Stability | experimental |
---|---|
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
This module contains Haskell-friendly types for structures used in WebAuthn that are used throughout this library. These types are modelled according to the following conventions:
- If a structure has the same semantics for both the
registration and
authentication WebAuthn
ceremonies, then its type is
parametrized by a
c
parameter of kindCeremonyKind
. If such types have differing fields, GADTs are used to distinguish between them, where the constructor name is the type name with a...Registration
or...Authentication
suffix - If the raw bytes are needed for verification purposes of a structure, then
its type is parametrized by a
raw
parameter of kindBool
. Only ifraw ~
, the raw bytes of the necessary structures has to be present in the type. The typeTrue
RawField
is used as a helper type for this. - In order to avoid duplicate record fields, all fields are prefixed with the initials of the constructor name.
- Every type should have a
ToJSON
instance for pretty-printing purposes. This JSON encoding doesn't correspond to any encoding used for sending/receiving these structures, it's only used for pretty-printing, which is why it doesn't need to be standardized. For encoding these structures fromto JSON for sendingreceiving, see theWebIDL
module - Fields of the WebAuthn standard that are optional (for writing) but have
defaults (making them non-optional for reading) are encoded as
non-optional fields, while the defaults are exposed in the
Defaults
module. The alternative of making these fields optional would allow RP not having to specify them, which seems like a less safer option, since the defaults might not be what is really needed, and they might change. The root cause why this decision had to be made is that such assymetrical reading/writing fields don't map nicely to Haskell's records.
TODO: (spec) This library does not currently implement extensions. In order to fully comply with level 2 of the webauthn spec extensions are required. At least, we wish the library to offer a typeclass implementable by relying parties to allow extensions in a scheme similar to the attestation statement formats. Ideally, we would implement all 8 extensions tracked by IANA.
Synopsis
- data CredentialType = CredentialTypePublicKey
- data AuthenticatorTransport
- data AuthenticatorAttachment
- data ResidentKeyRequirement
- data UserVerificationRequirement
- data AttestationConveyancePreference
- data AttestationChain (p :: ProtocolKind) where
- data AttestationKind
- data AttestationType (k :: AttestationKind) where
- data VerifiableAttestationType
- newtype RpId = RpId {}
- newtype RelyingPartyName = RelyingPartyName {}
- newtype UserHandle = UserHandle {}
- generateUserHandle :: MonadRandom m => m UserHandle
- newtype UserAccountDisplayName = UserAccountDisplayName {}
- newtype UserAccountName = UserAccountName {}
- newtype CredentialId = CredentialId {}
- generateCredentialId :: MonadRandom m => m CredentialId
- newtype Challenge = Challenge {}
- generateChallenge :: MonadRandom m => m Challenge
- newtype Timeout = Timeout {}
- newtype AssertionSignature = AssertionSignature {}
- newtype RpIdHash = RpIdHash {}
- newtype ClientDataHash = ClientDataHash {}
- newtype Origin = Origin {}
- newtype SignatureCounter = SignatureCounter {}
- newtype PublicKeyBytes = PublicKeyBytes {}
- data AuthenticationExtensionsClientInputs = AuthenticationExtensionsClientInputs {
- data AuthenticationExtensionsClientOutputs = AuthenticationExtensionsClientOutputs {
- data AuthenticatorExtensionOutputs = AuthenticatorExtensionOutputs {
- data CredentialRpEntity = CredentialRpEntity {}
- data CredentialUserEntity = CredentialUserEntity {}
- data CredentialParameters = CredentialParameters {}
- data CredentialDescriptor = CredentialDescriptor {}
- data AuthenticatorSelectionCriteria = AuthenticatorSelectionCriteria {}
- data AuthenticatorDataFlags = AuthenticatorDataFlags {}
- data CollectedClientData (c :: CeremonyKind) raw = CollectedClientData {
- ccdChallenge :: Challenge
- ccdOrigin :: Origin
- ccdCrossOrigin :: Maybe Bool
- ccdRawData :: RawField raw
- data AttestedCredentialData (c :: CeremonyKind) raw where
- data AuthenticatorData (c :: CeremonyKind) raw = AuthenticatorData {}
- data AttestationObject raw = forall a.AttestationStatementFormat a => AttestationObject {
- aoAuthData :: AuthenticatorData 'Registration raw
- aoFmt :: a
- aoAttStmt :: AttStmt a
- data AuthenticatorResponse (c :: CeremonyKind) raw where
- AuthenticatorResponseRegistration :: {..} -> AuthenticatorResponse 'Registration raw
- AuthenticatorResponseAuthentication :: {..} -> AuthenticatorResponse 'Authentication raw
