lib.rs (67851B)
1 //! [![git]](https://git.philomathiclife.com/webauthn_rp/log.html) [![crates-io]](https://crates.io/crates/webauthn_rp) [![docs-rs]](crate) 2 //! 3 //! [git]: https://git.philomathiclife.com/git_badge.svg 4 //! [crates-io]: https://img.shields.io/badge/crates.io-fc8d62?style=for-the-badge&labelColor=555555&logo=rust 5 //! [docs-rs]: https://img.shields.io/badge/docs.rs-66c2a5?style=for-the-badge&labelColor=555555&logo=docs.rs 6 //! 7 //! `webauthn_rp` is a library for _server-side_ 8 //! [Web Authentication (WebAuthn)](https://www.w3.org/TR/webauthn-3/#sctn-rp-operations) Relying Party 9 //! (RP) operations. 10 //! 11 //! The purpose of a server-side RP library is to be modular so that any client can be used with it as a backend 12 //! _including_ native applications—WebAuthn technically only covers web applications; however it's relatively easy 13 //! to adapt to native applications as well. It achieves this by not assuming how data is sent to/from the client; 14 //! having said that, there are pre-defined serialization formats for "common" deployments which can be used when 15 //! [`serde`](#serde) is enabled. 16 //! 17 //! ## `webauthn_rp` in action 18 //! 19 //! ```no_run 20 //! use core::convert; 21 //! use webauthn_rp::{ 22 //! AuthenticatedCredential64, DiscoverableAuthentication64, DiscoverableAuthenticationServerState, 23 //! DiscoverableCredentialRequestOptions, CredentialCreationOptions64, RegisteredCredential64, 24 //! Registration, RegistrationServerState64, 25 //! hash::hash_set::FixedCapHashSet, 26 //! request::{ 27 //! PublicKeyCredentialDescriptor, RpId, 28 //! auth::AuthenticationVerificationOptions, 29 //! register::{ 30 //! Nickname, PublicKeyCredentialUserEntity64, RegistrationVerificationOptions, 31 //! UserHandle64, Username, 32 //! }, 33 //! }, 34 //! response::{ 35 //! CredentialId, 36 //! auth::error::AuthCeremonyErr, 37 //! register::{CompressedPubKeyOwned, DynamicState, error::RegCeremonyErr}, 38 //! }, 39 //! }; 40 //! # #[cfg(feature = "serde")] 41 //! use serde::de::{Deserialize, Deserializer}; 42 //! # #[cfg(feature = "serde_relaxed")] 43 //! use serde_json::Error as JsonErr; 44 //! /// The RP ID our application uses. 45 //! const RP_ID: &RpId = &RpId::from_static_domain("example.com").unwrap(); 46 //! /// The registration verification options. 47 //! const REG_OPTS: &RegistrationVerificationOptions::<'static, 'static, &'static str, &'static str> = &RegistrationVerificationOptions::new(); 48 //! /// The authentication verification options. 49 //! const AUTH_OPTS: &AuthenticationVerificationOptions::<'static, 'static, &'static str, &'static str> = &AuthenticationVerificationOptions::new(); 50 //! /// Error we return in our application when a function fails. 51 //! enum AppErr { 52 //! /// WebAuthn registration ceremony failed. 53 //! RegCeremony(RegCeremonyErr), 54 //! /// WebAuthn authentication ceremony failed. 55 //! AuthCeremony(AuthCeremonyErr), 56 //! /// Unable to insert a WebAuthn ceremony. 57 //! WebAuthnCeremonyCreation, 58 //! /// WebAuthn ceremony does not exist; thus the ceremony could not be completed. 59 //! MissingWebAuthnCeremony, 60 //! /// General error related to JSON deserialization. 61 //! # #[cfg(feature = "serde_relaxed")] 62 //! Json(JsonErr), 63 //! /// No account exists associated with a particular `UserHandle64`. 64 //! NoAccount, 65 //! /// No credential exists associated with a particular `CredentialId`. 66 //! NoCredential, 67 //! /// `CredentialId` exists but the associated `UserHandle64` does not match. 68 //! CredentialUserIdMismatch, 69 //! } 70 //! # #[cfg(feature = "serde_relaxed")] 71 //! impl From<JsonErr> for AppErr { 72 //! fn from(value: JsonErr) -> Self { 73 //! Self::Json(value) 74 //! } 75 //! } 76 //! impl From<RegCeremonyErr> for AppErr { 77 //! fn from(value: RegCeremonyErr) -> Self { 78 //! Self::RegCeremony(value) 79 //! } 80 //! } 81 //! impl From<AuthCeremonyErr> for AppErr { 82 //! fn from(value: AuthCeremonyErr) -> Self { 83 //! Self::AuthCeremony(value) 84 //! } 85 //! } 86 //! /// First-time account creation. 87 //! /// 88 //! /// This gets sent from the user after an account is created on their side. The registration ceremony 89 //! /// still has to be successfully completed for the account to be created server side. In the event of an error, 90 //! /// the user should delete the created passkey since it won't be usable. 91 //! struct AccountReg<'a, 'b> { 92 //! registration: Registration, 93 //! user_name: Username<'a>, 94 //! user_display_name: Nickname<'b>, 95 //! } 96 //! # #[cfg(feature = "serde")] 97 //! impl<'de: 'a + 'b, 'a, 'b> Deserialize<'de> for AccountReg<'a, 'b> { 98 //! fn deserialize<D>(deserializer: D) -> Result<Self, D::Error> 99 //! where 100 //! D: Deserializer<'de>, 101 //! { 102 //! // ⋮ 103 //! # panic!(""); 104 //! } 105 //! } 106 //! /// Starts account creation. 107 //! /// 108 //! /// This only makes sense for greenfield deployments since account information (e.g., user name) would likely 109 //! /// already exist otherwise. This is similar to credential creation except a random `UserHandle64` is generated and 110 //! /// will be used for subsequent credential registrations. 111 //! # #[cfg(feature = "serde_relaxed")] 112 //! fn start_account_creation( 113 //! reg_ceremonies: &mut FixedCapHashSet<RegistrationServerState64>, 114 //! ) -> Result<Vec<u8>, AppErr> { 115 //! let user_id = UserHandle64::new(); 116 //! let (server, client) = 117 //! CredentialCreationOptions64::first_passkey_with_blank_user_info( 118 //! RP_ID, &user_id, 119 //! ) 120 //! .start_ceremony() 121 //! .unwrap_or_else(|_e| { 122 //! unreachable!("we don't manually mutate the options and we assume the server clock is functioning; thus this won't error") 123 //! }); 124 //! if reg_ceremonies.insert_remove_all_expired(server).is_some_and(convert::identity) 125 //! { 126 //! Ok(serde_json::to_vec(&client) 127 //! .unwrap_or_else(|_e| unreachable!("bug in RegistrationClientState64::serialize"))) 128 //! } else { 129 //! Err(AppErr::WebAuthnCeremonyCreation) 130 //! } 131 //! } 132 //! /// Finishes account creation. 133 //! /// 134 //! /// Pending a successful registration ceremony, a new account associated with the randomly generated 135 //! /// `UserHandle64` will be created with a corresponding passkey entry. This passkey will be used to 136 //! /// log into the application. 137 //! /// 138 //! /// Note if this errors, then the user should be notified to delete the passkey created on their 139 //! /// authenticator. 140 //! # #[cfg(feature = "serde_relaxed")] 141 //! fn finish_account_creation( 142 //! reg_ceremonies: &mut FixedCapHashSet<RegistrationServerState64>, 143 //! client_data: &[u8], 144 //! ) -> Result<(), AppErr> { 145 //! let account = serde_json::from_slice::<AccountReg<'_, '_>>(client_data)?; 146 //! insert_account( 147 //! &account, 148 //! reg_ceremonies 149 //! // `Registration::challenge_relaxed` is available iff `serde_relaxed` is enabled. 150 //! .take(&account.registration.challenge_relaxed()?) 151 //! .ok_or(AppErr::MissingWebAuthnCeremony)? 152 //! .verify( 153 //! RP_ID, 154 //! &account.registration, 155 //! REG_OPTS, 156 //! )?, 157 //! ) 158 //! } 159 //! /// Starts passkey registration. 160 //! /// 161 //! /// This is used for _existing_ accounts where the user is already logged in and wants to register another 162 //! /// passkey. This is similar to account creation except we already have the user entity info and we need to 163 //! /// fetch the registered `PublicKeyCredentialDescriptor`s to avoid accidentally overwriting a passkey on 164 //! /// the authenticator. 165 //! # #[cfg(feature = "serde_relaxed")] 166 //! fn start_cred_registration( 167 //! user_id: &UserHandle64, 168 //! reg_ceremonies: &mut FixedCapHashSet<RegistrationServerState64>, 169 //! ) -> Result<Vec<u8>, AppErr> { 170 //! let (entity, creds) = select_user_info(user_id)?.ok_or(AppErr::NoAccount)?; 171 //! let (server, client) = CredentialCreationOptions64::passkey(RP_ID, entity, creds) 172 //! .start_ceremony() 173 //! .unwrap_or_else(|_e| { 174 //! unreachable!("we don't manually mutate the options and we assume the server clock is functioning; thus this won't error") 175 //! }); 176 //! if reg_ceremonies.insert_remove_all_expired(server).is_some_and(convert::identity) 177 //! { 178 //! Ok(serde_json::to_vec(&client) 179 //! .unwrap_or_else(|_e| unreachable!