From 432d593389c6b9e41da40876e03b347b3be8b4df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20=C3=85berg?=
Date: Thu, 10 Jul 2025 10:54:39 +0200
Subject: [PATCH] Clean up Remove file logging
---
 apps/desktop/com.bitwarden.pfx | Bin 2694 -> 0 bytes
 apps/desktop/custom-appx-manifest.xml | 8 +-
 .../PluginAuthenticatorImpl.cpp.sample | 977 ----------
 .../PluginRegistrationManager.cpp.sample | 126 --
 .../PluginRegistrationManager.h.sample | 80 -
 .../src/samples/pluginauthenticator.h.sample | 239 ---
 .../src/samples/webauthn.h.sample | 1727 -----------------
 .../windows_plugin_authenticator/src/util.rs | 4 +-
 apps/desktop/electron-builder.json | 12 +-
 apps/desktop/package.json | 5 +-
 apps/desktop/sign.ps1 | Bin 166 -> 0 bytes
 .../services/desktop-autofill.service.ts | 67 +-
 apps/desktop/src/package.json | 2 +-
 .../main/autofill/native-autofill.main.ts | 2 +-
 14 files changed, 48 insertions(+), 3201 deletions(-)
 delete mode 100644 apps/desktop/com.bitwarden.pfx
 delete mode 100644 apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginAuthenticatorImpl.cpp.sample
 delete mode 100644 apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.cpp.sample
 delete mode 100644 apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.h.sample
 delete mode 100644 apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/pluginauthenticator.h.sample
 delete mode 100644 apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/webauthn.h.sample
 delete mode 100644 apps/desktop/sign.ps1
diff --git a/apps/desktop/com.bitwarden.pfx b/apps/desktop/com.bitwarden.pfx deleted file mode 100644 index ed82d494b20d3de2562a053abe7f04b7d4e00e8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2694 zcmZXUc{r5)9>$-U#>j+>ZDi-QHMSY+2!jaWZ5vB8_K9qR8CfbzlPy#tORq9x*T`0u zA!JF^K{6Ftk}Yf5!=TR8^`7@!=Q@A{2@ku;8_UqrE-389%(T-&##)Qzw@UMQ{mkdCV8P zNOxkm5Ab?2x)=gNpo}0p+JTG6)v05u_k9(@w8Mc9rgR&$4@U`%00oMd|o~> ziX1(H=gl&{`~BOeOzAHakp7bSlO+a2MKMjO9-B3BC(e`bg;1EgH`**ZFsFFKAiObE zmJF#1P?=rrSuV_kzZ1!=oHaVOAd=%?65%6fA@fKyw|&><~# zI72}B;(AlL*vI59uhWW&F=spa=bsPDy3k*%93!fjMNs(#;GK`}PpuM*@8++T5hR_k zt&KjLr}s<_zc4yeu)-@jGNh(-$NEC0&Q4CT+Lh74{X83M-&iKEzt+x$CI3|>s{O%L zpVU>w7bj%5>arCscLhmn(*WszQD;wfjCttI(R?vw(?4a8$8nUs6V0NLq6 z_MbViq8DfBL1ROY-s~;Oy96gOSv>fhXtT~3V7Fe{$MMhg`KcLQ62f&kD>x6HFO04!D=k9Khw%jfV0e3Z+z9JTJ z?HqBa5!Naa_sXn2zJXDeKW;A#H+{n4gU!t`N@6ZEUR;U?j=_$}lc&e_W zlDWmgEnYlH#fTY)`wu+tmC~JgVchA{6A-XzTS5LB{zFw6IoA_#;@lRbccsJi0?#ST zys?B;dY$1B$SYRiS9-B~iwNS#O%?P#Llj5A27?(Uh4`yNp@1@`LRYd33KDiBb_v+$ zPUFCF9RP8)ziP$Mr^Mly= z1IqeK#+d*YJfvePk@xjU>SryU)Kva=vwDGtJN@n$YnBG7l*b^qX&eili1n!*D39u8 z3c5yVJ2CNMf(9((gNi}Shoq>N-RoN&@K2|zevm^Y$Ite-hKD?>Z}{%SG}?DGPS=e0 zJ@+;tSD;6Cc+^voGTE(a7~fDS5!Mm7foonOWqc+2^79}gmNcw9p57h_=3s`ER!f!L z{G&P6Ppe*F4}qw2M_*^61pcW@E+I4&0s#R4fO7sX6hxnqJOzXR7XeiO4QK%bz!T5} zG}zOfO$dPAZ>Gwgnt&I8VKWS%%ieX_8;X7Fu$5mvP4@db>=ZQM`72%-3W9(rx^U3% z_&)(3b|47|1jy{;#r~W$fctw3V;f0qqcmX6o)N#55Vl5QbMN2$%x`BXJA=S}Cb2tR z>YxATgtBX%kBzv&Ab@>w{8s_}fAQazC}HTkg@ybo{us)EAybx=Fj1|Q+HWc{_=qt) zPWrgn9vvAjzC0HnymbwAx!(wA&+wtgmW^C>>Cy{#71*E6uP!C74c!TH>g;y{jdQ7F z0Hb@Kxz9RMiY8SKym!9LJ4+K_x*CRH-gsBuzs{MzVY*y_EG#NM8AX3}q|eRaoTlMb zPbSZKu`eSE52dYEhk9z1jT(DlvQC;w-c{K2JWTBIM&EAjznr*cG#zx~TLXVu7;B4B zH9|b%;vUH?XvylXKqE!*`lOnDN1T|q`)<5XD*CEp1?O9uD&C`{y|{n{UKB2F*2AFr zYq&cH;_K7f=y4jwxc0-JoDrBo*hlY&;C?#8$@Qncl(n!+Q&)e@Piw1BM$c!w@yZu+ zrrJ&PCou2N7^<^Ky+;<$`)Avty9>o>NRg-*n^T)r6~+vmEY>2@$%G^!-r}m`48eVD z9w3M6!rz_Al`Cj-uStQ;w+RW_9IK=`e8uYoC8)af_%&S0eI%Vo}`!ZKa$e|1hzI;Bi 
zsx^_m6myMK`*gPUg!|#81l>}YAk?FNJ9M2Kh5&xmag|s zxNEV=Dj(nf;Jz2kxsxa4Qpb8(%%$Kg=R;;30M!!auqUN2d5eiZdbF1YW{}q@^RPa_ zR;@EUVU?Mz)hBtg0jaH_G48RgwGP1+U*p2ZI9jhOdXJ@a!z5J?Kc2WvMELTb(n^ji zw#ln&_-r6^fEB#Tq2DLx=X*jM|8xf{zM?*A^f^0XV9iNcV_4|*a8hB#Tv5sZzQ})C zcdB_I%f<<8U&5Wf5|AfAA`?zFXV%=X+aa_PykkS{1HDRY<7LzNtQpR?eG|pI - + Bitwarden Bitwarden Inc diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginAuthenticatorImpl.cpp.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginAuthenticatorImpl.cpp.sample deleted file mode 100644 index 21025834182..00000000000 --- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginAuthenticatorImpl.cpp.sample +++ /dev/null 
@@ -1,977 +0,0 @@ -#include "pch.h" -#include "PluginAuthenticatorImpl.h" -#include -#include -#include -#include -#include -#include -#include -#include -namespace winrt -{ - using namespace winrt::Windows::Foundation; - using namespace winrt::Microsoft::UI::Windowing; - using namespace winrt::Microsoft::UI::Xaml; - using namespace winrt::Microsoft::UI::Xaml::Controls; - using namespace winrt::Microsoft::UI::Xaml::Navigation; - using namespace PasskeyManager; - using namespace PasskeyManager::implementation; - using namespace CborLite; -} - -namespace winrt::PasskeyManager::implementation -{ - static std::vector GetRequestSigningPubKey() - { - return wil::reg::get_value_binary(HKEY_CURRENT_USER, c_pluginRegistryPath, c_windowsPluginRequestSigningKeyRegKeyName, REG_BINARY); - } - - /* - * This function is used to verify the signature of a request buffer. - * The public key is part of response to plugin registration. - */ - static HRESULT VerifySignatureHelper( - std::vector& dataBuffer, - PBYTE pbKeyData, - DWORD cbKeyData, - PBYTE pbSignature, - DWORD cbSignature) - { - // Create key provider - wil::unique_ncrypt_prov hProvider; - wil::unique_ncrypt_key reqSigningKey; - - // Get the provider - RETURN_IF_FAILED(NCryptOpenStorageProvider(&hProvider, nullptr, 0)); - // Create a NCrypt key handle from the public key - RETURN_IF_FAILED(NCryptImportKey( - hProvider.get(), - NULL, - BCRYPT_ECCPUBLIC_BLOB, - NULL, - &reqSigningKey, - pbKeyData, - cbKeyData, 0)); - - // Verify the signature over the hash of dataBuffer using the hKey - DWORD objLenSize = 0; - DWORD bytesRead = 0; - RETURN_IF_NTSTATUS_FAILED(BCryptGetProperty( - BCRYPT_SHA256_ALG_HANDLE, - BCRYPT_OBJECT_LENGTH, - reinterpret_cast(&objLenSize), - sizeof(objLenSize), - &bytesRead, 0)); - - auto objLen = wil::make_unique_cotaskmem(objLenSize); - wil::unique_bcrypt_hash hashHandle; - RETURN_IF_NTSTATUS_FAILED(BCryptCreateHash( - BCRYPT_SHA256_ALG_HANDLE, - wil::out_param(hashHandle), - objLen.get(), - 
objLenSize, - nullptr, 0, 0)); - RETURN_IF_NTSTATUS_FAILED(BCryptHashData( - hashHandle.get(), - dataBuffer.data(), - static_cast(dataBuffer.size()), 0)); - - DWORD localHashByteCount = 0; - RETURN_IF_NTSTATUS_FAILED(BCryptGetProperty( - BCRYPT_SHA256_ALG_HANDLE, - BCRYPT_HASH_LENGTH, - reinterpret_cast(&localHashByteCount), - sizeof(localHashByteCount), - &bytesRead, 0)); - - auto localHashBuffer = wil::make_unique_cotaskmem(localHashByteCount); - RETURN_IF_NTSTATUS_FAILED(BCryptFinishHash(hashHandle.get(), localHashBuffer.get(), localHashByteCount, 0)); - RETURN_IF_WIN32_ERROR(NCryptVerifySignature( - reqSigningKey.get(), - nullptr, - localHashBuffer.get(), - localHashByteCount, - pbSignature, - cbSignature, 0)); - - return S_OK; - } - - HRESULT CheckHelloConsentCompleted() - { - winrt::com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as(); - HANDLE handles[2] = { curApp->m_hVaultConsentComplete.get(), curApp->m_hVaultConsentFailed.get() }; - - DWORD cWait = ARRAYSIZE(handles); - DWORD hIndex = 0; - RETURN_IF_FAILED(CoWaitForMultipleHandles(COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, INFINITE, cWait, handles, &hIndex)); - if (hIndex == 1) // Consent failed - { - RETURN_HR(E_FAIL); - } - return S_OK; - } - - HRESULT PerformUv( - winrt::com_ptr& curApp, - HWND hWnd, - wil::shared_hmodule webauthnDll, - GUID transactionId, - PluginOperationType operationType, - std::vector requestBuffer, - wil::shared_cotaskmem_string rpName, - wil::shared_cotaskmem_string userName) - { - curApp->SetPluginPerformOperationOptions(hWnd, operationType, rpName.get(), userName.get()); - - // Wait for the app main window to be ready. 
- DWORD hIndex = 0; - RETURN_IF_FAILED(CoWaitForMultipleHandles(COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, INFINITE, 1, curApp->m_hWindowReady.addressof(), &hIndex)); - - // Trigger a Consent Verifier Dialog to simulate a Windows Hello unlock flow - // This is to demonstrate a vault unlock flow using Windows Hello and is not the recommended way to secure the vault - if (PluginCredentialManager::getInstance().GetVaultLock()) - { - curApp->GetDispatcherQueue().TryEnqueue([curApp]() - { - curApp->SimulateUnLockVaultUsingConsentVerifier(); - }); - RETURN_IF_FAILED(CheckHelloConsentCompleted()); - } - else - { - SetEvent(curApp->m_hVaultConsentComplete.get()); - } - - // Wait for user confirmation to proceed with the operation Create/Signin/Cancel button - // This is a mock up for plugin requiring UI. - { - HANDLE handles[2] = { curApp->m_hPluginProceedButtonEvent.get(), curApp->m_hPluginUserCancelEvent.get() }; - DWORD cWait = ARRAYSIZE(handles); - - RETURN_IF_FAILED(CoWaitForMultipleHandles(COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, INFINITE, cWait, handles, &hIndex)); - if (hIndex == 1) // Cancel button clicked - { - // User cancelled the operation. NTE_USER_CANCELLED allows Windows to distinguish between user cancellation and other errors. - return NTE_USER_CANCELLED; - } - } - - // Skip user verification if the user has already performed a gesture to unlock the vault to avoid double prompting - if (PluginCredentialManager::getInstance().GetVaultLock()) - { - return S_OK; - } - - EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV pluginPerformUv{}; - pluginPerformUv.transactionId = &transactionId; - - if (curApp->m_silentMode) - { - // If the app did not display any UI, use the hwnd of the caller here. This was included in the request to the plugin. 
Refer: EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST - pluginPerformUv.hwnd = hWnd; - } - else - { - // If the app displayed UI, use the hwnd of the app window here - pluginPerformUv.hwnd = curApp->GetNativeWindowHandle(); - } - - EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE pPluginPerformUvResponse = nullptr; - - auto webAuthNPluginPerformUv = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNPluginPerformUv); - RETURN_HR_IF_NULL(E_NOTIMPL, webAuthNPluginPerformUv); - - // Step 1: Get the UV count - pluginPerformUv.type = EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE::GetUvCount; - RETURN_IF_FAILED(webAuthNPluginPerformUv(&pluginPerformUv, &pPluginPerformUvResponse)); - - /* - * pPluginPerformUvResponse->pbResponse contains the UV count - * The UV count tracks the number of times the user has performed a gesture to unlock the vault - */ - - // Step 2: Get the public key - pluginPerformUv.type = EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE::GetPubKey; - RETURN_IF_FAILED(webAuthNPluginPerformUv(&pluginPerformUv, &pPluginPerformUvResponse)); - - // stash public key in a new buffer for later use - DWORD cbPubData = pPluginPerformUvResponse->cbResponse; - wil::unique_hlocal_ptr ppbPubKeyData = wil::make_unique_hlocal(cbPubData); - memcpy_s(ppbPubKeyData.get(), cbPubData, pPluginPerformUvResponse->pbResponse, pPluginPerformUvResponse->cbResponse); - - // Step 3: Perform UV. This step uses a Windows Hello prompt to authenticate the user - pluginPerformUv.type = EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE::PerformUv; - pluginPerformUv.pwszUsername = wil::make_cotaskmem_string(userName.get()).release(); - // pwszContext can be used to provide additional context to the user. This is displayed alongside the username in the Windows Hello passkey user verification dialog. 
- pluginPerformUv.pwszContext = wil::make_cotaskmem_string(L"Context String").release(); - RETURN_IF_FAILED(webAuthNPluginPerformUv(&pluginPerformUv, &pPluginPerformUvResponse)); - - // Verify the signature over the hash of requestBuffer using the hKey - auto signatureVerifyResult = VerifySignatureHelper( - requestBuffer, - ppbPubKeyData.get(), - cbPubData, - pPluginPerformUvResponse->pbResponse, - pPluginPerformUvResponse->cbResponse); - curApp->GetDispatcherQueue().TryEnqueue([curApp, signatureVerifyResult]() - { - if (FAILED(signatureVerifyResult)) - { - curApp->m_pluginOperationStatus.uvSignatureVerificationStatus = signatureVerifyResult; - } - }); - return S_OK; - } - - /* - * This function is used to create a simplified version of authenticator data for the webauthn authenticator operations. - * Refer: https://www.w3.org/TR/webauthn-3/#authenticator-data for more details. - */ - HRESULT CreateAuthenticatorData(wil::shared_ncrypt_key hKey, - DWORD cbRpId, - PBYTE pbRpId, - DWORD& pcbPackedAuthenticatorData, - wil::unique_hlocal_ptr& ppbpackedAuthenticatorData, - std::vector& vCredentialIdBuffer) - { - // Get the public key blob - DWORD cbPubKeyBlob = 0; - THROW_IF_FAILED(NCryptExportKey( - hKey.get(), - NULL, - BCRYPT_ECCPUBLIC_BLOB, - NULL, - NULL, - 0, - &cbPubKeyBlob, - 0)); - auto pbPubKeyBlob = std::make_unique(cbPubKeyBlob); - THROW_HR_IF(E_UNEXPECTED, pbPubKeyBlob == nullptr); - DWORD cbPubKeyBlobOutput = 0; - THROW_IF_FAILED(NCryptExportKey( - hKey.get(), - NULL, - BCRYPT_ECCPUBLIC_BLOB, - NULL, - pbPubKeyBlob.get(), - cbPubKeyBlob, - &cbPubKeyBlobOutput, - 0)); - - BCRYPT_ECCKEY_BLOB* pPubKeyBlobHeader = reinterpret_cast(pbPubKeyBlob.get()); - DWORD cbXCoord = pPubKeyBlobHeader->cbKey; - PBYTE pbXCoord = reinterpret_cast(&pPubKeyBlobHeader[1]); - DWORD cbYCoord = pPubKeyBlobHeader->cbKey; - PBYTE pbYCoord = pbXCoord + cbXCoord; - - // create byte span for x and y - std::span xCoord(pbXCoord, cbXCoord); - std::span yCoord(pbYCoord, cbYCoord); - - // 
CBOR encode the public key in this order: kty, alg, crv, x, y - std::vector buffer; - -#pragma warning(push) -#pragma warning(disable: 4293) - size_t bufferSize = CborLite::encodeMapSize(buffer, 5u); -#pragma warning(pop) - - // COSE CBOR encoding format. Refer to https://datatracker.ietf.org/doc/html/rfc9052#section-7 for more details. - const int8_t ktyIndex = 1; - const int8_t algIndex = 3; - const int8_t crvIndex = -1; - const int8_t xIndex = -2; - const int8_t yIndex = -3; - - // Example values for EC2 P-256 ES256 Keys. Refer to https://www.w3.org/TR/webauthn-3/#example-bdbd14cc - // Note that this sample authenticator only supports ES256 keys. - const int8_t kty = 2; // Key type is EC2 - const int8_t crv = 1; // Curve is P-256 - const int8_t alg = -7; // Algorithm is ES256 - - bufferSize += CborLite::encodeInteger(buffer, ktyIndex); - bufferSize += CborLite::encodeInteger(buffer, kty); - bufferSize += CborLite::encodeInteger(buffer, algIndex); - bufferSize += CborLite::encodeInteger(buffer, alg); - bufferSize += CborLite::encodeInteger(buffer, crvIndex); - bufferSize += CborLite::encodeInteger(buffer, crv); - bufferSize += CborLite::encodeInteger(buffer, xIndex); - bufferSize += CborLite::encodeBytes(buffer, xCoord); - bufferSize += CborLite::encodeInteger(buffer, yIndex); - bufferSize += CborLite::encodeBytes(buffer, yCoord); - - wil::unique_bcrypt_hash hashHandle; - THROW_IF_NTSTATUS_FAILED(BCryptCreateHash( - BCRYPT_SHA256_ALG_HANDLE, - &hashHandle, - nullptr, - 0, - nullptr, - 0, - 0)); - - THROW_IF_NTSTATUS_FAILED(BCryptHashData(hashHandle.get(), reinterpret_cast(pbXCoord), cbXCoord, 0)); - THROW_IF_NTSTATUS_FAILED(BCryptHashData(hashHandle.get(), reinterpret_cast(pbYCoord), cbYCoord, 0)); - - DWORD cbHash = 0; - DWORD bytesRead = 0; - THROW_IF_NTSTATUS_FAILED(BCryptGetProperty( - hashHandle.get(), - BCRYPT_HASH_LENGTH, - reinterpret_cast(&cbHash), - sizeof(cbHash), - &bytesRead, - 0)); - - wil::unique_hlocal_ptr pbCredentialId = 
wil::make_unique_hlocal(cbHash); - THROW_IF_NTSTATUS_FAILED(BCryptFinishHash(hashHandle.get(), pbCredentialId.get(), cbHash, 0)); - - // Close the key and hash handle - hKey.reset(); - hashHandle.reset(); - - com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as(); - PluginOperationType operationType = PLUGIN_OPERATION_TYPE_MAKE_CREDENTIAL; - if (curApp && - curApp->m_pluginOperationOptions.operationType == PLUGIN_OPERATION_TYPE_GET_ASSERTION) - { - operationType = PLUGIN_OPERATION_TYPE_GET_ASSERTION; - } - - // Refer to learn about packing credential data https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data - const DWORD rpidsha256Size = 32; // SHA256 hash of rpId - const DWORD flagsSize = 1; // flags - const DWORD signCountSize = 4; // signCount - DWORD cbPackedAuthenticatorData = rpidsha256Size + flagsSize + signCountSize; - - if (operationType == PLUGIN_OPERATION_TYPE_MAKE_CREDENTIAL) - { - cbPackedAuthenticatorData += sizeof(GUID); // aaGuid - cbPackedAuthenticatorData += sizeof(WORD); // credentialId length - cbPackedAuthenticatorData += cbHash; // credentialId - cbPackedAuthenticatorData += static_cast(buffer.size()); // public key - } - - std::vector vPackedAuthenticatorData(cbPackedAuthenticatorData); - auto writer = buffer_writer{ vPackedAuthenticatorData }; - - auto rgbRpIdHash = writer.reserve_space>(); // 32 bytes of rpIdHash which is SHA256 hash of rpName. 
https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data - DWORD cbRpIdHash; - THROW_IF_WIN32_BOOL_FALSE(CryptHashCertificate2(BCRYPT_SHA256_ALGORITHM, - 0, - nullptr, - pbRpId, - cbRpId, - rgbRpIdHash->data(), - &cbRpIdHash)); - - // Flags uv, up, be, and at are set - if (operationType == PLUGIN_OPERATION_TYPE_GET_ASSERTION) - { - // Refer https://www.w3.org/TR/webauthn-3/#authdata-flags - *writer.reserve_space() = 0x1d; // credential data flags of size 1 byte - - *writer.reserve_space() = 0u; // Sign count of size 4 bytes is set to 0 - - vCredentialIdBuffer.assign(pbCredentialId.get(), pbCredentialId.get() + cbHash); - } - else - { - // Refer https://www.w3.org/TR/webauthn-3/#authdata-flags - *writer.reserve_space() = 0x5d; // credential data flags of size 1 byte - - *writer.reserve_space() = 0u; // Sign count of size 4 bytes is set to 0 - - *writer.reserve_space() = GUID_NULL; // aaGuid of size 16 bytes is set to 0 - - // Retrieve credential id - WORD cbCredentialId = static_cast(cbHash); - WORD cbCredentialIdBigEndian = _byteswap_ushort(cbCredentialId); - - *writer.reserve_space() = cbCredentialIdBigEndian; // Size of credential id in unsigned big endian of size 2 bytes - - writer.add(std::span(pbCredentialId.get(), cbHash)); // Set credential id - - vCredentialIdBuffer.assign(pbCredentialId.get(), pbCredentialId.get() + cbHash); - - writer.add(std::span(buffer.data(), buffer.size())); // Set CBOR encoded public key - } - - pcbPackedAuthenticatorData = static_cast(vPackedAuthenticatorData.size()); - ppbpackedAuthenticatorData = wil::make_unique_hlocal(pcbPackedAuthenticatorData); - memcpy_s(ppbpackedAuthenticatorData.get(), pcbPackedAuthenticatorData, vPackedAuthenticatorData.data(), pcbPackedAuthenticatorData); - - return S_OK; - } - - /* - * This function is invoked by the platform to request the plugin to handle a make credential operation. 
- * Refer: pluginauthenticator.h/pluginauthenticator.idl - */ - HRESULT STDMETHODCALLTYPE ContosoPlugin::EXPERIMENTAL_PluginMakeCredential( - /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST pPluginMakeCredentialRequest, - /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE* response) noexcept - { - try - { - SetEvent(App::s_pluginOpRequestRecievedEvent.get()); // indicate COM message received - DWORD hIndex = 0; - RETURN_IF_FAILED(CoWaitForMultipleHandles( // wait for app to be ready - COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, - INFINITE, - 1, - App::s_hAppReadyForPluginOpEvent.addressof(), - &hIndex)); - com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as(); - - wil::shared_hmodule webauthnDll(LoadLibraryExW(L"webauthn.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32)); - if (webauthnDll == nullptr) - { - return E_ABORT; - } - - wil::unique_cotaskmem_ptr pDecodedMakeCredentialRequest; - auto webauthnDecodeMakeCredentialRequest = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNDecodeMakeCredentialRequest); - THROW_IF_FAILED(webauthnDecodeMakeCredentialRequest( - pPluginMakeCredentialRequest->cbEncodedRequest, - pPluginMakeCredentialRequest->pbEncodedRequest, - wil::out_param(pDecodedMakeCredentialRequest))); - auto rpName = wil::make_cotaskmem_string(pDecodedMakeCredentialRequest->pRpInformation->pwszName); - auto userName = wil::make_cotaskmem_string(pDecodedMakeCredentialRequest->pUserInformation->pwszName); - std::vector requestBuffer( - pPluginMakeCredentialRequest->pbEncodedRequest, - pPluginMakeCredentialRequest->pbEncodedRequest + pPluginMakeCredentialRequest->cbEncodedRequest); - - auto ppbPubKeyData = GetRequestSigningPubKey(); - HRESULT requestSignResult = E_FAIL; - if (!ppbPubKeyData.empty()) - { - requestSignResult = VerifySignatureHelper( - requestBuffer, - ppbPubKeyData.data(), - static_cast(ppbPubKeyData.size()), - 
pPluginMakeCredentialRequest->pbRequestSignature, - pPluginMakeCredentialRequest->cbRequestSignature); - } - { - std::lock_guard lock(curApp->m_pluginOperationOptionsMutex); - curApp->m_pluginOperationStatus.requestSignatureVerificationStatus = requestSignResult; - } - - THROW_IF_FAILED(PerformUv(curApp, - pPluginMakeCredentialRequest->hWnd, - webauthnDll, - pPluginMakeCredentialRequest->transactionId, - PLUGIN_OPERATION_TYPE_MAKE_CREDENTIAL, - requestBuffer, - std::move(rpName), - std::move(userName))); - - //create a persisted key using ncrypt - wil::unique_ncrypt_prov hProvider; - wil::unique_ncrypt_key hKey; - - // get the provider - THROW_IF_FAILED(NCryptOpenStorageProvider(&hProvider, nullptr, 0)); - - // get the user handle as a string - std::wstring keyNameStr = contosoplugin_key_domain; - std::wstringstream keyNameStream; - for (DWORD idx = 0; idx < pDecodedMakeCredentialRequest->pUserInformation->cbId; idx++) - { - keyNameStream << std::hex << std::setw(2) << std::setfill(L'0') << - static_cast(pDecodedMakeCredentialRequest->pUserInformation->pbId[idx]); - } - keyNameStr += keyNameStream.str(); - - // create the key - THROW_IF_FAILED(NCryptCreatePersistedKey( - hProvider.get(), - &hKey, - BCRYPT_ECDH_P256_ALGORITHM, - keyNameStr.c_str(), - 0, - NCRYPT_OVERWRITE_KEY_FLAG)); - - // set the export policy - DWORD exportPolicy = NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG; - THROW_IF_FAILED(NCryptSetProperty( - hKey.get(), - NCRYPT_EXPORT_POLICY_PROPERTY, - reinterpret_cast(&exportPolicy), - sizeof(exportPolicy), - NCRYPT_PERSIST_FLAG)); - - // allow both signing and encryption - DWORD keyUsage = NCRYPT_ALLOW_SIGNING_FLAG | NCRYPT_ALLOW_DECRYPT_FLAG; - THROW_IF_FAILED(NCryptSetProperty( - hKey.get(), - NCRYPT_KEY_USAGE_PROPERTY, - reinterpret_cast(&keyUsage), - sizeof(keyUsage), - NCRYPT_PERSIST_FLAG)); - HWND hWnd; - if (curApp->m_silentMode) - { - hWnd = curApp->m_pluginOperationOptions.hWnd; - } - else - { - hWnd = curApp->GetNativeWindowHandle(); - } - 
THROW_IF_FAILED(NCryptSetProperty( - hKey.get(), - NCRYPT_WINDOW_HANDLE_PROPERTY, - reinterpret_cast(&hWnd), - sizeof(HWND), - 0)); - - // finalize the key - THROW_IF_FAILED(NCryptFinalizeKey(hKey.get(), 0)); - - DWORD cbPackedAuthenticatorData = 0; - wil::unique_hlocal_ptr packedAuthenticatorData; - std::vector vCredentialIdBuffer; - THROW_IF_FAILED(CreateAuthenticatorData( - std::move(hKey), - pDecodedMakeCredentialRequest->cbRpId, - pDecodedMakeCredentialRequest->pbRpId, - cbPackedAuthenticatorData, - packedAuthenticatorData, - vCredentialIdBuffer)); - - auto operationResponse = wil::make_unique_cotaskmem(); - - WEBAUTHN_CREDENTIAL_ATTESTATION attestationResponse{}; - attestationResponse.dwVersion = WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION; - attestationResponse.pwszFormatType = WEBAUTHN_ATTESTATION_TYPE_NONE; - attestationResponse.cbAttestation = 0; - attestationResponse.pbAttestation = nullptr; - attestationResponse.cbAuthenticatorData = 0; - attestationResponse.pbAuthenticatorData = nullptr; - - attestationResponse.pbAuthenticatorData = packedAuthenticatorData.get(); - attestationResponse.cbAuthenticatorData = cbPackedAuthenticatorData; - - DWORD cbAttestationBuffer = 0; - PBYTE pbattestationBuffer; - - auto webauthnEncodeMakeCredentialResponse = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNEncodeMakeCredentialResponse); - THROW_IF_FAILED(webauthnEncodeMakeCredentialResponse( - &attestationResponse, - &cbAttestationBuffer, - &pbattestationBuffer)); - operationResponse->cbEncodedResponse = cbAttestationBuffer; - operationResponse->pbEncodedResponse = wil::make_unique_cotaskmem(cbAttestationBuffer).release(); - memcpy_s(operationResponse->pbEncodedResponse, - operationResponse->cbEncodedResponse, - pbattestationBuffer, - cbAttestationBuffer); - - *response = operationResponse.release(); - - WEBAUTHN_CREDENTIAL_DETAILS credentialDetails{}; - credentialDetails.dwVersion = WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION; - 
credentialDetails.pUserInformation = const_cast(pDecodedMakeCredentialRequest->pUserInformation); - credentialDetails.pRpInformation = const_cast(pDecodedMakeCredentialRequest->pRpInformation); - credentialDetails.cbCredentialID = static_cast(vCredentialIdBuffer.size()); - credentialDetails.pbCredentialID = wil::make_unique_cotaskmem(vCredentialIdBuffer.size()).release(); - memcpy_s(credentialDetails.pbCredentialID, credentialDetails.cbCredentialID, vCredentialIdBuffer.data(), static_cast(vCredentialIdBuffer.size())); - if (!PluginCredentialManager::getInstance().SaveCredentialMetadataToMockDB(credentialDetails)) - { - std::lock_guard lock(curApp->m_pluginOperationOptionsMutex); - curApp->m_pluginOperationStatus.performOperationStatus = E_FAIL; - } - pDecodedMakeCredentialRequest.reset(); - SetEvent(App::s_hPluginOpCompletedEvent.get()); - return S_OK; - } - catch (...) - { - HRESULT hr = wil::ResultFromCaughtException(); - com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as(); - if (curApp) - { - hr = winrt::to_hresult(); - std::lock_guard lock(curApp->m_pluginOperationOptionsMutex); - curApp->m_pluginOperationStatus.performOperationStatus = hr; - }; - SetEvent(App::s_hPluginOpCompletedEvent.get()); - return hr; - } - } - - /* - * This function is invoked by the platform to request the plugin to handle a get assertion operation. 
- * Refer: pluginauthenticator.h/pluginauthenticator.idl - */ - HRESULT STDMETHODCALLTYPE ContosoPlugin::EXPERIMENTAL_PluginGetAssertion( - /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST pPluginGetAssertionRequest, - /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE* response) noexcept - { - try - { - SetEvent(App::s_pluginOpRequestRecievedEvent.get()); - DWORD hIndex = 0; - RETURN_IF_FAILED(CoWaitForMultipleHandles( - COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, - INFINITE, - 1, - App::s_hAppReadyForPluginOpEvent.addressof(), - &hIndex)); - com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as(); - - wil::shared_hmodule webauthnDll(LoadLibraryExW(L"webauthn.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32)); - if (webauthnDll == nullptr) - { - return E_ABORT; - } - - wil::unique_cotaskmem_ptr pDecodedAssertionRequest; - // The EXPERIMENTAL_WebAuthNDecodeGetAssertionRequest function can be optionally used to decode the CBOR encoded request to a EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST structure. 
- auto webauthnDecodeGetAssertionRequest = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNDecodeGetAssertionRequest); - webauthnDecodeGetAssertionRequest(pPluginGetAssertionRequest->cbEncodedRequest, pPluginGetAssertionRequest->pbEncodedRequest, wil::out_param(pDecodedAssertionRequest)); - wil::shared_cotaskmem_string rpName = wil::make_cotaskmem_string(pDecodedAssertionRequest->pwszRpId); - //load the user handle - auto& credManager = PluginCredentialManager::getInstance(); - const WEBAUTHN_CREDENTIAL_DETAILS* selectedCredential{}; - // create a list of credentials - std::vector selectedCredentials; - - while (true) - { - Sleep(100); - if (credManager.IsLocalCredentialMetadataLoaded()) - { - credManager.GetLocalCredsByRpIdAndAllowList(pDecodedAssertionRequest->pwszRpId, - pDecodedAssertionRequest->CredentialList.ppCredentials, - pDecodedAssertionRequest->CredentialList.cCredentials, - selectedCredentials); - break; - } - } - - if (selectedCredentials.empty()) - { - { - std::lock_guard lock(curApp->m_pluginOperationOptionsMutex); - curApp->m_pluginOperationStatus.performOperationStatus = NTE_NOT_FOUND; - } - SetEvent(App::s_hPluginOpCompletedEvent.get()); - return NTE_NOT_FOUND; - } - else if (selectedCredentials.size() == 1 && credManager.GetSilentOperation()) - { - selectedCredential = selectedCredentials[0]; - } - else - { - curApp->SetMatchingCredentials(pDecodedAssertionRequest->pwszRpId, selectedCredentials, pPluginGetAssertionRequest->hWnd); - hIndex = 0; - RETURN_IF_FAILED(CoWaitForMultipleHandles(COWAIT_DISPATCH_WINDOW_MESSAGES | COWAIT_DISPATCH_CALLS, INFINITE, 1, curApp->m_hPluginCredentialSelected.addressof(), &hIndex)); - - { - std::lock_guard lock(curApp->m_pluginOperationOptionsMutex); - selectedCredential = curApp->m_pluginOperationOptions.selectedCredential; - } - - // Failed to select a credential - if (selectedCredential->cbCredentialID == 0 || - selectedCredential->pbCredentialID == nullptr || - 
selectedCredential->pUserInformation == nullptr || - selectedCredential->pUserInformation->pwszName == nullptr) - { - { - std::lock_guard lock(curApp->m_pluginOperationOptionsMutex); - curApp->m_pluginOperationStatus.performOperationStatus = NTE_NOT_FOUND; - } - SetEvent(App::s_hPluginOpCompletedEvent.get()); - return NTE_NOT_FOUND; - } - } - - wil::shared_cotaskmem_string userName = wil::make_cotaskmem_string(selectedCredential->pUserInformation->pwszName); - - std::vector requestBuffer( - pPluginGetAssertionRequest->pbEncodedRequest, - pPluginGetAssertionRequest->pbEncodedRequest + pPluginGetAssertionRequest->cbEncodedRequest); - - auto ppbPubKeyData = GetRequestSigningPubKey(); - HRESULT requestSignResult = E_FAIL; - if (!ppbPubKeyData.empty()) - { - requestSignResult = VerifySignatureHelper( - requestBuffer, - ppbPubKeyData.data(), - static_cast(ppbPubKeyData.size()), - pPluginGetAssertionRequest->pbRequestSignature, - pPluginGetAssertionRequest->cbRequestSignature); - } - - { - std::lock_guard lock(curApp->m_pluginOperationOptionsMutex); - curApp->m_pluginOperationStatus.requestSignatureVerificationStatus = requestSignResult; - } - - THROW_IF_FAILED(PerformUv(curApp, - pPluginGetAssertionRequest->hWnd, - webauthnDll, - pPluginGetAssertionRequest->transactionId, - PLUGIN_OPERATION_TYPE_GET_ASSERTION, - requestBuffer, - rpName, - userName)); - - // convert user handle to a string - std::wstring keyNameStr = contosoplugin_key_domain; - std::wstringstream keyNameStream; - for (DWORD idx = 0; idx < selectedCredential->pUserInformation->cbId; idx++) - { - keyNameStream << std::hex << std::setw(2) << std::setfill(L'0') << - static_cast(selectedCredential->pUserInformation->pbId[idx]); - } - keyNameStr += keyNameStream.str(); - - //open the key using ncrypt and sign the data - wil::unique_ncrypt_prov hProvider; - wil::shared_ncrypt_key hKey; - - // get the provider - THROW_IF_FAILED(NCryptOpenStorageProvider(&hProvider, nullptr, 0)); - - // open the key - 
THROW_IF_FAILED(NCryptOpenKey(hProvider.get(), &hKey, keyNameStr.c_str(), 0, 0)); - - // set hwnd property - wil::unique_hwnd hWnd; - if (curApp->m_silentMode) - { - hWnd.reset(curApp->m_pluginOperationOptions.hWnd); - } - else - { - hWnd.reset(curApp->GetNativeWindowHandle()); - } - THROW_IF_FAILED(NCryptSetProperty( - hKey.get(), - NCRYPT_WINDOW_HANDLE_PROPERTY, - (BYTE*)(hWnd.addressof()), - sizeof(HWND), - 0)); - - // create authenticator data - DWORD cbPackedAuthenticatorData = 0; - wil::unique_hlocal_ptr packedAuthenticatorData; - std::vector vCredentialIdBuffer; - THROW_IF_FAILED(CreateAuthenticatorData(hKey, - pDecodedAssertionRequest->cbRpId, - pDecodedAssertionRequest->pbRpId, - cbPackedAuthenticatorData, - packedAuthenticatorData, - vCredentialIdBuffer)); - - wil::unique_hlocal_ptr pbSignature = nullptr; - DWORD cbSignature = 0; - - { - wil::unique_bcrypt_hash hashHandle; - - - THROW_IF_NTSTATUS_FAILED(BCryptCreateHash( - BCRYPT_SHA256_ALG_HANDLE, - &hashHandle, - nullptr, - 0, - nullptr, - 0, - 0)); - - THROW_IF_NTSTATUS_FAILED(BCryptHashData(hashHandle.get(), const_cast(packedAuthenticatorData.get()), cbPackedAuthenticatorData, 0)); - THROW_IF_NTSTATUS_FAILED(BCryptHashData(hashHandle.get(), const_cast(pDecodedAssertionRequest->pbClientDataHash), pDecodedAssertionRequest->cbClientDataHash, 0)); - - DWORD bytesRead = 0; - DWORD cbSignatureBuffer = 0; - THROW_IF_NTSTATUS_FAILED(BCryptGetProperty( - hashHandle.get(), - BCRYPT_HASH_LENGTH, - reinterpret_cast(&cbSignatureBuffer), - sizeof(cbSignatureBuffer), - &bytesRead, - 0)); - - wil::unique_hlocal_ptr signatureBuffer = wil::make_unique_hlocal(cbSignatureBuffer); - THROW_HR_IF(E_UNEXPECTED, signatureBuffer == nullptr); - THROW_IF_NTSTATUS_FAILED(BCryptFinishHash(hashHandle.get(), signatureBuffer.get(), cbSignatureBuffer, 0)); - - // sign the data - THROW_IF_FAILED(NCryptSignHash(hKey.get(), nullptr, signatureBuffer.get(), cbSignatureBuffer, nullptr, 0, &cbSignature, 0)); - - pbSignature = 
wil::make_unique_hlocal(cbSignature); - THROW_HR_IF(E_UNEXPECTED, pbSignature == nullptr); - - THROW_IF_FAILED(NCryptSignHash(hKey.get(), nullptr, signatureBuffer.get(), cbSignatureBuffer, pbSignature.get(), cbSignature, &cbSignature, 0)); - signatureBuffer.reset(); - - auto encodeSignature = [](PBYTE signature, size_t signatureSize) - { - std::vector encodedSignature{}; - encodedSignature.push_back(0x02); // ASN integer tag - encodedSignature.push_back(static_cast(signatureSize)); // length of the signature - if (WI_IsFlagSet(signature[0], 0x80)) - { - encodedSignature[encodedSignature.size() - 1]++; - encodedSignature.push_back(0x00); // add a padding byte if the first byte has the high bit set - } - - encodedSignature.insert(encodedSignature.end(), signature, signature + signatureSize); - return encodedSignature; - }; - - auto signatureR = encodeSignature(pbSignature.get(), cbSignature / 2); - auto signatureS = encodeSignature(pbSignature.get() + cbSignature / 2, cbSignature / 2); - - std::vector encodedSignature{}; - encodedSignature.push_back(0x30); // ASN sequence tag - encodedSignature.push_back(static_cast(signatureR.size() + signatureS.size())); // length of the sequence - encodedSignature.insert(encodedSignature.end(), signatureR.begin(), signatureR.end()); - encodedSignature.insert(encodedSignature.end(), signatureS.begin(), signatureS.end()); - - cbSignature = static_cast(encodedSignature.size()); - pbSignature.reset(); - pbSignature = wil::make_unique_hlocal(cbSignature); - THROW_HR_IF(E_UNEXPECTED, pbSignature == nullptr); - memcpy_s(pbSignature.get(), cbSignature, encodedSignature.data(), static_cast(cbSignature)); - } - - // create the response - auto operationResponse = wil::make_unique_cotaskmem(); - - auto assertionResponse = wil::make_unique_cotaskmem(); - assertionResponse->dwVersion = WEBAUTHN_ASSERTION_CURRENT_VERSION; - - // [1] Credential (optional) - assertionResponse->Credential.dwVersion = WEBAUTHN_CREDENTIAL_CURRENT_VERSION; - 
assertionResponse->Credential.cbId = static_cast(vCredentialIdBuffer.size()); - assertionResponse->Credential.pbId = vCredentialIdBuffer.data(); - assertionResponse->Credential.pwszCredentialType = WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY; - - // [2] AuthenticatorData - assertionResponse->cbAuthenticatorData = cbPackedAuthenticatorData; - assertionResponse->pbAuthenticatorData = packedAuthenticatorData.get(); - - // [3] Signature - assertionResponse->cbSignature = cbSignature; - assertionResponse->pbSignature = pbSignature.get(); - - // [4] User (optional) - assertionResponse->cbUserId = selectedCredential->pUserInformation->cbId; - auto userIdBuffer = wil::make_unique_cotaskmem(selectedCredential->pUserInformation->cbId); - memcpy_s(userIdBuffer.get(), - selectedCredential->pUserInformation->cbId, - selectedCredential->pUserInformation->pbId, - selectedCredential->pUserInformation->cbId); - assertionResponse->pbUserId = userIdBuffer.get(); - WEBAUTHN_USER_ENTITY_INFORMATION userEntityInformation{}; - userEntityInformation.dwVersion = WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION; - userEntityInformation.cbId = assertionResponse->cbUserId; - userEntityInformation.pbId = assertionResponse->pbUserId; - - auto ctapGetAssertionResponse = wil::make_unique_cotaskmem(); - ctapGetAssertionResponse->WebAuthNAssertion = *(assertionResponse.get()); // [1] Credential, [2] AuthenticatorData, [3] Signature - ctapGetAssertionResponse->pUserInformation = &userEntityInformation; // [4] User - ctapGetAssertionResponse->dwNumberOfCredentials = 1; // [5] NumberOfCredentials - - DWORD cbAssertionBuffer = 0; - PBYTE pbAssertionBuffer; - - // The EXPERIMENTAL_WebAuthNEncodeGetAssertionResponse function can be optionally used to encode the - // EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE structure to a CBOR encoded response. 
- auto webAuthNEncodeGetAssertionResponse = GetProcAddressByFunctionDeclaration(webauthnDll.get(), EXPERIMENTAL_WebAuthNEncodeGetAssertionResponse); - THROW_IF_FAILED(webAuthNEncodeGetAssertionResponse( - (EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE)(ctapGetAssertionResponse.get()), - &cbAssertionBuffer, - &pbAssertionBuffer)); - - assertionResponse.reset(); - ctapGetAssertionResponse.reset(); - userIdBuffer.reset(); - packedAuthenticatorData.reset(); - pbSignature.reset(); - pDecodedAssertionRequest.reset(); - - operationResponse->cbEncodedResponse = cbAssertionBuffer; - // pbEncodedResponse must contain a CBOR encoded response as specified the FIDO CTAP. - // Refer: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#message-encoding. - operationResponse->pbEncodedResponse = wil::make_unique_cotaskmem(cbAssertionBuffer).release(); - memcpy_s( - operationResponse->pbEncodedResponse, - operationResponse->cbEncodedResponse, - pbAssertionBuffer, - cbAssertionBuffer); - - *response = operationResponse.release(); - SetEvent(App::s_hPluginOpCompletedEvent.get()); - return S_OK; - } - catch (...) - { - HRESULT localHr = wil::ResultFromCaughtException(); - { - winrt::com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as(); - std::lock_guard lock(curApp->m_pluginOperationOptionsMutex); - curApp->m_pluginOperationStatus.performOperationStatus = localHr; - } - SetEvent(App::s_hPluginOpCompletedEvent.get()); - return localHr; - } - } - - /* - * This function is invoked by the platform to request the plugin to cancel an ongoing operation. 
- */ - HRESULT STDMETHODCALLTYPE ContosoPlugin::EXPERIMENTAL_PluginCancelOperation( - /* [out] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST) - { - SetEvent(App::s_pluginOpRequestRecievedEvent.get()); - com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as(); - curApp->GetDispatcherQueue().TryEnqueue([curApp]() - { - curApp->PluginCancelAction(); - }); - return S_OK; - } - - /* - * This is a sample implementation of a factory method that creates an instance of the Class that implements the EXPERIMENTAL_IPluginAuthenticator interface. - * Refer: pluginauthenticator.h/pluginauthenticator.idl for the interface definition. - */ - HRESULT __stdcall ContosoPluginFactory::CreateInstance( - ::IUnknown* outer, - GUID const& iid, - void** result) noexcept - { - *result = nullptr; - - if (outer) - { - return CLASS_E_NOAGGREGATION; - } - - try - { - return make()->QueryInterface(iid, result); - } - catch (...) - { - return winrt::to_hresult(); - } - } - - HRESULT __stdcall ContosoPluginFactory::LockServer(BOOL) noexcept - { - return S_OK; - } - -} diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.cpp.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.cpp.sample deleted file mode 100644 index c5a5a52bfa5..00000000000 --- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.cpp.sample +++ /dev/null 
@@ -1,126 +0,0 @@ -#include "pch.h" -#include "MainPage.xaml.h" -#include "PluginRegistrationManager.h" -#include - -namespace winrt::PasskeyManager::implementation { - PluginRegistrationManager::PluginRegistrationManager() : - m_pluginRegistered(false), - m_initialized(false), - m_pluginState(EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE::PluginAuthenticatorState_Unknown) - { - Initialize(); - m_webAuthnDll.reset(LoadLibraryExW(L"webauthn.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32)); - } - - PluginRegistrationManager::~PluginRegistrationManager() - { - } - - HRESULT PluginRegistrationManager::Initialize() - { - HRESULT hr = RefreshPluginState(); - RETURN_HR_IF_EXPECTED(S_OK, RefreshPluginState() == NTE_NOT_FOUND); - RETURN_HR(hr); - } - - HRESULT PluginRegistrationManager::RegisterPlugin() - { - // Get the function pointer of WebAuthNPluginAddAuthenticator - auto webAuthNPluginAddAuthenticator = GetProcAddressByFunctionDeclaration( - m_webAuthnDll.get(), - EXPERIMENTAL_WebAuthNPluginAddAuthenticator); - RETURN_HR_IF_NULL(E_FAIL, webAuthNPluginAddAuthenticator); - - /* - * This section creates a sample authenticatorInfo blob to include in the registration - * request. This blob must CBOR encoded using the format defined - * in https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfo - * - * 'AAGUID' maybe used to fetch information about the authenticator from the FIDO Metadata Service and other sources. - * Refer: https://fidoalliance.org/metadata/ - * - * 'extensions' field is used to perform feature detection on the authenticator - * and maybe used to determine if the authenticator is filtered out. 
- */ - std::string tempAaguidStr{ c_pluginAaguid }; - tempAaguidStr.erase(std::remove(tempAaguidStr.begin(), tempAaguidStr.end(), L'-'), tempAaguidStr.end()); - std::transform(tempAaguidStr.begin(), tempAaguidStr.end(), tempAaguidStr.begin(), [](unsigned char c) { return static_cast(std::toupper(c)); }); - // The following hex strings represent the encoding of - // {1: ["FIDO_2_0", "FIDO_2_1"], 2: ["prf", "hmac-secret"], 3: h'/* AAGUID */', 4: {"rk": true, "up": true, "uv": true}, - // 9: ["internal"], 10: [{"alg": -7, "type": "public-key"}]} - std::string authenticatorInfoStrPart1 = "A60182684649444F5F325F30684649444F5F325F310282637072666B686D61632D7365637265740350"; - std::string authenticatorInfoStrPart2 = "04A362726BF5627570F5627576F5098168696E7465726E616C0A81A263616C672664747970656A7075626C69632D6B6579"; - std::string fullAuthenticatorInfoStr = authenticatorInfoStrPart1 + tempAaguidStr + authenticatorInfoStrPart2; - std::vector authenticatorInfo = hexStringToBytes(fullAuthenticatorInfoStr); - - // Validate that c_pluginClsid is a valid CLSID - CLSID CLSID_ContosoPluginAuthenticator; - RETURN_IF_FAILED(CLSIDFromString(c_pluginClsid, &CLSID_ContosoPluginAuthenticator)); - - EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS addOptions{}; - addOptions.pwszAuthenticatorName = c_pluginName; - addOptions.pwszPluginRpId = c_pluginRpId; - addOptions.pwszPluginClsId = c_pluginClsid; - addOptions.pbAuthenticatorInfo = authenticatorInfo.data(); - addOptions.cbAuthenticatorInfo = static_cast(authenticatorInfo.size()); - - EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE addResponse; - RETURN_IF_FAILED(webAuthNPluginAddAuthenticator(&addOptions, &addResponse)); - - // The response from plugin contains the public key used to sign plugin operation requests. Stash it for later use. 
- wil::unique_hkey hKey; - RETURN_IF_WIN32_ERROR(RegCreateKeyEx( - HKEY_CURRENT_USER, - c_pluginRegistryPath, - 0, - nullptr, - REG_OPTION_NON_VOLATILE, - KEY_WRITE, - nullptr, - &hKey, - nullptr)); - - RETURN_IF_WIN32_ERROR(RegSetValueEx( - hKey.get(), - c_windowsPluginRequestSigningKeyRegKeyName, - 0, - REG_BINARY, - addResponse->pbOpSignPubKey, - addResponse->cbOpSignPubKey)); - return S_OK; - } - - HRESULT PluginRegistrationManager::UnregisterPlugin() - { - // Get the function pointer of WebAuthNPluginRemoveAuthenticator - auto webAuthNPluginRemoveAuthenticator = GetProcAddressByFunctionDeclaration( - m_webAuthnDll.get(), - EXPERIMENTAL_WebAuthNPluginRemoveAuthenticator); - RETURN_HR_IF_NULL(E_FAIL, webAuthNPluginRemoveAuthenticator); - - RETURN_HR(webAuthNPluginRemoveAuthenticator(c_pluginClsid)); - } - - HRESULT PluginRegistrationManager::RefreshPluginState() - { - // Reset the plugin state and registration status - m_pluginRegistered = false; - m_pluginState = EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE::PluginAuthenticatorState_Unknown; - - // Get handle to EXPERIMENTAL_WebAuthNPluginGetAuthenticatorState which takes in a GUID and returns EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE - auto webAuthNPluginGetAuthenticatorState = GetProcAddressByFunctionDeclaration( - m_webAuthnDll.get(), - EXPERIMENTAL_WebAuthNPluginGetAuthenticatorState); - RETURN_HR_IF_NULL(E_FAIL, webAuthNPluginGetAuthenticatorState); - - // Get the plugin state - EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE localPluginState; - RETURN_IF_FAILED(webAuthNPluginGetAuthenticatorState(c_pluginClsid, &localPluginState)); - - // If the EXPERIMENTAL_WebAuthNPluginGetAuthenticatorState function succeeded, that indicates the plugin is registered and localPluginState is the valid plugin state - m_pluginRegistered = true; - m_pluginState = localPluginState; - return S_OK; - } -} \ No newline at end of file 
diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.h.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.h.sample deleted file mode 100644 index df0d3b6949b..00000000000 --- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/PluginRegistrationManager.h.sample +++ /dev/null 
@@ -1,80 +0,0 @@ -#pragma once -#include "pch.h" -#include -#include -#include -#include -#include - -constexpr wchar_t c_pluginName[] = L"Contoso Passkey Manager"; -constexpr wchar_t c_pluginRpId[] = L"contoso.com"; - -/* The AAGUID is a unique identifier for the FIDO authenticator model. -*'AAGUID' maybe used to fetch information about the authenticator from the FIDO Metadata Service and other sources. -* Refer: https://fidoalliance.org/metadata/ -*/ -constexpr char c_pluginAaguid[] = "########-####-####-####-############"; -static_assert(c_pluginAaguid[1] != '#', "Please replace the ##### above with your AAGUID or a value you generated by running guidgen"); - -/* Generate a GUID using guidgen and replace below and in Package.appxmanifest file */ -constexpr wchar_t c_pluginClsid[] = L"{########-####-####-####-############}"; -static_assert(c_pluginClsid[1] != '#', "Please replace the ##### above with a GUID you generated by running guidgen"); - - -constexpr wchar_t c_pluginSigningKeyName[] = L"TestAppPluginIdKey"; -constexpr wchar_t c_pluginRegistryPath[] = L"Software\\Contoso\\PasskeyManager"; -constexpr wchar_t c_windowsPluginRequestSigningKeyRegKeyName[] = L"RequestSigningKeyBlob"; -constexpr wchar_t c_windowsPluginVaultLockedRegKeyName[] = L"VaultLocked"; -constexpr wchar_t c_windowsPluginSilentOperationRegKeyName[] = L"SilentOperation"; -constexpr wchar_t c_windowsPluginDBUpdateInd[] = L"SilentOperation"; - -namespace winrt::PasskeyManager::implementation -{ - class PluginRegistrationManager - { - public: - static PluginRegistrationManager& getInstance() - { - static PluginRegistrationManager instance; - return instance; - } - - // Initialize function which calls GetPluginState to check if the plugin is already registered - HRESULT Initialize(); - - HRESULT RegisterPlugin(); - HRESULT UnregisterPlugin(); - - HRESULT RefreshPluginState(); - - bool IsPluginRegistered() const - { - return m_pluginRegistered; - } - - EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE 
GetPluginState() const - { - return m_pluginState; - } - - private: - EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE m_pluginState; - bool m_initialized = false; - bool m_pluginRegistered = false; - wil::unique_hmodule m_webAuthnDll; - - PluginRegistrationManager(); - ~PluginRegistrationManager(); - PluginRegistrationManager(const PluginRegistrationManager&) = delete; - PluginRegistrationManager& operator=(const PluginRegistrationManager&) = delete; - - void UpdatePasskeyOperationStatusText(hstring const& statusText) - { - com_ptr curApp = winrt::Microsoft::UI::Xaml::Application::Current().as(); - curApp->GetDispatcherQueue().TryEnqueue([curApp, statusText]() - { - curApp->m_window.Content().try_as().Content().try_as()->UpdatePasskeyOperationStatusText(statusText); - }); - } - }; -}; \ No newline at end of file diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/pluginauthenticator.h.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/pluginauthenticator.h.sample deleted file mode 100644 index 3e5bfcb80c9..00000000000 --- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/pluginauthenticator.h.sample +++ /dev/null 
@@ -1,239 +0,0 @@ - - -/* this ALWAYS GENERATED file contains the definitions for the interfaces */ - - - /* File created by MIDL compiler version 8.01.0628 */ -/* @@MIDL_FILE_HEADING( ) */ - - - -/* verify that the version is high enough to compile this file*/ -#ifndef __REQUIRED_RPCNDR_H_VERSION__ -#define __REQUIRED_RPCNDR_H_VERSION__ 501 -#endif - -/* verify that the version is high enough to compile this file*/ -#ifndef __REQUIRED_RPCSAL_H_VERSION__ -#define __REQUIRED_RPCSAL_H_VERSION__ 100 -#endif - -#include "rpc.h" -#include "rpcndr.h" - -#ifndef __RPCNDR_H_VERSION__ -#error this stub requires an updated version of -#endif /* __RPCNDR_H_VERSION__ */ - -#ifndef COM_NO_WINDOWS_H -#include "windows.h" -#include "ole2.h" -#endif /*COM_NO_WINDOWS_H*/ - -#ifndef __pluginauthenticator_h__ -#define __pluginauthenticator_h__ - -#if defined(_MSC_VER) && (_MSC_VER >= 1020) -#pragma once -#endif - -#ifndef DECLSPEC_XFGVIRT -#if defined(_CONTROL_FLOW_GUARD_XFG) -#define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func)) -#else -#define DECLSPEC_XFGVIRT(base, func) -#endif -#endif - -/* Forward Declarations */ - -#ifndef __EXPERIMENTAL_IPluginAuthenticator_FWD_DEFINED__ -#define __EXPERIMENTAL_IPluginAuthenticator_FWD_DEFINED__ -typedef interface EXPERIMENTAL_IPluginAuthenticator EXPERIMENTAL_IPluginAuthenticator; - -#endif /* __EXPERIMENTAL_IPluginAuthenticator_FWD_DEFINED__ */ - - -/* header files for imported files */ -#include "oaidl.h" -#include "webauthn.h" - -#ifdef __cplusplus -extern "C"{ -#endif - - -/* interface __MIDL_itf_pluginauthenticator_0000_0000 */ -/* [local] */ - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_REQUEST - { - HWND hWnd; - GUID transactionId; - DWORD cbRequestSignature; - /* [size_is] */ byte *pbRequestSignature; - DWORD cbEncodedRequest; - /* [size_is] */ byte *pbEncodedRequest; - } EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_REQUEST; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_REQUEST 
*EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_REQUEST; - -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_REQUEST *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_RESPONSE - { - DWORD cbEncodedResponse; - /* [size_is] */ byte *pbEncodedResponse; - } EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_RESPONSE; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_RESPONSE *EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE; - -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_OPERATION_RESPONSE *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_RESPONSE; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST - { - GUID transactionId; - DWORD cbRequestSignature; - /* [size_is] */ byte *pbRequestSignature; - } EXPERIMENTAL_WEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST *EXPERIMENTAL_PWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST; - -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST; - - - -extern RPC_IF_HANDLE __MIDL_itf_pluginauthenticator_0000_0000_v0_0_c_ifspec; -extern RPC_IF_HANDLE __MIDL_itf_pluginauthenticator_0000_0000_v0_0_s_ifspec; - -#ifndef __EXPERIMENTAL_IPluginAuthenticator_INTERFACE_DEFINED__ -#define __EXPERIMENTAL_IPluginAuthenticator_INTERFACE_DEFINED__ - -/* interface EXPERIMENTAL_IPluginAuthenticator */ -/* [unique][version][uuid][object] */ - - -EXTERN_C const IID IID_EXPERIMENTAL_IPluginAuthenticator; - -#if defined(__cplusplus) && !defined(CINTERFACE) - - MIDL_INTERFACE("e6466e9a-b2f3-47c5-b88d-89bc14a8d998") - EXPERIMENTAL_IPluginAuthenticator : public IUnknown - { - public: - virtual HRESULT STDMETHODCALLTYPE EXPERIMENTAL_PluginMakeCredential( - /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST request, - /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE *response) = 0; - - virtual HRESULT 
STDMETHODCALLTYPE EXPERIMENTAL_PluginGetAssertion( - /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST request, - /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE *response) = 0; - - virtual HRESULT STDMETHODCALLTYPE EXPERIMENTAL_PluginCancelOperation( - /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST request) = 0; - - }; - - -#else /* C style interface */ - - typedef struct EXPERIMENTAL_IPluginAuthenticatorVtbl - { - BEGIN_INTERFACE - - DECLSPEC_XFGVIRT(IUnknown, QueryInterface) - HRESULT ( STDMETHODCALLTYPE *QueryInterface )( - __RPC__in EXPERIMENTAL_IPluginAuthenticator * This, - /* [in] */ __RPC__in REFIID riid, - /* [annotation][iid_is][out] */ - _COM_Outptr_ void **ppvObject); - - DECLSPEC_XFGVIRT(IUnknown, AddRef) - ULONG ( STDMETHODCALLTYPE *AddRef )( - __RPC__in EXPERIMENTAL_IPluginAuthenticator * This); - - DECLSPEC_XFGVIRT(IUnknown, Release) - ULONG ( STDMETHODCALLTYPE *Release )( - __RPC__in EXPERIMENTAL_IPluginAuthenticator * This); - - DECLSPEC_XFGVIRT(EXPERIMENTAL_IPluginAuthenticator, EXPERIMENTAL_PluginMakeCredential) - HRESULT ( STDMETHODCALLTYPE *EXPERIMENTAL_PluginMakeCredential )( - __RPC__in EXPERIMENTAL_IPluginAuthenticator * This, - /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST request, - /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE *response); - - DECLSPEC_XFGVIRT(EXPERIMENTAL_IPluginAuthenticator, EXPERIMENTAL_PluginGetAssertion) - HRESULT ( STDMETHODCALLTYPE *EXPERIMENTAL_PluginGetAssertion )( - __RPC__in EXPERIMENTAL_IPluginAuthenticator * This, - /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_OPERATION_REQUEST request, - /* [out] */ __RPC__deref_out_opt EXPERIMENTAL_PWEBAUTHN_PLUGIN_OPERATION_RESPONSE *response); - - DECLSPEC_XFGVIRT(EXPERIMENTAL_IPluginAuthenticator, EXPERIMENTAL_PluginCancelOperation) - HRESULT ( STDMETHODCALLTYPE *EXPERIMENTAL_PluginCancelOperation )( - __RPC__in 
EXPERIMENTAL_IPluginAuthenticator * This, - /* [in] */ __RPC__in EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CANCEL_OPERATION_REQUEST request); - - END_INTERFACE - } EXPERIMENTAL_IPluginAuthenticatorVtbl; - - interface EXPERIMENTAL_IPluginAuthenticator - { - CONST_VTBL struct EXPERIMENTAL_IPluginAuthenticatorVtbl *lpVtbl; - }; - - - -#ifdef COBJMACROS - - -#define EXPERIMENTAL_IPluginAuthenticator_QueryInterface(This,riid,ppvObject) \ - ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) ) - -#define EXPERIMENTAL_IPluginAuthenticator_AddRef(This) \ - ( (This)->lpVtbl -> AddRef(This) ) - -#define EXPERIMENTAL_IPluginAuthenticator_Release(This) \ - ( (This)->lpVtbl -> Release(This) ) - - -#define EXPERIMENTAL_IPluginAuthenticator_EXPERIMENTAL_PluginMakeCredential(This,request,response) \ - ( (This)->lpVtbl -> EXPERIMENTAL_PluginMakeCredential(This,request,response) ) - -#define EXPERIMENTAL_IPluginAuthenticator_EXPERIMENTAL_PluginGetAssertion(This,request,response) \ - ( (This)->lpVtbl -> EXPERIMENTAL_PluginGetAssertion(This,request,response) ) - -#define EXPERIMENTAL_IPluginAuthenticator_EXPERIMENTAL_PluginCancelOperation(This,request) \ - ( (This)->lpVtbl -> EXPERIMENTAL_PluginCancelOperation(This,request) ) - -#endif /* COBJMACROS */ - - -#endif /* C style interface */ - - - - -#endif /* __EXPERIMENTAL_IPluginAuthenticator_INTERFACE_DEFINED__ */ - - -/* Additional Prototypes for ALL interfaces */ - -unsigned long __RPC_USER HWND_UserSize( __RPC__in unsigned long *, unsigned long , __RPC__in HWND * ); -unsigned char * __RPC_USER HWND_UserMarshal( __RPC__in unsigned long *, __RPC__inout_xcount(0) unsigned char *, __RPC__in HWND * ); -unsigned char * __RPC_USER HWND_UserUnmarshal(__RPC__in unsigned long *, __RPC__in_xcount(0) unsigned char *, __RPC__out HWND * ); -void __RPC_USER HWND_UserFree( __RPC__in unsigned long *, __RPC__in HWND * ); - -unsigned long __RPC_USER HWND_UserSize64( __RPC__in unsigned long *, unsigned long , __RPC__in HWND * ); -unsigned char * __RPC_USER 
HWND_UserMarshal64( __RPC__in unsigned long *, __RPC__inout_xcount(0) unsigned char *, __RPC__in HWND * ); -unsigned char * __RPC_USER HWND_UserUnmarshal64(__RPC__in unsigned long *, __RPC__in_xcount(0) unsigned char *, __RPC__out HWND * ); -void __RPC_USER HWND_UserFree64( __RPC__in unsigned long *, __RPC__in HWND * ); - -/* end of Additional Prototypes */ - -#ifdef __cplusplus -} -#endif - -#endif - - diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/webauthn.h.sample b/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/webauthn.h.sample deleted file mode 100644 index 2f50e771bed..00000000000 --- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/samples/webauthn.h.sample +++ /dev/null 
@@ -1,1727 +0,0 @@ -// Copyright (c) Microsoft Corporation. All rights reserved. -// Licensed under the MIT License. - -#ifndef __WEBAUTHN_H_ -#define __WEBAUTHN_H_ - -#pragma once - -#include - -#pragma region Desktop Family or OneCore Family -#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM) - -#ifdef __cplusplus -extern "C" { -#endif - -#ifndef WINAPI -#define WINAPI __stdcall -#endif - -#ifndef INITGUID -#define INITGUID -#include -#undef INITGUID -#else -#include -#endif - -//+------------------------------------------------------------------------------------------ -// API Version Information. -// Caller should check for WebAuthNGetApiVersionNumber to check the presence of relevant APIs -// and features for their usage. -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_API_VERSION_1 1 -// WEBAUTHN_API_VERSION_1 : Baseline Version -// Data Structures and their sub versions: -// - WEBAUTHN_RP_ENTITY_INFORMATION : 1 -// - WEBAUTHN_USER_ENTITY_INFORMATION : 1 -// - WEBAUTHN_CLIENT_DATA : 1 -// - WEBAUTHN_COSE_CREDENTIAL_PARAMETER : 1 -// - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS : Not Applicable -// - WEBAUTHN_CREDENTIAL : 1 -// - WEBAUTHN_CREDENTIALS : Not Applicable -// - WEBAUTHN_CREDENTIAL_EX : 1 -// - WEBAUTHN_CREDENTIAL_LIST : Not Applicable -// - WEBAUTHN_EXTENSION : Not Applicable -// - WEBAUTHN_EXTENSIONS : Not Applicable -// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 3 -// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 4 -// - WEBAUTHN_COMMON_ATTESTATION : 1 -// - WEBAUTHN_CREDENTIAL_ATTESTATION : 3 -// - WEBAUTHN_ASSERTION : 1 -// Extensions: -// - WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET -// APIs: -// - WebAuthNGetApiVersionNumber -// - WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable -// - WebAuthNAuthenticatorMakeCredential -// - WebAuthNAuthenticatorGetAssertion -// - WebAuthNFreeCredentialAttestation -// - WebAuthNFreeAssertion -// - 
WebAuthNGetCancellationId -// - WebAuthNCancelCurrentOperation -// - WebAuthNGetErrorName -// - WebAuthNGetW3CExceptionDOMError -// Transports: -// - WEBAUTHN_CTAP_TRANSPORT_USB -// - WEBAUTHN_CTAP_TRANSPORT_NFC -// - WEBAUTHN_CTAP_TRANSPORT_BLE -// - WEBAUTHN_CTAP_TRANSPORT_INTERNAL - -#define WEBAUTHN_API_VERSION_2 2 -// WEBAUTHN_API_VERSION_2 : Delta From WEBAUTHN_API_VERSION_1 -// Added Extensions: -// - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT -// - -#define WEBAUTHN_API_VERSION_3 3 -// WEBAUTHN_API_VERSION_3 : Delta From WEBAUTHN_API_VERSION_2 -// Data Structures and their sub versions: -// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 4 -// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 5 -// - WEBAUTHN_CREDENTIAL_ATTESTATION : 4 -// - WEBAUTHN_ASSERTION : 2 -// Added Extensions: -// - WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB -// - WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH -// - -#define WEBAUTHN_API_VERSION_4 4 -// WEBAUTHN_API_VERSION_4 : Delta From WEBAUTHN_API_VERSION_3 -// Data Structures and their sub versions: -// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 5 -// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 6 -// - WEBAUTHN_ASSERTION : 3 -// - WEBAUTHN_CREDENTIAL_DETAILS : 1 -// APIs: -// - WebAuthNGetPlatformCredentialList -// - WebAuthNFreePlatformCredentialList -// - WebAuthNDeletePlatformCredential -// - -#define WEBAUTHN_API_VERSION_5 5 -// WEBAUTHN_API_VERSION_5 : Delta From WEBAUTHN_API_VERSION_4 -// Data Structures and their sub versions: -// - WEBAUTHN_CREDENTIAL_DETAILS : 2 -// Extension Changes: -// - Enabled LARGE_BLOB Support -// - -#define WEBAUTHN_API_VERSION_6 6 -// WEBAUTHN_API_VERSION_6 : Delta From WEBAUTHN_API_VERSION_5 -// Data Structures and their sub versions: -// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 6 -// - WEBAUTHN_CREDENTIAL_ATTESTATION : 5 -// - WEBAUTHN_ASSERTION : 4 -// Transports: -// - WEBAUTHN_CTAP_TRANSPORT_HYBRID - -#define WEBAUTHN_API_VERSION_7 7 -// WEBAUTHN_API_VERSION_7 : 
Delta From WEBAUTHN_API_VERSION_6 -// Data Structures and their sub versions: -// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 7 -// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 7 -// - WEBAUTHN_CREDENTIAL_ATTESTATION : 6 -// - WEBAUTHN_ASSERTION : 5 - -#define WEBAUTHN_API_VERSION_8 8 -// WEBAUTHN_API_VERSION_8 : Delta From WEBAUTHN_API_VERSION_7 -// Data Structures and their sub versions: -// - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS : 8 -// - WEBAUTHN_CREDENTIAL_DETAILS : 3 -// - WEBAUTHN_CREDENTIAL_ATTESTATION : 7 -// - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS : 8 - -#define WEBAUTHN_API_CURRENT_VERSION WEBAUTHN_API_VERSION_8 - -//+------------------------------------------------------------------------------------------ -// Information about an RP Entity -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION 1 - -typedef struct _WEBAUTHN_RP_ENTITY_INFORMATION { - // Version of this structure, to allow for modifications in the future. - // This field is required and should be set to CURRENT_VERSION above. - DWORD dwVersion; - - // Identifier for the RP. This field is required. - PCWSTR pwszId; - - // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site". - // This field is required. - PCWSTR pwszName; - - // Optional URL pointing to RP's logo. 
- PCWSTR pwszIcon; -} WEBAUTHN_RP_ENTITY_INFORMATION, *PWEBAUTHN_RP_ENTITY_INFORMATION; -typedef const WEBAUTHN_RP_ENTITY_INFORMATION *PCWEBAUTHN_RP_ENTITY_INFORMATION; - -//+------------------------------------------------------------------------------------------ -// Information about an User Entity -//------------------------------------------------------------------------------------------- -#define WEBAUTHN_MAX_USER_ID_LENGTH 64 - -#define WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION 1 - -typedef struct _WEBAUTHN_USER_ENTITY_INFORMATION { - // Version of this structure, to allow for modifications in the future. - // This field is required and should be set to CURRENT_VERSION above. - DWORD dwVersion; - - // Identifier for the User. This field is required. - DWORD cbId; - _Field_size_bytes_(cbId) - PBYTE pbId; - - // Contains a detailed name for this account, such as "john.p.smith@example.com". - PCWSTR pwszName; - - // Optional URL that can be used to retrieve an image containing the user's current avatar, - // or a data URI that contains the image data. - PCWSTR pwszIcon; - - // For User: Contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith". - PCWSTR pwszDisplayName; -} WEBAUTHN_USER_ENTITY_INFORMATION, *PWEBAUTHN_USER_ENTITY_INFORMATION; -typedef const WEBAUTHN_USER_ENTITY_INFORMATION *PCWEBAUTHN_USER_ENTITY_INFORMATION; - -//+------------------------------------------------------------------------------------------ -// Information about client data. -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_HASH_ALGORITHM_SHA_256 L"SHA-256" -#define WEBAUTHN_HASH_ALGORITHM_SHA_384 L"SHA-384" -#define WEBAUTHN_HASH_ALGORITHM_SHA_512 L"SHA-512" - -#define WEBAUTHN_CLIENT_DATA_CURRENT_VERSION 1 - -typedef struct _WEBAUTHN_CLIENT_DATA { - // Version of this structure, to allow for modifications in the future. 
- // This field is required and should be set to CURRENT_VERSION above. - DWORD dwVersion; - - // Size of the pbClientDataJSON field. - DWORD cbClientDataJSON; - // UTF-8 encoded JSON serialization of the client data. - _Field_size_bytes_(cbClientDataJSON) - PBYTE pbClientDataJSON; - - // Hash algorithm ID used to hash the pbClientDataJSON field. - LPCWSTR pwszHashAlgId; -} WEBAUTHN_CLIENT_DATA, *PWEBAUTHN_CLIENT_DATA; -typedef const WEBAUTHN_CLIENT_DATA *PCWEBAUTHN_CLIENT_DATA; - -//+------------------------------------------------------------------------------------------ -// Information about credential parameters. -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY L"public-key" - -#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256 -7 -#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P384_WITH_SHA384 -35 -#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P521_WITH_SHA512 -36 - -#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA256 -257 -#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA384 -258 -#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA512 -259 - -#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA256 -37 -#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA384 -38 -#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA512 -39 - -#define WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION 1 - -typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETER { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Well-known credential type specifying a credential to create. - LPCWSTR pwszCredentialType; - - // Well-known COSE algorithm specifying the algorithm to use for the credential. 
- LONG lAlg; -} WEBAUTHN_COSE_CREDENTIAL_PARAMETER, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETER; -typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETER *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETER; - -typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETERS { - DWORD cCredentialParameters; - _Field_size_(cCredentialParameters) - PWEBAUTHN_COSE_CREDENTIAL_PARAMETER pCredentialParameters; -} WEBAUTHN_COSE_CREDENTIAL_PARAMETERS, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETERS; -typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETERS *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS; - -//+------------------------------------------------------------------------------------------ -// Information about credential. -//------------------------------------------------------------------------------------------- -#define WEBAUTHN_CREDENTIAL_CURRENT_VERSION 1 - -typedef struct _WEBAUTHN_CREDENTIAL { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Size of pbID. - DWORD cbId; - // Unique ID for this particular credential. - _Field_size_bytes_(cbId) - PBYTE pbId; - - // Well-known credential type specifying what this particular credential is. 
- LPCWSTR pwszCredentialType; -} WEBAUTHN_CREDENTIAL, *PWEBAUTHN_CREDENTIAL; -typedef const WEBAUTHN_CREDENTIAL *PCWEBAUTHN_CREDENTIAL; - -typedef struct _WEBAUTHN_CREDENTIALS { - DWORD cCredentials; - _Field_size_(cCredentials) - PWEBAUTHN_CREDENTIAL pCredentials; -} WEBAUTHN_CREDENTIALS, *PWEBAUTHN_CREDENTIALS; -typedef const WEBAUTHN_CREDENTIALS *PCWEBAUTHN_CREDENTIALS; - -//+------------------------------------------------------------------------------------------ -// Information about credential with extra information, such as, dwTransports -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_CTAP_TRANSPORT_USB 0x00000001 -#define WEBAUTHN_CTAP_TRANSPORT_NFC 0x00000002 -#define WEBAUTHN_CTAP_TRANSPORT_BLE 0x00000004 -#define WEBAUTHN_CTAP_TRANSPORT_TEST 0x00000008 -#define WEBAUTHN_CTAP_TRANSPORT_INTERNAL 0x00000010 -#define WEBAUTHN_CTAP_TRANSPORT_HYBRID 0x00000020 -#define WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK 0x0000003F - -#define WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION 1 - -typedef struct _WEBAUTHN_CREDENTIAL_EX { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Size of pbID. - DWORD cbId; - // Unique ID for this particular credential. - _Field_size_bytes_(cbId) - PBYTE pbId; - - // Well-known credential type specifying what this particular credential is. - LPCWSTR pwszCredentialType; - - // Transports. 0 implies no transport restrictions. 
- DWORD dwTransports; -} WEBAUTHN_CREDENTIAL_EX, *PWEBAUTHN_CREDENTIAL_EX; -typedef const WEBAUTHN_CREDENTIAL_EX *PCWEBAUTHN_CREDENTIAL_EX; - -//+------------------------------------------------------------------------------------------ -// Information about credential list with extra information -//------------------------------------------------------------------------------------------- - -typedef struct _WEBAUTHN_CREDENTIAL_LIST { - DWORD cCredentials; - _Field_size_(cCredentials) - PWEBAUTHN_CREDENTIAL_EX *ppCredentials; -} WEBAUTHN_CREDENTIAL_LIST, *PWEBAUTHN_CREDENTIAL_LIST; -typedef const WEBAUTHN_CREDENTIAL_LIST *PCWEBAUTHN_CREDENTIAL_LIST; - -//+------------------------------------------------------------------------------------------ -// Information about linked devices -//------------------------------------------------------------------------------------------- - -#define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1 1 -#define CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_CURRENT_VERSION CTAPCBOR_HYBRID_STORAGE_LINKED_DATA_VERSION_1 - -typedef struct _CTAPCBOR_HYBRID_STORAGE_LINKED_DATA -{ - // Version - DWORD dwVersion; - - // Contact Id - DWORD cbContactId; - _Field_size_bytes_(cbContactId) - PBYTE pbContactId; - - // Link Id - DWORD cbLinkId; - _Field_size_bytes_(cbLinkId) - PBYTE pbLinkId; - - // Link secret - DWORD cbLinkSecret; - _Field_size_bytes_(cbLinkSecret) - PBYTE pbLinkSecret; - - // Authenticator Public Key - DWORD cbPublicKey; - _Field_size_bytes_(cbPublicKey) - PBYTE pbPublicKey; - - // Authenticator Name - PCWSTR pwszAuthenticatorName; - - // Tunnel server domain - WORD wEncodedTunnelServerDomain; -} CTAPCBOR_HYBRID_STORAGE_LINKED_DATA, *PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA; -typedef const CTAPCBOR_HYBRID_STORAGE_LINKED_DATA *PCCTAPCBOR_HYBRID_STORAGE_LINKED_DATA; - -//+------------------------------------------------------------------------------------------ -// Credential Information for WebAuthNGetPlatformCredentialList API 
-//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_1 1 -#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2 2 -#define WEBAUTHN_CREDENTIAL_DETAILS_VERSION_3 3 -#define WEBAUTHN_CREDENTIAL_DETAILS_CURRENT_VERSION WEBAUTHN_CREDENTIAL_DETAILS_VERSION_3 - -typedef struct _WEBAUTHN_CREDENTIAL_DETAILS { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Size of pbCredentialID. - DWORD cbCredentialID; - _Field_size_bytes_(cbCredentialID) - PBYTE pbCredentialID; - - // RP Info - PWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation; - - // User Info - PWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation; - - // Removable or not. - BOOL bRemovable; - - // - // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_2 - // - - // Backed Up or not. - BOOL bBackedUp; - - // - // The following fields have been added in WEBAUTHN_CREDENTIAL_DETAILS_VERSION_3 - // - PCWSTR pwszAuthenticatorName; - - // The logo is expected to be in the svg format - DWORD cbAuthenticatorLogo; - _Field_size_bytes_(cbAuthenticatorLogo) - PBYTE pbAuthenticatorLogo; - - // ThirdPartyPayment Credential or not. 
- BOOL bThirdPartyPayment; - -} WEBAUTHN_CREDENTIAL_DETAILS, *PWEBAUTHN_CREDENTIAL_DETAILS; -typedef const WEBAUTHN_CREDENTIAL_DETAILS *PCWEBAUTHN_CREDENTIAL_DETAILS; - -typedef struct _WEBAUTHN_CREDENTIAL_DETAILS_LIST { - DWORD cCredentialDetails; - _Field_size_(cCredentialDetails) - PWEBAUTHN_CREDENTIAL_DETAILS *ppCredentialDetails; -} WEBAUTHN_CREDENTIAL_DETAILS_LIST, *PWEBAUTHN_CREDENTIAL_DETAILS_LIST; -typedef const WEBAUTHN_CREDENTIAL_DETAILS_LIST *PCWEBAUTHN_CREDENTIAL_DETAILS_LIST; - -#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1 1 -#define WEBAUTHN_GET_CREDENTIALS_OPTIONS_CURRENT_VERSION WEBAUTHN_GET_CREDENTIALS_OPTIONS_VERSION_1 - -typedef struct _WEBAUTHN_GET_CREDENTIALS_OPTIONS { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Optional. - LPCWSTR pwszRpId; - - // Optional. BrowserInPrivate Mode. Defaulting to FALSE. - BOOL bBrowserInPrivateMode; -} WEBAUTHN_GET_CREDENTIALS_OPTIONS, *PWEBAUTHN_GET_CREDENTIALS_OPTIONS; -typedef const WEBAUTHN_GET_CREDENTIALS_OPTIONS *PCWEBAUTHN_GET_CREDENTIALS_OPTIONS; - -//+------------------------------------------------------------------------------------------ -// PRF values. -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH 32 - -// SALT values below by default are converted into RAW Hmac-Secret values as per PRF extension. -// - SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || Value) -// -// Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS, -// if caller wants to provide RAW Hmac-Secret SALT values directly. In that case, -// values if provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size. - -typedef struct _WEBAUTHN_HMAC_SECRET_SALT { - // Size of pbFirst. - DWORD cbFirst; - _Field_size_bytes_(cbFirst) - PBYTE pbFirst; // Required - - // Size of pbSecond. 
- DWORD cbSecond; - _Field_size_bytes_(cbSecond) - PBYTE pbSecond; -} WEBAUTHN_HMAC_SECRET_SALT, *PWEBAUTHN_HMAC_SECRET_SALT; -typedef const WEBAUTHN_HMAC_SECRET_SALT *PCWEBAUTHN_HMAC_SECRET_SALT; - -typedef struct _WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT { - // Size of pbCredID. - DWORD cbCredID; - _Field_size_bytes_(cbCredID) - PBYTE pbCredID; // Required - - // PRF Values for above credential - PWEBAUTHN_HMAC_SECRET_SALT pHmacSecretSalt; // Required -} WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT, *PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT; -typedef const WEBAUTHN_CRED_WITH_HMAC_SECRET_SALT *PCWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT; - -typedef struct _WEBAUTHN_HMAC_SECRET_SALT_VALUES { - PWEBAUTHN_HMAC_SECRET_SALT pGlobalHmacSalt; - - DWORD cCredWithHmacSecretSaltList; - _Field_size_(cCredWithHmacSecretSaltList) - PWEBAUTHN_CRED_WITH_HMAC_SECRET_SALT pCredWithHmacSecretSaltList; -} WEBAUTHN_HMAC_SECRET_SALT_VALUES, *PWEBAUTHN_HMAC_SECRET_SALT_VALUES; -typedef const WEBAUTHN_HMAC_SECRET_SALT_VALUES *PCWEBAUTHN_HMAC_SECRET_SALT_VALUES; - -//+------------------------------------------------------------------------------------------ -// Hmac-Secret extension -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET L"hmac-secret" -// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET -// MakeCredential Input Type: BOOL. -// - pvExtension must point to a BOOL with the value TRUE. -// - cbExtension must contain the sizeof(BOOL). -// MakeCredential Output Type: BOOL. -// - pvExtension will point to a BOOL with the value TRUE if credential -// was successfully created with HMAC_SECRET. -// - cbExtension will contain the sizeof(BOOL). 
-// GetAssertion Input Type: Not Supported -// GetAssertion Output Type: Not Supported - -//+------------------------------------------------------------------------------------------ -// credProtect extension -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_USER_VERIFICATION_ANY 0 -#define WEBAUTHN_USER_VERIFICATION_OPTIONAL 1 -#define WEBAUTHN_USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST 2 -#define WEBAUTHN_USER_VERIFICATION_REQUIRED 3 - -typedef struct _WEBAUTHN_CRED_PROTECT_EXTENSION_IN { - // One of the above WEBAUTHN_USER_VERIFICATION_* values - DWORD dwCredProtect; - // Set the following to TRUE to require authenticator support for the credProtect extension - BOOL bRequireCredProtect; -} WEBAUTHN_CRED_PROTECT_EXTENSION_IN, *PWEBAUTHN_CRED_PROTECT_EXTENSION_IN; -typedef const WEBAUTHN_CRED_PROTECT_EXTENSION_IN *PCWEBAUTHN_CRED_PROTECT_EXTENSION_IN; - - -#define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT L"credProtect" -// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT -// MakeCredential Input Type: WEBAUTHN_CRED_PROTECT_EXTENSION_IN. -// - pvExtension must point to a WEBAUTHN_CRED_PROTECT_EXTENSION_IN struct -// - cbExtension will contain the sizeof(WEBAUTHN_CRED_PROTECT_EXTENSION_IN). -// MakeCredential Output Type: DWORD. -// - pvExtension will point to a DWORD with one of the above WEBAUTHN_USER_VERIFICATION_* values -// if credential was successfully created with CRED_PROTECT. -// - cbExtension will contain the sizeof(DWORD). -// GetAssertion Input Type: Not Supported -// GetAssertion Output Type: Not Supported - -//+------------------------------------------------------------------------------------------ -// credBlob extension -//------------------------------------------------------------------------------------------- - -typedef struct _WEBAUTHN_CRED_BLOB_EXTENSION { - // Size of pbCredBlob. 
- DWORD cbCredBlob; - _Field_size_bytes_(cbCredBlob) - PBYTE pbCredBlob; -} WEBAUTHN_CRED_BLOB_EXTENSION, *PWEBAUTHN_CRED_BLOB_EXTENSION; -typedef const WEBAUTHN_CRED_BLOB_EXTENSION *PCWEBAUTHN_CRED_BLOB_EXTENSION; - - -#define WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB L"credBlob" -// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_BLOB -// MakeCredential Input Type: WEBAUTHN_CRED_BLOB_EXTENSION. -// - pvExtension must point to a WEBAUTHN_CRED_BLOB_EXTENSION struct -// - cbExtension must contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION). -// MakeCredential Output Type: BOOL. -// - pvExtension will point to a BOOL with the value TRUE if credBlob was successfully created -// - cbExtension will contain the sizeof(BOOL). -// GetAssertion Input Type: BOOL. -// - pvExtension must point to a BOOL with the value TRUE to request the credBlob. -// - cbExtension must contain the sizeof(BOOL). -// GetAssertion Output Type: WEBAUTHN_CRED_BLOB_EXTENSION. -// - pvExtension will point to a WEBAUTHN_CRED_BLOB_EXTENSION struct if the authenticator -// returns the credBlob in the signed extensions -// - cbExtension will contain the sizeof(WEBAUTHN_CRED_BLOB_EXTENSION). - -//+------------------------------------------------------------------------------------------ -// minPinLength extension -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH L"minPinLength" -// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_MIN_PIN_LENGTH -// MakeCredential Input Type: BOOL. -// - pvExtension must point to a BOOL with the value TRUE to request the minPinLength. -// - cbExtension must contain the sizeof(BOOL). -// MakeCredential Output Type: DWORD. -// - pvExtension will point to a DWORD with the minimum pin length if returned by the authenticator -// - cbExtension will contain the sizeof(DWORD). 
-// GetAssertion Input Type: Not Supported -// GetAssertion Output Type: Not Supported - -//+------------------------------------------------------------------------------------------ -// Information about Extensions. -//------------------------------------------------------------------------------------------- -typedef struct _WEBAUTHN_EXTENSION { - LPCWSTR pwszExtensionIdentifier; - DWORD cbExtension; - PVOID pvExtension; -} WEBAUTHN_EXTENSION, *PWEBAUTHN_EXTENSION; -typedef const WEBAUTHN_EXTENSION *PCWEBAUTHN_EXTENSION; - -typedef struct _WEBAUTHN_EXTENSIONS { - DWORD cExtensions; - _Field_size_(cExtensions) - PWEBAUTHN_EXTENSION pExtensions; -} WEBAUTHN_EXTENSIONS, *PWEBAUTHN_EXTENSIONS; -typedef const WEBAUTHN_EXTENSIONS *PCWEBAUTHN_EXTENSIONS; - -//+------------------------------------------------------------------------------------------ -// Options. -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY 0 -#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM 1 -#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM 2 -#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2 3 - -#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY 0 -#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED 1 -#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED 2 -#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED 3 - -#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY 0 -#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE 1 -#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT 2 -#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT 3 - -#define WEBAUTHN_ENTERPRISE_ATTESTATION_NONE 0 -#define WEBAUTHN_ENTERPRISE_ATTESTATION_VENDOR_FACILITATED 1 -#define WEBAUTHN_ENTERPRISE_ATTESTATION_PLATFORM_MANAGED 2 - -#define WEBAUTHN_LARGE_BLOB_SUPPORT_NONE 0 -#define WEBAUTHN_LARGE_BLOB_SUPPORT_REQUIRED 1 -#define WEBAUTHN_LARGE_BLOB_SUPPORT_PREFERRED 2 - 
-#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_1 1 -#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 2 -#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 3 -#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 4 -#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 5 -#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6 6 -#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7 7 -#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_8 8 -#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_8 - -typedef struct _WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Time that the operation is expected to complete within. - // This is used as guidance, and can be overridden by the platform. - DWORD dwTimeoutMilliseconds; - - // Credentials used for exclusion. - WEBAUTHN_CREDENTIALS CredentialList; - - // Optional extensions to parse when performing the operation. - WEBAUTHN_EXTENSIONS Extensions; - - // Optional. Platform vs Cross-Platform Authenticators. - DWORD dwAuthenticatorAttachment; - - // Optional. Require key to be resident or not. Defaulting to FALSE. - BOOL bRequireResidentKey; - - // User Verification Requirement. - DWORD dwUserVerificationRequirement; - - // Attestation Conveyance Preference. - DWORD dwAttestationConveyancePreference; - - // Reserved for future Use - DWORD dwFlags; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2 - // - - // Cancellation Id - Optional - See WebAuthNGetCancellationId - GUID *pCancellationId; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3 - // - - // Exclude Credential List. If present, "CredentialList" will be ignored. 
- PWEBAUTHN_CREDENTIAL_LIST pExcludeCredentialList; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_4 - // - - // Enterprise Attestation - DWORD dwEnterpriseAttestation; - - // Large Blob Support: none, required or preferred - // - // NTE_INVALID_PARAMETER when large blob required or preferred and - // bRequireResidentKey isn't set to TRUE - DWORD dwLargeBlobSupport; - - // Optional. Prefer key to be resident. Defaulting to FALSE. When TRUE, - // overrides the above bRequireResidentKey. - BOOL bPreferResidentKey; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_5 - // - - // Optional. BrowserInPrivate Mode. Defaulting to FALSE. - BOOL bBrowserInPrivateMode; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_6 - // - - // Enable PRF - BOOL bEnablePrf; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_7 - // - - // Optional. Linked Device Connection Info. - PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice; - - // Size of pbJsonExt - DWORD cbJsonExt; - _Field_size_bytes_(cbJsonExt) - PBYTE pbJsonExt; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_8 - // - - // PRF extension "eval" values which will be converted into HMAC-SECRET values according to WebAuthn Spec. - // Set WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG in dwFlags above, if caller wants to provide RAW Hmac-Secret SALT values directly. - // In that case, values provided MUST be of WEBAUTHN_CTAP_ONE_HMAC_SECRET_LENGTH size. 
- PWEBAUTHN_HMAC_SECRET_SALT pPRFGlobalEval; - - // PublicKeyCredentialHints (https://w3c.github.io/webauthn/#enum-hints) - DWORD cCredentialHints; - _Field_size_(cCredentialHints) - LPCWSTR *ppwszCredentialHints; - - // Enable ThirdPartyPayment - BOOL bThirdPartyPayment; - -} WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS; -typedef const WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS; - -#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_NONE 0 -#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_GET 1 -#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_SET 2 -#define WEBAUTHN_CRED_LARGE_BLOB_OPERATION_DELETE 3 - -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1 1 -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2 2 -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3 3 -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4 4 -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5 5 -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 6 -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7 7 -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_8 8 -#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_8 - -/* - Information about flags. -*/ - -#define WEBAUTHN_AUTHENTICATOR_HMAC_SECRET_VALUES_FLAG 0x00100000 - -typedef struct _WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Time that the operation is expected to complete within. - // This is used as guidance, and can be overridden by the platform. - DWORD dwTimeoutMilliseconds; - - // Allowed Credentials List. - WEBAUTHN_CREDENTIALS CredentialList; - - // Optional extensions to parse when performing the operation. - WEBAUTHN_EXTENSIONS Extensions; - - // Optional. 
Platform vs Cross-Platform Authenticators. - DWORD dwAuthenticatorAttachment; - - // User Verification Requirement. - DWORD dwUserVerificationRequirement; - - // Flags - DWORD dwFlags; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2 - // - - // Optional identifier for the U2F AppId. Converted to UTF8 before being hashed. Not lower cased. - PCWSTR pwszU2fAppId; - - // If the following is non-NULL, then, set to TRUE if the above pwszU2fAppid was used instead of - // PCWSTR pwszRpId; - BOOL *pbU2fAppId; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3 - // - - // Cancellation Id - Optional - See WebAuthNGetCancellationId - GUID *pCancellationId; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4 - // - - // Allow Credential List. If present, "CredentialList" will be ignored. - PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_5 - // - - DWORD dwCredLargeBlobOperation; - - // Size of pbCredLargeBlob - DWORD cbCredLargeBlob; - _Field_size_bytes_(cbCredLargeBlob) - PBYTE pbCredLargeBlob; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_6 - // - - // PRF values which will be converted into HMAC-SECRET values according to WebAuthn Spec. - PWEBAUTHN_HMAC_SECRET_SALT_VALUES pHmacSecretSaltValues; - - // Optional. BrowserInPrivate Mode. Defaulting to FALSE. - BOOL bBrowserInPrivateMode; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_7 - // - - // Optional. Linked Device Connection Info. - PCTAPCBOR_HYBRID_STORAGE_LINKED_DATA pLinkedDevice; - - // Optional. Allowlist MUST contain 1 credential applicable for Hybrid transport. 
- BOOL bAutoFill; - - // Size of pbJsonExt - DWORD cbJsonExt; - _Field_size_bytes_(cbJsonExt) - PBYTE pbJsonExt; - - // - // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_8 - // - - // PublicKeyCredentialHints (https://w3c.github.io/webauthn/#enum-hints) - DWORD cCredentialHints; - _Field_size_(cCredentialHints) - LPCWSTR *ppwszCredentialHints; - -} WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS; -typedef const WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS; - - -//+------------------------------------------------------------------------------------------ -// Attestation Info. -// -//------------------------------------------------------------------------------------------- -#define WEBAUTHN_ATTESTATION_DECODE_NONE 0 -#define WEBAUTHN_ATTESTATION_DECODE_COMMON 1 -// WEBAUTHN_ATTESTATION_DECODE_COMMON supports format types -// L"packed" -// L"fido-u2f" - -#define WEBAUTHN_ATTESTATION_VER_TPM_2_0 L"2.0" - -typedef struct _WEBAUTHN_X5C { - // Length of X.509 encoded certificate - DWORD cbData; - // X.509 encoded certificate bytes - _Field_size_bytes_(cbData) - PBYTE pbData; -} WEBAUTHN_X5C, *PWEBAUTHN_X5C; - -// Supports either Self or Full Basic Attestation - -// Note, new fields will be added to the following data structure to -// support additional attestation format types, such as, TPM. -// When fields are added, the dwVersion will be incremented. -// -// Therefore, your code must make the following check: -// "if (dwVersion >= WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION)" - -#define WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION 1 - -typedef struct _WEBAUTHN_COMMON_ATTESTATION { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Hash and Padding Algorithm - // - // The following won't be set for "fido-u2f" which assumes "ES256". 
- PCWSTR pwszAlg; - LONG lAlg; // COSE algorithm - - // Signature that was generated for this attestation. - DWORD cbSignature; - _Field_size_bytes_(cbSignature) - PBYTE pbSignature; - - // Following is set for Full Basic Attestation. If not, set then, this is Self Attestation. - // Array of X.509 DER encoded certificates. The first certificate is the signer, leaf certificate. - DWORD cX5c; - _Field_size_(cX5c) - PWEBAUTHN_X5C pX5c; - - // Following are also set for tpm - PCWSTR pwszVer; // L"2.0" - DWORD cbCertInfo; - _Field_size_bytes_(cbCertInfo) - PBYTE pbCertInfo; - DWORD cbPubArea; - _Field_size_bytes_(cbPubArea) - PBYTE pbPubArea; -} WEBAUTHN_COMMON_ATTESTATION, *PWEBAUTHN_COMMON_ATTESTATION; -typedef const WEBAUTHN_COMMON_ATTESTATION *PCWEBAUTHN_COMMON_ATTESTATION; - -#define WEBAUTHN_ATTESTATION_TYPE_PACKED L"packed" -#define WEBAUTHN_ATTESTATION_TYPE_U2F L"fido-u2f" -#define WEBAUTHN_ATTESTATION_TYPE_TPM L"tpm" -#define WEBAUTHN_ATTESTATION_TYPE_NONE L"none" - -#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_1 1 -#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2 2 -#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3 3 -#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4 4 -#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5 5 -#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6 6 -#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_7 7 -#define WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_7 - -typedef struct _WEBAUTHN_CREDENTIAL_ATTESTATION { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Attestation format type - PCWSTR pwszFormatType; - - // Size of cbAuthenticatorData. - DWORD cbAuthenticatorData; - // Authenticator data that was created for this credential. - _Field_size_bytes_(cbAuthenticatorData) - PBYTE pbAuthenticatorData; - - // Size of CBOR encoded attestation information - //0 => encoded as CBOR null value. 
- DWORD cbAttestation; - //Encoded CBOR attestation information - _Field_size_bytes_(cbAttestation) - PBYTE pbAttestation; - - DWORD dwAttestationDecodeType; - // Following depends on the dwAttestationDecodeType - // WEBAUTHN_ATTESTATION_DECODE_NONE - // NULL - not able to decode the CBOR attestation information - // WEBAUTHN_ATTESTATION_DECODE_COMMON - // PWEBAUTHN_COMMON_ATTESTATION; - PVOID pvAttestationDecode; - - // The CBOR encoded Attestation Object to be returned to the RP. - DWORD cbAttestationObject; - _Field_size_bytes_(cbAttestationObject) - PBYTE pbAttestationObject; - - // The CredentialId bytes extracted from the Authenticator Data. - // Used by Edge to return to the RP. - DWORD cbCredentialId; - _Field_size_bytes_(cbCredentialId) - PBYTE pbCredentialId; - - // - // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2 - // - - WEBAUTHN_EXTENSIONS Extensions; - - // - // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3 - // - - // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to - // the transport that was used. - DWORD dwUsedTransport; - - // - // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_4 - // - - BOOL bEpAtt; - BOOL bLargeBlobSupported; - BOOL bResidentKey; - - // - // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_5 - // - - BOOL bPrfEnabled; - - // - // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_6 - // - - DWORD cbUnsignedExtensionOutputs; - _Field_size_bytes_(cbUnsignedExtensionOutputs) - PBYTE pbUnsignedExtensionOutputs; - - // - // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_7 - // - - PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret; - - // ThirdPartyPayment Credential or not. 
- BOOL bThirdPartyPayment; - -} WEBAUTHN_CREDENTIAL_ATTESTATION, *PWEBAUTHN_CREDENTIAL_ATTESTATION; -typedef const WEBAUTHN_CREDENTIAL_ATTESTATION *PCWEBAUTHN_CREDENTIAL_ATTESTATION; - - -//+------------------------------------------------------------------------------------------ -// authenticatorGetAssertion output. -//------------------------------------------------------------------------------------------- - -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NONE 0 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_SUCCESS 1 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_SUPPORTED 2 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_DATA 3 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_INVALID_PARAMETER 4 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_NOT_FOUND 5 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_MULTIPLE_CREDENTIALS 6 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_LACK_OF_SPACE 7 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_PLATFORM_ERROR 8 -#define WEBAUTHN_CRED_LARGE_BLOB_STATUS_AUTHENTICATOR_ERROR 9 - -#define WEBAUTHN_ASSERTION_VERSION_1 1 -#define WEBAUTHN_ASSERTION_VERSION_2 2 -#define WEBAUTHN_ASSERTION_VERSION_3 3 -#define WEBAUTHN_ASSERTION_VERSION_4 4 -#define WEBAUTHN_ASSERTION_VERSION_5 5 -#define WEBAUTHN_ASSERTION_CURRENT_VERSION WEBAUTHN_ASSERTION_VERSION_5 - -typedef struct _WEBAUTHN_ASSERTION { - // Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Size of cbAuthenticatorData. - DWORD cbAuthenticatorData; - // Authenticator data that was created for this assertion. - _Field_size_bytes_(cbAuthenticatorData) - PBYTE pbAuthenticatorData; - - // Size of pbSignature. - DWORD cbSignature; - // Signature that was generated for this assertion. - _Field_size_bytes_(cbSignature) - PBYTE pbSignature; - - // Credential that was used for this assertion. 
- WEBAUTHN_CREDENTIAL Credential; - - // Size of User Id - DWORD cbUserId; - // UserId - _Field_size_bytes_(cbUserId) - PBYTE pbUserId; - - // - // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_2 - // - - WEBAUTHN_EXTENSIONS Extensions; - - // Size of pbCredLargeBlob - DWORD cbCredLargeBlob; - _Field_size_bytes_(cbCredLargeBlob) - PBYTE pbCredLargeBlob; - - DWORD dwCredLargeBlobStatus; - - // - // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_3 - // - - PWEBAUTHN_HMAC_SECRET_SALT pHmacSecret; - - // - // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_4 - // - - // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to - // the transport that was used. - DWORD dwUsedTransport; - - // - // Following fields have been added in WEBAUTHN_ASSERTION_VERSION_5 - // - - DWORD cbUnsignedExtensionOutputs; - _Field_size_bytes_(cbUnsignedExtensionOutputs) - PBYTE pbUnsignedExtensionOutputs; -} WEBAUTHN_ASSERTION, *PWEBAUTHN_ASSERTION; -typedef const WEBAUTHN_ASSERTION *PCWEBAUTHN_ASSERTION; - -//+------------------------------------------------------------------------------------------ -// APIs. 
-//------------------------------------------------------------------------------------------- - -DWORD -WINAPI -WebAuthNGetApiVersionNumber(); - -HRESULT -WINAPI -WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable( - _Out_ BOOL *pbIsUserVerifyingPlatformAuthenticatorAvailable); - - -HRESULT -WINAPI -WebAuthNAuthenticatorMakeCredential( - _In_ HWND hWnd, - _In_ PCWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation, - _In_ PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation, - _In_ PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS pPubKeyCredParams, - _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData, - _In_opt_ PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS pWebAuthNMakeCredentialOptions, - _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION *ppWebAuthNCredentialAttestation); - - -HRESULT -WINAPI -WebAuthNAuthenticatorGetAssertion( - _In_ HWND hWnd, - _In_ LPCWSTR pwszRpId, - _In_ PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData, - _In_opt_ PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS pWebAuthNGetAssertionOptions, - _Outptr_result_maybenull_ PWEBAUTHN_ASSERTION *ppWebAuthNAssertion); - -void -WINAPI -WebAuthNFreeCredentialAttestation( - _In_opt_ PWEBAUTHN_CREDENTIAL_ATTESTATION pWebAuthNCredentialAttestation); - -void -WINAPI -WebAuthNFreeAssertion( - _In_ PWEBAUTHN_ASSERTION pWebAuthNAssertion); - -HRESULT -WINAPI -WebAuthNGetCancellationId( - _Out_ GUID* pCancellationId); - -HRESULT -WINAPI -WebAuthNCancelCurrentOperation( - _In_ const GUID* pCancellationId); - -// Returns NTE_NOT_FOUND when credentials are not found. 
-HRESULT -WINAPI -WebAuthNGetPlatformCredentialList( - _In_ PCWEBAUTHN_GET_CREDENTIALS_OPTIONS pGetCredentialsOptions, - _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST *ppCredentialDetailsList); - -void -WINAPI -WebAuthNFreePlatformCredentialList( - _In_ PWEBAUTHN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList); - -HRESULT -WINAPI -WebAuthNDeletePlatformCredential( - _In_ DWORD cbCredentialId, - _In_reads_bytes_(cbCredentialId) const BYTE *pbCredentialId - ); - -// -// Returns the following Error Names: -// L"Success" - S_OK -// L"InvalidStateError" - NTE_EXISTS -// L"ConstraintError" - HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED), -// NTE_NOT_SUPPORTED, -// NTE_TOKEN_KEYSET_STORAGE_FULL -// L"NotSupportedError" - NTE_INVALID_PARAMETER -// L"NotAllowedError" - NTE_DEVICE_NOT_FOUND, -// NTE_NOT_FOUND, -// HRESULT_FROM_WIN32(ERROR_CANCELLED), -// NTE_USER_CANCELLED, -// HRESULT_FROM_WIN32(ERROR_TIMEOUT) -// L"UnknownError" - All other hr values -// -PCWSTR -WINAPI -WebAuthNGetErrorName( - _In_ HRESULT hr); - -HRESULT -WINAPI -WebAuthNGetW3CExceptionDOMError( - _In_ HRESULT hr); - -typedef enum _EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE -{ - PluginAuthenticatorState_Unknown = 0, - PluginAuthenticatorState_Disabled, - PluginAuthenticatorState_Enabled -} EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE; - -// -// Plugin Authenticator API: WebAuthNPluginGetAuthenticatorState: Get Plugin Authenticator State -// -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginGetAuthenticatorState( - _In_ LPCWSTR pwszPluginClsId, - _Out_ EXPERIMENTAL_PLUGIN_AUTHENTICATOR_STATE* pluginAuthenticatorState -); - -// -// Plugin Authenticator API: WebAuthNAddPluginAuthenticator: Add Plugin Authenticator -// - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS { - // Authenticator Name - LPCWSTR pwszAuthenticatorName; - - // Plugin COM ClsId - LPCWSTR pwszPluginClsId; - - // Plugin RPID (Optional. 
Required for a nested WebAuthN call originating from a plugin) - LPCWSTR pwszPluginRpId; - - // Plugin Authenticator Logo for the Light themes. base64 svg (Optional) - LPCWSTR pwszLightThemeLogo; - - // Plugin Authenticator Logo for the Dark themes. base64 svg (Optional) - LPCWSTR pwszDarkThemeLogo; - - // CTAP CBOR encoded authenticatorGetInfo - DWORD cbAuthenticatorInfo; - _Field_size_bytes_(cbAuthenticatorInfo) - PBYTE pbAuthenticatorInfo; - -} EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS; -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE { - // Plugin operation signing Public Key - Used to sign the request in the EXPERIMENTAL_PluginPerformOperation. Refer pluginauthenticator.h. - DWORD cbOpSignPubKey; - _Field_size_bytes_(cbOpSignPubKey) - PBYTE pbOpSignPubKey; - -} EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE; -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE; - -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginAddAuthenticator( - _In_ EXPERIMENTAL_PCWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_OPTIONS pPluginAddAuthenticatorOptions, - _Outptr_result_maybenull_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE *ppPluginAddAuthenticatorResponse); - -void -WINAPI -EXPERIMENTAL_WebAuthNPluginFreeAddAuthenticatorResponse( - _In_opt_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_ADD_AUTHENTICATOR_RESPONSE pPluginAddAuthenticatorResponse); - -// -// Plugin Authenticator API: WebAuthNRemovePluginAuthenticator: Remove Plugin Authenticator -// - -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginRemoveAuthenticator( - _In_ LPCWSTR pwszPluginClsId); - -// -// Plugin Authenticator API: WebAuthNPluginAuthenticatorUpdateDetails: Update 
Credential Metadata for Browser AutoFill Scenarios -// - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS { - // Authenticator Name (Optional) - LPCWSTR pwszAuthenticatorName; - - // Plugin COM ClsId - LPCWSTR pwszPluginClsId; - - // Plugin COM New ClsId (Optional) - LPCWSTR pwszNewPluginClsId; - - // Plugin Authenticator Logo for the Light themes. base64 svg (Optional) - LPCWSTR pwszLightThemeLogo; - - // Plugin Authenticator Logo for the Dark themes. base64 svg (Optional) - LPCWSTR pwszDarkThemeLogo; - - // CTAP CBOR encoded authenticatorGetInfo (Optional) - DWORD cbAuthenticatorInfo; - _Field_size_bytes_(cbAuthenticatorInfo) - PBYTE pbAuthenticatorInfo; - -} EXPERIMENTAL_WEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS; -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS; - -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginUpdateAuthenticatorDetails( - _In_ EXPERIMENTAL_PCWEBAUTHN_PLUGIN_UPDATE_AUTHENTICATOR_DETAILS pPluginUpdateAuthenticatorDetails); - -#endif //__midl - -// -// Plugin Authenticator API: WebAuthNPluginAuthenticatorAddCredentials: Add Credential Metadata for Browser AutoFill Scenarios -// - - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS { - // Size of pbCredentialId. - DWORD cbCredentialId; - - // Credential Identifier bytes. This field is required. - #ifdef __midl - [size_is(cbCredentialId)] - #else - _Field_size_bytes_(cbCredentialId) - #endif - PBYTE pbCredentialId; - - // Identifier for the RP. This field is required. - PWSTR pwszRpId; - - // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site". - // This field is required. - PWSTR pwszRpName; - - // Identifier for the User. This field is required. - DWORD cbUserId; - - // User Identifier bytes. This field is required. 
- #ifdef __midl - [size_is(cbUserId)] - #else - _Field_size_bytes_(cbUserId) - #endif - PBYTE pbUserId; - - // Contains a detailed name for this account, such as "john.p.smith@example.com". - PWSTR pwszUserName; - - // For User: Contains the friendly name associated with the user account such as "John P. Smith". - PWSTR pwszUserDisplayName; - -} EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS; -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST { - // Plugin COM ClsId - PWSTR pwszPluginClsId; - - // count of credentials - DWORD cCredentialDetails; - - #ifdef __midl - [size_is(cCredentialDetails)] - #else - _Field_size_(cCredentialDetails) - #endif - EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS *pCredentialDetails; - -} EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST; -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST; - -#ifndef __midl - -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginAuthenticatorAddCredentials( - _In_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList); - -// -// Plugin Authenticator API: WebAuthNPluginAuthenticatorRemoveCredentials: Remove Credential Metadata for Browser AutoFill Scenarios -// - -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginAuthenticatorRemoveCredentials( - _In_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST pCredentialDetailsList); - -// -// Plugin Authenticator API: WebAuthNPluginAuthenticatorRemoveCredentials: Remove All Credential Metadata for Browser AutoFill Scenarios -// - -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginAuthenticatorRemoveAllCredentials( - _In_ LPCWSTR pwszPluginClsId); - -// -// Plugin Authenticator API: WebAuthNPluginAuthenticatorGetAllCredentials: Get All 
Credential Metadata cached for Browser AutoFill Scenarios -// -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginAuthenticatorGetAllCredentials( - _In_ LPCWSTR pwszPluginClsId, - _Outptr_result_maybenull_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_CREDENTIAL_DETAILS_LIST *ppCredentialDetailsList); - -// -// Hello UV API for Plugin: WebAuthNPluginPerformUv: Perform Hello UV related operations -// - -typedef enum _EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE -{ - PerformUv = 1, - GetUvCount, - GetPubKey -} EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV { - HWND hwnd; - GUID* transactionId; - EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_OPERATION_TYPE type; - PCWSTR pwszUsername; - PCWSTR pwszContext; -} EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFROM_UV; -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_PERFORM_UV; - -typedef struct _EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE { - DWORD cbResponse; - PBYTE pbResponse; -} EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE, *EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE; -typedef const EXPERIMENTAL_WEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE *EXPERIMENTAL_PCWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE; - -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNPluginPerformUv( - _In_ EXPERIMENTAL_PCWEBAUTHN_PLUGIN_PERFORM_UV pPluginPerformUv, - _Outptr_result_maybenull_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE *ppPluginPerformUvRespose); - -void -WINAPI -EXPERIMENTAL_WebAuthNPluginFreePerformUvResponse( - _In_opt_ EXPERIMENTAL_PWEBAUTHN_PLUGIN_PERFORM_UV_RESPONSE ppPluginPerformUvResponse); - -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS_VERSION_1 1 -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS_VERSION_1 -typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS { - //Version of this structure, to allow for 
modifications in the future. - DWORD dwVersion; - - // Following have following values: - // +1 - TRUE - // 0 - Not defined - // -1 - FALSE - //up: "true" | "false" - LONG lUp; - //uv: "true" | "false" - LONG lUv; - //rk: "true" | "false" - LONG lRequireResidentKey; -} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS; -typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS; - -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY_VERSION_1 1 -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY_VERSION_1 -typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY { - //Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - // Key type - LONG lKty; - - // Hash Algorithm: ES256, ES384, ES512 - LONG lAlg; - - // Curve - LONG lCrv; - - //Size of "x" (X Coordinate) - DWORD cbX; - - //"x" (X Coordinate) data. Big Endian. - PBYTE pbX; - - //Size of "y" (Y Coordinate) - DWORD cbY; - - //"y" (Y Coordinate) data. Big Endian. - PBYTE pbY; -} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY; -typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY; - -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION_VERSION_1 1 -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION_VERSION_1 -typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION { - //Version of this structure, to allow for modifications in the future. 
- DWORD dwVersion; - - // Platform's key agreement public key - EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_ECC_PUBLIC_KEY pKeyAgreement; - - DWORD cbEncryptedSalt; - PBYTE pbEncryptedSalt; - - DWORD cbSaltAuth; - PBYTE pbSaltAuth; -} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION; -typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION; - -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST_VERSION_1 1 -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST_VERSION_1 -typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST { - //Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - //Input RP ID. Raw UTF8 bytes before conversion. - //These are the bytes to be hashed in the Authenticator Data. - DWORD cbRpId; - PBYTE pbRpId; - - //Client Data Hash - DWORD cbClientDataHash; - PBYTE pbClientDataHash; - - //RP Information - PCWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation; - - //User Information - PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation; - - // Crypto Parameters - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS WebAuthNCredentialParameters; - - //Credentials used for exclusion - WEBAUTHN_CREDENTIAL_LIST CredentialList; - - //Optional extensions to parse when performing the operation. 
- DWORD cbCborExtensionsMap; - PBYTE pbCborExtensionsMap; - - // Authenticator Options (Optional) - EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS pAuthenticatorOptions; - - // Pin Auth (Optional) - BOOL fEmptyPinAuth; // Zero length PinAuth is included in the request - DWORD cbPinAuth; - PBYTE pbPinAuth; - - //"hmac-secret": true extension - LONG lHmacSecretExt; - - // "hmac-secret-mc" extension - EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION pHmacSecretMcExtension; - - //"prf" extension - LONG lPrfExt; - DWORD cbHmacSecretSaltValues; - PBYTE pbHmacSecretSaltValues; - - //"credProtect" extension. Nonzero if present - DWORD dwCredProtect; - - // Nonzero if present - DWORD dwPinProtocol; - - // Nonzero if present - DWORD dwEnterpriseAttestation; - - //"credBlob" extension. Nonzero if present - DWORD cbCredBlobExt; - PBYTE pbCredBlobExt; - - //"largeBlobKey": true extension - LONG lLargeBlobKeyExt; - - //"largeBlob": extension - DWORD dwLargeBlobSupport; - - //"minPinLength": true extension - LONG lMinPinLengthExt; - - // "json" extension. 
Nonzero if present - DWORD cbJsonExt; - PBYTE pbJsonExt; -} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST; -typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST; - -_Success_(return == S_OK) -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNEncodeMakeCredentialResponse( - _In_ PCWEBAUTHN_CREDENTIAL_ATTESTATION pCredentialAttestation, - _Out_ DWORD *pcbResp, - _Outptr_result_buffer_maybenull_(*pcbResp) BYTE **ppbResp - ); - -_Success_(return == S_OK) -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNDecodeMakeCredentialRequest( - _In_ DWORD cbEncoded, - _In_reads_bytes_(cbEncoded) const BYTE *pbEncoded, - _Outptr_ EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST *ppMakeCredentialRequest - ); - -void -WINAPI -EXPERIMENTAL_WebAuthNFreeDecodedMakeCredentialRequest( - _In_opt_ EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_MAKE_CREDENTIAL_REQUEST pMakeCredentialRequest - ); - -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST_VERSION_1 1 -#define EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST_CURRENT_VERSION EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST_VERSION_1 -typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST { - //Version of this structure, to allow for modifications in the future. - DWORD dwVersion; - - //RP ID. After UTF8 to Unicode conversion, - PCWSTR pwszRpId; - - //Input RP ID. Raw UTF8 bytes before conversion. - //These are the bytes to be hashed in the Authenticator Data. - DWORD cbRpId; - PBYTE pbRpId; - - //Client Data Hash - DWORD cbClientDataHash; - PBYTE pbClientDataHash; - - //Credentials used for inclusion - WEBAUTHN_CREDENTIAL_LIST CredentialList; - - //Optional extensions to parse when performing the operation. 
- DWORD cbCborExtensionsMap; - PBYTE pbCborExtensionsMap; - - // Authenticator Options (Optional) - EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_AUTHENTICATOR_OPTIONS pAuthenticatorOptions; - - // Pin Auth (Optional) - BOOL fEmptyPinAuth; // Zero length PinAuth is included in the request - DWORD cbPinAuth; - PBYTE pbPinAuth; - - // HMAC Salt Extension (Optional) - EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_HMAC_SALT_EXTENSION pHmacSaltExtension; - - // PRF Extension - DWORD cbHmacSecretSaltValues; - PBYTE pbHmacSecretSaltValues; - - DWORD dwPinProtocol; - - //"credBlob": true extension - LONG lCredBlobExt; - - //"largeBlobKey": true extension - LONG lLargeBlobKeyExt; - - //"largeBlob" extension - DWORD dwCredLargeBlobOperation; - DWORD cbCredLargeBlobCompressed; - PBYTE pbCredLargeBlobCompressed; - DWORD dwCredLargeBlobOriginalSize; - - // "json" extension. Nonzero if present - DWORD cbJsonExt; - PBYTE pbJsonExt; -} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST; -typedef const EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST; - -_Success_(return == S_OK) -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNDecodeGetAssertionRequest( - _In_ DWORD cbEncoded, - _In_reads_bytes_(cbEncoded) const BYTE *pbEncoded, - _Outptr_ EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST *ppGetAssertionRequest - ); - -void -WINAPI -EXPERIMENTAL_WebAuthNFreeDecodedGetAssertionRequest( - _In_opt_ EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_REQUEST pGetAssertionRequest - ); - -typedef struct _EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE { - // [1] credential (optional) - // [2] authenticatorData - // [3] signature - WEBAUTHN_ASSERTION WebAuthNAssertion; - - // [4] user (optional) - PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation; - - // [5] numberOfCredentials (optional) - DWORD dwNumberOfCredentials; - - // [6] userSelected (optional) - LONG lUserSelected; - - // [7] largeBlobKey 
(optional) - DWORD cbLargeBlobKey; - PBYTE pbLargeBlobKey; - - // [8] unsignedExtensionOutputs - DWORD cbUnsignedExtensionOutputs; - PBYTE pbUnsignedExtensionOutputs; -} EXPERIMENTAL_WEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE, *EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE; -typedef const EXPERIMENTAL_PWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE *EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE; - -_Success_(return == S_OK) -HRESULT -WINAPI -EXPERIMENTAL_WebAuthNEncodeGetAssertionResponse( - _In_ EXPERIMENTAL_PCWEBAUTHN_CTAPCBOR_GET_ASSERTION_RESPONSE pGetAssertionResponse, - _Out_ DWORD *pcbResp, - _Outptr_result_buffer_maybenull_(*pcbResp) BYTE **ppbResp - ); - -#endif //__midl - - -#ifdef __cplusplus -} // Balance extern "C" above -#endif - -#endif // WINAPI_FAMILY_PARTITION -#pragma endregion - diff --git a/apps/desktop/desktop_native/windows_plugin_authenticator/src/util.rs b/apps/desktop/desktop_native/windows_plugin_authenticator/src/util.rs index 035d9df06cf..7e6ba9d26c0 100644 --- a/apps/desktop/desktop_native/windows_plugin_authenticator/src/util.rs +++ b/apps/desktop/desktop_native/windows_plugin_authenticator/src/util.rs @@ -77,9 +77,7 @@ pub fn file_log(msg: &str) { } } -pub fn debug_log(message: &str) { - file_log(message) -} +pub fn debug_log(message: &str) {} // Helper function to convert Windows wide string (UTF-16) to Rust String pub unsafe fn wstr_to_string( diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json index f4c60b3afb7..6703dbb1c20 100644 --- a/apps/desktop/electron-builder.json +++ b/apps/desktop/electron-builder.json @@ -1,6 +1,4 @@ { - "$schema": "https://raw.githubusercontent.com/electron-userland/electron-builder/master/packages/app-builder-lib/scheme.json", - "extraMetadata": { "name": "bitwarden" }, 
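Review bot: `pub fn debug_log(message: &str) {}` leaves `message` unused, so rustc emits an unused-variable warning on every build of this crate; rename it and say what the stub is for: `/// Logging is intentionally a no-op (no file or console output); kept so call sites compile.` followed by `pub fn debug_log(_message: &str) {}`. The hunk context also shows `file_log` still defined; if `debug_log` was its only caller it is now dead code that still knows how to write to a file, and deleting it would match the commit's stated intent. The body of `file_log` begins outside the hunk.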
@@ -90,10 +88,9 @@
 },
 "win": {
 "electronUpdaterCompatibility": ">=0.0.1",
- "target": ["appx"],
+ "target": ["portable", "nsis-web", "appx"],
 "signtoolOptions": {
- "sign": "./sign.js",
- "publisherName": "CN=com.bitwarden.localdevelopment"
+ "sign": "./sign.js"
 },
 "extraFiles": [
 {
@@ -165,9 +162,8 @@
 "artifactName": "${productName}-Portable-${version}.${ext}"
 },
 "appx": {
- "artifactName": "${productName}-${arch}.${ext}",
- "customManifestPath": "./custom-appx-manifest.xml",
- "publisher": "CN=com.bitwarden.localdevelopment"
+ "artifactName": "${productName}-${version}-${arch}.${ext}",
+ "customManifestPath": "./custom-appx-manifest.xml"
 },
 "deb": {
 "artifactName": "${productName}-${version}-${arch}.${ext}",
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
index 9b9ccec9f2a..9488828c146 100644
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@bitwarden/desktop",
 "description": "A secure and free password manager for all of your devices.",
- "version": "2025.6.4",
+ "version": "2025.6.0",
 "keywords": [
 "bitwarden",
 "password",
@@ -67,7 +67,6 @@
 "upload:mas": "xcrun altool --upload-app --type osx --file \"$(find ./dist/mas-universal/Bitwarden*.pkg)\" --apiKey $APP_STORE_CONNECT_AUTH_KEY --apiIssuer $APP_STORE_CONNECT_TEAM_ISSUER",
 "test": "jest",
 "test:watch": "jest --watch",
- "test:watch:all": "jest --watchAll",
- "local:win": "cd desktop_native/napi && npm run build && cd ../.. && npm run build:dev && npm run pack:win"
+ "test:watch:all": "jest --watchAll"
 }
 }
diff --git a/apps/desktop/sign.ps1 b/apps/desktop/sign.ps1
deleted file mode 100644
index 7709b3be8f3783970d353b93f862be63c64dca70..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 166 zcmZXMOA5kJ5Cm%-@D8~^-osz^x^f>c5RD0fpNA35>0^rEP6nEpp056m6<0bQ9C6KQF5Dh}*ev8D8i)U&qgS>{gQB=hFu=OuBmFOZ~%IhoX@{F;qhW41RP+5b_6 NL}@D6l$?PD857z^95(;}
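Review bot: The `publisherName` and `publisher` entries for `CN=com.bitwarden.localdevelopment` are removed but `"sign": "./sign.js"` is kept while `sign.ps1` is deleted further down in this same commit; if sign.js shells out to that script, Windows signing will fail at build time, so please confirm it has no dependency on it. If the private key for that local-development identity was ever committed next to this config, dropping it from the tree does not remove it from history; treat it as exposed and do not reuse it beyond throwaway local builds. The `target` change restores `portable` and `nsis-web` alongside `appx`, which presumably reverts a temporary local-testing state rather than introducing new build outputs.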
diff --git a/apps/desktop/src/autofill/services/desktop-autofill.service.ts b/apps/desktop/src/autofill/services/desktop-autofill.service.ts
index 44cf6c0052a..7e60c6b8d76 100644
--- a/apps/desktop/src/autofill/services/desktop-autofill.service.ts
+++ b/apps/desktop/src/autofill/services/desktop-autofill.service.ts
@@ -61,6 +61,10 @@ export class DesktopAutofillService implements OnDestroy {
 .pipe(
 distinctUntilChanged(),
 switchMap((enabled) => {
+ if (!enabled) {
+ return EMPTY;
+ }
+
 return this.accountService.activeAccount$.pipe(
 map((account) => account?.id),
 filter((userId): userId is UserId => userId != null),
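Review bot: The new early `return EMPTY;` carries no comment saying what it achieves; because it tears down the active-account pipeline below it until `enabled` flips back, a line such as `// Autofill disabled: stop observing the active account until it is re-enabled` would make the intent obvious to the next reader. `EMPTY` also has to be imported from rxjs; the import block is outside this hunk, so confirm it is present. The enclosing subscription starts and ends outside the hunk.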
@@ -80,44 +84,43 @@ export class DesktopAutofillService implements OnDestroy {
 
 /** Give metadata about all available credentials in the users vault */
 async sync(cipherViews: CipherView[]) {
- this.logService.info("Syncing autofill credentials: ", cipherViews.length);
- // const status = await this.status();
- // if (status.type === "error") {
- // return this.logService.error("Error getting autofill status", status.error);
- // }
+ const status = await this.status();
+ if (status.type === "error") {
+ return this.logService.error("Error getting autofill status", status.error);
+ }
 
- // if (!status.value.state.enabled) {
- // // Autofill is disabled
- // return;
- // }
+ if (!status.value.state.enabled) {
+ // Autofill is disabled
+ return;
+ }
 
 let fido2Credentials: NativeAutofillFido2Credential[];
 let passwordCredentials: NativeAutofillPasswordCredential[];
 
- fido2Credentials = (await getCredentialsForAutofill(cipherViews)).map((credential) => ({
- type: "fido2",
- ...credential,
- }));
+ if (status.value.support.password) {
+ passwordCredentials = cipherViews
+ .filter(
+ (cipher) =>
+ cipher.type === CipherType.Login &&
+ cipher.login.uris?.length > 0 &&
+ cipher.login.uris.some((uri) => uri.match !== UriMatchStrategy.Never) &&
+ cipher.login.uris.some((uri) => !Utils.isNullOrWhitespace(uri.uri)) &&
+ !Utils.isNullOrWhitespace(cipher.login.username),
+ )
+ .map((cipher) => ({
+ type: "password",
+ cipherId: cipher.id,
+ uri: cipher.login.uris.find((uri) => uri.match !== UriMatchStrategy.Never).uri,
+ username: cipher.login.username,
+ }));
+ }
 
- // Mock a couple of passkeys for testing purposes
- fido2Credentials.push({
- type: "fido2",
- cipherId: "mock-cipher-id-1",
- credentialId: "passkey1",
- rpId: "webauthn.io",
- userHandle: "passkey1",
- userName: "Mock passkey1",
- });
- fido2Credentials.push({
- type: "fido2",
- cipherId: "mock-cipher-id-2",
- credentialId: "passkey2",
- rpId: "webauthn.io",
- userHandle: "passkey2",
- userName: "Mock passkey2",
- });
-
- this.logService.info("Found FIDO2 credentials", fido2Credentials.length);
+ if (status.value.support.fido2) {
+ fido2Credentials = (await getCredentialsForAutofill(cipherViews)).map((credential) => ({
+ type: "fido2",
+ ...credential,
+ }));
+ }
 
 const syncResult = await ipc.autofill.runCommand({
 namespace: "autofill",
diff --git a/apps/desktop/src/package.json b/apps/desktop/src/package.json
index 1394c43ff54..a3d811e572f 100644
--- a/apps/desktop/src/package.json
+++ b/apps/desktop/src/package.json
@@ -2,7 +2,7 @@
 "name": "@bitwarden/desktop",
 "productName": "Bitwarden",
 "description": "A secure and free password manager for all of your devices.",
- "version": "2025.6.19",
+ "version": "2025.6.0",
 "author": "Bitwarden Inc. (https://bitwarden.com)",
 "homepage": "https://bitwarden.com",
 "license": "GPL-3.0",
diff --git a/apps/desktop/src/platform/main/autofill/native-autofill.main.ts b/apps/desktop/src/platform/main/autofill/native-autofill.main.ts
index 28b53ebfde1..d4bf8036a79 100644
--- a/apps/desktop/src/platform/main/autofill/native-autofill.main.ts
+++ b/apps/desktop/src/platform/main/autofill/native-autofill.main.ts
@@ -28,7 +28,7 @@ export class NativeAutofillMain {
 }
 
 async init() {
- const enableWindowsPasskeyProvider = true;
+ const enableWindowsPasskeyProvider = false;
 if (enableWindowsPasskeyProvider) {
 this.windowsMain.initWindows();
 this.windowsMain.setupWindowsRendererIPCHandlers();
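Review bot: In the password branch of `sync` the filter and the map use different predicates, so the URI handed to the native side can be blank: the filter only requires that some URI has `match !== UriMatchStrategy.Never` and that some possibly different URI has a non-blank `uri`, while the map takes the first non-Never URI regardless of its `uri` value. Use one predicate in both places, replacing the two `.some` lines with `cipher.login.uris.some((uri) => uri.match !== UriMatchStrategy.Never && !Utils.isNullOrWhitespace(uri.uri)) &&` and the map line with `uri: cipher.login.uris.find((uri) => uri.match !== UriMatchStrategy.Never && !Utils.isNullOrWhitespace(uri.uri)).uri,`. Separately, `fido2Credentials` and `passwordCredentials` remain `undefined` whenever the matching `support` flag is false; initialising both to `[]` keeps the payload built for `runCommand` well-formed instead of relying on the native side tolerating `undefined`. The `runCommand` call and the remainder of `sync` continue outside the hunk.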
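Review bot: `const enableWindowsPasskeyProvider = false;` in `init()` is a hard-coded kill switch with no explanation, which leaves `initWindows()` and `setupWindowsRendererIPCHandlers()` unreachable at runtime and makes re-enabling the provider a source edit rather than a configuration change. Add a comment stating why it is off and what gates turning it back on, e.g. `// Windows passkey provider disabled until <TRACKING-ISSUE placeholder> is resolved`, or read the value from the app's existing feature-flag/config source so the toggle is visible and auditable. The rest of `init()` lies outside the hunk.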