ctap

package module
v0.0.0-...-a896e00 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 20, 2024 License: MIT Imports: 14 Imported by: 0

README

Go Library for FIDO CTAP2

Go Reference Go Report Card

Introduction

This library implements FIDO Client to Authenticator Protocol(CTAP) 2.1.

Installation

go get github.com/tpc3/go-ctap

Features

  • Command request and response struct
  • Command function
  • PinUvAuth utility
  • wrap PC/SC card

CTAP1 isn't implemented

Usage

Get device
  • NFC: call ctap_pcsc.NewDevice(card *scard.Card)
  • USB: WIP
Get PinUvAuthToken

call (ctap.Device).GetPinUvAuthToken(permission, rpId, pin)

Call CTAP commands

call (ctap.Device).<command_name>

Read example directory to get more usage.

Documentation

Index

Constants

View Source 
const AuthenticatorClientPINCommandId uint8 = 0x06
View Source 
const AuthenticatorCredentialManagementCommandId uint8 = 0x0A
View Source 
const AuthenticatorGetAssertionCommandId uint8 = 0x02
View Source 
const AuthenticatorGetInfoCommandId uint8 = 0x04
View Source 
const AuthenticatorGetNextAssertionCommandId uint8 = 0x08
View Source 
const AuthenticatorMakeCredentialCommandId uint8 = 0x01

Variables

View Source 
var ErrCTAPStatus = errors.New("CTAP status code")
View Source 
var ErrProtocolUnsupported = errors.New("protocol unsupported")

Functions

This section is empty.

Types

type AuthenticatorCTAPVersion 

type AuthenticatorCTAPVersion string
const (
	AuthenticatorCTAPVersion1       AuthenticatorCTAPVersion = "U2F_V2"
	AuthenticatorCTAPVersion2_0     AuthenticatorCTAPVersion = "FIDO_2_0"
	AuthenticatorCTAPVersion2_1_PRE AuthenticatorCTAPVersion = "FIDO_2_1_PRE"
	AuthenticatorCTAPVersion2_1     AuthenticatorCTAPVersion = "FIDO_2_1"
)

type AuthenticatorClientPINRequest 

type AuthenticatorClientPINRequest struct {
	// Optional
	PinUvAuthProtocol uint `cbor:"1,keyasint,omitempty"`
	// Required
	SubCommand AuthenticatorClientPINRequestSubCommand `cbor:"2,keyasint"`
	// Optional
	KeyAgreement *PinUvAuthProtocolKey `cbor:"3,keyasint,omitempty"`
	// Optional
	PinUvAuthParam []byte `cbor:"4,keyasint,omitempty"`
	// Optional
	NewPinEnc []byte `cbor:"5,keyasint,omitempty"`
	// Optional
	PinHashEnc []byte `cbor:"6,keyasint,omitempty"`
	// Optional
	Permissions PinUvAuthTokenPermission `cbor:"4,keyasint,omitempty"`
	// Optional
	RPID string `cbor:"10,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

type AuthenticatorClientPINRequestOptions 

type AuthenticatorClientPINRequestOptions struct {
	UP bool  `cbor:"up,omitempty"`
	UV *bool `cbor:"uv,omitempty"`
}

type AuthenticatorClientPINRequestSubCommand 

type AuthenticatorClientPINRequestSubCommand uint
const (
	AuthenticatorClientPINRequestSubCommandGetPINRetries                            AuthenticatorClientPINRequestSubCommand = 0x01
	AuthenticatorClientPINRequestSubCommandGetKeyAgreement                          AuthenticatorClientPINRequestSubCommand = 0x02
	AuthenticatorClientPINRequestSubCommandSetPIN                                   AuthenticatorClientPINRequestSubCommand = 0x03
	AuthenticatorClientPINRequestSubCommandChangePIN                                AuthenticatorClientPINRequestSubCommand = 0x04
	AuthenticatorClientPINRequestSubCommandGetPINToken                              AuthenticatorClientPINRequestSubCommand = 0x05
	AuthenticatorClientPINRequestSubCommandGetPinUvAuthTokenUsingUvWithPermissions  AuthenticatorClientPINRequestSubCommand = 0x06
	AuthenticatorClientPINRequestSubCommandGetUVRetries                             AuthenticatorClientPINRequestSubCommand = 0x07
	AuthenticatorClientPINRequestSubCommandGetPinUvAuthTokenUsingPinWithPermissions AuthenticatorClientPINRequestSubCommand = 0x09
)

