This library has moved its development to https://github.com/tweag/webauthn
arianvp / haskell-fido2 Goto Github PK
View Code? Open in Web Editor NEWA library for parsing and validating webauthn/fido2 credentials
License: Apache License 2.0
A library for parsing and validating webauthn/fido2 credentials
License: Apache License 2.0
This library has moved its development to https://github.com/tweag/webauthn
Perhaps we can store the EC2 Points in compressed form (x
coordinate plus sign) instead of x/y
coordinates. This eliminates a whole bunch of cryptographic security vulnerabilities by construction
Originally posted by @arianvp in #21 (comment)
Webauthn and COSE are footguns in this regard; and we should convert to compressed form as close to the boundary as possible. Check if cryptonite
supports this.
Maybe take inspiration from https://github.com/webauthn4j/webauthn4j
I think my employer will probably want to avoid EC256 if possible. EdDSA seems easier to implement though; as the signature format isn't legacy but COSE (though this is underspecified in the spec currently. See w3c/webauthn#1441)
Perhaps we should not implement all the crypto primitives using cryptonite
ourselves; but just wrap the https://github.com/Yubico/libfido2 C library.
Then we dont have to deal with anything related to parsing or crypto ourselves and make it somebody else's problem...
libfido2
depends on OpenSSL
and libcbor
I was given access to the FIDO2 conformance tests by the FIDO Alliance.
They sent me a username and password in plain text (LOL. ironic) so I can download the test tool.
The test tool is an electron application and no source code is available. It only runs on Mac or Windows.
I don't think I can distribute it freely, so we can't add it to CI.
One downside of a verify
that returns a bool is that you can forget to call it. One way to mitigate this (until we get Linear Haskell ๐) is to fuse deserialization of the message with verification, something like
verifyAndDecode :: PublicKey -> Message ByteString -> Signature -> Maybe DecodedMessage
is there a sensible decode operation for the message to do this with?
A different option would be to return some kind of validity token of which the constructor is not exposed, and to have remaining functions take such a token as input.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.