Documentation ¶
Overview ¶
Package u2f implements the server-side parts of the FIDO Universal 2nd Factor (U2F) specification.
Applications will usually persist Challenge and Registration objects in a database.
To enrol a new token:
app_id := "http://localhost" c, _ := NewChallenge(app_id, []string{app_id}) req, _ := u2f.NewWebRegisterRequest(c, existingTokens) // Send the request to the browser. var resp RegisterResponse // Read resp from the browser. reg, err := Register(resp, c) if err != nil { // Registration failed. } // Store reg in the database.
To perform an authentication:
var regs []Registration // Fetch regs from the database. c, _ := NewChallenge(app_id, []string{app_id}) req, _ := c.SignRequest(regs) // Send the request to the browser. var resp SignResponse // Read resp from the browser. new_counter, err := reg.Authenticate(resp, c) if err != nil { // Authentication failed. } reg.Counter = new_counter // Store updated Registration in the database.
The FIDO U2F specification can be found here: https://fidoalliance.org/specifications/download
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrCounterTooLow = errors.New("u2f: counter too low")
ErrCounterTooLow is raised when the counter value received from the device is lower than last stored counter value. This may indicate that the device has been cloned (or is malfunctioning). The application may choose to disable the particular device as precaution.
Functions ¶
This section is empty.
Types ¶
type Challenge ¶
Challenge represents a single transaction between the server and authenticator. This data will typically be stored in a database.
func NewChallenge ¶
NewChallenge generates a challenge for the given application.
func (*Challenge) SignRequest ¶
func (c *Challenge) SignRequest(regs []Registration) *WebSignRequest
SignRequest creates a request to initiate an authentication.
type ClientData ¶
type ClientData struct { Typ string `json:"typ"` Challenge string `json:"challenge"` Origin string `json:"origin"` CIDPubKey json.RawMessage `json:"cid_pubkey"` }
ClientData as defined by the FIDO U2F Raw Message Formats specification.
type Config ¶
type Config struct { // SkipAttestationVerify controls whether the token attestation // certificate should be verified on registration. Ideally it should // always be verified. However, there is currently no public list of // trusted attestation root certificates so it may be necessary to skip. SkipAttestationVerify bool // RootAttestationCertPool overrides the default root certificates used // to verify client attestations. If nil, this defaults to the roots that are // bundled in this library. RootAttestationCertPool *x509.CertPool }
Config contains configurable options for the package.
type JwkKey ¶
type JwkKey struct { KTy string `json:"kty"` Crv string `json:"crv"` X string `json:"x"` Y string `json:"y"` }
JwkKey represents a public key used by a browser for the Channel ID TLS extension.
type RegisterRequest ¶
RegisterRequest as defined by the FIDO U2F Javascript API 1.1.
type RegisterResponse ¶
type RegisterResponse struct { Version string `json:"version"` RegistrationData string `json:"registrationData"` ClientData string `json:"clientData"` }
RegisterResponse as defined by the FIDO U2F Javascript API 1.1.
type RegisteredKey ¶
type RegisteredKey struct { Version string `json:"version"` KeyHandle string `json:"keyHandle"` AppID string `json:"appId"` }
RegisteredKey as defined by the FIDO U2F Javascript API 1.1.
type Registration ¶
type Registration struct { // Raw serialized registration data as received from the token. Raw []byte KeyHandle []byte PubKey ecdsa.PublicKey // AttestationCert can be nil for Authenticate requests. AttestationCert *x509.Certificate }
Registration represents a single enrolment or pairing between an application and a token. This data will typically be stored in a database.
func Register ¶
func Register(resp RegisterResponse, c Challenge, config *Config) (*Registration, error)
Register validates a RegisterResponse message to enrol a new token. An error is returned if any part of the response fails to validate. The returned Registration should be stored by the caller.
func (*Registration) Authenticate ¶
func (reg *Registration) Authenticate(resp SignResponse, c Challenge, counter uint32) (newCounter uint32, err error)
Authenticate validates a SignResponse authentication response. An error is returned if any part of the response fails to validate. The counter should be the counter associated with appropriate device (i.e. resp.KeyHandle). The latest counter value is returned, which the caller should store.
func (*Registration) MarshalBinary ¶
func (r *Registration) MarshalBinary() ([]byte, error)
MarshalBinary implements encoding.BinaryUnmarshaler.
func (*Registration) UnmarshalBinary ¶
func (r *Registration) UnmarshalBinary(data []byte) error
UnmarshalBinary implements encoding.BinaryMarshaler.
type SignResponse ¶
type SignResponse struct { KeyHandle string `json:"keyHandle"` SignatureData string `json:"signatureData"` ClientData string `json:"clientData"` }
SignResponse as defined by the FIDO U2F Javascript API 1.1.
type TrustedFacets ¶
type TrustedFacets struct { Version struct { Major int `json:"major"` Minor int `json:"minor"` } `json:"version"` Ids []string `json:"ids"` }
TrustedFacets as defined by the FIDO AppID and Facet Specification.
type TrustedFacetsEndpoint ¶
type TrustedFacetsEndpoint struct {
TrustedFacets []TrustedFacets `json:"trustedFacets"`
}
TrustedFacetsEndpoint is a container of TrustedFacets. It is used as the response for an appId URL endpoint.
type WebRegisterRequest ¶
type WebRegisterRequest struct { AppID string `json:"appId"` RegisterRequests []RegisterRequest `json:"registerRequests"` RegisteredKeys []RegisteredKey `json:"registeredKeys"` }
WebRegisterRequest contains the parameters needed for the u2f.register() high-level Javascript API function as defined by the FIDO U2F Javascript API 1.1.
func NewWebRegisterRequest ¶
func NewWebRegisterRequest(c *Challenge, regs []Registration) *WebRegisterRequest
NewWebRegisterRequest creates a request to enrol a new token. regs is the list of the user's existing registration. The browser will refuse to re-register a device if it has an existing registration.
type WebSignRequest ¶
type WebSignRequest struct { AppID string `json:"appId"` Challenge string `json:"challenge"` RegisteredKeys []RegisteredKey `json:"registeredKeys"` }
WebSignRequest contains the parameters needed for the u2f.sign() high-level Javascript API function as defined by the FIDO U2F Javascript API 1.1.