| Stability | experimental |
|---|---|
| Safe Haskell | None |
| Language | Haskell2010 |
Crypto.WebAuthn.Model.Types
Description
This module contains the same top-level definitions as JavaScript,
but with the types containing a more Haskell-friendly structure.
Note: The ToJSON instances of these types are for pretty-printing purposes
only.
TODO: (spec) This library does not currently implement extensions. In order to fully comply with level 2 of the webauthn spec extensions are required. At least, we wish the library to offer a typeclass implementable by relying parties to allow extensions in a scheme similar to the attestation statement formats. Ideally, we would implement all 8 extensions tracked by IANA.
Synopsis
- data CredentialType = CredentialTypePublicKey
- data AuthenticatorTransport
- data AuthenticatorAttachment
- data ResidentKeyRequirement
- data UserVerificationRequirement
- data AttestationConveyancePreference
- data AttestationChain (p :: ProtocolKind) where
- data AttestationKind
- data AttestationType (k :: AttestationKind) where
- data VerifiableAttestationType
- newtype RpId = RpId {}
- newtype RelyingPartyName = RelyingPartyName {}
- newtype UserHandle = UserHandle {}
- generateUserHandle :: MonadRandom m => m UserHandle
- newtype UserAccountDisplayName = UserAccountDisplayName {}
- newtype UserAccountName = UserAccountName {}
- newtype CredentialId = CredentialId {}
- generateCredentialId :: MonadRandom m => m CredentialId
- newtype Challenge = Challenge {}
- generateChallenge :: MonadRandom m => m Challenge
- newtype Timeout = Timeout {}
- newtype AssertionSignature = AssertionSignature {}
- newtype RpIdHash = RpIdHash {}
- newtype ClientDataHash = ClientDataHash {}
- newtype Origin = Origin {}
- newtype SignatureCounter = SignatureCounter {}
- newtype PublicKeyBytes = PublicKeyBytes {}
- data AuthenticationExtensionsClientInputs = AuthenticationExtensionsClientInputs {
- data AuthenticationExtensionsClientOutputs = AuthenticationExtensionsClientOutputs {
- data AuthenticatorExtensionOutputs = AuthenticatorExtensionOutputs {
- data CredentialRpEntity = CredentialRpEntity {}
- data CredentialUserEntity = CredentialUserEntity {}
- data CredentialParameters = CredentialParameters {}
- data CredentialDescriptor = CredentialDescriptor {}
- data AuthenticatorSelectionCriteria = AuthenticatorSelectionCriteria {}
- data AuthenticatorDataFlags = AuthenticatorDataFlags {}
- data CollectedClientData (c :: CeremonyKind) raw = CollectedClientData {
- ccdChallenge :: Challenge
- ccdOrigin :: Origin
- ccdCrossOrigin :: Bool
- ccdRawData :: RawField raw
- data AttestedCredentialData (c :: CeremonyKind) raw where
- data AuthenticatorData (c :: CeremonyKind) raw = AuthenticatorData {}
- data AttestationObject raw = forall a.AttestationStatementFormat a => AttestationObject {
- aoAuthData :: AuthenticatorData 'Registration raw
- aoFmt :: a
- aoAttStmt :: AttStmt a
- data AuthenticatorResponse (c :: CeremonyKind) raw where
- AuthenticatorResponseRegistration :: {..} -> AuthenticatorResponse 'Registration raw
- AuthenticatorResponseAuthentication :: {..} -> AuthenticatorResponse 'Authentication raw
- data SomeAttestationType = forall k. SomeAttestationType (AttestationType k)
- class (Eq (AttStmt a), Show (AttStmt a), ToJSON (AttStmt a), Typeable a, Show a, Exception (AttStmtVerificationError a)) => AttestationStatementFormat a where
- type AttStmt a :: Type
- type AttStmtVerificationError a :: Type
- asfIdentifier :: a -> Text
- asfVerify :: a -> DateTime -> AttStmt a -> AuthenticatorData 'Registration 'True -> ClientDataHash -> Validation (NonEmpty (AttStmtVerificationError a)) SomeAttestationType
- asfTrustAnchors :: a -> VerifiableAttestationType -> CertificateStore
- asfDecode :: a -> HashMap Text Term -> Either Text (AttStmt a)
- asfEncode :: a -> AttStmt a -> Term
- data SomeAttestationStatementFormat = forall a.AttestationStatementFormat a => SomeAttestationStatementFormat a
- data SupportedAttestationStatementFormats
- singletonAttestationStatementFormat :: SomeAttestationStatementFormat -> SupportedAttestationStatementFormats
- lookupAttestationStatementFormat :: Text -> SupportedAttestationStatementFormats -> Maybe SomeAttestationStatementFormat
- data RawField (raw :: Bool) where
- data CredentialOptions (c :: CeremonyKind) where
- data Credential (c :: CeremonyKind) raw = Credential {}
- stripRawCredential :: forall c raw. SingI c => Credential c raw -> Credential c 'False
Enumerations
data CredentialType Source #
(spec) This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and attestation structures according to the type of the authenticator.
