fido2 authenticator library
Warning: NOT PRODUCTION READY!
Getting started
The following steps are required to get started:
- Add this repository to your project (make sure you call the `pull-deps.sh` script to fetch the required cbor library)
- Implement a basic application that acts as a raw USB HID device
- Define the following functions (take a look at the example here):
  - `pub fn rand() u32` - Get a 32 bit (true) random number
  - `pub fn millis() u32` - The time in milliseconds since startup (or something similar)
  - `pub fn load(allocator: std.mem.Allocator) fido.Resources.LoadError![]u8` - Load data from memory (the first four bytes encode the data length and MUST NOT be returned)
  - `pub fn store(data: []const u8) void` - Store the given data to memory (the first four bytes encode the length)
  - `pub fn request_permission(user: ?*const fido.data.User, rp: ?*const fido.data.RelyingParty) bool` - Request permission from the user (e.g., button press)
- On startup call `fido.Authenticator.new_default` to instantiate an authenticator:

```zig
// call this on start up
auth = fido.Authenticator.new_default(
    [_]u8{
        ...
    },
    .{
        .rand = Impl.rand,
        .millis = Impl.millis,
        .load = Impl.load,
        .store = Impl.store,
        .request_permission = Impl.requestPermission,
    },
);
```
- On receiving a USB packet call `fido.transport_specific_bindings.ctaphid.handle(buffer[0..bufsize], &auth)`, where `buffer` contains the raw data and `auth` is the authenticator instance. `ctaphid.handle` will either return null (if it's still in the process of assembling the request) or an iterator (containing the response). You can call `next()` on the iterator to get the next CTAPHID packet to send to the client.

```zig
// example of sending a CTAPHID response (tinyusb)
if (response != null) {
    while (response.?.next()) |r| {
        while (!tudHidReady()) {
            tudTask();
            // wait until ready
        }
        _ = tudHidReport(0, r);
    }
}
```
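The five callbacks above, implemented against a simulated flash region and a simulated presence button so the contract (4-byte length prefix kept on `store`, stripped on `load`) can be exercised on a host. This is an added example, not code from the library or its sample project; it assumes Zig 0.11 syntax, that the library is imported as the module `fido`, and that `fido.Resources.LoadError` includes `error.OutOfMemory`.

```zig
const std = @import("std");
const fido = @import("fido"); // assumed import name for this library

/// Simulated backend for the README's callbacks (Zig 0.11 syntax assumed).
pub const Impl = struct {
    // Simulated non-volatile region: 4-byte little-endian length, then payload.
    var flash: [4096]u8 = [_]u8{0} ** 4096;
    // Placeholder generator for the host; a device must use its hardware TRNG here.
    var prng = std.rand.DefaultPrng.init(0x5eed);
    var boot_ms: ?i64 = null;
    // Simulated user-presence button; a device would poll a GPIO (with a timeout).
    var button_pressed: bool = true;

    pub fn rand() u32 {
        return prng.random().int(u32);
    }

    pub fn millis() u32 {
        const now = std.time.milliTimestamp();
        if (boot_ms == null) boot_ms = now;
        const elapsed: u32 = @intCast(now - boot_ms.?);
        return elapsed;
    }

    /// Return only the payload: the 4-byte length prefix MUST NOT be returned.
    /// Assumes fido.Resources.LoadError contains error.OutOfMemory (dupe can fail).
    pub fn load(allocator: std.mem.Allocator) fido.Resources.LoadError![]u8 {
        var len = std.mem.readIntLittle(u32, flash[0..4]);
        if (len > flash.len - 4) len = 0; // blank or corrupt region: treat as empty
        return try allocator.dupe(u8, flash[4 .. 4 + len]);
    }

    /// `data` already carries its 4-byte length prefix; write it verbatim.
    pub fn store(data: []const u8) void {
        std.debug.assert(data.len >= 4 and data.len <= flash.len);
        @memcpy(flash[0..data.len], data);
    }

    pub fn requestPermission(user: ?*const fido.data.User, rp: ?*const fido.data.RelyingParty) bool {
        _ = user;
        _ = rp;
        return button_pressed; // set to false to simulate a denied/timed-out press
    }
};
```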
Examples
| Platform | Architecture | Link |
|---|---|---|
| nRF52840-MDK USB Dongle | Arm | candy-stick-nrf |
Supported transport specific bindings
| binding | supported? |
|---|---|
| USB | ✅ |
| NFC | |
| Bluetooth | |
Supported commands
| command | supported? |
|---|---|
| authenticatorMakeCredential | ✅ |
| authenticatorGetAssertion | ✅ |
| authenticatorGetNextAssertion | |
| authenticatorGetInfo | ✅ |
| authenticatorClientPin | ✅ |
| authenticatorReset | ✅ |
| authenticatorBioEnrollment | |
| authenticatorCredentialManagement | |
| authenticatorSelection | |
| authenticatorLargeBlobs | |
| authenticatorConfig | |
Crypto
TODO: rewrite this section
Resources
- CTAP2 - FIDO Alliance
- WebAuthn - W3C
- CBOR RFC8949 - C. Bormann and P. Hoffman