Struct webauthn_rs_core::interface::Credential
source · [−]pub struct Credential {
pub cred_id: CredentialID,
pub cred: COSEKey,
pub counter: Counter,
pub transports: Option<Vec<AuthenticatorTransport>>,
pub user_verified: bool,
pub backup_eligible: bool,
pub backup_state: bool,
pub registration_policy: UserVerificationPolicy,
pub extensions: RegisteredExtensions,
pub attestation: ParsedAttestation,
pub attestation_format: AttestationFormat,
}Expand description
A user’s authenticator credential. It contains an id, the public key and a counter of how many times the authenticator has been used.
Fields
cred_id: CredentialIDThe ID of this credential.
cred: COSEKeyThe public key of this credential
counter: CounterThe counter for this credential
transports: Option<Vec<AuthenticatorTransport>>The set of transports this credential indicated it could use. This is NOT a security property, but a hint for the browser and the user experience to how to communicate to this specific device.
user_verified: boolDuring registration, if this credential was verified then this is true. If not it is false. This is based on the policy at the time of registration of the credential.
This is a deviation from the Webauthn specification, because it clarifies the user experience of the credentials to UV being a per-credential attribute, rather than a per-authentication ceremony attribute. For example it can be surprising to register a credential as un-verified but then to use verification with it in the future.
backup_eligible: boolDuring registration, this credential indicated that it may be possible for it to exist between multiple hardware authenticators, or be backed up.
This means the private key is NOT sealed within a hardware cryptograhic processor, and may have impacts on your risk assessments and modeling.
backup_state: boolThis credential has indicated that it is currently backed up OR that it is shared between mulitple devices.
registration_policy: UserVerificationPolicyDuring registration, the policy that was requested from this credential. This is used to understand if the how the verified component interacts with the device, i.e. an always verified authenticator vs one that can dynamically request it.
extensions: RegisteredExtensionsThe set of registrations that were verified at registration, that can be used in future authentication attempts
attestation: ParsedAttestationThe attestation certificate of this credential, including parsed metadata from the credential.
attestation_format: AttestationFormatthe format of the attestation
Implementations
sourceimpl Credential
impl Credential
sourcepub fn verify_attestation<'a>(
&self,
ca_list: &'a AttestationCaList
) -> Result<Option<&'a AttestationCa>, WebauthnError>
pub fn verify_attestation<'a>(
&self,
ca_list: &'a AttestationCaList
) -> Result<Option<&'a AttestationCa>, WebauthnError>
Re-verify this Credential’s attestation chain. This re-applies the same process for certificate authority verification that occured at registration. This can be useful if you want to re-assert your credentials match an updated or changed ca_list from the time that registration occured. This can also be useful to re-determine certain properties of your device that may exist.
Safety
Due to the design of CA infrastructure by certain providers, it is NOT possible to verify the CA expiry time. Certain vendors use CA intermediates that have expiries that are only valid for approximately 10 minutes, meaning that if we enforced time validity, these would false negative for their validity.
Trait Implementations
sourceimpl Clone for Credential
impl Clone for Credential
sourcefn clone(&self) -> Credential
fn clone(&self) -> Credential
1.0.0 · sourcefn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more