webauthn_rp

auth.rs (94356B)

---

 #[cfg(doc)]
 use super::{
     super::response::{
         Backup, CollectedClientData, Flag,
         auth::AuthenticatorData,
         register::{
             AuthenticatorExtensionOutputStaticState, ClientExtensionsOutputsStaticState,
             DynamicState, StaticState,
         },
     },
     AsciiDomain, AsciiDomainStatic, DomainOrigin, Url,
     register::{self, PublicKeyCredentialCreationOptions},
 };
 use super::{
     super::{
         AuthenticatedCredential,
         response::{
             AuthenticatorAttachment,
             auth::{
                 Authentication, AuthenticatorExtensionOutput, DiscoverableAuthentication,
                 HmacSecret, NonDiscoverableAuthentication,
                 error::{AuthCeremonyErr, ExtensionErr, OneOrTwo},
             },
             register::{CompressedPubKey, CredentialProtectionPolicy},
         },
     },
     BackupReq, Ceremony, CeremonyOptions, Challenge, CredentialId, CredentialMediationRequirement,
     Credentials, ExtensionReq, Hint, Origin, PrfInput, PublicKeyCredentialDescriptor, RpId,
     SentChallenge, THREE_HUNDRED_THOUSAND, TimedCeremony, UserVerificationRequirement,
     auth::error::{InvalidTimeout, SecondFactorErr},
 };
 use core::{
     borrow::Borrow,
     cmp::Ordering,
     hash::{Hash, Hasher},
     num::{NonZeroU32, NonZeroU64},
     time::Duration,
 };
 #[cfg(any(doc, not(feature = "serializable_server_state")))]
 use std::time::Instant;
 #[cfg(any(doc, feature = "serializable_server_state"))]
 use std::time::SystemTime;
 /// Contains error types.
 pub mod error;
 /// Contains functionality to serialize data to a client.
 #[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
 #[cfg(feature = "serde")]
 mod ser;
 /// Contains functionality to (de)serialize [`DiscoverableAuthenticationServerState`] and
 /// [`NonDiscoverableAuthenticationServerState`] to a data store.
 #[cfg_attr(docsrs, doc(cfg(feature = "serializable_server_state")))]
 #[cfg(feature = "serializable_server_state")]
 pub mod ser_server_state;
 /// Controls how [signature counter](https://www.w3.org/TR/webauthn-3/#signature-counter) is enforced.
 ///
 /// Note that if the previous signature counter is positive and the new counter is not strictly greater, then the
 /// authenticator is likely a clone (i.e., there are at least two copies of the private key).
 #[derive(Clone, Copy, Debug, Default)]
 pub enum SignatureCounterEnforcement {
     /// Fail the authentication ceremony if the counter is less than or equal to the previous value when the
     /// previous value is positive.
     #[default]
     Fail,
     /// When the counter is less than the previous value, don't fail and update the value.
     ///
     /// Note in the special case that the new signature counter is 0, [`DynamicState::sign_count`] _won't_
     /// be updated since that would allow an attacker to permanently disable the counter.
     Update,
     /// When the counter is less than the previous value, don't fail but don't update the value.
     Ignore,
 }
 impl SignatureCounterEnforcement {
     /// Validates the signature counter based on `self`.
     const fn validate(self, prev: u32, cur: u32) -> Result<u32, AuthCeremonyErr> {
         if prev == 0 || cur > prev {
             Ok(cur)
         } else {
             match self {
                 Self::Fail => Err(AuthCeremonyErr::SignatureCounter),
                 // When the new counter is `0`, we use the previous counter to avoid an attacker from
                 // being able to permanently disable it.
                 Self::Update => Ok(if cur == 0 { prev } else { cur }),
                 Self::Ignore => Ok(prev),
             }
         }
     }
 }
 /// Owned version of [`PrfInput`].
 ///
 /// When relying on [`NonDiscoverableCredentialRequestOptions`], it's recommended to use credential-specific PRF
 /// inputs that are continuously rolled over. One uses this type for such a thing.
 #[derive(Clone, Debug)]
 pub struct PrfInputOwned {
     /// [`first`](https://www.w3.org/TR/webauthn-3/#dom-authenticationextensionsprfvalues-first).
     pub first: Vec<u8>,
     /// [`second`](https://www.w3.org/TR/webauthn-3/#dom-authenticationextensionsprfvalues-second).
     pub second: Option<Vec<u8>>,
     /// Note this is only applicable for authenticators that implement the
     /// [`prf`](https://www.w3.org/TR/webauthn-3/#prf-extension) extension on top of the
     /// [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-hmac-secret-extension)
     /// extension since the data is encrypted and is part of the [`AuthenticatorData`].
     pub ext_req: ExtensionReq,
 }
 /// The [defined extensions](https://www.w3.org/TR/webauthn-3/#sctn-defined-extensions) to send to the client.
 #[derive(Clone, Copy, Debug, Default)]
 pub struct Extension<'prf_first, 'prf_second> {
     /// [`prf`](https://www.w3.org/TR/webauthn-3/#prf-extension).
     ///
     /// If both [`CredentialSpecificExtension::prf`] and this are [`Some`], then `CredentialSpecificExtension::prf`
     /// takes priority.
     ///
     /// Note `ExtensionReq` is only applicable for authenticators that implement the
     /// [`prf`](https://www.w3.org/TR/webauthn-3/#prf-extension) extension on top of the
     /// [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-hmac-secret-extension)
     /// extension since the data is encrypted and is part of the [`AuthenticatorData`].
     pub prf: Option<(PrfInput<'prf_first, 'prf_second>, ExtensionReq)>,
 }
 /// The [defined extensions](https://www.w3.org/TR/webauthn-3/#sctn-defined-extensions) to send to the client that
 /// are credential-specific which among other things implies a non-discoverable request.
 #[derive(Clone, Debug, Default)]
 pub struct CredentialSpecificExtension {
     /// [`prf`](https://www.w3.org/TR/webauthn-3/#prf-extension).
     ///
     /// If both [`Extension::prf`] and this are [`Some`], then this take priority.
     pub prf: Option<PrfInputOwned>,
 }
 /// Registered credential used in
 /// [`allowCredentials`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-allowcredentials).
 #[derive(Clone, Debug)]
 pub struct AllowedCredential {
     /// The registered credential.
     pub credential: PublicKeyCredentialDescriptor<Vec<u8>>,
     /// Credential-specific extensions.
     pub extension: CredentialSpecificExtension,
 }
 impl From<PublicKeyCredentialDescriptor<Vec<u8>>> for AllowedCredential {
     #[inline]
     fn from(credential: PublicKeyCredentialDescriptor<Vec<u8>>) -> Self {
         Self {
             credential,
             extension: CredentialSpecificExtension::default(),
         }
     }
 }
 impl From<AllowedCredential> for PublicKeyCredentialDescriptor<Vec<u8>> {
     #[inline]
     fn from(credential: AllowedCredential) -> Self {
         credential.credential
     }
 }
 /// Queue of unique [`AllowedCredential`]s.
 #[derive(Clone, Debug, Default)]
 pub struct AllowedCredentials {
     /// Allowed credentials.
     creds: Vec<AllowedCredential>,
     /// Number of `AllowedCredential`s that have PRF inputs.
     ///
     /// Useful to help serialization.
     prf_count: usize,
 }
 impl Credentials for AllowedCredentials {
     type Credential = AllowedCredential;
     /// # Examples
     ///
     /// ```
     /// # use webauthn_rp::request::{auth::AllowedCredentials, Credentials};
     /// assert!(AllowedCredentials::with_capacity(1).as_ref().is_empty());
     /// ```
     #[inline]
     fn with_capacity(capacity: usize) -> Self {
         Self {
             creds: Vec::with_capacity(capacity),
             prf_count: 0,
         }
     }
     /// # Examples
     ///
     /// ```
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// # use webauthn_rp::{bin::Decode, response::bin::DecodeAuthTransportsErr};
     /// # use webauthn_rp::{
     /// #     request::{auth::AllowedCredentials, PublicKeyCredentialDescriptor, Credentials},
     /// #     response::{AuthTransports, CredentialId},
     /// # };
     /// /// Retrieves the `AuthTransports` associated with the unique `cred_id`
     /// /// from the database.
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// fn get_transports(cred_id: CredentialId<&[u8]>) -> Result<AuthTransports, DecodeAuthTransportsErr> {
     ///     // ⋮
     /// #     AuthTransports::decode(32)
     /// }
     /// let mut creds = AllowedCredentials::with_capacity(1);
     /// assert!(creds.as_ref().is_empty());
     /// // `CredentialId::try_from` only exists when `custom` is enabled; and even then, it is
     /// // likely never needed since the `CredentialId` was originally sent from the client and is likely
     /// // stored in a database which would be fetched by `UserHandle` or `Authentication::raw_id`.
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// let id = CredentialId::try_from(vec![0; 16])?;
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// let transports = get_transports((&id).into())?;
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// assert!(creds.push(PublicKeyCredentialDescriptor { id, transports }.into()));
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// let id_copy = CredentialId::try_from(vec![0; 16])?;
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// let transports_2 = AuthTransports::NONE;
     /// // Duplicate `CredentialId`s don't get added.
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// assert!(!creds.push(
     ///     PublicKeyCredentialDescriptor {
     ///         id: id_copy,
     ///         transports: transports_2
     ///     }
     ///     .into()
     /// ));
     /// # Ok::<_, webauthn_rp::AggErr>(())
     /// ```
     #[expect(
         clippy::arithmetic_side_effects,
         reason = "comment explains how overflow is not possible"
     )]
     #[inline]
     fn push(&mut self, cred: Self::Credential) -> bool {
         self.creds
             .iter()
             .try_fold((), |(), c| {
                 if c.credential.id == cred.credential.id {
                     Err(())
                 } else {
                     Ok(())
                 }
             })
             .is_ok_and(|()| {
                 // This can't overflow since `self.creds.push` would `panic` since
                 // `self.prf_count <= self.creds.len()`.
                 self.prf_count += usize::from(cred.extension.prf.is_some());
                 self.creds.push(cred);
                 true
             })
     }
     #[inline]
     fn len(&self) -> usize {
         self.creds.len()
     }
 }
 impl AsRef<[AllowedCredential]> for AllowedCredentials {
     #[inline]
     fn as_ref(&self) -> &[AllowedCredential] {
         self.creds.as_slice()
     }
 }
 impl From<&AllowedCredentials> for Vec<CredInfo> {
     #[inline]
     fn from(value: &AllowedCredentials) -> Self {
         let len = value.creds.len();
         value
             .creds
             .iter()
             .fold(Self::with_capacity(len), |mut creds, cred| {
                 creds.push(CredInfo {
                     id: cred.credential.id.clone(),
                     ext: (&cred.extension).into(),
                 });
                 creds
             })
     }
 }
 impl From<AllowedCredentials> for Vec<PublicKeyCredentialDescriptor<Vec<u8>>> {
     #[inline]
     fn from(value: AllowedCredentials) -> Self {
         let mut creds = Self::with_capacity(value.creds.len());
         value.creds.into_iter().fold((), |(), cred| {
             creds.push(cred.credential);
         });
         creds
     }
 }
 impl From<Vec<PublicKeyCredentialDescriptor<Vec<u8>>>> for AllowedCredentials {
     #[inline]
     fn from(value: Vec<PublicKeyCredentialDescriptor<Vec<u8>>>) -> Self {
         let mut creds = Self::with_capacity(value.len());
         value.into_iter().fold((), |(), credential| {
             _ = creds.push(AllowedCredential {
                 credential,
                 extension: CredentialSpecificExtension { prf: None },
             });
         });
         creds
     }
 }
 /// The [`CredentialRequestOptions`](https://www.w3.org/TR/credential-management-1/#dictdef-credentialrequestoptions)
 /// to send to the client when authenticating a discoverable credentential.
