OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

Overview

OpenSK logo

markdownlint pylint Cargo check Cargo format Coverage Status

OpenSK

This repository contains a Rust implementation of a FIDO2 authenticator.

We developed this as a Tock OS application and it has been successfully tested on the following boards:

Disclaimer

This project is proof-of-concept and a research platform. It is NOT meant for a daily usage. It's still under development and as such comes with a few limitations:

FIDO2

The stable branch implements the published CTAP2.0 specifications and is FIDO certified.

FIDO2 certified L1

It already contains some preview features of 2.1, that you can try by adding the flag --ctap2.1 to the deploy command. The full CTAP2.1 specification is work in progress in the develop branch and is tested less thoroughly.

Cryptography

We're currently still in the process on making the ARM® CryptoCell-310 embedded in the Nordic nRF52840 chip work to get hardware-accelerated cryptography. In the meantime we implemented the required cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and AES256) in Rust as a placeholder. Those implementations are research-quality code and haven't been reviewed. They don't provide constant-time guarantees and are not designed to be resistant against side-channel attacks.

Installation

For a more detailed guide, please refer to our installation guide.

  1. If you just cloned this repository, run the following script (Note: you only need to do this once):

    ./setup.sh
  2. Next step is to install Tock OS as well as the OpenSK application on your board. Run:

    # Nordic nRF52840-DK board
    ./deploy.py --board=nrf52840dk --opensk
    # Nordic nRF52840-Dongle
    ./deploy.py --board=nrf52840_dongle --opensk
  3. Finally you need to inject the cryptographic material if you enabled batch attestation or CTAP1/U2F compatibility (which is the case by default):

    ./tools/configure.py \
        --certificate=crypto_data/opensk_cert.pem \
        --private-key=crypto_data/opensk.key
  4. On Linux, you may want to avoid the need for root privileges to interact with the key. For that purpose we provide a udev rule file that can be installed with the following command:

    sudo cp rules.d/55-opensk.rules /etc/udev/rules.d/ &&
    sudo udevadm control --reload

Customization

If you build your own security key, depending on the hardware you use, there are a few things you can personalize:

  1. If you have multiple buttons, choose the buttons responsible for user presence in main.rs.
  2. Decide whether you want to use batch attestation. There is a boolean flag in ctap/mod.rs. It is mandatory for U2F, and you can create your own self-signed certificate. The flag is used for FIDO2 and has some privacy implications. Please check WebAuthn for more information.
  3. Decide whether you want to use signature counters. Currently, only global signature counters are implemented, as they are the default option for U2F. The flag in ctap/mod.rs only turns them off for FIDO2. The most privacy preserving solution is individual or no signature counters. Again, please check WebAuthn for documentation.
  4. Depending on your available flash storage, choose an appropriate maximum number of supported residential keys and number of pages in ctap/storage.rs.
  5. Change the default level for the credProtect extension in ctap/mod.rs. When changing the default, resident credentials become undiscoverable without user verification. This helps privacy, but can make usage less comfortable for credentials that need less protection.
  6. Increase the default minimum length for PINs in ctap/storage.rs. The current minimum is 4. Values from 4 to 63 are allowed. Requiring longer PINs can help establish trust between users and relying parties. It makes user verification harder to break, but less convenient. NIST recommends at least 6-digit PINs in section 5.1.9.1: https://pages.nist.gov/800-63-3/sp800-63b.html You can add relying parties to the list of readers of the minimum PIN length.

3D printed enclosure

To protect and carry your key, we partnered with a professional designer and we are providing a custom enclosure that can be printed on both professional 3D printers and hobbyist models.

All the required files can be downloaded from Thingiverse including the STEP file, allowing you to easily make the modifications you need to further customize it.

Development and testing

Printing panic messages to the console

By default, libtock-rs blinks some LEDs when the userspace application panicks. This is not always convenient as the panic message is lost. In order to enable a custom panic handler that first writes the panic message via Tock's console driver, before faulting the app, you can use the --panic-console flag of the deploy.py script.

# Example on Nordic nRF52840-DK board
./deploy.py --board=nrf52840dk --opensk --panic-console

Debugging memory allocations

You may want to track memory allocations to understand the heap usage of OpenSK. This can be useful if you plan to port it to a board with fewer available RAM for example. To do so, you can enable the --debug-allocations flag of the deploy.py script. This enables a custom (userspace) allocator that prints a message to the console for each allocation and deallocation operation.

