webauthn: github.com/koesie10/webauthn/protocol Index | Files

package protocol

import "github.com/koesie10/webauthn/protocol"

protocol is a low-level package that closely resembles the WebAuthn specification. You should prefer to use the webauthn package. The main methods in this package are ParseAttestationResponse, ParseAssertionResponse, IsValidAssertion and IsValidAttestation.

The version of the specification that is implemented is https://www.w3.org/TR/2018/CR-webauthn-20180807/.

Index

Package Files

api.go assertion.go attestation.go attestation_android_safetynet.go attestation_fido.go attestation_packed.go attestation_registry.go challenge.go common.go doc.go errors.go

Constants

const (
    // AuthenticatorTransportUSB indicates the respective authenticator can be contacted over removable USB.
    AuthenticatorTransportUSB AuthenticatorTransport = "usb"
    // AuthenticatorTransportNFC indicates the respective authenticator can be contacted over Near Field Communication (NFC).
    AuthenticatorTransportNFC = "nfc"
    // AuthenticatorTransportBLE indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
    AuthenticatorTransportBLE = "ble"
    // AuthenticatorTransportInternal indicates the respective authenticator is contacted using a client device-specific transport. These
    // authenticators are not removable from the client device.
    AuthenticatorTransportInternal = "internal"
)
const (
    // UserVerificationRequired indicates that the Relying Party requires user verification for the operation and will fail the
    // operation if the response does not have the UV flag set.
    UserVerificationRequired UserVerificationRequirement = "required"
    // UserVerificationPreferred indicates that the Relying Party prefers user verification for the operation if possible, but
    // will not fail the operation if the response does not have the UV flag set.
    UserVerificationPreferred = "preferred"
    // UserVerificationDiscouraged indicates that the Relying Party does not want user verification employed during the operation
    // (e.g., in the interest of minimizing disruption to the user interaction flow).
    UserVerificationDiscouraged = "discouraged"
)
const (
    // AttestationConveyancePreferenceNone indicates that the Relying Party is not interested in authenticator attestation. For example, in
    // order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party,
    // or to save a roundtrip to an Attestation CA. This is the default value.
    AttestationConveyancePreferenceNone = "none"
    // AttestationConveyancePreferenceIndirect indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation
    // statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace
    // the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA,
    // in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a
    // heterogeneous ecosystem.
    AttestationConveyancePreferenceIndirect = "indirect"
    // AttestationConveyancePreferenceDirect indicates that the Relying Party wants to receive the attestation statement as generated by the
    // authenticator.
    AttestationConveyancePreferenceDirect = "direct"
)
const (
    // AuthenticatorDataFlagUserPresent indicates the UP flag.
    AuthenticatorDataFlagUserPresent = 0x001 // 0000 0001
    // AuthenticatorDataFlagUserVerified indicates the UV flag.
    AuthenticatorDataFlagUserVerified = 0x002 // 0000 0010
    // AuthenticatorDataFlagHasCredentialData indicates the AT flag.
    AuthenticatorDataFlagHasCredentialData = 0x040 // 0100 0000
    // AuthenticatorDataFlagHasExtension indicates the ED flag.
    AuthenticatorDataFlagHasExtension = 0x080 // 1000 0000
)
const ChallengeSize = 32

ChallengeSize represents the size of a challenge created by NewChallenge.

Variables

var (
    ErrInvalidSignature = &Error{
        Name:        "invalid_signature",
        Description: "The signature is invalid",
        Hint:        "Check that the provided token is in the correct format",
        Code:        http.StatusUnauthorized,
    }
    ErrInvalidRequest = &Error{
        Name:        "invalid_request",
        Description: "The request is malformed",
        Hint:        "Make sure that the parameters provided are correct",
        Code:        http.StatusBadRequest,
    }
    ErrUnsupportedAttestationFormat = &Error{
        Name:        "unsupported_attestation_format",
        Description: "The attestation format is unsupported",
        Code:        http.StatusBadRequest,
    }
    ErrInvalidAttestation = &Error{
        Name:        "invalid_attestation",
        Description: "The attestation is malformed",
        Hint:        "Check that you provided a token in the right format.",
        Code:        http.StatusBadRequest,
    }
    ErrInvalidType = &Error{
        Name:        "invalid_type",
        Description: "The attestion/assertion type is invalid",
        Hint:        "Check that the client data was submitted for the right call",
        Code:        http.StatusBadRequest,
    }
    ErrInvalidChallenge = &Error{
        Name:        "invalid_challenge",
        Description: "The challenge is invalid",
        Hint:        "Check that the challenge was supplied for the right request",
        Code:        http.StatusBadRequest,
    }
    ErrInvalidOrigin = &Error{
        Name:        "invalid_origin",
        Description: "The origin is invalid",
        Code:        http.StatusBadRequest,
    }
    ErrNoUserPresent = &Error{
        Name:        "no_user_present",
        Description: "No user was presented during authentication",
        Code:        http.StatusBadRequest,
    }
)