("bug in RegistrationClientState64::serialize"))) 180 //! } else { 181 //! Err(AppErr::WebAuthnCeremonyCreation) 182 //! } 183 //! } 184 //! /// Finishes passkey registration. 185 //! /// 186 //! /// Pending a successful registration ceremony, a new credential associated with the `UserHandle64` 187 //! /// will be created. This passkey can then be used to log into the application just like any other registered 188 //! /// passkey. 189 //! /// 190 //! /// Note if this errors, then the user should be notified to delete the passkey created on their 191 //! /// authenticator. 192 //! # #[cfg(feature = "serde_relaxed")] 193 //! fn finish_cred_registration( 194 //! reg_ceremonies: &mut FixedCapHashSet<RegistrationServerState64>, 195 //! client_data: &[u8], 196 //! ) -> Result<(), AppErr> { 197 //! // `Registration::from_json_custom` is available iff `serde_relaxed` is enabled. 198 //! let registration = Registration::from_json_custom(client_data)?; 199 //! insert_credential( 200 //! reg_ceremonies 201 //! // `Registration::challenge_relaxed` is available iff `serde_relaxed` is enabled. 202 //! .take(®istration.challenge_relaxed()?) 203 //! .ok_or(AppErr::MissingWebAuthnCeremony)? 204 //! .verify( 205 //! RP_ID, 206 //! ®istration, 207 //! REG_OPTS, 208 //! )?, 209 //! ) 210 //! } 211 //! /// Starts the passkey authentication ceremony. 212 //! # #[cfg(feature = "serde_relaxed")] 213 //! fn start_auth( 214 //! auth_ceremonies: &mut FixedCapHashSet<DiscoverableAuthenticationServerState>, 215 //! ) -> Result<Vec<u8>, AppErr> { 216 //! let (server, client) = DiscoverableCredentialRequestOptions::passkey(RP_ID) 217 //! .start_ceremony() 218 //! .unwrap_or_else(|_e| { 219 //! unreachable!("we don't manually mutate the options and we assume the server clock is functioning; thus this won't error") 220 //! }); 221 //! if auth_ceremonies.insert_remove_all_expired(server).is_some_and(convert::identity) 222 //! { 223 //! Ok(serde_json::to_vec(&client).unwrap_or_else(|_e| { 224 //! unreachable!("bug in DiscoverableAuthenticationClientState::serialize") 225 //! })) 226 //! } else { 227 //! Err(AppErr::WebAuthnCeremonyCreation) 228 //! } 229 //! } 230 //! /// Finishes the passkey authentication ceremony. 231 //! # #[cfg(feature = "serde_relaxed")] 232 //! fn finish_auth( 233 //! auth_ceremonies: &mut FixedCapHashSet<DiscoverableAuthenticationServerState>, 234 //! client_data: &[u8], 235 //! ) -> Result<(), AppErr> { 236 //! // `DiscoverableAuthentication64::from_json_custom` is available iff `serde_relaxed` is enabled. 237 //! let authentication = 238 //! DiscoverableAuthentication64::from_json_custom(client_data)?; 239 //! let mut cred = select_credential( 240 //! authentication.raw_id(), 241 //! authentication.response().user_handle(), 242 //! )? 243 //! .ok_or(AppErr::NoCredential)?; 244 //! if auth_ceremonies 245 //! // `DiscoverableAuthentication64::challenge_relaxed` is available iff `serde_relaxed` is enabled. 246 //! .take(&authentication.challenge_relaxed()?) 247 //! .ok_or(AppErr::MissingWebAuthnCeremony)? 248 //! .verify( 249 //! RP_ID, 250 //! &authentication, 251 //! &mut cred, 252 //! AUTH_OPTS, 253 //! )? 254 //! { 255 //! update_credential(cred.id(), cred.dynamic_state()) 256 //! } else { 257 //! Ok(()) 258 //! } 259 //! } 260 //! /// Writes `account` and `cred` to storage. 261 //! /// 262 //! /// # Errors 263 //! /// 264 //! /// Errors iff writing `account` or `cred` errors, there already exists a credential using the same 265 //! /// `CredentialId`, or there already exists an account using the same `UserHandle64`. 266 //! fn insert_account( 267 //! account: &AccountReg<'_, '_>, 268 //! cred: RegisteredCredential64<'_>, 269 //! ) -> Result<(), AppErr> { 270 //! // ⋮ 271 //! # Ok(()) 272 //! } 273 //! /// Fetches the user info and registered credentials associated with `user_id`. 274 //! /// 275 //! /// # Errors 276 //! /// 277 //! /// Errors iff fetching the data errors. 278 //! fn select_user_info( 279 //! user_id: &UserHandle64, 280 //! ) -> Result< 281 //! Option<( 282 //! PublicKeyCredentialUserEntity64<'static, 'static, '_>, 283 //! Vec<PublicKeyCredentialDescriptor<Vec<u8>>>, 284 //! )>, 285 //! AppErr, 286 //! > { 287 //! // ⋮ 288 //! # Ok(None) 289 //! } 290 //! /// Writes `cred` to storage. 291 //! /// 292 //! /// # Errors 293 //! /// 294 //! /// Errors iff writing `cred` errors, there already exists a credential using the same `CredentialId`, 295 //! /// or there does not exist an account under the `UserHandle64`. 296 //! fn insert_credential( 297 //! cred: RegisteredCredential64<'_>, 298 //! ) -> Result<(), AppErr> { 299 //! // ⋮ 300 //! # Ok(()) 301 //! } 302 //! /// Fetches the `AuthenticatedCredential` associated with `cred_id` ensuring `user_id` matches the 303 //! /// `UserHandle64` associated with the account. 304 //! /// 305 //! /// # Errors 306 //! /// 307 //! /// Errors iff fetching the data errors or the `user_id` does not match the stored `UserHandle64`. 308 //! fn select_credential<'cred, 'user>( 309 //! cred_id: CredentialId<&'cred [u8]>, 310 //! user_id: &'user UserHandle64, 311 //! ) -> Result< 312 //! Option< 313 //! AuthenticatedCredential64< 314 //! 'cred, 315 //! 'user, 316 //! CompressedPubKeyOwned, 317 //! >, 318 //! >, 319 //! AppErr, 320 //! > { 321 //! // ⋮ 322 //! # Ok(None) 323 //! } 324 //! /// Overwrites the current `DynamicState` associated with `cred_id` with `dynamic_state`. 325 //! /// 326 //! /// # Errors 327 //! /// 328 //! /// Errors iff writing errors or `cred_id` does not exist. 329 //! fn update_credential( 330 //! cred_id: CredentialId<&[u8]>, 331 //! dynamic_state: DynamicState, 332 //! ) -> Result<(), AppErr> { 333 //! // ⋮ 334 //! # Ok(()) 335 //! } 336 //! ``` 337 //! 338 //! ## Cargo "features" 339 //! 340 //! [`custom`](#custom) or both [`bin`](#bin) and [`serde`](#serde) must be enabled; otherwise a [`compile_error`] 341 //! will occur. 342 //! 343 //! ### `bin` 344 //! 345 //! Enables binary (de)serialization via [`Encode`] and [`Decode`]. Since registered credentials will almost always 346 //! have to be saved to persistent storage, _some_ form of (de)serialization is necessary. In the event `bin` is 347 //! unsuitable or only partially suitable (e.g., human-readable output is desired), one will need to enable 348 //! [`custom`](#custom) to allow construction of certain types (e.g., [`AuthenticatedCredential`]). 349 //! 350 //! If possible and desired, one may wish to save the data "directly" to avoid any potential temporary allocations. 351 //! For example [`StaticState::encode`] will return a [`Vec`] containing hundreds (and possibly thousands in the 352 //! extreme case) of bytes if the underlying public key is an RSA key. This additional allocation and copy of data 353 //! is obviously avoided if [`StaticState`] is stored as a 354 //! [composite type](https://www.postgresql.org/docs/current/rowtypes.html) or its fields are stored in separate 355 //! columns when written to a relational database (RDB). 356 //! 357 //! ### `custom` 358 //! 359 //! Exposes functions (e.g., [`AuthenticatedCredential::new`]) that allows one to construct instances of types that 360 //! cannot be constructed when [`bin`](#bin) or [`serde`](#serde) is not enabled. 361 //! 362 //! ### `serde` 363 //! 364 //! This feature _strictly_ adheres to the JSON-motivated definitions. You _will_ encounter clients that send data 365 //! that cannot be deserialized using this feature. For many [`serde_relaxed`](#serde_relaxed) should be used 366 //! instead. 367 //! 368 //! Enables (de)serialization of data sent to/from the client via [`serde`](https://docs.rs/serde/latest/serde/) 369 //! based on the JSON-motivated definitions (e.g., 370 //! [`RegistrationResponseJSON`](https://www.w3.org/TR/webauthn-3/#dictdef-registrationresponsejson)). Since 371 //! data has to be sent to/from the client, _some_ form of (de)serialization is necessary. In the event `serde` 372 //! is unsuitable or only partially suitable, one will need to enable [`custom`](#custom) to allow construction 373 //! of certain types (e.g., [`Registration`]). 374 //! 375 //! Code is _strongly_ encouraged to rely on the [`Deserialize`] implementations as much as possible to reduce the 376 //! chances of improperly deserializing the client data. 377 //! 