- data SomeAttestationType = forall k. SomeAttestationType (AttestationType k)
- class (Eq (AttStmt a), Show (AttStmt a), ToJSON (AttStmt a), Typeable a, Show a, Exception (AttStmtVerificationError a)) => AttestationStatementFormat a where
- type AttStmt a :: Type
- type AttStmtVerificationError a :: Type
- asfIdentifier :: a -> Text
- asfVerify :: a -> DateTime -> AttStmt a -> AuthenticatorData 'Registration 'True -> ClientDataHash -> Validation (NonEmpty (AttStmtVerificationError a)) SomeAttestationType
- asfTrustAnchors :: a -> VerifiableAttestationType -> CertificateStore
- asfDecode :: a -> HashMap Text Term -> Either Text (AttStmt a)
- asfEncode :: a -> AttStmt a -> Term
- data SomeAttestationStatementFormat = forall a.AttestationStatementFormat a => SomeAttestationStatementFormat a
- data SupportedAttestationStatementFormats
- singletonAttestationStatementFormat :: SomeAttestationStatementFormat -> SupportedAttestationStatementFormats
- lookupAttestationStatementFormat :: Text -> SupportedAttestationStatementFormats -> Maybe SomeAttestationStatementFormat
- data RawField (raw :: Bool) where
- data CredentialOptions (c :: CeremonyKind) where
- data Credential (c :: CeremonyKind) raw = Credential {}
Enumerations
data CredentialType Source #
(spec) This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and attestation structures according to the type of the authenticator.
To decode/encode this type from/to its standard string, use
decodeCredentialType
/encodeCredentialType
.
Instances
data AuthenticatorTransport Source #
(spec) Authenticators may implement various transports for communicating with clients. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party will typically learn of the supported transports for a public key credential via getTransports().
To decode/encode this type from/to its standard string, use
decodeAuthenticatorTransport
/encodeAuthenticatorTransport
.
AuthenticatorTransportUSB | (spec) Indicates the respective authenticator can be contacted over removable USB. |
AuthenticatorTransportNFC | (spec) Indicates the respective authenticator can be contacted over Near Field Communication (NFC). |
AuthenticatorTransportBLE | (spec) Indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE). |
AuthenticatorTransportInternal | (spec) Indicates the respective authenticator is contacted using a client device-specific transport, i.e., it is a platform authenticator. These authenticators are not removable from the client device. |
AuthenticatorTransportUnknown Text | (spec) An unknown authenticator transport. Note that according to the current version 2 of the WebAuthn standard, unknown fields must be ignored, which is a bit misleading because such unknown values still need to be stored. Draft version 3 of the standard fixes this. |
Instances
data AuthenticatorAttachment Source #
(spec) This enumeration’s values describe authenticators'
attachment modalities.
Relying Parties use this to
express a preferred authenticator attachment modality
when calling navigator.credentials.create()
to create a credential.
To decode/encode this type from/to its standard string, use
decodeAuthenticatorAttachment
/encodeAuthenticatorAttachment
.
AuthenticatorAttachmentPlatform | (spec) This value indicates platform attachment. |
AuthenticatorAttachmentCrossPlatform | (spec) This value indicates cross-platform attachment. |
Instances
data ResidentKeyRequirement Source #
(spec) This enumeration’s values describe the Relying Party's requirements for client-side discoverable credentials (formerly known as resident credentials or resident keys):
To decode/encode this type from/to its standard string, use
decodeResidentKeyRequirement
/encodeResidentKeyRequirement
.
ResidentKeyRequirementDiscouraged | (spec) This value indicates the Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential. |
ResidentKeyRequirementPreferred | (spec) This value indicates the Relying Party
strongly prefers creating a client-side discoverable credential,
but will accept a server-side credential.
For example, user agents SHOULD guide the user through setting up user verification
if needed to create a client-side discoverable credential
in this case. This takes precedence over the setting of |
ResidentKeyRequirementRequired | (spec) This value indicates the Relying Party requires a client-side discoverable credential, and is prepared to receive an error if a client-side discoverable credential cannot be created. |
Instances
data UserVerificationRequirement Source #
(spec) A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its needs.
To decode/encode this type from/to its standard string, use
decodeUserVerificationRequirement
/encodeUserVerificationRequirement
.