 ///
 /// Upon saving the [`DiscoverableAuthenticationServerState`] returned from [`Self::start_ceremony`], one MUST send
 /// [`DiscoverableAuthenticationClientState`] to the client ASAP. After receiving the newly created
 /// [`DiscoverableAuthentication`], it is validated using [`DiscoverableAuthenticationServerState::verify`].
 #[derive(Debug)]
 pub struct DiscoverableCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second> {
     /// [`mediation`](https://www.w3.org/TR/credential-management-1/#enumdef-credentialmediationrequirement).
     pub mediation: CredentialMediationRequirement,
     /// `public-key` [credential type](https://www.w3.org/TR/credential-management-1/#sctn-cred-type-registry).
     pub public_key: PublicKeyCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second>,
 }
 impl<'rp_id, 'prf_first, 'prf_second>
     DiscoverableCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second>
 {
     /// Creates a `DiscoverableCredentialRequestOptions` containing [`CredentialMediationRequirement::default`] and
     /// [`PublicKeyCredentialRequestOptions::passkey`].
     ///
     /// # Examples
     ///
     /// ```
     /// # use webauthn_rp::request::{auth::DiscoverableCredentialRequestOptions, AsciiDomain, RpId, UserVerificationRequirement};
     /// assert!(matches!(
     ///     DiscoverableCredentialRequestOptions::passkey(&RpId::Domain(AsciiDomain::try_from("example.com".to_owned())?)).public_key.user_verification,
     ///     UserVerificationRequirement::Required
     /// ));
     /// # Ok::<_, webauthn_rp::AggErr>(())
     /// ```
     #[expect(single_use_lifetimes, reason = "false positive")]
     #[inline]
     #[must_use]
     pub fn passkey<'a: 'rp_id>(rp_id: &'a RpId) -> Self {
         Self {
             mediation: CredentialMediationRequirement::default(),
             public_key: PublicKeyCredentialRequestOptions::passkey(rp_id),
         }
     }
     /// Begins the [authentication ceremony](https://www.w3.org/TR/webauthn-3/#authentication-ceremony) consuming
     /// `self`. Note that the expiration [`Instant`]/[`SystemTime`] is saved, so
     /// `DiscoverableAuthenticationClientState` MUST be sent ASAP. In order to complete authentication, the returned
     /// `DiscoverableAuthenticationServerState` MUST be saved so that it can later be used to verify the credential
     /// assertion with [`DiscoverableAuthenticationServerState::verify`].
     ///
     /// # Errors
     ///
     /// Errors iff `self` contains incompatible configuration.
     #[inline]
     pub fn start_ceremony(
         self,
     ) -> Result<
         (
             DiscoverableAuthenticationServerState,
             DiscoverableAuthenticationClientState<'rp_id, 'prf_first, 'prf_second>,
         ),
         InvalidTimeout,
     > {
         #[cfg(not(feature = "serializable_server_state"))]
         let res = Instant::now();
         #[cfg(feature = "serializable_server_state")]
         let res = SystemTime::now();
         res.checked_add(Duration::from_millis(
             NonZeroU64::from(self.public_key.timeout).get(),
         ))
         .ok_or(InvalidTimeout)
         .map(|expiration| {
             (
                 DiscoverableAuthenticationServerState(AuthenticationServerState {
                     challenge: SentChallenge(self.public_key.challenge.0),
                     user_verification: self.public_key.user_verification,
                     extensions: self.public_key.extensions.into(),
                     expiration,
                 }),
                 DiscoverableAuthenticationClientState(self),
             )
         })
     }
     /// Same as [`Self::start_ceremony`] except the raw challenge is returned instead of
     /// [`DiscoverableAuthenticationClientState`].
     ///
     /// Note this is useful when one configures the authentication ceremony client-side and only needs the
     /// server-generated challenge. It's of course essential that `self` is configured exactly the same as
     /// how it is configured client-side. See
     /// [`challengeURL`](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-challengeURL) for more
     /// information.
     ///
     /// # Errors
     ///
     /// Read [`Self::start_ceremony`].
     #[inline]
     pub fn start_ceremony_challenge_only(
         self,
     ) -> Result<(DiscoverableAuthenticationServerState, [u8; 16]), InvalidTimeout> {
         self.start_ceremony()
             .map(|(server, client)| (server, client.0.public_key.challenge.into_array()))
     }
 }
 /// The [`CredentialRequestOptions`](https://www.w3.org/TR/credential-management-1/#dictdef-credentialrequestoptions)
 /// to send to the client when authenticating non-discoverable credententials.
 ///
 /// Upon saving the [`NonDiscoverableAuthenticationServerState`] returned from [`Self::start_ceremony`], one MUST send
 /// [`NonDiscoverableAuthenticationClientState`] to the client ASAP. After receiving the newly created
 /// [`NonDiscoverableAuthentication`], it is validated using [`NonDiscoverableAuthenticationServerState::verify`].
 #[derive(Debug)]
 pub struct NonDiscoverableCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second> {
     /// [`mediation`](https://www.w3.org/TR/credential-management-1/#enumdef-credentialmediationrequirement).
     mediation: CredentialMediationRequirement,
     /// [`PublicKeyCredentialRequestOptions`](https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialrequestoptions).
     options: PublicKeyCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second>,
     /// [`allowCredentials`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-allowcredentials).
     allow_credentials: AllowedCredentials,
 }
 impl<'rp_id, 'prf_first, 'prf_second>
     NonDiscoverableCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second>
 {
     /// Returns a mutable reference to the `CredentialMediationRequirement`.
     #[inline]
     pub const fn mediation(&mut self) -> &mut CredentialMediationRequirement {
         &mut self.mediation
     }
     /// Returns a mutable reference to the configurable options.
     #[inline]
     pub const fn options(
         &mut self,
     ) -> &mut PublicKeyCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second> {
         &mut self.options
     }
     /// Returns a reference to the [`AllowedCredential`]s.
     #[inline]
     #[must_use]
     pub const fn allow_credentials(&self) -> &AllowedCredentials {
         &self.allow_credentials
     }
     /// Creates a `NonDiscoverableCredentialRequestOptions` containing
     /// [`CredentialMediationRequirement::Optional`],
     /// [`PublicKeyCredentialRequestOptions::second_factor`], and the passed [`AllowedCredentials`].
     ///
     /// # Errors
     ///
     /// Errors iff `allow_credentials` is empty.
     ///
     /// # Examples
     ///
     /// ```
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// # use webauthn_rp::{bin::Decode, response::bin::DecodeAuthTransportsErr};
     /// # use webauthn_rp::{
     /// #     request::{
     /// #         auth::{AllowedCredentials, NonDiscoverableCredentialRequestOptions},
     /// #         AsciiDomain, RpId, PublicKeyCredentialDescriptor, Credentials
     /// #     },
     /// #     response::{AuthTransports, CredentialId},
     /// # };
     /// /// Retrieves the `AuthTransports` associated with the unique `cred_id`
     /// /// from the database.
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// fn get_transports(cred_id: CredentialId<&[u8]>) -> Result<AuthTransports, DecodeAuthTransportsErr> {
     ///     // ⋮
     /// #     AuthTransports::decode(32)
     /// }
     /// let mut creds = AllowedCredentials::with_capacity(1);
     /// assert!(creds.as_ref().is_empty());
     /// // `CredentialId::try_from` only exists when `custom` is enabled; and even then, it is
     /// // likely never needed since the `CredentialId` was originally sent from the client and is likely
     /// // stored in a database which would be fetched by `UserHandle` or `Authentication::raw_id`.
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// let id = CredentialId::try_from(vec![0; 16])?;
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// let transports = get_transports((&id).into())?;
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// assert!(creds.push(PublicKeyCredentialDescriptor { id, transports }.into()));
     /// # #[cfg(all(feature = "bin", feature = "custom"))]
     /// assert_eq!(
     ///     NonDiscoverableCredentialRequestOptions::second_factor(&RpId::Domain(AsciiDomain::try_from("example.com".to_owned())?), creds)?
     ///         .allow_credentials()
     ///         .len(),
     ///     1
     /// );
     /// # Ok::<_, webauthn_rp::AggErr>(())
     /// ```
     #[expect(single_use_lifetimes, reason = "false positive")]
     #[inline]
     pub fn second_factor<'a: 'rp_id>(
         rp_id: &'a RpId,
         allow_credentials: AllowedCredentials,
     ) -> Result<Self, SecondFactorErr> {
         if allow_credentials.is_empty() {
             Err(SecondFactorErr)
         } else {
             Ok(Self {
                 mediation: CredentialMediationRequirement::default(),
                 options: PublicKeyCredentialRequestOptions::second_factor(rp_id),
                 allow_credentials,
             })
         }
     }
     /// Begins the [authentication ceremony](https://www.w3.org/TR/webauthn-3/#authentication-ceremony) consuming
     /// `self`. Note that the expiration [`Instant`]/[`SystemTime`] is saved, so `NonDiscoverableAuthenticationClientState`
     /// MUST be sent ASAP. In order to complete authentication, the returned `NonDiscoverableAuthenticationServerState`
     /// MUST be saved so that it can later be used to verify the credential assertion with
     /// [`NonDiscoverableAuthenticationServerState::verify`].
     ///
     /// # Errors
     ///
     /// Errors iff `self` contains incompatible configuration.
     #[inline]
     pub fn start_ceremony(
         self,
     ) -> Result<
         (
             NonDiscoverableAuthenticationServerState,
             NonDiscoverableAuthenticationClientState<'rp_id, 'prf_first, 'prf_second>,
         ),
         InvalidTimeout,
     > {
         #[cfg(not(feature = "serializable_server_state"))]
         let res = Instant::now();
         #[cfg(feature = "serializable_server_state")]
         let res = SystemTime::now();
         res.checked_add(Duration::from_millis(
             NonZeroU64::from(self.options.timeout).get(),
         ))
         .ok_or(InvalidTimeout)
         .map(|expiration| {
             (
                 NonDiscoverableAuthenticationServerState {
                     state: AuthenticationServerState {
                         challenge: SentChallenge(self.options.challenge.0),
                         user_verification: self.options.user_verification,
                         extensions: self.options.extensions.into(),
                         expiration,
                     },
                     allow_credentials: Vec::from(&self.allow_credentials),
                 },
                 NonDiscoverableAuthenticationClientState(self),
             )
         })
     }
 }
 /// The [`PublicKeyCredentialRequestOptions`](https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialrequestoptions)
 /// to send to the client when authenticating a credential.
