// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

#ifndef __WEBAUTHN_H_
#define __WEBAUTHN_H_

#pragma once

#include <winapifamily.h>

#ifdef _MSC_VER
#pragma region Desktop Family or OneCore Family
#endif
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)

#ifdef __cplusplus
extern "C" {
#endif

#ifndef WINAPI
#define WINAPI __stdcall
#endif

// guiddef.h is included with INITGUID defined so that the GUIDs this header
// uses are instantiated here; the macro is restored afterwards so that it does
// not leak into the including translation unit.
#ifndef INITGUID
#define INITGUID
#include <guiddef.h>
#undef INITGUID
#else
#include <guiddef.h>
#endif

//+------------------------------------------------------------------------------------------
// API Version Information.
// Callers should check the value returned by WebAuthNGetApiVersionNumber to confirm the
// presence of the APIs and features they intend to use before relying on them.
// The "sub version" listed for each data structure is the dwVersion value that structure
// accepts at that API version. Fields introduced by a later sub version are presumably not
// read by a platform that reports an older API version (confirm against the platform), so
// check the API version before depending on them.
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_API_VERSION_1 1
// WEBAUTHN_API_VERSION_1 : Baseline Version
// Data Structures and their sub versions:
// - WEBAUTHN_RP_ENTITY_INFORMATION : 1
// - WEBAUTHN_USER_ENTITY_INFORMATION : 1
// - WEBAUTHN_CLIENT_DATA : 1
// - WEBAUTHN_COSE_CREDENTIAL_PARAMETER : 1
// - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS : Not Applicable
// - WEBAUTHN_CREDENTIAL : 1
// - WEBAUTHN_CREDENTIALS : Not Applicable
// - WEBAUTHN_CREDENTIAL_EX : 1
// - WEBAUTHN_CREDENTIAL_LIST : Not Applicable
// - WEBAUTHN_EXTENSION : Not Applicable
// - WEBAUTHN_EXTENSIONS : Not Applicable
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 3
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 4
// - WEBAUTHN_COMMON_ATTESTATION : 1
// - WEBAUTHN_CREDENTIAL_ATTESTATION : 3
// - WEBAUTHN_ASSERTION : 1
// Extensions:
// - WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
// APIs:
// - WebAuthNGetApiVersionNumber
// - WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable
// - WebAuthNAuthenticatorMakeCredential
// - WebAuthNAuthenticatorGetAssertion
// - WebAuthNFreeCredentialAttestation
// - WebAuthNFreeAssertion
// - WebAuthNGetCancellationId
// - WebAuthNCancelCurrentOperation
// - WebAuthNGetErrorName
// - WebAuthNGetW3CExceptionDOMError

#define WEBAUTHN_API_VERSION_2 2
// WEBAUTHN_API_VERSION_2 : Delta From WEBAUTHN_API_VERSION_1
// Added Extensions:
// - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
//

#define WEBAUTHN_API_VERSION_3 3
// WEBAUTHN_API_VERSION_3 : Delta From WEBAUTHN_API_VERSION_2
// Data Structures and their sub versions:
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 4
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 5
// - WEBAUTHN_CREDENTIAL_ATTESTATION : 4
// - WEBAUTHN_ASSERTION : 2
// Added Extensions:
// - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
// - WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
//

#define WEBAUTHN_API_VERSION_4 4
// WEBAUTHN_API_VERSION_4 : Delta From WEBAUTHN_API_VERSION_3
// Data Structures and their sub versions:
// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 5
// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 6
// - WEBAUTHN_ASSERTION : 3
// APIs:
// - WebAuthNGetPlatformCredentialList
// - WebAuthNFreePlatformCredentialList
//

// The API version this header was written against; the running platform may report a
// lower value from WebAuthNGetApiVersionNumber.
#define WEBAUTHN_API_CURRENT_VERSION WEBAUTHN_API_VERSION_4

//+------------------------------------------------------------------------------------------
// Information about an RP Entity
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION 1

typedef struct _WEBAUTHN_RP_ENTITY_INFORMATION {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // Identifier for the RP. This field is required.
    // NOTE(review): this is the RP ID that credentials are scoped to; it should come from
    // the caller's own configuration rather than from untrusted input — confirm what
    // validation the platform applies to it.
    PCWSTR pwszId;

    // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site".
    // This field is required.
    PCWSTR pwszName;

    // Optional URL pointing to RP's logo.
    PCWSTR pwszIcon;
} WEBAUTHN_RP_ENTITY_INFORMATION, *PWEBAUTHN_RP_ENTITY_INFORMATION;
typedef const WEBAUTHN_RP_ENTITY_INFORMATION *PCWEBAUTHN_RP_ENTITY_INFORMATION;

//+------------------------------------------------------------------------------------------
// Information about a User Entity
//-------------------------------------------------------------------------------------------
#define WEBAUTHN_MAX_USER_ID_LENGTH 64

#define WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION 1

typedef struct _WEBAUTHN_USER_ENTITY_INFORMATION {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // Identifier for the User. This field is required.
    // cbId is the size of pbId in bytes; presumably it must not exceed
    // WEBAUTHN_MAX_USER_ID_LENGTH above — confirm against the platform.
    DWORD cbId;
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Contains a detailed name for this account, such as "john.p.smith@example.com".
    PCWSTR pwszName;

    // Optional URL that can be used to retrieve an image containing the user's current avatar,
    // or a data URI that contains the image data.
    PCWSTR pwszIcon;

    // For User: Contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith".
    PCWSTR pwszDisplayName;
} WEBAUTHN_USER_ENTITY_INFORMATION, *PWEBAUTHN_USER_ENTITY_INFORMATION;
typedef const WEBAUTHN_USER_ENTITY_INFORMATION *PCWEBAUTHN_USER_ENTITY_INFORMATION;

//+------------------------------------------------------------------------------------------
// Information about client data.
//-------------------------------------------------------------------------------------------

// Accepted values for WEBAUTHN_CLIENT_DATA.pwszHashAlgId.
#define WEBAUTHN_HASH_ALGORITHM_SHA_256 L"SHA-256"
#define WEBAUTHN_HASH_ALGORITHM_SHA_384 L"SHA-384"
#define WEBAUTHN_HASH_ALGORITHM_SHA_512 L"SHA-512"

#define WEBAUTHN_CLIENT_DATA_CURRENT_VERSION 1

typedef struct _WEBAUTHN_CLIENT_DATA {
    // Version of this structure, to allow for modifications in the future.
    // This field is required and should be set to CURRENT_VERSION above.
    DWORD dwVersion;

    // Size of the pbClientDataJSON field, in bytes.
    DWORD cbClientDataJSON;
    // UTF-8 encoded JSON serialization of the client data.
    // The bytes are hashed with pwszHashAlgId; the caller must therefore pass the exact
    // serialization it later verifies against, not a re-encoded copy.
    _Field_size_bytes_(cbClientDataJSON)
    PBYTE pbClientDataJSON;

    // Hash algorithm ID used to hash the pbClientDataJSON field.
    // One of the WEBAUTHN_HASH_ALGORITHM_* strings defined above.
    LPCWSTR pwszHashAlgId;
} WEBAUTHN_CLIENT_DATA, *PWEBAUTHN_CLIENT_DATA;
typedef const WEBAUTHN_CLIENT_DATA *PCWEBAUTHN_CLIENT_DATA;

//+------------------------------------------------------------------------------------------
// Information about credential parameters.
//-------------------------------------------------------------------------------------------

// The only credential type defined here; used for pwszCredentialType fields below.
#define WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY L"public-key"

// COSE algorithm identifiers (IANA COSE registry values). They are negative, which is why
// WEBAUTHN_COSE_CREDENTIAL_PARAMETER.lAlg is a signed LONG.
#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256 -7
#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P384_WITH_SHA384 -35
#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P521_WITH_SHA512 -36

#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA256 -257
#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA384 -258
#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA512 -259

#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA256 -37
#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA384 -38
#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA512 -39

#define WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION 1

typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETER {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Well-known credential type specifying a credential to create.
    // Expected to be WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY (defined above).
    LPCWSTR pwszCredentialType;

    // Well-known COSE algorithm specifying the algorithm to use for the credential.
    // One of the (negative) WEBAUTHN_COSE_ALGORITHM_* values defined above.
    LONG lAlg;
} WEBAUTHN_COSE_CREDENTIAL_PARAMETER, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETER *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETER;

// Array of cCredentialParameters WEBAUTHN_COSE_CREDENTIAL_PARAMETER structures.
typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETERS {
    DWORD cCredentialParameters;
    _Field_size_(cCredentialParameters)
    PWEBAUTHN_COSE_CREDENTIAL_PARAMETER pCredentialParameters;
} WEBAUTHN_COSE_CREDENTIAL_PARAMETERS, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETERS *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;

//+------------------------------------------------------------------------------------------
// Information about credential.
//-------------------------------------------------------------------------------------------
#define WEBAUTHN_CREDENTIAL_CURRENT_VERSION 1

typedef struct _WEBAUTHN_CREDENTIAL {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbId, in bytes.
    DWORD cbId;
    // Unique ID for this particular credential.
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Well-known credential type specifying what this particular credential is.
    // Expected to be WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY.
    LPCWSTR pwszCredentialType;
} WEBAUTHN_CREDENTIAL, *PWEBAUTHN_CREDENTIAL;
typedef const WEBAUTHN_CREDENTIAL *PCWEBAUTHN_CREDENTIAL;

// Array of cCredentials WEBAUTHN_CREDENTIAL structures (contiguous structs, not pointers;
// contrast WEBAUTHN_CREDENTIAL_LIST below).
typedef struct _WEBAUTHN_CREDENTIALS {
    DWORD cCredentials;
    _Field_size_(cCredentials)
    PWEBAUTHN_CREDENTIAL pCredentials;
} WEBAUTHN_CREDENTIALS, *PWEBAUTHN_CREDENTIALS;
typedef const WEBAUTHN_CREDENTIALS *PCWEBAUTHN_CREDENTIALS;

//+------------------------------------------------------------------------------------------
// Information about credential with extra information, such as, dwTransports
//-------------------------------------------------------------------------------------------

// Transport bit flags for WEBAUTHN_CREDENTIAL_EX.dwTransports. They may be OR'ed together;
// WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK covers exactly the five bits defined here.
#define WEBAUTHN_CTAP_TRANSPORT_USB 0x00000001
#define WEBAUTHN_CTAP_TRANSPORT_NFC 0x00000002
#define WEBAUTHN_CTAP_TRANSPORT_BLE 0x00000004
#define WEBAUTHN_CTAP_TRANSPORT_TEST 0x00000008
#define WEBAUTHN_CTAP_TRANSPORT_INTERNAL 0x00000010
#define WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK 0x0000001F

#define WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION 1

typedef struct _WEBAUTHN_CREDENTIAL_EX {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbId, in bytes.
    DWORD cbId;
    // Unique ID for this particular credential.
    _Field_size_bytes_(cbId)
    PBYTE pbId;

    // Well-known credential type specifying what this particular credential is.
    LPCWSTR pwszCredentialType;

    // Transports. 0 implies no transport restrictions.
    // Otherwise a combination of the WEBAUTHN_CTAP_TRANSPORT_* flags above.
    DWORD dwTransports;
} WEBAUTHN_CREDENTIAL_EX, *PWEBAUTHN_CREDENTIAL_EX;
typedef const WEBAUTHN_CREDENTIAL_EX *PCWEBAUTHN_CREDENTIAL_EX;

//+------------------------------------------------------------------------------------------
// Information about credential list with extra information
//-------------------------------------------------------------------------------------------

// Array of cCredentials pointers to WEBAUTHN_CREDENTIAL_EX structures.
// Note the double indirection: unlike WEBAUTHN_CREDENTIALS.pCredentials this is an array of
// pointers, so each element must be dereferenced separately.
typedef struct _WEBAUTHN_CREDENTIAL_LIST {
    DWORD cCredentials;
    _Field_size_(cCredentials)
    PWEBAUTHN_CREDENTIAL_EX *ppCredentials;
} WEBAUTHN_CREDENTIAL_LIST, *PWEBAUTHN_CREDENTIAL_LIST;
typedef const WEBAUTHN_CREDENTIAL_LIST *PCWEBAUTHN_CREDENTIAL_LIST;

//+------------------------------------------------------------------------------------------
// Credential Information for WebAuthNGetPlatformCredentialList API
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1 1
#define WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1

typedef struct _WEBAUTHN_CREDENTIAL_DETAILS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of pbCredentialID, in bytes.
    DWORD cbCredentialID;
    _Field_size_bytes_(cbCredentialID)
    PBYTE pbCredentialID;

    // RP Info (see WEBAUTHN_RP_ENTITY_INFORMATION above).
    PWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation;

    // User Info (see WEBAUTHN_USER_ENTITY_INFORMATION above).
    PWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation;
} WEBAUTHN_CREDENTIAL_DETAILS, *PWEBAUTHN_CREDENTIAL_DETAILS;
typedef const WEBAUTHN_CREDENTIAL_DETAILS *PCWEBAUTHN_CREDENTIAL_DETAILS;

// Array of cCredentialDetails pointers to WEBAUTHN_CREDENTIAL_DETAILS structures
// (array of pointers, as with WEBAUTHN_CREDENTIAL_LIST).
// Listed under WEBAUTHN_API_VERSION_4 together with WebAuthNGetPlatformCredentialList and
// WebAuthNFreePlatformCredentialList, which presumably produce and release it.
typedef struct _WEBAUTHN_CREDENTIAL_DETAILS_LIST {
    DWORD cCredentialDetails;
    _Field_size_(cCredentialDetails)
    PWEBAUTHN_CREDENTIAL_DETAILS *ppCredentialDetails;
} WEBAUTHN_CREDENTIAL_DETAILS_LIST, *PWEBAUTHN_CREDENTIAL_DETAILS_LIST;
typedef const WEBAUTHN_CREDENTIAL_DETAILS_LIST *PCWEBAUTHN_CREDENTIAL_DETAILS_LIST;

#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1 1
#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_CURRENT_VERSION WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1

typedef struct _WEBAUTHN_GET_CREDENTIALS_OPTIONS {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // RPID: limits the returned credentials to this Relying Party.
    LPCWSTR pwszRpId;

    // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
    BOOL bBrowserInPrivateMode;
} WEBAUTHN_GET_CREDENTIALS_OPTIONS, *PWEBAUTHN_GET_CREDENTIALS_OPTIONS;
typedef const WEBAUTHN_GET_CREDENTIALS_OPTIONS *PCWEBAUTHN_GET_CREDENTIALS_OPTIONS;

//+------------------------------------------------------------------------------------------
// PRF values.
//-------------------------------------------------------------------------------------------

// Length in bytes of one raw hmac-secret salt.
#define WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH 32

// SALT values below by default are converted into RAW Hmac-Secret values as per PRF extension.
// - SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || Value)
//
// Set WEBAUTHN_CTAP_HMAC_SECRET_VALUES_FLAG in dwFlags in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS,
// if caller wants to provide RAW Hmac-Secret SALT values directly. In that case,
// values if provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size.

typedef struct _WEBAUTHN_HMAC_SECRET_SALT {
    // Size of pbFirst, in bytes. When the raw-values flag described above is set this must
    // equal WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH.
    DWORD cbFirst;
    _Field_size_bytes_(cbFirst)
    PBYTE pbFirst; // Required

    // Size of pbSecond, in bytes. Same length rule as cbFirst when a value is supplied.
    DWORD cbSecond;
    _Field_size_bytes_(cbSecond)
    PBYTE pbSecond; // presumably optional (not marked Required) — confirm
} WEBAUTHN_HMAC_SECRET_SALT, *PWEBAUTHN_HMAC_SECRET_SALT;
typedef const WEBAUTHN_HMAC_SECRET_SALT *PCWEBAUTHN_HMAC_SECRET_SALT;

typedef struct _WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT {
    // Size of pbCredID, in bytes.
    DWORD cbCredID;
    _Field_size_bytes_(cbCredID)
    PBYTE pbCredID; // Required

    // PRF Values for above credential
    PWEBAUTHN_HMAC_SECRET_SALT pHmacSecretSalt; // Required
} WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT, *PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT;
typedef const WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT *PCWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT;

typedef struct _WEBAUTHN_HMAC_SECRET_SALT_VALUES {
    // Salt not tied to a particular credential. NOTE(review): presumably used when no entry
    // in pCredWithHmacSecretSaltList matches the selected credential — confirm.
    PWEBAUTHN_HMAC_SECRET_SALT pGlobalHmacSalt;

    // Array of cCredWithHmacSecretSaltList per-credential salts.
    DWORD cCredWithHmacSecretSaltList;
    _Field_size_(cCredWithHmacSecretSaltList)
    PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT pCredWithHmacSecretSaltList;
} WEBAUTHN_HMAC_SECRET_SALT_VALUES, *PWEBAUTHN_HMAC_SECRET_SALT_VALUES;
typedef const WEBAUTHN_HMAC_SECRET_SALT_VALUES *PCWEBAUTHN_HMAC_SECRET_SALT_VALUES;

//+------------------------------------------------------------------------------------------
// Hmac-Secret extension
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET L"hmac-secret"
// Below type definitions are for WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
// (pvExtension / cbExtension refer to the WEBAUTHN_EXTENSION fields defined further below).
// MakeCredential Input Type: BOOL.
// - pvExtension must point to a BOOL with the value TRUE.
// - cbExtension must contain the sizeof(BOOL).
// MakeCredential Output Type: BOOL.
// - pvExtension will point to a BOOL with the value TRUE if credential
// was successfully created with HMAC_SECRET.
// - cbExtension will contain the sizeof(BOOL).
// GetAssertion Input Type: Not Supported
// GetAssertion Output Type: Not Supported

//+------------------------------------------------------------------------------------------
// credProtect extension
//-------------------------------------------------------------------------------------------

// credProtect levels for WEBAUTHN_CRED_PROTECT_EXTENSION_IN.dwCredProtect.
// Not to be confused with the WEBAUTHN_USER_VERIFICATION_REQUIREMENT_* values further below,
// which share a prefix but apply to dwUserVerificationRequirement and use a different numbering.
#define WEBAUTHN_USER_VERIFICATION_ANY 0
#define WEBAUTHN_USER_VERIFICATION_OPTIONAL 1
#define WEBAUTHN_USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST 2
#define WEBAUTHN_USER_VERIFICATION_REQUIRED 3

typedef struct _WEBAUTHN_CRED_PROTECT_EXTENSION_IN {
    // One of the above WEBAUTHN_USER_VERIFICATION_* values
    DWORD dwCredProtect;
    // Set the following to TRUE to require authenticator support for the credProtect extension.
    // When FALSE, a credential can presumably still be created on an authenticator without
    // credProtect support; check the MakeCredential output below to learn which level, if
    // any, was actually applied.
    BOOL bRequireCredProtect;
} WEBAUTHN_CRED_PROTECT_EXTENSION_IN, *PWEBAUTHN_CRED_PROTECT_EXTENSION_IN;
typedef const WEBAUTHN_CRED_PROTECT_EXTENSION_IN *PCWEBAUTHN_CRED_PROTECT_EXTENSION_IN;


#define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT L"credProtect"
// Below type definitions are for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
// MakeCredential Input Type: WEBAUTHN_CRED_PROTECT_EXTENSION_IN.
// - pvExtension must point to a WEBAUTHN_CRED_PROTECT_EXTENSION_IN struct
// - cbExtension will contain the sizeof(WEBAUTHN_CRED_PROTECT_EXTENSION_IN).
// MakeCredential Output Type: DWORD.
// - pvExtension will point to a DWORD with one of the above WEBAUTHN_USER_VERIFICATION_* values
// if credential was successfully created with CRED_PROTECT.
// - cbExtension will contain the sizeof(DWORD).
// GetAssertion Input Type: Not Supported
// GetAssertion Output Type: Not Supported

//+------------------------------------------------------------------------------------------
// credBlob extension
//-------------------------------------------------------------------------------------------

typedef struct _WEBAUTHN_CRED_BLOB_EXTENSION {
    // Size of pbCredBlob, in bytes.
    DWORD cbCredBlob;
    _Field_size_bytes_(cbCredBlob)
    PBYTE pbCredBlob;
} WEBAUTHN_CRED_BLOB_EXTENSION, *PWEBAUTHN_CRED_BLOB_EXTENSION;
typedef const WEBAUTHN_CRED_BLOB_EXTENSION *PCWEBAUTHN_CRED_BLOB_EXTENSION;


#define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB L"credBlob"
// Below type definitions are for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
// MakeCredential Input Type: WEBAUTHN_CRED_BLOB_EXTENSION.
// - pvExtension must point to a WEBAUTHN_CRED_BLOB_EXTENSION struct
// - cbExtension must contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION).
// MakeCredential Output Type: BOOL.
// - pvExtension will point to a BOOL with the value TRUE if credBlob was successfully created
// - cbExtension will contain the sizeof(BOOL).
// GetAssertion Input Type: BOOL.
// - pvExtension must point to a BOOL with the value TRUE to request the credBlob.
// - cbExtension must contain the sizeof(BOOL).
// GetAssertion Output Type: WEBAUTHN_CRED_BLOB_EXTENSION.
// - pvExtension will point to a WEBAUTHN_CRED_BLOB_EXTENSION struct if the authenticator
// returns the credBlob in the signed extensions
// - cbExtension will contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION).

//+------------------------------------------------------------------------------------------
// minPinLength extension
//-------------------------------------------------------------------------------------------

#define WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH L"minPinLength"
// Below type definitions are for WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
// MakeCredential Input Type: BOOL.
// - pvExtension must point to a BOOL with the value TRUE to request the minPinLength.
// - cbExtension must contain the sizeof(BOOL).
// MakeCredential Output Type: DWORD.
// - pvExtension will point to a DWORD with the minimum pin length if returned by the authenticator
// - cbExtension will contain the sizeof(DWORD).
// GetAssertion Input Type: Not Supported
// GetAssertion Output Type: Not Supported

//+------------------------------------------------------------------------------------------
// Information about Extensions.
//-------------------------------------------------------------------------------------------
// One extension input or output. pvExtension is untyped: the payload's real type is
// determined solely by pwszExtensionIdentifier, per the per-extension notes above, and
// cbExtension must match the sizeof of that type. Callers reading an output should verify
// the identifier and that cbExtension equals the expected size before casting pvExtension.
typedef struct _WEBAUTHN_EXTENSION {
    // One of the WEBAUTHN_EXTENSIONS_IDENTIFIER_* strings.
    LPCWSTR pwszExtensionIdentifier;
    // Size in bytes of the object pvExtension points to.
    DWORD cbExtension;
    // Pointer to the extension-specific input or output object.
    PVOID pvExtension;
} WEBAUTHN_EXTENSION, *PWEBAUTHN_EXTENSION;
typedef const WEBAUTHN_EXTENSION *PCWEBAUTHN_EXTENSION;

// Array of cExtensions WEBAUTHN_EXTENSION structures.
typedef struct _WEBAUTHN_EXTENSIONS {
    DWORD cExtensions;
    _Field_size_(cExtensions)
    PWEBAUTHN_EXTENSION pExtensions;
} WEBAUTHN_EXTENSIONS, *PWEBAUTHN_EXTENSIONS;
typedef const WEBAUTHN_EXTENSIONS *PCWEBAUTHN_EXTENSIONS;

//+------------------------------------------------------------------------------------------
// Options.
//-------------------------------------------------------------------------------------------

// Values for dwAuthenticatorAttachment.
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY 0
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM 1
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM 2
#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2 3

// Values for dwUserVerificationRequirement. Distinct from the credProtect
// WEBAUTHN_USER_VERIFICATION_* levels defined earlier in this header, which use a
// different numbering despite the similar names.
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY 0
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED 1
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED 2
#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED 3

// Values for dwAttestationConveyancePreference.
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY 0
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE 1
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT 2
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT 3

// Values for dwEnterpriseAttestation (MAKE_CREDENTIAL_OPTIONS version 4 and later).
#define WEBAUTHN_ENTERPRISE_ATTESTATION_NONE 0
#define WEBAUTHN_ENTERPRISE_ATTESTATION_VENDOR_FACILITATED 1
#define WEBAUTHN_ENTERPRISE_ATTESTATION_PLATFORM_MANAGED 2

// Values for dwLargeBlobSupport (MAKE_CREDENTIAL_OPTIONS version 4 and later).
// REQUIRED and PREFERRED are only valid together with bRequireResidentKey == TRUE;
// otherwise the operation fails with NTE_INVALID_PARAMETER (see the field comment).
#define WEBAUTHN_LARGE_BLOB_SUPPORT_NONE 0
#define WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED 1
#define WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED 2

// Sub versions of WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS; each later version
// appends fields, see the "added in ..." markers inside the structure.
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_1 1
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 2
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 3
#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 4
518*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 5 519*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 520*2d40c451Schristos 521*2d40c451Schristos typedef struct _WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS { 522*2d40c451Schristos // Version of this structure, to allow for modifications in the future. 523*2d40c451Schristos DWORD dwVersion; 524*2d40c451Schristos 525*2d40c451Schristos // Time that the operation is expected to complete within. 526*2d40c451Schristos // This is used as guidance, and can be overridden by the platform. 527*2d40c451Schristos DWORD dwTimeoutMilliseconds; 528*2d40c451Schristos 529*2d40c451Schristos // Credentials used for exclusion. 530*2d40c451Schristos WEBAUTHN_CREDENTIALS CredentialList; 531*2d40c451Schristos 532*2d40c451Schristos // Optional extensions to parse when performing the operation. 533*2d40c451Schristos WEBAUTHN_EXTENSIONS Extensions; 534*2d40c451Schristos 535*2d40c451Schristos // Optional. Platform vs Cross-Platform Authenticators. 536*2d40c451Schristos DWORD dwAuthenticatorAttachment; 537*2d40c451Schristos 538*2d40c451Schristos // Optional. Require key to be resident or not. Defaulting to FALSE. 539*2d40c451Schristos BOOL bRequireResidentKey; 540*2d40c451Schristos 541*2d40c451Schristos // User Verification Requirement. 542*2d40c451Schristos DWORD dwUserVerificationRequirement; 543*2d40c451Schristos 544*2d40c451Schristos // Attestation Conveyance Preference. 
545*2d40c451Schristos DWORD dwAttestationConveyancePreference; 546*2d40c451Schristos 547*2d40c451Schristos // Reserved for future Use 548*2d40c451Schristos DWORD dwFlags; 549*2d40c451Schristos 550*2d40c451Schristos // 551*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 552*2d40c451Schristos // 553*2d40c451Schristos 554*2d40c451Schristos // Cancellation Id - Optional - See WebAuthNGetCancellationId 555*2d40c451Schristos GUID *pCancellationId; 556*2d40c451Schristos 557*2d40c451Schristos // 558*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 559*2d40c451Schristos // 560*2d40c451Schristos 561*2d40c451Schristos // Exclude Credential List. If present, "CredentialList" will be ignored. 562*2d40c451Schristos PWEBAUTHN_CREDENTIAL_LIST pExcludeCredentialList; 563*2d40c451Schristos 564*2d40c451Schristos // 565*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 566*2d40c451Schristos // 567*2d40c451Schristos 568*2d40c451Schristos // Enterprise Attestation 569*2d40c451Schristos DWORD dwEnterpriseAttestation; 570*2d40c451Schristos 571*2d40c451Schristos // Large Blob Support: none, required or preferred 572*2d40c451Schristos // 573*2d40c451Schristos // NTE_INVALID_PARAMETER when large blob required or preferred and 574*2d40c451Schristos // bRequireResidentKey isn't set to TRUE 575*2d40c451Schristos DWORD dwLargeBlobSupport; 576*2d40c451Schristos 577*2d40c451Schristos // Optional. Prefer key to be resident. Defaulting to FALSE. When TRUE, 578*2d40c451Schristos // overrides the above bRequireResidentKey. 
579*2d40c451Schristos BOOL bPreferResidentKey; 580*2d40c451Schristos 581*2d40c451Schristos // 582*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 583*2d40c451Schristos // 584*2d40c451Schristos 585*2d40c451Schristos // Optional. BrowserInPrivate Mode. Defaulting to FALSE. 586*2d40c451Schristos BOOL bBrowserInPrivateMode; 587*2d40c451Schristos 588*2d40c451Schristos } WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS; 589*2d40c451Schristos typedef const WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS; 590*2d40c451Schristos 591*2d40c451Schristos #define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_NONE 0 592*2d40c451Schristos #define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_GET 1 593*2d40c451Schristos #define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_SET 2 594*2d40c451Schristos #define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_DELETE 3 595*2d40c451Schristos 596*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1 1 597*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2 2 598*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3 3 599*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4 4 600*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5 5 601*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 6 602*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 603*2d40c451Schristos 604*2d40c451Schristos /* 605*2d40c451Schristos Information about flags. 
606*2d40c451Schristos */ 607*2d40c451Schristos 608*2d40c451Schristos #define WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG 0x00100000 609*2d40c451Schristos 610*2d40c451Schristos typedef struct _WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS { 611*2d40c451Schristos // Version of this structure, to allow for modifications in the future. 612*2d40c451Schristos DWORD dwVersion; 613*2d40c451Schristos 614*2d40c451Schristos // Time that the operation is expected to complete within. 615*2d40c451Schristos // This is used as guidance, and can be overridden by the platform. 616*2d40c451Schristos DWORD dwTimeoutMilliseconds; 617*2d40c451Schristos 618*2d40c451Schristos // Allowed Credentials List. 619*2d40c451Schristos WEBAUTHN_CREDENTIALS CredentialList; 620*2d40c451Schristos 621*2d40c451Schristos // Optional extensions to parse when performing the operation. 622*2d40c451Schristos WEBAUTHN_EXTENSIONS Extensions; 623*2d40c451Schristos 624*2d40c451Schristos // Optional. Platform vs Cross-Platform Authenticators. 625*2d40c451Schristos DWORD dwAuthenticatorAttachment; 626*2d40c451Schristos 627*2d40c451Schristos // User Verification Requirement. 628*2d40c451Schristos DWORD dwUserVerificationRequirement; 629*2d40c451Schristos 630*2d40c451Schristos // Flags 631*2d40c451Schristos DWORD dwFlags; 632*2d40c451Schristos 633*2d40c451Schristos // 634*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2 635*2d40c451Schristos // 636*2d40c451Schristos 637*2d40c451Schristos // Optional identifier for the U2F AppId. Converted to UTF8 before being hashed. Not lower cased. 
638*2d40c451Schristos PCWSTR pwszU2fAppId; 639*2d40c451Schristos 640*2d40c451Schristos // If the following is non-NULL, then, set to TRUE if the above pwszU2fAppid was used instead of 641*2d40c451Schristos // PCWSTR pwszRpId; 642*2d40c451Schristos BOOL *pbU2fAppId; 643*2d40c451Schristos 644*2d40c451Schristos // 645*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3 646*2d40c451Schristos // 647*2d40c451Schristos 648*2d40c451Schristos // Cancellation Id - Optional - See WebAuthNGetCancellationId 649*2d40c451Schristos GUID *pCancellationId; 650*2d40c451Schristos 651*2d40c451Schristos // 652*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4 653*2d40c451Schristos // 654*2d40c451Schristos 655*2d40c451Schristos // Allow Credential List. If present, "CredentialList" will be ignored. 656*2d40c451Schristos PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList; 657*2d40c451Schristos 658*2d40c451Schristos // 659*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5 660*2d40c451Schristos // 661*2d40c451Schristos 662*2d40c451Schristos DWORD dwCredLargeBlobOperation; 663*2d40c451Schristos 664*2d40c451Schristos // Size of pbCredLargeBlob 665*2d40c451Schristos DWORD cbCredLargeBlob; 666*2d40c451Schristos _Field_size_bytes_(cbCredLargeBlob) 667*2d40c451Schristos PBYTE pbCredLargeBlob; 668*2d40c451Schristos 669*2d40c451Schristos // 670*2d40c451Schristos // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 671*2d40c451Schristos // 672*2d40c451Schristos 673*2d40c451Schristos // PRF values which will be converted into HMAC-SECRET values according to WebAuthn Spec. 674*2d40c451Schristos PWEBAUTHN_HMAC_SECRET_SALT_VALUES pHmacSecretSaltValues; 675*2d40c451Schristos 676*2d40c451Schristos // Optional. BrowserInPrivate Mode. Defaulting to FALSE. 
677*2d40c451Schristos BOOL bBrowserInPrivateMode; 678*2d40c451Schristos 679*2d40c451Schristos } WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS; 680*2d40c451Schristos typedef const WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS; 681*2d40c451Schristos 682*2d40c451Schristos 683*2d40c451Schristos //+------------------------------------------------------------------------------------------ 684*2d40c451Schristos // Attestation Info. 685*2d40c451Schristos // 686*2d40c451Schristos //------------------------------------------------------------------------------------------- 687*2d40c451Schristos #define WEBAUTHN_ATTESTATION_DECODE_NONE 0 688*2d40c451Schristos #define WEBAUTHN_ATTESTATION_DECODE_COMMON 1 689*2d40c451Schristos // WEBAUTHN_ATTESTATION_DECODE_COMMON supports format types 690*2d40c451Schristos // L"packed" 691*2d40c451Schristos // L"fido-u2f" 692*2d40c451Schristos 693*2d40c451Schristos #define WEBAUTHN_ATTESTATION_VER_TPM_2_0 L"2.0" 694*2d40c451Schristos 695*2d40c451Schristos typedef struct _WEBAUTHN_X5C { 696*2d40c451Schristos // Length of X.509 encoded certificate 697*2d40c451Schristos DWORD cbData; 698*2d40c451Schristos // X.509 encoded certificate bytes 699*2d40c451Schristos _Field_size_bytes_(cbData) 700*2d40c451Schristos PBYTE pbData; 701*2d40c451Schristos } WEBAUTHN_X5C, *PWEBAUTHN_X5C; 702*2d40c451Schristos 703*2d40c451Schristos // Supports either Self or Full Basic Attestation 704*2d40c451Schristos 705*2d40c451Schristos // Note, new fields will be added to the following data structure to 706*2d40c451Schristos // support additional attestation format types, such as, TPM. 707*2d40c451Schristos // When fields are added, the dwVersion will be incremented. 
//
// Therefore, your code must make the following check:
//  "if (dwVersion >= WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION)"

#define WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION                             1

// Decoded attestation statement. Reached through
// WEBAUTHN_CREDENTIAL_ATTESTATION.pvAttestationDecode when that structure's
// dwAttestationDecodeType is WEBAUTHN_ATTESTATION_DECODE_COMMON. Presumably owned by the
// enclosing WEBAUTHN_CREDENTIAL_ATTESTATION and released with it - confirm.
typedef struct _WEBAUTHN_COMMON_ATTESTATION {
    // Version of this structure, to allow for modifications in the future.
    // Compare against WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION before reading
    // fields that a newer version may add (see the note above).
    DWORD dwVersion;

    // Hash and Padding Algorithm
    //
    // The following won't be set for "fido-u2f" which assumes "ES256".
    PCWSTR pwszAlg;
    LONG lAlg;      // COSE algorithm

    // Signature that was generated for this attestation.
    DWORD cbSignature;
    _Field_size_bytes_(cbSignature)
    PBYTE pbSignature;

    // Following is set for Full Basic Attestation. If not, set then, this is Self Attestation.
    // Array of X.509 DER encoded certificates. The first certificate is the signer, leaf certificate.
    // When cX5c is 0 there is no certificate chain for a verifier to validate (self attestation).
    DWORD cX5c;
    _Field_size_(cX5c)
    PWEBAUTHN_X5C pX5c;

    // Following are also set for tpm
    PCWSTR pwszVer;     // L"2.0" (WEBAUTHN_ATTESTATION_VER_TPM_2_0)
    DWORD cbCertInfo;
    _Field_size_bytes_(cbCertInfo)
    PBYTE pbCertInfo;
    DWORD cbPubArea;
    _Field_size_bytes_(cbPubArea)
    PBYTE pbPubArea;
} WEBAUTHN_COMMON_ATTESTATION, *PWEBAUTHN_COMMON_ATTESTATION;
typedef const WEBAUTHN_COMMON_ATTESTATION *PCWEBAUTHN_COMMON_ATTESTATION;

// Attestation format type strings (WEBAUTHN_CREDENTIAL_ATTESTATION.pwszFormatType).
#define WEBAUTHN_ATTESTATION_TYPE_PACKED                                        L"packed"
#define WEBAUTHN_ATTESTATION_TYPE_U2F                                           L"fido-u2f"
#define WEBAUTHN_ATTESTATION_TYPE_TPM                                           L"tpm"
#define WEBAUTHN_ATTESTATION_TYPE_NONE                                          L"none"

// Structure versions for WEBAUTHN_CREDENTIAL_ATTESTATION.
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_1                               1
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2                               2
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3                               3
#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4                               4
#define WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION                         WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4

// Result of WebAuthNAuthenticatorMakeCredential (*ppWebAuthNCredentialAttestation).
// Allocated by the platform; release with WebAuthNFreeCredentialAttestation. Check
// dwVersion before reading fields added in later versions.
typedef struct _WEBAUTHN_CREDENTIAL_ATTESTATION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Attestation format type
    // One of the WEBAUTHN_ATTESTATION_TYPE_* strings.
    PCWSTR pwszFormatType;

    // Size of cbAuthenticatorData.
    DWORD cbAuthenticatorData;
    // Authenticator data that was created for this credential.
    _Field_size_bytes_(cbAuthenticatorData)
    PBYTE pbAuthenticatorData;

    // Size of CBOR encoded attestation information
    //0 => encoded as CBOR null value.
    DWORD cbAttestation;
    //Encoded CBOR attestation information
    _Field_size_bytes_(cbAttestation)
    PBYTE pbAttestation;

    // One of WEBAUTHN_ATTESTATION_DECODE_*. Always test this before casting
    // pvAttestationDecode: the pointee type depends on it.
    DWORD dwAttestationDecodeType;
    // Following depends on the dwAttestationDecodeType
    //  WEBAUTHN_ATTESTATION_DECODE_NONE
    //      NULL - not able to decode the CBOR attestation information
    //  WEBAUTHN_ATTESTATION_DECODE_COMMON
    //      PWEBAUTHN_COMMON_ATTESTATION;
    PVOID pvAttestationDecode;

    // The CBOR encoded Attestation Object to be returned to the RP.
    DWORD cbAttestationObject;
    _Field_size_bytes_(cbAttestationObject)
    PBYTE pbAttestationObject;

    // The CredentialId bytes extracted from the Authenticator Data.
    // Used by Edge to return to the RP.
    DWORD cbCredentialId;
    _Field_size_bytes_(cbCredentialId)
    PBYTE pbCredentialId;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2
    //

    // Extensions returned for this credential (presumably the extension outputs matching
    // the Extensions requested in the make-credential options - confirm).
    WEBAUTHN_EXTENSIONS Extensions;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3
    //

    // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
    // the transport that was used.
    DWORD dwUsedTransport;

    //
    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4
    //

    // Not documented here. By name, whether enterprise attestation was performed
    // (cf. dwEnterpriseAttestation in the make-credential options) - confirm.
    BOOL bEpAtt;
    // By name, whether the created credential supports large blob storage - confirm.
    BOOL bLargeBlobSupported;
    // By name, whether the credential was created as a resident key - confirm.
    BOOL bResidentKey;

} WEBAUTHN_CREDENTIAL_ATTESTATION, *PWEBAUTHN_CREDENTIAL_ATTESTATION;
typedef const WEBAUTHN_CREDENTIAL_ATTESTATION *PCWEBAUTHN_CREDENTIAL_ATTESTATION;


//+------------------------------------------------------------------------------------------
// authenticatorGetAssertion output.
//-------------------------------------------------------------------------------------------

// Values for WEBAUTHN_ASSERTION.dwCredLargeBlobStatus: the outcome of the
// dwCredLargeBlobOperation requested in the get-assertion options.
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NONE                                    0
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS                                 1
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_SUPPORTED                           2
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_DATA                            3
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_PARAMETER                       4
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_FOUND                               5
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_MULTIPLE_CREDENTIALS                    6
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_LACK_OF_SPACE                           7
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_PLATFORM_ERROR                          8
#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_AUTHENTICATOR_ERROR                     9

// Structure versions for WEBAUTHN_ASSERTION.
#define WEBAUTHN_ASSERTION_VERSION_1                                            1
#define WEBAUTHN_ASSERTION_VERSION_2                                            2
#define WEBAUTHN_ASSERTION_VERSION_3                                            3
#define WEBAUTHN_ASSERTION_CURRENT_VERSION                                      WEBAUTHN_ASSERTION_VERSION_3

// Result of WebAuthNAuthenticatorGetAssertion (*ppWebAuthNAssertion). Allocated by the
// platform; release with WebAuthNFreeAssertion. Check dwVersion before reading fields
// added in later versions.
typedef struct _WEBAUTHN_ASSERTION {
    // Version of this structure, to allow for modifications in the future.
    DWORD dwVersion;

    // Size of cbAuthenticatorData.
    DWORD cbAuthenticatorData;
    // Authenticator data that was created for this assertion.
    _Field_size_bytes_(cbAuthenticatorData)
    PBYTE pbAuthenticatorData;

    // Size of pbSignature.
    DWORD cbSignature;
    // Signature that was generated for this assertion.
    _Field_size_bytes_(cbSignature)
    PBYTE pbSignature;

    // Credential that was used for this assertion.
    WEBAUTHN_CREDENTIAL Credential;

    // Size of User Id
    DWORD cbUserId;
    // UserId
    _Field_size_bytes_(cbUserId)
    PBYTE pbUserId;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_2
    //

    // Extensions returned with this assertion (presumably the outputs matching the
    // Extensions requested in the get-assertion options - confirm).
    WEBAUTHN_EXTENSIONS Extensions;

    // Size of pbCredLargeBlob
    DWORD cbCredLargeBlob;
    // Large blob bytes returned for the requested dwCredLargeBlobOperation; presumably only
    // meaningful when dwCredLargeBlobStatus is WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS - confirm.
    _Field_size_bytes_(cbCredLargeBlob)
    PBYTE pbCredLargeBlob;

    // One of WEBAUTHN_CRED_LARGE_BLOB_STATUS_*.
    DWORD dwCredLargeBlobStatus;

    //
    // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_3
    //

    // HMAC-secret output; counterpart of pHmacSecretSaltValues in the get-assertion
    // options (presumably - confirm). The pointee type is declared elsewhere in this header.
    PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret;

} WEBAUTHN_ASSERTION, *PWEBAUTHN_ASSERTION;
typedef const WEBAUTHN_ASSERTION *PCWEBAUTHN_ASSERTION;

//+------------------------------------------------------------------------------------------
// APIs.
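//-------------------------------------------------------------------------------------------
// All entry points use the WINAPI calling convention defined near the top of this header.
// Functions returning HRESULT report failure through that value; WebAuthNGetErrorName maps
// it to a WebAuthn error name.

// Returns the API version supported by the platform (WEBAUTHN_API_VERSION_*). Callers should
// check it before relying on newer structure versions, extensions or entry points.
// Declared with an explicit (void) parameter list: in C, an empty list "()" declares an
// unprototyped function and does not check the argument count at call sites.
DWORD
WINAPI
WebAuthNGetApiVersionNumber(void);

// Sets *pbIsUserVerifyingPlatformAuthenticatorAvailable to whether a user-verifying
// platform authenticator is available. Returns an HRESULT.
HRESULT
WINAPI
WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable(
    _Out_ BOOL *pbIsUserVerifyingPlatformAuthenticatorAvailable);


// Creates a new credential.
//   hWnd                            - window handle passed to the platform (presumably the
//                                     owner of any UI shown - confirm)
//   pRpInformation                  - relying party entity information
//   pUserInformation                - user entity information
//   pPubKeyCredParams               - acceptable COSE credential parameters
//   pWebAuthNClientData             - client data for this operation
//   pWebAuthNMakeCredentialOptions  - optional; NULL allowed (_In_opt_)
//   ppWebAuthNCredentialAttestation - receives the result. Annotated
//                                     _Outptr_result_maybenull_, so check the HRESULT and
//                                     the pointer before use. Release with
//                                     WebAuthNFreeCredentialAttestation.
HRESULT
WINAPI
WebAuthNAuthenticatorMakeCredential(
    _In_        HWND                                                hWnd,
    _In_        PCWEBAUTHN_RP_ENTITY_INFORMATION                    pRpInformation,
    _In_        PCWEBAUTHN_USER_ENTITY_INFORMATION                  pUserInformation,
    _In_        PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS               pPubKeyCredParams,
    _In_        PCWEBAUTHN_CLIENT_DATA                              pWebAuthNClientData,
    _In_opt_    PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    pWebAuthNMakeCredentialOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION      *ppWebAuthNCredentialAttestation);


// Obtains an assertion from an existing credential.
//   hWnd                          - window handle passed to the platform (see above)
//   pwszRpId                      - relying party id. The options' pbU2fAppId output tells
//                                   the caller whether pwszU2fAppId was used instead of it.
//   pWebAuthNClientData           - client data for this operation
//   pWebAuthNGetAssertionOptions  - optional; NULL allowed (_In_opt_)
//   ppWebAuthNAssertion           - receives the result. Annotated _Outptr_result_maybenull_,
//                                   so check the HRESULT and the pointer before use. Release
//                                   with WebAuthNFreeAssertion.
HRESULT
WINAPI
WebAuthNAuthenticatorGetAssertion(
    _In_        HWND                                                hWnd,
    _In_        LPCWSTR                                             pwszRpId,
    _In_        PCWEBAUTHN_CLIENT_DATA                              pWebAuthNClientData,
    _In_opt_    PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      pWebAuthNGetAssertionOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_ASSERTION                   *ppWebAuthNAssertion);

// Releases a structure returned by WebAuthNAuthenticatorMakeCredential.
// Annotated _In_opt_: NULL is accepted.
void
WINAPI
WebAuthNFreeCredentialAttestation(
    _In_opt_    PWEBAUTHN_CREDENTIAL_ATTESTATION                    pWebAuthNCredentialAttestation);

// Releases a structure returned by WebAuthNAuthenticatorGetAssertion.
// Annotated _In_ (not _In_opt_), unlike WebAuthNFreeCredentialAttestation: NULL is not
// documented as accepted, so guard the call on the pointer.
void
WINAPI
WebAuthNFreeAssertion(
    _In_        PWEBAUTHN_ASSERTION                                 pWebAuthNAssertion);

// Fills *pCancellationId with an id to place in the pCancellationId field of the
// make-credential or get-assertion options.
HRESULT
WINAPI
WebAuthNGetCancellationId(
    _Out_       GUID*                                               pCancellationId);

// Cancels the operation that was started with the given cancellation id.
HRESULT
WINAPI
WebAuthNCancelCurrentOperation(
    _In_        const GUID*                                         pCancellationId);

// Retrieves the list of platform credentials selected by pGetCredentialsOptions.
// *ppCredentialDetailsList may be NULL (_Outptr_result_maybenull_); release it with
// WebAuthNFreePlatformCredentialList. Both parameter types are declared elsewhere in this
// header.
HRESULT
WINAPI
WebAuthNGetPlatformCredentialList(
    _In_        PCWEBAUTHN_GET_CREDENTIALS_OPTIONS                  pGetCredentialsOptions,
    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST     *ppCredentialDetailsList);

// Releases a list returned by WebAuthNGetPlatformCredentialList.
void
WINAPI
WebAuthNFreePlatformCredentialList(
    _In_        PWEBAUTHN_CREDENTIAL_DETAILS_LIST                   pCredentialDetailsList);

// Maps an HRESULT from the APIs above to a WebAuthn error name.
//
// Returns the following Error Names:
//  L"Success"              - S_OK
//  L"InvalidStateError"    - NTE_EXISTS
//  L"ConstraintError"      - HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED),
//                            NTE_NOT_SUPPORTED,
//                            NTE_TOKEN_KEYSET_STORAGE_FULL
//  L"NotSupportedError"    - NTE_INVALID_PARAMETER
//  L"NotAllowedError"      - NTE_DEVICE_NOT_FOUND,
//                            NTE_NOT_FOUND,
//                            HRESULT_FROM_WIN32(ERROR_CANCELLED),
//                            NTE_USER_CANCELLED,
//                            HRESULT_FROM_WIN32(ERROR_TIMEOUT)
//  L"UnknownError"         - All other hr values
//
PCWSTR
WINAPI
WebAuthNGetErrorName(
    _In_ HRESULT hr);

// Maps an HRESULT from the APIs above to a W3C DOMException-style HRESULT. The exact
// mapping is not documented here - confirm against the platform documentation.
HRESULT
WINAPI
WebAuthNGetW3CExceptionDOMError(
    _In_ HRESULT hr);


#ifdef __cplusplus
}       // Balance extern "C" above
#endif

#endif // WINAPI_FAMILY_PARTITION
#ifdef _MSC_VER
#pragma endregion
#endif

#endif // __WEBAUTHN_H_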