Constructors
| CredentialTypePublicKey |
Instances
data AuthenticatorTransport Source #
(spec) Authenticators may implement various transports for communicating with clients. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party will typically learn of the supported transports for a public key credential via getTransports().
Constructors
| AuthenticatorTransportUSB | (spec) Indicates the respective authenticator can be contacted over removable USB. |
| AuthenticatorTransportNFC | (spec) Indicates the respective authenticator can be contacted over Near Field Communication (NFC). |
| AuthenticatorTransportBLE | (spec) Indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE). |
| AuthenticatorTransportInternal | (spec) Indicates the respective authenticator is contacted using a client device-specific transport, i.e., it is a platform authenticator. These authenticators are not removable from the client device. |
Instances
data AuthenticatorAttachment Source #
(spec) This enumeration’s values describe authenticators'
attachment modalities.
Relying Parties use this to
express a preferred authenticator attachment modality
when calling navigator.credentials.create()
to create a credential.
Constructors
| AuthenticatorAttachmentPlatform | (spec) This value indicates platform attachment. |
| AuthenticatorAttachmentCrossPlatform | (spec) This value indicates cross-platform attachment. |
Instances
data ResidentKeyRequirement Source #
(spec) This enumeration’s values describe the Relying Party's requirements for client-side discoverable credentials (formerly known as resident credentials or resident keys):
Constructors
| ResidentKeyRequirementDiscouraged | (spec) This value indicates the Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential. |
| ResidentKeyRequirementPreferred | (spec) This value indicates the Relying Party
strongly prefers creating a client-side discoverable credential,
but will accept a server-side credential.
For example, user agents SHOULD guide the user through setting up user verification
if needed to create a client-side discoverable credential
in this case. This takes precedence over the setting of |
| ResidentKeyRequirementRequired | (spec) This value indicates the Relying Party requires a client-side discoverable credential, and is prepared to receive an error if a client-side discoverable credential cannot be created. |
Instances
data UserVerificationRequirement Source #
(spec) A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its needs.
Constructors
| UserVerificationRequirementRequired | (spec) This value indicates that the Relying Party requires user verification for the operation and will fail the operation if the response does not have the UV flag set. |
| UserVerificationRequirementPreferred | (spec) This value indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set. |
| UserVerificationRequirementDiscouraged | (spec) This value indicates that the Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow). |
Instances
data AttestationConveyancePreference Source #
(spec) WebAuthn Relying Parties may use AttestationConveyancePreference to specify their preference regarding attestation conveyance during credential generation.
Constructors
| AttestationConveyancePreferenceNone | (spec) This value indicates that the Relying Party is not interested in authenticator attestation. For example, in order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a roundtrip to an Attestation CA or Anonymization CA. This is the default value. |
| AttestationConveyancePreferenceIndirect | (spec) This value indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA, in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem. Note: There is no guarantee that the Relying Party will obtain a verifiable attestation statement in this case. For example, in the case that the authenticator employs self attestation. |
| AttestationConveyancePreferenceDirect | (spec) This value indicates that the Relying Party wants to receive the attestation statement as generated by the authenticator. |
| AttestationConveyancePreferenceEnterprise | (spec) This value indicates that the Relying Party
wants to receive an attestation statement
that may include uniquely identifying information. This is intended for controlled deployments
within an enterprise where the organization wishes to tie registrations to specific authenticators.
