README

Go FIDO U2F Library

This Go package implements the parts of the FIDO U2F specification required on the server side of an application.

Build Status

Features

  • Native Go implementation
  • No dependancies other than the Go standard library
  • Token attestation certificate verification

Usage

Please visit http://godoc.org/github.com/tstranex/u2f for the full documentation.

How to enrol a new token
app_id := "http://localhost"

// Send registration request to the browser.
c, _ := NewChallenge(app_id, []string{app_id})
req, _ := c.RegisterRequest()

// Read response from the browser.
var resp RegisterResponse
reg, err := Register(resp, c, nil)
if err != nil {
    // Registration failed.
}

// Store registration in the database.
How to perform an authentication
// Fetch registration and counter from the database.
var reg Registration
var counter uint32

// Send authentication request to the browser.
c, _ := NewChallenge(app_id, []string{app_id})
req, _ := c.SignRequest(reg)

// Read response from the browser.
var resp SignResponse
newCounter, err := reg.Authenticate(resp, c, counter)
if err != nil {
    // Authentication failed.
}

// Store updated counter in the database.

Installation

$ go get github.com/tstranex/u2f

Example

See u2fdemo/main.go for an full example server. To run it:

$ go install github.com/tstranex/u2f/u2fdemo
$ ./bin/u2fdemo

Open https://localhost:3483 in Chrome. Ignore the SSL warning (due to the self-signed certificate for localhost). You can then test registering and authenticating using your token.

Changelog

  • 2016-12-18: The package has been updated to work with the new U2F Javascript 1.1 API specification. This causes some breaking changes.

    SignRequest has been replaced by WebSignRequest which now includes multiple registrations. This is useful when the user has multiple devices registered since you can now authenticate against any of them with a single request.

    WebRegisterRequest has been introduced, which should generally be used instead of using RegisterRequest directly. It includes the list of existing registrations with the new registration request. If the user's device already matches one of the existing registrations, it will refuse to re-register.

    Challenge.RegisterRequest has been replaced by NewWebRegisterRequest.

License

The Go FIDO U2F Library is licensed under the MIT License.

Documentation

Overview

    Package u2f implements the server-side parts of the FIDO Universal 2nd Factor (U2F) specification.

    Applications will usually persist Challenge and Registration objects in a database.

    To enrol a new token:

    app_id := "http://localhost"
    c, _ := NewChallenge(app_id, []string{app_id})
    req, _ := u2f.NewWebRegisterRequest(c, existingTokens)
    // Send the request to the browser.
    var resp RegisterResponse
    // Read resp from the browser.
    reg, err := Register(resp, c)
    if err != nil {
         // Registration failed.
    }
    // Store reg in the database.
    

    To perform an authentication:

    var regs []Registration
    // Fetch regs from the database.
    c, _ := NewChallenge(app_id, []string{app_id})
    req, _ := c.SignRequest(regs)
    // Send the request to the browser.
    var resp SignResponse
    // Read resp from the browser.
    new_counter, err := reg.Authenticate(resp, c)
    if err != nil {
        // Authentication failed.
    }
    reg.Counter = new_counter
    // Store updated Registration in the database.
    

    The FIDO U2F specification can be found here: https://fidoalliance.org/specifications/download

    Index

    Constants

    This section is empty.

    Variables

    View Source
    var ErrCounterTooLow = errors.New("u2f: counter too low")

      ErrCounterTooLow is raised when the counter value received from the device is lower than last stored counter value. This may indicate that the device has been cloned (or is malfunctioning). The application may choose to disable the particular device as precaution.

      Functions

      This section is empty.

      Types

      type Challenge

      type Challenge struct {
      	Challenge     []byte
      	Timestamp     time.Time
      	AppID         string
      	TrustedFacets []string
      }

        Challenge represents a single transaction between the server and authenticator. This data will typically be stored in a database.

        func NewChallenge

        func NewChallenge(appID string, trustedFacets []string) (*Challenge, error)

          NewChallenge generates a challenge for the given application.

          func (*Challenge) SignRequest

          func (c *Challenge) SignRequest(regs []Registration) *WebSignRequest

            SignRequest creates a request to initiate an authentication.

            type ClientData

            type ClientData struct {
            	Typ       string          `json:"typ"`
            	Challenge string          `json:"challenge"`
            	Origin    string          `json:"origin"`
            	CIDPubKey json.RawMessage `json:"cid_pubkey"`
            }

              ClientData as defined by the FIDO U2F Raw Message Formats specification.

              type Config

              type Config struct {
              	// SkipAttestationVerify controls whether the token attestation
              	// certificate should be verified on registration. Ideally it should
              	// always be verified. However, there is currently no public list of
              	// trusted attestation root certificates so it may be necessary to skip.
              	SkipAttestationVerify bool
              