Default errors

func IsValidAssertion Uses

func IsValidAssertion(p ParsedAssertionResponse, originalChallenge []byte, relyingPartyID, relyingPartyOrigin string, cert *x509.Certificate) (bool, error)

IsValidAssertion may be used to check whether an assertion is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyID is empty, the relying party hash will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party origin will not be checked (INSEUCRE). If cert is nil, the hash will not be checked (INSECURE). Before calling this method, clients should execute the following steps: If the allowCredentials option was given when this authentication ceremony was initiated, verify that credential.id identifies one of the public key credentials that were listed in allowCredentials; If credential.response.userHandle is present, verify that the user identified by this value is the owner of the public key credential identified by credential.id. If the data is invalid, an error is returned, usually of the type Error.

func IsValidAttestation Uses

func IsValidAttestation(p ParsedAttestationResponse, originalChallenge []byte, relyingPartyID, relyingPartyOrigin string) (bool, error)

IsValidAttestation may be used to check whether an attestation is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party origin will not be checked (INSEUCRE). If the data is invalid, an error is returned, usually of the type Error.

func RegisterFormat Uses

func RegisterFormat(name string, f AttestationFormatFunction)

RegisterFormat will register an attestation format. If the name already exists, it will be overwritten without warning.

type AndroidSafetyNetAttestionResponse Uses

type AndroidSafetyNetAttestionResponse struct {
    Nonce                      []byte   `json:"nonce"`
    TimestampMs                int64    `json:"timestampMs"`
    ApkPackageName             string   `json:"apkPackageName"`
    ApkDigestSha256            []byte   `json:"apkDigestSha256"`
    CtsProfileMatch            bool     `json:"ctsProfileMatch"`
    ApkCertificateDigestSha256 [][]byte `json:"apkCertificateDigestSha256"`
    BasicIntegrity             bool     `json:"basicIntegrity"`
}

type AssertionResponse Uses

type AssertionResponse struct {
    PublicKeyCredential
    // This attribute contains the authenticator's response to the client’s request to generate an authentication assertion.
    Response AuthenticatorAssertionResponse `json:"response"`
}

AssertionResponse contains the attributes that are returned to the caller when a new assertion is requested. https://www.w3.org/TR/webauthn/#publickeycredential

type Attestation Uses

type Attestation struct {
    Fmt      string                 `json:"fmt"`
    AuthData AuthenticatorData      `json:"authData"`
    AttStmt  map[string]interface{} `json:"attStmt"`
}

Attestation represents the attestionObject. An important component of the attestation object is the attestation statement. This is a specific type of signed data object, containing statements about a public key credential itself and the authenticator that created it. It contains an attestation signature created using the key of the attesting authority (except for the case of self attestation, when it is created using the credential private key). In order to correctly interpret an attestation statement, a Relying Party needs to understand these two aspects of attestation: https://www.w3.org/TR/webauthn/#attestation-object

func (Attestation) IsValid Uses

func (a Attestation) IsValid(relyingPartyID string, clientDataHash []byte) error

IsValid checks whether the Attestation is valid. If relyingPartyID is empty, the relying party ID hash will not be checked (INSEUCRE). To register a new attestation type, use RegisterFormat. If the data is invalid, an error is returned, usually of the type Error.

type AttestationConveyancePreference Uses

type AttestationConveyancePreference string

AttestationConveyancePreference may be used by WebAuthn Relying Parties to specify their preference regarding attestation conveyance during credential generation. https://www.w3.org/TR/webauthn/#enumdef-attestationconveyancepreference

type AttestationFormatFunction Uses

type AttestationFormatFunction func(Attestation, []byte) error

AttestationFormatFunction will be called when checking whether an Attestation is valid.