 ///
 /// This does _not_ contain [`allowCredentials`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-allowcredentials).
 #[derive(Debug)]
 pub struct PublicKeyCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second> {
     /// [`challenge`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-challenge).
     pub challenge: Challenge,
     /// [`timeout`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-timeout).
     ///
     /// Note we require a positive value despite the spec allowing an optional nonnegative value. This jives
     /// with the fact that in-memory storage is required when `serializable_server_state` is not enabled
     /// when authenticating credentials as no timeout would make out-of-memory (OOM) conditions more likely.
     pub timeout: NonZeroU32,
     /// [`rpId`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-rpid).
     ///
     /// This MUST be the same as the [`PublicKeyCredentialCreationOptions::rp_id`] used when the credential was registered.
     pub rp_id: &'rp_id RpId,
     /// [`userVerification`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-userverification).
     pub user_verification: UserVerificationRequirement,
     /// [`hints`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-hints).
     pub hints: Hint,
     /// [`extensions`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-extensions).
     pub extensions: Extension<'prf_first, 'prf_second>,
 }
 impl<'rp_id> PublicKeyCredentialRequestOptions<'rp_id, '_, '_> {
     /// Creates a `PublicKeyCredentialRequestOptions` with [`Self::user_verification`] set to
     /// [`UserVerificationRequirement::Required`] and [`Self::timeout`] set to 5 minutes,
     ///
     /// Note `rp_id` _must_ be the same as the [`PublicKeyCredentialCreationOptions::rp_id`] when the
     /// credential was registered.
     ///
     /// # Examples
     ///
     /// ```
     /// # use webauthn_rp::request::{auth::PublicKeyCredentialRequestOptions, AsciiDomain, RpId, UserVerificationRequirement};
     /// assert!(matches!(
     ///     PublicKeyCredentialRequestOptions::passkey(&RpId::Domain(AsciiDomain::try_from("example.com".to_owned())?)).user_verification,
     ///     UserVerificationRequirement::Required
     /// ));
     /// # Ok::<_, webauthn_rp::AggErr>(())
     /// ```
     #[expect(single_use_lifetimes, reason = "false positive")]
     #[inline]
     #[must_use]
     pub fn passkey<'a: 'rp_id>(rp_id: &'a RpId) -> Self {
         Self {
             challenge: Challenge::new(),
             timeout: THREE_HUNDRED_THOUSAND,
             rp_id,
             user_verification: UserVerificationRequirement::Required,
             hints: Hint::None,
             extensions: Extension::default(),
         }
     }
     /// Creates a `PublicKeyCredentialRequestOptions` with [`Self::user_verification`] set to
     /// [`UserVerificationRequirement::Discouraged`] and [`Self::timeout`] set to 5 minutes.
     ///
     /// Note `rp_id` _must_ be the same as the [`PublicKeyCredentialCreationOptions::rp_id`] when the
     /// credentials were registered.
     ///
     /// # Examples
     ///
     /// ```
     /// # use webauthn_rp::request::{auth::PublicKeyCredentialRequestOptions, AsciiDomain, RpId, UserVerificationRequirement};
     /// assert!(matches!(
     ///     PublicKeyCredentialRequestOptions::second_factor(&RpId::Domain(AsciiDomain::try_from("example.com".to_owned())?)).user_verification,
     ///     UserVerificationRequirement::Discouraged
     /// ));
     /// # Ok::<_, webauthn_rp::AggErr>(())
     /// ```
     #[expect(single_use_lifetimes, reason = "false positive")]
     #[inline]
     #[must_use]
     pub fn second_factor<'a: 'rp_id>(rp_id: &'a RpId) -> Self {
         let mut opts = Self::passkey(rp_id);
         opts.user_verification = UserVerificationRequirement::Discouraged;
         opts
     }
 }
 /// Container of a [`DiscoverableCredentialRequestOptions`] that has been used to start the authentication ceremony.
 /// This gets sent to the client ASAP.
 #[derive(Debug)]
 pub struct DiscoverableAuthenticationClientState<'rp_id, 'prf_first, 'prf_second>(
     DiscoverableCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second>,
 );
 impl<'rp_id, 'prf_first, 'prf_second>
     DiscoverableAuthenticationClientState<'rp_id, 'prf_first, 'prf_second>
 {
     /// Returns the `DiscoverableCredentialRequestOptions` that was used to start an authentication ceremony.
     #[inline]
     #[must_use]
     pub const fn options(
         &self,
     ) -> &DiscoverableCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second> {
         &self.0
     }
 }
 /// Container of a [`NonDiscoverableCredentialRequestOptions`] that has been used to start the authentication
 /// ceremony. This gets sent to the client ASAP.
 #[derive(Debug)]
 pub struct NonDiscoverableAuthenticationClientState<'rp_id, 'prf_first, 'prf_second>(
     NonDiscoverableCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second>,
 );
 impl<'rp_id, 'prf_first, 'prf_second>
     NonDiscoverableAuthenticationClientState<'rp_id, 'prf_first, 'prf_second>
 {
     /// Returns the `NonDiscoverableCredentialRequestOptions` that was used to start an authentication ceremony.
     #[inline]
     #[must_use]
     pub const fn options(
         &self,
     ) -> &NonDiscoverableCredentialRequestOptions<'rp_id, 'prf_first, 'prf_second> {
         &self.0
     }
 }
 /// The possible combinations of an [`AuthenticatedCredential`]'s [`StaticState`]'s
 /// `extensions.hmac_secret` and `client_extension_results.prf`.
 ///
 /// Note we ensure in `crate::verify_static_and_dynamic_state` that `hmac_secret` does not exist when
 /// `prf` does not exist, `hmac_secret` does not exist or is `false` when `prf` is `false`, or
 /// `hmac_secret` does not exist or is `true` when `prf` is `true`.
 #[derive(Clone, Copy)]
 enum CredPrf {
     /// No `prf` or `hmac_secret`.
     None,
     /// `prf.enabled` is `false` but there is no `hmac_secret`.
     FalseNoHmac,
     /// `prf.enabled` and `hmac_secret` are `false`.
     FalseFalseHmac,
     /// `prf.enabled` is `true` but there is no `hmac_secret`.
     TrueNoHmac,
     /// `prf.enabled` and `hmac_secret` are `true`.
     TrueTrueHmac,
 }
 impl CredPrf {
     /// Returns `true` iff `self` is allowed to have an `HmacSecret` response.
     ///
     /// Note many authenticators allow PRF to be used during authentication even when not requested during
     /// registration even for authenticators (e.g., CTAP-based ones) that implement PRF on top of the `hmac-secret`
     /// extension; thus we allow `Self::None` and `Self::TrueNoHmac`.
     const fn is_prf_capable(self) -> bool {
         matches!(self, Self::None | Self::TrueNoHmac | Self::TrueTrueHmac)
     }
 }
 /// `PrfInput` and `PrfInputOwned` without the actual data sent to reduce memory usage when storing
 /// [`DiscoverableAuthenticationServerState`] in an in-memory collection.
 #[derive(Clone, Copy, Debug)]
 enum ServerPrfInfo {
     /// No `PrfInput`.
     None,
     /// `PrfInput::second` was `None`.
     One(ExtensionReq),
     /// `PrfInput::second` was `Some`.
     Two(ExtensionReq),
 }
 impl ServerPrfInfo {
     /// Validates `val` based on the passed arguments.
     ///
     /// It's not possible to request the PRF extension without sending `UserVerificationRequirement::Required`;
     /// thus `user_verified` will always be `true` when sending PRF; otherwise ceremony validation will error.
     /// However when we _don't_ send the PRF extension _and_ we don't error on an unsolicited response, it's
     /// possible to receive an `HmacSecret` without the user having been verified; thus we only ensure
     /// `user_verified` is true when we don't error on unsolicted responses _and_ we didn't send the PRF extension.
     const fn validate(
         self,
         user_verified: bool,
         cred_prf: CredPrf,
         hmac: HmacSecret,
         err_unsolicited: bool,
     ) -> Result<(), ExtensionErr> {
         match hmac {
             HmacSecret::None => match self {
                 Self::None => Ok(()),
                 Self::One(req) | Self::Two(req) => {
                     if matches!(req, ExtensionReq::Allow) {
                         if cred_prf.is_prf_capable() {
                             Ok(())
                         } else {
                             Err(ExtensionErr::PrfRequestedForPrfIncapableCred)
                         }
                     } else {
                         match cred_prf {
                             CredPrf::None | CredPrf::TrueNoHmac => Ok(()),
                             CredPrf::FalseNoHmac | CredPrf::FalseFalseHmac => {
                                 Err(ExtensionErr::PrfRequestedForPrfIncapableCred)
                             }
                             CredPrf::TrueTrueHmac => Err(ExtensionErr::MissingHmacSecret),
                         }
                     }
                 }
             },
             HmacSecret::One => match self {
                 Self::None => {
                     if err_unsolicited {
                         Err(ExtensionErr::ForbiddenHmacSecret)
                     } else if cred_prf.is_prf_capable() {
                         if user_verified {
                             Ok(())
                         } else {
                             Err(ExtensionErr::UserNotVerifiedHmacSecret)
                         }
                     } else {
                         Err(ExtensionErr::PrfRequestedForPrfIncapableCred)
                     }
                 }
                 Self::One(_) => {
                     if cred_prf.is_prf_capable() {
                         Ok(())
                     } else {
                         Err(ExtensionErr::PrfRequestedForPrfIncapableCred)
                     }
                 }
                 Self::Two(_) => Err(ExtensionErr::InvalidHmacSecretValue(
                     OneOrTwo::Two,
                     OneOrTwo::One,
                 )),
             },
             HmacSecret::Two => match self {
                 Self::None => {
                     if err_unsolicited {
                         Err(ExtensionErr::ForbiddenHmacSecret)
                     } else if cred_prf.is_prf_capable() {
                         if user_verified {
                             Ok(())
                         } else {
                             Err(ExtensionErr::UserNotVerifiedHmacSecret)
                         }
                     } else {
                         Err(ExtensionErr::PrfRequestedForPrfIncapableCred)
                     }
                 }
                 Self::One(_) => Err(ExtensionErr::InvalidHmacSecretValue(
                     OneOrTwo::One,
                     OneOrTwo::Two,
                 )),
                 Self::Two(_) => {
                     if cred_prf.is_prf_capable() {
                         Ok(())
                     } else {
                         Err(ExtensionErr::PrfRequestedForPrfIncapableCred)
                     }
                 }
             },
         }
     }
 }
 #[cfg(test)]
 impl PartialEq for ServerPrfInfo {
     fn eq(&self, other: &Self) -> bool {
         match *self {
             Self::None => matches!(*other, Self::None),
             Self::One(req) => matches!(*other, Self::One(req2) if req == req2),
             Self::Two(req) => matches!(*other, Self::Two(req2) if req == req2),
         }
     }
 }
 impl From<Option<(PrfInput<'_, '_>, ExtensionReq)>> for ServerPrfInfo {
     fn from(value: Option<(PrfInput<'_, '_>, ExtensionReq)>) -> Self {
         value.map_or(Self::None, |val| {
             val.0
                 .second
                 .map_or_else(|| Self::One(val.1), |_| Self::Two(val.1))
         })
     }
 }
 impl From<&PrfInputOwned> for ServerPrfInfo {
     fn from(value: &PrfInputOwned) -> Self {
         value
             .second
             .as_ref()
             .map_or_else(|| Self::One(value.ext_req), |_| Self::Two(value.ext_req))
     }
 }
 /// `Extension` without the actual data sent to reduce memory usage when storing [`AuthenticationServerState`]
 /// in an in-memory collection.