The additional output looks like the following.

# Allocation of 256 byte(s), aligned on 1 byte(s). The allocated address is
# 0x2002401c. After this operation, 2 pointers have been allocated, totalling
# 384 bytes (the total heap usage may be larger, due to alignment and
# fragmentation of allocations within the heap).
alloc[256, 1] = 0x2002401c (2 ptrs, 384 bytes)
# Deallocation of 64 byte(s), aligned on 1 byte(s), from address 0x2002410c.
# After this operation, 1 pointers are allocated, totalling 512 bytes.
dealloc[64, 1] = 0x2002410c (1 ptrs, 512 bytes)

A tool is provided to analyze such reports, in tools/heapviz. This tool parses the console output, identifies the lines corresponding to (de)allocation operations, and first computes some statistics:

  • Address range used by the heap over this run of the program,
  • Peak heap usage (how many useful bytes are allocated),
  • Peak heap consumption (how many bytes are used by the heap, including unavailable bytes between allocated blocks, due to alignment constraints and memory fragmentation),
  • Fragmentation overhead (difference between heap consumption and usage).

Then, the heapviz tool displays an animated "movie" of the allocated bytes in heap memory. Each frame in this "movie" shows bytes that are currently allocated, that were allocated but are now freed, and that have never been allocated. A new frame is generated for each (de)allocation operation. This tool uses the ncurses library, that you may have to install beforehand.

You can control the tool with the following parameters:

  • --logfile (required) to provide the file which contains the console output to parse,
  • --fps (optional) to customize the number of frames per second in the movie animation.
cargo run --manifest-path tools/heapviz/Cargo.toml -- --logfile console.log --fps 50

Contributing

See Contributing.md.

Reporting a Vulnerability

See SECURITY.md.

Comments
  • Requests for USB dongle  without additional hardware.

    Requests for USB dongle without additional hardware.

    Very excited about yesterday's update。 I very much expect to get rid of the hardware (jlink) dependency。 I have one usb dongle (52840 dongle),and have a try with nrfutil.

    ./deploy.py --board=nrf52840_dongle --opensk --programmer=nordicdfu fatal: This board doesn't support flashing over DFU.

    then I checked deploy.py file.Then changed parameters: ./deploy.py --board=nrf52840_dongle_dfu --opensk --programmer=nordicdfu

    I see ,it needs nrfutil command with version 5.1. AttributeError: 'dict' object has no attribute 'iteritems'。

    Can you tell me if my operation is correct,and nrfutil's version.

    Thanks !

    Specifications

    • Version:
    • Platform: ubuntu 16.04 i686 ,python 3.5.
    opened by xaqfan 30
  • Cannot generate ssh keys with ed25519-sk

    Cannot generate ssh keys with ed25519-sk

    I'm trying to create ssh keys with ed25519-sk instead of ecdsa-sk but I receive this error: Key enrollment failed: requested feature not supported . This is my Openssh version: **OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k **

    I'm using a nrf52840 dongle with the last updates of the stable branch.

    Any idea why is this happening? Thanks in advance.

    enhancement 
    opened by gelintonx 28
  • Is there a way to store a key/secret in the dongle?

    Is there a way to store a key/secret in the dongle?

    Is there an API in the OpenSK that I can use to store a secret string mapped to a username and retrieve it later on?

    If not, can I exploit the FIDO register call to store a secret string mapped to a username? Is there any field in the FIDO2 protocol that is stored on the authenticator and is returned during authentication? I need it for the research prototype, so any hack/ideas would help.

    question 
    opened by tarun14110 20
  • OpenSK does not work properly on Microsoft Edge

    OpenSK does not work properly on Microsoft Edge

    Expected Behavior

    I can register the OpenSK key on my Google account

    Actual Behavior

    When I try to register the OpenSK key on my Google account, it gets stuck on the confirmation page Here are the logs:

    two-step-verification?rapt=***:1 Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist.
    two-step-verification?rapt=***:1 Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist.
    two-step-verification?rapt=***:1 Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist.
    two-step-verification?rapt=***:1 Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist.
    

