Module webauthn_authenticator_rs::ctap2

Available on crate feature ctap2 only.

This package provides a CTAP 2.0, CTAP 2.1-PRE and CTAP 2.1 protocol implementation on top of Token, allowing you to interface with FIDO authenticators.

The main interface for this package is CtapAuthenticator.

Warning

This is “alpha” quality code: it still a work in progress, and missing core functionality.

There are edge cases that which cause you to be locked out of your authenticator.

The API is not final, and subject to change without warning.

Known issues

There are many limitations with this implementation, which are intended to be addressed in the future:

• lock-outs aren’t handled; this will just use up all your PIN and UV retries without warning, potentially locking you out.

  This also doesn’t fall-back to PIN auth if UV (fingerprint) auth is locked out.

• multiple authenticators doesn’t work particularly well, and connecting devices while an action is in progress doesn’t work

• cancellations and timeouts

• session management (re-using pin_uv_auth_token)

• U2F compatibility and fall-back

• secured state

Many CTAP2 features are unsupported:

• creating and using discoverable credentials

• large blobs (authenticatorLargeBlobs)

• enterprise attestation

• request extensions

Features

• Basic registration and authentication with a CLI interface (or implement your own)

• Bluetooth Low Energy, caBLE / Hybrid, NFC and USB HID authenticators

• CTAP 2.1 and NFC authenticator selection

• Fingerprint (biometric) authentication, enrollment and management (CTAP 2.1 and 2.1-PRE)

• Built-in user verification

• Setting and changing device PINs

• PIN/UV Auth Protocol One and Protocol Two, getPinToken, getPinUvAuthTokenUsingPinWithPermissions, and getPinUvAuthTokenUsingUvWithPermissions

• Factory-resetting authenticators

• configuring user verification and minimum PIN length requirements

• managing discoverable credentials

Examples

• webauthn-authenticator-rs/examples/authenticate.rs works with any crate::AuthenticatorBackend, including CtapAuthenticator.

• fido-key-manager will connect to a key, pull hardware information, and let you reconfigure the key (reset, PIN, fingerprints, etc.)

Device-specific issues

• Some YubiKey USB tokens provide a USB CCID (smartcard) interface, in addition to a USB HID FIDO interface, which will be detected as an “NFC reader”.

  This only provides access to the PIV, OATH or OpenPGP applets, not FIDO.

  Use USBTransport for these tokens.

Platform-specific issues

See fido-key-manager/README.md.

Modules

• commands
  CTAP 2 commands.

Structs

• Ctap20Authenticator
  CTAP 2.0 protocol implementation.
• Ctap21Authenticator
  CTAP 2.1 protocol implementation.
• Ctap21PreAuthenticator
  CTAP 2.1-PRE protocol implementation.
• GetInfoResponse
  authenticatorGetInfo response type.

Enums

• CtapAuthenticator
  Abstraction for different versions of the CTAP2 protocol.

Traits

• BiometricAuthenticatorctap2-management
  Biometric management commands for Ctap21Authenticator and Ctap21PreAuthenticator.
• CBORCommand
  Common trait for all CBOR commands.
• CBORResponse
  Common trait for all CBOR responses.
• CredentialManagementAuthenticatorctap2-management
  CTAP 2.1 and 2.1-PRE discoverable credential management commands.
• SoloKeyAuthenticatorvendor-solokey
  SoloKey (Trussed) vendor-specific commands.
• YubiKeyAuthenticatorvendor-yubikey
  YubiKey vendor-specific commands.

Functions

• select_one_device
  Selects an authenticator device to use from a TokenEvent stream.
• select_one_device_predicate
  Selects an authenticator device to use from a TokenEvent stream.
• select_one_device_version
  Selects an authenticator device to use from a TokenEvent stream, using a specific CTAP version.
• select_one_token
  Selects one Token from an Iterator of Tokens.