 #[derive(Clone, Copy, Debug)]
 struct ServerExtensionInfo {
     /// `Extension::prf`.
     prf: ServerPrfInfo,
 }
 impl From<Extension<'_, '_>> for ServerExtensionInfo {
     fn from(value: Extension<'_, '_>) -> Self {
         Self {
             prf: value.prf.into(),
         }
     }
 }
 #[cfg(test)]
 impl PartialEq for ServerExtensionInfo {
     fn eq(&self, other: &Self) -> bool {
         self.prf == other.prf
     }
 }
 /// `CredentialSpecificExtension` without the actual data sent to reduce memory usage when storing [`AuthenticationServerState`]
 /// in an in-memory collection.
 #[derive(Clone, Copy, Debug)]
 struct ServerCredSpecificExtensionInfo {
     /// `CredentialSpecificExtension::prf`.
     prf: ServerPrfInfo,
 }
 #[cfg(test)]
 impl PartialEq for ServerCredSpecificExtensionInfo {
     fn eq(&self, other: &Self) -> bool {
         self.prf == other.prf
     }
 }
 impl From<&CredentialSpecificExtension> for ServerCredSpecificExtensionInfo {
     fn from(value: &CredentialSpecificExtension) -> Self {
         Self {
             prf: value
                 .prf
                 .as_ref()
                 .map_or(ServerPrfInfo::None, ServerPrfInfo::from),
         }
     }
 }
 impl ServerExtensionInfo {
     /// Validates the extensions.
     ///
     /// Note that this MUST only be called internally by `auth::validate_extensions`.
     const fn validate_extensions(
         self,
         user_verified: bool,
         auth_ext: AuthenticatorExtensionOutput,
         error_unsolicited: bool,
         cred_prf: CredPrf,
     ) -> Result<(), ExtensionErr> {
         ServerPrfInfo::validate(
             self.prf,
             user_verified,
             cred_prf,
             auth_ext.hmac_secret,
             error_unsolicited,
         )
     }
 }
 /// Validates the extensions.
 fn validate_extensions(
     ext: ServerExtensionInfo,
     user_verified: bool,
     cred_ext: Option<ServerCredSpecificExtensionInfo>,
     auth_ext: AuthenticatorExtensionOutput,
     error_unsolicited: bool,
     cred_prf: CredPrf,
 ) -> Result<(), ExtensionErr> {
     cred_ext.map_or_else(
         || {
             // No credental-specific extensions, so we can simply focus on `ext`.
             ext.validate_extensions(user_verified, auth_ext, error_unsolicited, cred_prf)
         },
         |c_ext| {
             // Must carefully process each extension based on overlap and which gets priority over the other.
             if matches!(c_ext.prf, ServerPrfInfo::None) {
                 ext.prf.validate(
                     user_verified,
                     cred_prf,
                     auth_ext.hmac_secret,
                     error_unsolicited,
                 )
             } else {
                 c_ext.prf.validate(
                     user_verified,
                     cred_prf,
                     auth_ext.hmac_secret,
                     error_unsolicited,
                 )
             }
         },
     )
 }
 /// [`AllowedCredential`] with less data to reduce memory usage when storing [`AuthenticationServerState`]
 /// in an in-memory collection.
 #[derive(Debug)]
 struct CredInfo {
     /// The Credential ID.
     id: CredentialId<Vec<u8>>,
     /// Any credential-specific extensions.
     ext: ServerCredSpecificExtensionInfo,
 }
 #[cfg(test)]
 impl PartialEq for CredInfo {
     fn eq(&self, other: &Self) -> bool {
         self.id == other.id && self.ext == other.ext
     }
 }
 /// Controls how to handle a change in [`DynamicState::authenticator_attachment`].
 ///
 /// Note when `DynamicState::authenticator_attachment` is [`AuthenticatorAttachment::None`], then it will
 /// be updated regardless. Similarly when [`Authentication::authenticator_attachment`] is
 /// `AuthenticatorAttachment::None`, it will never update `DynamicState::authenticator_attachment`.
 #[derive(Clone, Copy, Debug)]
 pub enum AuthenticatorAttachmentEnforcement {
     /// Fail the authentication ceremony if [`AuthenticatorAttachment`] is not the same.
     ///
     /// The contained `bool` represents if `AuthenticatorAttachment` must be sent.
     Fail(bool),
     /// Update [`DynamicState::authenticator_attachment`] to the sent [`AuthenticatorAttachment`].
     ///
     /// The contained `bool` represents if `AuthenticatorAttachment` must be sent.
     Update(bool),
     /// Do not update [`DynamicState::authenticator_attachment`] to the sent [`AuthenticatorAttachment`].
     ///
     /// The contained `bool` represents if `AuthenticatorAttachment` must be sent.
     Ignore(bool),
 }
 impl AuthenticatorAttachmentEnforcement {
     /// Validates `cur` based on `self` and `prev`.
     const fn validate(
         self,
         prev: AuthenticatorAttachment,
         cur: AuthenticatorAttachment,
     ) -> Result<AuthenticatorAttachment, AuthCeremonyErr> {
         match cur {
             AuthenticatorAttachment::None => match self {
                 Self::Fail(require) | Self::Update(require) | Self::Ignore(require) => {
                     if require {
                         Err(AuthCeremonyErr::MissingAuthenticatorAttachment)
                     } else {
                         // We don't overwrite the previous one with [`AuthenticatorAttachment::None`].
                         Ok(prev)
                     }
                 }
             },
             AuthenticatorAttachment::Platform => match self {
                 Self::Fail(_) => {
                     if matches!(prev, AuthenticatorAttachment::CrossPlatform) {
                         Err(AuthCeremonyErr::AuthenticatorAttachmentMismatch)
                     } else {
                         // We don't fail when we previously had [`AuthenticatorAttachment::None`].
                         Ok(cur)
                     }
                 }
                 Self::Update(_) => Ok(cur),
                 Self::Ignore(_) => {
                     if matches!(prev, AuthenticatorAttachment::None) {
                         // We overwrite the previous one when it is [`AuthenticatorAttachment::None`].
                         Ok(cur)
                     } else {
                         Ok(prev)
                     }
                 }
             },
             AuthenticatorAttachment::CrossPlatform => match self {
                 Self::Fail(_) => {
                     if matches!(prev, AuthenticatorAttachment::Platform) {
                         Err(AuthCeremonyErr::AuthenticatorAttachmentMismatch)
                     } else {
                         // We don't fail when we previously had [`AuthenticatorAttachment::None`].
                         Ok(cur)
                     }
                 }
                 Self::Update(_) => Ok(cur),
                 Self::Ignore(_) => {
                     if matches!(prev, AuthenticatorAttachment::None) {
                         // We overwrite the previous one when it is [`AuthenticatorAttachment::None`].
                         Ok(cur)
                     } else {
                         Ok(prev)
                     }
                 }
             },
         }
     }
 }
 impl Default for AuthenticatorAttachmentEnforcement {
     /// Returns [`Self::Ignore`] containing `false`.
     #[inline]
     fn default() -> Self {
         Self::Ignore(false)
     }
 }
 /// Additional verification options to perform in [`DiscoverableAuthenticationServerState::verify`] and
 /// [`NonDiscoverableAuthenticationServerState::verify`].
 #[derive(Clone, Copy, Debug)]
 pub struct AuthenticationVerificationOptions<'origins, 'top_origins, O, T> {
     /// Origins to use for [origin validation](https://www.w3.org/TR/webauthn-3/#sctn-validating-origin).
     ///
     /// When this is empty, the origin that will be used will be based on the [`RpId`] passed to
     /// [`DiscoverableAuthenticationServerState::verify`] or [`NonDiscoverableAuthenticationServerState::verify`].
     /// If [`RpId::Domain`] or [`RpId::StaticDomain`], then the [`DomainOrigin`] returned from passing
     /// [`AsciiDomain::as_ref`] and [`AsciiDomainStatic::as_str`] to [`DomainOrigin::new`] respectively will be
     /// used; otherwise the [`Url`] in [`RpId::Url`] will be used.
     pub allowed_origins: &'origins [O],
     /// [Top-level origins](https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-top-level-origin)
     /// to use for [origin validation](https://www.w3.org/TR/webauthn-3/#sctn-validating-origin).
     ///
     /// When this is `Some`, [`CollectedClientData::cross_origin`] is allowed to be `true`. When the contained
     /// `slice` is empty, [`CollectedClientData::top_origin`] must be `None`. When this is `None`,
     /// `CollectedClientData::cross_origin` must be `false` and `CollectedClientData::top_origin` must be `None`.
     pub allowed_top_origins: Option<&'top_origins [T]>,
     /// The required [`Backup`] state of the credential.
     ///
     /// Note that `None` is _not_ the same as `Some(BackupReq::None)` as the latter indicates that any [`Backup`]
     /// is allowed. This is rarely what you want; instead, `None` indicates that [`BackupReq::from`] applied to
     /// [`DynamicState::backup`] will be used in [`DiscoverableAuthenticationServerState::verify`] and
     /// [`NonDiscoverableAuthenticationServerState::verify`] and
     pub backup_requirement: Option<BackupReq>,
     /// Error when unsolicited extensions are sent back iff `true`.
     pub error_on_unsolicited_extensions: bool,
     /// Dictates what happens when [`Authentication::authenticator_attachment`] is not the same as
     /// [`DynamicState::authenticator_attachment`].
     pub auth_attachment_enforcement: AuthenticatorAttachmentEnforcement,
     /// [`DynamicState::user_verified`] will be set to `true` iff [`Flag::user_verified`] when `true`.
     pub update_uv: bool,
     /// Dictates what happens when [`AuthenticatorData::sign_count`] is not updated to a strictly greater value.
     pub sig_counter_enforcement: SignatureCounterEnforcement,
     /// [`CollectedClientData::from_client_data_json_relaxed`] is used to extract [`CollectedClientData`] iff `true`.
