Version 3 (#42)

- Data model improvements
- Password manager export parsers

Author: MichaelGrafnetter

.github/README.md

@@ -27,11 +27,11 @@ The [DSInternals.Passkeys](https://www.powershellgallery.com/packages/DSInternal
 
 See [Yubico's blog](https://www.yubico.com/blog/microsoft-strengthens-phishing-resistant-security-for-entra-id-with-fido2-provisioning-apis/) for more details on the API.
 
-## FIDO2 UI
+## Passkey UI
 
-The project also contains a simple Windows GUI tool called `FIDO2 UI`, which is built on top of the `DSInternals.Win32.WebAuthn` library:
+The project also contains a simple Windows GUI tool called `Passkey UI`, which is built on top of the `DSInternals.Win32.WebAuthn` library:
 
-![FIDO2 UI Screenshot](../Documentation/Screenshots/fido2_ui.png)
+![Passkey UI Screenshot](../Documentation/Screenshots/fido2_ui.png)
 
 The only purpose of this tool is to demonstrate the usage of the WebAuthn API.
 
@@ -42,7 +42,7 @@ The only purpose of this tool is to demonstrate the usage of the WebAuthn API.
 [![NuGet Gallery Downloads](https://img.shields.io/nuget/dt/DSInternals.Win32.WebAuthn.svg?label=NuGet%20Gallery%20Downloads&logo=NuGet)](https://www.nuget.org/packages/DSInternals.Win32.WebAuthn/)
 
 - The `DSInternals.Passkeys` PowerShell module is published in the [PowerShell Gallery](https://www.powershellgallery.com/packages/DSInternals.Passkeys).
-- The latest version of the `FIDO2 UI` can be downloaded from the [Releases section](https://github.com/MichaelGrafnetter/webauthn-interop/releases/latest).
+- The latest version of the `Passkey UI` can be downloaded from the [Releases section](https://github.com/MichaelGrafnetter/webauthn-interop/releases/latest).
 - The `DSInternals.Win32.WebAuthn` library is published in the [NuGet Gallery](https://www.nuget.org/packages/DSInternals.Win32.WebAuthn/).
 
 ## .NET API Usage

Documentation/CHANGELOG.md

@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file. The format
 
 ## [Unreleased]
 
+## [3.0] - 2026-05-07
+
+### Added
+
+- Added Credential Exchange Format (CXF) parsing.
+- Added Bitwarden vault export support, covering both encrypted and cleartext exports.
+- Added KeePassXC passkey export parsing.
+- Added a software authenticator with Ed25519 signing for offline testing without a physical authenticator.
+- Added User Verification Method (UVM), Secure Payment Confirmation (SPC), PRF, Large Blob, Credential Properties, and Remote Desktop client override extension models.
+
+### Changed
+
+- Modernized the `WebAuthnApi` surface, including async cancellation handling and clearer marshaling of assertion/attestation options structs.
+
 ## [2.1.1] - 2026-04-05
 
 ### Fixed
@@ -93,7 +107,9 @@ This is a bugfix release. Huge thanks to @aseigler for reporting and fixing the
 
 - Initial version
 
-[Unreleased]: https://github.com/MichaelGrafnetter/webauthn-interop/compare/v2.1...HEAD
+[Unreleased]: https://github.com/MichaelGrafnetter/webauthn-interop/compare/v3.0...HEAD
+[3.0]: https://github.com/MichaelGrafnetter/webauthn-interop/compare/v2.1.1...v3.0
+[2.1.1]: https://github.com/MichaelGrafnetter/webauthn-interop/compare/v2.1...v2.1.1
 [2.1]: https://github.com/MichaelGrafnetter/webauthn-interop/compare/v2.0...v2.1
 [2.0]: https://github.com/MichaelGrafnetter/webauthn-interop/compare/v1.0.6...v2.0
 [1.0.6]: https://github.com/MichaelGrafnetter/webauthn-interop/compare/v1.0.5...v1.0.6

Src/DSInternals.Passkeys/DSInternals.Passkeys.psd1

@@ -8,7 +8,7 @@
 RootModule = 'DSInternals.Passkeys.psm1'
 
