mirror of https://github.com/trezor/trezor-firmware.git synced 2025-02-28 23:32:05 +00:00
trezor-firmware/core/src/apps/webauthn
matejcik a79279115e core: move confirm_signal evaluation into concrete Layout implementations
Apart from making the code more correct for its users in
apps.common.confirm and elsewhere, this fixes a problem where the
confirm_signal would be scheduled before the dialog is rendered.
By making sure that handle_rendering is scheduled (i.e., listed in
create_tasks) before confirm_signal, we can be sure to render at least
once and thus appear in the UI test results.
2020-01-23 15:45:10 +01:00
metadata core/webauthn: update metadata 2019-11-16 10:53:10 +00:00
res common/defs: add Facebook to recognized apps 2020-01-16 15:35:45 +00:00
__init__.py core/usb: reorder endpoints 2019-11-13 13:21:39 +01:00
add_resident_credential.py core: create top-level storage module 2019-10-31 16:21:56 +01:00
confirm.py core: auto-generate list of FIDO known apps 2019-12-09 16:31:46 +01:00
credential.py core: auto-generate list of FIDO known apps 2019-12-09 16:31:46 +01:00
fido2.py core: move confirm_signal evaluation into concrete Layout implementations 2020-01-23 15:45:10 +01:00
knownapps.py common/defs: add Facebook to recognized apps 2020-01-16 15:35:45 +00:00
knownapps.py.mako webauthn: Add use_self_attestation flag to FIDO apps. 2019-12-11 15:29:52 +01:00
list_resident_credentials.py core: create top-level storage module 2019-10-31 16:21:56 +01:00
README.md core/webauthn: Add AAGUID to README.md. 2019-12-10 15:56:41 +01:00
remove_resident_credential.py core/webauthn: rename storage.webauthn to storage.resident_credentials 2019-11-08 12:47:54 +01:00
resident_credentials.py core/webauthn: rename storage.webauthn to storage.resident_credentials 2019-11-08 12:47:54 +01:00

WebAuthn

MAINTAINER = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

AUTHOR = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

REVIEWER = Jan Pochyla jan.pochyla@satoshilabs.com, Ondrej Vejpustek ondrej.vejpustek@satoshilabs.com


This app implements WebAuthn authenticator functionality in accordance with the following specifications:

Supported features and algorithms

This implementation supports client-side credential storage on the device and user verification by PIN entry, making the Trezor T a first-factor roaming authenticator usable for passwordless login.

User verification

The device is capable of verifying the user within itself by direct PIN entry via the touchscreen. Client PIN is not supported, because it is less secure than direct PIN verification. The authenticatorClientPIN command is therefore implemented only to the extent required by the hmac-secret extension. Namely, only the getKeyAgreement subcommand is supported.

Credential selection

Credential selection is supported directly on the device. The authenticatorGetNextAssertion command is therefore not implemented.

Public key credential algorithms

  • COSE algorithm ES256 (-7): ECDSA using the NIST P-256 curve with SHA-256.

Extensions

  • hmac-secret extension.

Attestation types

  • Self attestation.

AAGUID

The AAGUID is a 128-bit globally unique identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID for Trezor T is d6d0bdc3-62ee-c4db-de8d-7a656e4a4487.
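As an added example (not part of the Trezor firmware or this README), the following relying-party-side parser splits WebAuthn authenticator data, extracts the AAGUID so it can be compared with the Trezor T value above, and enforces the user-verification flag that a first-factor (passwordless) registration depends on. The sample authenticator data is constructed inline; the COSE public key at the end is a placeholder byte, not a real key.

```python
from __future__ import annotations
import hashlib
import uuid
from dataclasses import dataclass
# AAGUID of the Trezor T, as stated in the README above.
TREZOR_T_AAGUID = uuid.UUID("d6d0bdc3-62ee-c4db-de8d-7a656e4a4487")
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present / user verified / attested cred. data

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: uuid.UUID | None
    credential_id: bytes | None
    rest: bytes  # COSE public key plus any extension data, left undecoded here

def parse_auth_data(data: bytes) -> AuthData:
    # Fixed layout: rpIdHash(32) | flags(1) | signCount(4) | [attested credential data]
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = data[:32], data[32]
    sign_count = int.from_bytes(data[33:37], "big")
    aaguid, cred_id, rest = None, None, data[37:]
    if flags & FLAG_AT:  # attested credential data: aaguid(16) | idLen(2) | id | COSE key
        if len(rest) < 18:
            raise ValueError("truncated attested credential data")
        aaguid = uuid.UUID(bytes=rest[:16])
        cred_len = int.from_bytes(rest[16:18], "big")
        cred_id, rest = rest[18:18 + cred_len], rest[18 + cred_len:]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential id")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id, rest)

def check_passwordless_registration(data: bytes, rp_id: str) -> AuthData:
    # Relying-party checks for a first-factor (passwordless) registration.
    ad = parse_auth_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not (ad.flags & FLAG_UP and ad.flags & FLAG_UV):
        raise ValueError("user presence and user verification are both required")
    if ad.aaguid is None:
        raise ValueError("attested credential data missing")
    return ad

# Constructed sample, not a real device response: rpIdHash of "example.com", UP|UV|AT,
# counter 1, the Trezor T AAGUID, a 4-byte dummy credential id, one placeholder byte for the key.
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest()
                    + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + (1).to_bytes(4, "big")
                    + TREZOR_T_AAGUID.bytes + (4).to_bytes(2, "big") + b"\x01\x02\x03\x04" + b"\xa5")
```

A relying party that wants to restrict registrations to a known authenticator model would compare the returned `aaguid` against its allow-list; with self attestation there is no certificate chain to verify, so the AAGUID itself is not cryptographically bound to the device.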