     #[cfg_attr(docsrs, doc(cfg(feature = "serde_relaxed")))]
     #[cfg(feature = "serde_relaxed")]
     pub client_data_json_relaxed: bool,
 }
 impl<O, T> AuthenticationVerificationOptions<'_, '_, O, T> {
     /// Returns `Self` such that [`Self::allowed_origins`] is empty, [`Self::allowed_top_origins`] is `None`,
     /// [`Self::backup_requirement`] is `None`, [`Self::error_on_unsolicited_extensions`] is `true`,
     /// [`Self::auth_attachment_enforcement`] is [`AuthenticatorAttachmentEnforcement::default`],
     /// [`Self::update_uv`] is `false`, [`Self::sig_counter_enforcement`] is
     /// [`SignatureCounterEnforcement::default`], and [`Self::client_data_json_relaxed`] is `true`.
     ///
     /// Note `O` and `T` should implement `PartialEq<Origin<'_>>` (e.g., `&str`).
     #[inline]
     #[must_use]
     pub const fn new() -> Self {
         Self {
             allowed_origins: [].as_slice(),
             allowed_top_origins: None,
             backup_requirement: None,
             error_on_unsolicited_extensions: true,
             auth_attachment_enforcement: AuthenticatorAttachmentEnforcement::Ignore(false),
             update_uv: false,
             sig_counter_enforcement: SignatureCounterEnforcement::Fail,
             #[cfg(feature = "serde_relaxed")]
             client_data_json_relaxed: true,
         }
     }
 }
 impl<O, T> Default for AuthenticationVerificationOptions<'_, '_, O, T> {
     /// Same as [`Self::new`].
     #[inline]
     fn default() -> Self {
         Self::new()
     }
 }
 // This is essentially the `DiscoverableCredentialRequestOptions` used to create it; however to reduce
 // memory usage, we remove all unnecessary data making an instance of this 48 bytes in size
 // `x86_64-unknown-linux-gnu` platforms.
 //
 /// State needed to be saved when beginning the authentication ceremony.
 ///
 /// Saves the necessary information associated with the [`DiscoverableCredentialRequestOptions`] used to create it
 /// via [`DiscoverableCredentialRequestOptions::start_ceremony`] so that authentication of a credential can be
 /// performed with [`Self::verify`].
 ///
 /// `DiscoverableAuthenticationServerState` implements [`Borrow`] of [`SentChallenge`]; thus to obtain the correct
 /// `DiscoverableAuthenticationServerState` associated with a [`DiscoverableAuthentication`], one should use its
 /// corresponding [`DiscoverableAuthentication::challenge`].
 #[derive(Debug)]
 pub struct DiscoverableAuthenticationServerState(AuthenticationServerState);
 impl DiscoverableAuthenticationServerState {
     /// Verifies `response` is valid based on `self` consuming `self` and updating `cred`. Returns `true`
     /// iff `cred` was mutated.
     ///
     /// `rp_id` MUST be the same as the [`PublicKeyCredentialRequestOptions::rp_id`] used when starting the
     /// ceremony.
     ///
     /// It is _essential_ to save [`AuthenticatedCredential::dynamic_state`] overwriting the original value iff `Ok(true)`
     /// is returned.
     ///
     /// # Errors
     ///
     /// Errors iff `response` is not valid according to the
     /// [authentication ceremony](https://www.w3.org/TR/webauthn-3/#sctn-verifying-assertion) or violates any
     /// of the settings in `options`.
     #[inline]
     pub fn verify<
         'a,
         const USER_LEN: usize,
         O: PartialEq<Origin<'a>>,
         T: PartialEq<Origin<'a>>,
         EdKey: AsRef<[u8]>,
         P256Key: AsRef<[u8]>,
         P384Key: AsRef<[u8]>,
         RsaKey: AsRef<[u8]>,
     >(
         self,
         rp_id: &RpId,
         response: &'a DiscoverableAuthentication<USER_LEN>,
         cred: &mut AuthenticatedCredential<
             '_,
             '_,
             USER_LEN,
             CompressedPubKey<EdKey, P256Key, P384Key, RsaKey>,
         >,
         options: &AuthenticationVerificationOptions<'_, '_, O, T>,
     ) -> Result<bool, AuthCeremonyErr> {
         // Step 6 item 2.
         if cred.user_id == response.response.user_handle() {
             // Step 6 item 2.
             if cred.id == response.raw_id {
                 self.0.verify(true, rp_id, response, cred, options, None)
             } else {
                 Err(AuthCeremonyErr::CredentialIdMismatch)
             }
         } else {
             Err(AuthCeremonyErr::UserHandleMismatch)
         }
     }
     #[cfg(all(test, feature = "custom", feature = "serializable_server_state"))]
     fn is_eq(&self, other: &Self) -> bool {
         self.0.is_eq(&other.0)
     }
 }
 // This is essentially the `NonDiscoverableCredentialRequestOptions` used to create it; however to reduce
 // memory usage, we remove all unnecessary data making an instance of this as small as 80 bytes in size on
 // `x86_64-unknown-linux-gnu` platforms. This does not include the size of each `CredInfo` which should exist
 // elsewhere on the heap but obviously contributes memory overall.
 /// State needed to be saved when beginning the authentication ceremony.
 ///
 /// Saves the necessary information associated with the [`NonDiscoverableCredentialRequestOptions`] used to create
 /// it via [`NonDiscoverableCredentialRequestOptions::start_ceremony`] so that authentication of a credential can be
 /// performed with [`Self::verify`].
 ///
 /// `NonDiscoverableAuthenticationServerState` implements [`Borrow`] of [`SentChallenge`]; thus to obtain the
 /// correct `NonDiscoverableAuthenticationServerState` associated with a [`NonDiscoverableAuthentication`], one
 /// should use its corresponding [`NonDiscoverableAuthentication::challenge`].
 #[derive(Debug)]
 pub struct NonDiscoverableAuthenticationServerState {
     /// Most server state.
     state: AuthenticationServerState,
     /// The set of credentials that are allowed.
     allow_credentials: Vec<CredInfo>,
 }
 impl NonDiscoverableAuthenticationServerState {
     /// Verifies `response` is valid based on `self` consuming `self` and updating `cred`. Returns `true`
     /// iff `cred` was mutated.
     ///
     /// `rp_id` MUST be the same as the [`PublicKeyCredentialRequestOptions::rp_id`] used when starting the
     /// ceremony.
     ///
     /// It is _essential_ to save [`AuthenticatedCredential::dynamic_state`] overwriting the original value iff `Ok(true)`
     /// is returned.
     ///
     /// # Errors
     ///
     /// Errors iff `response` is not valid according to the
     /// [authentication ceremony](https://www.w3.org/TR/webauthn-3/#sctn-verifying-assertion) or violates any
     /// of the settings in `options`.
     #[inline]
     pub fn verify<
         'a,
         const USER_LEN: usize,
         O: PartialEq<Origin<'a>>,
         T: PartialEq<Origin<'a>>,
         EdKey: AsRef<[u8]>,
         P256Key: AsRef<[u8]>,
         P384Key: AsRef<[u8]>,
         RsaKey: AsRef<[u8]>,
     >(
         self,
         rp_id: &RpId,
         response: &'a NonDiscoverableAuthentication<USER_LEN>,
         cred: &mut AuthenticatedCredential<
             '_,
             '_,
             USER_LEN,
             CompressedPubKey<EdKey, P256Key, P384Key, RsaKey>,
         >,
         options: &AuthenticationVerificationOptions<'_, '_, O, T>,
     ) -> Result<bool, AuthCeremonyErr> {
         response
             .response
             .user_handle()
             .as_ref()
             .map_or(Ok(()), |user| {
                 // Step 6 item 1.
                 if *user == cred.user_id() {
                     Ok(())
                 } else {
                     Err(AuthCeremonyErr::UserHandleMismatch)
                 }
             })
             .and_then(|()| {
                 self.allow_credentials
                     .iter()
                     // Step 5.
                     .find(|c| c.id == response.raw_id)
                     .ok_or(AuthCeremonyErr::NoMatchingAllowedCredential)
                     .and_then(|c| {
                         // Step 6 item 1.
                         if c.id == cred.id {
                             self.state
                                 .verify(false, rp_id, response, cred, options, Some(c.ext))
                         } else {
                             Err(AuthCeremonyErr::CredentialIdMismatch)
                         }
                     })
             })
     }
     #[cfg(all(test, feature = "custom", feature = "serializable_server_state"))]
     fn is_eq(&self, other: &Self) -> bool {
         self.state.is_eq(&other.state) && self.allow_credentials == other.allow_credentials
     }
 }
 // This is essentially the `PublicKeyCredentialRequestOptions` used to create it; however to reduce
 // memory usage, we remove all unnecessary data making an instance of this 48 bytes in size on
 // `x86_64-unknown-linux-gnu` platforms.
 /// Shared state used by [`DiscoverableAuthenticationServerState`] and [`NonDiscoverableAuthenticationServerState`].
 #[derive(Debug)]
 struct AuthenticationServerState {
     // This is a `SentChallenge` since we need `AuthenticationServerState` to be fetchable after receiving the
     // response from the client. This response must obviously be constructable; thus its challenge is a
     // `SentChallenge`.
     //
     // This must never be mutated since we want to ensure it is actually a `Challenge` (which
     // can only be constructed via `Challenge::new`). This is guaranteed to be true iff
     // `serializable_server_state` is not enabled.
     /// [`challenge`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-challenge).
     challenge: SentChallenge,
     /// [`userVerification`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-userverification).
     user_verification: UserVerificationRequirement,
     /// [`extensions`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-extensions).
     extensions: ServerExtensionInfo,
     /// `Instant` the ceremony expires.
     #[cfg(not(feature = "serializable_server_state"))]
     expiration: Instant,
     /// `SystemTime` the ceremony expires.
     #[cfg(feature = "serializable_server_state")]
     expiration: SystemTime,
 }
 impl AuthenticationServerState {
     /// Verifies `response` is valid based on `self` consuming `self` and updating `cred`. Returns `true`
     /// iff `cred` was mutated.
     ///
     /// `rp_id` MUST be the same as the [`PublicKeyCredentialRequestOptions::rp_id`] used when starting the
     /// ceremony.
     ///
     /// It is _essential_ to save [`AuthenticatedCredential::dynamic_state`] overwriting the original value iff `Ok(true)`
     /// is returned.
