libwebauthn 0.6.0

FIDO2 (WebAuthn) and FIDO U2F platform library for Linux written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

# libwebauthn

A Linux-native implementation of FIDO2 and FIDO U2F Platform API, fully written in Rust.

This library supports multiple transports (see [Transports](#Transports) for a list) via a pluggable interface, making it easy to add additional backends.

## Credentials for Linux Project

This repository is now part of the [Credentials for Linux][linux-credentials] project, and was previously known as **xdg-credentials-portal**.

The [Credentials for Linux][linux-credentials] project aims to offer FIDO2 platform functionality (FIDO U2F, and WebAuthn) on Linux, over a [D-Bus Portal interface][xdg-portal].

_Looking for the D-Bus API proposal?_ Check out [credentialsd][credentialsd].

## Features

- FIDO U2F
  - ๐ŸŸข Registration (U2F_REGISTER)
  - ๐ŸŸข Authentication (U2F_AUTHENTICATE)
  - ๐ŸŸข Version (U2F_VERSION)
- FIDO2
  - ๐ŸŸข Create credential
  - ๐ŸŸข Verify assertion
  - ๐ŸŸข Biometric user verification
  - ๐ŸŸข Discoverable credentials (resident keys)
  - ๐ŸŸข Related origins (WebAuthn L3 ยง5.11)
- FIDO2 to FIDO U2F downgrade
  - ๐ŸŸข Basic functionality
  - ๐ŸŸข Support for excludeList and pre-flight requests
- PIN/UV Protocols
  - ๐ŸŸข PIN/UV Auth Protocol One
  - ๐ŸŸข PIN/UV Auth Protocol Two
- PIN/UV Operations
  - ๐ŸŸข GetPinToken
  - ๐ŸŸข GetPinUvAuthTokenUsingPinWithPermissions
  - ๐ŸŸข GetPinUvAuthTokenUsingUvWithPermissions
- [Passkey Authentication][passkeys]
  - ๐ŸŸข Discoverable credentials (resident keys)
  - ๐ŸŸข Hybrid transport (caBLE v2): QR-initiated transactions
  - ๐ŸŸข Hybrid transport (caBLE v2): State-assisted transactions (remember this phone)
  - ๐ŸŸข Hybrid transport (CTAP 2.3): direct BLE L2CAP data channel, QR-initiated, no tunnel server

## Runtime requirements

Validating the relying party ID against the calling origin requires the [Public Suffix List][psl]. The built-in `SystemPublicSuffixList::auto()` loader reads it from the standard system path, probing the binary `.dafsa` format first and falling back to the text `.dat` format. The `publicsuffix` package on Debian/Ubuntu ships both. On Fedora the binary `.dafsa` file is shipped by `publicsuffix-list-dafsa` (a transitive dependency of `libpsl`, so usually already installed), while the text `.dat` file requires the optional `publicsuffix-list` package. On Arch only the text `.dat` format is packaged. Callers wiring their own list don't need a system package.

## Transports

|                              | FIDO U2F              | WebAuthn (FIDO2)      |
| ---------------------------- | --------------------- | --------------------- |
| **USB (HID)**                | ๐ŸŸข Supported (hidapi) | ๐ŸŸข Supported (hidapi) |
| **Bluetooth Low Energy**     | ๐ŸŸข Supported (bluez)  | ๐ŸŸข Supported (bluez)  |
| **NFC**                      | ๐ŸŸข Supported (pcsc or libnfc) | ๐ŸŸข Supported (pcsc or libnfc) |
| **TPM 2.0 (Platform)**       | ๐ŸŸ  Planned ([#4][#4]) | ๐ŸŸ  Planned ([#4][#4]) |
| **CTAP 2.3 hybrid (QR-initiated, BLE only)**    | N/A                   | ๐ŸŸข Supported          |