type AttestationResponse Uses

type AttestationResponse struct {
    PublicKeyCredential
    // This attribute contains the authenticator's response to the client’s request to create a public key credential.
    Response AuthenticatorAttestationResponse `json:"response"`
}

AttestationResponse contains the attributes that are returned to the caller when a new credential is created. https://www.w3.org/TR/webauthn/#publickeycredential

type AttestedCredentialData Uses

type AttestedCredentialData struct {
    // The AAGUID of the authenticator.
    AAGUID []byte
    // A probabilistically-unique byte sequence identifying a public key credential source and its authentication
    // assertions.
    CredentialID []byte
    // The decoded credential public key.
    COSEKey interface{}
}

AttestedCredentialData represents the AttestedCredentialData type in the WebAuthn specification. https://www.w3.org/TR/webauthn/#attested-credential-data

type AuthenticationExtensionsClientInputs Uses

type AuthenticationExtensionsClientInputs map[string]interface{}

AuthenticationExtensionsClientInputs contains the client extension input values for zero or more WebAuthn extensions, as defined in §9 WebAuthn Extensions. https://www.w3.org/TR/webauthn/#dictdef-authenticationextensionsclientinputs

type AuthenticatorAssertionResponse Uses

type AuthenticatorAssertionResponse struct {
    AuthenticatorResponse
    // This attribute contains the authenticator data returned by the authenticator. See §6.1 Authenticator data.
    AuthenticatorData []byte `json:"authenticatorData"`
    // This attribute contains the raw signature returned from the authenticator. See §6.3.3 The
    // authenticatorGetAssertion operation.
    Signature []byte `json:"signature"`
    // This attribute contains the user handle returned from the authenticator, or null if the authenticator did not
    // return a user handle. See §6.3.3 The authenticatorGetAssertion operation.
    UserHandle []byte `json:"userHandle,omitempty"`
}

The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction. https://www.w3.org/TR/webauthn/#authenticatorassertionresponse

type AuthenticatorAttachment Uses

type AuthenticatorAttachment string

AuthenticatorAttachment's values describe authenticators' attachment modalities. Relying Parties use this for two purposes: to express a preferred authenticator attachment modality when calling navigator.credentials.create() to create a credential, and to inform the client of the Relying Party's best belief about how to locate the managing authenticators of the credentials listed in allowCredentials when calling navigator.credentials.get(). https://www.w3.org/TR/webauthn/#enumdef-authenticatorattachment

const (
    // AuthenticatorAttachmentPlatform indicates platform attachment.
    AuthenticatorAttachmentPlatform AuthenticatorAttachment = "platform"
    // AuthenticatorAttachmentCrossPlatform indicates cross-platform attachment.
    AuthenticatorAttachmentCrossPlatform = "cross-platform"
)

type AuthenticatorAttestationResponse Uses

type AuthenticatorAttestationResponse struct {
    AuthenticatorResponse
    // This attribute contains an attestation object, which is opaque to, and cryptographically protected against
    // tampering by, the client. The attestation object contains both authenticator data and an attestation statement.
    // The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the
    // attestation statement are determined by the attestation statement format used by the authenticator. It also
    // contains any additional information that the Relying Party's server requires to validate the attestation
    // statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data.
    // For more details, see §6.4 Attestation, §6.4.4 Generating an Attestation Object, and Figure 5.
    AttestationObject []byte `json:"attestationObject"`
}

The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration. https://www.w3.org/TR/webauthn/#authenticatorattestationresponse

type AuthenticatorData Uses

type AuthenticatorData struct {
    // SHA-256 hash of the RP ID associated with the credential.
    RPIDHash []byte
    // Flags
    Flags AuthenticatorDataFlags
    // Signature counter, 32-bit unsigned big-endian integer.
    SignCount uint32
    // attested credential data (if present). See §6.4.1 Attested credential data for details. Its length depends on the
    // length of the credential ID and credential public key being attested.
    AttestedCredentialData AttestedCredentialData
    // Raw contains the raw bytes of this AuthenticatorData.
    Raw []byte
}

AuthenticatorData encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.

