notes

webauthn-authenticator-rs/examples/authenticate.rs

@@ -162,6 +162,9 @@ impl CableOpt {
 pub struct Win10RdpOpt {
     #[clap(long)]
     pub test_mode: bool,
+
+    #[clap(long)]
+    pub device_list: bool,
 }
 
 
@@ -251,6 +254,13 @@ impl Provider {
                 if o.test_mode {
                     rdp.enable_test_mode();
                 }
+                if o.device_list {
+                    let devices = rdp.get_device_list().unwrap();
+                    info!("{} device(s) found:", devices.len());
+                    for device in devices {
+                        info!("  {device:?}");
+                    }
+                }
                 Box::new(rdp)
             }
         }

webauthn-authenticator-rs/src/win10/mod.rs

@@ -15,7 +15,33 @@
 //! 
 //! * [`Win10Rdp`][] (available with `--features win10-rdp`), which uses the
 //!   [WebAuthn Terminal Services Virtual Channel Protocol][rdpewa].
-//!   
+//!
+//! ## Useful registry keys:
+//! 
+//! * `HKCU\SOFTWARE\Microsoft\CtapTest`:
+//!   * `ClientPin` (SZ)
+//!   * `InvalidCount` (DWORD)
+//!   * `SignCount` (DWORD)
+//!   * `Credentials`:
+//!     * (hex credential ID)
+//!       * `containerName` (SZ)
+//!       * `createTime` (BINARY)
+//!       * `id` (SZ)
+//!       * `name` (SZ)
+//!       * `icon` (SZ)
+//!       * `displayName` (SZ)
+//! * `HKCU\SOFTWARE\Microsoft\Cryptograpdy\FIDO`:
+//!   * (paired hybrid devices)
+//!     * `Name`
+//!     * `Data`
+//! * `HKLM\SOFTWARE\Microsoft\Cryptography\FIDO`:
+//!   * `DebugMode` (DWORD)
+//!   * `WebAuthNTimeout` (DWORD)
+//! * `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{F8A1793B-7873-4046-B2A7-1F318747F427}\Test`:
+//!   * `SuppressPasskeyCreatedDialog` (DWORD)
+//! * `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`:
+//!   * `fDisableWebAuthn` (DWORD): disable remote redirection
+//! 
 //! [`AuthenticatorBackend`]: crate::AuthenticatorBackend
 //! [`Win10Rdp`]: rdp::Win10Rdp
 //! [rdpewa]: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpewa/68f2df2e-7c40-4a93-9bb0-517e4283a991

webauthn-authenticator-rs/src/win10/rdp/channel.rs

@@ -226,10 +226,11 @@ impl Connection {
     pub fn transcieve_cbor<'a, C, R>(
         &self,
         cmd: C,
+        cmd_id: u8,
         flags: u32,
         timeout_ms: u32,
         transaction_id: Uuid,
-        webauthn_para: WebauthnPara,
+        webauthn_para: Option<WebauthnPara>,
     ) -> Result<(ChannelResponse, Option<R>)>
     where
         C: CBORCommand<Response = R>,
@@ -240,14 +241,16 @@ impl Connection {
 
         // Parcel into a message
         let req = ChannelRequest {
-            command: 5,
+            command: cmd_id,
             flags,
             timeout_ms,
             transaction_id,
-            webauthn_para: Some(webauthn_para),
+            webauthn_para,
             request: Some(ByteBuf::from(cbor)),
+            filter_hybrid_transport: None,
         };
 
+        trace!(?req);
         let req = serde_cbor_2::to_vec(&req).map_err(|_| E_FAIL)?;
         let resp = self.transceive_raw(&req)?;
 

webauthn-authenticator-rs/src/win10/rdp/message.rs

@@ -17,10 +17,13 @@ pub struct ChannelRequest {
     pub webauthn_para: Option<WebauthnPara>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub request: Option<ByteBuf>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    /// Only supported on Windows 11 23H2
+    pub filter_hybrid_transport: Option<bool>,
 }
 
 /// <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpewa/508c6afe-166c-4b4b-8a1f-8604d0d95c10>
-#[derive(Deserialize, Serialize, Debug, Clone, PartialEq)]
+#[derive(Default, Deserialize, Serialize, Debug, Clone, PartialEq)]
 #[serde(rename_all = "camelCase")]
 pub struct WebauthnPara {
     pub wnd: isize,
@@ -41,7 +44,7 @@ pub struct ChannelResponse {
     pub device_info: Option<DeviceInfo>,
     pub status: u8,
     pub response: Option<ByteBuf>,
-    // TODO: deviceInfoList
+    pub device_info_list: Option<Vec<DeviceInfo>>,
 }
 
 /// <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpewa/ef4bafb6-0801-4c17-9238-99e3efdc0798>
@@ -84,6 +87,7 @@ pub const CMD_API_VERSION: ChannelRequest = ChannelRequest {
     timeout_ms: 0,
     transaction_id: Uuid::nil(),
     webauthn_para: None,
+    filter_hybrid_transport: None,
 };
 
 pub const CMD_IUVPA: ChannelRequest = ChannelRequest {
@@ -93,6 +97,7 @@ pub const CMD_IUVPA: ChannelRequest = ChannelRequest {
     timeout_ms: 0,
     transaction_id: Uuid::nil(),
     webauthn_para: None,
+    filter_hybrid_transport: None,
 };
 
 #[cfg(test)]

webauthn-authenticator-rs/src/win10/rdp/mod.rs

@@ -280,7 +280,14 @@ impl AuthenticatorBackendHashedClientData for Win10Rdp {
         };
 
         let (channel_response, ret) = c
-            .transcieve_cbor(mc, flags, timeout_ms, Uuid::nil(), webauthn_para)
+            .transcieve_cbor(
+                mc,
+                5,
+                flags,
+                timeout_ms,
+                Uuid::new_v4(),
+                Some(webauthn_para),
+            )
             .map_err(|_| WebauthnCError::Internal)?;
 
         drop(window);
@@ -395,7 +402,14 @@ impl AuthenticatorBackendHashedClientData for Win10Rdp {
         };
 
         let (channel_response, ret) = c
-            .transcieve_cbor(ga, flags, timeout_ms, Uuid::nil(), webauthn_para)
+            .transcieve_cbor(
+                ga,
+                5,
+                flags,
+                timeout_ms,
+                Uuid::new_v4(),
+                Some(webauthn_para),
+            )
             .map_err(|_| WebauthnCError::Internal)?;
 
         drop(window);