UserVerificationRequirementRequired | (spec) This value indicates that the Relying Party requires user verification for the operation and will fail the operation if the response does not have the UV flag set. |
UserVerificationRequirementPreferred | (spec) This value indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set. |
UserVerificationRequirementDiscouraged | (spec) This value indicates that the Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow). |
Instances
data AttestationConveyancePreference Source #
(spec) WebAuthn Relying Parties may use AttestationConveyancePreference to specify their preference regarding attestation conveyance during credential generation.
To decode/encode this type from/to its standard string, use
decodeAttestationConveyancePreference
/encodeAttestationConveyancePreference
.
AttestationConveyancePreferenceNone | (spec) This value indicates that the Relying Party is not interested in authenticator attestation. For example, in order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a roundtrip to an Attestation CA or Anonymization CA. This is the default value. |
AttestationConveyancePreferenceIndirect | (spec) This value indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA, in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem. Note: There is no guarantee that the Relying Party will obtain a verifiable attestation statement in this case. For example, in the case that the authenticator employs self attestation. |
AttestationConveyancePreferenceDirect | (spec) This value indicates that the Relying Party wants to receive the attestation statement as generated by the authenticator. |
AttestationConveyancePreferenceEnterprise | (spec) This value indicates that the Relying Party
wants to receive an attestation statement
that may include uniquely identifying information. This is intended for controlled deployments
within an enterprise where the organization wishes to tie registrations to specific authenticators.
User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration
permits it for the requested If permitted, the user agent SHOULD signal to the authenticator (at invocation time) that enterprise attestation is requested, and convey the resulting AAGUID and attestation statement, unaltered, to the Relying Party. |
Instances
data AttestationChain (p :: ProtocolKind) where Source #
An X.509 certificate chain that can be used to verify an attestation statement
Fido2Chain :: NonEmpty SignedCertificate -> AttestationChain 'Fido2 | For Fido 2, we can have a chain consisting of multiple certificates. |
FidoU2FCert :: SignedCertificate -> AttestationChain 'FidoU2F | For Fido U2F, we can only have a single certificate, which is then also
used to generate the |
Instances
ToJSON (AttestationChain p) Source # | |
Defined in Crypto.WebAuthn.Model.Types toJSON :: AttestationChain p -> Value # toEncoding :: AttestationChain p -> Encoding # toJSONList :: [AttestationChain p] -> Value # toEncodingList :: [AttestationChain p] -> Encoding # | |
Show (AttestationChain p) Source # | |
Defined in Crypto.WebAuthn.Model.Types showsPrec :: Int -> AttestationChain p -> ShowS # show :: AttestationChain p -> String # showList :: [AttestationChain p] -> ShowS # | |
Eq (AttestationChain p) Source # | |
Defined in Crypto.WebAuthn.Model.Types (==) :: AttestationChain p -> AttestationChain p -> Bool # (/=) :: AttestationChain p -> AttestationChain p -> Bool # |
data AttestationKind Source #
A Haskell kind for the attestation type, indicating whether we have verifiable information about the authenticator that created the public key credential.
Unverifiable | An unverifiable attestation type. This includes None and Self attestation. This kind indicates that we do not have any information about the authenticator model used. |
Verifiable ProtocolKind | A verifiable attestation type. This includes Basic, AttCA and AnonCA attestation. This kind indicates that we have verifiable information about the authenticator model used. |
data AttestationType (k :: AttestationKind) where Source #
(spec) WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust models:
AttestationTypeNone :: AttestationType 'Unverifiable | (spec) In this case, no attestation information is available. See also § 8.7 None Attestation Statement Format. |
AttestationTypeSelf :: AttestationType 'Unverifiable | (spec) In the case of self attestation, also known as surrogate basic attestation UAFProtocol, the Authenticator does not have any specific attestation key pair. Instead it uses the credential private key to create the attestation signature. Authenticators without meaningful protection measures for an attestation private key typically use this attestation type. |
AttestationTypeVerifiable | Grouping of attestations that are verifiable by a certificate chain |
|
Instances
ToJSON (AttestationType k) Source # | |
