Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace AuthenticationExtensionsAuthenticatorInputs with CDDL #1440

Merged
merged 5 commits into from
Jul 1, 2020
Merged

Replace AuthenticationExtensionsAuthenticatorInputs with CDDL #1440

Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
dea84e1
Remove unused WebIDL type AuthenticationExtensionsAuthenticatorInputs
emlun Jun 10, 2020
2cf8fa4
Add formal CDDL definition for authenticator extension in/outputs
emlun Jun 11, 2020
3ca23a8
Implement suggestion from @equalsJeffH
emlun Jun 17, 2020
99321ef
Restore AuthenticationExtensionsAuthenticatorInputs type name and use…
emlun Jun 25, 2020
26f7da8
Expand descriptions of how to extend authenticator extension CDDL
emlun Jun 25, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 55 additions & 10 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -293,6 +293,10 @@ spec: RFC5280; urlPrefix: https://tools.ietf.org/html/rfc5280
type: dfn
text: SubjectPublicKeyInfo; url: section-4.1.2.7

spec: RFC8610; urlPrefix: https://tools.ietf.org/html/rfc8610
type: dfn
text: group sockets; url: section-3.9

</pre> <!-- class=anchors -->

<!-- L128 spec:webappsec-credential-management-1; type:dictionary; for:/; text:CredentialRequestOptions -->
Expand Down Expand Up @@ -864,7 +868,7 @@ below and in [[#index-defined-elsewhere]].
as defined in [[!FIDO-CTAP]].

: CDDL
:: This specification describes the syntax of all [=CBOR=]-encoded data using the CBOR Data Definition Language (CDDL) [[!RFC8610]].
:: This specification describes the syntax of all [=CBOR=]-encoded data using the CBOR Data Definition Language (<dfn>CDDL</dfn>) [[!RFC8610]].

: COSE
:: CBOR Object Signing and Encryption (COSE) [[!RFC8152]]. The IANA COSE Algorithms registry established by this specification is also used.
Expand Down Expand Up @@ -2859,7 +2863,7 @@ The subsections below define the data types used for conveying [=WebAuthn extens

Note: [=Authenticator extension outputs=] are conveyed as a part of [=Authenticator data=] (see [Table 1](#table-authData)).

Note: The types defined below&mdash;{{AuthenticationExtensionsClientInputs}}, {{AuthenticationExtensionsClientOutputs}}, and {{AuthenticationExtensionsAuthenticatorInputs}}&mdash;are applicable to both [=registration extensions=] and [=authentication extensions=]. The "Authentication..." portion of their names should be regarded as meaning "WebAuthentication..."
Note: The types defined below &mdash; {{AuthenticationExtensionsClientInputs}} and {{AuthenticationExtensionsClientOutputs}} &mdash; are applicable to both [=registration extensions=] and [=authentication extensions=]. The "Authentication..." portion of their names should be regarded as meaning "WebAuthentication..."


### Authentication Extensions Client Inputs (dictionary {{AuthenticationExtensionsClientInputs}}) ### {#iface-authentication-extensions-client-inputs}
Expand All @@ -2882,13 +2886,26 @@ This is a dictionary containing the [=client extension input=] values for zero o
This is a dictionary containing the [=client extension output=] values for zero or more [=WebAuthn Extensions=].


### Authentication Extensions Authenticator Inputs (typedef {{AuthenticationExtensionsAuthenticatorInputs}}) ### {#iface-authentication-extensions-authenticator-inputs}
### Authentication Extensions Authenticator Inputs (CDDL type `extensionInputs`) ### {#iface-authentication-extensions-authenticator-inputs}

<xmp class="idl">
typedef record<DOMString, DOMString> AuthenticationExtensionsAuthenticatorInputs;
</xmp>
```
extensionInputs = { * $$extensionInput .within ( tstr => any ) }
```

The [=CDDL=] type `extensionInputs` defines a [=CBOR=] map
containing the [=authenticator extension input=] values for zero or more [=WebAuthn Extensions=].

This type is not exposed to the [=[RP]=], but is used by the [=client=] and [=authenticator=].


### Authentication Extensions Authenticator Outputs (CDDL type `extensionOutputs`) ### {#iface-authentication-extensions-authenticator-outputs}

This is a dictionary containing the [=authenticator extension input=] values for zero or more [=WebAuthn Extensions=].
```
extensionOutputs = { * $$extensionOutput .within ( tstr => any ) }
```

The [=CDDL=] type `extensionOutputs` defines a [=CBOR=] map
containing the [=authenticator extension output=] values for zero or more [=WebAuthn Extensions=].


## Supporting Data Structures ## {#sctn-supporting-data-structures}
Expand Down Expand Up @@ -5253,10 +5270,29 @@ as taking a Boolean client argument, set to [TRUE] to signify that the extension

Extensions that only affect client processing need not specify [=authenticator extension input=]. Extensions that have
authenticator processing MUST specify the method of computing the [=authenticator extension input=] from the [=client extension
input=]. For extensions that do not require input parameters and are defined as taking a Boolean [=client extension input=]
value set to [TRUE], this method SHOULD consist of passing an [=authenticator extension input=] value of [TRUE] (CBOR major type
input=],
and MUST define extensions for the [=CDDL=] types
<code>[[#iface-authentication-extensions-authenticator-inputs|extensionInputs]]</code>
and <code>[[#iface-authentication-extensions-authenticator-outputs|extensionOutputs]]</code>
by defining an additional choice for the `$$extensionInput` and `$$extensionOutput` [=group sockets=].
Extensions that do not require input parameters, and are thus defined as taking a Boolean [=client extension input=]
value set to [TRUE],
SHOULD define the [=authenticator extension input=] also as the constant Boolean value [TRUE] (CBOR major type
7, value 21).

The following example defines that an extension with [=extension identifier|identifier=] `webauthnExample_foobar`
takes an unsigned integer as [=authenticator extension input=],
and returns an array of at least one byte string as [=authenticator extension output=]:

<pre class="example">
$$extensionInput //= (
webauthnExample_foobar: uint
)
$$extensionOutput //= (
webauthnExample_foobar: [+ bytes]
)
</pre>

Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
over low-bandwidth links such as Bluetooth Low-Energy or NFC.

Expand Down Expand Up @@ -5510,6 +5546,12 @@ This extension enables use of a user verification method.
: Authenticator extension input
:: The Boolean value [TRUE], encoded in CBOR (major type 7, value 21).

```
$$extensionInput //= (
uvm: true,
)
```

: Authenticator extension processing
:: The [=authenticator=] sets the [=authenticator extension output=] to be one or more user verification methods indicating the method(s) used
by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.
Expand All @@ -5519,7 +5561,10 @@ This extension enables use of a user verification method.
using the CBOR syntax defined below:

```
uvmFormat = [ 1*3 uvmEntry ]
$$extensionOutput //= (
uvm: [ 1*3 uvmEntry ],
)

uvmEntry = [
userVerificationMethod: uint .size 4,
keyProtectionType: uint .size 2,
Expand Down