1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417
//! Extensions allowing certain types of authenticators to provide supplemental information.
use base64urlsafedata::Base64UrlSafeData;
use serde::{Deserialize, Serialize};
/// Valid credential protection policies
#[derive(Debug, Serialize, Clone, Copy, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "camelCase")]
#[repr(u8)]
pub enum CredentialProtectionPolicy {
/// This reflects "FIDO_2_0" semantics. In this configuration, performing
/// some form of user verification is optional with or without credentialID
/// list. This is the default state of the credential if the extension is
/// not specified.
UserVerificationOptional = 0x1,
/// In this configuration, credential is discovered only when its
/// credentialID is provided by the platform or when some form of user
/// verification is performed.
UserVerificationOptionalWithCredentialIDList = 0x2,
/// This reflects that discovery and usage of the credential MUST be
/// preceded by some form of user verification.
UserVerificationRequired = 0x3,
}
impl TryFrom<u8> for CredentialProtectionPolicy {
type Error = &'static str;
fn try_from(v: u8) -> Result<Self, Self::Error> {
use CredentialProtectionPolicy::*;
match v {
0x1 => Ok(UserVerificationOptional),
0x2 => Ok(UserVerificationOptionalWithCredentialIDList),
0x3 => Ok(UserVerificationRequired),
_ => Err("Invalid policy number"),
}
}
}
/// The desired options for the client's use of the `credProtect` extension
///
/// <https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#sctn-credProtect-extension>
#[derive(Debug, Serialize, Clone, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "camelCase")]
pub struct CredProtect {
/// The credential policy to enact
pub credential_protection_policy: CredentialProtectionPolicy,
/// Whether it is better for the authenticator to fail to create a
/// credential rather than ignore the protection policy
/// If no value is provided, the client treats it as `false`.
#[serde(skip_serializing_if = "Option::is_none")]
pub enforce_credential_protection_policy: Option<bool>,
}
/// Extension option inputs for PublicKeyCredentialCreationOptions.
///
/// Implements \[AuthenticatorExtensionsClientInputs\] from the spec.
#[derive(Debug, Serialize, Clone, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct RequestRegistrationExtensions {
/// The `credProtect` extension options
#[serde(flatten, skip_serializing_if = "Option::is_none")]
pub cred_protect: Option<CredProtect>,
/// ⚠️ - Browsers do not support this!
/// Uvm
#[serde(skip_serializing_if = "Option::is_none")]
pub uvm: Option<bool>,
/// ⚠️ - This extension result is always unsigned, and only indicates if the
/// browser *requests* a residentKey to be created. It has no bearing on the
/// true rk state of the credential.
#[serde(skip_serializing_if = "Option::is_none")]
pub cred_props: Option<bool>,
/// CTAP2.1 Minumum pin length
#[serde(skip_serializing_if = "Option::is_none")]
pub min_pin_length: Option<bool>,
/// ⚠️ - Browsers support the *creation* of the secret, but not the retrieval of it.
/// CTAP2.1 create hmac secret
#[serde(skip_serializing_if = "Option::is_none")]
pub hmac_create_secret: Option<bool>,
}
impl Default for RequestRegistrationExtensions {
fn default() -> Self {
RequestRegistrationExtensions {
cred_protect: None,
uvm: Some(true),
cred_props: Some(true),
min_pin_length: None,
hmac_create_secret: None,
}
}
}
// Unable to create from, because it's an out of crate struct
#[allow(clippy::from_over_into)]
#[cfg(feature = "wasm")]
impl Into<js_sys::Object> for &RequestRegistrationExtensions {
fn into(self) -> js_sys::Object {
use js_sys::Object;
use wasm_bindgen::JsValue;
let RequestRegistrationExtensions {
cred_protect,
uvm,
cred_props,
min_pin_length,
hmac_create_secret,
} = self;
let obj = Object::new();
if let Some(cred_protect) = cred_protect {
let jsv = serde_wasm_bindgen::to_value(&cred_protect).unwrap();
js_sys::Reflect::set(&obj, &"credProtect".into(), &jsv).unwrap();
}
if let Some(uvm) = uvm {
js_sys::Reflect::set(&obj, &"uvm".into(), &JsValue::from_bool(*uvm)).unwrap();
}
if let Some(cred_props) = cred_props {
js_sys::Reflect::set(&obj, &"credProps".into(), &JsValue::from_bool(*cred_props))
.unwrap();
}
if let Some(min_pin_length) = min_pin_length {
js_sys::Reflect::set(
&obj,
&"minPinLength".into(),
&JsValue::from_bool(*min_pin_length),
)
.unwrap();
}
if let Some(hmac_create_secret) = hmac_create_secret {
js_sys::Reflect::set(
&obj,
&"hmacCreateSecret".into(),
&JsValue::from_bool(*hmac_create_secret),
)
.unwrap();
}
obj
}
}
// ========== Auth exten ============
/// The inputs to the hmac secret if it was created during registration.