func (AuthenticatorData) IsValid Uses

func (a AuthenticatorData) IsValid(relyingPartyID string) error

IsValid checks whether the AuthenticatorData is valid. If relyingPartyID is empty, the relying party will not be checked (INSEUCRE). If the data is invalid, an error is returned, usually of the type Error.

func (*AuthenticatorData) MarshalBinary Uses

func (a *AuthenticatorData) MarshalBinary() ([]byte, error)

MarshalBinary implements the encoding.BinaryMarshaler interface.

func (*AuthenticatorData) UnmarshalBinary Uses

func (a *AuthenticatorData) UnmarshalBinary(authData []byte) error

UnmarshalBinary implements the encoding.BinaryUnmarshaler interface.

type AuthenticatorDataFlags Uses

type AuthenticatorDataFlags byte

AuthenticatorDataFlags are the flags that are present in the authenticator data.

func (AuthenticatorDataFlags) HasAttestedCredentialData Uses

func (f AuthenticatorDataFlags) HasAttestedCredentialData() bool

HasAttestedCredentialData returns whether the AT flag is set.

func (AuthenticatorDataFlags) HasExtensions Uses

func (f AuthenticatorDataFlags) HasExtensions() bool

HasExtensions returns whether the ED flag is set.

func (AuthenticatorDataFlags) UserPresent Uses

func (f AuthenticatorDataFlags) UserPresent() bool

UserPresent returns whether the UP flag is set.

func (AuthenticatorDataFlags) UserVerified Uses

func (f AuthenticatorDataFlags) UserVerified() bool

UserVerified returns whether the UV flag is set.

type AuthenticatorResponse Uses

type AuthenticatorResponse struct {
    // This attribute contains a JSON serialization of the client data passed to the authenticator by the client in
    // its call to either create() or get().
    ClientDataJSON []byte `json:"clientDataJSON"`
}

AuthenticatorResponse is used by authenticators to respond to Relying Party requests. https://www.w3.org/TR/webauthn/#authenticatorresponse

type AuthenticatorSelectionCriteria Uses

type AuthenticatorSelectionCriteria struct {
    // If this member is present, eligible authenticators are filtered to only authenticators attached with the
    // specified §5.4.5 Authenticator Attachment enumeration (enum AuthenticatorAttachment).
    AuthenticatorAttachment AuthenticatorAttachment `json:"authenticatorAttachment,omitempty"`
    // This member describes the Relying Parties' requirements regarding resident credentials. If the parameter is set
    // to true, the authenticator MUST create a client-side-resident public key credential source when creating a
    // public key credential.
    RequireResidentKey bool `json:"requireResidentKey"`
    // This member describes the Relying Party's requirements regarding user verification for the create() operation.
    // Eligible authenticators are filtered to only those capable of satisfying this requirement.
    UserVerification UserVerificationRequirement `json:"userVerification,omitempty"`
}

The AuthenticatorSelectionCriteria may be used by WebAuthn Relying Parties to specify their requirements regarding authenticator attributes. https://www.w3.org/TR/webauthn/#dictdef-authenticatorselectioncriteria

type AuthenticatorTransport Uses

type AuthenticatorTransport string

AuthenticatorTransport represents the transport used by an authenticator. Authenticators may implement various transports for communicating with clients. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party may obtain a list of transports hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of this specification to define that mechanism. https://www.w3.org/TR/webauthn/#enumdef-authenticatortransport

type COSEAlgorithmIdentifier Uses

type COSEAlgorithmIdentifier int

A COSEAlgorithmIdentifier's value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG], for instance, -7 for "ES256" and -257 for "RS256". https://www.w3.org/TR/webauthn/#alg-identifier

const (
    // ES256 is the COSE Algorithm Identifier of ECDSA 256
    ES256 COSEAlgorithmIdentifier = -7
    // RS256 is the COSE Algorithm Identifier of RSA 256
    RS256 COSEAlgorithmIdentifier = -257
)

type Challenge Uses

type Challenge []byte

Challenge represents a challenge. It is defined as a separate type to make it clear that NewChallenge should be used to create it.

func NewChallenge Uses

func NewChallenge() (Challenge, error)

NewChallenge creates a new cryptographically secure random challenge of ChallengeSize bytes.