User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration
permits it for the requested If permitted, the user agent SHOULD signal to the authenticator (at invocation time) that enterprise attestation is requested, and convey the resulting AAGUID and attestation statement, unaltered, to the Relying Party. |
Instances
data AttestationChain (p :: ProtocolKind) where Source #
An X.509 certificate chain that can be used to verify an attestation statement
Constructors
| Fido2Chain :: NonEmpty SignedCertificate -> AttestationChain 'Fido2 | For Fido 2, we can have a chain consisting of multiple certificates. |
| FidoU2FCert :: SignedCertificate -> AttestationChain 'FidoU2F | For Fido U2F, we can only have a single certificate, which is then also
used to generate the |
Instances
| Eq (AttestationChain p) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods (==) :: AttestationChain p -> AttestationChain p -> Bool # (/=) :: AttestationChain p -> AttestationChain p -> Bool # | |
| Show (AttestationChain p) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods showsPrec :: Int -> AttestationChain p -> ShowS # show :: AttestationChain p -> String # showList :: [AttestationChain p] -> ShowS # | |
| ToJSON (AttestationChain p) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods toJSON :: AttestationChain p -> Value # toEncoding :: AttestationChain p -> Encoding # toJSONList :: [AttestationChain p] -> Value # toEncodingList :: [AttestationChain p] -> Encoding # | |
data AttestationKind Source #
A Haskell kind for the attestation type, indicating whether we have verifiable information about the authenticator that created the public key credential.
Constructors
| Unverifiable | An unverifiable attestation type. This includes None and Self attestation. This kind indicates that we do not have any information about the authenticator model used. |
| Verifiable ProtocolKind | A verifiable attestation type. This includes Basic, AttCA and AnonCA attestation. This kind indicates that we have verifiable information about the authenticator model used. |
data AttestationType (k :: AttestationKind) where Source #
(spec) WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust models:
Constructors
| AttestationTypeNone :: AttestationType 'Unverifiable | (spec) In this case, no attestation information is available. See also § 8.7 None Attestation Statement Format. |
| AttestationTypeSelf :: AttestationType 'Unverifiable | (spec) In the case of self attestation, also known as surrogate basic attestation UAFProtocol, the Authenticator does not have any specific attestation key pair. Instead it uses the credential private key to create the attestation signature. Authenticators without meaningful protection measures for an attestation private key typically use this attestation type. |
| AttestationTypeVerifiable | Grouping of attestations that are verifiable by a certificate chain |
Fields
| |
Instances
| Eq (AttestationType k) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods (==) :: AttestationType k -> AttestationType k -> Bool # (/=) :: AttestationType k -> AttestationType k -> Bool # | |
| Show (AttestationType k) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods showsPrec :: Int -> AttestationType k -> ShowS # show :: AttestationType k -> String # showList :: [AttestationType k] -> ShowS # | |
| ToJSON (AttestationType k) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods toJSON :: AttestationType k -> Value # toEncoding :: AttestationType k -> Encoding # toJSONList :: [AttestationType k] -> Value # toEncodingList :: [AttestationType k] -> Encoding # | |
data VerifiableAttestationType Source #
An attestation type that is verifiable, indicating that we can have trusted information about the authenticator that created the public key credential
Constructors
| VerifiableAttestationTypeUncertain | Attestation statements conveying attestations of type AttCA or AnonCA use the same data structure as those of type Basic, so the three attestation types are, in general, distinguishable only with externally provided knowledge regarding the contents of the attestation certificates conveyed in the attestation statement. |
| VerifiableAttestationTypeBasic | (spec) In the case of basic attestation UAFProtocol, the authenticator’s attestation key pair is specific to an authenticator "model", i.e., a "batch" of authenticators. Thus, authenticators of the same, or similar, model often share the same attestation key pair. See § 14.4.1 Attestation Privacy for further information. |
| VerifiableAttestationTypeAttCA | (spec) In this case, an authenticator is based on a Trusted Platform Module (TPM) and holds an authenticator-specific "endorsement key" (EK). This key is used to securely communicate with a trusted third party, the Attestation CA TCG-CMCProfile-AIKCertEnroll (formerly known as a "Privacy CA"). The authenticator can generate multiple attestation identity key pairs (AIK) and requests an Attestation CA to issue an AIK certificate for each. Using this approach, such an authenticator can limit the exposure of the EK (which is a global correlation handle) to Attestation CA(s). AIKs can be requested for each authenticator-generated public key credential individually, and conveyed to Relying Parties as attestation certificates. |
| VerifiableAttestationTypeAnonCA | (spec) In this case, the authenticator uses an Anonymization CA which dynamically generates per-[credential](https:/w3c.github.iowebappsec-credential-management/#concept-credential) attestation certificates such that the attestation statements presented to Relying Parties do not provide uniquely identifiable information, e.g., that might be used for tracking purposes. |
Instances
Newtypes
(spec) A valid domain string
identifying the WebAuthn Relying Party
on whose behalf a given registration
or authentication ceremony is being performed.