///
/// <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-hmac-secret-extension>
#[derive(Debug, Serialize, Clone, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "camelCase")]
pub struct HmacGetSecretInput {
/// Retrieve a symmetric secrets from the authenticator with this input.
pub output1: Base64UrlSafeData,
/// Rotate the secret in the same operation.
pub output2: Option<Base64UrlSafeData>,
}
/// Extension option inputs for PublicKeyCredentialRequestOptions
///
/// Implements \[AuthenticatorExtensionsClientInputs\] from the spec
#[derive(Debug, Serialize, Clone, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct RequestAuthenticationExtensions {
/// The `appid` extension options
#[serde(skip_serializing_if = "Option::is_none")]
pub appid: Option<String>,
/// ⚠️ - Browsers do not support this!
/// Uvm
#[serde(skip_serializing_if = "Option::is_none")]
pub uvm: Option<bool>,
/// ⚠️ - Browsers do not support this!
/// <https://bugs.chromium.org/p/chromium/issues/detail?id=1023225>
/// Hmac get secret
#[serde(skip_serializing_if = "Option::is_none")]
pub hmac_get_secret: Option<HmacGetSecretInput>,
}
// Unable to create from, because it's an out of crate struct
#[allow(clippy::from_over_into)]
#[cfg(feature = "wasm")]
impl Into<js_sys::Object> for &RequestAuthenticationExtensions {
fn into(self) -> js_sys::Object {
use js_sys::{Object, Uint8Array};
use wasm_bindgen::JsValue;
let RequestAuthenticationExtensions {
// I don't think we care?
appid: _,
uvm,
hmac_get_secret,
} = self;
let obj = Object::new();
if let Some(uvm) = uvm {
js_sys::Reflect::set(&obj, &"uvm".into(), &JsValue::from_bool(*uvm)).unwrap();
}
if let Some(HmacGetSecretInput { output1, output2 }) = hmac_get_secret {
let hmac = Object::new();
let o1 = Uint8Array::from(output1.as_slice());
js_sys::Reflect::set(&hmac, &"output1".into(), &o1).unwrap();
if let Some(output2) = output2 {
let o2 = Uint8Array::from(output2.as_slice());
js_sys::Reflect::set(&hmac, &"output2".into(), &o2).unwrap();
}
js_sys::Reflect::set(&obj, &"hmacGetSecret".into(), &hmac).unwrap();
}
obj
}
}
/// The response to a hmac get secret request.
#[derive(Debug, Serialize, Clone, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "camelCase")]
pub struct HmacGetSecretOutput {
/// Output of HMAC(Salt 1 || Client Secret)
pub output1: Base64UrlSafeData,
/// Output of HMAC(Salt 2 || Client Secret)
pub output2: Option<Base64UrlSafeData>,
}
/// <https://w3c.github.io/webauthn/#dictdef-authenticationextensionsclientoutputs>
/// The default option here for Options are None, so it can be derived
#[derive(Debug, Deserialize, Serialize, Clone, Default)]
pub struct AuthenticationExtensionsClientOutputs {
/// Indicates whether the client used the provided appid extension
#[serde(default)]
pub appid: Option<bool>,
/// The response to a hmac get secret request.
#[serde(default)]
pub hmac_get_secret: Option<HmacGetSecretOutput>,
}
#[cfg(feature = "wasm")]
impl From<web_sys::AuthenticationExtensionsClientOutputs>
for AuthenticationExtensionsClientOutputs
{
fn from(
ext: web_sys::AuthenticationExtensionsClientOutputs,
) -> AuthenticationExtensionsClientOutputs {
use js_sys::Uint8Array;
let appid = js_sys::Reflect::get(&ext, &"appid".into())
.ok()
.and_then(|jv| jv.as_bool());
let hmac_get_secret = js_sys::Reflect::get(&ext, &"hmacGetSecret".into())
.ok()
.and_then(|jv| {
let output2 = js_sys::Reflect::get(&jv, &"output2".into())
.map(|v| Uint8Array::new(&v).to_vec())
.map(Base64UrlSafeData::from)
.ok();
let output1 = js_sys::Reflect::get(&jv, &"output1".into())
.map(|v| Uint8Array::new(&v).to_vec())
.map(Base64UrlSafeData::from)
.ok();
output1.map(|output1| HmacGetSecretOutput { output1, output2 })
});
AuthenticationExtensionsClientOutputs {
appid,
hmac_get_secret,
}
}
}
/// <https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension>
#[derive(Debug, Deserialize, Serialize, Clone)]
pub struct CredProps {
/// A user agent supplied hint that this credential *may* have created a resident key. It is
/// retured from the user agent, not the authenticator meaning that this is an unreliable
/// signal.
