Package com.yubico.webauthn

Interface CredentialRecord

All Superinterfaces:

ToPublicKeyCredentialDescriptor

All Known Implementing Classes:

RegisteredCredential

@Deprecated
public interface CredentialRecord
extends ToPublicKeyCredentialDescriptor

Deprecated.

EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted before reaching a mature release.

An abstraction of properties of a stored WebAuthn credential.

See Also:

• Credential Record in Web Authentication Level 3 (Editor's Draft)

Method Summary

Modifier and Type	Method	Description
static ByteArray	cosePublicKeyFromEs256Raw(ByteArray es256RawKey)	Deprecated. Convert a credential public key from U2F format to COSE_Key format.
@NonNull ByteArray	getCredentialId()	Deprecated. EXPERIMENTAL: This is an experimental feature.
@NonNull ByteArray	getPublicKeyCose()	Deprecated. EXPERIMENTAL: This is an experimental feature.
long	getSignatureCount()	Deprecated. EXPERIMENTAL: This is an experimental feature.
Optional<Set<AuthenticatorTransport>>	getTransports()	Deprecated. EXPERIMENTAL: This is an experimental feature.
@NonNull ByteArray	getUserHandle()	Deprecated. EXPERIMENTAL: This is an experimental feature.
Optional<Boolean>	isBackedUp()	Deprecated. EXPERIMENTAL: This is an experimental feature.
Optional<Boolean>	isBackupEligible()	Deprecated. EXPERIMENTAL: This is an experimental feature.
default PublicKeyCredentialDescriptor	toPublicKeyCredentialDescriptor()	Deprecated. This default implementation of ToPublicKeyCredentialDescriptor.toPublicKeyCredentialDescriptor() sets the id field to the return value of getCredentialId() and the transports field to the return value of getTransports().

Method Details

getCredentialId

@Deprecated
@NonNull
@NonNull ByteArray getCredentialId()

Deprecated.

EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted before reaching a mature release.

The credential ID of the credential.

Implementations MUST NOT return null.

See Also:

• Credential ID
• RegistrationResult.getKeyId()
• PublicKeyCredentialDescriptor.getId()

getUserHandle

@Deprecated
@NonNull
@NonNull ByteArray getUserHandle()

Deprecated.

EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted before reaching a mature release.

The user handle of the user the credential is registered to.

Implementations MUST NOT return null.

See Also:

• User Handle
• UserIdentity.getId()

getPublicKeyCose

@Deprecated
@NonNull
@NonNull ByteArray getPublicKeyCose()

Deprecated.

EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted before reaching a mature release.

The credential public key encoded in COSE_Key format, as defined in Section 7 of RFC 8152.

This is used to verify the signature in authentication assertions.

If your database has credentials encoded in U2F (raw) format, you may need to use cosePublicKeyFromEs256Raw(ByteArray) to convert them before returning them in this method.

Implementations MUST NOT return null.

See Also:

• AttestedCredentialData.getCredentialPublicKey()
• RegistrationResult.getPublicKeyCose()

getSignatureCount

@Deprecated
long getSignatureCount()

Deprecated.

EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted before reaching a mature release.

The stored signature count of the credential.

This is used to validate the signature counter in authentication assertions.

See Also:

• §6.1. Authenticator Data
• AuthenticatorData.getSignatureCounter()
• AssertionResult.getSignatureCount()

getTransports

@Deprecated
Optional<Set<AuthenticatorTransport>> getTransports()

Deprecated.

EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted before reaching a mature release.

Transport hints as to how the client might communicate with the authenticator this credential is bound to.

Implementations SHOULD return the value returned by AuthenticatorAttestationResponse.getTransports() when the credential was created. That value SHOULD NOT be modified.

Implementations MUST NOT return null.

This is used to set PublicKeyCredentialDescriptor.getTransports() in excludeCredentials in RelyingParty.startRegistration(StartRegistrationOptions) and and allowCredentials in RelyingParty.startAssertion(StartAssertionOptions).

See Also:

• getTransports() in 5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)
• transports in 5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)
• AuthenticatorAttestationResponse.getTransports()
• PublicKeyCredentialDescriptor.getTransports()

isBackupEligible

@Deprecated
Optional<Boolean> isBackupEligible()

Deprecated.

EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted before reaching a mature release. EXPERIMENTAL: This feature is from a not yet mature standard; it could change as the standard matures.

The state of the BE flag when this credential was registered, if known.

If absent, it is not known whether or not this credential is backup eligible.

If present and true, the credential is backup eligible: it can be backed up in some way, most commonly by syncing the private key to a cloud account.

If present and false, the credential is not backup eligible: it cannot be backed up in any way.

CredentialRecord implementations SHOULD return the first known value returned by RegistrationResult.isBackupEligible() or AssertionResult.isBackupEligible(), if known. If unknown, CredentialRecord implementations SHOULD return Optional.empty().

Implementations MUST NOT return null.

isBackedUp

@Deprecated
Optional<Boolean> isBackedUp()

Deprecated.

EXPERIMENTAL: This is an experimental feature. It is likely to change or be deleted before reaching a mature release. EXPERIMENTAL: This feature is from a not yet mature standard; it could change as the standard matures.

The last known state of the BS flag for this credential, if known.

If absent, the backup state of the credential is not known.

If present and true, the credential is believed to be currently backed up.

If present and false, the credential is believed to not be currently backed up.

CredentialRecord implementations SHOULD return the most recent value returned by AssertionResult.isBackedUp() or RegistrationResult.isBackedUp(), if known. If unknown, CredentialRecord implementations SHOULD return Optional.empty().

Implementations MUST NOT return null.

toPublicKeyCredentialDescriptor

default PublicKeyCredentialDescriptor toPublicKeyCredentialDescriptor()

Deprecated.

This default implementation of ToPublicKeyCredentialDescriptor.toPublicKeyCredentialDescriptor() sets the id field to the return value of getCredentialId() and the transports field to the return value of getTransports().

Specified by:

toPublicKeyCredentialDescriptor in interface ToPublicKeyCredentialDescriptor

See Also:

• credential descriptor for a credential record in Web Authentication Level 3 (Editor's Draft)

cosePublicKeyFromEs256Raw

static ByteArray cosePublicKeyFromEs256Raw(ByteArray es256RawKey)

Deprecated.

Convert a credential public key from U2F format to COSE_Key format.

The U2F JavaScript API encoded credential public keys in ALG_KEY_ECC_X962_RAW format as specified in FIDO Registry §3.6.2 Public Key Representation Formats. If your database has credential public keys stored in this format, those public keys need to be converted to COSE_Key format before they can be used by a CredentialRecord instance. This function performs the conversion.

If your application has only used the navigator.credentials.create() API to register credentials, you likely do not need this function.

Parameters:

es256RawKey - a credential public key in ALG_KEY_ECC_X962_RAW format as specified in FIDO Registry §3.6.2 Public Key Representation Formats.

Returns:

a credential public key in COSE_Key format, suitable to be returned by getPublicKeyCose().

See Also:

• RegisteredCredential.RegisteredCredentialBuilder.publicKeyEs256Raw(ByteArray)