     ///
     /// # Errors
     ///
     /// Errors iff `response` is not valid according to the
     /// [authentication ceremony](https://www.w3.org/TR/webauthn-3/#sctn-verifying-assertion) or violates any
     /// of the settings in `options`.
     fn verify<
         'a,
         const USER_LEN: usize,
         const DISCOVERABLE: bool,
         O: PartialEq<Origin<'a>>,
         T: PartialEq<Origin<'a>>,
         EdKey: AsRef<[u8]>,
         P256Key: AsRef<[u8]>,
         P384Key: AsRef<[u8]>,
         RsaKey: AsRef<[u8]>,
     >(
         self,
         discoverable: bool,
         rp_id: &RpId,
         response: &'a Authentication<USER_LEN, DISCOVERABLE>,
         cred: &mut AuthenticatedCredential<
             '_,
             '_,
             USER_LEN,
             CompressedPubKey<EdKey, P256Key, P384Key, RsaKey>,
         >,
         options: &AuthenticationVerificationOptions<'_, '_, O, T>,
         cred_ext: Option<ServerCredSpecificExtensionInfo>,
     ) -> Result<bool, AuthCeremonyErr> {
         // [Authentication ceremony](https://www.w3.org/TR/webauthn-3/#sctn-verifying-assertion)
         // is handled by:
         //
         // 1. Calling code.
         // 2. Client code and the construction of `resp` (hopefully via [`Authentication::deserialize`]).
         // 3. Client code and the construction of `resp` (hopefully via [`AuthenticatorAssertion::deserialize`]).
         // 4. Client code and the construction of `resp` (hopefully via [`ClientExtensionsOutputs::deserialize`]).
         // 5. [`NonDiscoverableAuthenticationServerState::verify`].
         // 6. [`DiscoverableAuthenticationServerState::verify`] and [`NonDiscoverableAuthenticationServerState::verify`].
         // 7. Informative only in that it defines variables.
         // 8. [`Self::partial_validate`].
         // 9. [`Self::partial_validate`].
         // 10. [`Self::partial_validate`].
         // 11. [`Self::partial_validate`].
         // 12. [`Self::partial_validate`].
         // 13. [`Self::partial_validate`].
         // 14. [`Self::partial_validate`].
         // 15. [`Self::partial_validate`].
         // 16. [`Self::partial_validate`].
         // 17. [`Self::partial_validate`].
         // 18. [`Self::partial_validate`].
         // 19. [`Self::partial_validate`].
         // 20. [`Self::partial_validate`].
         // 21. [`Self::partial_validate`].
         // 22. Below.
         // 23. Below.
         // 24. Below.
         // 25. Below.
 
         // Steps 8–21.
         self.partial_validate(
             rp_id,
             response,
             (&cred.static_state.credential_public_key).into(),
             &CeremonyOptions {
                 allowed_origins: options.allowed_origins,
                 allowed_top_origins: options.allowed_top_origins,
                 backup_requirement: options
                     .backup_requirement
                     .unwrap_or_else(|| BackupReq::from(cred.dynamic_state.backup)),
                 #[cfg(feature = "serde_relaxed")]
                 client_data_json_relaxed: options.client_data_json_relaxed,
             },
         )
         .map_err(AuthCeremonyErr::from)
         .and_then(|auth_data| {
             options
                 .auth_attachment_enforcement
                 .validate(
                     cred.dynamic_state.authenticator_attachment,
                     response.authenticator_attachment,
                 )
                 .and_then(|auth_attachment| {
                     let flags = auth_data.flags();
                     // Step 23.
                     validate_extensions(
                         self.extensions,
                         flags.user_verified,
                         cred_ext,
                         auth_data.extensions(),
                         options.error_on_unsolicited_extensions,
                         cred.static_state.client_extension_results.prf.map_or(
                             CredPrf::None,
                             |prf| {
                                 if prf.enabled {
                                     cred.static_state
                                         .extensions
                                         .hmac_secret
                                         .map_or(CredPrf::TrueNoHmac, |_| CredPrf::TrueTrueHmac)
                                 } else {
                                     cred.static_state
                                         .extensions
                                         .hmac_secret
                                         .map_or(CredPrf::FalseNoHmac, |_| CredPrf::FalseFalseHmac)
                                 }
                             },
                         ),
                     )
                     .map_err(AuthCeremonyErr::Extension)
                     .and_then(|()| {
                         // Step 22.
                         options
                             .sig_counter_enforcement
                             .validate(cred.dynamic_state.sign_count, auth_data.sign_count())
                             .and_then(|sig_counter| {
                                 let prev_dyn_state = cred.dynamic_state;
                                 // Step 24 item 2.
                                 cred.dynamic_state.backup = flags.backup;
                                 if options.update_uv && flags.user_verified {
                                     // Step 24 item 3.
                                     cred.dynamic_state.user_verified = true;
                                 }
                                 // Step 24 item 1.
                                 cred.dynamic_state.sign_count = sig_counter;
                                 cred.dynamic_state.authenticator_attachment = auth_attachment;
                                 // Step 25.
                                 if flags.user_verified {
                                     Ok(())
                                 } else {
                                     match cred.static_state.extensions.cred_protect {
                                         CredentialProtectionPolicy::None | CredentialProtectionPolicy::UserVerificationOptional => Ok(()),
                                         CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList => {
                                             if discoverable {
                                                 Err(AuthCeremonyErr::DiscoverableCredProtectCredentialIdList)
                                             } else {
                                                 Ok(())
                                             }
                                         }
                                         CredentialProtectionPolicy::UserVerificationRequired => {
                                             Err(AuthCeremonyErr::UserNotVerifiedCredProtectRequired)
                                         }
                                     }
                                 }.inspect_err(|_| {
                                     cred.dynamic_state = prev_dyn_state;
                                 }).map(|()| {
                                     prev_dyn_state != cred.dynamic_state
                                 })
                             })
                     })
                 })
         })
     }
     #[cfg(all(test, feature = "custom", feature = "serializable_server_state"))]
     fn is_eq(&self, other: &Self) -> bool {
         self.challenge == other.challenge
             && self.user_verification == other.user_verification
             && self.extensions == other.extensions
             && self.expiration == other.expiration
     }
 }
 impl TimedCeremony for AuthenticationServerState {
     #[cfg(any(doc, not(feature = "serializable_server_state")))]
     #[inline]
     fn expiration(&self) -> Instant {
         self.expiration
     }
     #[cfg(all(not(doc), feature = "serializable_server_state"))]
     #[inline]
     fn expiration(&self) -> SystemTime {
         self.expiration
     }
 }
 impl TimedCeremony for DiscoverableAuthenticationServerState {
     #[cfg(any(doc, not(feature = "serializable_server_state")))]
     #[inline]
     fn expiration(&self) -> Instant {
         self.0.expiration()
     }
     #[cfg(all(not(doc), feature = "serializable_server_state"))]
     #[inline]
     fn expiration(&self) -> SystemTime {
         self.0.expiration()
     }
 }
 impl TimedCeremony for NonDiscoverableAuthenticationServerState {
     #[cfg(any(doc, not(feature = "serializable_server_state")))]
     #[inline]
     fn expiration(&self) -> Instant {
         self.state.expiration()
     }
     #[cfg(all(not(doc), feature = "serializable_server_state"))]
     #[inline]
     fn expiration(&self) -> SystemTime {
         self.state.expiration()
     }
 }
 impl<const USER_LEN: usize, const DISCOVERABLE: bool> Ceremony<USER_LEN, DISCOVERABLE>
     for AuthenticationServerState
 {
     type R = Authentication<USER_LEN, DISCOVERABLE>;
     fn rand_challenge(&self) -> SentChallenge {
         self.challenge
     }
     #[cfg(not(feature = "serializable_server_state"))]
     fn expiry(&self) -> Instant {
         self.expiration
     }
     #[cfg(feature = "serializable_server_state")]
     fn expiry(&self) -> SystemTime {
         self.expiration
     }
     fn user_verification(&self) -> UserVerificationRequirement {
         self.user_verification
     }
 }
 impl Borrow<SentChallenge> for AuthenticationServerState {
     #[inline]
     fn borrow(&self) -> &SentChallenge {
         &self.challenge
     }
 }
 impl PartialEq for AuthenticationServerState {
     #[inline]
     fn eq(&self, other: &Self) -> bool {
         self.challenge == other.challenge
     }
 }
 impl PartialEq<&Self> for AuthenticationServerState {
     #[inline]
     fn eq(&self, other: &&Self) -> bool {
         *self == **other
     }
 }
 impl PartialEq<AuthenticationServerState> for &AuthenticationServerState {
     #[inline]
     fn eq(&self, other: &AuthenticationServerState) -> bool {
         **self == *other
     }
 }
 impl Eq for AuthenticationServerState {}
 impl Hash for AuthenticationServerState {
     #[inline]
     fn hash<H: Hasher>(&self, state: &mut H) {
         self.challenge.hash(state);
     }
 }
 impl PartialOrd for AuthenticationServerState {
     #[inline]
     fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
         Some(self.cmp(other))
     }
 }
 impl Ord for AuthenticationServerState {
     #[inline]
     fn cmp(&self, other: &Self) -> Ordering {
         self.challenge.cmp(&other.challenge)
     }
 }
 impl Borrow<SentChallenge> for DiscoverableAuthenticationServerState {
     #[inline]
     fn borrow(&self) -> &SentChallenge {
         self.0.borrow()
     }
 }
 impl PartialEq for DiscoverableAuthenticationServerState {
     #[inline]
     fn eq(&self, other: &Self) -> bool {
         self.0 == other.0
     }
 }
 impl PartialEq<&Self> for DiscoverableAuthenticationServerState {
     #[inline]
     fn eq(&self, other: &&Self) -> bool {
         self.0 == other.0
     }
 }
 impl PartialEq<DiscoverableAuthenticationServerState> for &DiscoverableAuthenticationServerState {
     #[inline]
     fn eq(&self, other: &DiscoverableAuthenticationServerState) -> bool {
         self.0 == other.0
     }
 }
 impl Eq for DiscoverableAuthenticationServerState {}
 impl Hash for DiscoverableAuthenticationServerState {
     #[inline]
     fn hash<H: Hasher>(&self, state: &mut H) {
         self.0.hash(state);
     }
 }
 impl PartialOrd for DiscoverableAuthenticationServerState {
     #[inline]
     fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
         Some(self.cmp(other))
     }
 }
