PIBIO_ENGINE_IDENTIFY_FEATURE_SET_SECURE_FN callback function (winbio_adapter.h)

Called by the Windows Biometric Framework to build a template from the current feature set and locate a matching template in the database. If a match can be found, the engine adapter must fill the Identity, SubFactor, Authorization, and AuthorizationSize fields.

Syntax

PIBIO_ENGINE_IDENTIFY_FEATURE_SET_SECURE_FN PibioEngineIdentifyFeatureSetSecureFn;

HRESULT PibioEngineIdentifyFeatureSetSecureFn(
  PWINBIO_PIPELINE Pipeline,
  const UCHAR *Nonce,
  SIZE_T NonceSize,
  const UCHAR *KeyIdentifier,
  SIZE_T KeyIdentifierSize,
  PWINBIO_IDENTITY Identity,
  PWINBIO_BIOMETRIC_SUBTYPE SubFactor,
  PWINBIO_REJECT_DETAIL RejectDetail,
  PUCHAR *Authorization,
  PSIZE_T AuthorizationSize
)
{...}

Parameters

Pipeline

Pointer to a WINBIO_PIPELINE structure associated with the biometric unit performing the operation.

Nonce

Pointer to a buffer that contains a nonce.

NonceSize

Size, in bytes, of the buffer specified by the Nonce parameter.

KeyIdentifier

Pointer to a buffer that contains an identifier for the key from a previous call to EngineAdapterCreateKey

KeyIdentifierSize

Size, in bytes, of the buffer specified by the KeyIdentifier parameter.

Identity

Pointer to a WINBIO_IDENTITY structure that contains the SID of the template recovered from the database. This value is returned only if a match is found.

SubFactor

RejectDetail

Pointer to a variable that receives additional information if a capture failure prevents the engine from performing a matching operation. If the most recent capture succeeded, set this parameter to zero.

Authorization

An HMAC. See remarks section.

AuthorizationSize

Size, in bytes, of the buffer specified by the Authorization parameter.

Return value

WINBIO_E_INVALID_KEY_IDENTIFIER must be returned in the case where the key cannot be used for whatever reason. When WINBIO_E_INVALID_KEY_IDENTIFIER is returned, the sensor and TPM will be re-provisioned.

Remarks

The Authorization buffer contains the following SHA256_HMAC:

SHA256_HMAC(Key, SHA256(Nonce || 0xffffffe2 || SHA256(AccountSid)))

  • Key

    Key is the HMAC key passed in by EngineAdapterCreateKey, and identified by the KeyIdentifier parameter.

  • Nonce

    Nonce is the Nonce parameter.

  • 0xffffffe2

    A 32-bit unsigned integer in big-endian format.

  • AccountSid

    The account SID of the user referenced by the Identity parameter. The SID bytes can be obtained from the WINBIO_IDENTITY structure.

Examples

Here is a pseudocode implementation of the SHA256 HMAC calculation:

// Hash the AccountSid.
    assert(Identity->Type == WINBIO_ID_TYPE_SID);
    hashHandle = CreateHash(SHA256_ALGORITHM);
    HashData(
        hashHandle, 
        Identity->Value.AccountSid.Data, 
        Identity->Value.AccountSid.Size);
    identityHash = FinishHash(hashHandle);

    // Hash the parameters.
    BYTE bytes[] = {0xff, 0xff, 0xff, 0xe2};
    hashHandle = CreateHash(SHA256_ALGORITHM);
    HashData(hashHandle, Nonce, NonceSize);
    HashData(hashHandle, bytes, sizeof(bytes));
    HashData(hashHandle, identityHash, SHA256_DIGEST_LENGTH);
    parameterHash = FinishHash(hashHandle);

    // Calculate the authorization HMAC
    key, keySize = GetKeyFromIdentifier(KeyIdentifier, KeyIdentifierSize);
    hashHandle = CreateHash(HMAC_SHA256_ALGORITHM, key, keySize);
    HashData(hashHandle, parameterHash, SHA256_DIGEST_LENGTH);
    authorization = FinishHash(hashHandle);

Requirements

Requirement Value
Minimum supported client Windows 10 [desktop apps only]
Minimum supported server Windows Server 2016 [desktop apps only]
Target Platform Windows
Header winbio_adapter.h (include Winbio_adapter.h)