    Steps to Reproduce the Problem

    1. Flash the OpenSK firmware to nRF52840-Dongle
    2. Open https://myaccount.google.com/signinoptions/two-step-verification on Microsoft Edge
    3. Click "Add security key", and click "Next"
    4. Tap the button on the OpenSK key

    Specifications

    • Version: latest stable
    • Platform: Windows
    opened by ghost 18
  • Add Feitian USB Dongle

    Add Feitian USB Dongle

    Feitian created an hardware dongle according to nRF52840 design, please refer to https://feitiantech.github.io/OpenSK_USB/hardware/ . There is no need to change anything to Google OpenSK source code, download the OpenSK firmware to Feitian Dongle, and it can work.

    documentation cla: yes 
    opened by geofli 18
  • nRF52840 USB dongle can not work with source code from stable and develop branches

    nRF52840 USB dongle can not work with source code from stable and develop branches

    Expected Behavior

    nRF52840 USB dongle should work with source code on stable branch or develop branch

    Actual Behavior

    Neither stable nor develop branch work.

    Following below steps

    1. ./reset.sh
    2. ./setup.sh
    3. ./deploy.py --board=nrf52840_dongle_dfu --opensk --programmer=nordicdfu
    Have switched nrf52840 usb dongle to bootloader mode.
    4. ./tools/configure.py \
        --certificate=crypto_data/opensk_cert.pem \
        --private-key=crypto_data/opensk.key
    

    If I use source code from stable branch, step 4 reports error 0xF2.

    info: Private key is valid.
    info: Certificate is valid.
    DEBUG:fido2.hid.macos:Found CTAP device: 4295020873
    DEBUG:fido2.hid:SEND: ffffffff8600084859dd5c0a590e2f
    DEBUG:fido2.hid:RECV: ffffffff8600114859dd5c0a590e2f00000001020100000500000000000000000000000000000000000000000000000000000000000000000000000000000000
    DEBUG:fido2.hid:SEND: 0000000190000104
    DEBUG:fido2.hid:RECV: 00000001900001f20000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Traceback (most recent call last):
      File "./tools/configure.py", line 204, in <module>
        main(parser.parse_args())
      File "./tools/configure.py", line 134, in main
        for authenticator in tqdm(get_opensk_devices(args.batch)):
      File "./tools/configure.py", line 72, in get_opensk_devices
        return [ctap2.CTAP2(dev)]
      File "/Users/gaofeng/.pyenv/versions/3.8.8/lib/python3.8/site-packages/fido2/ctap2/base.py", line 643, in __init__
        self._info = self.get_info()
      File "/Users/gaofeng/.pyenv/versions/3.8.8/lib/python3.8/site-packages/fido2/ctap2/base.py", line 695, in get_info
        return self.send_cbor(Ctap2.CMD.GET_INFO, parse=Info)
      File "/Users/gaofeng/.pyenv/versions/3.8.8/lib/python3.8/site-packages/fido2/ctap2/base.py", line 675, in send_cbor
        raise CtapError(status)
    fido2.ctap.CtapError: CTAP error: 0xF2 - UNKNOWN
    

    If I checkout code to develop branch, after step 3, nrf52840 usb dongle behaves like

    https://user-images.githubusercontent.com/10238809/126742034-fdf49cec-d0c0-4173-aeb3-64b33207f636.mp4

    Even if I perform ./deploy.py --board=nrf52840_dongle_dfu --erase_storage --programmer=nordicdfu before step 3, behavior is same.

    What's the matter?

    Steps to Reproduce the Problem

    1. ./reset.sh
    2. ./setup.sh
    3. ./deploy.py --board=nrf52840_dongle_dfu --opensk --programmer=nordicdfu
    Have switched nrf52840 usb dongle to bootloader mode.
    4. ./tools/configure.py \
        --certificate=crypto_data/opensk_cert.pem \
        --private-key=crypto_data/opensk.key
    

    on either stable or develop branch.

    bug 
    opened by geofli 16
  • lost access to bootloader on makerdiary nRF52840 MDK USB Dongle after flash

    lost access to bootloader on makerdiary nRF52840 MDK USB Dongle after flash

    Expected Behavior

    Holding button while plugging to computer enter UF2 flash mode ( ie presenting a mass storage device to the host )

    Actual Behavior

    Holding button while plugging to computer does nothing

    Steps to Reproduce the Problem

    1. generate firmware with ./deploy.py --board=nrf52840_mdk_dfu --programmer=none --opensk
    2. convert hex file to uf2 with uf2conv.py firmware.hex -c -f 0xADA52840
    3. flash by copying the resulting uf2 file to the mass storage device presented.