 impl Ord for DiscoverableAuthenticationServerState {
     #[inline]
     fn cmp(&self, other: &Self) -> Ordering {
         self.0.cmp(&other.0)
     }
 }
 impl Borrow<SentChallenge> for NonDiscoverableAuthenticationServerState {
     #[inline]
     fn borrow(&self) -> &SentChallenge {
         self.state.borrow()
     }
 }
 impl PartialEq for NonDiscoverableAuthenticationServerState {
     #[inline]
     fn eq(&self, other: &Self) -> bool {
         self.state == other.state
     }
 }
 impl PartialEq<&Self> for NonDiscoverableAuthenticationServerState {
     #[inline]
     fn eq(&self, other: &&Self) -> bool {
         self.state == other.state
     }
 }
 impl PartialEq<NonDiscoverableAuthenticationServerState>
     for &NonDiscoverableAuthenticationServerState
 {
     #[inline]
     fn eq(&self, other: &NonDiscoverableAuthenticationServerState) -> bool {
         self.state == other.state
     }
 }
 impl Eq for NonDiscoverableAuthenticationServerState {}
 impl Hash for NonDiscoverableAuthenticationServerState {
     #[inline]
     fn hash<H: Hasher>(&self, state: &mut H) {
         self.state.hash(state);
     }
 }
 impl PartialOrd for NonDiscoverableAuthenticationServerState {
     #[inline]
     fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
         Some(self.cmp(other))
     }
 }
 impl Ord for NonDiscoverableAuthenticationServerState {
     #[inline]
     fn cmp(&self, other: &Self) -> Ordering {
         self.state.cmp(&other.state)
     }
 }
 #[cfg(test)]
 mod tests {
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     use super::{
         super::super::{
             AuthenticatedCredential, DynamicState, StaticState, UserHandle,
             response::{
                 Backup,
                 auth::{DiscoverableAuthenticatorAssertion, HmacSecret},
                 register::{
                     AuthenticationExtensionsPrfOutputs, AuthenticatorExtensionOutputStaticState,
                     ClientExtensionsOutputsStaticState, CredentialProtectionPolicy, Ed25519PubKey,
                 },
             },
         },
         AuthCeremonyErr, AuthenticationVerificationOptions, AuthenticatorAttachment,
         AuthenticatorAttachmentEnforcement, CompressedPubKey, DiscoverableAuthentication,
         ExtensionErr, OneOrTwo, PrfInput, SignatureCounterEnforcement,
     };
     #[cfg(all(
         feature = "custom",
         any(
             feature = "serializable_server_state",
             not(any(feature = "bin", feature = "serde"))
         )
     ))]
     use super::{
         super::{super::AggErr, Challenge, CredentialId, RpId, UserVerificationRequirement},
         DiscoverableCredentialRequestOptions, ExtensionReq,
     };
     #[cfg(all(feature = "custom", feature = "serializable_server_state"))]
     use super::{
         super::{
             super::bin::{Decode as _, Encode as _},
             AsciiDomain, AuthTransports,
         },
         AllowedCredential, AllowedCredentials, CredentialSpecificExtension, Credentials as _,
         DiscoverableAuthenticationServerState, Extension, NonDiscoverableAuthenticationServerState,
         NonDiscoverableCredentialRequestOptions, PrfInputOwned, PublicKeyCredentialDescriptor,
     };
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     use ed25519_dalek::{Signer as _, SigningKey};
     #[cfg(all(
         feature = "custom",
         any(
             feature = "serializable_server_state",
             not(any(feature = "bin", feature = "serde"))
         )
     ))]
     use rsa::sha2::{Digest as _, Sha256};
     #[cfg(all(
         feature = "custom",
         any(
             feature = "serializable_server_state",
             not(any(feature = "bin", feature = "serde"))
         )
     ))]
     const CBOR_BYTES: u8 = 0b010_00000;
     #[cfg(all(
         feature = "custom",
         any(
             feature = "serializable_server_state",
             not(any(feature = "bin", feature = "serde"))
         )
     ))]
     const CBOR_TEXT: u8 = 0b011_00000;
     #[cfg(all(
         feature = "custom",
         any(
             feature = "serializable_server_state",
             not(any(feature = "bin", feature = "serde"))
         )
     ))]
     const CBOR_MAP: u8 = 0b101_00000;
     #[test]
     #[cfg(all(feature = "custom", feature = "serializable_server_state"))]
     fn eddsa_auth_ser() -> Result<(), AggErr> {
         let rp_id = RpId::Domain(AsciiDomain::try_from("example.com".to_owned())?);
         let mut creds = AllowedCredentials::with_capacity(1);
         _ = creds.push(AllowedCredential {
             credential: PublicKeyCredentialDescriptor {
                 id: CredentialId::try_from(vec![0; 16])?,
                 transports: AuthTransports::NONE,
             },
             extension: CredentialSpecificExtension {
                 prf: Some(PrfInputOwned {
                     first: Vec::new(),
                     second: Some(Vec::new()),
                     ext_req: ExtensionReq::Require,
                 }),
             },
         });
         let mut opts = NonDiscoverableCredentialRequestOptions::second_factor(&rp_id, creds)?;
         opts.options.user_verification = UserVerificationRequirement::Required;
         opts.options.challenge = Challenge(0);
         opts.options.extensions = Extension { prf: None };
         let client_data_json = br#"{"type":"webauthn.get","challenge":"AAAAAAAAAAAAAAAAAAAAAA","origin":"https://example.com","crossOrigin":false}"#.to_vec();
         // We over-allocate by 32 bytes. See [`AuthenticatorAssertion::new`] for more information.
         let mut authenticator_data = Vec::with_capacity(164);
         authenticator_data.extend_from_slice(
             [
                 // rpIdHash.
                 // This will be overwritten later.
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 // flags.
                 // UP, UV, and ED (right-to-left).
                 0b1000_0101,
                 // signCount.
                 // 0 as 32-bit big endian.
                 0,
                 0,
                 0,
                 0,
                 CBOR_MAP | 1,
                 CBOR_TEXT | 11,
                 b'h',
                 b'm',
                 b'a',
                 b'c',
                 b'-',
                 b's',
                 b'e',
                 b'c',
                 b'r',
                 b'e',
                 b't',
                 CBOR_BYTES | 24,
                 // Length is 80.
                 80,
                 // Two HMAC outputs concatenated and encrypted.
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
             ]
             .as_slice(),
         );
         authenticator_data[..32]
             .copy_from_slice(Sha256::digest(rp_id.as_ref().as_bytes()).as_slice());
         authenticator_data
             .extend_from_slice(Sha256::digest(client_data_json.as_slice()).as_slice());
         authenticator_data.truncate(132);
         let server = opts.start_ceremony()?.0;
         assert!(
             server.is_eq(&NonDiscoverableAuthenticationServerState::decode(
                 server.encode()?.as_slice()
             )?)
         );
         let mut opts_2 = DiscoverableCredentialRequestOptions::passkey(&rp_id);
         opts_2.public_key.challenge = Challenge(0);
         opts_2.public_key.extensions = Extension { prf: None };
         let server_2 = opts_2.start_ceremony()?.0;
         assert!(
             server_2.is_eq(&DiscoverableAuthenticationServerState::decode(
                 server_2
                     .encode()
                     .map_err(AggErr::EncodeDiscoverableAuthenticationServerState)?
                     .as_slice()
             )?)
         );
         Ok(())
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[derive(Clone, Copy)]
     struct TestResponseOptions {
         user_verified: bool,
         hmac: HmacSecret,
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[derive(Clone, Copy)]
     enum PrfCredOptions {
         None,
         FalseNoHmac,
         FalseHmacFalse,
         TrueNoHmac,
         TrueHmacTrue,
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[derive(Clone, Copy)]
     struct TestCredOptions {
         cred_protect: CredentialProtectionPolicy,
         prf: PrfCredOptions,
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[derive(Clone, Copy)]
     enum PrfUvOptions {
         /// `true` iff `UserVerificationRequirement::Required` should be used; otherwise
         /// `UserVerificationRequirement::Preferred` is used.
         None(bool),
         Prf((PrfInput<'static, 'static>, ExtensionReq)),
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[derive(Clone, Copy)]
     struct TestRequestOptions {
         error_unsolicited: bool,
         prf_uv: PrfUvOptions,
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[derive(Clone, Copy)]
     struct TestOptions {
         request: TestRequestOptions,
         response: TestResponseOptions,
         cred: TestCredOptions,
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     fn generate_client_data_json() -> Vec<u8> {
         let mut json = Vec::with_capacity(256);
         json.extend_from_slice(br#"{"type":"webauthn.get","challenge":"AAAAAAAAAAAAAAAAAAAAAA","origin":"https://example.com","crossOrigin":false}"#.as_slice());
         json
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     fn generate_authenticator_data_public_key_sig(
         opts: TestResponseOptions,
     ) -> (
         Vec<u8>,
         CompressedPubKey<[u8; 32], [u8; 32], [u8; 48], Vec<u8>>,
         Vec<u8>,
     ) {
         let mut authenticator_data = Vec::with_capacity(256);
         authenticator_data.extend_from_slice(
             [
                 // RP ID HASH.
                 // This will be overwritten later.
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 0,
                 // FLAGS.
                 // UP, UV, AT, and ED (right-to-left).
                 0b0000_0001
                     | if opts.user_verified {
                         0b0000_0100
                     } else {
                         0b0000_0000
                     }
                     | if matches!(opts.hmac, HmacSecret::None) {
                         0
                     } else {
                         0b1000_0000
                     },
                 // COUNTER.
                 // 0 as 32-bit big endian.
                 0,
                 0,
                 0,
                 0,
             ]
             .as_slice(),
         );
         authenticator_data[..32]
             .copy_from_slice(Sha256::digest("example.com".as_bytes()).as_slice());
         match opts.hmac {
             HmacSecret::None => {}
             HmacSecret::One => {
                 authenticator_data.extend_from_slice(
                     [
                         CBOR_MAP | 1,
                         // CBOR text of length 11.
                         CBOR_TEXT | 11,
                         b'h',
                         b'm',
                         b'a',
                         b'c',
                         b'-',
                         b's',
                         b'e',
                         b'c',
                         b'r',
                         b'e',
                         b't',
                         CBOR_BYTES | 24,
                         48,
                     ]
                     .as_slice(),
                 );
                 authenticator_data.extend_from_slice([0; 48].as_slice());
             }
             HmacSecret::Two => {
                 authenticator_data.extend_from_slice(
                     [
                         CBOR_MAP | 1,
                         // CBOR text of length 11.