Defined in Crypto.WebAuthn.Model.Types toJSON :: AttestationType k -> Value # toEncoding :: AttestationType k -> Encoding # toJSONList :: [AttestationType k] -> Value # toEncodingList :: [AttestationType k] -> Encoding # | |
Show (AttestationType k) Source # | |
Defined in Crypto.WebAuthn.Model.Types showsPrec :: Int -> AttestationType k -> ShowS # show :: AttestationType k -> String # showList :: [AttestationType k] -> ShowS # | |
Eq (AttestationType k) Source # | |
Defined in Crypto.WebAuthn.Model.Types (==) :: AttestationType k -> AttestationType k -> Bool # (/=) :: AttestationType k -> AttestationType k -> Bool # |
data VerifiableAttestationType Source #
An attestation type that is verifiable, indicating that we can have trusted information about the authenticator that created the public key credential
VerifiableAttestationTypeUncertain | Attestation statements conveying attestations of type AttCA or AnonCA use the same data structure as those of type Basic, so the three attestation types are, in general, distinguishable only with externally provided knowledge regarding the contents of the attestation certificates conveyed in the attestation statement. |
VerifiableAttestationTypeBasic | (spec) In the case of basic attestation UAFProtocol, the authenticator’s attestation key pair is specific to an authenticator "model", i.e., a "batch" of authenticators. Thus, authenticators of the same, or similar, model often share the same attestation key pair. See § 14.4.1 Attestation Privacy for further information. |
VerifiableAttestationTypeAttCA | (spec) In this case, an authenticator is based on a Trusted Platform Module (TPM) and holds an authenticator-specific "endorsement key" (EK). This key is used to securely communicate with a trusted third party, the Attestation CA TCG-CMCProfile-AIKCertEnroll (formerly known as a "Privacy CA"). The authenticator can generate multiple attestation identity key pairs (AIK) and requests an Attestation CA to issue an AIK certificate for each. Using this approach, such an authenticator can limit the exposure of the EK (which is a global correlation handle) to Attestation CA(s). AIKs can be requested for each authenticator-generated public key credential individually, and conveyed to Relying Parties as attestation certificates. |
VerifiableAttestationTypeAnonCA | (spec) In this case, the authenticator uses an Anonymization CA which dynamically generates per-[credential](https:/w3c.github.iowebappsec-credential-management/#concept-credential) attestation certificates such that the attestation statements presented to Relying Parties do not provide uniquely identifiable information, e.g., that might be used for tracking purposes. |
Instances
Newtypes
(spec) A valid domain string
identifying the WebAuthn Relying Party
on whose behalf a given registration
or authentication ceremony is being performed.
A public key credential
can only be used for authentication
with the same entity (as identified by RpId
) it was registered with.
By default, the RpId
for a WebAuthn operation is set to the caller’s
origin's
effective domain.
This default MAY be overridden by the caller, as long as the caller-specified RpId
value
is a registrable domain suffix of or is equal to
the caller’s origin's
effective domain.
TODO: RpId
is used for both https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrpentity-id
and https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-rpid, but the former
uses DOMString, while the latter uses USVString. Is this a bug in the spec or is there an actual difference?
newtype RelyingPartyName Source #
(spec) A human-palatable identifier for the Relying Party, intended only for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".
- Relying Parties SHOULD perform
enforcement, as prescribed in Section 2.3 of RFC8266
for the Nickname Profile of the PRECIS FreeformClass RFC8264,
when setting
RelyingPartyName
s value, or displaying the value to the user. - This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
Instances
newtype UserHandle Source #
(spec) The user handle is specified by a Relying Party,
as the value of id
, and used to map
a specific public key credential
to a specific user account with the Relying Party.
Authenticators in turn map
RP IDs and user handle pairs to public key credential sources.
A user handle is an opaque byte sequence
with a maximum size of 64 bytes, and is not meant to be displayed to the user.
Instances
generateUserHandle :: MonadRandom m => m UserHandle Source #
(spec) A user handle is an opaque byte sequence with a maximum size of 64 bytes, and is not meant to be displayed to the user.
newtype UserAccountDisplayName Source #
(spec) A human-palatable name for the user account, intended only for display. For example, "Alex Müller" or "田中倫". The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary.