    Specifications

    • Version: b0c1b73897816edb757a163943f7b36a55f76a19
    • Platform: linux

    Comments/Questions

    Apologies if I missed something, I chose nrf52840_mdk_dfu as the board since it was the only one mentioning mdk and I tried before nrf52840_dongle but the button was not recognized ( I was able though to enter UF2 mode with that firmware flashed ).

    The dongle works perfectly as is, webauthn.io test is successful. I just can't set it back to bootloader mode to flash or update something else. Just want to confirm I need a debugger probe at that point to be able to update opensk and/or change the firmware running at that point. Thank you in advance for your pointers.

    opened by gled-rs 14
  • Failed to load

    Failed to load "resident" ssh key generated by OpenSK device

    Expected Behavior

      After successfully generating the residential ssh keys by ssh-keygen -t ecdsa-sk -O resident, the private key should can be load to another computer via the OpenSK devices by ssh-add -K, but it failed to load.

    Actual Behavior

      Generation step on residental key seems to be successful, but when I tried to load the key to anthoer PC, by pluging in the OpenSK device and ssh-add -K, it shows Enter PIN for authenticator: Provider "internal" returned failure -1 Unable to load resident keys: invalid format   (the PIN was set correctly.)   After enable verbose mode by ssh-add -K -v, it shows Enter PIN for authenticator: debug1: start_helper: starting /usr/lib/ssh/ssh-sk-helper debug1: sshsk_load_resident: provider "internal", have-pin debug1: sk_probe: 1 device(s) detected debug1: sk_probe: selecting sk by touch debug1: ssh_sk_load_resident_keys: trying /dev/hidraw5 debug1: check_sk_options: option uv is unknown debug1: read_rks: get metadata for /dev/hidraw5 failed: FIDO_ERR_MISSING_PARAMETER debug1: ssh_sk_load_resident_keys: read_rks failed for /dev/hidraw5 Provider "internal" returned failure -1 debug1: ssh-sk-helper: sshsk_load_resident failed: invalid format debug1: main: reply len 8 debug1: client_converse: helper returned error -4 Unable to load resident keys: invalid format   which makes me confused.

    Steps to Reproduce the Problem

    1. Generate a pair of residental ssh key by ssh-keygen -t ecdsa-sk -O resident.
    2. Plug the OpenSK device to another PC.
    3. Try to load the key generated to that PC ssh-add -K -v

    Specifications

    • Device: Nordic nRF52840 Dongle
    • Version: c6d3f51 of develop branch
    • Platform: Arch Linux

      I would appreciate it if you could do me a favour to solve that problem. Looking forward to your reply on your earliest convenience.

    opened by JunASAKA 13
  • Support ed25519 crypto algorithm

    Support ed25519 crypto algorithm

    Fixes #335

    This PR uses external ed25519-dalek crate for crypto implementation, which lead to several changes I'd like to get feedback on:

    1. ed25519-dalek requires Rust 2021. For that, I've made some changes to third-party/libtock-rs submodule, which are commited in https://github.com/egor-duda/libtock-rs/tree/ed25519. They change rust-toolchain channel to nightly-2021-10-21 and update asm code to use numbered labels due to enabled #[deny(named_asm_labels)].
    2. This change also causes new warnings about llvm_asm! macro being deprecated, and I don't know ARM assembly that well to be able to properly migrate from llvm_asm! to asm!. As a temporary workaround, I've removed -D warnings in deploy.py
    3. Crypto structs in ed25519-dalek do not implement Clone and Eq, so instead of deriving those traits for PrivateKey, I've implemented them explicitly. Not sure if that is correct way to do that.