 # Version number of this module.
-ModuleVersion = '2.1.1'
+ModuleVersion = '3.0.0'
 
 # Supported PSEditions
 CompatiblePSEditions = @('Desktop','Core')
@@ -196,7 +196,7 @@ PrivateData = @{
 
         # ReleaseNotes of this module
         ReleaseNotes = @'
-- Fixed CredentialId and AuthenticatorId properties not being displayed as Base64Url strings in the output of Get-PasskeyWindowsHello and Get-PasskeyAuthenticator cmdlets.
+- TODO
 '@
 
         # Prerelease string of this module

Src/DSInternals.Passkeys/DSInternals.Passkeys.psm1

@@ -514,7 +514,7 @@ function New-Passkey
 
     try {
         [DSInternals.Win32.WebAuthn.WebAuthnApi] $api = [DSInternals.Win32.WebAuthn.WebAuthnApi]::new()
-        [DSInternals.Win32.WebAuthn.PublicKeyCredential] $credential = $api.AuthenticatorMakeCredential($Options.PublicKeyOptions)
+        [DSInternals.Win32.WebAuthn.AttestationPublicKeyCredential] $credential = $api.AuthenticatorMakeCredential($Options.PublicKeyOptions)
 
         switch ($Options.GetType()) {
             ([DSInternals.Win32.WebAuthn.EntraID.MicrosoftGraphWebauthnCredentialCreationOptions]) {
@@ -594,7 +594,7 @@ Tests a passkey with a hint that a security key should be used.
 #>
 function Test-Passkey
 {
-    [OutputType([DSInternals.Win32.WebAuthn.PublicKeyCredential])]
+    [OutputType([DSInternals.Win32.WebAuthn.AssertionPublicKeyCredential])]
     [CmdletBinding()]
     param(
         [Parameter(Mandatory = $true)]
@@ -620,7 +620,7 @@ function Test-Passkey
 
         [Parameter(Mandatory = $false)]
         [Alias("AuthenticatorType", "CredentialHint", "PublicKeyCredentialHint")]
-        [DSInternals.Win32.WebAuthn.PublicKeyCredentialHint] $Hint
+        [DSInternals.Win32.WebAuthn.PublicKeyCredentialHint] $Hint = [DSInternals.Win32.WebAuthn.PublicKeyCredentialHint]::None
     )
 
     try {
@@ -642,6 +642,9 @@ function Test-Passkey
 
         [DSInternals.Win32.WebAuthn.WebAuthnApi] $api = [DSInternals.Win32.WebAuthn.WebAuthnApi]::new()
 
+        [string] $credentialHint = [DSInternals.Win32.WebAuthn.PublicKeyCredentialHintExtensions]::ToJsonString($Hint)
+        [string[]] $credentialHints = if (![string]::IsNullOrEmpty($credentialHint)) { @($credentialHint) } else { $null }
+
         $response = $api.AuthenticatorGetAssertion(
             $RelyingPartyId,
             $challengeBytes,
@@ -650,14 +653,12 @@ function Test-Passkey
             $timeoutMilliseconds,
             $allowCredentials,
             $null,  # extensions
-            [DSInternals.Win32.WebAuthn.CredentialLargeBlobOperation]::None,
-            $null,  # largeBlob
             $false, # browserInPrivateMode
             $null,  # linkedDevice
             $false, # autoFill
-            $Hint,  # credentialHints
-            $null,  # remoteWebOrigin
+            $credentialHints,
             $null,  # authenticatorId
+            $null,  # remoteWebOrigin
             $null,  # publicKeyCredentialRequestOptionsJson
             [DSInternals.Win32.WebAuthn.WindowHandle]::ForegroundWindow
         )

Src/DSInternals.Win32.WebAuthn.Adapter.Tests/WebAuthnApiAdapterTester.cs

@@ -79,7 +79,7 @@ public void WebAuthN_MakeCredential_MSAccount()
             );
 
             var webauthn = new WebAuthnApiAdapter();
-            var response = webauthn.AuthenticatorMakeCredential(options);
+            var response = RunInteractiveWebAuthnTest(() => webauthn.AuthenticatorMakeCredential(options));
 