- Relying Parties SHOULD perform
enforcement, as prescribed in Section 2.3 of RFC8266
for the Nickname Profile of the PRECIS FreeformClass RFC8264,
when setting
cueDisplayName
s value, or displaying the value to the user. - This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
Instances
ToJSON UserAccountDisplayName Source # | |
Defined in Crypto.WebAuthn.Model.Types toJSON :: UserAccountDisplayName -> Value # toEncoding :: UserAccountDisplayName -> Encoding # toJSONList :: [UserAccountDisplayName] -> Value # | |
IsString UserAccountDisplayName Source # | |
Defined in Crypto.WebAuthn.Model.Types | |
Show UserAccountDisplayName Source # | |
Defined in Crypto.WebAuthn.Model.Types showsPrec :: Int -> UserAccountDisplayName -> ShowS # show :: UserAccountDisplayName -> String # showList :: [UserAccountDisplayName] -> ShowS # | |
Eq UserAccountDisplayName Source # | |
Defined in Crypto.WebAuthn.Model.Types | |
Encode UserAccountDisplayName Source # | |
Decode m UserAccountDisplayName Source # | |
type JSON UserAccountDisplayName Source # | |
newtype UserAccountName Source #
(spec) A human-palatable identifier for a user account.
It is intended only for display, i.e., aiding the user in determining the difference between user accounts with
similar cueDisplayName
s. For example, "alexm", "alex.mueller@example.com" or "+14255551234".
- The Relying Party MAY let the user choose this value.
The Relying Party SHOULD perform enforcement,
as prescribed in Section 3.4.3 of RFC8265
for the UsernameCasePreserved Profile of the PRECIS IdentifierClass
RFC8264, when setting
UserAccountName
s value, or displaying the value to the user. - This string MAY contain language and direction metadata. Relying Parties SHOULD consider providing this information. See § 6.4.2 Language and Direction Encoding about how this metadata is encoded.
Instances
newtype CredentialId Source #
(spec) A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions.
Instances
generateCredentialId :: MonadRandom m => m CredentialId Source #
(spec) Generates a random CredentialId
using 16 random bytes.
This is only useful for authenticators, not for relying parties.
This function is only included for completeness and testing purposes.
(spec) This member contains a challenge intended to be used for generating the newly created credential’s attestation object. See the § 13.4.3 Cryptographic Challenges security consideration.
generateChallenge :: MonadRandom m => m Challenge Source #
(spec) In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD therefore be at least 16 bytes long.
(spec) This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and MAY be overridden by the client.
newtype AssertionSignature Source #
(spec) An assertion signature is produced when the authenticatorGetAssertion method is invoked. It represents an assertion by the authenticator that the user has consented to a specific transaction, such as logging in, or completing a purchase. Thus, an assertion signature asserts that the authenticator possessing a particular credential private key has established, to the best of its ability, that the user requesting this transaction is the same user who consented to creating that particular public key credential. It also asserts additional information, termed client data, that may be useful to the caller, such as the means by which user consent was provided, and the prompt shown to the user by the authenticator. The assertion signature format is illustrated in Figure 4, below.
Instances
ToJSON AssertionSignature Source # | |
Defined in Crypto.WebAuthn.Model.Types toJSON :: AssertionSignature -> Value # toEncoding :: AssertionSignature -> Encoding # toJSONList :: [AssertionSignature] -> Value # toEncodingList :: [AssertionSignature] -> Encoding # | |
Show AssertionSignature Source # | |
Defined in Crypto.WebAuthn.Model.Types showsPrec :: Int -> AssertionSignature -> ShowS # show :: AssertionSignature -> String # showList :: [AssertionSignature] -> ShowS # | |
Eq AssertionSignature Source # | |
Defined in Crypto.WebAuthn.Model.Types (==) :: AssertionSignature -> AssertionSignature -> Bool # (/=) :: AssertionSignature -> AssertionSignature -> Bool # | |
Encode AssertionSignature Source # | |
Defined in Crypto.WebAuthn.Encoding.Internal.WebAuthnJson type JSON AssertionSignature Source # | |
Decode m AssertionSignature Source # | |
type JSON AssertionSignature Source # | |
(spec) SHA-256 hash of the RP ID the credential is scoped to.
newtype ClientDataHash Source #
(spec) This is the hash (computed using SHA-256) of the JSON-compatible serialization of client data, as constructed by the client.