    I've added --with-ed25519 option to deploy.py, and tested on nrf52840_dongle with openssh (ssh-keygen -t ed25519-sk) with PIN both enabled and disabled. I'm not sure is there is some webauthn test site which allows selecting specific crypto algorithm, would appreciate any pointers.

    opened by egor-duda 12
  • Should clear all credentials/PIN after flashing the new firmware?

    Should clear all credentials/PIN after flashing the new firmware?

    Currently, after you flash a new firmware to OpenSK, existing PIN/credentials (resident or non-resident) are still valid, you can still use them to authenticate to online services.

    Should OpenSK clear all existing Credentials(resident or non-resident), PIN and other security parameters if it has been updated to the new firmware?

    question 
    opened by geofli 12
  • OpenSK firmware can not work well with nRF52840 dongle after 2e419fe77b37255778fe13166cdc891caee3b334

    OpenSK firmware can not work well with nRF52840 dongle after 2e419fe77b37255778fe13166cdc891caee3b334

    Expected Behavior

    Before (include) 2e419fe77b37255778fe13166cdc891caee3b334, when insert nRF52840 USB dongle to USB port, LEDs are off. When receiving CTAP2/U2F command, LEDs will blink and wait for user presence. After user press the button, it response correctly.

    Actual Behavior

    Now (after 2e419fe77b37255778fe13166cdc891caee3b334), after insert to USB port, LEDs are blinking even if it is in idle. OpenSK does not work after user presses button.

    Steps to Reproduce the Problem

    1. Download firmware to nRF52840 dongle as usual.
    2. Replug it to USB port, take a look at the LED status, they are blinking, different from before.
    3. Test it on https://webauthn.io/ or other test website.
    4. Make credential and press button.

    I tested source code from 752bf47ed5caa2265e1d3884a40798fd7a2e95d6 to latest. It has same behavior.

    bug 
    opened by geofli 12
  • Cargo Error:

    Cargo Error: "error[E0635]: unknown feature `proc_macro_span_shrink`" when building.

    Actual Behavior

      When running deploy script(develop branch) to build openSK or erase_storage for nrf52840_dongle with "./deploy.py --board=nrf52840_dongle_dfu --erase_storage --programmer=nordicdfu", it goes wrong showing "error[E0635]: unknown feature 'proc_macro_span_shrink'". More info shows below:

    info: Building example erase_storage Compiling proc-macro2 v1.0.44 Compiling num-iter v0.1.43 Compiling num-rational v0.3.2 error[E0635]: unknown feature 'proc_macro_span_shrink' --> /home/herrscherzero/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.44/src/lib.rs:92:30 | 92 | feature(proc_macro_span, proc_macro_span_shrink) | ^^^^^^^^^^^^^^^^^^^^^^ `error: aborting due to previous error` For more information about this error, try 'rustc --explain E0635'. error: could not compile 'proc-macro2' `To learn more, run the command again with --verbose.` `warning: build failed, waiting for other jobs to finish...` `error: build failed` `fatal: Failed to execute cargo: Command '['cargo', 'build', '--release', '--target=thumbv7em-none-eabi', '--features=with_ctap1', '--example', 'erase_storage']' returned non-zero exit status 101.`

    Specifications

    • Version: f2fac83
    • Platform: Arch Linux (x86_64)
    opened by JunASAKA 0
  • LED flashing light blue after flashing, cannot enter DFU mode

    LED flashing light blue after flashing, cannot enter DFU mode

    Expected Behavior

    Being able to use OpenSK after flashing

    Actual Behavior

    Led flashing light blue rapidly, cannot enter DFU mode by pressing the button while plugging in.

    lsusb output:

    Bus 003 Device 053: ID 1915:521f Nordic Semiconductor ASA OpenSK
    

    dmesg output:

    [ 4676.899717] usb 3-1: new full-speed USB device number 53 using xhci_hcd
    [ 4677.081222] usb 3-1: New USB device found, idVendor=1915, idProduct=521f, bcdDevice= 0.01
    [ 4677.081233] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [ 4677.081238] usb 3-1: Product: OpenSK
    [ 4677.081242] usb 3-1: Manufacturer: Nordic Semiconductor ASA
    [ 4677.081245] usb 3-1: SerialNumber: v1.0
    [ 4677.085530] hid-generic 0003:1915:521F.0031: hiddev96,hidraw6: USB HID v1.10 Device [Nordic Semiconductor ASA OpenSK] on usb-0000:00:14.0-1/input0
    

    Steps to Reproduce the Problem

    1. git clone https://github.com/google/OpenSK.git
    2. curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs/ | sh
    3. source $HOME/ .cargo/env
    4. cd OpenSK
    5. ./setup.sh
    6. ./deploy.py --board=nrf52840_mdk_dfu --opensk --programmer=none
    7. python3 uf2conv.py -c -f 0xada52840 -o target/opensk.uf2 target/nrf52840_mdk_dfu_merged.hex
    8. Copy opensk.uf2 to usb dongle

    Specifications

    • Version: a79abc2
    • Platform: nRF52840-MDK
    opened by Tiebe 1
  • cargo_clippy github workflow fails on forked repo

    cargo_clippy github workflow fails on forked repo

    After pushing changes to fork repo, cargo_clippy workflow fails with error "Resource not accessible by integration", see e.g. https://github.com/egor-duda/OpenSK/actions/runs/2547812258 This also hides real clippy errors because next run: cargo clippy ... command is not run after actions-rs/clippy-check failure.

    This is caused by actions-rs/clippy-check#2, due to inability of clippy-check to add annotations, while running with read-only token.

    Adding check for running clippy-check action only in main repo fixes this issue, and starts reporting cargo clippy errors in forked repos

    diff --git a/.github/workflows/cargo_clippy.yml b/.github/workflows/cargo_clippy.yml
    index 7d10e1c..ac4e08d 100644
    --- a/.github/workflows/cargo_clippy.yml
    +++ b/.github/workflows/cargo_clippy.yml
    @@ -23,6 +23,7 @@ jobs:
             run: ./setup.sh
     
           - uses: actions-rs/[email protected]
    +        if: github.repository == 'google/OpenSK'
             with:
               token: ${{ secrets.GITHUB_TOKEN }}
               args: --all-targets --features std
    
    
    bug 
    opened by egor-duda 1
  • Configure in deploy with vendor_hid

    Configure in deploy with vendor_hid

    The configure command currently only supports the first usage page. However, we only accept it from vendor_hid if the compile flag is set. We can either:

    • Allow the vendor configure command on both usage pages.
    • Implement a flag in our configure script to run on either usage page.

    The latter could be tricky, since we rely on libfido, and they only speak with the correct FIDO usage page OOTB.

    bug 
    opened by kaczmarczyck 0
  • Implementing OpenSK-based FIDO2 emulator for QEMU

    Implementing OpenSK-based FIDO2 emulator for QEMU

    I've made a quick-and-dirty prototype of virtual FIDO2 authenticator for QEMU using OpenSK application. The purpose is similar to #288, but instead of creating a CTAP library and linking it into QEMU, I've patched QEMU to add a fido2 device, which uses socket-connected chardev. Then I've modified main OpenSK application to listen on a unix socket and, after connection from QEMU, to process all CTAP requests/responses via that socket connection.

    To go beyond prototype, I suppose I have to:

    1. Create separate NonEmbeddedEnv (naming suggestions are welcome) for running on non-embedded OS
    2. Implement file-based storage for persistent authenticator data. Currently I've used TestEnv with its BufferStorage, which means that master key is being lost after OpenSK application restart, making all previously created credentials invalid
    3. Move main protocol I/O function from loop in src/main.rs to Env, and implement socket- or stdio- based I/O in NonEmbeddedEnv
    4. Implement user-presence checking in new NonEmbeddedEnv

    Obviously, all this new NonEmbeddedEnv stuff should not be compiled in when building token-targeted version of an application.

    Is this a viable plan?

    enhancement 
    opened by egor-duda 10
Releases(ctap2.0)
  • ctap2.0(Jun 23, 2021)

    Except for some bugfixes that we applied after and which don't alter the CTAP2 behavior, this is the firmware that we had certified by the FIDO Alliance running on the Nordic nRF52840 dongle board.

    Source code(tar.gz)
    Source code(zip)
Owner
Google
Google ❤️ Open Source
Google
A paseto implementation in rust.

Paseto Rust Paseto is everything you love about JOSE (JWT, JWE, JWS) without any of the many design deficits that plague the JOSE standards. This is d

Instructure, Inc. 145 Sep 14, 2022
ROCCA cipher implementation for Rust.

ROCCA for Rust This is a Rust implementation of the ROCCA authenticated cipher, ported from the Zig implementation. ROCCA is key committing, has a 256

Frank Denis 5 Sep 13, 2022
RSA implementation in pure Rust

RSA A portable RSA implementation in pure Rust. ⚠️ WARNING: This crate has been audited by a 3rd party, but a full blog post with the results and the

Rust Crypto 310 Sep 19, 2022
An implementation for an authentication API for Rocket applications.

rocket_auth rocket_auth provides a ready-to-use backend agnostic API for authentication management. For more information visit the documentation at ht

null 53 Sep 15, 2022
An implementation of webauthn components for Rustlang servers

Webauthn-rs Webauthn is a modern approach to hardware based authentication, consisting of a user with an authenticator device, a browser or client tha

Kanidm 188 Sep 24, 2022
A minimal jwt implementation for OIDC

Compact JWT Json Web Tokens (JWT) are a popular method for creating signed transparent tokens that can be verified by clients and servers. They are en

Kanidm 4 Dec 29, 2021
WebCipher - JWT encryption/decryption algorithms + a JWK Store implementation

webcipher provides JWT authentication utilities and storage mechanism for caching keys and optimizing decryption/encryption processes.

Wavy 1 May 1, 2022
Fast, simple and REST compliant file-server with public/private key authentication written in Rust

stormi Stormi is a fast and simple file-server with public/private key authentication How does it work? Stormi accepts multipart/form-data form with m

Polygon 2 Aug 5, 2022
Rust library for HTTP authentication. Parses challenge lists, responds to Basic and Digest challenges. Likely to be extended with server support and additional auth schemes.

Rust library for HTTP authentication. Parses challenge lists, responds to Basic and Digest challenges. Likely to be extended with server support and a

Scott Lamb 3 Jun 10, 2022
Tools for manipulating JSON Web Tokens, JWS, JWE, and JWK in Rust

Rusty JWT Tools A collection of JWT utilities. This repository is part of the source code of Wire. You can find more information at wire.com or by con

Wire Swiss GmbH 2 Sep 3, 2022
Highly flexible library to manage and orchestrate JWT workflow

JWT Vault Highly flexible library to manage and orchestrate JWT workflow Examples | Website | Chat TODO Add more examples Improve coverage Features Ma

Saurav Gupta 62 Aug 17, 2022
A OAuth2 server library, for use in combination with actix or other frontends, featuring a set of configurable and pluggable backends.

oxide-auth A OAuth2 server library, for use in combination with common web servers, featuring a set of configurable and pluggable backends. About oxid

null 435 Sep 17, 2022
Decode, explore, and sign JWTs

JWT Explorer A utility for inspecting, modifying, and attacking JWTs. Supports Windows and Linux and probably also works on macOS but this has not bee

David Young 10 Jun 16, 2022
Simple backend app with Actix-web, JWT and MongoDB

Actix Web JWT Example Simple backend app with Actix-web, JWT and MongoDB (JWT Token, Protect Route, Login & Register) While developing the web service

Emre 113 Sep 7, 2022
JWT lib in rust

jsonwebtoken API documentation on docs.rs See JSON Web Tokens for more information on what JSON Web Tokens are. Installation Add the following to Carg

Vincent Prouillet 994 Sep 15, 2022
Example application using a Vue frontend with Rust backend that has authentication + authorization.

This project contains a Rust server that serves a single page application and has authentication + JWT-based authorization.

null 41 Sep 15, 2022
Authorization Server with Rust using Tonic

authorization-server Authorization Server with Rust using Tonic. Function implemented User registration and profile store Change password Login Token

sora 3 Oct 5, 2021
Extensible, strongly-typed Rust OAuth2 client library

OAuth2 An extensible, strongly-typed implementation of OAuth2 (RFC 6749). Documentation is available on docs.rs. Release notes are available on GitHub

David Ramos 535 Sep 15, 2022
An auth system/library for Rust applications

Rust : Forbidden (WIP) An experimental auth library for Rust applications. Goals This crate is to define a common set of traits and idioms to provide

Mario Montoya 8 May 23, 2022