type CollectedClientData Uses

type CollectedClientData struct {
    // This member contains the string "webauthn.create" when creating new credentials, and "webauthn.get" when getting
    // an assertion from an existing credential. The purpose of this member is to prevent certain types of signature
    // confusion attacks (where an attacker substitutes one legitimate signature for another).
    Type string `json:"type"`
    // This member contains the base64url encoding of the challenge provided by the RP. See the §13.1 Cryptographic
    // Challenges security consideration.
    Challenge string `json:"challenge"`
    // This member contains the fully qualified origin of the requester, as provided to the authenticator by the client,
    // in the syntax defined by [RFC6454].
    Origin string `json:"origin"`
    // This OPTIONAL member contains information about the state of the Token Binding protocol used when communicating
    // with the Relying Party. Its absence indicates that the client doesn’t support token binding.
    TokenBinding *TokenBinding `json:"tokenBinding,omitempty"`
}

CollectedClientData represents the contextual bindings of both the WebAuthn Relying Party and the client. It is a key-value mapping whose keys are strings. Values can be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL. https://www.w3.org/TR/webauthn/#client-data

func (CollectedClientData) IsValid Uses

func (c CollectedClientData) IsValid(requiredType string, originalChallenge []byte, relyingPartyOrigin string) error

IsValid checks whether the CollectedClientData is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party will not be checked (INSEUCRE). If the data is invalid, an error is returned, usually of the type Error.

type CredentialCreationOptions Uses

type CredentialCreationOptions struct {
    PublicKey PublicKeyCredentialCreationOptions `json:"publicKey"`
}

CredentialCreationOptions contains the options that should be passed to navigator.credentials.create(). https://www.w3.org/TR/webauthn/#credentialcreationoptions-extension

type CredentialRequestOptions Uses

type CredentialRequestOptions struct {
    PublicKey PublicKeyCredentialRequestOptions `json:"publicKey"`
}

CredentialRequestOptions contains the options that should be passed to navigator.credentials.get(). https://www.w3.org/TR/webauthn/#credentialrequestoptions-extension

type Error Uses

type Error struct {
    // Name is the name of this error.
    Name string `json:"error"`
    // Description is the description of this error.
    Description string `json:"description"`
    // Hint contains further information about the error.
    Hint string `json:"hint,omitempty"`
    // Code contains the status code that should be returned when this error is returned.
    Code int `json:"status_code,omitempty"`
    // Debug contains debug information about this error that should not be shown to the user.
    Debug string `json:"debug,omitempty"`
}

Error is a representation of errors returned from this package.

func ToWebAuthnError Uses

func ToWebAuthnError(err error) *Error

ToWebAuthnError converts any error into the *Error type. If that is not possible, it will return an *Error which wraps the error.

func (*Error) Error Uses

func (e *Error) Error() string

Error implements the error interface.

func (*Error) WithDebug Uses

func (e *Error) WithDebug(debug string) *Error

WithDebug will add/replace the debug information of the error.

func (*Error) WithDebugf Uses

func (e *Error) WithDebugf(debug string, args ...interface{}) *Error

WithDebugf will add/replace the debug information of the error.

func (*Error) WithHint Uses

func (e *Error) WithHint(hint string) *Error

WithHint will add/replace the hint of the error.

func (*Error) WithHintf Uses

func (e *Error) WithHintf(hint string, args ...interface{}) *Error

WithHintf will add/replace the hint of the error.

type ParsedAssertionResponse Uses

type ParsedAssertionResponse struct {
    ParsedPublicKeyCredential
    // This attribute contains the authenticator's response to the client’s request to generate an authentication assertion.
    Response ParsedAuthenticatorAssertionResponse
    // RawResponse contains the unparsed AssertionResponse.
    RawResponse AssertionResponse
}

ParsedAssertionResponse is a parsed version of AssertionResponse. https://www.w3.org/TR/webauthn/#publickeycredential

func ParseAssertionResponse Uses

func ParseAssertionResponse(p AssertionResponse) (ParsedAssertionResponse, error)

ParseAssertionResponse will parse a raw AssertionResponse as supplied by a client to a ParsedAssertionResponse that may be used by clients to examine data. If the data is invalid, an error is returned, usually of the type Error.

type ParsedAttestationResponse Uses

type ParsedAttestationResponse struct {
    ParsedPublicKeyCredential
    // This attribute contains the authenticator's response to the client’s request to create a public key credential.
    Response ParsedAuthenticatorAttestationResponse
    // RawResponse contains the unparsed AttestationResponse.
    RawResponse AttestationResponse
}