///
/// Note that this extension is UNSIGNED and may have been altered by page javascript.
pub rk: bool,
}
/// <https://w3c.github.io/webauthn/#dictdef-authenticationextensionsclientoutputs>
/// The default option here for Options are None, so it can be derived
#[derive(Debug, Deserialize, Serialize, Clone, Default)]
pub struct RegistrationExtensionsClientOutputs {
/// Indicates whether the client used the provided appid extension
#[serde(default, skip_serializing_if = "Option::is_none")]
pub appid: Option<bool>,
/// Indicates if the client believes it created a resident key. This
/// property is managed by the webbrowser, and is NOT SIGNED and CAN NOT be trusted!
#[serde(default, skip_serializing_if = "Option::is_none")]
pub cred_props: Option<CredProps>,
/// Indicates if the client successfully applied a HMAC Secret
#[serde(default, skip_serializing_if = "Option::is_none")]
pub hmac_secret: Option<bool>,
/// Indicates if the client successfully applied a credential protection policy.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub cred_protect: Option<CredentialProtectionPolicy>,
/// Indicates the current minimum PIN length
#[serde(default, skip_serializing_if = "Option::is_none")]
pub min_pin_length: Option<u32>,
}
#[cfg(feature = "wasm")]
impl From<web_sys::AuthenticationExtensionsClientOutputs> for RegistrationExtensionsClientOutputs {
fn from(
ext: web_sys::AuthenticationExtensionsClientOutputs,
) -> RegistrationExtensionsClientOutputs {
let appid = js_sys::Reflect::get(&ext, &"appid".into())
.ok()
.and_then(|jv| jv.as_bool());
// Destructure "credProps":{"rk":false} from within a map.
let cred_props = js_sys::Reflect::get(&ext, &"credProps".into())
.ok()
.and_then(|cred_props_struct| {
js_sys::Reflect::get(&cred_props_struct, &"rk".into())
.ok()
.and_then(|jv| jv.as_bool())
.map(|rk| CredProps { rk })
});
let hmac_secret = js_sys::Reflect::get(&ext, &"hmac-secret".into())
.ok()
.and_then(|jv| jv.as_bool());
let cred_protect = js_sys::Reflect::get(&ext, &"credProtect".into())
.ok()
.and_then(|jv| jv.as_f64())
.and_then(|f| CredentialProtectionPolicy::try_from(f as u8).ok());
let min_pin_length = js_sys::Reflect::get(&ext, &"minPinLength".into())
.ok()
.and_then(|jv| jv.as_f64())
.map(|f| f as u32);
RegistrationExtensionsClientOutputs {
appid,
cred_props,
hmac_secret,
cred_protect,
min_pin_length,
}
}
}
/// The result state of an extension as returned from the authenticator.
#[derive(Clone, Debug, Default, Serialize, Deserialize)]
pub enum ExtnState<T>
where
T: Clone + std::fmt::Debug,
{
/// This extension was not requested, and so no result was provided.
#[default]
NotRequested,
/// The extension was requested, and the authenticator did NOT act on it.
Ignored,
/// The extension was requested, and the authenticator correctly responded.
Set(T),
/// The extension was not requested, and the authenticator sent an unsolicited extension value.
Unsolicited(T),
/// ⚠️ WARNING: The data in this extension is not signed cryptographically, and can not be
/// trusted for security assertions. It MAY be used for UI/UX hints.
Unsigned(T),
}
/// The set of extensions that were registered by this credential.
#[derive(Clone, Debug, Default, Serialize, Deserialize)]
pub struct RegisteredExtensions {
// ⚠️ It's critical we place serde default here so that we
// can deserialise in the future as we add new types!
/// The state of the cred_protect extension
#[serde(default)]
pub cred_protect: ExtnState<CredentialProtectionPolicy>,
/// The state of the hmac-secret extension, if it was created
#[serde(default)]
pub hmac_create_secret: ExtnState<bool>,
/// The state of the client appid extensions
#[serde(default)]
pub appid: ExtnState<bool>,
/// The state of the client credential properties extension
#[serde(default)]
pub cred_props: ExtnState<CredProps>,
}
impl RegisteredExtensions {
/// Yield an empty set of registered extensions
pub fn none() -> Self {
RegisteredExtensions {
cred_protect: ExtnState::NotRequested,
hmac_create_secret: ExtnState::NotRequested,
appid: ExtnState::NotRequested,
cred_props: ExtnState::NotRequested,
}
}
}
/// The set of extensions that were provided by the client during authentication
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct AuthenticationExtensions {}