Webauthn-rs
Webauthn is a modern approach to hardware based authentication, consisting of a user with an authenticator device, a browser or client that interacts with the device, and a server that is able to generate challenges and verify the authenticators validity.
Users are able to enroll their own tokens through a registration process to be associated to their accounts, and then are able to login using the token which performas a cryptographic authentication.
This library aims to provide useful functions and frameworks allowing you to integrate webauthn into rust web servers. This means the library implements the Relying Party component of the FIDO2 workflow. We provide template and example javascript to demonstrate the browser interactions required.
Examples
As this library aims to be usable in a variety of contexts, we have provided examples in the examples folder. These examples should demonstrate secure and valid use, so please report any issues found, and we'd love to see more examples contributed!
Known Supported Keys/Harwdare
- Yubico 5c + MacOS 10.14 + Firefox/Edge
- Yubico 5ci + iPadOS 14 + Safari/Brave
- TouchID + iPadOS + Safari
- Windows Hello + Windows 10 + Chrome
If your key/browser combination don't work (generally due to missing crypto routines) please open an issue so that I can help you generate vectors and add support!
FIDO Compliance
This library has been carefully implemented to follow the w3c standard for webauthn processing to ensure correct behaviour. However, not all elements of the standard are implemented (yet). This means the library is not yet FIDO compliant. It is a goal to improve this library to meet that standard over time as more test vectors and hardware becomes available, but the current focus has been on supporting the most popular key types.
Feedback
The current design of the traits and configuration is open to feedback on how it can be improved - please use this library and contact the project on what can be improved!
Why OpenSSL?
A question I expect is why OpenSSL rather than some other pure-Rust cryptographic providers. There are two major justfications.
The first is that if this library will be used in corporate or major deployments, then cryptographic audits may have to be performed. It is much easier to point toward OpenSSL which has already undergone much more review and auditing than using a series of Rust crates which (while still great!) have not seen the same level of scrutiny.
The second is that OpenSSL is the only library I have found that allows us to reconstruct an EC public key from it's X/Y points or an RSA public key from it's n/e for use with signature verification. Without this, we are not able to parse authenticator credentials to perform authentication.
Resources
- Specification: https://w3c.github.io/webauthn/
- JSON details: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html
- Write up on interactions: https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285