ParsedAttestationResponse is a parsed version of AttestationResponse https://www.w3.org/TR/webauthn/#publickeycredential

func ParseAttestationResponse Uses

func ParseAttestationResponse(p AttestationResponse) (ParsedAttestationResponse, error)

ParseAttestationResponse will parse a raw AttestationResponse as supplied by a client to a ParsedAttestationResponse that may be used by clients to examine data. If the data is invalid, an error is returned, usually of the type Error.

type ParsedAuthenticatorAssertionResponse Uses

type ParsedAuthenticatorAssertionResponse struct {
    ParsedAuthenticatorResponse
    // This attribute contains the authenticator data returned by the authenticator. See §6.1 Authenticator data.
    AuthData AuthenticatorData
    // This attribute contains the raw signature returned from the authenticator. See §6.3.3 The
    // authenticatorGetAssertion operation.
    Signature []byte
    // This attribute contains the user handle returned from the authenticator, or null if the authenticator did not
    // return a user handle. See §6.3.3 The authenticatorGetAssertion operation.
    UserHandle []byte
}

ParsedAuthenticatorAssertionResponse is a parsed version of AuthenticatorAssertionResponse. https://www.w3.org/TR/webauthn/#authenticatorassertionresponse

type ParsedAuthenticatorAttestationResponse Uses

type ParsedAuthenticatorAttestationResponse struct {
    ParsedAuthenticatorResponse
    // This attribute contains an attestation object, which is opaque to, and cryptographically protected against
    // tampering by, the client. The attestation object contains both authenticator data and an attestation statement.
    // The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the
    // attestation statement are determined by the attestation statement format used by the authenticator. It also
    // contains any additional information that the Relying Party's server requires to validate the attestation
    // statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data.
    // For more details, see §6.4 Attestation, §6.4.4 Generating an Attestation Object, and Figure 5.
    Attestation Attestation
}

ParsedAuthenticatorAttestationResponse is a parsed version of AuthenticatorAttestationResponse https://www.w3.org/TR/webauthn/#authenticatorattestationresponse

type ParsedAuthenticatorResponse Uses

type ParsedAuthenticatorResponse struct {
    // This attribute contains the parsed client data passed to the authenticator by the client in its call to either
    // create() or get().
    ClientData CollectedClientData
}

ParsedAuthenticatorResponse is a parsed version of AuthenticatorResponse. https://www.w3.org/TR/webauthn/#authenticatorresponse

type ParsedPublicKeyCredential Uses

type ParsedPublicKeyCredential struct {
    // This attribute is inherited from Credential, though PublicKeyCredential overrides Credential's getter, instead
    // returning the base64url encoding of the data contained in the object’s [[identifier]] internal slot.
    ID  string
    // This attribute returns the ArrayBuffer contained in the [[identifier]] internal slot.
    RawID []byte
    // The PublicKeyCredential interface object's [[type]] internal slot's value is the string "public-key".
    Type string
}

ParsedPublicKeyCredential is a parsed version of PublicKeyCredential https://www.w3.org/TR/webauthn/#publickeycredential

type PublicKeyCredential Uses

type PublicKeyCredential struct {
    // This attribute is inherited from Credential, though PublicKeyCredential overrides Credential's getter, instead
    // returning the base64url encoding of the data contained in the object’s [[identifier]] internal slot.
    ID  string `json:"id"`
    // This attribute returns the ArrayBuffer contained in the [[identifier]] internal slot.
    RawID []byte `json:"rawId"`
    // The PublicKeyCredential interface object's [[type]] internal slot's value is the string "public-key".
    Type string `json:"type"`
}

