diff --git a/apps/desktop/com.bitwarden.pfx b/apps/desktop/com.bitwarden.pfx
deleted file mode 100644
index ed82d494b20..00000000000
Binary files a/apps/desktop/com.bitwarden.pfx and /dev/null differ
diff --git a/apps/desktop/custom-appx-manifest.xml b/apps/desktop/custom-appx-manifest.xml
index c108e060e9d..44ad4c2eaea 100644
--- a/apps/desktop/custom-appx-manifest.xml
+++ b/apps/desktop/custom-appx-manifest.xml
@@ -13,10 +13,10 @@ xmlns:uap10="http://schemas.microsoft.com/appx/manifest/uap/windows10/10"
IgnorableNamespaces="uap rescap com uap10 build"
xmlns:build="http://schemas.microsoft.com/developer/appx/2015/build">
-
+
Bitwarden
Bitwarden Inc
diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginAuthenticatorImpl.cpp.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginAuthenticatorImpl.cpp.sample
deleted file mode 100644
index 21025834182..00000000000
--- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginAuthenticatorImpl.cpp.sample
+++ /dev/null
@@ -1,977 +0,0 @@
-#include "pch.h"
-#include "PluginAuthenticatorImpl.h"
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-namespace winrt
-{
- using namespace winrt::Windows::Foundation;
- using namespace winrt::Microsoft::UI::Windowing;
- using namespace winrt::Microsoft::UI::Xaml;
- using namespace winrt::Microsoft::UI::Xaml::Controls;
- using namespace winrt::Microsoft::UI::Xaml::Navigation;
- using namespace PasskeyManager;
- using namespace PasskeyManager::implementation;
- using namespace CborLite;
-}
-
-namespace winrt::PasskeyManager::implementation
-{
- static std::vector GetRequestSigningPubKey()
- {
- return wil::reg::get_value_binary(HKEY_CURRENT_USER, c_pluginRegistryPath, c_windowsPluginRequestSigningKeyRegKeyName, REG_BINARY);
- }
-
- /*
- * This function is used to verify the signature of a request buffer.
- * The public key is part of response to plugin registration.
- */
- static HRESULT VerifySignatureHelper(
- std::vector& dataBuffer,
- PBYTE pbKeyData,
- DWORD cbKeyData,
- PBYTE pbSignature,
- DWORD cbSignature)
- {
- // Create key provider
- wil::unique_ncrypt_prov hProvider;
- wil::unique_ncrypt_key reqSigningKey;
-
- // Get the provider
- RETURN_IF_FAILED(NCryptOpenStorageProvider(&hProvider, nullptr, 0));
- // Create a NCrypt key handle from the public key
- RETURN_IF_FAILED(NCryptImportKey(
- hProvider.get(),
- NULL,
- BCRYPT_ECCPUBLIC_BLOB,
- NULL,
- &reqSigningKey,
- pbKeyData,
- cbKeyData, 0));
-
- // Verify the signature over the hash of dataBuffer using the hKey
- DWORD objLenSize = 0;
- DWORD bytesRead = 0;
- RETURN_IF_NTSTATUS_FAILED(BCryptGetProperty(
- BCRYPT_SHA256_ALG_HANDLE,
- BCRYPT_OBJECT_LENGTH,
- reinterpret_cast(&objLenSize),
- sizeof(objLenSize),
- &bytesRead, 0));
-
- auto objLen = wil::make_unique_cotaskmem(objLenSize);
- wil::unique_bcrypt_hash hashHandle;
- RETURN_IF_NTSTATUS_FAILED(BCryptCreateHash(
- BCRYPT_SHA256_ALG_HANDLE,
- wil::out_param(hashHandle),
- objLen.get(),
- objLenSize,
- nullptr, 0, 0));
- RETURN_IF_NTSTATUS_FAILED(BCryptHashData(
- hashHandle.get(),
- dataBuffer.data(),
- static_cast(dataBuffer.size()), 0));
-
- DWORD localHashByteCount = 0;
- RETURN_IF_NTSTATUS_FAILED(BCryptGetProperty(
- BCRYPT_SHA256_ALG_HANDLE,
- BCRYPT_HASH_LENGTH,
- reinterpret_cast(&localHashByteCount),
- sizeof(localHashByteCount),
- &bytesRead, 0));
-
- auto localHashBuffer = wil::make_unique_cotaskmem(localHashByteCount);
- RETURN_IF_NTSTATUS_FAILED(BCryptFinishHash(hashHandle.get(), localHashBuffer.get(), localHashByteCount, 0));
- RETURN_IF_WIN32_ERROR(NCryptVerifySignature(
- reqSigningKey.get(),
- nullptr,
- localHashBuffer.get(),
- localHashByteCount,
- pbSignature,
- cbSignature, 0));
-
- return S_OK;
- }
-
- HRESULT CheckHelloConsentCompleted()
- {
- winrt::com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as();
- HANDLE handles[2] = { curApp->m_hVaultConsentComplete.get(), curApp->m_hVaultConsentFailed.get() };
-
- DWORD cWait = ARRAYSIZE(handles);
- DWORD hIndex = 0;
- RETURN_IF_FAILED(CoWaitForMultipleHandles(COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, INFINITE, cWait, handles, &hIndex));
- if (hIndex == 1) // Consent failed
- {
- RETURN_HR(E_FAIL);
- }
- return S_OK;
- }
-
- HRESULT PerformUv(
- winrt::com_ptr& curApp,
- HWND hWnd,
- wil::shared_hmodule webauthnDll,
- GUID transactionId,
- PluginOperationType operationType,
- std::vector requestBuffer,
- wil::shared_cotaskmem_string rpName,
- wil::shared_cotaskmem_string userName)
- {
- curApp->SetPluginPerformOperationOptions(hWnd, operationType, rpName.get(), userName.get());
-
- // Wait for the app main window to be ready.
- DWORD hIndex = 0;
- RETURN_IF_FAILED(CoWaitForMultipleHandles(COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, INFINITE, 1, curApp->m_hWindowReady.addressof(), &hIndex));
-
- // Trigger a Consent Verifier Dialog to simulate a Windows Hello unlock flow
- // This is to demonstrate a vault unlock flow using Windows Hello and is not the recommended way to secure the vault
- if (PluginCredentialManager::getInstance().GetVaultLock())
- {
- curApp->GetDispatcherQueue().TryEnqueue([curApp]()
- {
- curApp->SimulateUnLockVaultUsingConsentVerifier();
- });
- RETURN_IF_FAILED(CheckHelloConsentCompleted());
- }
- else
- {
- SetEvent(curApp->m_hVaultConsentComplete.get());
- }
-
- // Wait for user confirmation to proceed with the operation Create/Signin/Cancel button
- // This is a mock up for plugin requiring UI.
- {
- HANDLE handles[2] = { curApp->m_hPluginProceedButtonEvent.get(), curApp->m_hPluginUserCancelEvent.get() };
- DWORD cWait = ARRAYSIZE(handles);
-
- RETURN_IF_FAILED(CoWaitForMultipleHandles(COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, INFINITE, cWait, handles, &hIndex));
- if (hIndex == 1) // Cancel button clicked
- {
- // User cancelled the operation. NTE_USER_CANCELLED allows Windows to distinguish between user cancellation and other errors.
- return NTE_USER_CANCELLED;
- }
- }
-
- // Skip user verification if the user has already performed a gesture to unlock the vault to avoid double prompting
- if (PluginCredentialManager::getInstance().GetVaultLock())
- {
- return S_OK;
- }
-
- EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV pluginPerformUv{};
- pluginPerformUv.transactionId = &transactionId;
-
- if (curApp->m_silentMode)
- {
- // If the app did not display any UI, use the hwnd of the caller here. This was included in the request to the plugin. Refer: EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST
- pluginPerformUv.hwnd = hWnd;
- }
- else
- {
- // If the app displayed UI, use the hwnd of the app window here
- pluginPerformUv.hwnd = curApp->GetNativeWindowHandle();
- }
-
- EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE pPluginPerformUvResponse = nullptr;
-
- auto webAuthNPluginPerformUv = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNPluginPerformUv);
- RETURN_HR_IF_NULL(E_NOTIMPL, webAuthNPluginPerformUv);
-
- // Step 1: Get the UV count
- pluginPerformUv.type = EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE::GetUvCount;
- RETURN_IF_FAILED(webAuthNPluginPerformUv(&pluginPerformUv, &pPluginPerformUvResponse));
-
- /*
- * pPluginPerformUvResponse->pbResponse contains the UV count
- * The UV count tracks the number of times the user has performed a gesture to unlock the vault
- */
-
- // Step 2: Get the public key
- pluginPerformUv.type = EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE::GetPubKey;
- RETURN_IF_FAILED(webAuthNPluginPerformUv(&pluginPerformUv, &pPluginPerformUvResponse));
-
- // stash public key in a new buffer for later use
- DWORD cbPubData = pPluginPerformUvResponse->cbResponse;
- wil::unique_hlocal_ptr ppbPubKeyData = wil::make_unique_hlocal(cbPubData);
- memcpy_s(ppbPubKeyData.get(), cbPubData, pPluginPerformUvResponse->pbResponse, pPluginPerformUvResponse->cbResponse);
-
- // Step 3: Perform UV. This step uses a Windows Hello prompt to authenticate the user
- pluginPerformUv.type = EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE::PerformUv;
- pluginPerformUv.pwszUsername = wil::make_cotaskmem_string(userName.get()).release();
- // pwszContext can be used to provide additional context to the user. This is displayed alongside the username in the Windows Hello passkey user verification dialog.
- pluginPerformUv.pwszContext = wil::make_cotaskmem_string(L"Context String").release();
- RETURN_IF_FAILED(webAuthNPluginPerformUv(&pluginPerformUv, &pPluginPerformUvResponse));
-
- // Verify the signature over the hash of requestBuffer using the hKey
- auto signatureVerifyResult = VerifySignatureHelper(
- requestBuffer,
- ppbPubKeyData.get(),
- cbPubData,
- pPluginPerformUvResponse->pbResponse,
- pPluginPerformUvResponse->cbResponse);
- curApp->GetDispatcherQueue().TryEnqueue([curApp, signatureVerifyResult]()
- {
- if (FAILED(signatureVerifyResult))
- {
- curApp->m_pluginOperationStatus.uvSignatureVerificationStatus = signatureVerifyResult;
- }
- });
- return S_OK;
- }
-
- /*
- * This function is used to create a simplified version of authenticator data for the webauthn authenticator operations.
- * Refer: https://www.w3.org/TR/webauthn-3/#authenticator-data for more details.
- */
- HRESULT CreateAuthenticatorData(wil::shared_ncrypt_key hKey,
- DWORD cbRpId,
- PBYTE pbRpId,
- DWORD& pcbPackedAuthenticatorData,
- wil::unique_hlocal_ptr& ppbpackedAuthenticatorData,
- std::vector& vCredentialIdBuffer)
- {
- // Get the public key blob
- DWORD cbPubKeyBlob = 0;
- THROW_IF_FAILED(NCryptExportKey(
- hKey.get(),
- NULL,
- BCRYPT_ECCPUBLIC_BLOB,
- NULL,
- NULL,
- 0,
- &cbPubKeyBlob,
- 0));
- auto pbPubKeyBlob = std::make_unique(cbPubKeyBlob);
- THROW_HR_IF(E_UNEXPECTED, pbPubKeyBlob == nullptr);
- DWORD cbPubKeyBlobOutput = 0;
- THROW_IF_FAILED(NCryptExportKey(
- hKey.get(),
- NULL,
- BCRYPT_ECCPUBLIC_BLOB,
- NULL,
- pbPubKeyBlob.get(),
- cbPubKeyBlob,
- &cbPubKeyBlobOutput,
- 0));
-
- BCRYPT_ECCKEY_BLOB* pPubKeyBlobHeader = reinterpret_cast(pbPubKeyBlob.get());
- DWORD cbXCoord = pPubKeyBlobHeader->cbKey;
- PBYTE pbXCoord = reinterpret_cast(&pPubKeyBlobHeader[1]);
- DWORD cbYCoord = pPubKeyBlobHeader->cbKey;
- PBYTE pbYCoord = pbXCoord + cbXCoord;
-
- // create byte span for x and y
- std::span xCoord(pbXCoord, cbXCoord);
- std::span yCoord(pbYCoord, cbYCoord);
-
- // CBOR encode the public key in this order: kty, alg, crv, x, y
- std::vector buffer;
-
-#pragma warning(push)
-#pragma warning(disable: 4293)
- size_t bufferSize = CborLite::encodeMapSize(buffer, 5u);
-#pragma warning(pop)
-
- // COSE CBOR encoding format. Refer to https://datatracker.ietf.org/doc/html/rfc9052#section-7 for more details.
- const int8_t ktyIndex = 1;
- const int8_t algIndex = 3;
- const int8_t crvIndex = -1;
- const int8_t xIndex = -2;
- const int8_t yIndex = -3;
-
- // Example values for EC2 P-256 ES256 Keys. Refer to https://www.w3.org/TR/webauthn-3/#example-bdbd14cc
- // Note that this sample authenticator only supports ES256 keys.
- const int8_t kty = 2; // Key type is EC2
- const int8_t crv = 1; // Curve is P-256
- const int8_t alg = -7; // Algorithm is ES256
-
- bufferSize += CborLite::encodeInteger(buffer, ktyIndex);
- bufferSize += CborLite::encodeInteger(buffer, kty);
- bufferSize += CborLite::encodeInteger(buffer, algIndex);
- bufferSize += CborLite::encodeInteger(buffer, alg);
- bufferSize += CborLite::encodeInteger(buffer, crvIndex);
- bufferSize += CborLite::encodeInteger(buffer, crv);
- bufferSize += CborLite::encodeInteger(buffer, xIndex);
- bufferSize += CborLite::encodeBytes(buffer, xCoord);
- bufferSize += CborLite::encodeInteger(buffer, yIndex);
- bufferSize += CborLite::encodeBytes(buffer, yCoord);
-
- wil::unique_bcrypt_hash hashHandle;
- THROW_IF_NTSTATUS_FAILED(BCryptCreateHash(
- BCRYPT_SHA256_ALG_HANDLE,
- &hashHandle,
- nullptr,
- 0,
- nullptr,
- 0,
- 0));
-
- THROW_IF_NTSTATUS_FAILED(BCryptHashData(hashHandle.get(), reinterpret_cast(pbXCoord), cbXCoord, 0));
- THROW_IF_NTSTATUS_FAILED(BCryptHashData(hashHandle.get(), reinterpret_cast(pbYCoord), cbYCoord, 0));
-
- DWORD cbHash = 0;
- DWORD bytesRead = 0;
- THROW_IF_NTSTATUS_FAILED(BCryptGetProperty(
- hashHandle.get(),
- BCRYPT_HASH_LENGTH,
- reinterpret_cast(&cbHash),
- sizeof(cbHash),
- &bytesRead,
- 0));
-
- wil::unique_hlocal_ptr pbCredentialId = wil::make_unique_hlocal(cbHash);
- THROW_IF_NTSTATUS_FAILED(BCryptFinishHash(hashHandle.get(), pbCredentialId.get(), cbHash, 0));
-
- // Close the key and hash handle
- hKey.reset();
- hashHandle.reset();
-
- com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as();
- PluginOperationType operationType = PLUGIN_OPERATION_TYPE_MAKE_CREDENTIAL;
- if (curApp &&
- curApp->m_pluginOperationOptions.operationType == PLUGIN_OPERATION_TYPE_GET_ASSERTION)
- {
- operationType = PLUGIN_OPERATION_TYPE_GET_ASSERTION;
- }
-
- // Refer to learn about packing credential data https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data
- const DWORD rpidsha256Size = 32; // SHA256 hash of rpId
- const DWORD flagsSize = 1; // flags
- const DWORD signCountSize = 4; // signCount
- DWORD cbPackedAuthenticatorData = rpidsha256Size + flagsSize + signCountSize;
-
- if (operationType == PLUGIN_OPERATION_TYPE_MAKE_CREDENTIAL)
- {
- cbPackedAuthenticatorData += sizeof(GUID); // aaGuid
- cbPackedAuthenticatorData += sizeof(WORD); // credentialId length
- cbPackedAuthenticatorData += cbHash; // credentialId
- cbPackedAuthenticatorData += static_cast(buffer.size()); // public key
- }
-
- std::vector vPackedAuthenticatorData(cbPackedAuthenticatorData);
- auto writer = buffer_writer{ vPackedAuthenticatorData };
-
- auto rgbRpIdHash = writer.reserve_space>(); // 32 bytes of rpIdHash which is SHA256 hash of rpName. https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data
- DWORD cbRpIdHash;
- THROW_IF_WIN32_BOOL_FALSE(CryptHashCertificate2(BCRYPT_SHA256_ALGORITHM,
- 0,
- nullptr,
- pbRpId,
- cbRpId,
- rgbRpIdHash->data(),
- &cbRpIdHash));
-
- // Flags uv, up, be, and at are set
- if (operationType == PLUGIN_OPERATION_TYPE_GET_ASSERTION)
- {
- // Refer https://www.w3.org/TR/webauthn-3/#authdata-flags
- *writer.reserve_space() = 0x1d; // credential data flags of size 1 byte
-
- *writer.reserve_space() = 0u; // Sign count of size 4 bytes is set to 0
-
- vCredentialIdBuffer.assign(pbCredentialId.get(), pbCredentialId.get() + cbHash);
- }
- else
- {
- // Refer https://www.w3.org/TR/webauthn-3/#authdata-flags
- *writer.reserve_space() = 0x5d; // credential data flags of size 1 byte
-
- *writer.reserve_space() = 0u; // Sign count of size 4 bytes is set to 0
-
- *writer.reserve_space() = GUID_NULL; // aaGuid of size 16 bytes is set to 0
-
- // Retrieve credential id
- WORD cbCredentialId = static_cast(cbHash);
- WORD cbCredentialIdBigEndian = _byteswap_ushort(cbCredentialId);
-
- *writer.reserve_space() = cbCredentialIdBigEndian; // Size of credential id in unsigned big endian of size 2 bytes
-
- writer.add(std::span(pbCredentialId.get(), cbHash)); // Set credential id
-
- vCredentialIdBuffer.assign(pbCredentialId.get(), pbCredentialId.get() + cbHash);
-
- writer.add(std::span(buffer.data(), buffer.size())); // Set CBOR encoded public key
- }
-
- pcbPackedAuthenticatorData = static_cast(vPackedAuthenticatorData.size());
- ppbpackedAuthenticatorData = wil::make_unique_hlocal(pcbPackedAuthenticatorData);
- memcpy_s(ppbpackedAuthenticatorData.get(), pcbPackedAuthenticatorData, vPackedAuthenticatorData.data(), pcbPackedAuthenticatorData);
-
- return S_OK;
- }
-
- /*
- * This function is invoked by the platform to request the plugin to handle a make credential operation.
- * Refer: pluginauthenticator.h/pluginauthenticator.idl
- */
- HRESULT STDMETHODCALLTYPE ContosoPlugin::EXPERIMENTAL_PluginMakeCredential(
- /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST pPluginMakeCredentialRequest,
- /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE* response) noexcept
- {
- try
- {
- SetEvent(App::s_pluginOpRequestRecievedEvent.get()); // indicate COM message received
- DWORD hIndex = 0;
- RETURN_IF_FAILED(CoWaitForMultipleHandles( // wait for app to be ready
- COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS,
- INFINITE,
- 1,
- App::s_hAppReadyForPluginOpEvent.addressof(),
- &hIndex));
- com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as();
-
- wil::shared_hmodule webauthnDll(LoadLibraryExW(L"webauthn.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32));
- if (webauthnDll == nullptr)
- {
- return E_ABORT;
- }
-
- wil::unique_cotaskmem_ptr pDecodedMakeCredentialRequest;
- auto webauthnDecodeMakeCredentialRequest = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNDecodeMakeCredentialRequest);
- THROW_IF_FAILED(webauthnDecodeMakeCredentialRequest(
- pPluginMakeCredentialRequest->cbEncodedRequest,
- pPluginMakeCredentialRequest->pbEncodedRequest,
- wil::out_param(pDecodedMakeCredentialRequest)));
- auto rpName = wil::make_cotaskmem_string(pDecodedMakeCredentialRequest->pRpInformation->pwszName);
- auto userName = wil::make_cotaskmem_string(pDecodedMakeCredentialRequest->pUserInformation->pwszName);
- std::vector requestBuffer(
- pPluginMakeCredentialRequest->pbEncodedRequest,
- pPluginMakeCredentialRequest->pbEncodedRequest + pPluginMakeCredentialRequest->cbEncodedRequest);
-
- auto ppbPubKeyData = GetRequestSigningPubKey();
- HRESULT requestSignResult = E_FAIL;
- if (!ppbPubKeyData.empty())
- {
- requestSignResult = VerifySignatureHelper(
- requestBuffer,
- ppbPubKeyData.data(),
- static_cast(ppbPubKeyData.size()),
- pPluginMakeCredentialRequest->pbRequestSignature,
- pPluginMakeCredentialRequest->cbRequestSignature);
- }
- {
- std::lock_guard lock(curApp->m_pluginOperationOptionsMutex);
- curApp->m_pluginOperationStatus.requestSignatureVerificationStatus = requestSignResult;
- }
-
- THROW_IF_FAILED(PerformUv(curApp,
- pPluginMakeCredentialRequest->hWnd,
- webauthnDll,
- pPluginMakeCredentialRequest->transactionId,
- PLUGIN_OPERATION_TYPE_MAKE_CREDENTIAL,
- requestBuffer,
- std::move(rpName),
- std::move(userName)));
-
- //create a persisted key using ncrypt
- wil::unique_ncrypt_prov hProvider;
- wil::unique_ncrypt_key hKey;
-
- // get the provider
- THROW_IF_FAILED(NCryptOpenStorageProvider(&hProvider, nullptr, 0));
-
- // get the user handle as a string
- std::wstring keyNameStr = contosoplugin_key_domain;
- std::wstringstream keyNameStream;
- for (DWORD idx = 0; idx < pDecodedMakeCredentialRequest->pUserInformation->cbId; idx++)
- {
- keyNameStream << std::hex << std::setw(2) << std::setfill(L'0') <<
- static_cast(pDecodedMakeCredentialRequest->pUserInformation->pbId[idx]);
- }
- keyNameStr += keyNameStream.str();
-
- // create the key
- THROW_IF_FAILED(NCryptCreatePersistedKey(
- hProvider.get(),
- &hKey,
- BCRYPT_ECDH_P256_ALGORITHM,
- keyNameStr.c_str(),
- 0,
- NCRYPT_OVERWRITE_KEY_FLAG));
-
- // set the export policy
- DWORD exportPolicy = NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
- THROW_IF_FAILED(NCryptSetProperty(
- hKey.get(),
- NCRYPT_EXPORT_POLICY_PROPERTY,
- reinterpret_cast(&exportPolicy),
- sizeof(exportPolicy),
- NCRYPT_PERSIST_FLAG));
-
- // allow both signing and encryption
- DWORD keyUsage = NCRYPT_ALLOW_SIGNING_FLAG | NCRYPT_ALLOW_DECRYPT_FLAG;
- THROW_IF_FAILED(NCryptSetProperty(
- hKey.get(),
- NCRYPT_KEY_USAGE_PROPERTY,
- reinterpret_cast(&keyUsage),
- sizeof(keyUsage),
- NCRYPT_PERSIST_FLAG));
- HWND hWnd;
- if (curApp->m_silentMode)
- {
- hWnd = curApp->m_pluginOperationOptions.hWnd;
- }
- else
- {
- hWnd = curApp->GetNativeWindowHandle();
- }
- THROW_IF_FAILED(NCryptSetProperty(
- hKey.get(),
- NCRYPT_WINDOW_HANDLE_PROPERTY,
- reinterpret_cast(&hWnd),
- sizeof(HWND),
- 0));
-
- // finalize the key
- THROW_IF_FAILED(NCryptFinalizeKey(hKey.get(), 0));
-
- DWORD cbPackedAuthenticatorData = 0;
- wil::unique_hlocal_ptr packedAuthenticatorData;
- std::vector vCredentialIdBuffer;
- THROW_IF_FAILED(CreateAuthenticatorData(
- std::move(hKey),
- pDecodedMakeCredentialRequest->cbRpId,
- pDecodedMakeCredentialRequest->pbRpId,
- cbPackedAuthenticatorData,
- packedAuthenticatorData,
- vCredentialIdBuffer));
-
- auto operationResponse = wil::make_unique_cotaskmem();
-
- WEBAUTHN_CREDENTIAL_ATTESTATION attestationResponse{};
- attestationResponse.dwVersion = WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION;
- attestationResponse.pwszFormatType = WEBAUTHN_ATTESTATION_TYPE_NONE;
- attestationResponse.cbAttestation = 0;
- attestationResponse.pbAttestation = nullptr;
- attestationResponse.cbAuthenticatorData = 0;
- attestationResponse.pbAuthenticatorData = nullptr;
-
- attestationResponse.pbAuthenticatorData = packedAuthenticatorData.get();
- attestationResponse.cbAuthenticatorData = cbPackedAuthenticatorData;
-
- DWORD cbAttestationBuffer = 0;
- PBYTE pbattestationBuffer;
-
- auto webauthnEncodeMakeCredentialResponse = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNEncodeMakeCredentialResponse);
- THROW_IF_FAILED(webauthnEncodeMakeCredentialResponse(
- &attestationResponse,
- &cbAttestationBuffer,
- &pbattestationBuffer));
- operationResponse->cbEncodedResponse = cbAttestationBuffer;
- operationResponse->pbEncodedResponse = wil::make_unique_cotaskmem(cbAttestationBuffer).release();
- memcpy_s(operationResponse->pbEncodedResponse,
- operationResponse->cbEncodedResponse,
- pbattestationBuffer,
- cbAttestationBuffer);
-
- *response = operationResponse.release();
-
- WEBAUTHN_CREDENTIAL_DETAILS credentialDetails{};
- credentialDetails.dwVersion = WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION;
- credentialDetails.pUserInformation = const_cast(pDecodedMakeCredentialRequest->pUserInformation);
- credentialDetails.pRpInformation = const_cast(pDecodedMakeCredentialRequest->pRpInformation);
- credentialDetails.cbCredentialID = static_cast(vCredentialIdBuffer.size());
- credentialDetails.pbCredentialID = wil::make_unique_cotaskmem(vCredentialIdBuffer.size()).release();
- memcpy_s(credentialDetails.pbCredentialID, credentialDetails.cbCredentialID, vCredentialIdBuffer.data(), static_cast(vCredentialIdBuffer.size()));
- if (!PluginCredentialManager::getInstance().SaveCredentialMetadataToMockDB(credentialDetails))
- {
- std::lock_guard lock(curApp->m_pluginOperationOptionsMutex);
- curApp->m_pluginOperationStatus.performOperationStatus = E_FAIL;
- }
- pDecodedMakeCredentialRequest.reset();
- SetEvent(App::s_hPluginOpCompletedEvent.get());
- return S_OK;
- }
- catch (...)
- {
- HRESULT hr = wil::ResultFromCaughtException();
- com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as();
- if (curApp)
- {
- hr = winrt::to_hresult();
- std::lock_guard lock(curApp->m_pluginOperationOptionsMutex);
- curApp->m_pluginOperationStatus.performOperationStatus = hr;
- };
- SetEvent(App::s_hPluginOpCompletedEvent.get());
- return hr;
- }
- }
-
- /*
- * This function is invoked by the platform to request the plugin to handle a get assertion operation.
- * Refer: pluginauthenticator.h/pluginauthenticator.idl
- */
- HRESULT STDMETHODCALLTYPE ContosoPlugin::EXPERIMENTAL_PluginGetAssertion(
- /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST pPluginGetAssertionRequest,
- /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE* response) noexcept
- {
- try
- {
- SetEvent(App::s_pluginOpRequestRecievedEvent.get());
- DWORD hIndex = 0;
- RETURN_IF_FAILED(CoWaitForMultipleHandles(
- COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS,
- INFINITE,
- 1,
- App::s_hAppReadyForPluginOpEvent.addressof(),
- &hIndex));
- com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as();
-
- wil::shared_hmodule webauthnDll(LoadLibraryExW(L"webauthn.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32));
- if (webauthnDll == nullptr)
- {
- return E_ABORT;
- }
-
- wil::unique_cotaskmem_ptr pDecodedAssertionRequest;
- // The EXPERIMENTAL_WebAuthNDecodeGetAssertionRequest function can be optionally used to decode the CBOR encoded request to a EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST structure.
- auto webauthnDecodeGetAssertionRequest = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNDecodeGetAssertionRequest);
- webauthnDecodeGetAssertionRequest(pPluginGetAssertionRequest->cbEncodedRequest, pPluginGetAssertionRequest->pbEncodedRequest, wil::out_param(pDecodedAssertionRequest));
- wil::shared_cotaskmem_string rpName = wil::make_cotaskmem_string(pDecodedAssertionRequest->pwszRpId);
- //load the user handle
- auto& credManager = PluginCredentialManager::getInstance();
- const WEBAUTHN_CREDENTIAL_DETAILS* selectedCredential{};
- // create a list of credentials
- std::vector selectedCredentials;
-
- while (true)
- {
- Sleep(100);
- if (credManager.IsLocalCredentialMetadataLoaded())
- {
- credManager.GetLocalCredsByRpIdAndAllowList(pDecodedAssertionRequest->pwszRpId,
- pDecodedAssertionRequest->CredentialList.ppCredentials,
- pDecodedAssertionRequest->CredentialList.cCredentials,
- selectedCredentials);
- break;
- }
- }
-
- if (selectedCredentials.empty())
- {
- {
- std::lock_guard lock(curApp->m_pluginOperationOptionsMutex);
- curApp->m_pluginOperationStatus.performOperationStatus = NTE_NOT_FOUND;
- }
- SetEvent(App::s_hPluginOpCompletedEvent.get());
- return NTE_NOT_FOUND;
- }
- else if (selectedCredentials.size() == 1 && credManager.GetSilentOperation())
- {
- selectedCredential = selectedCredentials[0];
- }
- else
- {
- curApp->SetMatchingCredentials(pDecodedAssertionRequest->pwszRpId, selectedCredentials, pPluginGetAssertionRequest->hWnd);
- hIndex = 0;
- RETURN_IF_FAILED(CoWaitForMultipleHandles(COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, INFINITE, 1, curApp->m_hPluginCredentialSelected.addressof(), &hIndex));
-
- {
- std::lock_guard lock(curApp->m_pluginOperationOptionsMutex);
- selectedCredential = curApp->m_pluginOperationOptions.selectedCredential;
- }
-
- // Failed to select a credential
- if (selectedCredential->cbCredentialID == 0 ||
- selectedCredential->pbCredentialID == nullptr ||
- selectedCredential->pUserInformation == nullptr ||
- selectedCredential->pUserInformation->pwszName == nullptr)
- {
- {
- std::lock_guard lock(curApp->m_pluginOperationOptionsMutex);
- curApp->m_pluginOperationStatus.performOperationStatus = NTE_NOT_FOUND;
- }
- SetEvent(App::s_hPluginOpCompletedEvent.get());
- return NTE_NOT_FOUND;
- }
- }
-
- wil::shared_cotaskmem_string userName = wil::make_cotaskmem_string(selectedCredential->pUserInformation->pwszName);
-
- std::vector requestBuffer(
- pPluginGetAssertionRequest->pbEncodedRequest,
- pPluginGetAssertionRequest->pbEncodedRequest + pPluginGetAssertionRequest->cbEncodedRequest);
-
- auto ppbPubKeyData = GetRequestSigningPubKey();
- HRESULT requestSignResult = E_FAIL;
- if (!ppbPubKeyData.empty())
- {
- requestSignResult = VerifySignatureHelper(
- requestBuffer,
- ppbPubKeyData.data(),
- static_cast(ppbPubKeyData.size()),
- pPluginGetAssertionRequest->pbRequestSignature,
- pPluginGetAssertionRequest->cbRequestSignature);
- }
-
- {
- std::lock_guard lock(curApp->m_pluginOperationOptionsMutex);
- curApp->m_pluginOperationStatus.requestSignatureVerificationStatus = requestSignResult;
- }
-
- THROW_IF_FAILED(PerformUv(curApp,
- pPluginGetAssertionRequest->hWnd,
- webauthnDll,
- pPluginGetAssertionRequest->transactionId,
- PLUGIN_OPERATION_TYPE_GET_ASSERTION,
- requestBuffer,
- rpName,
- userName));
-
- // convert user handle to a string
- std::wstring keyNameStr = contosoplugin_key_domain;
- std::wstringstream keyNameStream;
- for (DWORD idx = 0; idx < selectedCredential->pUserInformation->cbId; idx++)
- {
- keyNameStream << std::hex << std::setw(2) << std::setfill(L'0') <<
- static_cast(selectedCredential->pUserInformation->pbId[idx]);
- }
- keyNameStr += keyNameStream.str();
-
- //open the key using ncrypt and sign the data
- wil::unique_ncrypt_prov hProvider;
- wil::shared_ncrypt_key hKey;
-
- // get the provider
- THROW_IF_FAILED(NCryptOpenStorageProvider(&hProvider, nullptr, 0));
-
- // open the key
- THROW_IF_FAILED(NCryptOpenKey(hProvider.get(), &hKey, keyNameStr.c_str(), 0, 0));
-
- // set hwnd property
- wil::unique_hwnd hWnd;
- if (curApp->m_silentMode)
- {
- hWnd.reset(curApp->m_pluginOperationOptions.hWnd);
- }
- else
- {
- hWnd.reset(curApp->GetNativeWindowHandle());
- }
- THROW_IF_FAILED(NCryptSetProperty(
- hKey.get(),
- NCRYPT_WINDOW_HANDLE_PROPERTY,
- (BYTE*)(hWnd.addressof()),
- sizeof(HWND),
- 0));
-
- // create authenticator data
- DWORD cbPackedAuthenticatorData = 0;
- wil::unique_hlocal_ptr packedAuthenticatorData;
- std::vector vCredentialIdBuffer;
- THROW_IF_FAILED(CreateAuthenticatorData(hKey,
- pDecodedAssertionRequest->cbRpId,
- pDecodedAssertionRequest->pbRpId,
- cbPackedAuthenticatorData,
- packedAuthenticatorData,
- vCredentialIdBuffer));
-
- wil::unique_hlocal_ptr pbSignature = nullptr;
- DWORD cbSignature = 0;
-
- {
- wil::unique_bcrypt_hash hashHandle;
-
-
- THROW_IF_NTSTATUS_FAILED(BCryptCreateHash(
- BCRYPT_SHA256_ALG_HANDLE,
- &hashHandle,
- nullptr,
- 0,
- nullptr,
- 0,
- 0));
-
- THROW_IF_NTSTATUS_FAILED(BCryptHashData(hashHandle.get(), const_cast(packedAuthenticatorData.get()), cbPackedAuthenticatorData, 0));
- THROW_IF_NTSTATUS_FAILED(BCryptHashData(hashHandle.get(), const_cast(pDecodedAssertionRequest->pbClientDataHash), pDecodedAssertionRequest->cbClientDataHash, 0));
-
- DWORD bytesRead = 0;
- DWORD cbSignatureBuffer = 0;
- THROW_IF_NTSTATUS_FAILED(BCryptGetProperty(
- hashHandle.get(),
- BCRYPT_HASH_LENGTH,
- reinterpret_cast(&cbSignatureBuffer),
- sizeof(cbSignatureBuffer),
- &bytesRead,
- 0));
-
- wil::unique_hlocal_ptr signatureBuffer = wil::make_unique_hlocal(cbSignatureBuffer);
- THROW_HR_IF(E_UNEXPECTED, signatureBuffer == nullptr);
- THROW_IF_NTSTATUS_FAILED(BCryptFinishHash(hashHandle.get(), signatureBuffer.get(), cbSignatureBuffer, 0));
-
- // sign the data
- THROW_IF_FAILED(NCryptSignHash(hKey.get(), nullptr, signatureBuffer.get(), cbSignatureBuffer, nullptr, 0, &cbSignature, 0));
-
- pbSignature = wil::make_unique_hlocal(cbSignature);
- THROW_HR_IF(E_UNEXPECTED, pbSignature == nullptr);
-
- THROW_IF_FAILED(NCryptSignHash(hKey.get(), nullptr, signatureBuffer.get(), cbSignatureBuffer, pbSignature.get(), cbSignature, &cbSignature, 0));
- signatureBuffer.reset();
-
- auto encodeSignature = [](PBYTE signature, size_t signatureSize)
- {
- std::vector encodedSignature{};
- encodedSignature.push_back(0x02); // ASN integer tag
- encodedSignature.push_back(static_cast(signatureSize)); // length of the signature
- if (WI_IsFlagSet(signature[0], 0x80))
- {
- encodedSignature[encodedSignature.size() - 1]++;
- encodedSignature.push_back(0x00); // add a padding byte if the first byte has the high bit set
- }
-
- encodedSignature.insert(encodedSignature.end(), signature, signature + signatureSize);
- return encodedSignature;
- };
-
- auto signatureR = encodeSignature(pbSignature.get(), cbSignature / 2);
- auto signatureS = encodeSignature(pbSignature.get() + cbSignature / 2, cbSignature / 2);
-
- std::vector encodedSignature{};
- encodedSignature.push_back(0x30); // ASN sequence tag
- encodedSignature.push_back(static_cast(signatureR.size() + signatureS.size())); // length of the sequence
- encodedSignature.insert(encodedSignature.end(), signatureR.begin(), signatureR.end());
- encodedSignature.insert(encodedSignature.end(), signatureS.begin(), signatureS.end());
-
- cbSignature = static_cast(encodedSignature.size());
- pbSignature.reset();
- pbSignature = wil::make_unique_hlocal(cbSignature);
- THROW_HR_IF(E_UNEXPECTED, pbSignature == nullptr);
- memcpy_s(pbSignature.get(), cbSignature, encodedSignature.data(), static_cast(cbSignature));
- }
-
- // create the response
- auto operationResponse = wil::make_unique_cotaskmem();
-
- auto assertionResponse = wil::make_unique_cotaskmem();
- assertionResponse->dwVersion = WEBAUTHN_ASSERTION_CURRENT_VERSION;
-
- // [1] Credential (optional)
- assertionResponse->Credential.dwVersion = WEBAUTHN_CREDENTIAL_CURRENT_VERSION;
- assertionResponse->Credential.cbId = static_cast(vCredentialIdBuffer.size());
- assertionResponse->Credential.pbId = vCredentialIdBuffer.data();
- assertionResponse->Credential.pwszCredentialType = WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY;
-
- // [2] AuthenticatorData
- assertionResponse->cbAuthenticatorData = cbPackedAuthenticatorData;
- assertionResponse->pbAuthenticatorData = packedAuthenticatorData.get();
-
- // [3] Signature
- assertionResponse->cbSignature = cbSignature;
- assertionResponse->pbSignature = pbSignature.get();
-
- // [4] User (optional)
- assertionResponse->cbUserId = selectedCredential->pUserInformation->cbId;
- auto userIdBuffer = wil::make_unique_cotaskmem(selectedCredential->pUserInformation->cbId);
- memcpy_s(userIdBuffer.get(),
- selectedCredential->pUserInformation->cbId,
- selectedCredential->pUserInformation->pbId,
- selectedCredential->pUserInformation->cbId);
- assertionResponse->pbUserId = userIdBuffer.get();
- WEBAUTHN_USER_ENTITY_INFORMATION userEntityInformation{};
- userEntityInformation.dwVersion = WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION;
- userEntityInformation.cbId = assertionResponse->cbUserId;
- userEntityInformation.pbId = assertionResponse->pbUserId;
-
- auto ctapGetAssertionResponse = wil::make_unique_cotaskmem();
- ctapGetAssertionResponse->WebAuthNAssertion = *(assertionResponse.get()); // [1] Credential, [2] AuthenticatorData, [3] Signature
- ctapGetAssertionResponse->pUserInformation = &userEntityInformation; // [4] User
- ctapGetAssertionResponse->dwNumberOfCredentials = 1; // [5] NumberOfCredentials
-
- DWORD cbAssertionBuffer = 0;
- PBYTE pbAssertionBuffer;
-
- // The EXPERIMENTAL_WebAuthNEncodeGetAssertionResponse function can be optionally used to encode the
- // EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE structure to a CBOR encoded response.
- auto webAuthNEncodeGetAssertionResponse = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNEncodeGetAssertionResponse);
- THROW_IF_FAILED(webAuthNEncodeGetAssertionResponse(
- (EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE)(ctapGetAssertionResponse.get()),
- &cbAssertionBuffer,
- &pbAssertionBuffer));
-
- assertionResponse.reset();
- ctapGetAssertionResponse.reset();
- userIdBuffer.reset();
- packedAuthenticatorData.reset();
- pbSignature.reset();
- pDecodedAssertionRequest.reset();
-
- operationResponse->cbEncodedResponse = cbAssertionBuffer;
- // pbEncodedResponse must contain a CBOR encoded response as specified the FIDO CTAP.
- // Refer: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#message-encoding.
- operationResponse->pbEncodedResponse = wil::make_unique_cotaskmem(cbAssertionBuffer).release();
- memcpy_s(
- operationResponse->pbEncodedResponse,
- operationResponse->cbEncodedResponse,
- pbAssertionBuffer,
- cbAssertionBuffer);
-
- *response = operationResponse.release();
- SetEvent(App::s_hPluginOpCompletedEvent.get());
- return S_OK;
- }
- catch (...)
- {
- HRESULT localHr = wil::ResultFromCaughtException();
- {
- winrt::com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as();
- std::lock_guard lock(curApp->m_pluginOperationOptionsMutex);
- curApp->m_pluginOperationStatus.performOperationStatus = localHr;
- }
- SetEvent(App::s_hPluginOpCompletedEvent.get());
- return localHr;
- }
- }
-
- /*
- * This function is invoked by the platform to request the plugin to cancel an ongoing operation.
- */
- HRESULT STDMETHODCALLTYPE ContosoPlugin::EXPERIMENTAL_PluginCancelOperation(
- /* [out] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST)
- {
- SetEvent(App::s_pluginOpRequestRecievedEvent.get());
- com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as();
- curApp->GetDispatcherQueue().TryEnqueue([curApp]()
- {
- curApp->PluginCancelAction();
- });
- return S_OK;
- }
-
- /*
- * This is a sample implementation of a factory method that creates an instance of the Class that implements the EXPERIMENTAL_IPluginAuthenticator interface.
- * Refer: pluginauthenticator.h/pluginauthenticator.idl for the interface definition.
- */
- HRESULT __stdcall ContosoPluginFactory::CreateInstance(
- ::IUnknown* outer,
- GUID const& iid,
- void** result) noexcept
- {
- *result = nullptr;
-
- if (outer)
- {
- return CLASS_E_NOAGGREGATION;
- }
-
- try
- {
- return make()->QueryInterface(iid, result);
- }
- catch (...)
- {
- return winrt::to_hresult();
- }
- }
-
- HRESULT __stdcall ContosoPluginFactory::LockServer(BOOL) noexcept
- {
- return S_OK;
- }
-
-}
diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.cpp.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.cpp.sample
deleted file mode 100644
index c5a5a52bfa5..00000000000
--- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.cpp.sample
+++ /dev/null
@@ -1,126 +0,0 @@
-#include "pch.h"
-#include "MainPage.xaml.h"
-#include "PluginRegistrationManager.h"
-#include
-
-namespace winrt::PasskeyManager::implementation {
- PluginRegistrationManager::PluginRegistrationManager() :
- m_pluginRegistered(false),
- m_initialized(false),
- m_pluginState(EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE::PluginAuthenticatorState_Unknown)
- {
- Initialize();
- m_webAuthnDll.reset(LoadLibraryExW(L"webauthn.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32));
- }
-
- PluginRegistrationManager::~PluginRegistrationManager()
- {
- }
-
- HRESULT PluginRegistrationManager::Initialize()
- {
- HRESULT hr = RefreshPluginState();
- RETURN_HR_IF_EXPECTED(S_OK, RefreshPluginState() == NTE_NOT_FOUND);
- RETURN_HR(hr);
- }
-
- HRESULT PluginRegistrationManager::RegisterPlugin()
- {
- // Get the function pointer of WebAuthNPluginAddAuthenticator
- auto webAuthNPluginAddAuthenticator = GetProcAddressByFunctionDeclaration(
- m_webAuthnDll.get(),
- EXPERIMENTAL_WebAuthNPluginAddAuthenticator);
- RETURN_HR_IF_NULL(E_FAIL, webAuthNPluginAddAuthenticator);
-
- /*
- * This section creates a sample authenticatorInfo blob to include in the registration
- * request. This blob must CBOR encoded using the format defined
- * in https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo
- *
- * 'AAGUID' maybe used to fetch information about the authenticator from the FIDO Metadata Service and other sources.
- * Refer: https://fidoalliance.org/metadata/
- *
- * 'extensions' field is used to perform feature detection on the authenticator
- * and maybe used to determine if the authenticator is filtered out.
- */
- std::string tempAaguidStr{ c_pluginAaguid };
- tempAaguidStr.erase(std::remove(tempAaguidStr.begin(), tempAaguidStr.end(), L'-'), tempAaguidStr.end());
- std::transform(tempAaguidStr.begin(), tempAaguidStr.end(), tempAaguidStr.begin(), [](unsigned char c) { return static_cast(std::toupper(c)); });
- // The following hex strings represent the encoding of
- // {1: ["FIDO_2_0", "FIDO_2_1"], 2: ["prf", "hmac-secret"], 3: h'/* AAGUID */', 4: {"rk": true, "up": true, "uv": true},
- // 9: ["internal"], 10: [{"alg": -7, "type": "public-key"}]}
- std::string authenticatorInfoStrPart1 = "A60182684649444F5F325F30684649444F5F325F310282637072666B686D61632D7365637265740350";
- std::string authenticatorInfoStrPart2 = "04A362726BF5627570F5627576F5098168696E7465726E616C0A81A263616C672664747970656A7075626C69632D6B6579";
- std::string fullAuthenticatorInfoStr = authenticatorInfoStrPart1 + tempAaguidStr + authenticatorInfoStrPart2;
- std::vector authenticatorInfo = hexStringToBytes(fullAuthenticatorInfoStr);
-
- // Validate that c_pluginClsid is a valid CLSID
- CLSID CLSID_ContosoPluginAuthenticator;
- RETURN_IF_FAILED(CLSIDFromString(c_pluginClsid, &CLSID_ContosoPluginAuthenticator));
-
- EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS addOptions{};
- addOptions.pwszAuthenticatorName = c_pluginName;
- addOptions.pwszPluginRpId = c_pluginRpId;
- addOptions.pwszPluginClsId = c_pluginClsid;
- addOptions.pbAuthenticatorInfo = authenticatorInfo.data();
- addOptions.cbAuthenticatorInfo = static_cast(authenticatorInfo.size());
-
- EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE addResponse;
- RETURN_IF_FAILED(webAuthNPluginAddAuthenticator(&addOptions, &addResponse));
-
- // The response from plugin contains the public key used to sign plugin operation requests. Stash it for later use.
- wil::unique_hkey hKey;
- RETURN_IF_WIN32_ERROR(RegCreateKeyEx(
- HKEY_CURRENT_USER,
- c_pluginRegistryPath,
- 0,
- nullptr,
- REG_OPTION_NON_VOLATILE,
- KEY_WRITE,
- nullptr,
- &hKey,
- nullptr));
-
- RETURN_IF_WIN32_ERROR(RegSetValueEx(
- hKey.get(),
- c_windowsPluginRequestSigningKeyRegKeyName,
- 0,
- REG_BINARY,
- addResponse->pbOpSignPubKey,
- addResponse->cbOpSignPubKey));
- return S_OK;
- }
-
- HRESULT PluginRegistrationManager::UnregisterPlugin()
- {
- // Get the function pointer of WebAuthNPluginRemoveAuthenticator
- auto webAuthNPluginRemoveAuthenticator = GetProcAddressByFunctionDeclaration(
- m_webAuthnDll.get(),
- EXPERIMENTAL_WebAuthNPluginRemoveAuthenticator);
- RETURN_HR_IF_NULL(E_FAIL, webAuthNPluginRemoveAuthenticator);
-
- RETURN_HR(webAuthNPluginRemoveAuthenticator(c_pluginClsid));
- }
-
- HRESULT PluginRegistrationManager::RefreshPluginState()
- {
- // Reset the plugin state and registration status
- m_pluginRegistered = false;
- m_pluginState = EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE::PluginAuthenticatorState_Unknown;
-
- // Get handle to EXPERIMENTAL_WebAuthNPluginGetAuthenticatorState which takes in a GUID and returns EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE
- auto webAuthNPluginGetAuthenticatorState = GetProcAddressByFunctionDeclaration(
- m_webAuthnDll.get(),
- EXPERIMENTAL_WebAuthNPluginGetAuthenticatorState);
- RETURN_HR_IF_NULL(E_FAIL, webAuthNPluginGetAuthenticatorState);
-
- // Get the plugin state
- EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE localPluginState;
- RETURN_IF_FAILED(webAuthNPluginGetAuthenticatorState(c_pluginClsid, &localPluginState));
-
- // If the EXPERIMENTAL_WebAuthNPluginGetAuthenticatorState function succeeded, that indicates the plugin is registered and localPluginState is the valid plugin state
- m_pluginRegistered = true;
- m_pluginState = localPluginState;
- return S_OK;
- }
-}
\ No newline at end of file
diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.h.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.h.sample
deleted file mode 100644
index df0d3b6949b..00000000000
--- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.h.sample
+++ /dev/null
@@ -1,80 +0,0 @@
-#pragma once
-#include "pch.h"
-#include
-#include
-#include
-#include
-#include
-
-constexpr wchar_t c_pluginName[] = L"Contoso Passkey Manager";
-constexpr wchar_t c_pluginRpId[] = L"contoso.com";
-
-/* The AAGUID is a unique identifier for the FIDO authenticator model.
-*'AAGUID' maybe used to fetch information about the authenticator from the FIDO Metadata Service and other sources.
-* Refer: https://fidoalliance.org/metadata/
-*/
-constexpr char c_pluginAaguid[] = "########-####-####-####-############";
-static_assert(c_pluginAaguid[1] != '#', "Please replace the ##### above with your AAGUID or a value you generated by running guidgen");
-
-/* Generate a GUID using guidgen and replace below and in Package.appxmanifest file */
-constexpr wchar_t c_pluginClsid[] = L"{########-####-####-####-############}";
-static_assert(c_pluginClsid[1] != '#', "Please replace the ##### above with a GUID you generated by running guidgen");
-
-
-constexpr wchar_t c_pluginSigningKeyName[] = L"TestAppPluginIdKey";
-constexpr wchar_t c_pluginRegistryPath[] = L"Software\\Contoso\\PasskeyManager";
-constexpr wchar_t c_windowsPluginRequestSigningKeyRegKeyName[] = L"RequestSigningKeyBlob";
-constexpr wchar_t c_windowsPluginVaultLockedRegKeyName[] = L"VaultLocked";
-constexpr wchar_t c_windowsPluginSilentOperationRegKeyName[] = L"SilentOperation";
-constexpr wchar_t c_windowsPluginDBUpdateInd[] = L"SilentOperation";
-
-namespace winrt::PasskeyManager::implementation
-{
- class PluginRegistrationManager
- {
- public:
- static PluginRegistrationManager& getInstance()
- {
- static PluginRegistrationManager instance;
- return instance;
- }
-
- // Initialize function which calls GetPluginState to check if the plugin is already registered
- HRESULT Initialize();
-
- HRESULT RegisterPlugin();
- HRESULT UnregisterPlugin();
-
- HRESULT RefreshPluginState();
-
- bool IsPluginRegistered() const
- {
- return m_pluginRegistered;
- }
-
- EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE GetPluginState() const
- {
- return m_pluginState;
- }
-
- private:
- EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE m_pluginState;
- bool m_initialized = false;
- bool m_pluginRegistered = false;
- wil::unique_hmodule m_webAuthnDll;
-
- PluginRegistrationManager();
- ~PluginRegistrationManager();
- PluginRegistrationManager(const PluginRegistrationManager&) = delete;
- PluginRegistrationManager& operator=(const PluginRegistrationManager&) = delete;
-
- void UpdatePasskeyOperationStatusText(hstring const& statusText)
- {
- com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as();
- curApp->GetDispatcherQueue().TryEnqueue([curApp, statusText]()
- {
- curApp->m_window.Content().try_as().Content().try_as()->UpdatePasskeyOperationStatusText(statusText);
- });
- }
- };
-};
\ No newline at end of file
diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/pluginauthenticator.h.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/pluginauthenticator.h.sample
deleted file mode 100644
index 3e5bfcb80c9..00000000000
--- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/pluginauthenticator.h.sample
+++ /dev/null
@@ -1,239 +0,0 @@
-
-
-/* this ALWAYS GENERATED file contains the definitions for the interfaces */
-
-
- /* File created by MIDL compiler version 8.01.0628 */
-/* @@MIDL_FILE_HEADING( ) */
-
-
-
-/* verify that the version is high enough to compile this file*/
-#ifndef __REQUIRED_RPCNDR_H_VERSION__
-#define __REQUIRED_RPCNDR_H_VERSION__ 501
-#endif
-
-/* verify that the version is high enough to compile this file*/
-#ifndef __REQUIRED_RPCSAL_H_VERSION__
-#define __REQUIRED_RPCSAL_H_VERSION__ 100
-#endif
-
-#include "rpc.h"
-#include "rpcndr.h"
-
-#ifndef __RPCNDR_H_VERSION__
-#error this stub requires an updated version of
-#endif /* __RPCNDR_H_VERSION__ */
-
-#ifndef COM_NO_WINDOWS_H
-#include "windows.h"
-#include "ole2.h"
-#endif /*COM_NO_WINDOWS_H*/
-
-#ifndef __pluginauthenticator_h__
-#define __pluginauthenticator_h__
-
-#if defined(_MSC_VER) && (_MSC_VER >= 1020)
-#pragma once
-#endif
-
-#ifndef DECLSPEC_XFGVIRT
-#if defined(_CONTROL_FLOW_GUARD_XFG)
-#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func))
-#else
-#define DECLSPEC_XFGVIRT(base, func)
-#endif
-#endif
-
-/* Forward Declarations */
-
-#ifndef __EXPERIMENTAL_IPluginAuthenticator_FWD_DEFINED__
-#define __EXPERIMENTAL_IPluginAuthenticator_FWD_DEFINED__
-typedef interface EXPERIMENTAL_IPluginAuthenticator EXPERIMENTAL_IPluginAuthenticator;
-
-#endif /* __EXPERIMENTAL_IPluginAuthenticator_FWD_DEFINED__ */
-
-
-/* header files for imported files */
-#include "oaidl.h"
-#include "webauthn.h"
-
-#ifdef __cplusplus
-extern "C"{
-#endif
-
-
-/* interface __MIDL_itf_pluginauthenticator_0000_0000 */
-/* [local] */
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_REQUEST
- {
- HWND hWnd;
- GUID transactionId;
- DWORD cbRequestSignature;
- /* [size_is] */ byte *pbRequestSignature;
- DWORD cbEncodedRequest;
- /* [size_is] */ byte *pbEncodedRequest;
- } EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_REQUEST;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_REQUEST *EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_REQUEST;
-
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_REQUEST *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_RESPONSE
- {
- DWORD cbEncodedResponse;
- /* [size_is] */ byte *pbEncodedResponse;
- } EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_RESPONSE;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_RESPONSE *EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE;
-
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_RESPONSE *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_RESPONSE;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST
- {
- GUID transactionId;
- DWORD cbRequestSignature;
- /* [size_is] */ byte *pbRequestSignature;
- } EXPERIMENTAL_WEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST *EXPERIMENTAL_PWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST;
-
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST;
-
-
-
-extern RPC_IF_HANDLE __MIDL_itf_pluginauthenticator_0000_0000_v0_0_c_ifspec;
-extern RPC_IF_HANDLE __MIDL_itf_pluginauthenticator_0000_0000_v0_0_s_ifspec;
-
-#ifndef __EXPERIMENTAL_IPluginAuthenticator_INTERFACE_DEFINED__
-#define __EXPERIMENTAL_IPluginAuthenticator_INTERFACE_DEFINED__
-
-/* interface EXPERIMENTAL_IPluginAuthenticator */
-/* [unique][version][uuid][object] */
-
-
-EXTERN_C const IID IID_EXPERIMENTAL_IPluginAuthenticator;
-
-#if defined(__cplusplus) && !defined(CINTERFACE)
-
- MIDL_INTERFACE("e6466e9a-b2f3-47c5-b88d-89bc14a8d998")
- EXPERIMENTAL_IPluginAuthenticator : public IUnknown
- {
- public:
- virtual HRESULT STDMETHODCALLTYPE EXPERIMENTAL_PluginMakeCredential(
- /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST request,
- /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE *response) = 0;
-
- virtual HRESULT STDMETHODCALLTYPE EXPERIMENTAL_PluginGetAssertion(
- /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST request,
- /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE *response) = 0;
-
- virtual HRESULT STDMETHODCALLTYPE EXPERIMENTAL_PluginCancelOperation(
- /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST request) = 0;
-
- };
-
-
-#else /* C style interface */
-
- typedef struct EXPERIMENTAL_IPluginAuthenticatorVtbl
- {
- BEGIN_INTERFACE
-
- DECLSPEC_XFGVIRT(IUnknown, QueryInterface)
- HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
- __RPC__in EXPERIMENTAL_IPluginAuthenticator * This,
- /* [in] */ __RPC__in REFIID riid,
- /* [annotation][iid_is][out] */
- _COM_Outptr_ void **ppvObject);
-
- DECLSPEC_XFGVIRT(IUnknown, AddRef)
- ULONG ( STDMETHODCALLTYPE *AddRef )(
- __RPC__in EXPERIMENTAL_IPluginAuthenticator * This);
-
- DECLSPEC_XFGVIRT(IUnknown, Release)
- ULONG ( STDMETHODCALLTYPE *Release )(
- __RPC__in EXPERIMENTAL_IPluginAuthenticator * This);
-
- DECLSPEC_XFGVIRT(EXPERIMENTAL_IPluginAuthenticator, EXPERIMENTAL_PluginMakeCredential)
- HRESULT ( STDMETHODCALLTYPE *EXPERIMENTAL_PluginMakeCredential )(
- __RPC__in EXPERIMENTAL_IPluginAuthenticator * This,
- /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST request,
- /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE *response);
-
- DECLSPEC_XFGVIRT(EXPERIMENTAL_IPluginAuthenticator, EXPERIMENTAL_PluginGetAssertion)
- HRESULT ( STDMETHODCALLTYPE *EXPERIMENTAL_PluginGetAssertion )(
- __RPC__in EXPERIMENTAL_IPluginAuthenticator * This,
- /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST request,
- /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE *response);
-
- DECLSPEC_XFGVIRT(EXPERIMENTAL_IPluginAuthenticator, EXPERIMENTAL_PluginCancelOperation)
- HRESULT ( STDMETHODCALLTYPE *EXPERIMENTAL_PluginCancelOperation )(
- __RPC__in EXPERIMENTAL_IPluginAuthenticator * This,
- /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST request);
-
- END_INTERFACE
- } EXPERIMENTAL_IPluginAuthenticatorVtbl;
-
- interface EXPERIMENTAL_IPluginAuthenticator
- {
- CONST_VTBL struct EXPERIMENTAL_IPluginAuthenticatorVtbl *lpVtbl;
- };
-
-
-
-#ifdef COBJMACROS
-
-
-#define EXPERIMENTAL_IPluginAuthenticator_QueryInterface(This,riid,ppvObject) \
- ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) )
-
-#define EXPERIMENTAL_IPluginAuthenticator_AddRef(This) \
- ( (This)->lpVtbl -> AddRef(This) )
-
-#define EXPERIMENTAL_IPluginAuthenticator_Release(This) \
- ( (This)->lpVtbl -> Release(This) )
-
-
-#define EXPERIMENTAL_IPluginAuthenticator_EXPERIMENTAL_PluginMakeCredential(This,request,response) \
- ( (This)->lpVtbl -> EXPERIMENTAL_PluginMakeCredential(This,request,response) )
-
-#define EXPERIMENTAL_IPluginAuthenticator_EXPERIMENTAL_PluginGetAssertion(This,request,response) \
- ( (This)->lpVtbl -> EXPERIMENTAL_PluginGetAssertion(This,request,response) )
-
-#define EXPERIMENTAL_IPluginAuthenticator_EXPERIMENTAL_PluginCancelOperation(This,request) \
- ( (This)->lpVtbl -> EXPERIMENTAL_PluginCancelOperation(This,request) )
-
-#endif /* COBJMACROS */
-
-
-#endif /* C style interface */
-
-
-
-
-#endif /* __EXPERIMENTAL_IPluginAuthenticator_INTERFACE_DEFINED__ */
-
-
-/* Additional Prototypes for ALL interfaces */
-
-unsigned long __RPC_USER HWND_UserSize( __RPC__in unsigned long *, unsigned long , __RPC__in HWND * );
-unsigned char * __RPC_USER HWND_UserMarshal( __RPC__in unsigned long *, __RPC__inout_xcount(0) unsigned char *, __RPC__in HWND * );
-unsigned char * __RPC_USER HWND_UserUnmarshal(__RPC__in unsigned long *, __RPC__in_xcount(0) unsigned char *, __RPC__out HWND * );
-void __RPC_USER HWND_UserFree( __RPC__in unsigned long *, __RPC__in HWND * );
-
-unsigned long __RPC_USER HWND_UserSize64( __RPC__in unsigned long *, unsigned long , __RPC__in HWND * );
-unsigned char * __RPC_USER HWND_UserMarshal64( __RPC__in unsigned long *, __RPC__inout_xcount(0) unsigned char *, __RPC__in HWND * );
-unsigned char * __RPC_USER HWND_UserUnmarshal64(__RPC__in unsigned long *, __RPC__in_xcount(0) unsigned char *, __RPC__out HWND * );
-void __RPC_USER HWND_UserFree64( __RPC__in unsigned long *, __RPC__in HWND * );
-
-/* end of Additional Prototypes */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-
-
diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/webauthn.h.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/webauthn.h.sample
deleted file mode 100644
index 2f50e771bed..00000000000
--- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/webauthn.h.sample
+++ /dev/null
@@ -1,1727 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#ifndef __WEBAUTHN_H_
-#define __WEBAUTHN_H_
-
-#pragma once
-
-#include
-
-#pragma region Desktop Family or OneCore Family
-#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifndef WINAPI
-#define WINAPI __stdcall
-#endif
-
-#ifndef INITGUID
-#define INITGUID
-#include
-#undef INITGUID
-#else
-#include
-#endif
-
-//+------------------------------------------------------------------------------------------
-// API Version Information.
-// Caller should check for WebAuthNGetApiVersionNumber to check the presence of relevant APIs
-// and features for their usage.
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_API_VERSION_1 1
-// WEBAUTHN_API_VERSION_1 : Baseline Version
-// Data Structures and their sub versions:
-// - WEBAUTHN_RP_ENTITY_INFORMATION : 1
-// - WEBAUTHN_USER_ENTITY_INFORMATION : 1
-// - WEBAUTHN_CLIENT_DATA : 1
-// - WEBAUTHN_COSE_CREDENTIAL_PARAMETER : 1
-// - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS : Not Applicable
-// - WEBAUTHN_CREDENTIAL : 1
-// - WEBAUTHN_CREDENTIALS : Not Applicable
-// - WEBAUTHN_CREDENTIAL_EX : 1
-// - WEBAUTHN_CREDENTIAL_LIST : Not Applicable
-// - WEBAUTHN_EXTENSION : Not Applicable
-// - WEBAUTHN_EXTENSIONS : Not Applicable
-// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 3
-// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 4
-// - WEBAUTHN_COMMON_ATTESTATION : 1
-// - WEBAUTHN_CREDENTIAL_ATTESTATION : 3
-// - WEBAUTHN_ASSERTION : 1
-// Extensions:
-// - WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
-// APIs:
-// - WebAuthNGetApiVersionNumber
-// - WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable
-// - WebAuthNAuthenticatorMakeCredential
-// - WebAuthNAuthenticatorGetAssertion
-// - WebAuthNFreeCredentialAttestation
-// - WebAuthNFreeAssertion
-// - WebAuthNGetCancellationId
-// - WebAuthNCancelCurrentOperation
-// - WebAuthNGetErrorName
-// - WebAuthNGetW3CExceptionDOMError
-// Transports:
-// - WEBAUTHN_CTAP_TRANSPORT_USB
-// - WEBAUTHN_CTAP_TRANSPORT_NFC
-// - WEBAUTHN_CTAP_TRANSPORT_BLE
-// - WEBAUTHN_CTAP_TRANSPORT_INTERNAL
-
-#define WEBAUTHN_API_VERSION_2 2
-// WEBAUTHN_API_VERSION_2 : Delta From WEBAUTHN_API_VERSION_1
-// Added Extensions:
-// - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
-//
-
-#define WEBAUTHN_API_VERSION_3 3
-// WEBAUTHN_API_VERSION_3 : Delta From WEBAUTHN_API_VERSION_2
-// Data Structures and their sub versions:
-// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 4
-// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 5
-// - WEBAUTHN_CREDENTIAL_ATTESTATION : 4
-// - WEBAUTHN_ASSERTION : 2
-// Added Extensions:
-// - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
-// - WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
-//
-
-#define WEBAUTHN_API_VERSION_4 4
-// WEBAUTHN_API_VERSION_4 : Delta From WEBAUTHN_API_VERSION_3
-// Data Structures and their sub versions:
-// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 5
-// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 6
-// - WEBAUTHN_ASSERTION : 3
-// - WEBAUTHN_CREDENTIAL_DETAILS : 1
-// APIs:
-// - WebAuthNGetPlatformCredentialList
-// - WebAuthNFreePlatformCredentialList
-// - WebAuthNDeletePlatformCredential
-//
-
-#define WEBAUTHN_API_VERSION_5 5
-// WEBAUTHN_API_VERSION_5 : Delta From WEBAUTHN_API_VERSION_4
-// Data Structures and their sub versions:
-// - WEBAUTHN_CREDENTIAL_DETAILS : 2
-// Extension Changes:
-// - Enabled LARGE_BLOB Support
-//
-
-#define WEBAUTHN_API_VERSION_6 6
-// WEBAUTHN_API_VERSION_6 : Delta From WEBAUTHN_API_VERSION_5
-// Data Structures and their sub versions:
-// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 6
-// - WEBAUTHN_CREDENTIAL_ATTESTATION : 5
-// - WEBAUTHN_ASSERTION : 4
-// Transports:
-// - WEBAUTHN_CTAP_TRANSPORT_HYBRID
-
-#define WEBAUTHN_API_VERSION_7 7
-// WEBAUTHN_API_VERSION_7 : Delta From WEBAUTHN_API_VERSION_6
-// Data Structures and their sub versions:
-// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 7
-// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 7
-// - WEBAUTHN_CREDENTIAL_ATTESTATION : 6
-// - WEBAUTHN_ASSERTION : 5
-
-#define WEBAUTHN_API_VERSION_8 8
-// WEBAUTHN_API_VERSION_8 : Delta From WEBAUTHN_API_VERSION_7
-// Data Structures and their sub versions:
-// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 8
-// - WEBAUTHN_CREDENTIAL_DETAILS : 3
-// - WEBAUTHN_CREDENTIAL_ATTESTATION : 7
-// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 8
-
-#define WEBAUTHN_API_CURRENT_VERSION WEBAUTHN_API_VERSION_8
-
-//+------------------------------------------------------------------------------------------
-// Information about an RP Entity
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION 1
-
-typedef struct _WEBAUTHN_RP_ENTITY_INFORMATION {
- // Version of this structure, to allow for modifications in the future.
- // This field is required and should be set to CURRENT_VERSION above.
- DWORD dwVersion;
-
- // Identifier for the RP. This field is required.
- PCWSTR pwszId;
-
- // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site".
- // This field is required.
- PCWSTR pwszName;
-
- // Optional URL pointing to RP's logo.
- PCWSTR pwszIcon;
-} WEBAUTHN_RP_ENTITY_INFORMATION, *PWEBAUTHN_RP_ENTITY_INFORMATION;
-typedef const WEBAUTHN_RP_ENTITY_INFORMATION *PCWEBAUTHN_RP_ENTITY_INFORMATION;
-
-//+------------------------------------------------------------------------------------------
-// Information about an User Entity
-//-------------------------------------------------------------------------------------------
-#define WEBAUTHN_MAX_USER_ID_LENGTH 64
-
-#define WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION 1
-
-typedef struct _WEBAUTHN_USER_ENTITY_INFORMATION {
- // Version of this structure, to allow for modifications in the future.
- // This field is required and should be set to CURRENT_VERSION above.
- DWORD dwVersion;
-
- // Identifier for the User. This field is required.
- DWORD cbId;
- _Field_size_bytes_(cbId)
- PBYTE pbId;
-
- // Contains a detailed name for this account, such as "john.p.smith@example.com".
- PCWSTR pwszName;
-
- // Optional URL that can be used to retrieve an image containing the user's current avatar,
- // or a data URI that contains the image data.
- PCWSTR pwszIcon;
-
- // For User: Contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith".
- PCWSTR pwszDisplayName;
-} WEBAUTHN_USER_ENTITY_INFORMATION, *PWEBAUTHN_USER_ENTITY_INFORMATION;
-typedef const WEBAUTHN_USER_ENTITY_INFORMATION *PCWEBAUTHN_USER_ENTITY_INFORMATION;
-
-//+------------------------------------------------------------------------------------------
-// Information about client data.
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_HASH_ALGORITHM_SHA_256 L"SHA-256"
-#define WEBAUTHN_HASH_ALGORITHM_SHA_384 L"SHA-384"
-#define WEBAUTHN_HASH_ALGORITHM_SHA_512 L"SHA-512"
-
-#define WEBAUTHN_CLIENT_DATA_CURRENT_VERSION 1
-
-typedef struct _WEBAUTHN_CLIENT_DATA {
- // Version of this structure, to allow for modifications in the future.
- // This field is required and should be set to CURRENT_VERSION above.
- DWORD dwVersion;
-
- // Size of the pbClientDataJSON field.
- DWORD cbClientDataJSON;
- // UTF-8 encoded JSON serialization of the client data.
- _Field_size_bytes_(cbClientDataJSON)
- PBYTE pbClientDataJSON;
-
- // Hash algorithm ID used to hash the pbClientDataJSON field.
- LPCWSTR pwszHashAlgId;
-} WEBAUTHN_CLIENT_DATA, *PWEBAUTHN_CLIENT_DATA;
-typedef const WEBAUTHN_CLIENT_DATA *PCWEBAUTHN_CLIENT_DATA;
-
-//+------------------------------------------------------------------------------------------
-// Information about credential parameters.
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY L"public-key"
-
-#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256 -7
-#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P384_WITH_SHA384 -35
-#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P521_WITH_SHA512 -36
-
-#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA256 -257
-#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA384 -258
-#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA512 -259
-
-#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA256 -37
-#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA384 -38
-#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA512 -39
-
-#define WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION 1
-
-typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETER {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Well-known credential type specifying a credential to create.
- LPCWSTR pwszCredentialType;
-
- // Well-known COSE algorithm specifying the algorithm to use for the credential.
- LONG lAlg;
-} WEBAUTHN_COSE_CREDENTIAL_PARAMETER, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
-typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETER *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
-
-typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETERS {
- DWORD cCredentialParameters;
- _Field_size_(cCredentialParameters)
- PWEBAUTHN_COSE_CREDENTIAL_PARAMETER pCredentialParameters;
-} WEBAUTHN_COSE_CREDENTIAL_PARAMETERS, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
-typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETERS *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
-
-//+------------------------------------------------------------------------------------------
-// Information about credential.
-//-------------------------------------------------------------------------------------------
-#define WEBAUTHN_CREDENTIAL_CURRENT_VERSION 1
-
-typedef struct _WEBAUTHN_CREDENTIAL {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Size of pbID.
- DWORD cbId;
- // Unique ID for this particular credential.
- _Field_size_bytes_(cbId)
- PBYTE pbId;
-
- // Well-known credential type specifying what this particular credential is.
- LPCWSTR pwszCredentialType;
-} WEBAUTHN_CREDENTIAL, *PWEBAUTHN_CREDENTIAL;
-typedef const WEBAUTHN_CREDENTIAL *PCWEBAUTHN_CREDENTIAL;
-
-typedef struct _WEBAUTHN_CREDENTIALS {
- DWORD cCredentials;
- _Field_size_(cCredentials)
- PWEBAUTHN_CREDENTIAL pCredentials;
-} WEBAUTHN_CREDENTIALS, *PWEBAUTHN_CREDENTIALS;
-typedef const WEBAUTHN_CREDENTIALS *PCWEBAUTHN_CREDENTIALS;
-
-//+------------------------------------------------------------------------------------------
-// Information about credential with extra information, such as, dwTransports
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_CTAP_TRANSPORT_USB 0x00000001
-#define WEBAUTHN_CTAP_TRANSPORT_NFC 0x00000002
-#define WEBAUTHN_CTAP_TRANSPORT_BLE 0x00000004
-#define WEBAUTHN_CTAP_TRANSPORT_TEST 0x00000008
-#define WEBAUTHN_CTAP_TRANSPORT_INTERNAL 0x00000010
-#define WEBAUTHN_CTAP_TRANSPORT_HYBRID 0x00000020
-#define WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK 0x0000003F
-
-#define WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION 1
-
-typedef struct _WEBAUTHN_CREDENTIAL_EX {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Size of pbID.
- DWORD cbId;
- // Unique ID for this particular credential.
- _Field_size_bytes_(cbId)
- PBYTE pbId;
-
- // Well-known credential type specifying what this particular credential is.
- LPCWSTR pwszCredentialType;
-
- // Transports. 0 implies no transport restrictions.
- DWORD dwTransports;
-} WEBAUTHN_CREDENTIAL_EX, *PWEBAUTHN_CREDENTIAL_EX;
-typedef const WEBAUTHN_CREDENTIAL_EX *PCWEBAUTHN_CREDENTIAL_EX;
-
-//+------------------------------------------------------------------------------------------
-// Information about credential list with extra information
-//-------------------------------------------------------------------------------------------
-
-typedef struct _WEBAUTHN_CREDENTIAL_LIST {
- DWORD cCredentials;
- _Field_size_(cCredentials)
- PWEBAUTHN_CREDENTIAL_EX *ppCredentials;
-} WEBAUTHN_CREDENTIAL_LIST, *PWEBAUTHN_CREDENTIAL_LIST;
-typedef const WEBAUTHN_CREDENTIAL_LIST *PCWEBAUTHN_CREDENTIAL_LIST;
-
-//+------------------------------------------------------------------------------------------
-// Information about linked devices
-//-------------------------------------------------------------------------------------------
-
-#define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1 1
-#define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_CURRENT_VERSION CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1
-
-typedef struct _CTAPCBOR_HYBRID_STORAGE_LINKED_DATA
-{
- // Version
- DWORD dwVersion;
-
- // Contact Id
- DWORD cbContactId;
- _Field_size_bytes_(cbContactId)
- PBYTE pbContactId;
-
- // Link Id
- DWORD cbLinkId;
- _Field_size_bytes_(cbLinkId)
- PBYTE pbLinkId;
-
- // Link secret
- DWORD cbLinkSecret;
- _Field_size_bytes_(cbLinkSecret)
- PBYTE pbLinkSecret;
-
- // Authenticator Public Key
- DWORD cbPublicKey;
- _Field_size_bytes_(cbPublicKey)
- PBYTE pbPublicKey;
-
- // Authenticator Name
- PCWSTR pwszAuthenticatorName;
-
- // Tunnel server domain
- WORD wEncodedTunnelServerDomain;
-} CTAPCBOR_HYBRID_STORAGE_LINKED_DATA, *PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA;
-typedef const CTAPCBOR_HYBRID_STORAGE_LINKED_DATA *PCCTAPCBOR_HYBRID_STORAGE_LINKED_DATA;
-
-//+------------------------------------------------------------------------------------------
-// Credential Information for WebAuthNGetPlatformCredentialList API
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1 1
-#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2 2
-#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_3 3
-#define WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION WEBAUTHN_CREDENTIAL_DETAILS_VERSION_3
-
-typedef struct _WEBAUTHN_CREDENTIAL_DETAILS {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Size of pbCredentialID.
- DWORD cbCredentialID;
- _Field_size_bytes_(cbCredentialID)
- PBYTE pbCredentialID;
-
- // RP Info
- PWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation;
-
- // User Info
- PWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation;
-
- // Removable or not.
- BOOL bRemovable;
-
- //
- // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2
- //
-
- // Backed Up or not.
- BOOL bBackedUp;
-
- //
- // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_3
- //
- PCWSTR pwszAuthenticatorName;
-
- // The logo is expected to be in the svg format
- DWORD cbAuthenticatorLogo;
- _Field_size_bytes_(cbAuthenticatorLogo)
- PBYTE pbAuthenticatorLogo;
-
- // ThirdPartyPayment Credential or not.
- BOOL bThirdPartyPayment;
-
-} WEBAUTHN_CREDENTIAL_DETAILS, *PWEBAUTHN_CREDENTIAL_DETAILS;
-typedef const WEBAUTHN_CREDENTIAL_DETAILS *PCWEBAUTHN_CREDENTIAL_DETAILS;
-
-typedef struct _WEBAUTHN_CREDENTIAL_DETAILS_LIST {
- DWORD cCredentialDetails;
- _Field_size_(cCredentialDetails)
- PWEBAUTHN_CREDENTIAL_DETAILS *ppCredentialDetails;
-} WEBAUTHN_CREDENTIAL_DETAILS_LIST, *PWEBAUTHN_CREDENTIAL_DETAILS_LIST;
-typedef const WEBAUTHN_CREDENTIAL_DETAILS_LIST *PCWEBAUTHN_CREDENTIAL_DETAILS_LIST;
-
-#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1 1
-#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_CURRENT_VERSION WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1
-
-typedef struct _WEBAUTHN_GET_CREDENTIALS_OPTIONS {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Optional.
- LPCWSTR pwszRpId;
-
- // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
- BOOL bBrowserInPrivateMode;
-} WEBAUTHN_GET_CREDENTIALS_OPTIONS, *PWEBAUTHN_GET_CREDENTIALS_OPTIONS;
-typedef const WEBAUTHN_GET_CREDENTIALS_OPTIONS *PCWEBAUTHN_GET_CREDENTIALS_OPTIONS;
-
-//+------------------------------------------------------------------------------------------
-// PRF values.
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH 32
-
-// SALT values below by default are converted into RAW Hmac-Secret values as per PRF extension.
-// - SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || Value)
-//
-// Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS,
-// if caller wants to provide RAW Hmac-Secret SALT values directly. In that case,
-// values if provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size.
-
-typedef struct _WEBAUTHN_HMAC_SECRET_SALT {
- // Size of pbFirst.
- DWORD cbFirst;
- _Field_size_bytes_(cbFirst)
- PBYTE pbFirst; // Required
-
- // Size of pbSecond.
- DWORD cbSecond;
- _Field_size_bytes_(cbSecond)
- PBYTE pbSecond;
-} WEBAUTHN_HMAC_SECRET_SALT, *PWEBAUTHN_HMAC_SECRET_SALT;
-typedef const WEBAUTHN_HMAC_SECRET_SALT *PCWEBAUTHN_HMAC_SECRET_SALT;
-
-typedef struct _WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT {
- // Size of pbCredID.
- DWORD cbCredID;
- _Field_size_bytes_(cbCredID)
- PBYTE pbCredID; // Required
-
- // PRF Values for above credential
- PWEBAUTHN_HMAC_SECRET_SALT pHmacSecretSalt; // Required
-} WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT, *PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT;
-typedef const WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT *PCWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT;
-
-typedef struct _WEBAUTHN_HMAC_SECRET_SALT_VALUES {
- PWEBAUTHN_HMAC_SECRET_SALT pGlobalHmacSalt;
-
- DWORD cCredWithHmacSecretSaltList;
- _Field_size_(cCredWithHmacSecretSaltList)
- PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT pCredWithHmacSecretSaltList;
-} WEBAUTHN_HMAC_SECRET_SALT_VALUES, *PWEBAUTHN_HMAC_SECRET_SALT_VALUES;
-typedef const WEBAUTHN_HMAC_SECRET_SALT_VALUES *PCWEBAUTHN_HMAC_SECRET_SALT_VALUES;
-
-//+------------------------------------------------------------------------------------------
-// Hmac-Secret extension
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET L"hmac-secret"
-// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
-// MakeCredential Input Type: BOOL.
-// - pvExtension must point to a BOOL with the value TRUE.
-// - cbExtension must contain the sizeof(BOOL).
-// MakeCredential Output Type: BOOL.
-// - pvExtension will point to a BOOL with the value TRUE if credential
-// was successfully created with HMAC_SECRET.
-// - cbExtension will contain the sizeof(BOOL).
-// GetAssertion Input Type: Not Supported
-// GetAssertion Output Type: Not Supported
-
-//+------------------------------------------------------------------------------------------
-// credProtect extension
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_USER_VERIFICATION_ANY 0
-#define WEBAUTHN_USER_VERIFICATION_OPTIONAL 1
-#define WEBAUTHN_USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST 2
-#define WEBAUTHN_USER_VERIFICATION_REQUIRED 3
-
-typedef struct _WEBAUTHN_CRED_PROTECT_EXTENSION_IN {
- // One of the above WEBAUTHN_USER_VERIFICATION_* values
- DWORD dwCredProtect;
- // Set the following to TRUE to require authenticator support for the credProtect extension
- BOOL bRequireCredProtect;
-} WEBAUTHN_CRED_PROTECT_EXTENSION_IN, *PWEBAUTHN_CRED_PROTECT_EXTENSION_IN;
-typedef const WEBAUTHN_CRED_PROTECT_EXTENSION_IN *PCWEBAUTHN_CRED_PROTECT_EXTENSION_IN;
-
-
-#define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT L"credProtect"
-// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT
-// MakeCredential Input Type: WEBAUTHN_CRED_PROTECT_EXTENSION_IN.
-// - pvExtension must point to a WEBAUTHN_CRED_PROTECT_EXTENSION_IN struct
-// - cbExtension will contain the sizeof(WEBAUTHN_CRED_PROTECT_EXTENSION_IN).
-// MakeCredential Output Type: DWORD.
-// - pvExtension will point to a DWORD with one of the above WEBAUTHN_USER_VERIFICATION_* values
-// if credential was successfully created with CRED_PROTECT.
-// - cbExtension will contain the sizeof(DWORD).
-// GetAssertion Input Type: Not Supported
-// GetAssertion Output Type: Not Supported
-
-//+------------------------------------------------------------------------------------------
-// credBlob extension
-//-------------------------------------------------------------------------------------------
-
-typedef struct _WEBAUTHN_CRED_BLOB_EXTENSION {
- // Size of pbCredBlob.
- DWORD cbCredBlob;
- _Field_size_bytes_(cbCredBlob)
- PBYTE pbCredBlob;
-} WEBAUTHN_CRED_BLOB_EXTENSION, *PWEBAUTHN_CRED_BLOB_EXTENSION;
-typedef const WEBAUTHN_CRED_BLOB_EXTENSION *PCWEBAUTHN_CRED_BLOB_EXTENSION;
-
-
-#define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB L"credBlob"
-// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB
-// MakeCredential Input Type: WEBAUTHN_CRED_BLOB_EXTENSION.
-// - pvExtension must point to a WEBAUTHN_CRED_BLOB_EXTENSION struct
-// - cbExtension must contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION).
-// MakeCredential Output Type: BOOL.
-// - pvExtension will point to a BOOL with the value TRUE if credBlob was successfully created
-// - cbExtension will contain the sizeof(BOOL).
-// GetAssertion Input Type: BOOL.
-// - pvExtension must point to a BOOL with the value TRUE to request the credBlob.
-// - cbExtension must contain the sizeof(BOOL).
-// GetAssertion Output Type: WEBAUTHN_CRED_BLOB_EXTENSION.
-// - pvExtension will point to a WEBAUTHN_CRED_BLOB_EXTENSION struct if the authenticator
-// returns the credBlob in the signed extensions
-// - cbExtension will contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION).
-
-//+------------------------------------------------------------------------------------------
-// minPinLength extension
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH L"minPinLength"
-// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH
-// MakeCredential Input Type: BOOL.
-// - pvExtension must point to a BOOL with the value TRUE to request the minPinLength.
-// - cbExtension must contain the sizeof(BOOL).
-// MakeCredential Output Type: DWORD.
-// - pvExtension will point to a DWORD with the minimum pin length if returned by the authenticator
-// - cbExtension will contain the sizeof(DWORD).
-// GetAssertion Input Type: Not Supported
-// GetAssertion Output Type: Not Supported
-
-//+------------------------------------------------------------------------------------------
-// Information about Extensions.
-//-------------------------------------------------------------------------------------------
-typedef struct _WEBAUTHN_EXTENSION {
- LPCWSTR pwszExtensionIdentifier;
- DWORD cbExtension;
- PVOID pvExtension;
-} WEBAUTHN_EXTENSION, *PWEBAUTHN_EXTENSION;
-typedef const WEBAUTHN_EXTENSION *PCWEBAUTHN_EXTENSION;
-
-typedef struct _WEBAUTHN_EXTENSIONS {
- DWORD cExtensions;
- _Field_size_(cExtensions)
- PWEBAUTHN_EXTENSION pExtensions;
-} WEBAUTHN_EXTENSIONS, *PWEBAUTHN_EXTENSIONS;
-typedef const WEBAUTHN_EXTENSIONS *PCWEBAUTHN_EXTENSIONS;
-
-//+------------------------------------------------------------------------------------------
-// Options.
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY 0
-#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM 1
-#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM 2
-#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2 3
-
-#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY 0
-#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED 1
-#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED 2
-#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED 3
-
-#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY 0
-#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE 1
-#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT 2
-#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT 3
-
-#define WEBAUTHN_ENTERPRISE_ATTESTATION_NONE 0
-#define WEBAUTHN_ENTERPRISE_ATTESTATION_VENDOR_FACILITATED 1
-#define WEBAUTHN_ENTERPRISE_ATTESTATION_PLATFORM_MANAGED 2
-
-#define WEBAUTHN_LARGE_BLOB_SUPPORT_NONE 0
-#define WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED 1
-#define WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED 2
-
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_1 1
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 2
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 3
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 4
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 5
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6 6
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7 7
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_8 8
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_8
-
-typedef struct _WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Time that the operation is expected to complete within.
- // This is used as guidance, and can be overridden by the platform.
- DWORD dwTimeoutMilliseconds;
-
- // Credentials used for exclusion.
- WEBAUTHN_CREDENTIALS CredentialList;
-
- // Optional extensions to parse when performing the operation.
- WEBAUTHN_EXTENSIONS Extensions;
-
- // Optional. Platform vs Cross-Platform Authenticators.
- DWORD dwAuthenticatorAttachment;
-
- // Optional. Require key to be resident or not. Defaulting to FALSE.
- BOOL bRequireResidentKey;
-
- // User Verification Requirement.
- DWORD dwUserVerificationRequirement;
-
- // Attestation Conveyance Preference.
- DWORD dwAttestationConveyancePreference;
-
- // Reserved for future Use
- DWORD dwFlags;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2
- //
-
- // Cancellation Id - Optional - See WebAuthNGetCancellationId
- GUID *pCancellationId;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3
- //
-
- // Exclude Credential List. If present, "CredentialList" will be ignored.
- PWEBAUTHN_CREDENTIAL_LIST pExcludeCredentialList;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4
- //
-
- // Enterprise Attestation
- DWORD dwEnterpriseAttestation;
-
- // Large Blob Support: none, required or preferred
- //
- // NTE_INVALID_PARAMETER when large blob required or preferred and
- // bRequireResidentKey isn't set to TRUE
- DWORD dwLargeBlobSupport;
-
- // Optional. Prefer key to be resident. Defaulting to FALSE. When TRUE,
- // overrides the above bRequireResidentKey.
- BOOL bPreferResidentKey;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5
- //
-
- // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
- BOOL bBrowserInPrivateMode;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6
- //
-
- // Enable PRF
- BOOL bEnablePrf;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7
- //
-
- // Optional. Linked Device Connection Info.
- PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice;
-
- // Size of pbJsonExt
- DWORD cbJsonExt;
- _Field_size_bytes_(cbJsonExt)
- PBYTE pbJsonExt;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_8
- //
-
- // PRF extension "eval" values which will be converted into HMAC-SECRET values according to WebAuthn Spec.
- // Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags above, if caller wants to provide RAW Hmac-Secret SALT values directly.
- // In that case, values provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size.
- PWEBAUTHN_HMAC_SECRET_SALT pPRFGlobalEval;
-
- // PublicKeyCredentialHints (https://w3c.github.io/webauthn/#enum-hints)
- DWORD cCredentialHints;
- _Field_size_(cCredentialHints)
- LPCWSTR *ppwszCredentialHints;
-
- // Enable ThirdPartyPayment
- BOOL bThirdPartyPayment;
-
-} WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
-typedef const WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
-
-#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_NONE 0
-#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_GET 1
-#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_SET 2
-#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_DELETE 3
-
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1 1
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2 2
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3 3
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4 4
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5 5
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 6
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7 7
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_8 8
-#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_8
-
-/*
- Information about flags.
-*/
-
-#define WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG 0x00100000
-
-typedef struct _WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Time that the operation is expected to complete within.
- // This is used as guidance, and can be overridden by the platform.
- DWORD dwTimeoutMilliseconds;
-
- // Allowed Credentials List.
- WEBAUTHN_CREDENTIALS CredentialList;
-
- // Optional extensions to parse when performing the operation.
- WEBAUTHN_EXTENSIONS Extensions;
-
- // Optional. Platform vs Cross-Platform Authenticators.
- DWORD dwAuthenticatorAttachment;
-
- // User Verification Requirement.
- DWORD dwUserVerificationRequirement;
-
- // Flags
- DWORD dwFlags;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2
- //
-
- // Optional identifier for the U2F AppId. Converted to UTF8 before being hashed. Not lower cased.
- PCWSTR pwszU2fAppId;
-
- // If the following is non-NULL, then, set to TRUE if the above pwszU2fAppid was used instead of
- // PCWSTR pwszRpId;
- BOOL *pbU2fAppId;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3
- //
-
- // Cancellation Id - Optional - See WebAuthNGetCancellationId
- GUID *pCancellationId;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4
- //
-
- // Allow Credential List. If present, "CredentialList" will be ignored.
- PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5
- //
-
- DWORD dwCredLargeBlobOperation;
-
- // Size of pbCredLargeBlob
- DWORD cbCredLargeBlob;
- _Field_size_bytes_(cbCredLargeBlob)
- PBYTE pbCredLargeBlob;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6
- //
-
- // PRF values which will be converted into HMAC-SECRET values according to WebAuthn Spec.
- PWEBAUTHN_HMAC_SECRET_SALT_VALUES pHmacSecretSaltValues;
-
- // Optional. BrowserInPrivate Mode. Defaulting to FALSE.
- BOOL bBrowserInPrivateMode;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7
- //
-
- // Optional. Linked Device Connection Info.
- PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice;
-
- // Optional. Allowlist MUST contain 1 credential applicable for Hybrid transport.
- BOOL bAutoFill;
-
- // Size of pbJsonExt
- DWORD cbJsonExt;
- _Field_size_bytes_(cbJsonExt)
- PBYTE pbJsonExt;
-
- //
- // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_8
- //
-
- // PublicKeyCredentialHints (https://w3c.github.io/webauthn/#enum-hints)
- DWORD cCredentialHints;
- _Field_size_(cCredentialHints)
- LPCWSTR *ppwszCredentialHints;
-
-} WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
-typedef const WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
-
-
-//+------------------------------------------------------------------------------------------
-// Attestation Info.
-//
-//-------------------------------------------------------------------------------------------
-#define WEBAUTHN_ATTESTATION_DECODE_NONE 0
-#define WEBAUTHN_ATTESTATION_DECODE_COMMON 1
-// WEBAUTHN_ATTESTATION_DECODE_COMMON supports format types
-// L"packed"
-// L"fido-u2f"
-
-#define WEBAUTHN_ATTESTATION_VER_TPM_2_0 L"2.0"
-
-typedef struct _WEBAUTHN_X5C {
- // Length of X.509 encoded certificate
- DWORD cbData;
- // X.509 encoded certificate bytes
- _Field_size_bytes_(cbData)
- PBYTE pbData;
-} WEBAUTHN_X5C, *PWEBAUTHN_X5C;
-
-// Supports either Self or Full Basic Attestation
-
-// Note, new fields will be added to the following data structure to
-// support additional attestation format types, such as, TPM.
-// When fields are added, the dwVersion will be incremented.
-//
-// Therefore, your code must make the following check:
-// "if (dwVersion >= WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION)"
-
-#define WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION 1
-
-typedef struct _WEBAUTHN_COMMON_ATTESTATION {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Hash and Padding Algorithm
- //
- // The following won't be set for "fido-u2f" which assumes "ES256".
- PCWSTR pwszAlg;
- LONG lAlg; // COSE algorithm
-
- // Signature that was generated for this attestation.
- DWORD cbSignature;
- _Field_size_bytes_(cbSignature)
- PBYTE pbSignature;
-
- // Following is set for Full Basic Attestation. If not, set then, this is Self Attestation.
- // Array of X.509 DER encoded certificates. The first certificate is the signer, leaf certificate.
- DWORD cX5c;
- _Field_size_(cX5c)
- PWEBAUTHN_X5C pX5c;
-
- // Following are also set for tpm
- PCWSTR pwszVer; // L"2.0"
- DWORD cbCertInfo;
- _Field_size_bytes_(cbCertInfo)
- PBYTE pbCertInfo;
- DWORD cbPubArea;
- _Field_size_bytes_(cbPubArea)
- PBYTE pbPubArea;
-} WEBAUTHN_COMMON_ATTESTATION, *PWEBAUTHN_COMMON_ATTESTATION;
-typedef const WEBAUTHN_COMMON_ATTESTATION *PCWEBAUTHN_COMMON_ATTESTATION;
-
-#define WEBAUTHN_ATTESTATION_TYPE_PACKED L"packed"
-#define WEBAUTHN_ATTESTATION_TYPE_U2F L"fido-u2f"
-#define WEBAUTHN_ATTESTATION_TYPE_TPM L"tpm"
-#define WEBAUTHN_ATTESTATION_TYPE_NONE L"none"
-
-#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_1 1
-#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2 2
-#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3 3
-#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4 4
-#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5 5
-#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6 6
-#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_7 7
-#define WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_7
-
-typedef struct _WEBAUTHN_CREDENTIAL_ATTESTATION {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Attestation format type
- PCWSTR pwszFormatType;
-
- // Size of cbAuthenticatorData.
- DWORD cbAuthenticatorData;
- // Authenticator data that was created for this credential.
- _Field_size_bytes_(cbAuthenticatorData)
- PBYTE pbAuthenticatorData;
-
- // Size of CBOR encoded attestation information
- //0 => encoded as CBOR null value.
- DWORD cbAttestation;
- //Encoded CBOR attestation information
- _Field_size_bytes_(cbAttestation)
- PBYTE pbAttestation;
-
- DWORD dwAttestationDecodeType;
- // Following depends on the dwAttestationDecodeType
- // WEBAUTHN_ATTESTATION_DECODE_NONE
- // NULL - not able to decode the CBOR attestation information
- // WEBAUTHN_ATTESTATION_DECODE_COMMON
- // PWEBAUTHN_COMMON_ATTESTATION;
- PVOID pvAttestationDecode;
-
- // The CBOR encoded Attestation Object to be returned to the RP.
- DWORD cbAttestationObject;
- _Field_size_bytes_(cbAttestationObject)
- PBYTE pbAttestationObject;
-
- // The CredentialId bytes extracted from the Authenticator Data.
- // Used by Edge to return to the RP.
- DWORD cbCredentialId;
- _Field_size_bytes_(cbCredentialId)
- PBYTE pbCredentialId;
-
- //
- // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2
- //
-
- WEBAUTHN_EXTENSIONS Extensions;
-
- //
- // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3
- //
-
- // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
- // the transport that was used.
- DWORD dwUsedTransport;
-
- //
- // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4
- //
-
- BOOL bEpAtt;
- BOOL bLargeBlobSupported;
- BOOL bResidentKey;
-
- //
- // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5
- //
-
- BOOL bPrfEnabled;
-
- //
- // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6
- //
-
- DWORD cbUnsignedExtensionOutputs;
- _Field_size_bytes_(cbUnsignedExtensionOutputs)
- PBYTE pbUnsignedExtensionOutputs;
-
- //
- // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_7
- //
-
- PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret;
-
- // ThirdPartyPayment Credential or not.
- BOOL bThirdPartyPayment;
-
-} WEBAUTHN_CREDENTIAL_ATTESTATION, *PWEBAUTHN_CREDENTIAL_ATTESTATION;
-typedef const WEBAUTHN_CREDENTIAL_ATTESTATION *PCWEBAUTHN_CREDENTIAL_ATTESTATION;
-
-
-//+------------------------------------------------------------------------------------------
-// authenticatorGetAssertion output.
-//-------------------------------------------------------------------------------------------
-
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NONE 0
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS 1
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_SUPPORTED 2
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_DATA 3
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_PARAMETER 4
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_FOUND 5
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_MULTIPLE_CREDENTIALS 6
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_LACK_OF_SPACE 7
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_PLATFORM_ERROR 8
-#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_AUTHENTICATOR_ERROR 9
-
-#define WEBAUTHN_ASSERTION_VERSION_1 1
-#define WEBAUTHN_ASSERTION_VERSION_2 2
-#define WEBAUTHN_ASSERTION_VERSION_3 3
-#define WEBAUTHN_ASSERTION_VERSION_4 4
-#define WEBAUTHN_ASSERTION_VERSION_5 5
-#define WEBAUTHN_ASSERTION_CURRENT_VERSION WEBAUTHN_ASSERTION_VERSION_5
-
-typedef struct _WEBAUTHN_ASSERTION {
- // Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Size of cbAuthenticatorData.
- DWORD cbAuthenticatorData;
- // Authenticator data that was created for this assertion.
- _Field_size_bytes_(cbAuthenticatorData)
- PBYTE pbAuthenticatorData;
-
- // Size of pbSignature.
- DWORD cbSignature;
- // Signature that was generated for this assertion.
- _Field_size_bytes_(cbSignature)
- PBYTE pbSignature;
-
- // Credential that was used for this assertion.
- WEBAUTHN_CREDENTIAL Credential;
-
- // Size of User Id
- DWORD cbUserId;
- // UserId
- _Field_size_bytes_(cbUserId)
- PBYTE pbUserId;
-
- //
- // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_2
- //
-
- WEBAUTHN_EXTENSIONS Extensions;
-
- // Size of pbCredLargeBlob
- DWORD cbCredLargeBlob;
- _Field_size_bytes_(cbCredLargeBlob)
- PBYTE pbCredLargeBlob;
-
- DWORD dwCredLargeBlobStatus;
-
- //
- // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_3
- //
-
- PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret;
-
- //
- // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_4
- //
-
- // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
- // the transport that was used.
- DWORD dwUsedTransport;
-
- //
- // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_5
- //
-
- DWORD cbUnsignedExtensionOutputs;
- _Field_size_bytes_(cbUnsignedExtensionOutputs)
- PBYTE pbUnsignedExtensionOutputs;
-} WEBAUTHN_ASSERTION, *PWEBAUTHN_ASSERTION;
-typedef const WEBAUTHN_ASSERTION *PCWEBAUTHN_ASSERTION;
-
-//+------------------------------------------------------------------------------------------
-// APIs.
-//-------------------------------------------------------------------------------------------
-
-DWORD
-WINAPI
-WebAuthNGetApiVersionNumber();
-
-HRESULT
-WINAPI
-WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable(
- _Out_ BOOL *pbIsUserVerifyingPlatformAuthenticatorAvailable);
-
-
-HRESULT
-WINAPI
-WebAuthNAuthenticatorMakeCredential(
- _In_ HWND hWnd,
- _In_ PCWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation,
- _In_ PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation,
- _In_ PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS pPubKeyCredParams,
- _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
- _In_opt_ PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS pWebAuthNMakeCredentialOptions,
- _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION *ppWebAuthNCredentialAttestation);
-
-
-HRESULT
-WINAPI
-WebAuthNAuthenticatorGetAssertion(
- _In_ HWND hWnd,
- _In_ LPCWSTR pwszRpId,
- _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
- _In_opt_ PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS pWebAuthNGetAssertionOptions,
- _Outptr_result_maybenull_ PWEBAUTHN_ASSERTION *ppWebAuthNAssertion);
-
-void
-WINAPI
-WebAuthNFreeCredentialAttestation(
- _In_opt_ PWEBAUTHN_CREDENTIAL_ATTESTATION pWebAuthNCredentialAttestation);
-
-void
-WINAPI
-WebAuthNFreeAssertion(
- _In_ PWEBAUTHN_ASSERTION pWebAuthNAssertion);
-
-HRESULT
-WINAPI
-WebAuthNGetCancellationId(
- _Out_ GUID* pCancellationId);
-
-HRESULT
-WINAPI
-WebAuthNCancelCurrentOperation(
- _In_ const GUID* pCancellationId);
-
-// Returns NTE_NOT_FOUND when credentials are not found.
-HRESULT
-WINAPI
-WebAuthNGetPlatformCredentialList(
- _In_ PCWEBAUTHN_GET_CREDENTIALS_OPTIONS pGetCredentialsOptions,
- _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST *ppCredentialDetailsList);
-
-void
-WINAPI
-WebAuthNFreePlatformCredentialList(
- _In_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList);
-
-HRESULT
-WINAPI
-WebAuthNDeletePlatformCredential(
- _In_ DWORD cbCredentialId,
- _In_reads_bytes_(cbCredentialId) const BYTE *pbCredentialId
- );
-
-//
-// Returns the following Error Names:
-// L"Success" - S_OK
-// L"InvalidStateError" - NTE_EXISTS
-// L"ConstraintError" - HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED),
-// NTE_NOT_SUPPORTED,
-// NTE_TOKEN_KEYSET_STORAGE_FULL
-// L"NotSupportedError" - NTE_INVALID_PARAMETER
-// L"NotAllowedError" - NTE_DEVICE_NOT_FOUND,
-// NTE_NOT_FOUND,
-// HRESULT_FROM_WIN32(ERROR_CANCELLED),
-// NTE_USER_CANCELLED,
-// HRESULT_FROM_WIN32(ERROR_TIMEOUT)
-// L"UnknownError" - All other hr values
-//
-PCWSTR
-WINAPI
-WebAuthNGetErrorName(
- _In_ HRESULT hr);
-
-HRESULT
-WINAPI
-WebAuthNGetW3CExceptionDOMError(
- _In_ HRESULT hr);
-
-typedef enum _EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE
-{
- PluginAuthenticatorState_Unknown = 0,
- PluginAuthenticatorState_Disabled,
- PluginAuthenticatorState_Enabled
-} EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE;
-
-//
-// Plugin Authenticator API: WebAuthNPluginGetAuthenticatorState: Get Plugin Authenticator State
-//
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginGetAuthenticatorState(
- _In_ LPCWSTR pwszPluginClsId,
- _Out_ EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE* pluginAuthenticatorState
-);
-
-//
-// Plugin Authenticator API: WebAuthNAddPluginAuthenticator: Add Plugin Authenticator
-//
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS {
- // Authenticator Name
- LPCWSTR pwszAuthenticatorName;
-
- // Plugin COM ClsId
- LPCWSTR pwszPluginClsId;
-
- // Plugin RPID (Optional. Required for a nested WebAuthN call originating from a plugin)
- LPCWSTR pwszPluginRpId;
-
- // Plugin Authenticator Logo for the Light themes. base64 svg (Optional)
- LPCWSTR pwszLightThemeLogo;
-
- // Plugin Authenticator Logo for the Dark themes. base64 svg (Optional)
- LPCWSTR pwszDarkThemeLogo;
-
- // CTAP CBOR encoded authenticatorGetInfo
- DWORD cbAuthenticatorInfo;
- _Field_size_bytes_(cbAuthenticatorInfo)
- PBYTE pbAuthenticatorInfo;
-
-} EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS;
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE {
- // Plugin operation signing Public Key - Used to sign the request in the EXPERIMENTAL_PluginPerformOperation. Refer pluginauthenticator.h.
- DWORD cbOpSignPubKey;
- _Field_size_bytes_(cbOpSignPubKey)
- PBYTE pbOpSignPubKey;
-
-} EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE;
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE;
-
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginAddAuthenticator(
- _In_ EXPERIMENTAL_PCWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS pPluginAddAuthenticatorOptions,
- _Outptr_result_maybenull_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE *ppPluginAddAuthenticatorResponse);
-
-void
-WINAPI
-EXPERIMENTAL_WebAuthNPluginFreeAddAuthenticatorResponse(
- _In_opt_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE pPluginAddAuthenticatorResponse);
-
-//
-// Plugin Authenticator API: WebAuthNRemovePluginAuthenticator: Remove Plugin Authenticator
-//
-
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginRemoveAuthenticator(
- _In_ LPCWSTR pwszPluginClsId);
-
-//
-// Plugin Authenticator API: WebAuthNPluginAuthenticatorUpdateDetails: Update Credential Metadata for Browser AutoFill Scenarios
-//
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS {
- // Authenticator Name (Optional)
- LPCWSTR pwszAuthenticatorName;
-
- // Plugin COM ClsId
- LPCWSTR pwszPluginClsId;
-
- // Plugin COM New ClsId (Optional)
- LPCWSTR pwszNewPluginClsId;
-
- // Plugin Authenticator Logo for the Light themes. base64 svg (Optional)
- LPCWSTR pwszLightThemeLogo;
-
- // Plugin Authenticator Logo for the Dark themes. base64 svg (Optional)
- LPCWSTR pwszDarkThemeLogo;
-
- // CTAP CBOR encoded authenticatorGetInfo (Optional)
- DWORD cbAuthenticatorInfo;
- _Field_size_bytes_(cbAuthenticatorInfo)
- PBYTE pbAuthenticatorInfo;
-
-} EXPERIMENTAL_WEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS;
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS;
-
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginUpdateAuthenticatorDetails(
- _In_ EXPERIMENTAL_PCWEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS pPluginUpdateAuthenticatorDetails);
-
-#endif //__midl
-
-//
-// Plugin Authenticator API: WebAuthNPluginAuthenticatorAddCredentials: Add Credential Metadata for Browser AutoFill Scenarios
-//
-
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS {
- // Size of pbCredentialId.
- DWORD cbCredentialId;
-
- // Credential Identifier bytes. This field is required.
- #ifdef __midl
- [size_is(cbCredentialId)]
- #else
- _Field_size_bytes_(cbCredentialId)
- #endif
- PBYTE pbCredentialId;
-
- // Identifier for the RP. This field is required.
- PWSTR pwszRpId;
-
- // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site".
- // This field is required.
- PWSTR pwszRpName;
-
- // Identifier for the User. This field is required.
- DWORD cbUserId;
-
- // User Identifier bytes. This field is required.
- #ifdef __midl
- [size_is(cbUserId)]
- #else
- _Field_size_bytes_(cbUserId)
- #endif
- PBYTE pbUserId;
-
- // Contains a detailed name for this account, such as "john.p.smith@example.com".
- PWSTR pwszUserName;
-
- // For User: Contains the friendly name associated with the user account such as "John P. Smith".
- PWSTR pwszUserDisplayName;
-
-} EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS;
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST {
- // Plugin COM ClsId
- PWSTR pwszPluginClsId;
-
- // count of credentials
- DWORD cCredentialDetails;
-
- #ifdef __midl
- [size_is(cCredentialDetails)]
- #else
- _Field_size_(cCredentialDetails)
- #endif
- EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS *pCredentialDetails;
-
-} EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST;
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST;
-
-#ifndef __midl
-
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginAuthenticatorAddCredentials(
- _In_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList);
-
-//
-// Plugin Authenticator API: WebAuthNPluginAuthenticatorRemoveCredentials: Remove Credential Metadata for Browser AutoFill Scenarios
-//
-
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginAuthenticatorRemoveCredentials(
- _In_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList);
-
-//
-// Plugin Authenticator API: WebAuthNPluginAuthenticatorRemoveCredentials: Remove All Credential Metadata for Browser AutoFill Scenarios
-//
-
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginAuthenticatorRemoveAllCredentials(
- _In_ LPCWSTR pwszPluginClsId);
-
-//
-// Plugin Authenticator API: WebAuthNPluginAuthenticatorGetAllCredentials: Get All Credential Metadata cached for Browser AutoFill Scenarios
-//
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginAuthenticatorGetAllCredentials(
- _In_ LPCWSTR pwszPluginClsId,
- _Outptr_result_maybenull_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST *ppCredentialDetailsList);
-
-//
-// Hello UV API for Plugin: WebAuthNPluginPerformUv: Perform Hello UV related operations
-//
-
-typedef enum _EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE
-{
- PerformUv = 1,
- GetUvCount,
- GetPubKey
-} EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV {
- HWND hwnd;
- GUID* transactionId;
- EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE type;
- PCWSTR pwszUsername;
- PCWSTR pwszContext;
-} EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFROM_UV;
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_PERFORM_UV;
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE {
- DWORD cbResponse;
- PBYTE pbResponse;
-} EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE;
-typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE;
-
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNPluginPerformUv(
- _In_ EXPERIMENTAL_PCWEBAUTHN_PLUGIN_PERFORM_UV pPluginPerformUv,
- _Outptr_result_maybenull_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE *ppPluginPerformUvRespose);
-
-void
-WINAPI
-EXPERIMENTAL_WebAuthNPluginFreePerformUvResponse(
- _In_opt_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE ppPluginPerformUvResponse);
-
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS_VERSION_1 1
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS_VERSION_1
-typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS {
- //Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Following have following values:
- // +1 - TRUE
- // 0 - Not defined
- // -1 - FALSE
- //up: "true" | "false"
- LONG lUp;
- //uv: "true" | "false"
- LONG lUv;
- //rk: "true" | "false"
- LONG lRequireResidentKey;
-} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS;
-typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS;
-
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY_VERSION_1 1
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY_VERSION_1
-typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY {
- //Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Key type
- LONG lKty;
-
- // Hash Algorithm: ES256, ES384, ES512
- LONG lAlg;
-
- // Curve
- LONG lCrv;
-
- //Size of "x" (X Coordinate)
- DWORD cbX;
-
- //"x" (X Coordinate) data. Big Endian.
- PBYTE pbX;
-
- //Size of "y" (Y Coordinate)
- DWORD cbY;
-
- //"y" (Y Coordinate) data. Big Endian.
- PBYTE pbY;
-} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY;
-typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY;
-
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION_VERSION_1 1
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION_VERSION_1
-typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION {
- //Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- // Platform's key agreement public key
- EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY pKeyAgreement;
-
- DWORD cbEncryptedSalt;
- PBYTE pbEncryptedSalt;
-
- DWORD cbSaltAuth;
- PBYTE pbSaltAuth;
-} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION;
-typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION;
-
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST_VERSION_1 1
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST_VERSION_1
-typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST {
- //Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- //Input RP ID. Raw UTF8 bytes before conversion.
- //These are the bytes to be hashed in the Authenticator Data.
- DWORD cbRpId;
- PBYTE pbRpId;
-
- //Client Data Hash
- DWORD cbClientDataHash;
- PBYTE pbClientDataHash;
-
- //RP Information
- PCWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation;
-
- //User Information
- PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation;
-
- // Crypto Parameters
- WEBAUTHN_COSE_CREDENTIAL_PARAMETERS WebAuthNCredentialParameters;
-
- //Credentials used for exclusion
- WEBAUTHN_CREDENTIAL_LIST CredentialList;
-
- //Optional extensions to parse when performing the operation.
- DWORD cbCborExtensionsMap;
- PBYTE pbCborExtensionsMap;
-
- // Authenticator Options (Optional)
- EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS pAuthenticatorOptions;
-
- // Pin Auth (Optional)
- BOOL fEmptyPinAuth; // Zero length PinAuth is included in the request
- DWORD cbPinAuth;
- PBYTE pbPinAuth;
-
- //"hmac-secret": true extension
- LONG lHmacSecretExt;
-
- // "hmac-secret-mc" extension
- EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION pHmacSecretMcExtension;
-
- //"prf" extension
- LONG lPrfExt;
- DWORD cbHmacSecretSaltValues;
- PBYTE pbHmacSecretSaltValues;
-
- //"credProtect" extension. Nonzero if present
- DWORD dwCredProtect;
-
- // Nonzero if present
- DWORD dwPinProtocol;
-
- // Nonzero if present
- DWORD dwEnterpriseAttestation;
-
- //"credBlob" extension. Nonzero if present
- DWORD cbCredBlobExt;
- PBYTE pbCredBlobExt;
-
- //"largeBlobKey": true extension
- LONG lLargeBlobKeyExt;
-
- //"largeBlob": extension
- DWORD dwLargeBlobSupport;
-
- //"minPinLength": true extension
- LONG lMinPinLengthExt;
-
- // "json" extension. Nonzero if present
- DWORD cbJsonExt;
- PBYTE pbJsonExt;
-} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST;
-typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST;
-
-_Success_(return == S_OK)
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNEncodeMakeCredentialResponse(
- _In_ PCWEBAUTHN_CREDENTIAL_ATTESTATION pCredentialAttestation,
- _Out_ DWORD *pcbResp,
- _Outptr_result_buffer_maybenull_(*pcbResp) BYTE **ppbResp
- );
-
-_Success_(return == S_OK)
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNDecodeMakeCredentialRequest(
- _In_ DWORD cbEncoded,
- _In_reads_bytes_(cbEncoded) const BYTE *pbEncoded,
- _Outptr_ EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST *ppMakeCredentialRequest
- );
-
-void
-WINAPI
-EXPERIMENTAL_WebAuthNFreeDecodedMakeCredentialRequest(
- _In_opt_ EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST pMakeCredentialRequest
- );
-
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST_VERSION_1 1
-#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST_VERSION_1
-typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST {
- //Version of this structure, to allow for modifications in the future.
- DWORD dwVersion;
-
- //RP ID. After UTF8 to Unicode conversion,
- PCWSTR pwszRpId;
-
- //Input RP ID. Raw UTF8 bytes before conversion.
- //These are the bytes to be hashed in the Authenticator Data.
- DWORD cbRpId;
- PBYTE pbRpId;
-
- //Client Data Hash
- DWORD cbClientDataHash;
- PBYTE pbClientDataHash;
-
- //Credentials used for inclusion
- WEBAUTHN_CREDENTIAL_LIST CredentialList;
-
- //Optional extensions to parse when performing the operation.
- DWORD cbCborExtensionsMap;
- PBYTE pbCborExtensionsMap;
-
- // Authenticator Options (Optional)
- EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS pAuthenticatorOptions;
-
- // Pin Auth (Optional)
- BOOL fEmptyPinAuth; // Zero length PinAuth is included in the request
- DWORD cbPinAuth;
- PBYTE pbPinAuth;
-
- // HMAC Salt Extension (Optional)
- EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION pHmacSaltExtension;
-
- // PRF Extension
- DWORD cbHmacSecretSaltValues;
- PBYTE pbHmacSecretSaltValues;
-
- DWORD dwPinProtocol;
-
- //"credBlob": true extension
- LONG lCredBlobExt;
-
- //"largeBlobKey": true extension
- LONG lLargeBlobKeyExt;
-
- //"largeBlob" extension
- DWORD dwCredLargeBlobOperation;
- DWORD cbCredLargeBlobCompressed;
- PBYTE pbCredLargeBlobCompressed;
- DWORD dwCredLargeBlobOriginalSize;
-
- // "json" extension. Nonzero if present
- DWORD cbJsonExt;
- PBYTE pbJsonExt;
-} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST;
-typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST;
-
-_Success_(return == S_OK)
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNDecodeGetAssertionRequest(
- _In_ DWORD cbEncoded,
- _In_reads_bytes_(cbEncoded) const BYTE *pbEncoded,
- _Outptr_ EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST *ppGetAssertionRequest
- );
-
-void
-WINAPI
-EXPERIMENTAL_WebAuthNFreeDecodedGetAssertionRequest(
- _In_opt_ EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST pGetAssertionRequest
- );
-
-typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE {
- // [1] credential (optional)
- // [2] authenticatorData
- // [3] signature
- WEBAUTHN_ASSERTION WebAuthNAssertion;
-
- // [4] user (optional)
- PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation;
-
- // [5] numberOfCredentials (optional)
- DWORD dwNumberOfCredentials;
-
- // [6] userSelected (optional)
- LONG lUserSelected;
-
- // [7] largeBlobKey (optional)
- DWORD cbLargeBlobKey;
- PBYTE pbLargeBlobKey;
-
- // [8] unsignedExtensionOutputs
- DWORD cbUnsignedExtensionOutputs;
- PBYTE pbUnsignedExtensionOutputs;
-} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE;
-typedef const EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE;
-
-_Success_(return == S_OK)
-HRESULT
-WINAPI
-EXPERIMENTAL_WebAuthNEncodeGetAssertionResponse(
- _In_ EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE pGetAssertionResponse,
- _Out_ DWORD *pcbResp,
- _Outptr_result_buffer_maybenull_(*pcbResp) BYTE **ppbResp
- );
-
-#endif //__midl
-
-
-#ifdef __cplusplus
-} // Balance extern "C" above
-#endif
-
-#endif // WINAPI_FAMILY_PARTITION
-#pragma endregion
-
diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/util.rs b/apps/desktop/desktop_native/windows_plugin_authenticator/src/util.rs
index 035d9df06cf..7e6ba9d26c0 100644
--- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/util.rs
+++ b/apps/desktop/desktop_native/windows_plugin_authenticator/src/util.rs
@@ -77,9 +77,7 @@ pub fn file_log(msg: &str) {
}
}
-pub fn debug_log(message: &str) {
- file_log(message)
-}
+pub fn debug_log(message: &str) {}
// Helper function to convert Windows wide string (UTF-16) to Rust String
pub unsafe fn wstr_to_string(
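Review bot: The new no-op body on the `+pub fn debug_log(message: &str) {}` line leaves `message` unused, which rustc reports under `unused_variables`; rename it to `_message` and say why the body is empty, e.g. `/// Intentionally a no-op: debug output is not written to disk outside development.`. If the intent is only to stop writing these messages to a file in shipped builds, wrapping the original `file_log(message)` call in `#[cfg(debug_assertions)]` would keep the diagnostics in debug builds while removing the on-disk trace from release ones. `file_log`, which starts outside the hunk, appears to lose its only visible caller here; confirm it is still used elsewhere or remove it as well.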
diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json
index f4c60b3afb7..6703dbb1c20 100644
--- a/apps/desktop/electron-builder.json
+++ b/apps/desktop/electron-builder.json
@@ -1,6 +1,4 @@
{
- "$schema": "https://raw.githubusercontent.com/electron-userland/electron-builder/master/packages/app-builder-lib/scheme.json",
-
"extraMetadata": {
"name": "bitwarden"
},
@@ -90,10 +88,9 @@
},
"win": {
"electronUpdaterCompatibility": ">=0.0.1",
- "target": ["appx"],
+ "target": ["portable", "nsis-web", "appx"],
"signtoolOptions": {
- "sign": "./sign.js",
- "publisherName": "CN=com.bitwarden.localdevelopment"
+ "sign": "./sign.js"
},
"extraFiles": [
{
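Review bot: Dropping `publisherName` from `signtoolOptions` (the `+ "sign": "./sign.js"` line) leaves no certificate subject in the Windows config, and because signing goes through a custom script electron-builder may not be able to derive one from a certificate file. If no `publisherName` reaches the generated app-update.yml, electron-updater does not verify the Authenticode signature of downloaded NSIS updates on Windows, so I would confirm the production pipeline supplies the exact subject of the release certificate (for example `"publisherName": ["<exact certificate subject>"]` or via the build environment) rather than relying on a default. Removing the `CN=com.bitwarden.localdevelopment` value itself is right, since that was plainly a local-development certificate; the point is only that the production equivalent should be present somewhere.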
@@ -165,9 +162,8 @@
"artifactName": "${productName}-Portable-${version}.${ext}"
},
"appx": {
- "artifactName": "${productName}-${arch}.${ext}",
- "customManifestPath": "./custom-appx-manifest.xml",
- "publisher": "CN=com.bitwarden.localdevelopment"
+ "artifactName": "${productName}-${version}-${arch}.${ext}",
+ "customManifestPath": "./custom-appx-manifest.xml"
},
"deb": {
"artifactName": "${productName}-${version}-${arch}.${ext}",
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
index 9b9ccec9f2a..9488828c146 100644
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -1,7 +1,7 @@
{
"name": "@bitwarden/desktop",
"description": "A secure and free password manager for all of your devices.",
- "version": "2025.6.4",
+ "version": "2025.6.0",
"keywords": [
"bitwarden",
"password",
@@ -67,7 +67,6 @@
"upload:mas": "xcrun altool --upload-app --type osx --file \"$(find ./dist/mas-universal/Bitwarden*.pkg)\" --apiKey $APP_STORE_CONNECT_AUTH_KEY --apiIssuer $APP_STORE_CONNECT_TEAM_ISSUER",
"test": "jest",
"test:watch": "jest --watch",
- "test:watch:all": "jest --watchAll",
- "local:win": "cd desktop_native/napi && npm run build && cd ../.. && npm run build:dev && npm run pack:win"
+ "test:watch:all": "jest --watchAll"
}
}
diff --git a/apps/desktop/sign.ps1 b/apps/desktop/sign.ps1
deleted file mode 100644
index 7709b3be8f3..00000000000
Binary files a/apps/desktop/sign.ps1 and /dev/null differ
diff --git a/apps/desktop/src/autofill/services/desktop-autofill.service.ts b/apps/desktop/src/autofill/services/desktop-autofill.service.ts
index 44cf6c0052a..7e60c6b8d76 100644
--- a/apps/desktop/src/autofill/services/desktop-autofill.service.ts
+++ b/apps/desktop/src/autofill/services/desktop-autofill.service.ts
@@ -61,6 +61,10 @@ export class DesktopAutofillService implements OnDestroy {
.pipe(
distinctUntilChanged(),
switchMap((enabled) => {
+ if (!enabled) {
+ return EMPTY;
+ }
+
return this.accountService.activeAccount$.pipe(
map((account) => account?.id),
filter((userId): userId is UserId => userId != null),
@@ -80,44 +84,43 @@ export class DesktopAutofillService implements OnDestroy {
/** Give metadata about all available credentials in the users vault */
async sync(cipherViews: CipherView[]) {
- this.logService.info("Syncing autofill credentials: ", cipherViews.length);
- // const status = await this.status();
- // if (status.type === "error") {
- // return this.logService.error("Error getting autofill status", status.error);
- // }
+ const status = await this.status();
+ if (status.type === "error") {
+ return this.logService.error("Error getting autofill status", status.error);
+ }
- // if (!status.value.state.enabled) {
- // // Autofill is disabled
- // return;
- // }
+ if (!status.value.state.enabled) {
+ // Autofill is disabled
+ return;
+ }
let fido2Credentials: NativeAutofillFido2Credential[];
let passwordCredentials: NativeAutofillPasswordCredential[];
- fido2Credentials = (await getCredentialsForAutofill(cipherViews)).map((credential) => ({
- type: "fido2",
- ...credential,
- }));
+ if (status.value.support.password) {
+ passwordCredentials = cipherViews
+ .filter(
+ (cipher) =>
+ cipher.type === CipherType.Login &&
+ cipher.login.uris?.length > 0 &&
+ cipher.login.uris.some((uri) => uri.match !== UriMatchStrategy.Never) &&
+ cipher.login.uris.some((uri) => !Utils.isNullOrWhitespace(uri.uri)) &&
+ !Utils.isNullOrWhitespace(cipher.login.username),
+ )
+ .map((cipher) => ({
+ type: "password",
+ cipherId: cipher.id,
+ uri: cipher.login.uris.find((uri) => uri.match !== UriMatchStrategy.Never).uri,
+ username: cipher.login.username,
+ }));
+ }
- // Mock a couple of passkeys for testing purposes
- fido2Credentials.push({
- type: "fido2",
- cipherId: "mock-cipher-id-1",
- credentialId: "passkey1",
- rpId: "webauthn.io",
- userHandle: "passkey1",
- userName: "Mock passkey1",
- });
- fido2Credentials.push({
- type: "fido2",
- cipherId: "mock-cipher-id-2",
- credentialId: "passkey2",
- rpId: "webauthn.io",
- userHandle: "passkey2",
- userName: "Mock passkey2",
- });
-
- this.logService.info("Found FIDO2 credentials", fido2Credentials.length);
+ if (status.value.support.fido2) {
+ fido2Credentials = (await getCredentialsForAutofill(cipherViews)).map((credential) => ({
+ type: "fido2",
+ ...credential,
+ }));
+ }
const syncResult = await ipc.autofill.runCommand({
namespace: "autofill",
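Review bot: The two `.some()` checks on the added `.filter` lines test different URI entries, so a cipher can pass the filter because one URI is matchable and another is non-empty, and then `cipher.login.uris.find((uri) => uri.match !== UriMatchStrategy.Never).uri` on the map line can hand a whitespace URI to the native store. Both checks should use one predicate on the same element so that filter and find agree. Separately, `passwordCredentials` and `fido2Credentials` stay `undefined` when the corresponding `status.value.support` flag is false, and the `runCommand` call that continues past the hunk then receives `undefined` instead of an empty list; initialising both to `[]` avoids that. The rewritten lines below cover the password branch; the rest of `sync` is unchanged.
```typescript
    // … unchanged: status / enabled checks …
    let fido2Credentials: NativeAutofillFido2Credential[] = [];
    let passwordCredentials: NativeAutofillPasswordCredential[] = [];

    // A URI is usable only if it is both matchable and non-empty; testing both
    // conditions on the same element keeps the filter and the find in agreement.
    const usableUri = (uri: CipherView["login"]["uris"][number]) =>
      uri.match !== UriMatchStrategy.Never && !Utils.isNullOrWhitespace(uri.uri);

    if (status.value.support.password) {
      passwordCredentials = cipherViews
        .filter(
          (cipher) =>
            cipher.type === CipherType.Login &&
            cipher.login.uris?.some(usableUri) &&
            !Utils.isNullOrWhitespace(cipher.login.username),
        )
        .map((cipher) => ({
          type: "password",
          cipherId: cipher.id,
          uri: cipher.login.uris.find(usableUri).uri,
          username: cipher.login.username,
        }));
    }
    // … unchanged: fido2 branch and runCommand call …
```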
diff --git a/apps/desktop/src/package.json b/apps/desktop/src/package.json
index 1394c43ff54..a3d811e572f 100644
--- a/apps/desktop/src/package.json
+++ b/apps/desktop/src/package.json
@@ -2,7 +2,7 @@
"name": "@bitwarden/desktop",
"productName": "Bitwarden",
"description": "A secure and free password manager for all of your devices.",
- "version": "2025.6.19",
+ "version": "2025.6.0",
"author": "Bitwarden Inc. (https://bitwarden.com)",
"homepage": "https://bitwarden.com",
"license": "GPL-3.0",
diff --git a/apps/desktop/src/platform/main/autofill/native-autofill.main.ts b/apps/desktop/src/platform/main/autofill/native-autofill.main.ts
index 28b53ebfde1..d4bf8036a79 100644
--- a/apps/desktop/src/platform/main/autofill/native-autofill.main.ts
+++ b/apps/desktop/src/platform/main/autofill/native-autofill.main.ts
@@ -28,7 +28,7 @@ export class NativeAutofillMain {
}
async init() {
- const enableWindowsPasskeyProvider = true;
+ const enableWindowsPasskeyProvider = false;
if (enableWindowsPasskeyProvider) {
this.windowsMain.initWindows();
this.windowsMain.setupWindowsRendererIPCHandlers();
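Review bot: The `+ const enableWindowsPasskeyProvider = false;` line turns the Windows passkey-provider setup into dead code with nothing saying why, so the next reader cannot tell whether this is a temporary kill switch or an abandoned path. Add a comment on that line stating the reason it is off and what gates turning it back on, e.g. `// Intentionally disabled: the Windows passkey provider is not shipped in this build; flip for local testing.`, and ideally reference the tracking issue. If the switch is expected to outlive this commit, reading it from a feature flag or config rather than a hard-coded constant would let it be enabled without a code change. `init()` continues outside the hunk.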