              	// RootAttestationCertPool overrides the default root certificates used
              	// to verify client attestations. If nil, this defaults to the roots that are
              	// bundled in this library.
              	RootAttestationCertPool *x509.CertPool
              }

                Config contains configurable options for the package.

                type JwkKey

                type JwkKey struct {
                	KTy string `json:"kty"`
                	Crv string `json:"crv"`
                	X   string `json:"x"`
                	Y   string `json:"y"`
                }

                  JwkKey represents a public key used by a browser for the Channel ID TLS extension.

                  type RegisterRequest

                  type RegisterRequest struct {
                  	Version   string `json:"version"`
                  	Challenge string `json:"challenge"`
                  }

                    RegisterRequest as defined by the FIDO U2F Javascript API 1.1.

                    type RegisterResponse

                    type RegisterResponse struct {
                    	Version          string `json:"version"`
                    	RegistrationData string `json:"registrationData"`
                    	ClientData       string `json:"clientData"`
                    }

                      RegisterResponse as defined by the FIDO U2F Javascript API 1.1.

                      type RegisteredKey

                      type RegisteredKey struct {
                      	Version   string `json:"version"`
                      	KeyHandle string `json:"keyHandle"`
                      	AppID     string `json:"appId"`
                      }

                        RegisteredKey as defined by the FIDO U2F Javascript API 1.1.

                        type Registration

                        type Registration struct {
                        	// Raw serialized registration data as received from the token.
                        	Raw []byte
                        
                        	KeyHandle []byte
                        	PubKey    ecdsa.PublicKey
                        
                        	// AttestationCert can be nil for Authenticate requests.
                        	AttestationCert *x509.Certificate
                        }

                          Registration represents a single enrolment or pairing between an application and a token. This data will typically be stored in a database.

                          func Register

                          func Register(resp RegisterResponse, c Challenge, config *Config) (*Registration, error)

                            Register validates a RegisterResponse message to enrol a new token. An error is returned if any part of the response fails to validate. The returned Registration should be stored by the caller.

                            func (*Registration) Authenticate

                            func (reg *Registration) Authenticate(resp SignResponse, c Challenge, counter uint32) (newCounter uint32, err error)

                              Authenticate validates a SignResponse authentication response. An error is returned if any part of the response fails to validate. The counter should be the counter associated with appropriate device (i.e. resp.KeyHandle). The latest counter value is returned, which the caller should store.

                              func (*Registration) MarshalBinary

                              func (r *Registration) MarshalBinary() ([]byte, error)

                                MarshalBinary implements encoding.BinaryUnmarshaler.

                                func (*Registration) UnmarshalBinary

                                func (r *Registration) UnmarshalBinary(data []byte) error

                                  UnmarshalBinary implements encoding.BinaryMarshaler.

                                  type SignResponse

                                  type SignResponse struct {
                                  	KeyHandle     string `json:"keyHandle"`
                                  	SignatureData string `json:"signatureData"`
                                  	ClientData    string `json:"clientData"`
                                  }

                                    SignResponse as defined by the FIDO U2F Javascript API 1.1.

                                    type TrustedFacets

                                    type TrustedFacets struct {
                                    	Version struct {
                                    		Major int `json:"major"`
                                    		Minor int `json:"minor"`
                                    	} `json:"version"`
                                    	Ids []string `json:"ids"`
                                    }

                                      TrustedFacets as defined by the FIDO AppID and Facet Specification.

                                      type TrustedFacetsEndpoint

                                      type TrustedFacetsEndpoint struct {
                                      	TrustedFacets []TrustedFacets `json:"trustedFacets"`
                                      }

                                        TrustedFacetsEndpoint is a container of TrustedFacets. It is used as the response for an appId URL endpoint.

                                        type WebRegisterRequest

                                        type WebRegisterRequest struct {
                                        	AppID            string            `json:"appId"`
                                        	RegisterRequests []RegisterRequest `json:"registerRequests"`
                                        	RegisteredKeys   []RegisteredKey   `json:"registeredKeys"`
                                        }

                                          WebRegisterRequest contains the parameters needed for the u2f.register() high-level Javascript API function as defined by the FIDO U2F Javascript API 1.1.

                                          func NewWebRegisterRequest

                                          func NewWebRegisterRequest(c *Challenge, regs []Registration) *WebRegisterRequest

                                            NewWebRegisterRequest creates a request to enrol a new token. regs is the list of the user's existing registration. The browser will refuse to re-register a device if it has an existing registration.

                                            type WebSignRequest

                                            type WebSignRequest struct {
                                            	AppID          string          `json:"appId"`
                                            	Challenge      string          `json:"challenge"`
                                            	RegisteredKeys []RegisteredKey `json:"registeredKeys"`
                                            }

                                              WebSignRequest contains the parameters needed for the u2f.sign() high-level Javascript API function as defined by the FIDO U2F Javascript API 1.1.

                                              Directories

                                              Path Synopsis