A public key credential
can only be used for authentication
with the same entity (as identified by RpId) it was registered with.
By default, the RpId for a WebAuthn operation is set to the caller’s
origin's
effective domain.
This default MAY be overridden by the caller, as long as the caller-specified RpId value
is a registrable domain suffix of or is equal to
the caller’s origin's
effective domain.
TODO: RpId is used for both https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrpentity-id
and https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-rpid, but the former
uses DOMString, while the latter uses USVString. Is this a bug in the spec or is there an actual difference?
Instances
| Eq RpId Source # | |
| Ord RpId Source # | |
| Show RpId Source # | |
| IsString RpId Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods fromString :: String -> RpId # | |
| ToJSON RpId Source # | |
Defined in Crypto.WebAuthn.Model.Types | |
| Convert RpId Source # | |
| Encode RpId Source # | |
| Decode RpId Source # | |
| type IDL RpId Source # | |
newtype RelyingPartyName Source #
(spec) A human-palatable identifier for the Relying Party, intended only for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".
- Relying Parties SHOULD perform
enforcement, as prescribed in Section 2.3 of RFC8266
for the Nickname Profile of the PRECIS FreeformClass RFC8264,
when setting
RelyingPartyNames value, or displaying the value to the user. - This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
Constructors
| RelyingPartyName | |
Fields | |
Instances
newtype UserHandle Source #
(spec) The user handle is specified by a Relying Party,
as the value of id, and used to map
a specific public key credential
to a specific user account with the Relying Party.
Authenticators in turn map
RP IDs and user handle pairs to public key credential sources.
A user handle is an opaque byte sequence
with a maximum size of 64 bytes, and is not meant to be displayed to the user.
Constructors
| UserHandle | |
Fields | |
Instances
generateUserHandle :: MonadRandom m => m UserHandle Source #
(spec) A user handle is an opaque byte sequence with a maximum size of 64 bytes, and is not meant to be displayed to the user.
newtype UserAccountDisplayName Source #
(spec) A human-palatable name for the user account, intended only for display. For example, "Alex Müller" or "田中倫". The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary.
- Relying Parties SHOULD perform
enforcement, as prescribed in Section 2.3 of RFC8266
for the Nickname Profile of the PRECIS FreeformClass RFC8264,
when setting
cueDisplayNames value, or displaying the value to the user. - This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
Constructors
| UserAccountDisplayName | |
Fields | |
Instances
newtype UserAccountName Source #
(spec) A human-palatable identifier for a user account.
It is intended only for display, i.e., aiding the user in determining the difference between user accounts with
similar cueDisplayNames. For example, "alexm", "alex.mueller@example.com" or "+14255551234".
- The Relying Party MAY let the user choose this value.
The Relying Party SHOULD perform enforcement,
as prescribed in Section 3.4.3 of RFC8265
for the UsernameCasePreserved Profile of the PRECIS IdentifierClass
RFC8264, when setting
UserAccountNames value, or displaying the value to the user. - This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
Constructors
| UserAccountName | |
Fields | |
Instances
newtype CredentialId Source #
(spec) A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions.
Constructors
| CredentialId | |
Fields | |
Instances
generateCredentialId :: MonadRandom m => m CredentialId Source #
(spec) Generates a random CredentialId using 16 random bytes.
This is only useful for authenticators, not for relying parties.
This function is only included for completeness and testing purposes.
(spec) This member contains a challenge intended to be used for generating the newly created credential’s attestation object. See the § 13.4.3 Cryptographic Challenges security consideration.
