Awesome

fido2 authenticator library

GitHub GitHub Workflow Status

Warning: NOT PRODUCTION READY!

Getting started

The following steps are required to get started:

Add this repository to your project (make sure you call the pull-deps.sh script to fetch the required cbor library)
Implement a basic application that acts as a raw usb hid device
Define the following functions (take a look at the example here):

pub fn rand() u32 - Get a 32 bit (true) random number
pub fn millis() u32 - The time in milliseconds since startup (or something similar)
pub fn load(allocator: std.mem.Allocator) fido.Resources.LoadError![]u8 - Load data from memory (the first four bytes encode the data length and MUST NOT be returned)
pub fn store(data: []const u8) void - Store the given data to memory (the first four bytes encode the length)
pub fn request_permission(user: ?*const fido.data.User, rp: ?*const fido.data.RelyingParty) bool - Request permission from the user (e.g., button press)

On startup call fido.Authenticator.new_default to instantiate an authenticator

// call this on start up
auth = fido.Authenticator.new_default(
    [_]u8{
        ...      
    },                                                                          
    .{                          
        .rand = Impl.rand,
        .millis = Impl.millis,
        .load = Impl.load,     
        .store = Impl.store,
        .request_permission = Impl.requestPermission,
    },
);

On receiving a usb packet call fido.transport_specific_bindings.ctaphid.handle(buffer[0..bufsize], &auth) where buffer contains the raw data and auth is the authenticator instance
ctaphid.handle will either return null (if its still in the process of assembling the request) or an iterator (containing the response). You can call next() on the iterator to get the next CTAPHID packet to send to the client.

// example of sending a CTAPHID response (tinyusb)
if (response != null) {
    while (response.?.next()) |r| {
        while (!tudHidReady()) {
            tudTask();
            // wait until ready
        }

        _ = tudHidReport(0, r);
    }
}

Examples

Platform	Architecture	Link
nRF52840-MDK USB Dongle	Arm	candy-stick-nrf

Supported transport specific bindings

binding	supported?
USB	✅
NFC
Bluetooth

Supported commands

command	supported?
`authenticatorMakeCredential`	✅
`authenticatorGetAssertion`	✅
`authenticatorGetNextAssertion`
`authenticatorGetInfo`	✅
`authenticatorClientPin`	✅
`authenticatorReset`	✅
`authenticatorBioEnrollment`
`authenticatorCredentialManagement`
`authenticatorSelection`
`authenticatorLargeBlobs`
`authenticatorConfig`

Crypto

TODO: rewrite this section

Resources

CTAP2 - FIDO Alliance
WebAuthn - W3C
CBOR RFC8949 - C. Bormann and P. Hoffman