378 //! Note that clients are free to send data in whatever form works best, so there is no requirement the 379 //! JSON-motivated definitions are used even when JSON is sent. This is especially relevant since the JSON-motivated 380 //! definitions were only added in [WebAuthn Level 3](https://www.w3.org/TR/webauthn-3/); thus many deployments only 381 //! partially conform. Some specific deviations that may require partial customization of deserialization are the 382 //! following: 383 //! 384 //! * [`ArrayBuffer`](https://webidl.spec.whatwg.org/#idl-ArrayBuffer)s encoded using something other than 385 //! base64url. 386 //! * `ArrayBuffer`s that are encoded multiple times (including the use of different encodings each time). 387 //! * Missing fields (e.g., 388 //! [`transports`](https://www.w3.org/TR/webauthn-3/#dom-authenticatorattestationresponsejson-transports)). 389 //! * Different field names (e.g., `extensions` instead of 390 //! [`clientExtensionResults`](https://www.w3.org/TR/webauthn-3/#dom-registrationresponsejson-clientextensionresults)). 391 //! 392 //! ### `serde_relaxed` 393 //! 394 //! Automatically enables [`serde`](#serde) in addition to "relaxed" [`Deserialize`] implementations 395 //! (e.g., [`RegistrationRelaxed`]). Roughly "relaxed" translates to unknown fields being ignored and only 396 //! the fields necessary for construction of the type are required. Case still matters, duplicate fields are still 397 //! forbidden, and interrelated data validation is still performed when applicable. This can be useful when one 398 //! wants to accommodate non-conforming clients or clients that implement older versions of the spec. 399 //! 400 //! ### `serializable_server_state` 401 //! 402 //! Automatically enables [`bin`](#bin) in addition to [`Encode`] and [`Decode`] implementations for 403 //! [`RegistrationServerState`], [`DiscoverableAuthenticationServerState`], and 404 //! [`NonDiscoverableAuthenticationServerState`]. Less accurate [`SystemTime`] is used instead of [`Instant`] for 405 //! timeout enforcement. This should be enabled if you don't desire to use in-memory collections to store the instances 406 //! of those types. 407 //! 408 //! Note even when written to persistent storage, an application should still periodically remove expired ceremonies. 409 //! If one is using a relational database (RDB); then one can achieve this by storing [`SentChallenge`], 410 //! the `Vec` returned from [`Encode::encode`], and [`TimedCeremony::expiration`] and periodically remove all rows 411 //! whose expiration exceeds the current date and time. 412 //! 413 //! ## Registration and authentication 414 //! 415 //! Both [registration](https://www.w3.org/TR/webauthn-3/#registration-ceremony) and 416 //! [authentication](https://www.w3.org/TR/webauthn-3/#authentication-ceremony) ceremonies rely on "challenges", and 417 //! these challenges are inherently temporary. For this reason the data associated with challenge completion can 418 //! often be stored in memory without concern for out-of-memory (OOM) conditions. There are several benefits to 419 //! storing such data in memory: 420 //! 421 //! * No data manipulation 422 //! * By leveraging move semantics, the data sent to the client cannot be mutated once the ceremony begins. 423 //! * Improved timeout enforcement 424 //! * By ensuring the same machine that started the ceremony is also used to finish the ceremony, deviation of 425 //! system clocks is not a concern. Additionally, allowing serialization requires the use of some form of 426 //! cross-platform "timestamp" (e.g., [Unix time](https://en.wikipedia.org/wiki/Unix_time)) which differ in 427 //! implementation (e.g., platforms implement leap seconds in different ways) and are often not monotonically 428 //! increasing. If data resides in memory, a monotonic [`Instant`] can be used instead. 429 //! 430 //! It is for those reasons data like [`RegistrationServerState`] are not serializable by default and require the 431 //! use of in-memory collections (e.g., [`FixedCapHashSet`]). To better ensure OOM is not a concern, RPs should set 432 //! reasonable timeouts. Since ceremonies can only be completed by moving data (e.g., 433 //! [`RegistrationServerState::verify`]), ceremony completion is guaranteed to free up the memory used— 434 //! `RegistrationServerState` instances are as small as 48 bytes on `x86_64-unknown-linux-gnu` platforms. To avoid 435 //! issues related to incomplete ceremonies, RPs can periodically iterate the collection for expired ceremonies and 436 //! remove such data. Other techniques can be employed as well to mitigate OOM, but they are application specific 437 //! and out-of-scope. If this is undesirable, one can enable [`serializable_server_state`](#serializable_server_state) 438 //! so that `RegistrationServerState`, [`DiscoverableAuthenticationServerState`], and 439 //! [`NonDiscoverableAuthenticationServerState`] implement [`Encode`] and [`Decode`]. Another reason one may need to 440 //! store this information persistently is for load-balancing purposes where the server that started the ceremony is 441 //! not guaranteed to be the server that finishes the ceremony. 442 //! 443 //! ## Supported signature algorithms 444 //! 445 //! The only supported signature algorithms are the following: 446 //! 447 //! * Ed25519 as defined in [RFC 8032 § 5.1](https://www.rfc-editor.org/rfc/rfc8032#section-5.1). This corresponds 448 //! to [`CoseAlgorithmIdentifier::Eddsa`]. 449 //! * ECDSA as defined in [SEC 1 Version 2.0 § 4.1](https://www.secg.org/sec1-v2.pdf#subsection.4.1) using SHA-256 450 //! as the hash function and NIST P-256 as defined in 451 //! [NIST SP 800-186 § 3.2.1.3](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf#%5B%7B%22num%22%3A229%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C70%2C275%2C0%5D) 452 //! for the underlying elliptic curve. This corresponds to [`CoseAlgorithmIdentifier::Es256`]. 453 //! * ECDSA as defined in SEC 1 Version 2.0 § 4.1 using SHA-384 as the hash function and NIST P-384 as defined in 454 //! [NIST SP 800-186 § 3.2.1.4](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf#%5B%7B%22num%22%3A232%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C70%2C264%2C0%5D) 455 //! for the underlying elliptic curve. This corresponds to [`CoseAlgorithmIdentifier::Es384`]. 456 //! * RSASSA-PKCS1-v1_5 as defined in [RFC 8017 § 8.2](https://www.rfc-editor.org/rfc/rfc8017#section-8.2) using 457 //! SHA-256 as the hash function. This corresponds to [`CoseAlgorithmIdentifier::Rs256`]. 458 //! 459 //! ## Correctness of code 460 //! 461 //! This library more strictly adheres to the spec than many other similar libraries including but not limited to 462 //! the following ways: 463 //! 464 //! * [CTAP2 canonical CBOR encoding form](https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#ctap2-canonical-cbor-encoding-form). 465 //! * `Deserialize` implementations requiring _exact_ conformance (e.g., not allowing unknown data). 466 //! * More thorough interrelated data validation (e.g., all places a Credential ID exists must match). 467 //! * Implement a lot of recommended (i.e., SHOULD) criteria (e.g., 468 //! [User display names conforming to the Nickname Profile as defined in RFC 8266](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialentity-name)). 469 //! 470 //! Unfortunately like almost all software, this library has not been formally verified; however great care is 471 //! employed in the following ways: 472 //! 473 //! * Leverage move semantics to prevent mutation of data once in a static state. 474 //! * Ensure a great many invariants via types. 475 //! * Reduce code duplication. 476 //! * Reduce variable mutation allowing for simpler algebraic reasoning. 477 //! * `panic`-free code[^note] (i.e., define true/total functions). 478 //! * Ensure arithmetic "side effects" don't occur (e.g., overflow). 479 //! * Aggressive use of compiler and [Clippy](https://doc.rust-lang.org/stable/clippy/lints.html) lints. 480 //! * Unit tests for common cases, edge cases, and error cases. 481 //! 482 //! ## Cryptographic libraries 483 //! 