Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Webauthn HID client #12

Open
wants to merge 34 commits into
base: master
Choose a base branch
from
Open

Webauthn HID client #12

wants to merge 34 commits into from

Conversation

daeMOn63
Copy link

No description provided.

@daeMOn63
add go.mod
1684339
@daeMOn63
add new HID commands and CBOR command support
1a80ea5
@daeMOn63
add ctap2token getInfo()
7a3d30e
@daeMOn63
add ctap2token example
6dacead
@daeMOn63
add CTAP2 makeCredential support
070ceb5
@daeMOn63
add complete ctap2/webauthn flow example
d60d73f
@daeMOn63
add reset command
45e882f
@daeMOn63
add GetNextAssertion
e701732
@daeMOn63
fix tests
e706c46
@daeMOn63
extracted pin handling to dedicated package
8ee9dd2
@daeMOn63
add webauthn registeration handling
c405ddc
@daeMOn63
add webauthn ctap2 authenticate
acdfab1
@daeMOn63
examples cleanup
acab0e9
@daeMOn63
fix webauthn demos and cleanup encoding issues
8a1578c
@daeMOn63
u2ftoken: parse register response
f755187
@daeMOn63
tidy mod
187936d
@daeMOn63
webauthn: ctap1 register support
c79788d
@daeMOn63
webauthn: ctap1 authenticate support
e374739
@daeMOn63
webauthn: ctap1 handle excluded credentials
b53d4e0
@daeMOn63
webauthn: ctap1 fix authenticate allowed credentials
1027f71
@daeMOn63
add device selection doc
368d6db
@daeMOn63
add CLI webauthn implementation
b2043b8 
- add a CLI webauthn implementation, trying to match as close as possible
browsers behavior.
- includes device selection when multiple authenticators are plugged in.
- includes working examples on webauthn.io and demo.yubico.com public
  webauthn servers, see webauth/example package.
- support usb authenticators, using either FIDO U2F/CTAP1 or CTAP2 protocols
@daeMOn63 daeMOn63 changed the base branch from ctap2 to master September 28, 2020 12:40
@daeMOn63
improve request cancelation handling
91a9b6b
@daeMOn63
renamed device selection document
4f13633
@daeMOn63
improve pin input
f026a3e 
pin input now use golang.org/x/crypto/ssh/terminal to not be
echoed on stdout anymore. The library is expected to work on *any* go
supported OS terminals, but only tested on linux.
awly
awly reviewed Jan 21, 2021
View reviewed changes
u2ftoken/token.go Outdated Show resolved Hide resolved
u2ftoken/example/main.go Outdated Show resolved Hide resolved
titanous
titanous reviewed Jan 21, 2021
View reviewed changes
Copy link
Contributor

@titanous titanous left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Posting my incomplete review from a few months ago. Will do another pass later.

crypto/cose.go Outdated Show resolved Hide resolved
webauthn/types.go Outdated Show resolved Hide resolved
ctap2token/example/main.go Outdated Show resolved Hide resolved
crypto/cose.go
BaseIV []byte `cbor:"5,keyasint,omitempty"`
}

func (k *COSEKey) CBOREncode() ([]byte, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func (k *COSEKey) CBOREncode() ([]byte, error) {
func (k *COSEKey) MarshalCBOR() ([]byte, error) {

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't rename, this cause infinite loop as MarshalCBOR() makes the struct implement cbor.Marshaler interface (see https://github.com/fxamacker/cbor/blob/ee962ff86de23bc964f19d8e4a1a23171b05e58b/encode.go#L28-L29 and https://github.com/fxamacker/cbor/blob/ee962ff86de23bc964f19d8e4a1a23171b05e58b/encode.go#L99-L101)

crypto/cose.go Outdated Show resolved Hide resolved
ctap2token/pin/pin.go
return getpasswd(h.Stdin)
}

func (h *InteractiveHandler) SetPIN(token *ctap2token.Token) ([]byte, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like most of this handler should be abstracted out into a helper that other handlers can use? I'd expect it to only do the collection from stdin and then call a shared function that does all the work.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, done.

ctap2token/pin/pin.go Outdated Show resolved Hide resolved
ctap2token/pin/pin.go Outdated Show resolved Hide resolved
ctap2token/token.go Outdated Show resolved Hide resolved
doc/WEBAUTHN_DEVICE_SELECTION.md Outdated Show resolved Hide resolved
titanous
titanous reviewed Feb 7, 2021
View reviewed changes
ctap2token/token.go Outdated Show resolved Hide resolved
ctap2token/token.go Outdated Show resolved Hide resolved
ctap2token/token.go Outdated
}

// MakeCredentialResponse
// TODO: structure may be different with different kind of attestations.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this TODO still pending?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm no. The MakeCredentialResponse structure is fixed and only the content of AttSmt may vary, but since it's a map[string]interface{} we should be good to store anything. Thanks, removed.

ctap2token/token.go Outdated Show resolved Hide resolved
ctap2token/token.go Outdated Show resolved Hide resolved
webauthn/token.go Outdated Show resolved Hide resolved
webauthn/token.go Outdated Show resolved Hide resolved
webauthn/types.go Outdated Show resolved Hide resolved
webauthn/types.go Outdated Show resolved Hide resolved
webauthn/types.go Outdated Show resolved Hide resolved
@rgl rgl mentioned this pull request Feb 24, 2021
Closed
@daeMOn63
fix #14 getAssertion issue with HyperSecu Mini
b785fc1 
HyperSecu Mini tokens are reporting errors when calling GetAssertion.
It seems these tokens don't support the transports field being set on
the CredentialDescriptor. Luckily it's optionnal so we can safely remove
it.
@daeMOn63
add extra check for pin before input
840ab5f 
HyperSecu mini tokens returns wrong error on timeout
that we can catch in order to avoid asking for user pin
when it's not set
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awly awly awly left review comments

@titanous titanous titanous left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@daeMOn63 @titanous @awly