Constructors
| Challenge | |
Fields | |
Instances
| Eq Challenge Source # | |
| Ord Challenge Source # | |
| Show Challenge Source # | |
| ToJSON Challenge Source # | |
Defined in Crypto.WebAuthn.Model.Types | |
| Convert Challenge Source # | |
| Encode Challenge Source # | |
| Decode Challenge Source # | |
| type IDL Challenge Source # | |
generateChallenge :: MonadRandom m => m Challenge Source #
(spec) In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD therefore be at least 16 bytes long.
(spec) This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and MAY be overridden by the client.
newtype AssertionSignature Source #
(spec) An assertion signature is produced when the authenticatorGetAssertion method is invoked. It represents an assertion by the authenticator that the user has consented to a specific transaction, such as logging in, or completing a purchase. Thus, an assertion signature asserts that the authenticator possessing a particular credential private key has established, to the best of its ability, that the user requesting this transaction is the same user who consented to creating that particular public key credential. It also asserts additional information, termed client data, that may be useful to the caller, such as the means by which user consent was provided, and the prompt shown to the user by the authenticator. The assertion signature format is illustrated in Figure 4, below.
Constructors
| AssertionSignature | |
Fields | |
Instances
(spec) SHA-256 hash of the RP ID the credential is scoped to.
Constructors
| RpIdHash | |
Fields | |
newtype ClientDataHash Source #
(spec) This is the hash (computed using SHA-256) of the JSON-compatible serialization of client data, as constructed by the client.
Constructors
| ClientDataHash | |
Fields | |
Instances
| Eq ClientDataHash Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods (==) :: ClientDataHash -> ClientDataHash -> Bool # (/=) :: ClientDataHash -> ClientDataHash -> Bool # | |
| Show ClientDataHash Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods showsPrec :: Int -> ClientDataHash -> ShowS # show :: ClientDataHash -> String # showList :: [ClientDataHash] -> ShowS # | |
| ToJSON ClientDataHash Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods toJSON :: ClientDataHash -> Value # toEncoding :: ClientDataHash -> Encoding # toJSONList :: [ClientDataHash] -> Value # toEncodingList :: [ClientDataHash] -> Encoding # | |
newtype SignatureCounter Source #
Constructors
| SignatureCounter | |
Fields | |
Instances
newtype PublicKeyBytes Source #
The encoding of a CosePublicKey
Constructors
| PublicKeyBytes | |
Fields | |
Instances
| Eq PublicKeyBytes Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods (==) :: PublicKeyBytes -> PublicKeyBytes -> Bool # (/=) :: PublicKeyBytes -> PublicKeyBytes -> Bool # | |
| Show PublicKeyBytes Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods showsPrec :: Int -> PublicKeyBytes -> ShowS # show :: PublicKeyBytes -> String # showList :: [PublicKeyBytes] -> ShowS # | |
| ToJSON PublicKeyBytes Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods toJSON :: PublicKeyBytes -> Value # toEncoding :: PublicKeyBytes -> Encoding # toJSONList :: [PublicKeyBytes] -> Value # toEncodingList :: [PublicKeyBytes] -> Encoding # | |
Extensions (unimplemented, see module documentation)
data AuthenticationExtensionsClientInputs Source #
(spec) This is a dictionary containing the client extension input values for zero or more WebAuthn Extensions. TODO: Extensions are not implemented by this library, see Crypto.WebAuthn.Model.
Constructors
| AuthenticationExtensionsClientInputs | |
Instances
data AuthenticationExtensionsClientOutputs Source #
(spec) This is a dictionary containing the client extension output values for zero or more WebAuthn Extensions. TODO: Extensions are not implemented by this library, see Crypto.WebAuthn.Model.