484 //! This library does not rely on _any_ sensitive data (e.g., private keys) as only signature verification is 485 //! ever performed. This means that the only thing that matters with the libraries used is their algorithmic 486 //! correctness and not other normally essential aspects like susceptibility to side-channel attacks. While I 487 //! personally believe the libraries that are used are at least as "secure" as alternatives even when dealing with 488 //! sensitive data, one only needs to audit the correctness of the libraries to be confident in their use. In fact 489 //! [`curve25519_dalek`](https://docs.rs/curve25519-dalek/latest/curve25519_dalek/#backends) has been formally 490 //! verified when the [`fiat`](https://github.com/mit-plv/fiat-crypto) backend is used making it _objectively_ 491 //! better than many other libraries whose correctness has not been proven. Two additional benefits of the library 492 //! choices are simpler APIs making it more likely their use is correct and better cross-platform compatibility. 493 //! 494 //! [^note]: `panic`s related to memory allocations or stack overflow are possible since such issues are not 495 //! formally guarded against. 496 #![expect( 497 clippy::multiple_crate_versions, 498 reason = "RustCrypto hasn't updated rand yet" 499 )] 500 #![cfg_attr(docsrs, feature(doc_cfg))] 501 #[cfg(not(any(feature = "custom", all(feature = "bin", feature = "serde"))))] 502 compile_error!("'custom' must be enabled or both 'bin' and 'serde' must be enabled"); 503 #[cfg(feature = "serializable_server_state")] 504 use crate::request::{ 505 auth::ser_server_state::{ 506 DecodeDiscoverableAuthenticationServerStateErr, 507 DecodeNonDiscoverableAuthenticationServerStateErr, 508 EncodeNonDiscoverableAuthenticationServerStateErr, 509 }, 510 register::ser_server_state::DecodeRegistrationServerStateErr, 511 }; 512 #[cfg(any(feature = "bin", feature = "custom"))] 513 use crate::response::error::CredentialIdErr; 514 #[cfg(feature = "serde_relaxed")] 515 use crate::response::ser_relaxed::SerdeJsonErr; 516 #[cfg(doc)] 517 use crate::{ 518 hash::hash_set::FixedCapHashSet, 519 request::{ 520 AsciiDomain, DomainOrigin, Port, PublicKeyCredentialDescriptor, RpId, Scheme, 521 TimedCeremony, Url, 522 auth::{AllowedCredential, AllowedCredentials, PublicKeyCredentialRequestOptions}, 523 register::{ 524 CoseAlgorithmIdentifier, Nickname, PublicKeyCredentialCreationOptions, 525 PublicKeyCredentialUserEntity, UserHandle16, UserHandle64, Username, 526 }, 527 }, 528 response::{ 529 CollectedClientData, Flag, SentChallenge, 530 auth::{self, Authentication, DiscoverableAuthenticatorAssertion}, 531 register::{ 532 self, Aaguid, Attestation, AttestationObject, AttestedCredentialData, 533 AuthenticatorExtensionOutput, ClientExtensionsOutputs, CompressedPubKey, 534 CredentialPropertiesOutput, 535 }, 536 }, 537 }; 538 #[cfg(feature = "bin")] 539 use crate::{ 540 request::register::bin::{DecodeNicknameErr, DecodeUsernameErr}, 541 response::{ 542 bin::DecodeAuthTransportsErr, 543 register::bin::{DecodeDynamicStateErr, DecodeStaticStateErr}, 544 }, 545 }; 546 use crate::{ 547 request::{ 548 auth::error::{InvalidTimeout, NonDiscoverableCredentialRequestOptionsErr}, 549 error::{AsciiDomainErr, DomainOriginParseErr, PortParseErr, SchemeParseErr, UrlErr}, 550 register::{ 551 ResidentKeyRequirement, USER_HANDLE_MAX_LEN, UserHandle, 552 error::{CreationOptionsErr, NicknameErr, UsernameErr}, 553 }, 554 }, 555 response::{ 556 AuthTransports, CredentialId, 557 auth::error::{AuthCeremonyErr, AuthenticatorDataErr as AuthAuthDataErr}, 558 error::CollectedClientDataErr, 559 register::{ 560 CredentialProtectionPolicy, DynamicState, Metadata, StaticState, UncompressedPubKey, 561 error::{ 562 AaguidErr, AttestationObjectErr, AuthenticatorDataErr as RegAuthDataErr, 563 RegCeremonyErr, 564 }, 565 }, 566 }, 567 }; 568 #[cfg(all(doc, feature = "bin"))] 569 use bin::{Decode, Encode}; 570 #[cfg(doc)] 571 use core::str::FromStr; 572 use core::{ 573 convert, 574 error::Error, 575 fmt::{self, Display, Formatter}, 576 ops::Not, 577 }; 578 #[cfg(all(doc, feature = "serde_relaxed"))] 579 use response::register::ser_relaxed::RegistrationRelaxed; 580 #[cfg(all(doc, feature = "serde"))] 581 use serde::Deserialize; 582 #[cfg(all(doc, feature = "serde_relaxed"))] 583 use serde_json::de::{Deserializer, StreamDeserializer}; 584 #[cfg(feature = "serializable_server_state")] 585 use std::time::SystemTimeError; 586 #[cfg(doc)] 587 use std::time::{Instant, SystemTime}; 588 /// Contains functionality to (de)serialize data to a data store. 589 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 590 #[cfg(feature = "bin")] 591 pub mod bin; 592 /// Contains functionality for fixed-capacity hash maps and sets. 593 pub mod hash; 594 /// Functionality for starting ceremonies. 595 /// 596 /// # What kind of credential should I create? 597 /// 598 /// Without partitioning the possibilities _too_ much, the following are possible authentication flows: 599 /// 600 /// | Label | Username | Password | Client-side credential | Authenticator-side user verification | Recommended | 601 /// |-------|----------|----------|------------------------|--------------------------------------|:-----------:| 602 /// | 1 | Yes | Yes | Required | Yes | ❌ | 603 /// | 2 | Yes | Yes | Required | No | ❌ | 604 /// | 3 | Yes | Yes | Optional | Yes | ❌ | 605 /// | <a name="label4">4</a> | Yes | Yes | Optional | No | ✅ | 606 /// | 5 | Yes | No | Required | Yes | ❌ | 607 /// | 6 | Yes | No | Required | No | ❌ | 608 /// | <a name="label7">7</a> | Yes | No | Optional | Yes | ❔ | 609 /// | 8 | Yes | No | Optional | No | ❌ | 610 /// | 9 | No | Yes | Required | Yes | ❌ | 611 /// | 10 | No | Yes | Required | No | ❌ | 612 /// | 11 | No | Yes | Optional | Yes | ❌ | 613 /// | 12 | No | Yes | Optional | No | ❌ | 614 /// | <a name="label13">13</a> | No | No | Required | Yes | ✅ | 615 /// | 14 | No | No | Required | No | ❌ | 616 /// | 15 | No | No | Optional | Yes | ❌ | 617 /// | 16 | No | No | Optional | No | ❌ | 618 /// 619 /// * All `Label`s with both `Password` and `Authenticator-side user verification` set to `Yes` are not recommended 620 /// since the verification done on the authenticator is likely the same "factor" as a password; thus it does not 621 /// add benefit but only serves as an annoyance to users. 622 /// * All `Label`s with `Username` or `Password` set to `Yes` and `Client-side credential` set to `Required` are not 623 /// recommended since you may preclude authenticators that are storage constrained (e.g., security keys). 624 /// * All `Label`s with `Username` set to `No` and `Client-side credential` set to `Optional` are not possible since 625 /// RPs would not have a way to identify the set of encrypted credentials to pass to the unknown user. 626 /// * All `Label`s with `Password` and `Authenticator-side user verification` set to `No` are not recommended since 627 /// those are single-factor authentication schemes; thus anyone possessing the credential without also passing 628 /// some form of user verification (e.g., password) would authenticate. 629 /// * [`Label 7`](#label7) is possible for RPs that are comfortable passing an encrypted credential to a potential user 630 /// without having that user first pass another form of authentication. For many RPs passing such information even 631 /// if encrypted is not desirable though. 632 /// * [`Label 4`](#label4) is ideal as a single-factor flow incorporated within a wider multi-factor authentication (MFA) 633 /// setup. The easiest way to register such a credential is with 634 /// [`CredentialCreationOptions::second_factor`]. 635 /// * [`Label 13`](#label13) is ideal for passkey setups as it allows for pleasant UX where a user does not have to type a 636 /// username nor password while still being secured with MFA with one of the factors being based on public-key 637 /// cryptography which for many is the most secure form of single-factor authentication. The easiest way to register 638 /// such a credential is with [`CredentialCreationOptions::passkey`]. 639 /// 640 /// Two other reasons one may prefer to construct client-side credentials is richer support for extensions (e.g., 641 /// [`largeBlobKey`](https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-largeBlobKey-extension) 642 /// for CTAP 2.2 authenticators) and the ability to use both discoverable and nondiscoverable requests. The former is not 643 /// relevant for this library—at least currently—since the only extensions supported are applicable for both 644 /// client-side and server-side credentials. The latter can be important especially if an RP wants the ability to 645 /// seamlessly transition from a username and password scheme to a userless and passwordless one in the future. 