package protocol

v0.3.4 Latest
Warning

This package is not in the latest version of its module.

Published: Nov 12, 2018 License: MIT Imports: 17 Imported by: 1

Documentation

Overview

protocol is a low-level package that closely resembles the WebAuthn specification. You should prefer to use the webauthn package. The main methods in this package are ParseAttestationResponse, ParseAssertionResponse, IsValidAssertion and IsValidAttestation.

The version of the specification that is implemented is https://www.w3.org/TR/2018/CR-webauthn-20180807/.

Index

Constants

const (
	// AuthenticatorTransportUSB indicates the respective authenticator can be contacted over removable USB.
	AuthenticatorTransportUSB AuthenticatorTransport = "usb"
	// AuthenticatorTransportNFC indicates the respective authenticator can be contacted over Near Field Communication (NFC).
	AuthenticatorTransportNFC = "nfc"
	// AuthenticatorTransportBLE indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
	AuthenticatorTransportBLE = "ble"
	// AuthenticatorTransportInternal indicates the respective authenticator is contacted using a client device-specific transport. These
	// authenticators are not removable from the client device.
	AuthenticatorTransportInternal = "internal"
)
const (
	// UserVerificationRequired indicates that the Relying Party requires user verification for the operation and will fail the
	// operation if the response does not have the UV flag set.
	UserVerificationRequired UserVerificationRequirement = "required"
	// UserVerificationPreferred indicates that the Relying Party prefers user verification for the operation if possible, but
	// will not fail the operation if the response does not have the UV flag set.
	UserVerificationPreferred = "preferred"
	// UserVerificationDiscouraged indicates that the Relying Party does not want user verification employed during the operation
	// (e.g., in the interest of minimizing disruption to the user interaction flow).
	UserVerificationDiscouraged = "discouraged"
)
const (
	// AttestationConveyancePreferenceNone indicates that the Relying Party is not interested in authenticator attestation. For example, in
	// order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party,
	// or to save a roundtrip to an Attestation CA. This is the default value.
	AttestationConveyancePreferenceNone = "none"
	// AttestationConveyancePreferenceIndirect indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation
	// statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace
	// the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA,
	// in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a
	// heterogeneous ecosystem.
	AttestationConveyancePreferenceIndirect = "indirect"
	// AttestationConveyancePreferenceDirect indicates that the Relying Party wants to receive the attestation statement as generated by the
	// authenticator.
	AttestationConveyancePreferenceDirect = "direct"
)
const (
	// AuthenticatorDataFlagUserPresent indicates the UP flag.
	AuthenticatorDataFlagUserPresent = 0x001 // 0000 0001
	// AuthenticatorDataFlagUserVerified indicates the UV flag.
	AuthenticatorDataFlagUserVerified = 0x002 // 0000 0010
	// AuthenticatorDataFlagHasCredentialData indicates the AT flag.
	AuthenticatorDataFlagHasCredentialData = 0x040 // 0100 0000
	// AuthenticatorDataFlagHasExtension indicates the ED flag.
	AuthenticatorDataFlagHasExtension = 0x080 // 1000 0000
)
const ChallengeSize = 32

ChallengeSize represents the size of a challenge created by NewChallenge.

Variables

var (
	ErrInvalidSignature = &Error{
		Name:        "invalid_signature",
		Description: "The signature is invalid",
		Hint:        "Check that the provided token is in the correct format",
		Code:        http.StatusUnauthorized,
	}
	ErrInvalidRequest = &Error{
		Name:        "invalid_request",
		Description: "The request is malformed",
		Hint:        "Make sure that the parameters provided are correct",
		Code:        http.StatusBadRequest,
	}
	ErrUnsupportedAttestationFormat = &Error{
		Name:        "unsupported_attestation_format",
		Description: "The attestation format is unsupported",
		Code:        http.StatusBadRequest,
	}
	ErrInvalidAttestation = &Error{
		Name:        "invalid_attestation",
		Description: "The attestation is malformed",
		Hint:        "Check that you provided a token in the right format.",
		Code:        http.StatusBadRequest,
	}
	ErrInvalidType = &Error{
		Name:        "invalid_type",
		Description: "The attestion/assertion type is invalid",
		Hint:        "Check that the client data was submitted for the right call",
		Code:        http.StatusBadRequest,
	}
	ErrInvalidChallenge = &Error{
		Name:        "invalid_challenge",
		Description: "The challenge is invalid",
		Hint:        "Check that the challenge was supplied for the right request",
		Code:        http.StatusBadRequest,
	}
	ErrInvalidOrigin = &Error{
		Name:        "invalid_origin",
		Description: "The origin is invalid",
		Code:        http.StatusBadRequest,
	}
	ErrNoUserPresent = &Error{
		Name:        "no_user_present",
		Description: "No user was presented during authentication",
		Code:        http.StatusBadRequest,
	}
)

Default errors

Functions

func IsValidAssertion

func IsValidAssertion(p ParsedAssertionResponse, originalChallenge []byte, relyingPartyID, relyingPartyOrigin string, cert *x509.Certificate) (bool, error)

IsValidAssertion may be used to check whether an assertion is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party origin will not be checked (INSECURE). If cert is nil, the hash will not be checked (INSECURE). Before calling this method, clients should execute the following steps: if the allowCredentials option was given when this authentication ceremony was initiated, verify that credential.id identifies one of the public key credentials that were listed in allowCredentials; if credential.response.userHandle is present, verify that the user identified by this value is the owner of the public key credential identified by credential.id. If the data is invalid, an error is returned, usually of the type Error.

func IsValidAttestation

func IsValidAttestation(p ParsedAttestationResponse, originalChallenge []byte, relyingPartyID, relyingPartyOrigin string) (bool, error)

IsValidAttestation may be used to check whether an attestation is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party origin will not be checked (INSECURE). If the data is invalid, an error is returned, usually of the type Error.

func RegisterFormat

func RegisterFormat(name string, f AttestationFormatFunction)

RegisterFormat will register an attestation format. If the name already exists, it will be overwritten without warning.

Types

type AndroidSafetyNetAttestionResponse added in v0.3.4

type AndroidSafetyNetAttestionResponse struct {
	Nonce                      []byte   `json:"nonce"`
	TimestampMs                int64    `json:"timestampMs"`
	ApkPackageName             string   `json:"apkPackageName"`
	ApkDigestSha256            []byte   `json:"apkDigestSha256"`
	CtsProfileMatch            bool     `json:"ctsProfileMatch"`
	ApkCertificateDigestSha256 [][]byte `json:"apkCertificateDigestSha256"`
	BasicIntegrity             bool     `json:"basicIntegrity"`
}

type AssertionResponse

type AssertionResponse struct {
	PublicKeyCredential
	// This attribute contains the authenticator's response to the client’s request to generate an authentication assertion.
	Response AuthenticatorAssertionResponse `json:"response"`
}

AssertionResponse contains the attributes that are returned to the caller when a new assertion is requested. https://www.w3.org/TR/webauthn/#publickeycredential

type Attestation

type Attestation struct {
	Fmt      string                 `json:"fmt"`
	AuthData AuthenticatorData      `json:"authData"`
	AttStmt  map[string]interface{} `json:"attStmt"`
}

Attestation represents the attestationObject. An important component of the attestation object is the attestation statement. This is a specific type of signed data object, containing statements about a public key credential itself and the authenticator that created it. It contains an attestation signature created using the key of the attesting authority (except for the case of self attestation, when it is created using the credential private key). In order to correctly interpret an attestation statement, a Relying Party needs to understand these two aspects of attestation: https://www.w3.org/TR/webauthn/#attestation-object

func (Attestation) IsValid

func (a Attestation) IsValid(relyingPartyID string, clientDataHash []byte) error

IsValid checks whether the Attestation is valid. If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). To register a new attestation type, use RegisterFormat. If the data is invalid, an error is returned, usually of the type Error.

type AttestationConveyancePreference

type AttestationConveyancePreference string

AttestationConveyancePreference may be used by WebAuthn Relying Parties to specify their preference regarding attestation conveyance during credential generation. https://www.w3.org/TR/webauthn/#enumdef-attestationconveyancepreference

type AttestationFormatFunction

type AttestationFormatFunction func(Attestation, []byte) error

AttestationFormatFunction will be called when checking whether an Attestation is valid.

type AttestationResponse

type AttestationResponse struct {
	PublicKeyCredential
	// This attribute contains the authenticator's response to the client’s request to create a public key credential.
	Response AuthenticatorAttestationResponse `json:"response"`
}

AttestationResponse contains the attributes that are returned to the caller when a new credential is created. https://www.w3.org/TR/webauthn/#publickeycredential

type AttestedCredentialData

type AttestedCredentialData struct {
	// The AAGUID of the authenticator.
	AAGUID []byte
	// A probabilistically-unique byte sequence identifying a public key credential source and its authentication
	// assertions.
	CredentialID []byte
	// The decoded credential public key.
	COSEKey interface{}
}

AttestedCredentialData represents the AttestedCredentialData type in the WebAuthn specification. https://www.w3.org/TR/webauthn/#attested-credential-data

type AuthenticationExtensionsClientInputs

type AuthenticationExtensionsClientInputs map[string]interface{}

AuthenticationExtensionsClientInputs contains the client extension input values for zero or more WebAuthn extensions, as defined in §9 WebAuthn Extensions. https://www.w3.org/TR/webauthn/#dictdef-authenticationextensionsclientinputs

type AuthenticatorAssertionResponse

type AuthenticatorAssertionResponse struct {
	AuthenticatorResponse
	// This attribute contains the authenticator data returned by the authenticator. See §6.1 Authenticator data.
	AuthenticatorData []byte `json:"authenticatorData"`
	// This attribute contains the raw signature returned from the authenticator. See §6.3.3 The
	// authenticatorGetAssertion operation.
	Signature []byte `json:"signature"`
	// This attribute contains the user handle returned from the authenticator, or null if the authenticator did not
	// return a user handle. See §6.3.3 The authenticatorGetAssertion operation.
	UserHandle []byte `json:"userHandle,omitempty"`
}

The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction. https://www.w3.org/TR/webauthn/#authenticatorassertionresponse

type AuthenticatorAttachment

type AuthenticatorAttachment string

AuthenticatorAttachment's values describe authenticators' attachment modalities. Relying Parties use this for two purposes: to express a preferred authenticator attachment modality when calling navigator.credentials.create() to create a credential, and to inform the client of the Relying Party's best belief about how to locate the managing authenticators of the credentials listed in allowCredentials when calling navigator.credentials.get(). https://www.w3.org/TR/webauthn/#enumdef-authenticatorattachment

const (
	// AuthenticatorAttachmentPlatform indicates platform attachment.
	AuthenticatorAttachmentPlatform AuthenticatorAttachment = "platform"
	// AuthenticatorAttachmentCrossPlatform indicates cross-platform attachment.
	AuthenticatorAttachmentCrossPlatform = "cross-platform"
)

type AuthenticatorAttestationResponse

type AuthenticatorAttestationResponse struct {
	AuthenticatorResponse
	// This attribute contains an attestation object, which is opaque to, and cryptographically protected against
	// tampering by, the client. The attestation object contains both authenticator data and an attestation statement.
	// The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the
	// attestation statement are determined by the attestation statement format used by the authenticator. It also
	// contains any additional information that the Relying Party's server requires to validate the attestation
	// statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data.
	// For more details, see §6.4 Attestation, §6.4.4 Generating an Attestation Object, and Figure 5.
	AttestationObject []byte `json:"attestationObject"`
}

The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration. https://www.w3.org/TR/webauthn/#authenticatorattestationresponse

type AuthenticatorData

type AuthenticatorData struct {
	// SHA-256 hash of the RP ID associated with the credential.
	RPIDHash []byte
	// Flags
	Flags AuthenticatorDataFlags
	// Signature counter, 32-bit unsigned big-endian integer.
	SignCount uint32
	// attested credential data (if present). See §6.4.1 Attested credential data for details. Its length depends on the
	// length of the credential ID and credential public key being attested.
	AttestedCredentialData AttestedCredentialData
	// Raw contains the raw bytes of this AuthenticatorData.
	Raw []byte
}

AuthenticatorData encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.

func (AuthenticatorData) IsValid

func (a AuthenticatorData) IsValid(relyingPartyID string) error

IsValid checks whether the AuthenticatorData is valid. If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). If the data is invalid, an error is returned, usually of the type Error.

func (*AuthenticatorData) MarshalBinary

func (a *AuthenticatorData) MarshalBinary() ([]byte, error)

MarshalBinary implements the encoding.BinaryMarshaler interface.

func (*AuthenticatorData) UnmarshalBinary

func (a *AuthenticatorData) UnmarshalBinary(authData []byte) error

UnmarshalBinary implements the encoding.BinaryUnmarshaler interface.

type AuthenticatorDataFlags

type AuthenticatorDataFlags byte

AuthenticatorDataFlags are the flags that are present in the authenticator data.

func (AuthenticatorDataFlags) HasAttestedCredentialData

func (f AuthenticatorDataFlags) HasAttestedCredentialData() bool

HasAttestedCredentialData returns whether the AT flag is set.

func (AuthenticatorDataFlags) HasExtensions

func (f AuthenticatorDataFlags) HasExtensions() bool

HasExtensions returns whether the ED flag is set.

func (AuthenticatorDataFlags) UserPresent

func (f AuthenticatorDataFlags) UserPresent() bool

UserPresent returns whether the UP flag is set.

func (AuthenticatorDataFlags) UserVerified

func (f AuthenticatorDataFlags) UserVerified() bool

UserVerified returns whether the UV flag is set.

type AuthenticatorResponse

type AuthenticatorResponse struct {
	// This attribute contains a JSON serialization of the client data passed to the authenticator by the client in
	// its call to either create() or get().
	ClientDataJSON []byte `json:"clientDataJSON"`
}

AuthenticatorResponse is used by authenticators to respond to Relying Party requests. https://www.w3.org/TR/webauthn/#authenticatorresponse

type AuthenticatorSelectionCriteria

type AuthenticatorSelectionCriteria struct {
	// If this member is present, eligible authenticators are filtered to only authenticators attached with the
	// specified §5.4.5 Authenticator Attachment enumeration (enum AuthenticatorAttachment).
	AuthenticatorAttachment AuthenticatorAttachment `json:"authenticatorAttachment,omitempty"`
	// This member describes the Relying Parties' requirements regarding resident credentials. If the parameter is set
	// to true, the authenticator MUST create a client-side-resident public key credential source when creating a
	// public key credential.
	RequireResidentKey bool `json:"requireResidentKey"`
	// This member describes the Relying Party's requirements regarding user verification for the create() operation.
	// Eligible authenticators are filtered to only those capable of satisfying this requirement.
	UserVerification UserVerificationRequirement `json:"userVerification,omitempty"`
}

The AuthenticatorSelectionCriteria may be used by WebAuthn Relying Parties to specify their requirements regarding authenticator attributes. https://www.w3.org/TR/webauthn/#dictdef-authenticatorselectioncriteria

type AuthenticatorTransport

type AuthenticatorTransport string

AuthenticatorTransport represents the transport used by an authenticator. Authenticators may implement various transports for communicating with clients. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party may obtain a list of transports hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of this specification to define that mechanism. https://www.w3.org/TR/webauthn/#enumdef-authenticatortransport

type COSEAlgorithmIdentifier

type COSEAlgorithmIdentifier int

A COSEAlgorithmIdentifier's value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG], for instance, -7 for "ES256" and -257 for "RS256". https://www.w3.org/TR/webauthn/#alg-identifier

const (
	// ES256 is the COSE Algorithm Identifier of ECDSA 256
	ES256 COSEAlgorithmIdentifier = -7
	// RS256 is the COSE Algorithm Identifier of RSA 256
	RS256 COSEAlgorithmIdentifier = -257
)
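The flag constants, AuthenticatorData.IsValid, IsValidAssertion and the ES256 identifier above describe the core of assertion verification: bind the authenticator data to the RP ID hash, require the UP flag (and UV when the Relying Party demands it), then verify the ES256 signature over authData || SHA-256(clientDataJSON). The block below is an added, self-contained example of those checks written for this page; it is not the package's own code and does not import it. Its flag bit positions follow §6.1 of the specification (UP bit 0, UV bit 2, AT bit 6, ED bit 7), so its UV mask is 0x04; the package's AuthenticatorDataFlagUserVerified constant listed above reads 0x002, which a reader should compare against the specification before relying on it. The authenticator data, key and client data are constructed in the block, not captured from a device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bit positions from WebAuthn §6.1 (this example's constants, not the package's).
const (
	flagUserPresent  byte = 0x01
	flagUserVerified byte = 0x04
	flagAttestedCred byte = 0x40
	flagExtensions   byte = 0x80
)

// authDataHeader is the fixed 37-byte prefix of authenticator data.
type authDataHeader struct {
	RPIDHash  []byte
	Flags     byte
	SignCount uint32
	Raw       []byte
}

// parseAuthData decodes the header. Attested credential data and extensions are left
// undecoded here, but a flag that promises trailing bytes must actually be backed by bytes.
func parseAuthData(b []byte) (authDataHeader, error) {
	if len(b) < 37 {
		return authDataHeader{}, errors.New("authenticator data shorter than 37 bytes")
	}
	h := authDataHeader{RPIDHash: b[:32], Flags: b[32], SignCount: binary.BigEndian.Uint32(b[33:37]), Raw: b}
	if h.Flags&(flagAttestedCred|flagExtensions) != 0 && len(b) == 37 {
		return authDataHeader{}, errors.New("AT or ED flag set but no trailing data")
	}
	return h, nil
}

// checkAuthData binds the data to the expected RP ID and enforces UP (and UV when required).
// There is deliberately no way to skip the RP ID check, unlike passing an empty relyingPartyID.
func checkAuthData(h authDataHeader, rpID string, requireUV bool) error {
	want := sha256.Sum256([]byte(rpID))
	if subtle.ConstantTimeCompare(h.RPIDHash, want[:]) != 1 {
		return errors.New("RP ID hash mismatch")
	}
	if h.Flags&flagUserPresent == 0 {
		return errors.New("no_user_present")
	}
	if requireUV && h.Flags&flagUserVerified == 0 {
		return errors.New("user verification required but UV flag not set")
	}
	return nil
}

// assertionDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
// ES256 (COSE -7) is ECDSA on P-256 with SHA-256, so this digest feeds ecdsa.VerifyASN1 directly.
func assertionDigest(rawAuthData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, rawAuthData...), cdHash[:]...))
	return d[:]
}

// buildAuthData constructs a sample header (constructed test data, not a real authenticator's).
func buildAuthData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	b := make([]byte, 37)
	copy(b, h[:])
	b[32] = flags
	binary.BigEndian.PutUint32(b[33:], count)
	return b
}

// demo signs a constructed assertion with a throwaway key, validates it, and confirms that
// a modified signature counter and a wrong RP ID are both rejected.
func demo() error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	clientDataJSON := []byte(`{"type":"webauthn.get","challenge":"c2FtcGxlLWNoYWxsZW5nZQ","origin":"https://example.com"}`)
	raw := buildAuthData("example.com", flagUserPresent|flagUserVerified, 7)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, assertionDigest(raw, clientDataJSON))
	if err != nil {
		return err
	}
	h, err := parseAuthData(raw)
	if err != nil {
		return err
	}
	if err := checkAuthData(h, "example.com", true); err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(&priv.PublicKey, assertionDigest(raw, clientDataJSON), sig) {
		return errors.New("valid signature rejected")
	}
	tampered := buildAuthData("example.com", flagUserPresent|flagUserVerified, 8) // counter bumped
	if ecdsa.VerifyASN1(&priv.PublicKey, assertionDigest(tampered, clientDataJSON), sig) {
		return errors.New("signature accepted over tampered authenticator data")
	}
	if checkAuthData(h, "other.example", true) == nil {
		return errors.New("wrong RP ID accepted")
	}
	return nil
}

func main() {
	if err := demo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("assertion checks passed")
}
```

The RP ID hash comparison uses a constant-time compare even though the hash is not secret; it costs nothing and keeps the habit consistent with the challenge comparison elsewhere. A real verifier would additionally compare SignCount with the stored value and reject a counter that did not increase, which the page's IsValidAssertion signature leaves to the caller.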

type Challenge

type Challenge []byte

Challenge represents a challenge. It is defined as a separate type to make it clear that NewChallenge should be used to create it.

func NewChallenge

func NewChallenge() (Challenge, error)

NewChallenge creates a new cryptographically secure random challenge of ChallengeSize bytes.

type CollectedClientData

type CollectedClientData struct {
	// This member contains the string "webauthn.create" when creating new credentials, and "webauthn.get" when getting
	// an assertion from an existing credential. The purpose of this member is to prevent certain types of signature
	// confusion attacks (where an attacker substitutes one legitimate signature for another).
	Type string `json:"type"`
	// This member contains the base64url encoding of the challenge provided by the RP. See the §13.1 Cryptographic
	// Challenges security consideration.
	Challenge string `json:"challenge"`
	// This member contains the fully qualified origin of the requester, as provided to the authenticator by the client,
	// in the syntax defined by [RFC6454].
	Origin string `json:"origin"`
	// This OPTIONAL member contains information about the state of the Token Binding protocol used when communicating
	// with the Relying Party. Its absence indicates that the client doesn’t support token binding.
	TokenBinding *TokenBinding `json:"tokenBinding,omitempty"`
}

CollectedClientData represents the contextual bindings of both the WebAuthn Relying Party and the client. It is a key-value mapping whose keys are strings. Values can be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL. https://www.w3.org/TR/webauthn/#client-data

func (CollectedClientData) IsValid

func (c CollectedClientData) IsValid(requiredType string, originalChallenge []byte, relyingPartyOrigin string) error

IsValid checks whether the CollectedClientData is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party origin will not be checked (INSECURE). If the data is invalid, an error is returned, usually of the type Error.
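NewChallenge and CollectedClientData.IsValid above are the two halves of the challenge binding: the Relying Party generates ChallengeSize random bytes, stores them for the ceremony, and later checks that the type, challenge and origin in clientDataJSON match what it expects. The block below is an added example for this page (not the package's own code, which it does not import) that does both halves on constructed clientDataJSON. Unlike the package's IsValid, its check function refuses to run when the challenge or origin is missing rather than silently skipping that check; the field subset, function names and error strings are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const challengeSize = 32 // same size the page's ChallengeSize uses

// newChallenge draws the challenge from the OS CSPRNG; nothing else is acceptable here.
func newChallenge() ([]byte, error) {
	c := make([]byte, challengeSize)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// collectedClientData is the subset of CollectedClientData this example validates.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// checkClientData parses clientDataJSON and enforces type, challenge and origin.
// A nil challenge or empty origin is an error, never a reason to skip the check.
func checkClientData(clientDataJSON []byte, requiredType string, originalChallenge []byte, rpOrigin string) (*collectedClientData, error) {
	if len(originalChallenge) == 0 || rpOrigin == "" {
		return nil, errors.New("refusing to validate without an expected challenge and origin")
	}
	var c collectedClientData
	if err := json.Unmarshal(clientDataJSON, &c); err != nil {
		return nil, fmt.Errorf("invalid_request: %w", err)
	}
	// "webauthn.create" vs "webauthn.get" stops a registration signature being replayed as a login.
	if c.Type != requiredType {
		return nil, errors.New("invalid_type")
	}
	// The challenge is base64url without padding; tolerate padding, then compare in constant time.
	got, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(c.Challenge, "="))
	if err != nil || subtle.ConstantTimeCompare(got, originalChallenge) != 1 {
		return nil, errors.New("invalid_challenge")
	}
	if c.Origin != rpOrigin {
		return nil, errors.New("invalid_origin")
	}
	return &c, nil
}

// encodeClientData builds clientDataJSON the way a browser would (constructed sample data).
func encodeClientData(typ string, challenge []byte, origin string) []byte {
	b, _ := json.Marshal(collectedClientData{
		Type:      typ,
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	return b
}

func main() {
	ch, err := newChallenge()
	if err != nil {
		panic(err)
	}
	cd := encodeClientData("webauthn.get", ch, "https://example.com")
	_, err = checkClientData(cd, "webauthn.get", ch, "https://example.com")
	fmt.Println("fresh challenge accepted:", err == nil)
	stale, _ := newChallenge()
	_, err = checkClientData(cd, "webauthn.get", stale, "https://example.com")
	fmt.Println("response for a different challenge rejected:", err != nil)
}
```

The stored challenge should be consumed on first use (deleted from the session or cache before the checks run) so that a captured response cannot be presented twice; that bookkeeping sits outside the parser and is not shown here.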

type CredentialCreationOptions

type CredentialCreationOptions struct {
	PublicKey PublicKeyCredentialCreationOptions `json:"publicKey"`
}

CredentialCreationOptions contains the options that should be passed to navigator.credentials.create(). https://www.w3.org/TR/webauthn/#credentialcreationoptions-extension

type CredentialRequestOptions

type CredentialRequestOptions struct {
	PublicKey PublicKeyCredentialRequestOptions `json:"publicKey"`
}

CredentialRequestOptions contains the options that should be passed to navigator.credentials.get(). https://www.w3.org/TR/webauthn/#credentialrequestoptions-extension

type Error

type Error struct {
	// Name is the name of this error.
	Name string `json:"error"`
	// Description is the description of this error.
	Description string `json:"description"`
	// Hint contains further information about the error.
	Hint string `json:"hint,omitempty"`
	// Code contains the status code that should be returned when this error is returned.
	Code int `json:"status_code,omitempty"`
	// Debug contains debug information about this error that should not be shown to the user.
	Debug string `json:"debug,omitempty"`
}

Error is a representation of errors returned from this package.

func ToWebAuthnError

func ToWebAuthnError(err error) *Error

ToWebAuthnError converts any error into the *Error type. If that is not possible, it will return an *Error which wraps the error.

func (*Error) Error

func (e *Error) Error() string

Error implements the error interface.

func (*Error) WithDebug

func (e *Error) WithDebug(debug string) *Error

WithDebug will add/replace the debug information of the error.

func (*Error) WithDebugf

func (e *Error) WithDebugf(debug string, args ...interface{}) *Error

WithDebugf will add/replace the debug information of the error.

func (*Error) WithHint

func (e *Error) WithHint(hint string) *Error

WithHint will add/replace the hint of the error.

func (*Error) WithHintf

func (e *Error) WithHintf(hint string, args ...interface{}) *Error

WithHintf will add/replace the hint of the error.
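The Error type above carries a Debug field whose comment says it should not be shown to the user, yet the field has a json tag (debug,omitempty), so marshalling an *Error straight into an HTTP response would ship the debug text to the client. The block below is an added example for this page, not the package's code: it copies the Error field layout under its own name, plays the role of ToWebAuthnError with errors.As, and logs and strips Debug before encoding. The internal_error name, its 500 status, and the copy-on-WithDebug behaviour are this example's choices, not documented behaviour of the package.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
)

// apiError mirrors the fields and JSON tags of the page's Error type (a copy for this example).
type apiError struct {
	Name        string `json:"error"`
	Description string `json:"description"`
	Hint        string `json:"hint,omitempty"`
	Code        int    `json:"status_code,omitempty"`
	Debug       string `json:"debug,omitempty"`
}

func (e *apiError) Error() string { return e.Name + ": " + e.Description }

// withDebug returns a copy so a shared, package-level error value is never mutated
// by one request's debug detail.
func (e *apiError) withDebug(format string, args ...interface{}) *apiError {
	c := *e
	c.Debug = fmt.Sprintf(format, args...)
	return &c
}

var errInvalidSignature = &apiError{
	Name: "invalid_signature", Description: "The signature is invalid", Code: http.StatusUnauthorized,
}

// toAPIError plays the role of ToWebAuthnError: return the *apiError found in the chain,
// otherwise wrap the error, keeping its text only in Debug.
func toAPIError(err error) *apiError {
	var e *apiError
	if errors.As(err, &e) {
		return e
	}
	return &apiError{Name: "internal_error", Description: "An internal error occurred",
		Code: http.StatusInternalServerError, Debug: err.Error()}
}

// clientView returns the status code and JSON body for the client with Debug logged and removed.
func clientView(err error) (int, []byte) {
	e := toAPIError(err)
	if e.Debug != "" {
		log.Printf("webauthn %s: %s", e.Name, e.Debug) // server-side only
	}
	pub := *e
	pub.Debug = ""
	if pub.Code == 0 {
		pub.Code = http.StatusInternalServerError
	}
	body, _ := json.Marshal(&pub)
	return pub.Code, body
}

// writeError is how an HTTP handler would use clientView.
func writeError(w http.ResponseWriter, err error) {
	code, body := clientView(err)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	_, _ = w.Write(body)
}

func main() {
	code, body := clientView(errInvalidSignature.withDebug("credential %s: counter went backwards", "cred-123"))
	fmt.Println(code, string(body))
}
```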

type ParsedAssertionResponse

type ParsedAssertionResponse struct {
	ParsedPublicKeyCredential
	// This attribute contains the authenticator's response to the client’s request to generate an authentication assertion.
	Response ParsedAuthenticatorAssertionResponse
	// RawResponse contains the unparsed AssertionResponse.
	RawResponse AssertionResponse
}

ParsedAssertionResponse is a parsed version of AssertionResponse. https://www.w3.org/TR/webauthn/#publickeycredential

func ParseAssertionResponse

func ParseAssertionResponse(p AssertionResponse) (ParsedAssertionResponse, error)

ParseAssertionResponse will parse a raw AssertionResponse as supplied by a client to a ParsedAssertionResponse that may be used by clients to examine data. If the data is invalid, an error is returned, usually of the type Error.

type ParsedAttestationResponse

type ParsedAttestationResponse struct {
	ParsedPublicKeyCredential
	// This attribute contains the authenticator's response to the client’s request to create a public key credential.
	Response ParsedAuthenticatorAttestationResponse
	// RawResponse contains the unparsed AttestationResponse.
	RawResponse AttestationResponse
}

ParsedAttestationResponse is a parsed version of AttestationResponse. https://www.w3.org/TR/webauthn/#publickeycredential

func ParseAttestationResponse

func ParseAttestationResponse(p AttestationResponse) (ParsedAttestationResponse, error)

ParseAttestationResponse will parse a raw AttestationResponse as supplied by a client to a ParsedAttestationResponse that may be used by clients to examine data. If the data is invalid, an error is returned, usually of the type Error.

type ParsedAuthenticatorAssertionResponse

type ParsedAuthenticatorAssertionResponse struct {
	ParsedAuthenticatorResponse
	// This attribute contains the authenticator data returned by the authenticator. See §6.1 Authenticator data.
	AuthData AuthenticatorData
	// This attribute contains the raw signature returned from the authenticator. See §6.3.3 The
	// authenticatorGetAssertion operation.
	Signature []byte
	// This attribute contains the user handle returned from the authenticator, or null if the authenticator did not
	// return a user handle. See §6.3.3 The authenticatorGetAssertion operation.
	UserHandle []byte
}

ParsedAuthenticatorAssertionResponse is a parsed version of AuthenticatorAssertionResponse. https://www.w3.org/TR/webauthn/#authenticatorassertionresponse

type ParsedAuthenticatorAttestationResponse

type ParsedAuthenticatorAttestationResponse struct {
	ParsedAuthenticatorResponse
	// This attribute contains an attestation object, which is opaque to, and cryptographically protected against
	// tampering by, the client. The attestation object contains both authenticator data and an attestation statement.
	// The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the
	// attestation statement are determined by the attestation statement format used by the authenticator. It also
	// contains any additional information that the Relying Party's server requires to validate the attestation
	// statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data.
	// For more details, see §6.4 Attestation, §6.4.4 Generating an Attestation Object, and Figure 5.
	Attestation Attestation
}

ParsedAuthenticatorAttestationResponse is a parsed version of AuthenticatorAttestationResponse. https://www.w3.org/TR/webauthn/#authenticatorattestationresponse

type ParsedAuthenticatorResponse

type ParsedAuthenticatorResponse struct {
	// This attribute contains the parsed client data passed to the authenticator by the client in its call to either
	// create() or get().
	ClientData CollectedClientData
}

ParsedAuthenticatorResponse is a parsed version of AuthenticatorResponse. https://www.w3.org/TR/webauthn/#authenticatorresponse

type ParsedPublicKeyCredential

type ParsedPublicKeyCredential struct {
	// This attribute is inherited from Credential, though PublicKeyCredential overrides Credential's getter, instead
	// returning the base64url encoding of the data contained in the object’s [[identifier]] internal slot.
	ID string
	// This attribute returns the ArrayBuffer contained in the [[identifier]] internal slot.
	RawID []byte
	// The PublicKeyCredential interface object's [[type]] internal slot's value is the string "public-key".
	Type string
}

ParsedPublicKeyCredential is a parsed version of PublicKeyCredential. https://www.w3.org/TR/webauthn/#publickeycredential

type PublicKeyCredential

type PublicKeyCredential struct {
	// This attribute is inherited from Credential, though PublicKeyCredential overrides Credential's getter, instead
	// returning the base64url encoding of the data contained in the object’s [[identifier]] internal slot.
	ID string `json:"id"`
	// This attribute returns the ArrayBuffer contained in the [[identifier]] internal slot.
	RawID []byte `json:"rawId"`
	// The PublicKeyCredential interface object's [[type]] internal slot's value is the string "public-key".
	Type string `json:"type"`
}

The PublicKeyCredential interface inherits from Credential [CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested. See AttestationResponse and AssertionResponse. https://www.w3.org/TR/webauthn/#publickeycredential

type PublicKeyCredentialCreationOptions

type PublicKeyCredentialCreationOptions struct {
	// This member contains data about the Relying Party responsible for the request.
	// Its value’s name member is REQUIRED. See §5.4.1 Public Key Entity Description (dictionary
	// PublicKeyCredentialEntity) for further details.
	// Its value’s id member specifies the RP ID with which the credential should be associated. If omitted, its value
	// will be the CredentialsContainer object’s relevant settings object's origin's effective domain. See §5.4.2
	// Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity) for further details.
	RP PublicKeyCredentialRpEntity `json:"rp"`
	// This member contains data about the user account for which the Relying Party is requesting attestation.
	// Its value’s name, displayName and id members are REQUIRED. See §5.4.1 Public Key Entity Description
	// (dictionary PublicKeyCredentialEntity) and §5.4.3 User Account Parameters for Credential Generation
	// (dictionary PublicKeyCredentialUserEntity) for further details.
	User PublicKeyCredentialUserEntity `json:"user"`

	// This member contains a challenge intended to be used for generating the newly created credential’s attestation
	// object. See the §13.1 Cryptographic Challenges security consideration.
	Challenge Challenge `json:"challenge"`
	// This member contains information about the desired properties of the credential to be created. The sequence is
	// ordered from most preferred to least preferred. The client makes a best-effort to create the most preferred
	// credential that it can.
	PubKeyCredParams []PublicKeyCredentialParameters `json:"pubKeyCredParams,omitempty"`

	// This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
	// This is treated as a hint, and MAY be overridden by the client.
	Timeout uint `json:"timeout,omitempty"`
	// This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for
	// the same account on a single authenticator. The client is requested to return an error if the new credential
	// would be created on an authenticator that also contains one of the credentials enumerated in this parameter.
	ExcludeCredentials []PublicKeyCredentialDescriptor `json:"excludeCredentials,omitempty"`
	// This member is intended for use by Relying Parties that wish to select the appropriate authenticators to
	// participate in the create() operation.
	AuthenticatorSelection AuthenticatorSelectionCriteria `json:"authenticatorSelection,omitempty"`
	// This member is intended for use by Relying Parties that wish to express their preference for attestation
	// conveyance. The default is none.
	Attestation AttestationConveyancePreference `json:"attestation,omitempty"`
	// This member contains additional parameters requesting additional processing by the client and authenticator. For
	// example, the caller may request that only authenticators with certain capabilities be used to create the
	// credential, or that particular information be returned in the attestation object. Some extensions are defined in
	// §9 WebAuthn Extensions; consult the IANA "WebAuthn Extension Identifier" registry established by
	// [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Extensions.
	Extensions AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}

The PublicKeyCredentialCreationOptions dictionary supplies create() with the data it needs to generate an attestation. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialcreationoptions
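As an added example (not code from the protocol package), the block below builds creation options the way a Relying Party server would: a fresh 32-byte challenge from crypto/rand (§13.1 asks for at least 16 random bytes, never reused), a random opaque user handle instead of the username or e-mail, the account's existing credential IDs in excludeCredentials, and the algorithm list ordered most preferred first. The local types are minimal stand-ins for the package's structs so the block compiles on its own; the urlBytes type is an assumption that encodes byte fields as unpadded base64url, which is what browser-side code usually expects, whereas a plain []byte marshals as padded standard base64 in encoding/json, so check how the package's Challenge and ID fields are encoded before handing them to a client.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// urlBytes is an assumed helper type: byte fields that marshal as unpadded
// base64url rather than encoding/json's default padded standard base64.
type urlBytes []byte

func (b urlBytes) MarshalJSON() ([]byte, error) {
	return json.Marshal(base64.RawURLEncoding.EncodeToString(b))
}

// Minimal stand-ins for the package's structs; field names and JSON tags
// follow the documented PublicKeyCredentialCreationOptions.
type RpEntity struct {
	Name string `json:"name"`
	ID   string `json:"id,omitempty"`
}

type UserEntity struct {
	Name        string   `json:"name"`
	ID          urlBytes `json:"id"`
	DisplayName string   `json:"displayName"`
}

type CredParams struct {
	Type      string `json:"type"`
	Algorithm int    `json:"alg"`
}

type Descriptor struct {
	Type string   `json:"type"`
	ID   urlBytes `json:"id"`
}

type CreationOptions struct {
	RP                 RpEntity     `json:"rp"`
	User               UserEntity   `json:"user"`
	Challenge          urlBytes     `json:"challenge"`
	PubKeyCredParams   []CredParams `json:"pubKeyCredParams"`
	Timeout            uint         `json:"timeout,omitempty"`
	ExcludeCredentials []Descriptor `json:"excludeCredentials,omitempty"`
	Attestation        string       `json:"attestation,omitempty"`
}

// randomBytes returns n bytes from crypto/rand. Used for the challenge
// (at least 16 bytes, fresh per ceremony) and for the opaque user handle.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// NewCreationOptions builds create() options for one account. existingIDs are
// the credential IDs already registered for it; listing them in
// excludeCredentials makes the client refuse a second registration on the
// same authenticator. The 60 s timeout and "none" attestation are choices
// made for this example, not package defaults.
func NewCreationOptions(rpID, rpName, username, displayName string, userHandle []byte, existingIDs [][]byte) (*CreationOptions, error) {
	challenge, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	opts := &CreationOptions{
		RP:        RpEntity{Name: rpName, ID: rpID},
		User:      UserEntity{Name: username, ID: userHandle, DisplayName: displayName},
		Challenge: challenge,
		// Most preferred first: ES256 (COSE -7), then RS256 (COSE -257).
		PubKeyCredParams: []CredParams{
			{Type: "public-key", Algorithm: -7},
			{Type: "public-key", Algorithm: -257},
		},
		Timeout:     60000,
		Attestation: "none",
	}
	for _, id := range existingIDs {
		opts.ExcludeCredentials = append(opts.ExcludeCredentials, Descriptor{Type: "public-key", ID: id})
	}
	return opts, nil
}

func main() {
	// Constructed sample: a random 64-byte user handle (never the e-mail) and one prior credential ID.
	handle, err := randomBytes(64)
	if err != nil {
		panic(err)
	}
	opts, err := NewCreationOptions("example.com", "Example", "alex@example.com", "Alex P. Müller", handle, [][]byte{{1, 2, 3}})
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(opts)
	fmt.Println(string(out))
}
```

Store the challenge server-side with the session before sending the options; the registration response is only valid if the challenge it echoes back matches that stored value, and it should be deleted after one use.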

type PublicKeyCredentialDescriptor

type PublicKeyCredentialDescriptor struct {
	// This member contains the type of the public key credential the caller is referring to.
	Type PublicKeyCredentialType `json:"type"`
	// This member contains the credential ID of the public key credential the caller is referring to.
	ID []byte `json:"id"`
	// This OPTIONAL member contains a hint as to how the client might communicate with the managing authenticator of
	// the public key credential the caller is referring to.
	Transport []AuthenticatorTransport `json:"transports,omitempty"`
}

PublicKeyCredentialDescriptor contains the attributes that are specified by a caller when referring to a public key credential as an input parameter to the create() or get() methods. It mirrors the fields of the PublicKeyCredential object returned by the latter methods. https://www.w3.org/TR/webauthn/#credential-dictionary

type PublicKeyCredentialEntity

type PublicKeyCredentialEntity struct {
	// A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents.
	Name string `json:"name"`
}

The PublicKeyCredentialEntity dictionary describes a user account, or a WebAuthn Relying Party, with which a public key credential is associated. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialentity

type PublicKeyCredentialParameters

type PublicKeyCredentialParameters struct {
	// This member specifies the type of credential to be created.
	Type PublicKeyCredentialType `json:"type"`
	// This member specifies the cryptographic signature algorithm with which the newly generated credential will be
	// used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
	Algorithm COSEAlgorithmIdentifier `json:"alg"`
}

PublicKeyCredentialParameters is used to supply additional parameters when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialparameters

type PublicKeyCredentialRequestOptions

type PublicKeyCredentialRequestOptions struct {
	// This member represents a challenge that the selected authenticator signs, along with other data, when producing
	// an authentication assertion. See the §13.1 Cryptographic Challenges security consideration.
	Challenge Challenge `json:"challenge"`
	// This OPTIONAL member specifies a time, in milliseconds, that the caller is willing to wait for the call to
	// complete. The value is treated as a hint, and MAY be overridden by the client.
	Timeout uint `json:"timeout,omitempty"`
	// This OPTIONAL member specifies the relying party identifier claimed by the caller. If omitted, its value will be
	// the CredentialsContainer object’s relevant settings object's origin's effective domain.
	RPID string `json:"rpId,omitempty"`
	// This OPTIONAL member contains a list of PublicKeyCredentialDescriptor objects representing public key credentials
	// acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most
	// preferred credential, and so on down the list).
	AllowCredentials []PublicKeyCredentialDescriptor `json:"allowCredentials,omitempty"`
	// This member describes the Relying Party's requirements regarding user verification for the get() operation.
	// Eligible authenticators are filtered to only those capable of satisfying this requirement.
	UserVerification UserVerificationRequirement `json:"userVerification,omitempty"`
	// This OPTIONAL member contains additional parameters requesting additional processing by the client and
	// authenticator. For example, if transaction confirmation is sought from the user, then the prompt string might
	// be included as an extension.
	Extensions AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}

The PublicKeyCredentialRequestOptions dictionary supplies get() with the data it needs to generate an assertion. Its challenge member MUST be present, while its other members are OPTIONAL. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions
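Added example, not the package's own code: it builds get() options for a known account and then validates them on the server with the same checks a browser will apply, so that a misconfigured rpId or a too-short challenge fails with a clear error instead of an opaque client-side rejection. The checks are the ones the documented fields imply: challenge present and at least 16 bytes, rpId equal to the origin's effective domain or a domain suffix of it, each allowCredentials entry of type "public-key" with a non-empty ID, and userVerification one of the three defined values. The types are local stand-ins for the package's structs; the suffix test is a plain label-aligned comparison and does not consult the public suffix list, as the code notes.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Stand-ins for PublicKeyCredentialDescriptor and
// PublicKeyCredentialRequestOptions (assumed here so the example compiles
// alone; field names mirror the documented structs).
type Descriptor struct {
	Type       string
	ID         []byte
	Transports []string
}

type RequestOptions struct {
	Challenge        []byte
	Timeout          uint
	RPID             string
	AllowCredentials []Descriptor
	UserVerification string
}

// NewRequestOptions builds get() options for an account. credIDs are its
// registered credential IDs, most recently used first, because the client
// treats the list as descending preference.
func NewRequestOptions(rpID string, credIDs [][]byte, uv string) (*RequestOptions, error) {
	challenge := make([]byte, 32) // fresh per ceremony, stored with the session
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	opts := &RequestOptions{Challenge: challenge, Timeout: 60000, RPID: rpID, UserVerification: uv}
	for _, id := range credIDs {
		opts.AllowCredentials = append(opts.AllowCredentials, Descriptor{Type: "public-key", ID: id})
	}
	return opts, nil
}

// ValidateRequestOptions rejects options the client would refuse anyway.
// origin is the web origin the options will be served from.
func ValidateRequestOptions(opts *RequestOptions, origin string) error {
	if len(opts.Challenge) < 16 {
		return errors.New("challenge missing or shorter than 16 bytes")
	}
	u, err := url.Parse(origin)
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("bad origin %q", origin)
	}
	if opts.RPID != "" && !isDomainSuffix(opts.RPID, u.Hostname()) {
		return fmt.Errorf("rpId %q is not a domain suffix of origin host %q", opts.RPID, u.Hostname())
	}
	for i, c := range opts.AllowCredentials {
		if c.Type != "public-key" || len(c.ID) == 0 {
			return fmt.Errorf("allowCredentials[%d] malformed", i)
		}
	}
	switch opts.UserVerification {
	case "", "required", "preferred", "discouraged":
	default:
		return fmt.Errorf("unknown userVerification %q", opts.UserVerification)
	}
	return nil
}

// isDomainSuffix reports whether rpID equals host or is a label-aligned
// suffix of it ("example.com" for "login.example.com", but not for
// "ample.com" or "notexample.com"). It does not consult the public suffix
// list, so a public suffix such as "co.uk" would pass; a production RP
// should reject those too.
func isDomainSuffix(rpID, host string) bool {
	rpID, host = strings.ToLower(rpID), strings.ToLower(host)
	return rpID == host || strings.HasSuffix(host, "."+rpID)
}

func main() {
	// Constructed sample: one registered credential ID, served from a subdomain of the RP ID.
	opts, err := NewRequestOptions("example.com", [][]byte{{9, 9, 9}}, "preferred")
	if err != nil {
		panic(err)
	}
	fmt.Println("login.example.com:", ValidateRequestOptions(opts, "https://login.example.com"))
	fmt.Println("notexample.com:", ValidateRequestOptions(opts, "https://notexample.com"))
}
```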

type PublicKeyCredentialRpEntity

type PublicKeyCredentialRpEntity struct {
	PublicKeyCredentialEntity
	// A unique identifier for the Relying Party entity, which sets the RP ID.
	ID string `json:"id,omitempty"`
}

The PublicKeyCredentialRpEntity dictionary is used to supply additional Relying Party attributes when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrpentity

type PublicKeyCredentialType

type PublicKeyCredentialType string

PublicKeyCredentialType defines the valid credential types. It is an extension point; values can be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and attestation structures according to the type of the authenticator. Currently one credential type is defined, namely "public-key". https://www.w3.org/TR/webauthn/#enumdef-publickeycredentialtype

const (
	// PublicKeyCredentialTypePublicKey is the only credential type defined, namely "public-key".
	PublicKeyCredentialTypePublicKey PublicKeyCredentialType = "public-key"
)

type PublicKeyCredentialUserEntity

type PublicKeyCredentialUserEntity struct {
	PublicKeyCredentialEntity

	// The user handle of the user account entity. To ensure secure operation, authentication and authorization
	// decisions MUST be made on the basis of this id member, not the displayName nor name members. See
	// Section 6.1 of [RFC8266].
	ID []byte `json:"id"`
	// A human-palatable name for the user account, intended only for display. For example, "Alex P. Müller" or
	// "田中 倫". The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than
	// necessary.
	DisplayName string `json:"displayName"`
}

The PublicKeyCredentialUserEntity dictionary is used to supply additional user account attributes when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialuserentity

type TokenBinding

type TokenBinding struct {
	// This member is one of the TokenBindingStatus values, "present" or "supported".
	Status TokenBindingStatus `json:"status,omitempty"`
	// This member MUST be present if status is "present", and MUST be a base64url encoding of the Token Binding ID
	// that was used when communicating with the Relying Party.
	ID string `json:"id,omitempty"`
}

TokenBinding represents the token binding. https://www.w3.org/TR/webauthn/#dictdef-tokenbinding

type TokenBindingStatus

type TokenBindingStatus string

TokenBindingStatus represents the status of a TokenBinding. https://www.w3.org/TR/webauthn/#enumdef-tokenbindingstatus

const (
	// TokenBindingStatusPresent indicates token binding was used when communicating with the Relying Party. In this
	// case, the id member MUST be present.
	TokenBindingStatusPresent TokenBindingStatus = "present"
	// TokenBindingStatusSupported indicates the client supports token binding, but it was not negotiated when
	// communicating with the Relying Party.
	TokenBindingStatusSupported TokenBindingStatus = "supported"
)
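Added example, not code from the protocol package: the verification step a Relying Party applies to the tokenBinding member of the client data, using the specification's semantics ("supported" means the client supports token binding but it was not negotiated on this connection; "present" means it was used and id MUST then carry the base64url Token Binding ID). The status is compared against what the server actually observed on the TLS connection, and an ID is compared in constant time. The TokenBinding type is a local copy of the documented struct so the block compiles alone; negotiatedID stands for the Token Binding ID the server's TLS layer reports, or nil when none was negotiated.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenBinding is a local copy of the documented struct (assumed here so the
// example compiles on its own).
type TokenBinding struct {
	Status string `json:"status,omitempty"`
	ID     string `json:"id,omitempty"`
}

// VerifyTokenBinding checks a client data tokenBinding member against the TLS
// connection state. tb == nil means the member was absent (client does not
// support token binding). negotiatedID is the raw Token Binding ID the TLS
// layer reports for this connection, or nil if none was negotiated.
func VerifyTokenBinding(tb *TokenBinding, negotiatedID []byte) error {
	if tb == nil {
		return nil
	}
	switch tb.Status {
	case "supported":
		// Client says it was not negotiated; the connection must agree.
		if negotiatedID != nil {
			return errors.New("client reports token binding not negotiated, but the TLS connection negotiated it")
		}
		return nil
	case "present":
		if tb.ID == "" {
			return errors.New("status is present but id is missing")
		}
		// WebAuthn base64url is RFC 4648 §5 without padding.
		id, err := base64.RawURLEncoding.DecodeString(tb.ID)
		if err != nil {
			return fmt.Errorf("id is not base64url: %w", err)
		}
		if negotiatedID == nil || subtle.ConstantTimeCompare(id, negotiatedID) != 1 {
			return errors.New("token binding id does not match the TLS connection")
		}
		return nil
	default:
		return fmt.Errorf("unknown token binding status %q", tb.Status)
	}
}

func main() {
	// Constructed sample: a 4-byte Token Binding ID as the TLS layer would report it.
	tlsID := []byte{0xde, 0xad, 0xbe, 0xef}
	good := &TokenBinding{Status: "present", ID: base64.RawURLEncoding.EncodeToString(tlsID)}
	fmt.Println("matching id:", VerifyTokenBinding(good, tlsID))
	fmt.Println("missing id:", VerifyTokenBinding(&TokenBinding{Status: "present"}, tlsID))
	fmt.Println("status/connection mismatch:", VerifyTokenBinding(&TokenBinding{Status: "supported"}, tlsID))
}
```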

type UserVerificationRequirement

type UserVerificationRequirement string

UserVerificationRequirement may be used by a WebAuthn Relying Party to require user verification for some of its operations but not for others. https://www.w3.org/TR/webauthn/#enumdef-userverificationrequirement