Constructors
| AuthenticationExtensionsClientOutputs | |
Instances
data AuthenticatorExtensionOutputs Source #
Constructors
| AuthenticatorExtensionOutputs | |
Instances
| Eq AuthenticatorExtensionOutputs Source # | |
Defined in Crypto.WebAuthn.Model.Types | |
| Show AuthenticatorExtensionOutputs Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods showsPrec :: Int -> AuthenticatorExtensionOutputs -> ShowS # show :: AuthenticatorExtensionOutputs -> String # showList :: [AuthenticatorExtensionOutputs] -> ShowS # | |
| ToJSON AuthenticatorExtensionOutputs Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods toJSON :: AuthenticatorExtensionOutputs -> Value # toEncoding :: AuthenticatorExtensionOutputs -> Encoding # toJSONList :: [AuthenticatorExtensionOutputs] -> Value # toEncodingList :: [AuthenticatorExtensionOutputs] -> Encoding # | |
Dictionaries
data CredentialRpEntity Source #
(spec) The CredentialRpEntity dictionary is used to supply additional
Relying Party attributes when creating a new credential.
Constructors
| CredentialRpEntity | |
Fields
| |
Instances
data CredentialUserEntity Source #
(spec) The CredentialUserEntity dictionary is used to supply additional
user account attributes when creating a new credential.
Constructors
| CredentialUserEntity | |
Fields
| |
Instances
data CredentialParameters Source #
(spec) This dictionary is used to supply additional parameters when creating a new credential.
Constructors
| CredentialParameters | |
Fields
| |
Instances
data CredentialDescriptor Source #
(spec) This dictionary contains the attributes that are specified by a caller when referring to a
public key credential as an input parameter to the
create() or
get() methods.
It mirrors the fields of the Credential object returned by the latter methods.
Constructors
| CredentialDescriptor | |
Fields
| |
Instances
data AuthenticatorSelectionCriteria Source #
(spec) WebAuthn Relying Parties
may use the AuthenticatorSelectionCriteria dictionary to specify their
requirements regarding authenticator attributes.
Constructors
| AuthenticatorSelectionCriteria | |
Fields
| |
Instances
data AuthenticatorDataFlags Source #
Constructors
| AuthenticatorDataFlags | |
Fields
| |
Instances
data CollectedClientData (c :: CeremonyKind) raw Source #
(spec) The client data represents the contextual bindings of both the WebAuthn Relying Party and the client.
Constructors
| CollectedClientData | |
Fields
| |
Instances
data AttestedCredentialData (c :: CeremonyKind) raw where Source #
(spec) Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation object for a given credential.
Constructors
| AttestedCredentialData | |
Fields
| |
| NoAttestedCredentialData :: AttestedCredentialData 'Authentication raw | |
Instances
| Eq (AttestedCredentialData c raw) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods (==) :: AttestedCredentialData c raw -> AttestedCredentialData c raw -> Bool # (/=) :: AttestedCredentialData c raw -> AttestedCredentialData c raw -> Bool # | |
| Show (AttestedCredentialData c raw) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods showsPrec :: Int -> AttestedCredentialData c raw -> ShowS # show :: AttestedCredentialData c raw -> String # showList :: [AttestedCredentialData c raw] -> ShowS # | |
| ToJSON (AttestedCredentialData c raw) Source # | |
Defined in Crypto.WebAuthn.Model.Types Methods toJSON :: AttestedCredentialData c raw -> Value # toEncoding :: AttestedCredentialData c raw -> Encoding # toJSONList :: [AttestedCredentialData c raw] -> Value # toEncodingList :: [AttestedCredentialData c raw] -> Encoding # | |
data AuthenticatorData (c :: CeremonyKind) raw Source #
(spec) The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.
Constructors
| AuthenticatorData | |
Fields
| |
Instances
data AttestationObject raw Source #
Constructors
| forall a.AttestationStatementFormat a => AttestationObject | |
Fields
| |
Instances
data AuthenticatorResponse (c :: CeremonyKind) raw where Source #
(spec) Authenticators respond to Relying Party requests by returning an object derived from the `AuthenticatorResponse` interface
Constructors
| AuthenticatorResponseRegistration | (spec) The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration. |
Fields
| |
| AuthenticatorResponseAuthentication | (spec) The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction. |
Fields
| |
Instances
Attestation Statement Formats
data SomeAttestationType Source #
The result from verifying an attestation statement.
Either the result is verifiable, in which case k ~ , the
VerifiableAttestationType contains a verifiable certificate chain.
Or the result is not verifiable, in which case k ~ , the
UnverifiableAttestationType is None or Self.