646 /// 647 /// Note the table is purely informative. While helper functions 648 /// (e.g., [`CredentialCreationOptions::passkey`]) only exist for [`Label 4`](#label4) and 649 /// [`Label 13`](#label13), one can create any credential since all fields in [`CredentialCreationOptions`] 650 /// and [`PublicKeyCredentialRequestOptions`] are accessible. 651 pub mod request; 652 /// Functionality for completing ceremonies. 653 /// 654 /// Read [`request`] for more information about what credentials one should create. 655 pub mod response; 656 #[doc(inline)] 657 pub use crate::{ 658 request::{ 659 auth::{ 660 DiscoverableAuthenticationClientState, DiscoverableAuthenticationServerState, 661 DiscoverableCredentialRequestOptions, NonDiscoverableAuthenticationClientState, 662 NonDiscoverableAuthenticationServerState, NonDiscoverableCredentialRequestOptions, 663 }, 664 register::{ 665 CredentialCreationOptions, CredentialCreationOptions16, CredentialCreationOptions64, 666 RegistrationClientState, RegistrationClientState16, RegistrationClientState64, 667 RegistrationServerState, RegistrationServerState16, RegistrationServerState64, 668 }, 669 }, 670 response::{ 671 auth::{ 672 DiscoverableAuthentication, DiscoverableAuthentication16, DiscoverableAuthentication64, 673 NonDiscoverableAuthentication, NonDiscoverableAuthentication16, 674 NonDiscoverableAuthentication64, 675 }, 676 register::Registration, 677 }, 678 }; 679 /// Error returned in [`RegCeremonyErr::Credential`] and [`AuthenticatedCredential::new`]. 680 #[derive(Clone, Copy, Debug, Eq, PartialEq)] 681 pub enum CredentialErr { 682 /// Variant when [`CredentialProtectionPolicy::UserVerificationRequired`], but 683 /// [`DynamicState::user_verified`] is `false`. 684 CredProtectUserVerificationRequiredWithoutUserVerified, 685 /// Variant when [`AuthenticatorExtensionOutput::hmac_secret`] is `Some(true)` and 686 /// [`DynamicState::user_verified`] is `false`. 687 HmacSecretWithoutUserVerified, 688 /// Variant when [`AuthenticatorExtensionOutput::hmac_secret`] is `Some(true)`, but 689 /// [`ClientExtensionsOutputs::prf`] is `Some(AuthenticationExtensionsPRFOutputs { enabled: false })` 690 /// or `AuthenticatorExtensionOutput::hmac_secret` is `Some`, but 691 /// `ClientExtensionsOutputs::prf` is `None`. 692 HmacSecretWithoutPrf, 693 /// Variant when [`ClientExtensionsOutputs::prf`] is 694 /// `Some(AuthenticationExtensionsPRFOutputs { enabled: true })`, but 695 /// [`AuthenticatorExtensionOutput::hmac_secret`] is `Some(false)`. 696 PrfWithoutHmacSecret, 697 /// Variant when [`ResidentKeyRequirement::Required`] was sent, but 698 /// [`CredentialPropertiesOutput::rk`] is `Some(false)`. 699 ResidentKeyRequiredServerCredentialCreated, 700 } 701 impl Display for CredentialErr { 702 #[inline] 703 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { 704 f.write_str(match *self { 705 Self::CredProtectUserVerificationRequiredWithoutUserVerified => { 706 "credProtect requires user verification, but the user is not verified" 707 } 708 Self::HmacSecretWithoutUserVerified => { 709 "hmac-secret was enabled, but the user is not verified" 710 } 711 Self::HmacSecretWithoutPrf => "hmac-secret was enabled but prf was not", 712 Self::PrfWithoutHmacSecret => "prf was enabled, but hmac-secret was not", 713 Self::ResidentKeyRequiredServerCredentialCreated => { 714 "server-side credential was created, but a client-side credential is required" 715 } 716 }) 717 } 718 } 719 impl Error for CredentialErr {} 720 /// Checks if the `static_state` and `dynamic_state` are valid. 721 /// 722 /// # Errors 723 /// 724 /// Errors iff `static_state` or `dynamc_state` are invalid. 725 fn verify_static_and_dynamic_state<T>( 726 static_state: &StaticState<T>, 727 dynamic_state: DynamicState, 728 ) -> Result<(), CredentialErr> { 729 if dynamic_state.user_verified { 730 Ok(()) 731 } else if matches!( 732 static_state.extensions.cred_protect, 733 CredentialProtectionPolicy::UserVerificationRequired 734 ) { 735 Err(CredentialErr::CredProtectUserVerificationRequiredWithoutUserVerified) 736 } else if static_state 737 .extensions 738 .hmac_secret 739 .is_some_and(convert::identity) 740 { 741 Err(CredentialErr::HmacSecretWithoutUserVerified) 742 } else { 743 Ok(()) 744 } 745 .and_then(|()| { 746 static_state.client_extension_results.prf.map_or_else( 747 || { 748 if static_state.extensions.hmac_secret.is_none() { 749 Ok(()) 750 } else { 751 Err(CredentialErr::HmacSecretWithoutPrf) 752 } 753 }, 754 |prf| { 755 if prf.enabled { 756 if static_state.extensions.hmac_secret.is_some_and(Not::not) { 757 Err(CredentialErr::PrfWithoutHmacSecret) 758 } else { 759 Ok(()) 760 } 761 } else if static_state 762 .extensions 763 .hmac_secret 764 .is_some_and(convert::identity) 765 { 766 Err(CredentialErr::HmacSecretWithoutPrf) 767 } else { 768 Ok(()) 769 } 770 }, 771 ) 772 }) 773 } 774 /// Registered credential that needs to be saved server-side to perform future 775 /// [authentication ceremonies](https://www.w3.org/TR/webauthn-3/#authentication-ceremony) with 776 /// [`AuthenticatedCredential`]. 777 /// 778 /// When saving `RegisteredCredential` to persistent storage, one will almost always want to save the contained data 779 /// separately. The reasons for this are the following: 780 /// 781 /// * [`CredentialId`] 782 /// * MUST be globally unique, and it will likely be easier to enforce such uniqueness when it's separate. 783 /// * Fetching the [`AuthenticatedCredential`] by [`Authentication::raw_id`] when completing the 784 /// authentication ceremony via [`DiscoverableAuthenticationServerState::verify`] or 785 /// [`NonDiscoverableAuthenticationServerState::verify`] will likely be easier than alternatives. 786 /// * [`AuthTransports`] 787 /// * Fetching [`CredentialId`]s and associated `AuthTransports` by [`UserHandle`] will likely make credential 788 /// registration easier since one should set [`PublicKeyCredentialCreationOptions::exclude_credentials`] to 789 /// the [`PublicKeyCredentialDescriptor`]s belonging to a `UserHandle` in order to avoid accidentally 790 /// overwriting an existing credential on the authenticator. 791 /// * Fetching `CredentialId`s and associated `AuthTransports` by `UserHandle` will likely make starting 792 /// authentication ceremonies easier for [`NonDiscoverableCredentialRequestOptions`]. 793 /// * [`UserHandle`] 794 /// * Fetching the [`AuthenticatedCredential`] by [`DiscoverableAuthentication::raw_id`] must also coincide with 795 /// verifying the associated `UserHandle` matches [`DiscoverableAuthenticatorAssertion::user_handle`]. 796 /// * Fetching [`CredentialId`]s and associated [`AuthTransports`] by `UserHandle` will likely make credential 797 /// registration easier since one should set [`PublicKeyCredentialCreationOptions::exclude_credentials`] to 798 /// the [`PublicKeyCredentialDescriptor`]s belonging to a `UserHandle` in order to avoid accidentally 799 /// overwriting an existing credential on the authenticator. 800 /// * Fetching `CredentialId`s and associated `AuthTransports` by `UserHandle` will likely make starting 801 /// authentication ceremonies easier for [`NonDiscoverableCredentialRequestOptions`]. 802 /// * [`DynamicState`] 803 /// * `DynamicState` is the only part that is ever updated after a successful authentication ceremony 804 /// via [`DiscoverableAuthenticationServerState::verify`] or 805 /// [`NonDiscoverableAuthenticationServerState::verify`]. It being separate allows for smaller and quicker 806 /// updates. 807 /// * [`Metadata`] 808 /// * Informative data that is never used during authentication ceremonies; consequently, one may wish to 809 /// not even save this information. 810 /// * [`StaticState`] 811 /// * All other data exists as part of `StaticState`. 812 /// 813 /// It is for those reasons that `RegisteredCredential` does not implement [`Encode`] or [`Decode`]; instead its parts 814 /// do. 815 /// 816 /// Note that [`RpId`] and user information other than the `UserHandle` are not stored in `RegisteredCredential`. 