type AuthenticatorClientPINResponse 

type AuthenticatorClientPINResponse struct {
	// Optional
	KeyAgreement *PinUvAuthProtocolKey `cbor:"1,keyasint,omitempty"`
	// Optional
	PinUvAuthToken []byte `cbor:"2,keyasint,omitempty"`
	// Optional
	PinRetries uint `cbor:"3,keyasint,omitempty"`
	// Optional
	PowerCycleState bool `cbor:"4,keyasint,omitempty"`
	// Optional
	UvRetries uint `cbor:"5,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

type AuthenticatorCredentialManagementRequest 

type AuthenticatorCredentialManagementRequest struct {
	SubCommand        AuthenticatorCredentialManagementRequestSubCommand        `cbor:"1,keyasint"`
	SubCommandParams  *AuthenticatorCredentialManagementRequestSubCommandParams `cbor:"2,keyasint,omitempty"`
	PinUvAuthProtocol uint                                                      `cbor:"3,keyasint,omitempty"`
	PinUvAuthParam    []byte                                                    `cbor:"4,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

type AuthenticatorCredentialManagementRequestSubCommand 

type AuthenticatorCredentialManagementRequestSubCommand uint
const (
	AuthenticatorCredentialManagementRequestSubCommandGetCredsMetadata                     AuthenticatorCredentialManagementRequestSubCommand = 0x01
	AuthenticatorCredentialManagementRequestSubCommandEnumlateRPsBegin                     AuthenticatorCredentialManagementRequestSubCommand = 0x02
	AuthenticatorCredentialManagementRequestSubCommandEnumlateRPsGetNextRP                 AuthenticatorCredentialManagementRequestSubCommand = 0x03
	AuthenticatorCredentialManagementRequestSubCommandEnumlateCredentialsBegin             AuthenticatorCredentialManagementRequestSubCommand = 0x04
	AuthenticatorCredentialManagementRequestSubCommandEnumlateCredentialsGetNextCredential AuthenticatorCredentialManagementRequestSubCommand = 0x05
	AuthenticatorCredentialManagementRequestSubCommandDeleteCredential                     AuthenticatorCredentialManagementRequestSubCommand = 0x06
	AuthenticatorCredentialManagementRequestSubCommandUpdateUserInformation                AuthenticatorCredentialManagementRequestSubCommand = 0x07
)

type AuthenticatorCredentialManagementRequestSubCommandParams 

type AuthenticatorCredentialManagementRequestSubCommandParams struct {
	RPIDHash     []byte                              `cbor:"1,keyasint,omitempty"`
	CredentialID *fido.PublicKeyCredentialDescriptor `cbor:"2,keyasint,omitempty"`
	User         *fido.PublicKeyCredentialUserEntity `cbor:"3,keyasint,omitempty"`
}

type AuthenticatorCredentialManagementResponse 

type AuthenticatorCredentialManagementResponse struct {
	ExistingResidentCredentialsCount             uint                               `cbor:"1,keyasint,omitempty"`
	MaxPossibleRemainingResidentCredentialsCount uint                               `cbor:"2,keyasint,omitempty"`
	RP                                           fido.PublicKeyCredentialRpEntity   `cbor:"3,keyasint,omitempty"`
	RPIDHash                                     []byte                             `cbor:"4,keyasint,omitempty"`
	TotalRPs                                     uint                               `cbor:"5,keyasint,omitempty"`
	User                                         fido.PublicKeyCredentialUserEntity `cbor:"6,keyasint,omitempty"`
	CredentialID                                 fido.PublicKeyCredentialDescriptor `cbor:"7,keyasint,omitempty"`
	PublicKey                                    *cose.Key                          `cbor:"8,keyasint,omitempty"`
	TotalCredentials                             uint                               `cbor:"9,keyasint,omitempty"`
	CredProtect                                  uint                               `cbor:"10,keyasint,omitempty"`
	LargeBlobKey                                 []byte                             `cbor:"11,keyasint,omitempty"`
	ThirdPartyPayment                            bool                               `cbor:"12,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