             Assert.IsNotNull(response);
         }
@@ -126,7 +126,7 @@ public void WebAuthN_GetAssertion_MSAccount_CredentialList()
             );
 
             var webauthn = new WebAuthnApiAdapter();
-            var response = webauthn.AuthenticatorGetAssertion(options);
+            var response = RunInteractiveWebAuthnTest(() => webauthn.AuthenticatorGetAssertion(options));
 
             Assert.IsNotNull(response);
         }
@@ -153,7 +153,8 @@ public void WebAuthN_GetAssertion_MSAccount_Usernameless()
                 );
 
             var webauthn = new WebAuthnApiAdapter();
-            var response = webauthn.AuthenticatorGetAssertion(options, Fido2NetLib.Objects.AuthenticatorAttachment.Platform);
+            var response = RunInteractiveWebAuthnTest(() =>
+                webauthn.AuthenticatorGetAssertion(options, Fido2NetLib.Objects.AuthenticatorAttachment.Platform));
 
             Assert.IsNotNull(response);
         }
@@ -184,5 +185,22 @@ public void WebAuthN_GetAssertion_Cancel()
             Assert.ThrowsExactly<OperationCanceledException>(() =>
                 webauthn.AuthenticatorGetAssertionAsync(options, null, source.Token).GetAwaiter().GetResult());
         }
+
+        [System.Diagnostics.CodeAnalysis.SuppressMessage("MSTest.Analyzers", "MSTEST0025", Justification = "Uses AssertInconclusiveException when interactive WebAuthn UI is unavailable.")]
+        private static T RunInteractiveWebAuthnTest<T>(Func<T> action)
+        {
+            try
+            {
+                return action();
+            }
+            catch (Exception ex) when (IsInteractiveWebAuthnUnavailable(ex))
+            {
+                throw new AssertInconclusiveException("Interactive WebAuthn UI is unavailable or was cancelled in this test environment.", ex);
+            }
+        }
+
+        private static bool IsInteractiveWebAuthnUnavailable(Exception ex) =>
+            ex is UnauthorizedAccessException or OperationCanceledException or System.ComponentModel.Win32Exception
+            || ex.InnerException is System.ComponentModel.Win32Exception { NativeErrorCode: 5 or 1223 };
     }
 }

Src/DSInternals.Win32.WebAuthn.Adapter.Tests/packages.lock.json

@@ -49,6 +49,11 @@
         "resolved": "9.18.0",
         "contentHash": "jlgewzgbgEFIoplbpdWNPKo/+R9ELej0iL1sdKrVeMzQ0aZCvRCdi/X/4AjRaBqkXoDTWFrOjgVXRukZYSVO+w=="
       },
+      "libsodium": {
+        "type": "Transitive",
+        "resolved": "1.0.20.1",
+        "contentHash": "pkiceEqJDQFHjbga3k/oPfTVX9g+GKJZ1VrkuiLhaymt9YNw1Dr7cX9hNuZuNaWcr9WD0moW55k4pMwzQ7JaZQ=="
+      },
       "Microsoft.ApplicationInsights": {
         "type": "Transitive",
         "resolved": "2.23.0",
@@ -170,6 +175,7 @@
           "Microsoft.Bcl.Memory": "[10.0.5, )",
           "Microsoft.Identity.Client": "[4.80.0, )",
           "Microsoft.NET.ILLink.Tasks": "[10.0.3, )",
+          "NSec.Cryptography": "[25.4.0, )",
           "System.Diagnostics.EventLog": "[9.0.3, )",
           "System.Formats.Cbor": "[9.0.3, )",
           "System.IdentityModel.Tokens.Jwt": "[8.15.0, )"
@@ -178,7 +184,7 @@
       "dsinternals.win32.webauthn.adapter": {
         "type": "Project",
         "dependencies": {
-          "DSInternals.Win32.WebAuthn": "[2.0.0, )",
+          "DSInternals.Win32.WebAuthn": "[2.1.0, )",
           "Fido2.Models": "[4.0.0, )",
           "Microsoft.Bcl.Memory": "[10.0.5, )"
         }
@@ -213,6 +219,15 @@
         "resolved": "10.0.3",
         "contentHash": "0B6nZyCHWXnvmlB559oduOspVdNOnpNXPjhpWVMovLPAsDVG7A4jJR9rzECf67JUzxP8/ee/wA8clwIzJcWNFA=="
       },
+      "NSec.Cryptography": {
+        "type": "CentralTransitive",
+        "requested": "[25.4.0, )",
+        "resolved": "25.4.0",
+        "contentHash": "Z3wPpG0xefMLmhn9T+Ka/EzAmMQPT0THL/5E4lf9cXI/N9rbGH0G23ZFpRcPnD0ast2k7ieG6QSVNIjmfPCXBQ==",
+        "dependencies": {
+          "libsodium": "[1.0.20.1, 1.0.21)"
+        }
+      },
       "System.Diagnostics.EventLog": {
         "type": "CentralTransitive",
         "requested": "[9.0.3, )",

