authenticator

package
v0.1.0
Published: Apr 15, 2021 License: BSD-3-Clause Imports: 5 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func ResidentKeyRequired

func ResidentKeyRequired() *bool

ResidentKeyRequired - Require that the private key be resident to the client device.

func ResidentKeyUnrequired

func ResidentKeyUnrequired() *bool

ResidentKeyUnrequired - Do not require that the private key be resident to the client device.

Types

type AttestedCredentialData

type AttestedCredentialData struct {
	AAGUID       []byte `json:"aaguid"`
	CredentialID []byte `json:"credential_id"`
	// The raw credential public key bytes received from the attestation data
	CredentialPublicKey []byte `json:"public_key"`
}

type AuthenticatorAttachment

type AuthenticatorAttachment string

AuthenticatorAttachment https://www.w3.org/TR/webauthn/#platform-attachment

const (
	// Platform - A platform authenticator is attached using a client device-specific transport, called
	// platform attachment, and is usually not removable from the client device. A public key credential
	// bound to a platform authenticator is called a platform credential.
	Platform AuthenticatorAttachment = "platform"
	// CrossPlatform - A roaming authenticator is attached using cross-platform transports, called
	// cross-platform attachment. Authenticators of this class are removable from, and can "roam"
	// among, client devices. A public key credential bound to a roaming authenticator is called a
	// roaming credential.
	CrossPlatform AuthenticatorAttachment = "cross-platform"
)

type AuthenticatorData

type AuthenticatorData struct {
	RPIDHash []byte                 `json:"rpid"`
	Flags    AuthenticatorFlags     `json:"flags"`
	Counter  uint32                 `json:"sign_count"`
	AttData  AttestedCredentialData `json:"att_data"`
	ExtData  []byte                 `json:"ext_data"`
}

AuthenticatorData From §6.1 of the spec. The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.

The authenticator data, at least during attestation, contains the Public Key that the RP stores and will associate with the user attempting to register.

func (*AuthenticatorData) Unmarshal

func (a *AuthenticatorData) Unmarshal(rawAuthData []byte) error

Unmarshal takes the raw authenticator data bytes and unmarshals them into AuthenticatorData for further validation. The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with limited capabilities and low power requirements, with much simpler software stacks than the client platform. The authenticator data structure is a byte array of 37 bytes or more, laid out as in this table: https://www.w3.org/TR/webauthn/#table-authData

func (*AuthenticatorData) Verify

func (a *AuthenticatorData) Verify(appIDHash []byte, credentialId []byte, production bool) error

type AuthenticatorFlags

type AuthenticatorFlags byte

AuthenticatorFlags A byte of information returned during ceremonies in the authenticatorData. Its bits tell us whether the user was present and/or verified during authentication, and whether attested credential data or extension data is present. Bit 0 is the least significant bit.

const (
	// FlagUserPresent Bit 00000001 in the byte sequence. Tells us if user is present
	FlagUserPresent AuthenticatorFlags = 1 << iota // Referred to as UP
	_                                              // Reserved (bit 1)

	// FlagUserVerified Bit 00000100 in the byte sequence. Tells us if user is verified
	// by the authenticator using a biometric or PIN
	FlagUserVerified // Referred to as UV
	_                // Reserved (bit 3)
	_                // Reserved (bit 4)
	_                // Reserved (bit 5)

	// FlagAttestedCredentialData Bit 01000000 in the byte sequence. Indicates whether
	// the authenticator added attested credential data.
	FlagAttestedCredentialData // Referred to as AT
	// FlagHasExtensions Bit 10000000 in the byte sequence. Indicates if the authenticator data has extensions.
	FlagHasExtensions // Referred to as ED
)

The bits that do not have flags are reserved for future use.

func (AuthenticatorFlags) HasAttestedCredentialData

func (flag AuthenticatorFlags) HasAttestedCredentialData() bool

HasAttestedCredentialData reports whether the AT flag is set.

func (AuthenticatorFlags) HasExtensions

func (flag AuthenticatorFlags) HasExtensions() bool

HasExtensions reports whether the ED flag is set.

func (AuthenticatorFlags) UserPresent

func (flag AuthenticatorFlags) UserPresent() bool

UserPresent reports whether the UP flag is set.

func (AuthenticatorFlags) UserVerified

func (flag AuthenticatorFlags) UserVerified() bool

UserVerified reports whether the UV flag is set.
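The 37-byte layout that Unmarshal decodes and the flag bits that the methods above test are easiest to see end to end. The following is an added example, not code from this package: it parses constructed authenticator data (RP ID hash, flags, big-endian counter, then AAGUID, credential ID length, credential ID and raw COSE key when AT is set) and then applies the relying-party checks on that data that WebAuthn §7.2 prescribes. The names AuthData, Parse, VerifyAssertion and sampleAttestation are this example's own; the package's Verify signature above is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits of the flags byte at offset 32; bit 0 is the least significant bit.
const (
	flagUP byte = 1 << 0 // user present
	flagUV byte = 1 << 2 // user verified (biometric or PIN)
	flagAT byte = 1 << 6 // attested credential data follows the header
	flagED byte = 1 << 7 // extension data is present
)

// AuthData is the decoded authenticator data byte array (example type, not the package's).
type AuthData struct {
	RPIDHash     []byte // bytes 0..31: SHA-256 of the RP ID
	Flags        byte   // byte 32
	Counter      uint32 // bytes 33..36: big-endian signature counter
	AAGUID       []byte // attested credential data, only when AT is set
	CredentialID []byte
	PublicKey    []byte // raw COSE key bytes, left undecoded here
	ExtData      []byte // only when ED is set without AT (see Parse)
}

func (a *AuthData) UserPresent() bool               { return a.Flags&flagUP != 0 }
func (a *AuthData) UserVerified() bool              { return a.Flags&flagUV != 0 }
func (a *AuthData) HasAttestedCredentialData() bool { return a.Flags&flagAT != 0 }
func (a *AuthData) HasExtensions() bool             { return a.Flags&flagED != 0 }

// Parse decodes the fixed 37-byte header and, when AT is set, the attested credential
// data behind it. Every length is bounds-checked before slicing, so truncated or
// malformed input returns an error instead of panicking.
func Parse(raw []byte) (*AuthData, error) {
	if len(raw) < 37 {
		return nil, fmt.Errorf("authenticator data too short: %d bytes", len(raw))
	}
	ad := &AuthData{RPIDHash: raw[:32], Flags: raw[32], Counter: binary.BigEndian.Uint32(raw[33:37])}
	rest := raw[37:]
	switch {
	case ad.HasAttestedCredentialData():
		if len(rest) < 18 { // 16-byte AAGUID + 2-byte credential id length
			return nil, errors.New("attested credential data truncated")
		}
		ad.AAGUID = rest[:16]
		idLen := int(binary.BigEndian.Uint16(rest[16:18]))
		if len(rest) < 18+idLen {
			return nil, errors.New("credential id truncated")
		}
		ad.CredentialID = rest[18 : 18+idLen]
		ad.PublicKey = rest[18+idLen:]
		if len(ad.PublicKey) == 0 {
			return nil, errors.New("credential public key missing")
		}
		// The COSE key is self-delimiting CBOR; without a CBOR decoder the boundary
		// between it and extension data cannot be found, so reject rather than guess.
		if ad.HasExtensions() {
			return nil, errors.New("AT+ED needs a CBOR decoder to split key from extensions")
		}
	case ad.HasExtensions():
		ad.ExtData = rest
	case len(rest) != 0:
		return nil, fmt.Errorf("%d unexpected trailing bytes", len(rest))
	}
	return ad, nil
}

// VerifyAssertion applies the authenticator-data checks of WebAuthn §7.2: RP ID hash
// must match, UP is mandatory, UV only if the RP required it, and the signature counter
// must advance past the stored value (a stalled counter is the spec's clone signal;
// zero on both sides means the authenticator has no counter and the check is skipped).
func VerifyAssertion(ad *AuthData, rpID string, requireUV bool, storedCounter uint32) error {
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(ad.RPIDHash, want[:]) {
		return errors.New("rpIdHash does not match the relying party id")
	}
	if !ad.UserPresent() {
		return errors.New("UP flag not set")
	}
	if requireUV && !ad.UserVerified() {
		return errors.New("user verification required but UV flag not set")
	}
	if (ad.Counter != 0 || storedCounter != 0) && ad.Counter <= storedCounter {
		return fmt.Errorf("counter %d did not advance past %d: possible cloned authenticator", ad.Counter, storedCounter)
	}
	return nil
}

// sampleAttestation returns constructed (not captured) authenticator data for RP ID
// "example.com": flags UP|UV|AT, counter 5, a 16-byte AAGUID, a 4-byte credential id
// and three placeholder bytes standing in for the COSE key.
func sampleAttestation() []byte {
	h := sha256.Sum256([]byte("example.com"))
	buf := append([]byte{}, h[:]...)
	buf = append(buf, flagUP|flagUV|flagAT)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], 5)
	buf = append(buf, ctr[:]...)
	buf = append(buf, bytes.Repeat([]byte{0xAA}, 16)...)
	buf = append(buf, 0x00, 0x04, 0x01, 0x02, 0x03, 0x04)
	return append(buf, 0xA5, 0x01, 0x02)
}

func main() {
	ad, err := Parse(sampleAttestation())
	if err != nil {
		panic(err)
	}
	fmt.Printf("UP=%v UV=%v AT=%v counter=%d credID=%x\n",
		ad.UserPresent(), ad.UserVerified(), ad.HasAttestedCredentialData(), ad.Counter, ad.CredentialID)
	fmt.Println("verify:", VerifyAssertion(ad, "example.com", true, 4))
}
```

The counter rule deserves attention in a real deployment: the spec says a non-increasing counter "could be a signal of a cloned authenticator", and whether to reject the assertion or merely alert is a policy choice; the example rejects.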

type AuthenticatorResponse

type AuthenticatorResponse struct {
	// From the spec https://www.w3.org/TR/webauthn/#dom-authenticatorresponse-clientdatajson
	// This attribute contains a JSON serialization of the client data passed to the authenticator
	// by the client in its call to either create() or get().
	ClientDataJSON utils.URLEncodedBase64 `json:"clientDataJSON"`
}

Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface. See §5.2. Authenticator Responses https://www.w3.org/TR/webauthn/#iface-authenticatorresponse

type AuthenticatorTransport

type AuthenticatorTransport string

Authenticators may implement various transports for communicating with clients. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party may obtain a list of transports hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of this specification to define that mechanism. See §5.10.4. Authenticator Transport https://www.w3.org/TR/webauthn/#transport

const (
	// USB The authenticator should transport information over USB
	USB AuthenticatorTransport = "usb"
	// NFC The authenticator should transport information over Near Field Communication Protocol
	NFC AuthenticatorTransport = "nfc"
	// BLE The authenticator should transport information over Bluetooth
	BLE AuthenticatorTransport = "ble"
	// Internal - The client should use an internal source like a TPM or SE
	Internal AuthenticatorTransport = "internal"
)

type UserVerificationRequirement

type UserVerificationRequirement string

A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its needs. See §5.10.6. User Verification Requirement Enumeration https://www.w3.org/TR/webauthn/#userVerificationRequirement

const (
	// VerificationRequired User verification is required to create/release a credential
	VerificationRequired UserVerificationRequirement = "required"
	// VerificationPreferred User verification is preferred to create/release a credential
	VerificationPreferred UserVerificationRequirement = "preferred" // This is the default
	// VerificationDiscouraged The authenticator should not verify the user for the credential
	VerificationDiscouraged UserVerificationRequirement = "discouraged"
)