The PublicKeyCredential interface inherits from Credential [CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested. See AttestationResponse and AssertionResponse https://www.w3.org/TR/webauthn/#publickeycredential

type PublicKeyCredentialCreationOptions Uses

type PublicKeyCredentialCreationOptions struct {
    // This member contains data about the Relying Party responsible for the request.
    // Its value’s name member is REQUIRED. See §5.4.1 Public Key Entity Description (dictionary
    // PublicKeyCredentialEntity) for further details.
    // Its value’s id member specifies the RP ID with which the credential should be associated. If omitted, its value
    // will be the CredentialsContainer object’s relevant settings object's origin's effective domain. See §5.4.2
    // Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity) for further details.
    RP  PublicKeyCredentialRpEntity `json:"rp"`
    // This member contains data about the user account for which the Relying Party is requesting attestation.
    // Its value’s name, displayName and id members are REQUIRED. See §5.4.1 Public Key Entity Description
    // (dictionary PublicKeyCredentialEntity) and §5.4.3 User Account Parameters for Credential Generation
    // (dictionary PublicKeyCredentialUserEntity) for further details.
    User PublicKeyCredentialUserEntity `json:"user"`

    // This member contains a challenge intended to be used for generating the newly created credential’s attestation
    // object. See the §13.1 Cryptographic Challenges security consideration.
    Challenge Challenge `json:"challenge"`
    // This member contains information about the desired properties of the credential to be created. The sequence is
    // ordered from most preferred to least preferred. The client makes a best-effort to create the most preferred
    // credential that it can.
    PubKeyCredParams []PublicKeyCredentialParameters `json:"pubKeyCredParams,omitempty"`

    // This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
    // This is treated as a hint, and MAY be overridden by the client.
    Timeout uint `json:"timeout,omitempty"`
    // This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for
    // the same account on a single authenticator. The client is requested to return an error if the new credential
    // would be created on an authenticator that also contains one of the credentials enumerated in this parameter.
    ExcludeCredentials []PublicKeyCredentialDescriptor `json:"excludeCredentials,omitempty"`
    // This member is intended for use by Relying Parties that wish to select the appropriate authenticators to
    // participate in the create() operation.
    AuthenticatorSelection AuthenticatorSelectionCriteria `json:"authenticatorSelection,omitempty"`
    // This member is intended for use by Relying Parties that wish to express their preference for attestation
    // conveyance. The default is none.
    Attestation AttestationConveyancePreference `json:"attestation,omitempty"`
    // This member contains additional parameters requesting additional processing by the client and authenticator. For
    // example, the caller may request that only authenticators with certain capabilities be used to create the
    // credential, or that particular information be returned in the attestation object. Some extensions are defined in
    // §9 WebAuthn Extensions; consult the IANA "WebAuthn Extension Identifier" registry established by
    // [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Extensions.
    Extensions AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}

The PublicKeyCredentialCreationOptions dictionary supplies create() with the data it needs to generate an attestation. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialcreationoptions

type PublicKeyCredentialDescriptor Uses

type PublicKeyCredentialDescriptor struct {
    // This member contains the type of the public key credential the caller is referring to.
    Type PublicKeyCredentialType `json:"type"`
    // This member contains the credential ID of the public key credential the caller is referring to.
    ID  []byte `json:"id"`
    // This OPTIONAL member contains a hint as to how the client might communicate with the managing authenticator of
    // the public key credential the caller is referring to.
    Transport []AuthenticatorTransport `json:"transports,omitempty"`
}

PublicKeyCredentialDescriptor contains the attributes that are specified by a caller when referring to a public key credential as an input parameter to the create() or get() methods. It mirrors the fields of the PublicKeyCredential object returned by the latter methods. https://www.w3.org/TR/webauthn/#credential-dictionary

type PublicKeyCredentialEntity Uses

type PublicKeyCredentialEntity struct {
    // A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents.
    Name string `json:"name"`
}

The PublicKeyCredentialEntity dictionary describes a user account, or a WebAuthn Relying Party, with which a public key credential is associated. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialentity

type PublicKeyCredentialParameters Uses

type PublicKeyCredentialParameters struct {
    // This member specifies the type of credential to be created.
    Type PublicKeyCredentialType `json:"type"`
    // This member specifies the cryptographic signature algorithm with which the newly generated credential will be
    // used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
    Algorithm COSEAlgorithmIdentifier `json:"alg"`
}