817 /// RPs that wish to store such information must do so on their own. Since user information is likely the same 818 /// for a given `UserHandle` and `RpId` is likely static, it makes little sense to store such information 819 /// automatically. Types like [`Username`] implement `Encode` and `Decode` to assist such a thing. 820 /// 821 /// When registering a credential, [`AttestedCredentialData::aaguid`], [`AttestedCredentialData::credential_id`], 822 /// and [`AttestedCredentialData::credential_public_key`] will be the sources for [`Metadata::aaguid`], 823 /// [`Self::id`], and [`StaticState::credential_public_key`] respectively. The [`PublicKeyCredentialUserEntity::id`] 824 /// associated with the [`CredentialCreationOptions`] used to create the `RegisteredCredential` via 825 /// [`RegistrationServerState::verify`] will be the source for [`Self::user_id`]. 826 /// 827 /// The only way to create this is via `RegistrationServerState::verify`. 828 #[derive(Debug)] 829 pub struct RegisteredCredential<'reg, const USER_LEN: usize> { 830 /// The credential ID. 831 /// 832 /// For client-side credentials, this is a unique identifier; but for server-side 833 /// credentials, this _is_ the credential (i.e., the encrypted private key and necessary information). 834 id: CredentialId<&'reg [u8]>, 835 /// Hints for how the client might communicate with the authenticator containing the credential. 836 transports: AuthTransports, 837 /// The identifier for the user. 838 /// 839 /// Unlike [`Self::id`] which is globally unique for an RP, this is unique up to "user" (i.e., 840 /// multiple [`CredentialId`]s will often exist for the same `UserHandle`). 841 user_id: UserHandle<USER_LEN>, 842 /// Immutable state returned during registration. 843 static_state: StaticState<UncompressedPubKey<'reg>>, 844 /// State that can change during authentication ceremonies. 845 dynamic_state: DynamicState, 846 /// Metadata. 847 metadata: Metadata<'reg>, 848 } 849 impl<'reg, const USER_LEN: usize> RegisteredCredential<'reg, USER_LEN> { 850 /// The credential ID. 851 /// 852 /// For client-side credentials, this is a unique identifier; but for server-side 853 /// credentials, this _is_ the credential (i.e., the encrypted private key and necessary information). 854 #[inline] 855 #[must_use] 856 pub const fn id(&self) -> CredentialId<&'reg [u8]> { 857 self.id 858 } 859 /// Hints for how the client might communicate with the authenticator containing the credential. 860 #[inline] 861 #[must_use] 862 pub const fn transports(&self) -> AuthTransports { 863 self.transports 864 } 865 /// The identifier for the user. 866 /// 867 /// Unlike [`Self::id`] which is globally unique for an RP, this is unique up to "user" (i.e., 868 /// multiple [`CredentialId`]s will often exist for the same `UserHandle`). 869 #[inline] 870 #[must_use] 871 pub const fn user_id(&self) -> &UserHandle<USER_LEN> { 872 &self.user_id 873 } 874 /// Immutable state returned during registration. 875 #[inline] 876 #[must_use] 877 pub const fn static_state(&self) -> StaticState<UncompressedPubKey<'reg>> { 878 self.static_state 879 } 880 /// State that can change during authentication ceremonies. 881 #[inline] 882 #[must_use] 883 pub const fn dynamic_state(&self) -> DynamicState { 884 self.dynamic_state 885 } 886 /// Metadata. 887 #[inline] 888 #[must_use] 889 pub const fn metadata(&self) -> Metadata<'reg> { 890 self.metadata 891 } 892 /// Constructs a `RegisteredCredential` based on the passed arguments. 893 /// 894 /// # Errors 895 /// 896 /// Errors iff the passed arguments are invalid. Read [`CredentialErr`] 897 /// for more information. 898 #[inline] 899 fn new<'a: 'reg>( 900 id: CredentialId<&'a [u8]>, 901 transports: AuthTransports, 902 user_id: UserHandle<USER_LEN>, 903 static_state: StaticState<UncompressedPubKey<'a>>, 904 dynamic_state: DynamicState, 905 metadata: Metadata<'a>, 906 ) -> Result<Self, CredentialErr> { 907 verify_static_and_dynamic_state(&static_state, dynamic_state).and_then(|()| { 908 if !matches!(metadata.resident_key, ResidentKeyRequirement::Required) 909 || metadata 910 .client_extension_results 911 .cred_props 912 .as_ref() 913 .is_none_or(|props| props.rk.is_none_or(convert::identity)) 914 { 915 Ok(Self { 916 id, 917 transports, 918 user_id, 919 static_state, 920 dynamic_state, 921 metadata, 922 }) 923 } else { 924 Err(CredentialErr::ResidentKeyRequiredServerCredentialCreated) 925 } 926 }) 927 } 928 /// Returns the contained data consuming `self`. 929 #[inline] 930 #[must_use] 931 pub const fn into_parts( 932 self, 933 ) -> ( 934 CredentialId<&'reg [u8]>, 935 AuthTransports, 936 UserHandle<USER_LEN>, 937 StaticState<UncompressedPubKey<'reg>>, 938 DynamicState, 939 Metadata<'reg>, 940 ) { 941 ( 942 self.id, 943 self.transports, 944 self.user_id, 945 self.static_state, 946 self.dynamic_state, 947 self.metadata, 948 ) 949 } 950 /// Returns the contained data. 951 #[inline] 952 #[must_use] 953 pub const fn as_parts( 954 &self, 955 ) -> ( 956 CredentialId<&'reg [u8]>, 957 AuthTransports, 958 &UserHandle<USER_LEN>, 959 StaticState<UncompressedPubKey<'reg>>, 960 DynamicState, 961 Metadata<'reg>, 962 ) { 963 ( 964 self.id, 965 self.transports, 966 &self.user_id, 967 self.static_state, 968 self.dynamic_state, 969 self.metadata, 970 ) 971 } 972 } 973 /// `RegisteredCredential` based on a [`UserHandle64`]. 974 pub type RegisteredCredential64<'reg> = RegisteredCredential<'reg, USER_HANDLE_MAX_LEN>; 975 /// `RegisteredCredential` based on a [`UserHandle16`]. 976 pub type RegisteredCredential16<'reg> = RegisteredCredential<'reg, 16>; 977 /// Credential used in authentication ceremonies. 978 /// 979 /// Similar to [`RegisteredCredential`] except designed to only contain the necessary data to complete 980 /// authentication ceremonies. In particular there is no [`AuthTransports`] or [`Metadata`], 981 /// [`StaticState::credential_public_key`] is [`CompressedPubKey`] that can own or borrow its data, [`Self::id`] is 982 /// based on the [`CredentialId`] passed to [`Self::new`] which itself must be from [`Authentication::raw_id`], and 983 /// [`Self::user_id`] is based on the [`UserHandle`] passed to [`Self::new`] which itself must be the value in 984 /// persistent storage associated with the `CredentialId`. 985 /// 986 /// When [`DiscoverableAuthentication`] is used, one can use [`DiscoverableAuthenticatorAssertion::user_handle`] 987 /// for `Self::user_id` so long as it matches the value in persistent storage. 988 /// 989 /// Note `PublicKey` should be `CompressedPubKey` for this to be useful. 990 /// 991 /// The only way to create this is via `Self::new`. 992 #[derive(Debug)] 993 pub struct AuthenticatedCredential<'cred, 'user, const USER_LEN: usize, PublicKey> { 994 /// The credential ID. 995 /// 996 /// For client-side credentials, this is a unique identifier; but for server-side 997 /// credentials, this _is_ the credential (i.e., the encrypted private key and necessary information). 998 id: CredentialId<&'cred [u8]>, 999 /// The identifier for the user. 1000 /// 1001 /// Unlike [`Self::id`] which is globally unique for an RP, this is unique up to "user" (i.e., 1002 /// multiple [`CredentialId`]s will often exist for the same `UserHandle`). 1003 user_id: &'user UserHandle<USER_LEN>, 1004 /// Immutable state returned during registration. 1005 static_state: StaticState<PublicKey>, 1006 /// State that can change during authentication ceremonies. 1007 dynamic_state: DynamicState, 1008 } 1009 impl<'cred, 'user, const USER_LEN: usize, PublicKey> 1010 AuthenticatedCredential<'cred, 'user, USER_LEN, PublicKey> 1011 { 1012 /// The credential ID. 1013 /// 1014 /// For client-side credentials, this is a unique identifier; but for server-side 1015 /// credentials, this _is_ the credential (i.e., the encrypted private key and necessary information). 1016 #[inline] 1017 #[must_use] 1018 pub const fn id(&self) -> CredentialId<&'cred [u8]> { 1019 self.id 1020 } 1021 /// The identifier for the user. 1022 /// 1023 /// Unlike [`Self::id`] which is globally unique for an RP, this is unique up to "user" (i.e., 1024 /// multiple [`CredentialId`]s will often exist for the same `UserHandle`). 1025 #[inline] 1026 #[must_use] 1027 pub const fn user_id(&self) -> &'user UserHandle<USER_LEN> { 1028 self.user_id 1029 } 1030 /// Immutable state returned during registration. 