go-fdo-server
is a server implementation of FIDO Device Onboard specification in Go.
- Go 1.23.0 or later
- A Go module initialized with
go mod init
The update-deps.sh
script updates all dependencies in your Go module to their latest versions and cleans up the go.mod
and go.sum
files.
To update your dependencies, simply run the script:
./update-deps.sh
The example server application can be built with go build
directly
$ go build -o fdo_server ./cmd/fdo_server/
$ ./fdo_server
Usage:
fdo_server [--] [options]
Server options:
-command-date
Use fdo.command FSIM to have device run "date --utc"
-db string
SQLite database file path
-db-pass string
SQLite database encryption-at-rest passphrase
-debug
Print HTTP contents
-download file
Use fdo.download FSIM for each file (flag may be used multiple times)
-ext-http addr
External address devices should connect to (default "127.0.0.1:${LISTEN_PORT}")
-http addr
The address to listen on (default "localhost:8080")
-import-voucher path
Import a PEM encoded voucher file at path
-insecure-tls
Listen with a self-signed TLS certificate
-print-owner-public type
Print owner public key of type and exit
-resale-guid guid
Voucher guid to extend for resale
-resale-key path
The path to a PEM-encoded x.509 public key for the next owner
-reuse-cred
Perform the Credential Reuse Protocol in TO2
-upload file
Use fdo.upload FSIM for each file (flag may be used multiple times)
-upload-dir path
The directory path to put file uploads (default "uploads")
-wget url
Use fdo.wget FSIM for each url (flag may be used multiple times)
Key types:
- RSA2048RESTR
- RSAPKCS
- RSAPSS
- SECP256R1
- SECP384R1
Encryption suites:
- A128GCM
- A192GCM
- A256GCM
- AES-CCM-64-128-128 (not implemented)
- AES-CCM-64-128-256 (not implemented)
- COSEAES128CBC
- COSEAES128CTR
- COSEAES256CBC
- COSEAES256CTR
Key exchange suites:
- DHKEXid14
- DHKEXid15
- ASYMKEX2048
- ASYMKEX3072
- ECDH256
- ECDH384
This guide provides instructions to set up and run the FDO server and client instances for different roles: Manufacturer, Rendezvous (RV), and Owner.
Start the FDO server with the test database:
./fdo_server -http 127.0.0.1:8038 -db ./mfg.db -db-pass <db-password> -debug
This server instance acts as the Manufacturer.
Start another instance of the FDO server on a different port with a different database:
./fdo_server -http 127.0.0.1:8041 -db ./rv.db -db-pass <db-password> -debug
This server instance acts as the RV.
Start another instance of the FDO server on a different port with a different database:
./fdo_server -http 127.0.0.1:8043 -db ./own.db -db-pass <db-password> -debug
This server instance acts as the Owner.
Send a POST request to create new RV info data, which is stored in the Manufacturer’s database:
curl --location --request POST 'http://localhost:8038/api/v1/rvinfo' \
--header 'Content-Type: text/plain' \
--data-raw '[[[5,"127.0.0.1"],[3,8041],[12,1],[2,"127.0.0.1"],[4,8041]]]'
To bypass the TO1 protocol set RVBypass using
curl --location --request POST 'http://localhost:8038/api/v1/rvinfo' \
--header 'Content-Type: text/plain' \
--data-raw '[[[5,"127.0.0.1"],[3,8041],[14],[12,1],[2,"127.0.0.1"],[4,8041]]]'
Send a GET request to fetch the current RV info data:
curl --location --request GET 'http://localhost:8038/api/v1/rvinfo'
Send a PUT request to update the existing RV info data:
curl --location --request PUT 'http://localhost:8038/api/v1/rvinfo' \
--header 'Content-Type: text/plain' \
--data-raw '[[[5,"127.0.0.1"],[3,8041],[14,false],[12,1],[2,"127.0.0.1"],[4,8041]]]'
Send a POST request to create new owner redirect data, which is stored in the Owner’s database:
curl --location --request POST 'http://localhost:8043/api/v1/owner/redirect' \
--header 'Content-Type: text/plain' \
--data-raw '[["127.0.0.1","127.0.0.1",8043,3]]'
Use GET and PUT requests to view and update existing owner redirect data.
Fetch a Voucher Fetch a voucher using curl and save it to a file named ownervoucher:
curl --location --request GET 'http://localhost:8038/api/v1/vouchers?guid=<guid>' -o ownervoucher
Post the Voucher to RV and Owner Server Post the fetched voucher to the RV and Owner server using curl:
curl -X POST 'http://localhost:8041/api/v1/owner/vouchers' -d @ownervoucher
curl -X POST 'http://localhost:8043/api/v1/owner/vouchers' -d @ownervoucher
For Running the FDO GO Client setup, please refer to the FDO Go Client README.
Execute the TO0 by providing DI GUID from FDO GO Client:
curl --location --request GET 'http://localhost:8043/api/v1/to0/<guid>'
TO0 will be completed in the respective Owner and RV.
- Container runtime (Docker or Podman)
- Make
build
: Builds the Server image.run
: Runs the Server container.clean
: Removes the Server image.all
: Builds the Server image and then runs the container.
The following variables can be set to customize the behavior of the make run
command:
CONTAINER_RUNTIME
: The container runtime executable to use (default:docker
).IMAGE_NAME
: The name of the container image (default:fdo_server
).CONTAINER_NAME
: The name of the container (default:fdo_server
).DB_PATH
: The path to the SQLite database file (default:./test.db
).DB_PASS
: The SQLite database encryption-at-rest passphrase. NOTE:This field should be populated before starting the container.NETWORK
: The container network setting (default:host
).DEBUG
: Debug flag to print HTTP contents (default:--debug
).HTTP_ADDR
: The address to listen on (default:localhost:8080
).EXT_HTTP_ADDR
: The external address devices should connect to (default:127.0.0.1:8080
).UPLOAD_DIR
: The directory path to put file uploads (default:uploads
).DOWNLOAD_FILES
: Files to use withfdo.download
FSIM (can be multiple files).UPLOAD_FILES
: Files to use withfdo.upload
FSIM (can be multiple files).IMPORT_VOUCHER
: Path to import a PEM encoded voucher file.INSECURE_TLS
: Flag to listen with a self-signed TLS certificate.PRINT_OWNER_PUBLIC
: Type of owner public key to print and exit.RESALE_GUID
: Voucher GUID to extend for resale.RESALE_KEY
: Path to a PEM-encoded x.509 public key for the next owner.REUSE_CRED
: Flag to perform the Credential Reuse Protocol in TO2.WGET_URLS
: URLs to use withfdo.wget
FSIM (can be multiple URLs).
To build the container image, run:
make build
To start the FDO Go service as a container, run:
make run
This will start the container with the specified network settings and database path.
make copy
This will copy the files uploaded using fdo.upload FSIM module to app-data
folder present in host system.
To stop the container, run:
make stop
To build and run the container in one step, run:
make all
NOTE: Supports all server parameters specified in the building section. Use network mode based on the host machine and requirements.