PublicKeyCredentialParameters is used to supply additional parameters when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialparameters

type PublicKeyCredentialRequestOptions Uses

type PublicKeyCredentialRequestOptions struct {
    // This member represents a challenge that the selected authenticator signs, along with other data, when producing
    // an authentication assertion. See the §13.1 Cryptographic Challenges security consideration.
    Challenge Challenge `json:"challenge"`
    // This OPTIONAL member specifies a time, in milliseconds, that the caller is willing to wait for the call to
    // complete. The value is treated as a hint, and MAY be overridden by the client.
    Timeout uint `json:"timeout,omitempty"`
    // This OPTIONAL member specifies the relying party identifier claimed by the caller. If omitted, its value will be
    // the CredentialsContainer object’s relevant settings object's origin's effective domain.
    RPID string `json:"rpId,omitempty"`
    // This OPTIONAL member contains a list of PublicKeyCredentialDescriptor objects representing public key credentials
    // acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most
    // preferred credential, and so on down the list).
    AllowCredentials []PublicKeyCredentialDescriptor `json:"allowCredentials,omitempty"`
    // This member describes the Relying Party's requirements regarding user verification for the get() operation.
    // Eligible authenticators are filtered to only those capable of satisfying this requirement.
    UserVerification UserVerificationRequirement `json:"userVerification,omitempty"`
    // This OPTIONAL member contains additional parameters requesting additional processing by the client and
    // authenticator. For example, if transaction confirmation is sought from the user, then the prompt string might
    // be included as an extension.
    Extensions AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}

The PublicKeyCredentialRequestOptions dictionary supplies get() with the data it needs to generate an assertion. Its challenge member MUST be present, while its other members are OPTIONAL. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions

type PublicKeyCredentialRpEntity Uses

type PublicKeyCredentialRpEntity struct {
    PublicKeyCredentialEntity
    // A unique identifier for the Relying Party entity, which sets the RP ID.
    ID  string `json:"id,omitempty"`
}

The PublicKeyCredentialRpEntity dictionary is used to supply additional Relying Party attributes when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrpentity

type PublicKeyCredentialType Uses

type PublicKeyCredentialType string

PublicKeyCredentialType defines the valid credential types. It is an extension point; values can be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and attestation structures according to the type of the authenticator. Currently one credential type is defined, namely "public-key". https://www.w3.org/TR/webauthn/#enumdef-publickeycredentialtype

const (
    // PublicKeyCredentialTypePublicKey is the only credential type defined, namely "public-key".
    PublicKeyCredentialTypePublicKey PublicKeyCredentialType = "public-key"
)

type PublicKeyCredentialUserEntity Uses

type PublicKeyCredentialUserEntity struct {
    PublicKeyCredentialEntity

    // The user handle of the user account entity. To ensure secure operation, authentication and authorization
    // decisions MUST be made on the basis of this id member, not the displayName nor name members. See
    // Section 6.1 of [RFC8266].
    ID  []byte `json:"id"`
    // A human-palatable name for the user account, intended only for display. For example, "Alex P. Müller" or
    // "田中 倫". The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than
    // necessary.
    DisplayName string `json:"displayName"`
}

The PublicKeyCredentialUserEntity dictionary is used to supply additional user account attributes when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialuserentity

type TokenBinding Uses

type TokenBinding struct {
    // This member is one of the following:
    Status TokenBindingStatus `json:"status,omitempty"`
    // This member MUST be present if status is present, and MUST a base64url encoding of the Token Binding ID that was
    // used when communicating with the Relying Party.
    ID  string `json:"id,omitempty"`
}

TokenBinding represents the token binding. https://www.w3.org/TR/webauthn/#dictdef-tokenbinding

type TokenBindingStatus Uses

type TokenBindingStatus string

TokenBindingStatus represents the status of a TokenBinding. https://www.w3.org/TR/webauthn/#enumdef-tokenbindingstatus

const (
    // TokenBindingStatusPresent indicates the client supports token binding, but it was not negotiated when
    // communicating with the Relying Party.
    TokenBindingStatusPresent TokenBindingStatus = "present"
    // TokenBindingStatusSupported indicates token binding was used when communicating with the Relying Party. In this
    // case, the id member MUST be present.
    TokenBindingStatusSupported = "supported"
)

type UserVerificationRequirement Uses

type UserVerificationRequirement string

UserVerificationRequirement may be used by a WebAuthn Relying Party to require user verification for some of its operations but not for others. https://www.w3.org/TR/webauthn/#enumdef-userverificationrequirement

Package protocol imports 17 packages (graph) and is imported by 1 packages. Updated 2018-11-24. Refresh now. Tools for package owners.