type AuthenticatorGetAssertionRequest 

type AuthenticatorGetAssertionRequest struct {
	// Required
	RPID string `cbor:"1,keyasint"`
	// Required
	ClientDataHash []byte `cbor:"2,keyasint"`
	// Optional
	AllowList []fido.PublicKeyCredentialDescriptor `cbor:"3,keyasint,omitempty"`
	// Optional
	Extensions map[string]interface{} `cbor:"4,keyasint,omitempty"`
	// Optional
	Options AuthenticatorGetAssertionRequestOptions `cbor:"5,keyasint,omitempty"`
	// Optional
	PinUvAuthParam []byte `cbor:"6,keyasint,omitempty"`
	// Optional
	PinUvAuthProtocol uint `cbor:"7,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

type AuthenticatorGetAssertionRequestOptions 

type AuthenticatorGetAssertionRequestOptions struct {
	UP bool  `cbor:"up,omitempty"`
	UV *bool `cbor:"uv,omitempty"`
}

type AuthenticatorGetAssertionResponse 

type AuthenticatorGetAssertionResponse struct {
	// Required
	Credential fido.PublicKeyCredentialDescriptor `cbor:"1,keyasint"`
	// Required
	// Can be Decoded by AuthenticatorData.UnmarshalBinary()
	AuthData []byte `cbor:"2,keyasint"`
	// Required
	Signature []byte `cbor:"3,keyasint"`
	// Optional
	User fido.PublicKeyCredentialUserEntity `cbor:"4,keyasint,omitempty"`
	// Optional
	NumberOfCredentials int `cbor:"5,keyasint,omitempty"`
	// Optional
	UserSelected bool `cbor:"6,keyasint,omitempty"`
	// Optional
	LargeBlobKey []byte `cbor:"7,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

type AuthenticatorGetInfoResopnseOptionID 

type AuthenticatorGetInfoResopnseOptionID string

type AuthenticatorGetInfoResponse 

type AuthenticatorGetInfoResponse struct {
	// Required
	Version []string `cbor:"1,keyasint"`
	// Optional
	Extensions []string `cbor:"2,keyasint,omitempty"`
	// Required
	AAGUID []byte `cbor:"3,keyasint"`
	// Optional
	Options map[AuthenticatorGetInfoResopnseOptionID]bool `cbor:"4,keyasint,omitempty"`
	// Optional
	MaxMsgSize uint `cbor:"5,keyasint,omitempty"`
	// Optional
	PinUvAuthProtocols []uint `cbor:"6,keyasint,omitempty"`
	// Optional
	MaxCredentialCountInList uint `cbor:"7,keyasint,omitempty"`
	// Optional
	MaxCredentialIdLength uint `cbor:"8,keyasint,omitempty"`
	// Optional
	Transports []string `cbor:"9,keyasint,omitempty"`
	// Optional
	Algorithms []fido.PublicKeyCredentialParameters `cbor:"10,keyasint,omitempty"`
	// Optional
	MaxSerializedLargeBlobArray uint `cbor:"11,keyasint,omitempty"`
	// Optional
	ForcePINChange bool `cbor:"12,keyasint,omitempty"`
	// Optional
	MinPINLength uint `cbor:"13,keyasint,omitempty"`
	// Optional
	FirmwareVersion uint `cbor:"14,keyasint,omitempty"`
	// Optional
	MaxCredBlobLength uint `cbor:"15,keyasint,omitempty"`
	// Optional
	MaxRPIDsForSetMinPINLength uint `cbor:"16,keyasint,omitempty"`
	// Optional
	PreferredPlatformUvAttempts uint `cbor:"17,keyasint,omitempty"`
	// Optional
	UvModality uint `cbor:"18,keyasint,omitempty"`
	// Optional
	Certifications map[any]any `cbor:"19,keyasint,omitempty"`
	// Optional
	RemainingDiscoverableCredentials uint `cbor:"20,keyasint,omitempty"`
	// Optional
	VendorPrototypeConfigCommands []uint `cbor:"21,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

