pvExtension must point to a WEBAUTHN_CRED_PROTECT_EXTENSION_IN struct 425 | // - cbExtension will contain the sizeof(WEBAUTHN_CRED_PROTECT_EXTENSION_IN). 426 | // MakeCredential Output Type: DWORD. 427 | // - pvExtension will point to a DWORD with one of the above WEBAUTHN_USER_VERIFICATION_* values 428 | // if credential was successfully created with CRED_PROTECT. 429 | // - cbExtension will contain the sizeof(DWORD). 
430 | // GetAssertion Input Type: Not Supported 431 | // GetAssertion Output Type: Not Supported 432 | 433 | //+------------------------------------------------------------------------------------------ 434 | // credBlob extension 435 | //------------------------------------------------------------------------------------------- 436 | 437 | typedef struct _WEBAUTHN_CRED_BLOB_EXTENSION { 438 | // Size of pbCredBlob. 439 | DWORD cbCredBlob; 440 | _Field_size_bytes_(cbCredBlob) 441 | PBYTE pbCredBlob; 442 | } WEBAUTHN_CRED_BLOB_EXTENSION, *PWEBAUTHN_CRED_BLOB_EXTENSION; 443 | typedef const WEBAUTHN_CRED_BLOB_EXTENSION *PCWEBAUTHN_CRED_BLOB_EXTENSION; 444 | 445 | 446 | #define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB L"credBlob" 447 | // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB 448 | // MakeCredential Input Type: WEBAUTHN_CRED_BLOB_EXTENSION. 449 | // - pvExtension must point to a WEBAUTHN_CRED_BLOB_EXTENSION struct 450 | // - cbExtension must contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION). 451 | // MakeCredential Output Type: BOOL. 452 | // - pvExtension will point to a BOOL with the value TRUE if credBlob was successfully created 453 | // - cbExtension will contain the sizeof(BOOL). 454 | // GetAssertion Input Type: BOOL. 455 | // - pvExtension must point to a BOOL with the value TRUE to request the credBlob. 456 | // - cbExtension must contain the sizeof(BOOL). 457 | // GetAssertion Output Type: WEBAUTHN_CRED_BLOB_EXTENSION. 458 | // - pvExtension will point to a WEBAUTHN_CRED_BLOB_EXTENSION struct if the authenticator 459 | // returns the credBlob in the signed extensions 460 | // - cbExtension will contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION). 
461 | 462 | //+------------------------------------------------------------------------------------------ 463 | // minPinLength extension 464 | //------------------------------------------------------------------------------------------- 465 | 466 | #define WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH L"minPinLength" 467 | // Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH 468 | // MakeCredential Input Type: BOOL. 469 | // - pvExtension must point to a BOOL with the value TRUE to request the minPinLength. 470 | // - cbExtension must contain the sizeof(BOOL). 471 | // MakeCredential Output Type: DWORD. 472 | // - pvExtension will point to a DWORD with the minimum pin length if returned by the authenticator 473 | // - cbExtension will contain the sizeof(DWORD). 474 | // GetAssertion Input Type: Not Supported 475 | // GetAssertion Output Type: Not Supported 476 | 477 | //+------------------------------------------------------------------------------------------ 478 | // Information about Extensions. 479 | //------------------------------------------------------------------------------------------- 480 | typedef struct _WEBAUTHN_EXTENSION { 481 | LPCWSTR pwszExtensionIdentifier; 482 | DWORD cbExtension; 483 | PVOID pvExtension; 484 | } WEBAUTHN_EXTENSION, *PWEBAUTHN_EXTENSION; 485 | typedef const WEBAUTHN_EXTENSION *PCWEBAUTHN_EXTENSION; 486 | 487 | typedef struct _WEBAUTHN_EXTENSIONS { 488 | DWORD cExtensions; 489 | _Field_size_(cExtensions) 490 | PWEBAUTHN_EXTENSION pExtensions; 491 | } WEBAUTHN_EXTENSIONS, *PWEBAUTHN_EXTENSIONS; 492 | typedef const WEBAUTHN_EXTENSIONS *PCWEBAUTHN_EXTENSIONS; 493 | 494 | //+------------------------------------------------------------------------------------------ 495 | // Options. 
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY 0
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM 1
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM 2
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2 3

#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY 0
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED 1
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED 2
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED 3

#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY 0
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE 1
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT 2
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT 3

#define WEBAUTHN_ENTERPRISE_ATTESTATION_NONE 0
#define WEBAUTHN_ENTERPRISE_ATTESTATION_VENDOR_FACILITATED 1
#define WEBAUTHN_ENTERPRISE_ATTESTATION_PLATFORM_MANAGED 2

#define WEBAUTHN_LARGE_BLOB_SUPPORT_NONE 0
#define WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED 1
#define WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED 2

#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_1 1
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 2
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 3
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 4
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 5
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5

typedef struct _WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Time that the operation is expected to complete within.
    // This is used as guidance, and can be overridden by the platform.
    DWORD dwTimeoutMilliseconds;

    // Credentials used for exclusion.
    WEBAUTHN_CREDENTIALS CredentialList;

    // Optional extensions to parse when performing the operation.
    WEBAUTHN_EXTENSIONS Extensions;

    // Optional. Platform vs Cross-Platform Authenticators.
    DWORD dwAuthenticatorAttachment;

    // Optional. Require key to be resident or not. Defaulting to FALSE.
    BOOL bRequireResidentKey;

    // User Verification Requirement.
    DWORD dwUserVerificationRequirement;

    // Attestation Conveyance Preference.
    DWORD dwAttestationConveyancePreference;

    // Reserved for future use
    DWORD dwFlags;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2
    //

    // Cancellation Id - Optional - See WebAuthNGetCancellationId
    GUID *pCancellationId;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3
    //

    // Exclude Credential List. If present, "CredentialList" will be ignored.
    PWEBAUTHN_CREDENTIAL_LIST pExcludeCredentialList;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4
    //

    // Enterprise Attestation
    DWORD dwEnterpriseAttestation;

    // Large Blob Support: none, required or preferred
    //
    // NTE_INVALID_PARAMETER when large blob required or preferred and
    // bRequireResidentKey isn't set to TRUE
    DWORD dwLargeBlobSupport;

    // Optional. Prefer key to be resident. Defaulting to FALSE. When TRUE,
    // overrides the above bRequireResidentKey.
    BOOL bPreferResidentKey;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5
    //

    // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;

} WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
typedef const WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;

#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_NONE 0
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_GET 1
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_SET 2
#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_DELETE 3

#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1 1
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2 2
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3 3
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4 4
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5 5
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 6
#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6

/*
    Information about flags.
*/

#define WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG 0x00100000

typedef struct _WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Time that the operation is expected to complete within.
    // This is used as guidance, and can be overridden by the platform.
    DWORD dwTimeoutMilliseconds;

    // Allowed Credentials List.
    WEBAUTHN_CREDENTIALS CredentialList;

    // Optional extensions to parse when performing the operation.
    WEBAUTHN_EXTENSIONS Extensions;

    // Optional. Platform vs Cross-Platform Authenticators.
    DWORD dwAuthenticatorAttachment;

    // User Verification Requirement.
    DWORD dwUserVerificationRequirement;

    // Flags
    DWORD dwFlags;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2
    //

    // Optional identifier for the U2F AppId. Converted to UTF8 before being hashed. Not lower cased.
    PCWSTR pwszU2fAppId;

    // If the following is non-NULL, then it is set to TRUE if the above pwszU2fAppId was used instead of
    // the pwszRpId passed to WebAuthNAuthenticatorGetAssertion.
    BOOL *pbU2fAppId;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3
    //

    // Cancellation Id - Optional - See WebAuthNGetCancellationId
    GUID *pCancellationId;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4
    //

    // Allow Credential List. If present, "CredentialList" will be ignored.
    PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5
    //

    DWORD dwCredLargeBlobOperation;

    // Size of pbCredLargeBlob
    DWORD cbCredLargeBlob;
    _Field_size_bytes_(cbCredLargeBlob)
    PBYTE pbCredLargeBlob;

    //
    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6
    //

    // PRF values which will be converted into HMAC-SECRET values according to WebAuthn Spec.
    PWEBAUTHN_HMAC_SECRET_SALT_VALUES pHmacSecretSaltValues;

    // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;

} WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
typedef const WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;


//+------------------------------------------------------------------------------------------
// Attestation Info.
//
//-------------------------------------------------------------------------------------------
#define WEBAUTHN_ATTESTATION_DECODE_NONE 0
#define WEBAUTHN_ATTESTATION_DECODE_COMMON 1
// WEBAUTHN_ATTESTATION_DECODE_COMMON supports format types
//  L"packed"
//  L"fido-u2f"

#define WEBAUTHN_ATTESTATION_VER_TPM_2_0 L"2.0"

typedef struct _WEBAUTHN_X5C {
    // Length of X.509 encoded certificate
    DWORD cbData;
    // X.509 encoded certificate bytes
    _Field_size_bytes_(cbData)
    PBYTE pbData;
} WEBAUTHN_X5C, *PWEBAUTHN_X5C;

// Supports either Self or Full Basic Attestation

// Note, new fields will be added to the following data structure to
// support additional attestation format types, such as, TPM.
// When fields are added, the dwVersion will be incremented.
//
// Therefore, your code must make the following check:
//  "if (dwVersion >= WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION)"

#define WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION 1

typedef struct _WEBAUTHN_COMMON_ATTESTATION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Hash and Padding Algorithm
    //
    // The following won't be set for "fido-u2f" which assumes "ES256".
    PCWSTR pwszAlg;
    LONG lAlg; // COSE algorithm

    // Signature that was generated for this attestation.
    DWORD cbSignature;
    _Field_size_bytes_(cbSignature)
    PBYTE pbSignature;

    // Following is set for Full Basic Attestation. If not set, this is Self Attestation.
    // Array of X.509 DER encoded certificates. The first certificate is the signer, leaf certificate.
    DWORD cX5c;
    _Field_size_(cX5c)
    PWEBAUTHN_X5C pX5c;

    // Following are also set for tpm
    PCWSTR pwszVer; // L"2.0"
    DWORD cbCertInfo;
    _Field_size_bytes_(cbCertInfo)
    PBYTE pbCertInfo;
    DWORD cbPubArea;
    _Field_size_bytes_(cbPubArea)
    PBYTE pbPubArea;
} WEBAUTHN_COMMON_ATTESTATION, *PWEBAUTHN_COMMON_ATTESTATION;
typedef const WEBAUTHN_COMMON_ATTESTATION *PCWEBAUTHN_COMMON_ATTESTATION;

#define WEBAUTHN_ATTESTATION_TYPE_PACKED L"packed"
#define WEBAUTHN_ATTESTATION_TYPE_U2F L"fido-u2f"
#define WEBAUTHN_ATTESTATION_TYPE_TPM L"tpm"
#define WEBAUTHN_ATTESTATION_TYPE_NONE L"none"

#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_1 1
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2 2
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3 3
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4 4
#define WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4

typedef struct _WEBAUTHN_CREDENTIAL_ATTESTATION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Attestation format type
    PCWSTR pwszFormatType;

    // Size of pbAuthenticatorData.
    DWORD cbAuthenticatorData;
    // Authenticator data that was created for this credential.
    _Field_size_bytes_(cbAuthenticatorData)
    PBYTE pbAuthenticatorData;

    // Size of CBOR encoded attestation information
    // 0 => encoded as CBOR null value.
    DWORD cbAttestation;
    // Encoded CBOR attestation information
    _Field_size_bytes_(cbAttestation)
    PBYTE pbAttestation;

    DWORD dwAttestationDecodeType;
    // Following depends on the dwAttestationDecodeType
    //  WEBAUTHN_ATTESTATION_DECODE_NONE
    //      NULL - not able to decode the CBOR attestation information
    //  WEBAUTHN_ATTESTATION_DECODE_COMMON
    //      PWEBAUTHN_COMMON_ATTESTATION;
    PVOID pvAttestationDecode;

    // The CBOR encoded Attestation Object to be returned to the RP.
    DWORD cbAttestationObject;
    _Field_size_bytes_(cbAttestationObject)
    PBYTE pbAttestationObject;

    // The CredentialId bytes extracted from the Authenticator Data.
    // Used by Edge to return to the RP.
    DWORD cbCredentialId;
    _Field_size_bytes_(cbCredentialId)
    PBYTE pbCredentialId;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2
    //

    WEBAUTHN_EXTENSIONS Extensions;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3
    //

    // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
    // the transport that was used.
    DWORD dwUsedTransport;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4
    //

    BOOL bEpAtt;
    BOOL bLargeBlobSupported;
    BOOL bResidentKey;

} WEBAUTHN_CREDENTIAL_ATTESTATION, *PWEBAUTHN_CREDENTIAL_ATTESTATION;
typedef const WEBAUTHN_CREDENTIAL_ATTESTATION *PCWEBAUTHN_CREDENTIAL_ATTESTATION;


//+------------------------------------------------------------------------------------------
// authenticatorGetAssertion output.
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NONE 0
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS 1
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_SUPPORTED 2
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_DATA 3
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_PARAMETER 4
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_FOUND 5
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_MULTIPLE_CREDENTIALS 6
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_LACK_OF_SPACE 7
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_PLATFORM_ERROR 8
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_AUTHENTICATOR_ERROR 9

#define WEBAUTHN_ASSERTION_VERSION_1 1
#define WEBAUTHN_ASSERTION_VERSION_2 2
#define WEBAUTHN_ASSERTION_VERSION_3 3
#define WEBAUTHN_ASSERTION_CURRENT_VERSION WEBAUTHN_ASSERTION_VERSION_3

typedef struct _WEBAUTHN_ASSERTION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbAuthenticatorData.
    DWORD cbAuthenticatorData;
    // Authenticator data that was created for this assertion.
    _Field_size_bytes_(cbAuthenticatorData)
    PBYTE pbAuthenticatorData;

    // Size of pbSignature.
    DWORD cbSignature;
    // Signature that was generated for this assertion.
    _Field_size_bytes_(cbSignature)
    PBYTE pbSignature;

    // Credential that was used for this assertion.
    WEBAUTHN_CREDENTIAL Credential;

    // Size of User Id
    DWORD cbUserId;
    // UserId
    _Field_size_bytes_(cbUserId)
    PBYTE pbUserId;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_2
    //

    WEBAUTHN_EXTENSIONS Extensions;

    // Size of pbCredLargeBlob
    DWORD cbCredLargeBlob;
    _Field_size_bytes_(cbCredLargeBlob)
    PBYTE pbCredLargeBlob;

    DWORD dwCredLargeBlobStatus;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_3
    //

    PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret;

} WEBAUTHN_ASSERTION, *PWEBAUTHN_ASSERTION;
typedef const WEBAUTHN_ASSERTION *PCWEBAUTHN_ASSERTION;

//+------------------------------------------------------------------------------------------
// APIs.
//-------------------------------------------------------------------------------------------

DWORD
WINAPI
WebAuthNGetApiVersionNumber();

HRESULT
WINAPI
WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable(
    _Out_ BOOL *pbIsUserVerifyingPlatformAuthenticatorAvailable);


HRESULT
WINAPI
WebAuthNAuthenticatorMakeCredential(
    _In_ HWND hWnd,
    _In_ PCWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation,
    _In_ PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation,
    _In_ PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS pPubKeyCredParams,
    _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
    _In_opt_ PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS pWebAuthNMakeCredentialOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION *ppWebAuthNCredentialAttestation);


HRESULT
WINAPI
WebAuthNAuthenticatorGetAssertion(
    _In_ HWND hWnd,
    _In_ LPCWSTR pwszRpId,
    _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
    _In_opt_ PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS pWebAuthNGetAssertionOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_ASSERTION *ppWebAuthNAssertion);

void
WINAPI
WebAuthNFreeCredentialAttestation(
    _In_opt_ PWEBAUTHN_CREDENTIAL_ATTESTATION pWebAuthNCredentialAttestation);

void
WINAPI
WebAuthNFreeAssertion(
    _In_ PWEBAUTHN_ASSERTION pWebAuthNAssertion);

HRESULT
WINAPI
WebAuthNGetCancellationId(
    _Out_ GUID* pCancellationId);

HRESULT
WINAPI
WebAuthNCancelCurrentOperation(
    _In_ const GUID* pCancellationId);

// Returns NTE_NOT_FOUND when credentials are not found.
HRESULT
WINAPI
WebAuthNGetPlatformCredentialList(
    _In_ PCWEBAUTHN_GET_CREDENTIALS_OPTIONS pGetCredentialsOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST *ppCredentialDetailsList);

void
WINAPI
WebAuthNFreePlatformCredentialList(
    _In_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList);

HRESULT
WINAPI
WebAuthNDeletePlatformCredential(
    _In_ DWORD cbCredentialId,
    _In_reads_bytes_(cbCredentialId) const BYTE *pbCredentialId
    );

//
// Returns the following Error Names:
//  L"Success"              - S_OK
//  L"InvalidStateError"    - NTE_EXISTS
//  L"ConstraintError"      - HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED),
//                            NTE_NOT_SUPPORTED,
//                            NTE_TOKEN_KEYSET_STORAGE_FULL
//  L"NotSupportedError"    - NTE_INVALID_PARAMETER
//  L"NotAllowedError"      - NTE_DEVICE_NOT_FOUND,
//                            NTE_NOT_FOUND,
//                            HRESULT_FROM_WIN32(ERROR_CANCELLED),
//                            NTE_USER_CANCELLED,
//                            HRESULT_FROM_WIN32(ERROR_TIMEOUT)
//  L"UnknownError"         - All other hr values
//
PCWSTR
WINAPI
WebAuthNGetErrorName(
    _In_ HRESULT hr);

HRESULT
WINAPI
WebAuthNGetW3CExceptionDOMError(
    _In_ HRESULT hr);


#ifdef __cplusplus
}   // Balance extern "C" above
#endif

#endif // WINAPI_FAMILY_PARTITION
#pragma endregion

#endif // __WEBAUTHN_H_
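Every structure in this header is versioned: fields are appended and dwVersion is bumped, and the comments on WEBAUTHN_COMMON_ATTESTATION tell the caller to check dwVersion before reading. The added example below (not code from webauthn.h or from Microsoft) shows that discipline for the output structures a caller receives from WebAuthNAuthenticatorMakeCredential and WebAuthNAuthenticatorGetAssertion, plus a pre-flight check of the MakeCredential options for the one invalid combination the header documents (large blob support requested while bRequireResidentKey is FALSE). The *_VIEW typedefs are reduced mirrors, an assumption of this example, that keep only the fields used here under the header's field names so the code compiles offline; the sample instances are constructed, not values returned by the platform.

```c
/* Added example, not code from webauthn.h. Reduced *_VIEW mirrors of the header's
 * structs (same field names, fewer fields) so this compiles without <windows.h>. */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t DWORD;
typedef int BOOL;
#define TRUE 1
#define FALSE 0

/* Constants as defined in webauthn.h. */
#define WEBAUTHN_LARGE_BLOB_SUPPORT_NONE 0
#define WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED 1
#define WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED 2
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 4
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION 5
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4 4
#define WEBAUTHN_ASSERTION_VERSION_2 2
#define WEBAUTHN_ASSERTION_VERSION_3 3
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS 1

typedef struct {
    DWORD dwVersion;
    BOOL  bRequireResidentKey;
    DWORD dwLargeBlobSupport;    /* added in MAKE_CREDENTIAL_OPTIONS_VERSION_4 */
} MAKE_CREDENTIAL_OPTIONS_VIEW;

typedef struct {
    DWORD dwVersion;
    BOOL  bResidentKey;          /* added in CREDENTIAL_ATTESTATION_VERSION_4 */
} CREDENTIAL_ATTESTATION_VIEW;

typedef struct {
    DWORD dwVersion;
    DWORD cbCredLargeBlob;       /* added in ASSERTION_VERSION_2 */
    DWORD dwCredLargeBlobStatus; /* added in ASSERTION_VERSION_2 */
    void *pHmacSecret;           /* added in ASSERTION_VERSION_3 */
} ASSERTION_VIEW;

typedef enum { OPT_OK = 0, OPT_BAD_VERSION, OPT_LARGE_BLOB_NEEDS_RESIDENT_KEY } opt_check_t;

/* The header documents NTE_INVALID_PARAMETER when large blob support is required or
 * preferred while bRequireResidentKey is not TRUE; reject that combination before the
 * call rather than decoding the HRESULT afterwards. A dwVersion above the header's
 * CURRENT_VERSION is a caller bug: the platform would read fields that were never set. */
opt_check_t check_make_credential_options(const MAKE_CREDENTIAL_OPTIONS_VIEW *o)
{
    if (o->dwVersion == 0 || o->dwVersion > WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION)
        return OPT_BAD_VERSION;
    /* dwLargeBlobSupport only exists from VERSION_4; older option structs cannot hit the rule. */
    if (o->dwVersion >= WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 &&
        o->dwLargeBlobSupport != WEBAUTHN_LARGE_BLOB_SUPPORT_NONE &&
        o->bRequireResidentKey != TRUE)
        return OPT_LARGE_BLOB_NEEDS_RESIDENT_KEY;
    return OPT_OK;
}

/* Returns 1 and fills *out when the returned structure carries bResidentKey (VERSION_4+),
 * 0 when it predates the field: the answer is then unknown, not FALSE. */
int attestation_resident_key(const CREDENTIAL_ATTESTATION_VIEW *att, BOOL *out)
{
    if (att->dwVersion < WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4) return 0;
    *out = att->bResidentKey;
    return 1;
}

/* Large-blob bytes are only meaningful when the structure has the VERSION_2 fields
 * and dwCredLargeBlobStatus reports success; otherwise there are 0 usable bytes. */
DWORD assertion_large_blob_len(const ASSERTION_VIEW *a)
{
    if (a->dwVersion < WEBAUTHN_ASSERTION_VERSION_2) return 0;
    if (a->dwCredLargeBlobStatus != WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS) return 0;
    return a->cbCredLargeBlob;
}

/* pHmacSecret exists from VERSION_3 and may still be NULL when nothing was requested. */
int assertion_has_hmac_secret(const ASSERTION_VIEW *a)
{
    return a->dwVersion >= WEBAUTHN_ASSERTION_VERSION_3 && a->pHmacSecret != NULL;
}

/* Constructed samples. In att_v3 the TRUE stands for whatever memory lies beyond a
 * VERSION_3 structure; a caller must never read it. */
const MAKE_CREDENTIAL_OPTIONS_VIEW opts_blob_without_rk = { 5, FALSE, WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED };
const MAKE_CREDENTIAL_OPTIONS_VIEW opts_blob_with_rk    = { 5, TRUE,  WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED };
const MAKE_CREDENTIAL_OPTIONS_VIEW opts_old_version     = { 3, FALSE, WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED };
const MAKE_CREDENTIAL_OPTIONS_VIEW opts_future_version  = { 9, TRUE,  WEBAUTHN_LARGE_BLOB_SUPPORT_NONE };
const CREDENTIAL_ATTESTATION_VIEW att_v3 = { 3, TRUE };
const CREDENTIAL_ATTESTATION_VIEW att_v4 = { 4, TRUE };
static int hmac_secret_placeholder;
const ASSERTION_VIEW asn_v1 = { 1, 64, WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS, NULL };
const ASSERTION_VIEW asn_v3 = { 3, 64, WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS, &hmac_secret_placeholder };
BOOL rk_out;
```

With the real header, the same functions take the PWEBAUTHN_CREDENTIAL_ATTESTATION and PWEBAUTHN_ASSERTION pointers returned by the API, and the caller releases them with WebAuthNFreeCredentialAttestation and WebAuthNFreeAssertion once the fields have been copied out.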