                         CBOR_TEXT | 11,
                         b'h',
                         b'm',
                         b'a',
                         b'c',
                         b'-',
                         b's',
                         b'e',
                         b'c',
                         b'r',
                         b'e',
                         b't',
                         CBOR_BYTES | 24,
                         80,
                     ]
                     .as_slice(),
                 );
                 authenticator_data.extend_from_slice([0; 80].as_slice());
             }
         }
         let len = authenticator_data.len();
         authenticator_data
             .extend_from_slice(Sha256::digest(generate_client_data_json().as_slice()).as_slice());
         let sig_key = SigningKey::from_bytes(&[0; 32]);
         let sig = sig_key.sign(authenticator_data.as_slice()).to_vec();
         authenticator_data.truncate(len);
         (
             authenticator_data,
             CompressedPubKey::Ed25519(Ed25519PubKey::from(sig_key.verifying_key().to_bytes())),
             sig,
         )
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     fn validate(options: TestOptions) -> Result<(), AggErr> {
         let rp_id = RpId::Domain("example.com".to_owned().try_into()?);
         let user = UserHandle::from([0; 1]);
         let (authenticator_data, credential_public_key, signature) =
             generate_authenticator_data_public_key_sig(options.response);
         let credential_id = CredentialId::try_from(vec![0; 16])?;
         let authentication = DiscoverableAuthentication::new(
             credential_id.clone(),
             DiscoverableAuthenticatorAssertion::new(
                 generate_client_data_json(),
                 authenticator_data,
                 signature,
                 user,
             ),
             AuthenticatorAttachment::None,
         );
         let auth_opts = AuthenticationVerificationOptions::<'static, 'static, &str, &str> {
             allowed_origins: [].as_slice(),
             allowed_top_origins: None,
             auth_attachment_enforcement: AuthenticatorAttachmentEnforcement::Update(false),
             backup_requirement: None,
             error_on_unsolicited_extensions: options.request.error_unsolicited,
             sig_counter_enforcement: SignatureCounterEnforcement::Fail,
             update_uv: false,
             #[cfg(feature = "serde_relaxed")]
             client_data_json_relaxed: false,
         };
         let mut opts = DiscoverableCredentialRequestOptions::passkey(&rp_id);
         opts.public_key.challenge = Challenge(0);
         opts.public_key.user_verification = UserVerificationRequirement::Preferred;
         match options.request.prf_uv {
             PrfUvOptions::None(required) => {
                 if required {
                     opts.public_key.user_verification = UserVerificationRequirement::Required;
                 };
             }
             PrfUvOptions::Prf(input) => {
                 opts.public_key.user_verification = UserVerificationRequirement::Required;
                 opts.public_key.extensions.prf = Some(input);
             }
         }
         let mut cred = AuthenticatedCredential::new(
             (&credential_id).into(),
             &user,
             StaticState {
                 credential_public_key,
                 extensions: AuthenticatorExtensionOutputStaticState {
                     cred_protect: options.cred.cred_protect,
                     hmac_secret: match options.cred.prf {
                         PrfCredOptions::None
                         | PrfCredOptions::FalseNoHmac
                         | PrfCredOptions::TrueNoHmac => None,
                         PrfCredOptions::FalseHmacFalse => Some(false),
                         PrfCredOptions::TrueHmacTrue => Some(true),
                     },
                 },
                 client_extension_results: ClientExtensionsOutputsStaticState {
                     prf: match options.cred.prf {
                         PrfCredOptions::None => None,
                         PrfCredOptions::FalseNoHmac | PrfCredOptions::FalseHmacFalse => {
                             Some(AuthenticationExtensionsPrfOutputs { enabled: false })
                         }
                         PrfCredOptions::TrueNoHmac | PrfCredOptions::TrueHmacTrue => {
                             Some(AuthenticationExtensionsPrfOutputs { enabled: true })
                         }
                     },
                 },
             },
             DynamicState {
                 user_verified: true,
                 backup: Backup::NotEligible,
                 sign_count: 0,
                 authenticator_attachment: AuthenticatorAttachment::None,
             },
         )?;
         opts.start_ceremony()?
             .0
             .verify(&rp_id, &authentication, &mut cred, &auth_opts)
             .map_err(AggErr::AuthCeremony)
             .map(|_| ())
     }
     /// Test all, and only, possible `UserNotVerified` errors.
     /// 4 * 5 * 3 * 2 * 5 = 600 tests.
     /// We ignore this due to how long it takes (around 4 seconds or so).
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[ignore]
     #[test]
     fn test_uv_required_err() {
         const ALL_CRED_PROTECT_OPTIONS: [CredentialProtectionPolicy; 4] = [
             CredentialProtectionPolicy::None,
             CredentialProtectionPolicy::UserVerificationOptional,
             CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList,
             CredentialProtectionPolicy::UserVerificationRequired,
         ];
         const ALL_PRF_CRED_OPTIONS: [PrfCredOptions; 5] = [
             PrfCredOptions::None,
             PrfCredOptions::FalseNoHmac,
             PrfCredOptions::FalseHmacFalse,
             PrfCredOptions::TrueNoHmac,
             PrfCredOptions::TrueHmacTrue,
         ];
         const ALL_HMAC_OPTIONS: [HmacSecret; 3] =
             [HmacSecret::None, HmacSecret::One, HmacSecret::Two];
         const ALL_UNSOLICIT_OPTIONS: [bool; 2] = [false, true];
         const ALL_NOT_FALSE_PRF_UV_OPTIONS: [PrfUvOptions; 5] = [
             PrfUvOptions::None(true),
             PrfUvOptions::Prf((
                 PrfInput {
                     first: [].as_slice(),
                     second: None,
                 },
                 ExtensionReq::Require,
             )),
             PrfUvOptions::Prf((
                 PrfInput {
                     first: [].as_slice(),
                     second: None,
                 },
                 ExtensionReq::Allow,
             )),
             PrfUvOptions::Prf((
                 PrfInput {
                     first: [].as_slice(),
                     second: Some([].as_slice()),
                 },
                 ExtensionReq::Require,
             )),
             PrfUvOptions::Prf((
                 PrfInput {
                     first: [].as_slice(),
                     second: Some([].as_slice()),
                 },
                 ExtensionReq::Allow,
             )),
         ];
         for cred_protect in ALL_CRED_PROTECT_OPTIONS {
             for prf in ALL_PRF_CRED_OPTIONS {
                 for hmac in ALL_HMAC_OPTIONS {
                     for error_unsolicited in ALL_UNSOLICIT_OPTIONS {
                         for prf_uv in ALL_NOT_FALSE_PRF_UV_OPTIONS {
                             assert!(validate(TestOptions {
                                 request: TestRequestOptions {
                                     error_unsolicited,
                                     prf_uv,
                                 },
                                 response: TestResponseOptions {
                                     user_verified: false,
                                     hmac,
                                 },
                                 cred: TestCredOptions { cred_protect, prf, },
                             }).map_or_else(|err| matches!(err, AggErr::AuthCeremony(auth_err) if matches!(auth_err, AuthCeremonyErr::UserNotVerified)), |_| false));
                         }
                     }
                 }
             }
         }
     }
     /// Test all, and only, possible `UserNotVerified` errors.
     /// 4 * 5 * 2 * 2 = 80 tests.
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[test]
     fn test_forbidden_hmac() {
         const ALL_CRED_PROTECT_OPTIONS: [CredentialProtectionPolicy; 4] = [
             CredentialProtectionPolicy::None,
             CredentialProtectionPolicy::UserVerificationOptional,
             CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList,
             CredentialProtectionPolicy::UserVerificationRequired,
         ];
         const ALL_PRF_CRED_OPTIONS: [PrfCredOptions; 5] = [
             PrfCredOptions::None,
             PrfCredOptions::FalseNoHmac,
             PrfCredOptions::FalseHmacFalse,
             PrfCredOptions::TrueNoHmac,
             PrfCredOptions::TrueHmacTrue,
         ];
         const ALL_HMAC_OPTIONS: [HmacSecret; 2] = [HmacSecret::One, HmacSecret::Two];
         const ALL_UV_OPTIONS: [bool; 2] = [false, true];
         for cred_protect in ALL_CRED_PROTECT_OPTIONS {
             for prf in ALL_PRF_CRED_OPTIONS {
                 for hmac in ALL_HMAC_OPTIONS {
                     for user_verified in ALL_UV_OPTIONS {
                         assert!(validate(TestOptions {
                             request: TestRequestOptions {
                                 error_unsolicited: true,
                                 prf_uv: PrfUvOptions::None(false),
                             },
                             response: TestResponseOptions {
                                 user_verified,
                                 hmac,
                             },
                             cred: TestCredOptions { cred_protect, prf, },
                         }).map_or_else(|err| matches!(err, AggErr::AuthCeremony(auth_err) if matches!(auth_err, AuthCeremonyErr::Extension(ext_err) if matches!(ext_err, ExtensionErr::ForbiddenHmacSecret))), |_| false));
                     }
                 }
             }
         }
     }
     #[cfg(all(feature = "custom", not(any(feature = "bin", feature = "serde"))))]
     #[test]
     fn test_prf() -> Result<(), AggErr> {
         let mut opts = TestOptions {
             request: TestRequestOptions {
                 error_unsolicited: false,
                 prf_uv: PrfUvOptions::Prf((
                     PrfInput {
                         first: [].as_slice(),
                         second: None,
                     },
                     ExtensionReq::Allow,
                 )),
             },
             response: TestResponseOptions {
                 user_verified: true,
                 hmac: HmacSecret::None,
             },
             cred: TestCredOptions {
                 cred_protect: CredentialProtectionPolicy::None,
                 prf: PrfCredOptions::None,
             },
         };
         validate(opts)?;
         opts.request.prf_uv = PrfUvOptions::Prf((
             PrfInput {
                 first: [].as_slice(),
                 second: None,
             },
             ExtensionReq::Require,
         ));
         opts.cred.prf = PrfCredOptions::TrueHmacTrue;
         assert!(validate(opts).map_or_else(|e| matches!(e, AggErr::AuthCeremony(auth_err) if matches!(auth_err, AuthCeremonyErr::Extension(ext_err) if matches!(ext_err, ExtensionErr::MissingHmacSecret))), |_| false));
         opts.response.hmac = HmacSecret::One;
         opts.request.prf_uv = PrfUvOptions::Prf((
             PrfInput {
                 first: [].as_slice(),
                 second: None,
             },
             ExtensionReq::Allow,
         ));
         opts.cred.prf = PrfCredOptions::TrueNoHmac;
         validate(opts)?;
         opts.response.hmac = HmacSecret::Two;
         assert!(validate(opts).map_or_else(|e| matches!(e, AggErr::AuthCeremony(auth_err) if matches!(auth_err, AuthCeremonyErr::Extension(ext_err) if matches!(ext_err, ExtensionErr::InvalidHmacSecretValue(OneOrTwo::One, OneOrTwo::Two)))), |_| false));
         opts.response.hmac = HmacSecret::One;
         opts.cred.prf = PrfCredOptions::FalseNoHmac;
         assert!(validate(opts).map_or_else(|e| matches!(e, AggErr::AuthCeremony(auth_err) if matches!(auth_err, AuthCeremonyErr::Extension(ext_err) if matches!(ext_err, ExtensionErr::PrfRequestedForPrfIncapableCred))), |_| false));
         opts.response.user_verified = false;
         opts.request.prf_uv = PrfUvOptions::None(false);
         opts.cred.prf = PrfCredOptions::TrueHmacTrue;
         assert!(validate(opts).map_or_else(|e| matches!(e, AggErr::AuthCeremony(auth_err) if matches!(auth_err, AuthCeremonyErr::Extension(ext_err) if matches!(ext_err, ExtensionErr::UserNotVerifiedHmacSecret))), |_| false));
         Ok(())
     }
 }