Struct webauthn_rs::prelude::Credential
source · pub struct Credential {
pub cred_id: Base64UrlSafeData,
pub cred: COSEKey,
pub counter: u32,
pub transports: Option<Vec<AuthenticatorTransport>>,
pub user_verified: bool,
pub backup_eligible: bool,
pub backup_state: bool,
pub registration_policy: UserVerificationPolicy,
pub extensions: RegisteredExtensions,
pub attestation: ParsedAttestation,
pub attestation_format: AttestationFormat,
}
danger-credential-internals
only.Expand description
A user’s authenticator credential. It contains an id, the public key and a counter of how many times the authenticator has been used.
Fields§
§cred_id: Base64UrlSafeData
The ID of this credential.
cred: COSEKey
The public key of this credential
counter: u32
The counter for this credential
transports: Option<Vec<AuthenticatorTransport>>
The set of transports this credential indicated it could use. This is NOT a security property, but a hint for the browser and the user experience to how to communicate to this specific device.
user_verified: bool
During registration, if this credential was verified then this is true. If not it is false. This is based on the policy at the time of registration of the credential.
This is a deviation from the Webauthn specification, because it clarifies the user experience of the credentials to UV being a per-credential attribute, rather than a per-authentication ceremony attribute. For example it can be surprising to register a credential as un-verified but then to use verification with it in the future.
backup_eligible: bool
During registration, this credential indicated that it may be possible for it to exist between multiple hardware authenticators, or be backed up.
This means the private key is NOT sealed within a hardware cryptograhic processor, and may have impacts on your risk assessments and modeling.
backup_state: bool
This credential has indicated that it is currently backed up OR that it is shared between mulitple devices.
registration_policy: UserVerificationPolicy
During registration, the policy that was requested from this credential. This is used to understand if the how the verified component interacts with the device, i.e. an always verified authenticator vs one that can dynamically request it.
extensions: RegisteredExtensions
The set of extensions that were verified at registration, that can be used in future authentication attempts
attestation: ParsedAttestation
The attestation certificate of this credential, including parsed metadata from the credential.
attestation_format: AttestationFormat
the format of the attestation
Implementations§
source§impl Credential
impl Credential
sourcepub fn verify_attestation<'a>(
&self,
ca_list: &'a AttestationCaList
) -> Result<Option<&'a AttestationCa>, WebauthnError>
pub fn verify_attestation<'a>( &self, ca_list: &'a AttestationCaList ) -> Result<Option<&'a AttestationCa>, WebauthnError>
Re-verify this Credential’s attestation chain. This re-applies the same process for certificate authority verification that occured at registration. This can be useful if you want to re-assert your credentials match an updated or changed ca_list from the time that registration occured. This can also be useful to re-determine certain properties of your device that may exist.
Safety
Due to the design of CA infrastructure by certain providers, it is NOT possible to verify the CA expiry time. Certain vendors use CA intermediates that have expiries that are only valid for approximately 10 minutes, meaning that if we enforced time validity, these would false negative for their validity.
Trait Implementations§
source§impl Clone for Credential
impl Clone for Credential
source§fn clone(&self) -> Credential
fn clone(&self) -> Credential
1.0.0 · source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source
. Read moresource§impl Debug for Credential
impl Debug for Credential
source§impl<'de> Deserialize<'de> for Credential
impl<'de> Deserialize<'de> for Credential
source§fn deserialize<__D>(
__deserializer: __D
) -> Result<Credential, <__D as Deserializer<'de>>::Error>where
__D: Deserializer<'de>,
fn deserialize<__D>(
__deserializer: __D
) -> Result<Credential, <__D as Deserializer<'de>>::Error>where
__D: Deserializer<'de>,
source§impl From<Credential> for Passkey
impl From<Credential> for Passkey
source§fn from(cred: Credential) -> Self
fn from(cred: Credential) -> Self
Convert a generic webauthn credential into a Passkey
source§impl From<Credential> for SecurityKey
impl From<Credential> for SecurityKey
source§fn from(cred: Credential) -> Self
fn from(cred: Credential) -> Self
Convert a generic webauthn credential into a security key
source§impl From<CredentialV3> for Credential
impl From<CredentialV3> for Credential
source§fn from(other: CredentialV3) -> Credential
fn from(other: CredentialV3) -> Credential
source§impl From<Passkey> for Credential
impl From<Passkey> for Credential
source§impl From<SecurityKey> for Credential
impl From<SecurityKey> for Credential
source§fn from(sk: SecurityKey) -> Self
fn from(sk: SecurityKey) -> Self
source§impl PartialEq for Credential
impl PartialEq for Credential
source§fn eq(&self, c: &Credential) -> bool
fn eq(&self, c: &Credential) -> bool
self
and other
values to be equal, and is used
by ==
.