Instances
ToJSON ClientDataHash Source # | |
Defined in Crypto.WebAuthn.Model.Types toJSON :: ClientDataHash -> Value # toEncoding :: ClientDataHash -> Encoding # toJSONList :: [ClientDataHash] -> Value # toEncodingList :: [ClientDataHash] -> Encoding # | |
Show ClientDataHash Source # | |
Defined in Crypto.WebAuthn.Model.Types showsPrec :: Int -> ClientDataHash -> ShowS # show :: ClientDataHash -> String # showList :: [ClientDataHash] -> ShowS # | |
Eq ClientDataHash Source # | |
Defined in Crypto.WebAuthn.Model.Types (==) :: ClientDataHash -> ClientDataHash -> Bool # (/=) :: ClientDataHash -> ClientDataHash -> Bool # |
newtype SignatureCounter Source #
Instances
newtype PublicKeyBytes Source #
The encoding of a CosePublicKey
Instances
ToJSON PublicKeyBytes Source # | |
Defined in Crypto.WebAuthn.Model.Types toJSON :: PublicKeyBytes -> Value # toEncoding :: PublicKeyBytes -> Encoding # toJSONList :: [PublicKeyBytes] -> Value # toEncodingList :: [PublicKeyBytes] -> Encoding # | |
Show PublicKeyBytes Source # | |
Defined in Crypto.WebAuthn.Model.Types showsPrec :: Int -> PublicKeyBytes -> ShowS # show :: PublicKeyBytes -> String # showList :: [PublicKeyBytes] -> ShowS # | |
Eq PublicKeyBytes Source # | |
Defined in Crypto.WebAuthn.Model.Types (==) :: PublicKeyBytes -> PublicKeyBytes -> Bool # (/=) :: PublicKeyBytes -> PublicKeyBytes -> Bool # |
Extensions (unimplemented, see module documentation)
data AuthenticationExtensionsClientInputs Source #
(spec) This is a dictionary containing the client extension input values for zero or more WebAuthn Extensions. TODO: Extensions are not implemented by this library, see Crypto.WebAuthn.Model.Types.
Instances
data AuthenticationExtensionsClientOutputs Source #
(spec) This is a dictionary containing the client extension output values for zero or more WebAuthn Extensions. TODO: Extensions are not implemented by this library, see Crypto.WebAuthn.Model.Types.
Instances
data AuthenticatorExtensionOutputs Source #
Instances
Dictionaries
data CredentialRpEntity Source #
(spec) The CredentialRpEntity
dictionary is used to supply additional
Relying Party attributes when creating a new credential.
CredentialRpEntity | |
|
Instances
data CredentialUserEntity Source #
(spec) The CredentialUserEntity
dictionary is used to supply additional
user account attributes when creating a new credential.
CredentialUserEntity | |
|
Instances
data CredentialParameters Source #
(spec) This dictionary is used to supply additional parameters when creating a new credential.
CredentialParameters | |
|
Instances
data CredentialDescriptor Source #
(spec) This dictionary contains the attributes that are specified by a caller when referring to a
public key credential as an input parameter to the
create() or
get() methods.
It mirrors the fields of the Credential
object returned by the latter methods.
CredentialDescriptor | |
|
Instances
data AuthenticatorSelectionCriteria Source #
(spec) WebAuthn Relying Parties
may use the AuthenticatorSelectionCriteria
dictionary to specify their
requirements regarding authenticator attributes.
AuthenticatorSelectionCriteria | |
|
Instances
data AuthenticatorDataFlags Source #
AuthenticatorDataFlags | |
|
Instances
data CollectedClientData (c :: CeremonyKind) raw Source #
(spec) The client data represents the contextual bindings of both the WebAuthn Relying Party and the client.
For binary serialization of thes type, see
Crypto.WebAuthn.Encoding.Binary. If decoded with
decodeCollectedClientData
, the
ccdRawData
field is filled out with the raw bytes, while
encodeRawCollectedClientData
can be used
to fill out this field when constructing this value otherwise. Unchecked
invariant: If raw ~
, then
'Crypto.WebAuthn.Encoding.Binary.encodeRawCollectedClientData c = c',
ensuring that the True
ccdRawData
field should always correspond to its
encoding. This means that if raw ~
, it's not safe to modify
individual fields. To make changes, first use
True
stripRawCollectedClientData
, make the
changes on the result, then call
encodeRawCollectedClientData
on that. Note
however that any modifications also invalidate signatures over the binary
data, specifically araSignature
and aoAttStmt
.
CollectedClientData | |
|
Instances
data AttestedCredentialData (c :: CeremonyKind) raw where Source #
(spec) Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation object for a given credential.
