using System.Runtime.Serialization;
namespace Fido2NetLib;
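/// <summary>
/// Relying-party (RP) settings consumed by the library: the RP identity
/// (<see cref="ServerDomain"/>, <see cref="ServerName"/>, <see cref="ServerIcon"/>),
/// the set of trusted <see cref="Origins"/>, ceremony parameters (<see cref="Timeout"/>,
/// <see cref="ChallengeSize"/>, <see cref="TimestampDriftTolerance"/>), metadata-service
/// settings and the policy applied to backup-eligible / backed-up credentials.
/// </summary>
/// <remarks>
/// Nothing in this class validates that <see cref="ServerDomain"/> agrees with the hosts
/// listed in <see cref="Origins"/>; that check, if any, happens elsewhere. Misconfiguring
/// these two values (too broad an origin list, or an RP ID that does not match the
/// deployed host) is the main security foot-gun here, so review them together.
/// </remarks>
public class Fido2Configuration
{
    // Origins exactly as supplied by the caller. The reference (and therefore the
    // caller's comparer) is kept; the set is not copied.
    private IReadOnlySet<string> _origins;

    // Normalized form of _origins. Computed only inside the Origins setter, so it goes
    // stale if the caller mutates the set it handed in.
    private IReadOnlySet<string> _fullyQualifiedOrigins;

    /// <summary>
    /// Create the configuration for Fido2. Every property keeps its documented default
    /// until the caller assigns it.
    /// </summary>
    public Fido2Configuration()
    {
    }

    /// <summary>
    /// Time, in milliseconds, that the caller is willing to wait for the ceremony to
    /// complete. This is only a hint to the client and MAY be overridden by it.
    /// Default: 60000 (60 seconds).
    /// </summary>
    public uint Timeout { get; set; } = 60000;

    /// <summary>
    /// Clock drift, in milliseconds, tolerated on a timestamped attestation.
    /// Default: 0, i.e. no tolerance at all.
    /// </summary>
    /// <remarks>
    /// NOTE(review): a zero tolerance is unlikely to work in practice (original author's
    /// comment said the same); a better default is still an open question.
    /// </remarks>
    public int TimestampDriftTolerance { get; set; } = 0;

    /// <summary>
    /// Size of the challenge sent to the client. Default: 16.
    /// </summary>
    /// <remarks>
    /// The unit is not stated here; presumably bytes — confirm against the challenge
    /// generator. A challenge that is short or predictable undermines replay protection,
    /// so do not lower this below the default.
    /// </remarks>
    public int ChallengeSize { get; set; } = 16;

    /// <summary>
    /// The effective domain of the RP (its RP ID). Should be unique and will be used as
    /// the identity for the RP.
    /// </summary>
    /// <remarks>
    /// This class does not check that the value corresponds to the hosts in
    /// <see cref="Origins"/>; keep them consistent by hand.
    /// </remarks>
    public string ServerDomain { get; set; }

    /// <summary>
    /// A human-friendly name of the RP.
    /// </summary>
    public string ServerName { get; set; }

    /// <summary>
    /// A serialized URL which resolves to an image associated with the entity. For example, this could be a user’s avatar or a Relying Party's logo. This URL MUST be an a priori authenticated URL. Authenticators MUST accept and store a 128-byte minimum length for an icon member’s value. Authenticators MAY ignore an icon member’s value if its length is greater than 128 bytes. The URL’s scheme MAY be "data" to avoid fetches of the URL, at the cost of needing more storage.
    /// </summary>
    public string ServerIcon { get; set; }

    /// <summary>
    /// Server origins, including protocol, host and port (for example
    /// <c>https://login.example.com</c>). Reading before any assignment yields an empty set.
    /// </summary>
    /// <remarks>
    /// The supplied set is stored by reference, so its own comparer governs lookups on this
    /// property. Assigning also (re)computes <see cref="FullyQualifiedOrigins"/>; the two
    /// only diverge if the caller mutates the supplied set afterwards, so treat the set as
    /// frozen once it has been assigned. Keep the list as small as possible: every origin
    /// listed here is presumably accepted by the origin check at verification time.
    /// </remarks>
    /// <exception cref="ArgumentNullException">Thrown when assigned <c>null</c>.</exception>
    public IReadOnlySet<string> Origins
    {
        get => _origins ??= new HashSet<string>(0);
        set
        {
            // Fail fast with a meaningful parameter name instead of letting Select()
            // throw for a null "source".
            ArgumentNullException.ThrowIfNull(value);

            _origins = value;

            // Normalize each origin with the project's ToFullyQualifiedOrigin() helper
            // (defined elsewhere in Fido2NetLib) and compare the results ignoring case.
            _fullyQualifiedOrigins = new HashSet<string>(
                value.Select(origin => origin.ToFullyQualifiedOrigin()),
                StringComparer.OrdinalIgnoreCase);
        }
    }

    /// <summary>
    /// Fully qualified server origins, derived from <see cref="Origins"/> via
    /// <c>ToFullyQualifiedOrigin()</c> and compared with
    /// <see cref="StringComparer.OrdinalIgnoreCase"/>. Read-only: assign
    /// <see cref="Origins"/> to change it.
    /// </summary>
    public IReadOnlySet<string> FullyQualifiedOrigins
    {
        get
        {
            // Route through the Origins setter so both backing sets are initialized
            // together and stay consistent.
            if (_fullyQualifiedOrigins is null)
            {
                Origins = new HashSet<string>(0);
            }

            return _fullyQualifiedOrigins;
        }
    }

    /// <summary>
    /// Metadata service cache directory path.
    /// </summary>
    public string MDSCacheDirPath { get; set; }

    /// <summary>
    /// List of metadata statuses for an authenticator that should cause attestations to be
    /// rejected. By default: ATTESTATION_KEY_COMPROMISE, USER_VERIFICATION_BYPASS,
    /// USER_KEY_REMOTE_COMPROMISE, USER_KEY_PHYSICAL_COMPROMISE and REVOKED.
    /// </summary>
    /// <remarks>
    /// The array is mutable and publicly settable; replacing it with a shorter (or empty)
    /// list presumably admits authenticators with those statuses, so only narrow it
    /// deliberately.
    /// </remarks>
    public AuthenticatorStatus[] UndesiredAuthenticatorMetadataStatuses { get; set; } =
    [
        AuthenticatorStatus.ATTESTATION_KEY_COMPROMISE,
        AuthenticatorStatus.USER_VERIFICATION_BYPASS,
        AuthenticatorStatus.USER_KEY_REMOTE_COMPROMISE,
        AuthenticatorStatus.USER_KEY_PHYSICAL_COMPROMISE,
        AuthenticatorStatus.REVOKED
    ];

    /// <summary>
    /// Whether or not to accept a backup-eligible credential. Default: <see cref="CredentialBackupPolicy.Allowed"/>.
    /// </summary>
    public CredentialBackupPolicy BackupEligibleCredentialPolicy { get; set; } = CredentialBackupPolicy.Allowed;

    /// <summary>
    /// Whether or not to accept a credential that is currently backed up. Default: <see cref="CredentialBackupPolicy.Allowed"/>.
    /// </summary>
    public CredentialBackupPolicy BackedUpCredentialPolicy { get; set; } = CredentialBackupPolicy.Allowed;

    /// <summary>
    /// Policy the RP applies to a credential's backup-eligibility / backed-up flags.
    /// The <see cref="EnumMemberAttribute"/> values are the serialized names.
    /// </summary>
    public enum CredentialBackupPolicy
    {
        /// <summary>
        /// The Relying Party requires backup eligible or backed up credentials.
        /// </summary>
        [EnumMember(Value = "required")]
        Required,

        /// <summary>
        /// The Relying Party allows backup eligible or backed up credentials.
        /// </summary>
        [EnumMember(Value = "allowed")]
        Allowed,

        /// <summary>
        /// The Relying Party does not allow backup eligible or backed up credentials.
        /// </summary>
        [EnumMember(Value = "disallowed")]
        Disallowed
    }
}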