## Example programs

Examples live in [`libwebauthn/examples/`](libwebauthn/examples) and are grouped by purpose:
`ceremony/` for register and authenticate flows, `features/` for per-feature demos
(extensions, preflight, PRF, device selection), and `management/` for CTAP2 admin
operations. All examples share helpers from `examples/common/`.

```
$ cd libwebauthn
$ git submodule update --init
```

The basic ceremony examples (register + authenticate) cover all transports. The
WebAuthn examples consume and emit JSON per the [WebAuthn IDL][webauthn].

| Transport                        | FIDO U2F                                                                                                                 | WebAuthn (FIDO2) [^ro]                                                                                                                                                          |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **USB (HID)**                    | `cargo run --example u2f_hid`                                                                                            | `cargo run --example webauthn_hid`                                                                                                            |
| **Bluetooth (BLE)**              | `cargo run --example u2f_ble`                                                                                            | `cargo run --example webauthn_ble`                                                                                                            |
| **NFC** [^nfc]                   | `cargo run --features nfc-backend-pcsc --example u2f_nfc`<br>`cargo run --features nfc-backend-libnfc --example u2f_nfc` | `cargo run --features nfc-backend-pcsc --example webauthn_nfc`<br>`cargo run --features nfc-backend-libnfc --example webauthn_nfc` |
| **Hybrid (caBLE v2 + CTAP 2.3)** | โ€”                                                                                                                        | `cargo run --example webauthn_cable`                                                                                                          |
| **Hybrid (caBLE v2)**            | โ€”                                                                                                                        | `cargo run --example webauthn_cable_wss`                                                                                                      |

[^nfc]: `nfc-backend-pcsc` is pure userspace and recommended on most systems. `nfc-backend-libnfc` requires the `libnfc` system library. Both can be enabled together; the first FIDO device found by either backend is used.

[^ro]: The ceremony examples run with related origins disabled (they are same-origin, so it never applies). The bundled reqwest-backed [related-origins](https://www.w3.org/TR/webauthn-3/#sctn-related-origins) source is shown in the `webauthn_related_origins_hid` example below, behind the optional `reqwest-related-origins-source` feature. Consumers that ship their own HTTP stack can implement `HttpClient` or `RelatedOriginsSource` directly.

Additional HID-only examples cover specific FIDO2 features and authenticator management:

```
# WebAuthn extension and preflight demos
$ cargo run --example webauthn_extensions_hid
$ cargo run --example webauthn_preflight_hid
$ cargo run --example webauthn_prf_hid
$ cargo run --example prf_replay -- CREDENTIAL_ID FIRST_PRF_INPUT
$ cargo run --example device_selection_hid

# Related origins (reqwest-backed well-known fetch)
$ cargo run --features reqwest-related-origins-source --example webauthn_related_origins_hid

# CTAP2 authenticator management
$ cargo run --example change_pin_hid
$ cargo run --example bio_enrollment_hid
$ cargo run --example authenticator_config_hid
$ cargo run --example cred_management_hid
```

## Contributing

We welcome contributions!

Join the discussion on Matrix at `#credentials-for-linux:matrix.org`.

If you don't know where to start, check out the _Issues_ tab.

[xdg-portal]: https://flatpak.github.io/xdg-desktop-portal/portal-docs.html
[linux-credentials]: https://github.com/linux-credentials
[credentialsd]: https://github.com/linux-credentials/credentialsd
[webauthn]: https://www.w3.org/TR/webauthn/
[passkeys]: https://fidoalliance.org/passkeys/
[#10]: https://github.com/linux-credentials/libwebauthn/issues/10
[#3]: https://github.com/linux-credentials/libwebauthn/issues/3
[#4]: https://github.com/linux-credentials/libwebauthn/issues/4
[#17]: https://github.com/linux-credentials/libwebauthn/issues/17
[#18]: https://github.com/linux-credentials/libwebauthn/issues/18
[#31]: https://github.com/linux-credentials/libwebauthn/issues/31
[psl]: https://publicsuffix.org/