Struct passkey_types::Passkey
pub struct Passkey {
    pub key: CoseKey,
    pub credential_id: Bytes,
    pub rp_id: String,
    pub user_handle: Option<Bytes>,
    pub counter: Option<u32>,
}
The private WebAuthn credential containing all relevant required and optional information for an authentication ceremony.
The WebAuthn term for this is a Public Key Credential Source.
Personally Identifying Information (PII) considerations
While this struct implements Debug, it only prints the following fields:
- the CoseKey::kty enum from the Self::key field,
- Self::counter, which is the number of times this was used to authenticate.
The rest of this struct should be considered secret, either for cryptographic security, or because its value could be used as PII.
Fields
key: CoseKey
The private key in COSE key format.
PII considerations
This value should be considered secret and never printed out, as it is a secret cryptographic key. The only thing that gets printed in the Debug implementation is the key type, e.g. EC2, RSA, etc.
credential_id: Bytes
A probabilistically-unique byte sequence identifying this Passkey. It must be at most 1023 bytes long.
Credential IDs are generated by authenticators in two forms:
- At least 16 bytes that include at least 100 bits of entropy, or
- The Passkey item, without its credential_id, encrypted so only its managing authenticator can decrypt it. This form allows the authenticator to be nearly stateless, by having the Relying Party store any necessary state.
Relying Parties do not need to distinguish these two credential ID forms.
PII considerations
This value should be considered secret as it is the user’s credential ID for the associated Relying Party. See Privacy leak via credential IDs for more information.
rp_id: String
The Relying Party ID with which the Passkey is associated. This value mirrors the webauthn::PublicKeyCredentialRpEntity::id value passed during the creation of this credential.
PII considerations
This should be handled similarly to a URL. Since this is a user credential for a Relying Party, this would leak the fact that a user has an account for this particular Relying Party.
user_handle: Option<Bytes>
This is the webauthn::PublicKeyCredentialUserEntity::id passed in during the creation of this credential. An Authenticator can choose to store this or not. If it stores this value, this Passkey will become a Discoverable Credential and will be returned during authentication ceremonies.
PII Considerations
This is the identifier a Relying Party uses on their side to personally identify a user. This value is analogous to a username.
counter: Option<u32>
This value tracks the number of times an authentication ceremony has been successfully completed. If the value is None, then it will be sent as the constant 0.
See Signature counter considerations for more information.
PII considerations
This value, if populated, is used by the Relying Party as an indicator of a cloned authenticator. If this Passkey is to be synced, consider leaving this value empty unless you can guarantee the value to always be increased for every use of this passkey across its distribution.
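As an added example (not code from the passkey_types crate), the redacting Debug pattern described in the PII considerations above and the None-to-0 counter rule, on a simplified stand-in for Passkey. CoseKey here is a hypothetical two-field stand-in and Bytes is replaced by Vec<u8>; the sample credential is constructed for the test and is not a real key.

```rust
use std::fmt;

/// Hypothetical stand-in for a COSE key: only the key type is ever safe to print.
#[derive(Clone)]
pub struct CoseKey {
    pub kty: &'static str, // e.g. "EC2"
    pub d: Vec<u8>,        // private scalar; must never reach a log line
}

/// Mirrors the field layout of passkey_types::Passkey (Bytes -> Vec<u8>).
#[derive(Clone)]
pub struct Passkey {
    pub key: CoseKey,
    pub credential_id: Vec<u8>,
    pub rp_id: String,
    pub user_handle: Option<Vec<u8>>,
    pub counter: Option<u32>,
}

/// Hand-written Debug: only the key type and the counter are emitted.
/// Everything else (private key, credential ID, rp_id, user handle) is
/// secret or PII and is deliberately left out; `..` marks the omission.
impl fmt::Debug for Passkey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Passkey")
            .field("key.kty", &self.key.kty)
            .field("counter", &self.counter)
            .finish_non_exhaustive()
    }
}

impl Passkey {
    /// Counter as it would be sent to the Relying Party: None becomes the constant 0.
    pub fn counter_for_assertion(&self) -> u32 {
        self.counter.unwrap_or(0)
    }
}

/// Constructed sample credential (marker strings make leaks easy to detect).
pub fn sample() -> Passkey {
    Passkey {
        key: CoseKey { kty: "EC2", d: vec![0x11; 32] },
        credential_id: b"cred-id-SECRET-0123456789abcdef".to_vec(),
        rp_id: "example.com".to_string(),
        user_handle: Some(b"user-handle-SECRET".to_vec()),
        counter: None,
    }
}
```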
Implementations
impl Passkey
pub fn from_u2f_register_response(
    request: &RegisterRequest,
    response: &RegisterResponse,
    private_key: &CoseKey
) -> Self
Standardised way to “upgrade” a U2F register request into a passkey.
pub fn from_u2f_auth_request(
    request: &AuthenticationRequest,
    counter: u32,
    private_key: &CoseKey
) -> Self
Upgrade a U2F Authentication Request into a Passkey.
pub fn wrap_u2f_registration_request(
    request: &RegisterRequest,
    response: &RegisterResponse,
    key_handle: &[u8],
    private_key: &CoseKey
) -> (Passkey, PublicKeyCredentialUserEntity, PublicKeyCredentialRpEntity)
This function wraps up a U2F registration request as a Passkey for storing in a CredentialStore.