func (*AuthenticatorGetInfoResponse) IsOptionTrue 

func (i *AuthenticatorGetInfoResponse) IsOptionTrue(option AuthenticatorGetInfoResopnseOptionID) bool

type AuthenticatorMakeCredentialRequest 

type AuthenticatorMakeCredentialRequest struct {
	// Required
	ClientDataHash []byte `cbor:"1,keyasint"`
	// Required
	RP fido.PublicKeyCredentialRpEntity `cbor:"2,keyasint"`
	// Required
	User fido.PublicKeyCredentialUserEntity `cbor:"3,keyasint"`
	// Required
	PubKeyCredParams []fido.PublicKeyCredentialParameters `cbor:"4,keyasint"`
	// Optional
	ExcludeList []fido.PublicKeyCredentialDescriptor `cbor:"5,keyasint,omitempty"`
	// Optional
	Extensions map[string]interface{} `cbor:"6,keyasint,omitempty"`
	// Optional
	Options AuthenticatorMakeCredentialRequestOptions `cbor:"7,keyasint,omitempty"`
	// Optional
	PinUvAuthParam []byte `cbor:"8,keyasint,omitempty"`
	// Optional
	PinUvAuthProtocol uint `cbor:"9,keyasint,omitempty"`
	// Optional
	EnterpriseAttestation uint `cbor:"10,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

type AuthenticatorMakeCredentialRequestOptions 

type AuthenticatorMakeCredentialRequestOptions struct {
	RK bool  `cbor:"rk,omitempty"`
	UP bool  `cbor:"up,omitempty"`
	UV *bool `cbor:"uv,omitempty"`
}

type AuthenticatorMakeCredentialResponse 

type AuthenticatorMakeCredentialResponse struct {
	// Required
	Fmt string `cbor:"1,keyasint"`
	// Required
	// Can be Decoded by AuthenticatorData.UnmarshalBinary()
	AuthData []byte `cbor:"2,keyasint"`
	// Required
	AttStmt cbor.RawMessage `cbor:"3,keyasint"`
	// Optional
	EpAtt bool `cbor:"4,keyasint,omitempty"`
	// Optional
	LargeBlobKey []byte `cbor:"5,keyasint,omitempty"`
}

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

type CTAPStatusError 

type CTAPStatusError uint8

func (CTAPStatusError) Error 

func (e CTAPStatusError) Error() string

func (CTAPStatusError) GetName 

func (e CTAPStatusError) GetName() string

func (CTAPStatusError) Unwrap 

func (e CTAPStatusError) Unwrap() error

type Device 

type Device struct {
	DeviceImpl
	Info              *AuthenticatorGetInfoResponse
	PinUVAuthProtocol PinUVAuthProtocol
}

func (*Device) ClientPIN 

func (d *Device) ClientPIN(req AuthenticatorClientPINRequest) (resp *AuthenticatorClientPINResponse, err error)

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authnrClientPin-cmd-dfn

func (*Device) CredentialManagement 

func (d *Device) CredentialManagement(req AuthenticatorCredentialManagementRequest) (resp *AuthenticatorCredentialManagementResponse, err error)

https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#authenticatorCredentialManagement

func (*Device) GetAssertion 

func (d *Device) GetAssertion(req AuthenticatorGetAssertionRequest) (resp *AuthenticatorGetAssertionResponse, err error)

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorGetAssertion

func (*Device) GetInfo 

func (d *Device) GetInfo() (resp *AuthenticatorGetInfoResponse, err error)

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorGetInfo

func (*Device) GetNextAssertion 

func (d *Device) GetNextAssertion(req AuthenticatorGetAssertionRequest) (resp *AuthenticatorGetAssertionResponse, err error)

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorGetNextAssertion

func (*Device) GetPinUvAuthToken 

func (d *Device) GetPinUvAuthToken(permission PinUvAuthTokenPermission, rpID string, pin string) ([]byte, error)

rpId is optional(can be empty) to use UV, pin == ""

func (*Device) Init 

func (d *Device) Init() error

func (*Device) MakeCredential 

func (d *Device) MakeCredential(req AuthenticatorMakeCredentialRequest) (resp *AuthenticatorMakeCredentialResponse, err error)