Constructors
| forall k. SomeAttestationType (AttestationType k) |
class (Eq (AttStmt a), Show (AttStmt a), ToJSON (AttStmt a), Typeable a, Show a, Exception (AttStmtVerificationError a)) => AttestationStatementFormat a where Source #
(spec) This class is used to specify an attestation statement format's identifier and attestation statement structure
Associated Types
type AttStmt a :: Type Source #
The type of a fully-decoded and structurally valid attestation statement
type AttStmtVerificationError a :: Type Source #
The type of verification errors that can occur when verifying this
attestation statement using asfVerify
Methods
asfIdentifier :: a -> Text Source #
(spec) Attestation statement formats are identified by a string, called an attestation statement format identifier, chosen by the author of the attestation statement format.
Attestation statement format identifiers SHOULD be registered in the IANA "WebAuthn Attestation Statement Format Identifiers" registry IANA-WebAuthn-Registries established by RFC8809. All registered attestation statement format identifiers are unique amongst themselves as a matter of course.
Unregistered attestation statement format identifiers SHOULD use lowercase reverse domain-name naming, using a domain name registered by the developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote, i.e., VCHAR as defined in RFC5234 but without %x22 and %x5c.
Note: This means attestation statement format identifiers based on domain names MUST incorporate only LDH Labels RFC5890.
Attestation statement formats that may exist in multiple versions SHOULD
include a version in their identifier. In effect, different versions are
thus treated as different formats, e.g., packed2 as a new version of the
§ 8.2 Packed Attestation Statement Format.
asfVerify :: a -> DateTime -> AttStmt a -> AuthenticatorData 'Registration 'True -> ClientDataHash -> Validation (NonEmpty (AttStmtVerificationError a)) SomeAttestationType Source #
(spec) The procedure to verify an attestation statement
asfTrustAnchors :: a -> VerifiableAttestationType -> CertificateStore Source #
The trusted root certificates specifically for this attestation statement format. For attestation statement chain validation, these certificates are used, in addition to the ones from the metadata registry
(spec) step 20: If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates) for that attestation type and attestation statement format fmt, from a trusted source or from policy.
While for the attestation statement formats we implement, none of them use
the VerifiableAttestationType, it is implied that it could be used by
the above sentence from the spec.
asfDecode :: a -> HashMap Text Term -> Either Text (AttStmt a) Source #
A decoder for the attestation statement syntax.
The attStmt CBOR map is given as an input. See
Generating an Attestation Object
asfEncode :: a -> AttStmt a -> Term Source #
An encoder for the attestation statement syntax.
The attStmt CBOR map is expected as the result. See
Generating an Attestation Object
Instances
data SomeAttestationStatementFormat Source #
An arbitrary attestation statement format.
In contrast to AttestationStatementFormat, this type can be put into a list.
This is used for singletonAttestationStatementFormat
Constructors
| forall a.AttestationStatementFormat a => SomeAttestationStatementFormat a |
data SupportedAttestationStatementFormats Source #
A type representing the set of supported attestation statement formats.
The constructor is intentionally not exported, use
singletonAttestationStatementFormat instead to construct it and
lookupAttestationStatementFormat to look up formats. <> can be used to
combine multiple formats. mempty can be used for not supporting any formats.
Instances
singletonAttestationStatementFormat :: SomeAttestationStatementFormat -> SupportedAttestationStatementFormats Source #
Creates a SupportedAttestationStatementFormats-Map containing a single
supported format.
lookupAttestationStatementFormat :: Text -> SupportedAttestationStatementFormats -> Maybe SomeAttestationStatementFormat Source #
Attempt to find the desired attestation statement format in a map of supported formats. Can then be used to perform attestation.
Raw fields
Top-level types
data CredentialOptions (c :: CeremonyKind) where Source #
A type encompassing the credential options, both for creation and requesting. The CeremonyKind araument specifies which.
Constructors
| CredentialOptionsRegistration | |
Fields
| |
| CredentialOptionsAuthentication | (spec) The |
Fields
| |
Instances
data Credential (c :: CeremonyKind) raw Source #
(spec) The Credential interface contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.
Constructors
| Credential | |
Fields
| |
Instances
stripRawCredential :: forall c raw. SingI c => Credential c raw -> Credential c 'False Source #
Removes all raw fields from a Credential, useful for
e.g. pretty-printing only the desired fields. This is the counterpart to
encodeRawCredential