1031 #[inline] 1032 #[must_use] 1033 pub const fn static_state(&self) -> &StaticState<PublicKey> { 1034 &self.static_state 1035 } 1036 /// State that can change during authentication ceremonies. 1037 #[inline] 1038 #[must_use] 1039 pub const fn dynamic_state(&self) -> DynamicState { 1040 self.dynamic_state 1041 } 1042 /// Constructs an `AuthenticatedCredential` based on the passed arguments. 1043 /// 1044 /// # Errors 1045 /// 1046 /// Errors iff the passed arguments are invalid. Read [`CredentialErr`] 1047 /// for more information. 1048 #[expect(single_use_lifetimes, reason = "false positive")] 1049 #[cfg_attr(docsrs, doc(cfg(any(feature = "bin", feature = "custom"))))] 1050 #[cfg(any(feature = "bin", feature = "custom"))] 1051 #[inline] 1052 pub fn new<'a: 'cred, 'b: 'user>( 1053 id: CredentialId<&'a [u8]>, 1054 user_id: &'b UserHandle<USER_LEN>, 1055 static_state: StaticState<PublicKey>, 1056 dynamic_state: DynamicState, 1057 ) -> Result<Self, CredentialErr> { 1058 verify_static_and_dynamic_state(&static_state, dynamic_state).map(|()| Self { 1059 id, 1060 user_id, 1061 static_state, 1062 dynamic_state, 1063 }) 1064 } 1065 /// Returns the contained data consuming `self`. 1066 #[inline] 1067 #[must_use] 1068 pub fn into_parts( 1069 self, 1070 ) -> ( 1071 CredentialId<&'cred [u8]>, 1072 &'user UserHandle<USER_LEN>, 1073 StaticState<PublicKey>, 1074 DynamicState, 1075 ) { 1076 (self.id, self.user_id, self.static_state, self.dynamic_state) 1077 } 1078 /// Returns the contained data. 1079 #[inline] 1080 #[must_use] 1081 pub const fn as_parts( 1082 &self, 1083 ) -> ( 1084 CredentialId<&'cred [u8]>, 1085 &'user UserHandle<USER_LEN>, 1086 &StaticState<PublicKey>, 1087 DynamicState, 1088 ) { 1089 ( 1090 self.id, 1091 self.user_id, 1092 self.static_state(), 1093 self.dynamic_state, 1094 ) 1095 } 1096 } 1097 use response::register::{CompressedPubKeyBorrowed, CompressedPubKeyOwned}; 1098 /// `AuthenticatedCredential` based on a [`UserHandle64`]. 1099 pub type AuthenticatedCredential64<'cred, 'user, PublicKey> = 1100 AuthenticatedCredential<'cred, 'user, USER_HANDLE_MAX_LEN, PublicKey>; 1101 /// `AuthenticatedCredential` based on a [`UserHandle16`]. 1102 pub type AuthenticatedCredential16<'cred, 'user, PublicKey> = 1103 AuthenticatedCredential<'cred, 'user, 16, PublicKey>; 1104 /// `AuthenticatedCredential` that owns the key data. 1105 pub type AuthenticatedCredentialOwned<'cred, 'user, const USER_LEN: usize> = 1106 AuthenticatedCredential<'cred, 'user, USER_LEN, CompressedPubKeyOwned>; 1107 /// `AuthenticatedCredential` that borrows the key data. 1108 pub type AuthenticatedCredentialBorrowed<'cred, 'user, 'key, const USER_LEN: usize> = 1109 AuthenticatedCredential<'cred, 'user, USER_LEN, CompressedPubKeyBorrowed<'key>>; 1110 /// Convenience aggregate error that rolls up all errors into one. 1111 #[derive(Debug)] 1112 pub enum AggErr { 1113 /// Variant when [`AsciiDomain::try_from`] errors. 1114 AsciiDomain(AsciiDomainErr), 1115 /// Variant when [`Url::from_str`] errors. 1116 Url(UrlErr), 1117 /// Variant when [`Scheme::try_from`] errors. 1118 Scheme(SchemeParseErr), 1119 /// Variant when [`DomainOrigin::try_from`] errors. 1120 DomainOrigin(DomainOriginParseErr), 1121 /// Variant when [`Port::from_str`] errors. 1122 Port(PortParseErr), 1123 /// Variant when [`DiscoverableCredentialRequestOptions::start_ceremony`] or 1124 /// [`NonDiscoverableCredentialRequestOptions::start_ceremony`] 1125 /// error. 1126 InvalidTimeout(InvalidTimeout), 1127 /// Variant when [`CredentialCreationOptions::start_ceremony`] errors. 1128 CreationOptions(CreationOptionsErr), 1129 /// Variant when [`NonDiscoverableCredentialRequestOptions::start_ceremony`] errors. 1130 NonDiscoverableCredentialRequestOptions(NonDiscoverableCredentialRequestOptionsErr), 1131 /// Variant when [`Nickname::try_from`] errors. 1132 Nickname(NicknameErr), 1133 /// Variant when [`Username::try_from`] errors. 1134 Username(UsernameErr), 1135 /// Variant when [`RegistrationServerState::verify`] errors. 1136 RegCeremony(RegCeremonyErr), 1137 /// Variant when [`DiscoverableAuthenticationServerState::verify`] or. 1138 /// [`NonDiscoverableAuthenticationServerState::verify`] error. 1139 AuthCeremony(AuthCeremonyErr), 1140 /// Variant when [`AttestationObject::try_from`] errors. 1141 AttestationObject(AttestationObjectErr), 1142 /// Variant when [`register::AuthenticatorData::try_from`] errors. 1143 RegAuthenticatorData(RegAuthDataErr), 1144 /// Variant when [`auth::AuthenticatorData::try_from`] errors. 1145 AuthAuthenticatorData(AuthAuthDataErr), 1146 /// Variant when [`CollectedClientData::from_client_data_json`] errors. 1147 CollectedClientData(CollectedClientDataErr), 1148 /// Variant when [`CollectedClientData::from_client_data_json_relaxed`] errors or any of the [`Deserialize`] 1149 /// implementations error when relying on [`Deserializer`] or [`StreamDeserializer`]. 1150 #[cfg_attr(docsrs, doc(cfg(feature = "serde_relaxed")))] 1151 #[cfg(feature = "serde_relaxed")] 1152 SerdeJson(SerdeJsonErr), 1153 /// Variant when [`Aaguid::try_from`] errors. 1154 Aaguid(AaguidErr), 1155 /// Variant when [`AuthTransports::decode`] errors. 1156 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1157 #[cfg(feature = "bin")] 1158 DecodeAuthTransports(DecodeAuthTransportsErr), 1159 /// Variant when [`StaticState::decode`] errors. 1160 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1161 #[cfg(feature = "bin")] 1162 DecodeStaticState(DecodeStaticStateErr), 1163 /// Variant when [`DynamicState::decode`] errors. 1164 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1165 #[cfg(feature = "bin")] 1166 DecodeDynamicState(DecodeDynamicStateErr), 1167 /// Variant when [`Nickname::decode`] errors. 1168 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1169 #[cfg(feature = "bin")] 1170 DecodeNickname(DecodeNicknameErr), 1171 /// Variant when [`Username::decode`] errors. 1172 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1173 #[cfg(feature = "bin")] 1174 DecodeUsername(DecodeUsernameErr), 1175 /// Variant when [`RegistrationServerState::decode`] errors. 1176 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1177 #[cfg(feature = "serializable_server_state")] 1178 DecodeRegistrationServerState(DecodeRegistrationServerStateErr), 1179 /// Variant when [`DiscoverableAuthenticationServerState::decode`] errors. 1180 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1181 #[cfg(feature = "serializable_server_state")] 1182 DecodeDiscoverableAuthenticationServerState(DecodeDiscoverableAuthenticationServerStateErr), 1183 /// Variant when [`NonDiscoverableAuthenticationServerState::decode`] errors. 1184 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1185 #[cfg(feature = "serializable_server_state")] 1186 DecodeNonDiscoverableAuthenticationServerState( 1187 DecodeNonDiscoverableAuthenticationServerStateErr, 1188 ), 1189 /// Variant when [`RegistrationServerState::encode`] errors. 1190 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1191 #[cfg(feature = "serializable_server_state")] 1192 EncodeRegistrationServerState(SystemTimeError), 1193 /// Variant when [`DiscoverableAuthenticationServerState::encode`] errors. 1194 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1195 #[cfg(feature = "serializable_server_state")] 1196 EncodeDiscoverableAuthenticationServerState(SystemTimeError), 1197 /// Variant when [`NonDiscoverableAuthenticationServerState::encode`] errors. 1198 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1199 #[cfg(feature = "serializable_server_state")] 1200 EncodeNonDiscoverableAuthenticationServerState( 1201 EncodeNonDiscoverableAuthenticationServerStateErr, 1202 ), 1203 /// Variant when [`AuthenticatedCredential::new`] errors. 1204 #[cfg_attr(docsrs, doc(cfg(any(feature = "bin", feature = "custom"))))] 1205 #[cfg(any(feature = "bin", feature = "custom"))] 1206 Credential(CredentialErr), 1207 /// Variant when [`CredentialId::try_from`] or [`CredentialId::decode`] errors. 