Module ctap2

Available on crate feature ctap2 only.

Expand description

This package provides a CTAP 2.0, CTAP 2.1-PRE and CTAP 2.1 protocol implementation on top of Token, allowing you to interface with FIDO authenticators.

The main interface for this package is CtapAuthenticator.

§Warning

This is “alpha” quality code: it still a work in progress, and missing core functionality.

There are edge cases that which cause you to be locked out of your authenticator.

The API is not final, and subject to change without warning.

§Known issues

There are many limitations with this implementation, which are intended to be addressed in the future:

lock-outs aren’t handled; this will just use up all your PIN and UV retries without warning, potentially locking you out.

This also doesn’t fall-back to PIN auth if UV (fingerprint) auth is locked out.
multiple authenticators doesn’t work particularly well, and connecting devices while an action is in progress doesn’t work
cancellations and timeouts
session management (re-using pin_uv_auth_token)
U2F compatibility and fall-back
secured state

Many CTAP2 features are unsupported:

creating and using discoverable credentials
large blobs (authenticatorLargeBlobs)
enterprise attestation
request extensions

§Features

Basic registration and authentication with a CLI interface (or implement your own)
Bluetooth Low Energy, caBLE / Hybrid, NFC and USB HID authenticators
CTAP 2.1 and NFC authenticator selection
Fingerprint (biometric) authentication, enrollment and management (CTAP 2.1 and 2.1-PRE)
Built-in user verification
Setting and changing device PINs
PIN/UV Auth Protocol One and Protocol Two, getPinToken, getPinUvAuthTokenUsingPinWithPermissions, and getPinUvAuthTokenUsingUvWithPermissions
Factory-resetting authenticators
configuring user verification and minimum PIN length requirements
managing discoverable credentials

§Examples

webauthn-authenticator-rs/examples/authenticate.rs works with any crate::AuthenticatorBackend, including CtapAuthenticator.
fido-key-manager will connect to a key, pull hardware information, and let you reconfigure the key (reset, PIN, fingerprints, etc.)

§Device-specific issues

Some YubiKey USB tokens provide a USB CCID (smartcard) interface, in addition to a USB HID FIDO interface, which will be detected as an “NFC reader”.

This only provides access to the PIV, OATH or OpenPGP applets, not FIDO.

Use USBTransport for these tokens.

§Platform-specific issues

See fido-key-manager/README.md.

Modules§

commands: CTAP 2 commands.

Structs§

Ctap20Authenticator: CTAP 2.0 protocol implementation.
Ctap21Authenticator: CTAP 2.1 protocol implementation.
Ctap21PreAuthenticator: CTAP 2.1-PRE protocol implementation.
GetInfoResponse: authenticatorGetInfo response type.

Enums§

CtapAuthenticator: Abstraction for different versions of the CTAP2 protocol.

Traits§

BiometricAuthenticatorctap2-management: Biometric management commands for Ctap21Authenticator and Ctap21PreAuthenticator.
CBORCommand: Common trait for all CBOR commands.
CBORResponse: Common trait for all CBOR responses.
CredentialManagementAuthenticatorctap2-management: CTAP 2.1 and 2.1-PRE discoverable credential management commands.
SoloKeyAuthenticatorvendor-solokey: SoloKey (Trussed) vendor-specific commands.
YubiKeyAuthenticatorvendor-yubikey: YubiKey vendor-specific commands.

Functions§

select_one_device: Selects an authenticator device to use from a TokenEvent stream.
select_one_device_predicate: Selects an authenticator device to use from a TokenEvent stream.
select_one_device_version: Selects an authenticator device to use from a TokenEvent stream, using a specific CTAP version.
select_one_token: Selects one Token from an Iterator of Tokens.

Module ctap2Copy item path