Src/DSInternals.Win32.WebAuthn.Adapter/DSInternals.Win32.WebAuthn.Adapter.csproj

@@ -6,12 +6,12 @@
     <PackageId>DSInternals.Win32.WebAuthn.Adapter</PackageId>
     <Product>WebAuthn Interop Assembly Adapter</Product>
     <Title>WebAuthn Interop Assembly Adapter</Title>
-    <Version>2.1.0</Version>
-    <AssemblyVersion>2.1.0</AssemblyVersion>
-    <ProductVersion>2.1.0</ProductVersion>
-    <FileVersion>2.1.0</FileVersion>
+    <Version>3.0.0</Version>
+    <AssemblyVersion>3.0.0</AssemblyVersion>
+    <ProductVersion>3.0.0</ProductVersion>
+    <FileVersion>3.0.0</FileVersion>
     <Description>Bridge between Fido2.Models and DSInternals.Win32.WebAuthn packages</Description>
-    <PackageReleaseNotes>- Updated DSInternals.Win32.WebAuthn dependency to 2.1.0.</PackageReleaseNotes>
+    <PackageReleaseNotes>- Updated DSInternals.Win32.WebAuthn dependency to 3.0.0 and aligned with the new API surface.</PackageReleaseNotes>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)'=='Release'">

Src/DSInternals.Win32.WebAuthn.Adapter/packages.lock.json

@@ -23,6 +23,11 @@
         "resolved": "9.18.0",
         "contentHash": "jlgewzgbgEFIoplbpdWNPKo/+R9ELej0iL1sdKrVeMzQ0aZCvRCdi/X/4AjRaBqkXoDTWFrOjgVXRukZYSVO+w=="
       },
+      "libsodium": {
+        "type": "Transitive",
+        "resolved": "1.0.20.1",
+        "contentHash": "pkiceEqJDQFHjbga3k/oPfTVX9g+GKJZ1VrkuiLhaymt9YNw1Dr7cX9hNuZuNaWcr9WD0moW55k4pMwzQ7JaZQ=="
+      },
       "Microsoft.Extensions.DependencyInjection.Abstractions": {
         "type": "Transitive",
         "resolved": "10.0.0",
@@ -72,6 +77,7 @@
           "Microsoft.Bcl.Memory": "[10.0.5, )",
           "Microsoft.Identity.Client": "[4.80.0, )",
           "Microsoft.NET.ILLink.Tasks": "[10.0.3, )",
+          "NSec.Cryptography": "[25.4.0, )",
           "System.Diagnostics.EventLog": "[9.0.3, )",
           "System.Formats.Cbor": "[9.0.3, )",
           "System.IdentityModel.Tokens.Jwt": "[8.15.0, )"
@@ -92,6 +98,15 @@
         "resolved": "10.0.3",
         "contentHash": "0B6nZyCHWXnvmlB559oduOspVdNOnpNXPjhpWVMovLPAsDVG7A4jJR9rzECf67JUzxP8/ee/wA8clwIzJcWNFA=="
       },
+      "NSec.Cryptography": {
+        "type": "CentralTransitive",
+        "requested": "[25.4.0, )",
+        "resolved": "25.4.0",
+        "contentHash": "Z3wPpG0xefMLmhn9T+Ka/EzAmMQPT0THL/5E4lf9cXI/N9rbGH0G23ZFpRcPnD0ast2k7ieG6QSVNIjmfPCXBQ==",
+        "dependencies": {
+          "libsodium": "[1.0.20.1, 1.0.21)"
+        }
+      },
       "System.Diagnostics.EventLog": {
         "type": "CentralTransitive",
         "requested": "[9.0.3, )",