1208 #[cfg_attr(docsrs, doc(cfg(any(feature = "bin", feature = "custom"))))] 1209 #[cfg(any(feature = "bin", feature = "custom"))] 1210 CredentialId(CredentialIdErr), 1211 } 1212 impl From<AsciiDomainErr> for AggErr { 1213 #[inline] 1214 fn from(value: AsciiDomainErr) -> Self { 1215 Self::AsciiDomain(value) 1216 } 1217 } 1218 impl From<UrlErr> for AggErr { 1219 #[inline] 1220 fn from(value: UrlErr) -> Self { 1221 Self::Url(value) 1222 } 1223 } 1224 impl From<SchemeParseErr> for AggErr { 1225 #[inline] 1226 fn from(value: SchemeParseErr) -> Self { 1227 Self::Scheme(value) 1228 } 1229 } 1230 impl From<DomainOriginParseErr> for AggErr { 1231 #[inline] 1232 fn from(value: DomainOriginParseErr) -> Self { 1233 Self::DomainOrigin(value) 1234 } 1235 } 1236 impl From<PortParseErr> for AggErr { 1237 #[inline] 1238 fn from(value: PortParseErr) -> Self { 1239 Self::Port(value) 1240 } 1241 } 1242 impl From<InvalidTimeout> for AggErr { 1243 #[inline] 1244 fn from(value: InvalidTimeout) -> Self { 1245 Self::InvalidTimeout(value) 1246 } 1247 } 1248 impl From<CreationOptionsErr> for AggErr { 1249 #[inline] 1250 fn from(value: CreationOptionsErr) -> Self { 1251 Self::CreationOptions(value) 1252 } 1253 } 1254 impl From<NonDiscoverableCredentialRequestOptionsErr> for AggErr { 1255 #[inline] 1256 fn from(value: NonDiscoverableCredentialRequestOptionsErr) -> Self { 1257 Self::NonDiscoverableCredentialRequestOptions(value) 1258 } 1259 } 1260 impl From<NicknameErr> for AggErr { 1261 #[inline] 1262 fn from(value: NicknameErr) -> Self { 1263 Self::Nickname(value) 1264 } 1265 } 1266 impl From<UsernameErr> for AggErr { 1267 #[inline] 1268 fn from(value: UsernameErr) -> Self { 1269 Self::Username(value) 1270 } 1271 } 1272 impl From<RegCeremonyErr> for AggErr { 1273 #[inline] 1274 fn from(value: RegCeremonyErr) -> Self { 1275 Self::RegCeremony(value) 1276 } 1277 } 1278 impl From<AuthCeremonyErr> for AggErr { 1279 #[inline] 1280 fn from(value: AuthCeremonyErr) -> Self { 1281 Self::AuthCeremony(value) 1282 } 1283 } 1284 impl From<AttestationObjectErr> for AggErr { 1285 #[inline] 1286 fn from(value: AttestationObjectErr) -> Self { 1287 Self::AttestationObject(value) 1288 } 1289 } 1290 impl From<RegAuthDataErr> for AggErr { 1291 #[inline] 1292 fn from(value: RegAuthDataErr) -> Self { 1293 Self::RegAuthenticatorData(value) 1294 } 1295 } 1296 impl From<AuthAuthDataErr> for AggErr { 1297 #[inline] 1298 fn from(value: AuthAuthDataErr) -> Self { 1299 Self::AuthAuthenticatorData(value) 1300 } 1301 } 1302 impl From<CollectedClientDataErr> for AggErr { 1303 #[inline] 1304 fn from(value: CollectedClientDataErr) -> Self { 1305 Self::CollectedClientData(value) 1306 } 1307 } 1308 #[cfg_attr(docsrs, doc(cfg(feature = "serde_relaxed")))] 1309 #[cfg(feature = "serde_relaxed")] 1310 impl From<SerdeJsonErr> for AggErr { 1311 #[inline] 1312 fn from(value: SerdeJsonErr) -> Self { 1313 Self::SerdeJson(value) 1314 } 1315 } 1316 impl From<AaguidErr> for AggErr { 1317 #[inline] 1318 fn from(value: AaguidErr) -> Self { 1319 Self::Aaguid(value) 1320 } 1321 } 1322 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1323 #[cfg(feature = "bin")] 1324 impl From<DecodeAuthTransportsErr> for AggErr { 1325 #[inline] 1326 fn from(value: DecodeAuthTransportsErr) -> Self { 1327 Self::DecodeAuthTransports(value) 1328 } 1329 } 1330 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1331 #[cfg(feature = "bin")] 1332 impl From<DecodeStaticStateErr> for AggErr { 1333 #[inline] 1334 fn from(value: DecodeStaticStateErr) -> Self { 1335 Self::DecodeStaticState(value) 1336 } 1337 } 1338 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1339 #[cfg(feature = "bin")] 1340 impl From<DecodeDynamicStateErr> for AggErr { 1341 #[inline] 1342 fn from(value: DecodeDynamicStateErr) -> Self { 1343 Self::DecodeDynamicState(value) 1344 } 1345 } 1346 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1347 #[cfg(feature = "bin")] 1348 impl From<DecodeNicknameErr> for AggErr { 1349 #[inline] 1350 fn from(value: DecodeNicknameErr) -> Self { 1351 Self::DecodeNickname(value) 1352 } 1353 } 1354 #[cfg_attr(docsrs, doc(cfg(feature = "bin")))] 1355 #[cfg(feature = "bin")] 1356 impl From<DecodeUsernameErr> for AggErr { 1357 #[inline] 1358 fn from(value: DecodeUsernameErr) -> Self { 1359 Self::DecodeUsername(value) 1360 } 1361 } 1362 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1363 #[cfg(feature = "serializable_server_state")] 1364 impl From<DecodeRegistrationServerStateErr> for AggErr { 1365 #[inline] 1366 fn from(value: DecodeRegistrationServerStateErr) -> Self { 1367 Self::DecodeRegistrationServerState(value) 1368 } 1369 } 1370 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1371 #[cfg(feature = "serializable_server_state")] 1372 impl From<DecodeDiscoverableAuthenticationServerStateErr> for AggErr { 1373 #[inline] 1374 fn from(value: DecodeDiscoverableAuthenticationServerStateErr) -> Self { 1375 Self::DecodeDiscoverableAuthenticationServerState(value) 1376 } 1377 } 1378 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1379 #[cfg(feature = "serializable_server_state")] 1380 impl From<DecodeNonDiscoverableAuthenticationServerStateErr> for AggErr { 1381 #[inline] 1382 fn from(value: DecodeNonDiscoverableAuthenticationServerStateErr) -> Self { 1383 Self::DecodeNonDiscoverableAuthenticationServerState(value) 1384 } 1385 } 1386 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))] 1387 #[cfg(feature = "serializable_server_state")] 1388 impl From<EncodeNonDiscoverableAuthenticationServerStateErr> for AggErr { 1389 #[inline] 1390 fn from(value: EncodeNonDiscoverableAuthenticationServerStateErr) -> Self { 1391 Self::EncodeNonDiscoverableAuthenticationServerState(value) 1392 } 1393 } 1394 #[cfg_attr(docsrs, doc(cfg(any(feature = "bin", feature = "custom"))))] 1395 #[cfg(any(feature = "bin", feature = "custom"))] 1396 impl From<CredentialErr> for AggErr { 1397 #[inline] 1398 fn from(value: CredentialErr) -> Self { 1399 Self::Credential(value) 1400 } 1401 } 1402 #[cfg_attr(docsrs, doc(cfg(any(feature = "bin", feature = "custom"))))] 1403 #[cfg(any(feature = "bin", feature = "custom"))] 1404 impl From<CredentialIdErr> for AggErr { 1405 #[inline] 1406 fn from(value: CredentialIdErr) -> Self { 1407 Self::CredentialId(value) 1408 } 1409 } 1410 impl Display for AggErr { 1411 #[inline] 1412 fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { 1413 match *self { 1414 Self::AsciiDomain(err) => err.fmt(f), 1415 Self::Url(err) => err.fmt(f), 1416 Self::Scheme(err) => err.fmt(f), 1417 Self::DomainOrigin(ref err) => err.fmt(f), 1418 Self::Port(ref err) => err.fmt(f), 1419 Self::InvalidTimeout(err) => err.fmt(f), 1420 Self::CreationOptions(err) => err.fmt(f), 1421 Self::NonDiscoverableCredentialRequestOptions(err) => err.fmt(f), 1422 Self::Nickname(err) => err.fmt(f), 1423 Self::Username(err) => err.fmt(f), 1424 Self::RegCeremony(ref err) => err.fmt(f), 1425 Self::AuthCeremony(ref err) => err.fmt(f), 1426 Self::AttestationObject(err) => err.fmt(f), 1427 Self::RegAuthenticatorData(err) => err.fmt(f), 1428 Self::AuthAuthenticatorData(err) => err.fmt(f), 1429 Self::CollectedClientData(ref err) => err.fmt(f), 1430 #[cfg(feature = "serde_relaxed")] 1431 Self::SerdeJson(ref err) => err.fmt(f), 1432 Self::Aaguid(err) => err.fmt(f), 1433 #[cfg(feature = "bin")] 1434 Self::DecodeAuthTransports(err) => err.fmt(f), 1435 #[cfg(feature = "bin")] 1436 Self::DecodeStaticState(err) => err.fmt(f), 1437 #[cfg(feature = "bin")] 1438 Self::DecodeDynamicState(err) => err.fmt(f), 1439 #[cfg(feature = "bin")] 1440 Self::DecodeNickname(err) => err.fmt(f), 1441 #[cfg(feature = "bin")] 1442 Self::DecodeUsername(err) => err.fmt(f), 1443 #[cfg(feature = "serializable_server_state")] 1444 Self::DecodeRegistrationServerState(err) => err.fmt(f), 1445 #[cfg(feature = "serializable_server_state")] 1446 Self::DecodeDiscoverableAuthenticationServerState(err) => err.fmt(f), 1447 #[cfg(feature = "serializable_server_state")] 1448 Self::DecodeNonDiscoverableAuthenticationServerState(err) => err.fmt(f), 1449 #[cfg(feature = "serializable_server_state")] 1450 Self::EncodeRegistrationServerState(ref err) => err.fmt(f), 1451 #[cfg(feature = "serializable_server_state")] 1452 Self::EncodeDiscoverableAuthenticationServerState(ref err) => err.fmt(f), 1453 #[cfg(feature = "serializable_server_state")] 1454 Self::EncodeNonDiscoverableAuthenticationServerState(ref err) => err.fmt(f), 1455 #[cfg(any(feature = "bin", feature = "custom"))] 1456 Self::Credential(err) => err.fmt(f), 1457 #[cfg(any(feature = "bin", feature = "custom"))] 1458 Self::CredentialId(err) => err.fmt(f), 1459 } 1460 } 1461 } 1462 impl Error for AggErr {}