AttestedCredentialData | |
| |
NoAttestedCredentialData :: AttestedCredentialData 'Authentication raw |
Instances
ToJSON (AttestedCredentialData c raw) Source # | |
Defined in Crypto.WebAuthn.Model.Types toJSON :: AttestedCredentialData c raw -> Value # toEncoding :: AttestedCredentialData c raw -> Encoding # toJSONList :: [AttestedCredentialData c raw] -> Value # toEncodingList :: [AttestedCredentialData c raw] -> Encoding # | |
Show (AttestedCredentialData c raw) Source # | |
Defined in Crypto.WebAuthn.Model.Types showsPrec :: Int -> AttestedCredentialData c raw -> ShowS # show :: AttestedCredentialData c raw -> String # showList :: [AttestedCredentialData c raw] -> ShowS # | |
Eq (AttestedCredentialData c raw) Source # | |
Defined in Crypto.WebAuthn.Model.Types (==) :: AttestedCredentialData c raw -> AttestedCredentialData c raw -> Bool # (/=) :: AttestedCredentialData c raw -> AttestedCredentialData c raw -> Bool # |
data AuthenticatorData (c :: CeremonyKind) raw Source #
(spec) The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.
For the binary serialization of this type, see
Crypto.WebAuthn.Encoding.Binary. If decoded with
decodeAuthenticatorData
, the adRawData
field is filled out with the binary serialization, while
encodeRawAuthenticatorData
can be used to
fill out this field when constructing this value otherwise. This also
applies to raw acdCredentialPublicKeyBytes
field in
adAttestedCredentialData
. Unchecked invariant: If raw ~
, then
'Crypto.WebAuthn.Encoding.Binary.encodeRawAuthenticatorData d = d', ensuring
that the True
adRawData
and acdCredentialPublicKeyBytes
fields should always
correspond to their respective binary serializations. This means that if
raw ~
, it's not safe to modify individual fields. To make changes,
first use True
stripRawAuthenticatorData
, make
the changes on the result, then call
encodeRawAuthenticatorData
on that. Note
however that any modifications also invalidate signatures over the binary
data, specifically araSignature
and aoAttStmt
.
AuthenticatorData | |
|
Instances
data AttestationObject raw Source #
For the binary
serialization
of this type, see Crypto.WebAuthn.Encoding.Binary. If decoded with
decodeAttestationObject
, the aoAuthData
field is filled out with the binary serialization of its fields, while
encodeRawAttestationObject
can be used to
fill out this field when constructing this value otherwise. Unchecked
invariant: If raw ~
, then
'Crypto.WebAuthn.Encoding.Binary.encodeRawAttestationObject o = o', ensuring
that the binary fields of the True
aoAuthData
field should always correspond to
their respective serializations. This means that if raw ~
, it's not
safe to modify individual fields. To make changes, first use
True
stripRawAttestationObject
, make the
changes on the result, then call
encodeRawAttestationObject
on that. Note
however that any modifications also invalidate signatures over the binary
data, specifically aoAttStmt
. The
encodeAttestationObject
can be used to get
the binary encoding of this type when raw ~
.True
forall a.AttestationStatementFormat a => AttestationObject | |
|
Instances
data AuthenticatorResponse (c :: CeremonyKind) raw where Source #
(spec) Authenticators respond to Relying Party requests by returning an object derived from the `AuthenticatorResponse` interface
AuthenticatorResponseRegistration | (spec) The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration. |
| |
AuthenticatorResponseAuthentication | (spec) The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction. |
|
Instances
Attestation Statement Formats
data SomeAttestationType Source #
The result from verifying an attestation statement.
Either the result is verifiable, in which case k ~
, the
Verifiable
AttestationType
contains a verifiable certificate chain.
Or the result is not verifiable, in which case k ~
, the
Unverifiable
AttestationType
is None or Self.
forall k. SomeAttestationType (AttestationType k) |
class (Eq (AttStmt a), Show (AttStmt a), ToJSON (AttStmt a), Typeable a, Show a, Exception (AttStmtVerificationError a)) => AttestationStatementFormat a where Source #
(spec) This class is used to specify an attestation statement format's identifier and attestation statement structure
type AttStmt a :: Type Source #
The type of a fully-decoded and structurally valid attestation statement
type AttStmtVerificationError a :: Type Source #
The type of verification errors that can occur when verifying this
attestation statement using asfVerify
asfIdentifier :: a -> Text Source #
(spec) Attestation statement formats are identified by a string, called an attestation statement format identifier, chosen by the author of the attestation statement format.
Attestation statement format identifiers SHOULD be registered in the IANA "WebAuthn Attestation Statement Format Identifiers" registry IANA-WebAuthn-Registries established by RFC8809. All registered attestation statement format identifiers are unique amongst themselves as a matter of course.