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential

func (*Device) PrototypeCredentialManagement 

func (d *Device) PrototypeCredentialManagement(req AuthenticatorCredentialManagementRequest) (resp *AuthenticatorCredentialManagementResponse, err error)

Superseded https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#prototypeAuthenticatorCredentialManagement

type DeviceImpl 

type DeviceImpl interface {
	Init() error
	SendCommand(command byte, data []byte) ([]byte, error)
}

type PinUVAuthProtocol 

type PinUVAuthProtocol interface {
	Version() uint
	Initialize()
	Encapsulate(*PinUvAuthProtocolKey) (*PinUvAuthProtocolKey, []byte, error)
	Encrypt([]byte, []byte) []byte
	Decrypt([]byte, []byte) ([]byte, error)
	Authenticate([]byte, []byte) []byte
}

type PinUVAuthProtocol1 

type PinUVAuthProtocol1 struct {
	KeyAgreementKey *ecdsa.PrivateKey
	PinUvAuthToken  []byte
}

func (*PinUVAuthProtocol1) Authenticate 

func (p *PinUVAuthProtocol1) Authenticate(key []byte, message []byte) []byte

func (*PinUVAuthProtocol1) Decrypt 

func (p *PinUVAuthProtocol1) Decrypt(key []byte, demCipherText []byte) ([]byte, error)

func (*PinUVAuthProtocol1) Encapsulate 

func (p *PinUVAuthProtocol1) Encapsulate(peerCoseKey *PinUvAuthProtocolKey) (*PinUvAuthProtocolKey, []byte, error)

func (*PinUVAuthProtocol1) Encrypt 

func (p *PinUVAuthProtocol1) Encrypt(key []byte, demPlainText []byte) []byte

func (*PinUVAuthProtocol1) Initialize 

func (p *PinUVAuthProtocol1) Initialize()

func (*PinUVAuthProtocol1) Version 

func (p *PinUVAuthProtocol1) Version() uint

type PinUVAuthProtocol2 

type PinUVAuthProtocol2 struct {
	KeyAgreementKey *ecdsa.PrivateKey
	PinUvAuthToken  []byte
}

func (*PinUVAuthProtocol2) Authenticate 

func (p *PinUVAuthProtocol2) Authenticate(key []byte, message []byte) []byte

func (*PinUVAuthProtocol2) Decrypt 

func (p *PinUVAuthProtocol2) Decrypt(key []byte, demCipherText []byte) ([]byte, error)

func (*PinUVAuthProtocol2) Encapsulate 

func (p *PinUVAuthProtocol2) Encapsulate(peerCoseKey *PinUvAuthProtocolKey) (*PinUvAuthProtocolKey, []byte, error)

func (*PinUVAuthProtocol2) Encrypt 

func (p *PinUVAuthProtocol2) Encrypt(key []byte, demPlainText []byte) []byte

func (*PinUVAuthProtocol2) Initialize 

func (p *PinUVAuthProtocol2) Initialize()

func (*PinUVAuthProtocol2) Version 

func (p *PinUVAuthProtocol2) Version() uint

type PinUvAuthProtocolKey 

type PinUvAuthProtocolKey struct {
	*cose.Key
}

func (*PinUvAuthProtocolKey) UnmarshalCBOR 

func (k *PinUvAuthProtocolKey) UnmarshalCBOR(data []byte) error

type PinUvAuthTokenPermission 

type PinUvAuthTokenPermission uint

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#gettingPinUvAuthToken 

const (
	PinUvAuthTokenPermissionMakeCredential             PinUvAuthTokenPermission = 0x01
	PinUvAuthTokenPermissionGetAssertion               PinUvAuthTokenPermission = 0x02
	PinUvAuthTokenPermissionCredentialManagement       PinUvAuthTokenPermission = 0x04
	PinUvAuthTokenPermissionBioEnrollment              PinUvAuthTokenPermission = 0x08
	PinUvAuthTokenPermissionLargeBlobWrite             PinUvAuthTokenPermission = 0x10
	PinUvAuthTokenPermissionAuthenticatorConfiguration PinUvAuthTokenPermission = 0x20
)

Source Files

View all Source files

Directories

Path Synopsis
example
cmd command
pcsc command
impl
ctap_pcsc

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.