Unregistered attestation statement format identifiers SHOULD use lowercase reverse domain-name naming, using a domain name registered by the developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote, i.e., VCHAR as defined in RFC5234 but without %x22 and %x5c.
Note: This means attestation statement format identifiers based on domain names MUST incorporate only LDH Labels RFC5890.
Attestation statement formats that may exist in multiple versions SHOULD
include a version in their identifier. In effect, different versions are
thus treated as different formats, e.g., packed2
as a new version of the
§ 8.2 Packed Attestation Statement Format.
asfVerify :: a -> DateTime -> AttStmt a -> AuthenticatorData 'Registration 'True -> ClientDataHash -> Validation (NonEmpty (AttStmtVerificationError a)) SomeAttestationType Source #
(spec) The procedure to verify an attestation statement
asfTrustAnchors :: a -> VerifiableAttestationType -> CertificateStore Source #
The trusted root certificates specifically for this attestation statement format. For attestation statement chain validation, these certificates are used, in addition to the ones from the metadata registry
(spec) step 20: If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates) for that attestation type and attestation statement format fmt, from a trusted source or from policy.
While for the attestation statement formats we implement, none of them use
the VerifiableAttestationType
, it is implied that it could be used by
the above sentence from the spec.
asfDecode :: a -> HashMap Text Term -> Either Text (AttStmt a) Source #
A decoder for the attestation statement syntax.
The attStmt
CBOR map is given as an input. See
Generating an Attestation Object
asfEncode :: a -> AttStmt a -> Term Source #
An encoder for the attestation statement syntax.
The attStmt
CBOR map is expected as the result. See
Generating an Attestation Object
Instances
data SomeAttestationStatementFormat Source #
An arbitrary attestation statement format.
In contrast to AttestationStatementFormat
, this type can be put into a list.
This is used for singletonAttestationStatementFormat
forall a.AttestationStatementFormat a => SomeAttestationStatementFormat a |
data SupportedAttestationStatementFormats Source #
A type representing the set of supported attestation statement formats.
The constructor is intentionally not exported, use
singletonAttestationStatementFormat
instead to construct it and
lookupAttestationStatementFormat
to look up formats. <>
can be used to
combine multiple formats. mempty
can be used for not supporting any formats.
Instances
singletonAttestationStatementFormat :: SomeAttestationStatementFormat -> SupportedAttestationStatementFormats Source #
Creates a SupportedAttestationStatementFormats
-Map containing a single
supported format.
lookupAttestationStatementFormat Source #
:: Text | The desired format, e.g. "android-safetynet" or "none" |
-> SupportedAttestationStatementFormats | The attestation statement formats
that should be supported. The value of |
-> Maybe SomeAttestationStatementFormat |
Attempt to find the desired attestation statement format in a map of supported formats. Can then be used to perform attestation.
Raw fields
Top-level types
data CredentialOptions (c :: CeremonyKind) where Source #
A type encompassing the credential options, both for creation and requesting. The CeremonyKind araument specifies which.
Values of this type are send to the client to create and get a credential. After they have been sent, they have to be stored awaiting the response from the client for further validation. At least the following fields have to be stored, the others are not currently used.
For verifyRegistrationResponse
:
corChallenge
ascUserVerification
ofcorAuthenticatorSelection
corPubKeyCredParams
corUser
(of whichcueId
is used in theverifyRegistrationResponse
, and it and the other fields are need to be stored permanently by the relying party as the user entity).
For verifyAuthenticationResponse
:
Depending on implementation choices by the RP, some of these fields might additionally be constants, and could thus also be omitted when storing.
CredentialOptionsRegistration | |
| |
CredentialOptionsAuthentication | (spec) The |
|
Instances
data Credential (c :: CeremonyKind) raw Source #
(spec) The Credential
interface contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.
This type has nested fields which use a binary encoding that needs to be
preserved for verification purposes. The binary encoding of these fields can
be removed or recomputed using functions from
Crypto.WebAuthn.Encoding.Binary. Specifically
stripRawCredential
and
encodeRawCredential
respectively.
Unchecked invariant: If raw ~
, then
'Crypto.WebAuthn.Encoding.Binary.encodeRawCredential c = c', ensuring that
the binary fields should always correspond to the values respective
serializations. This means that if True
raw ~
, it's not safe to modify
individual fields. To make changes, first use
True
stripRawCredential
, make the changes on
the result, then call encodeRawCredential
on that. Note however that any modifications also invalidate signatures over
the binary data, specifically araSignature
and aoAttStmt
.
Credential | |
|