You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
trezor-firmware/core/src/apps/webauthn
Andrew Kozlik 4cd88e16f7
feat(core): Introduce use_compact option for FIDO2.
1 year ago
..
metadata fix(core): remove tcDisplay from metadata/trezor-ctap2.json 3 years ago
res chore(common/defs/fido): add proton 2 years ago
README.md docs: fix typos in comments 3 years ago
__init__.py chore(core): decrease webauthn size by 1270 bytes 2 years ago
add_resident_credential.py feat(core/ui): implement webauthn layouts for UI2 2 years ago
common.py
credential.py feat(core): Don't store blank names in FIDO2 credentials. 1 year ago
fido2.py feat(core): Introduce use_compact option for FIDO2. 1 year ago
knownapps.py feat(core): Introduce use_compact option for FIDO2. 1 year ago
knownapps.py.mako feat(core): Introduce use_compact option for FIDO2. 1 year ago
list_resident_credentials.py chore(core): decrease webauthn size by 1270 bytes 2 years ago
remove_resident_credential.py feat(core/ui): implement webauthn layouts for UI2 2 years ago
resident_credentials.py chore(core): decrease webauthn size by 1270 bytes 2 years ago

README.md

WebAuthn

MAINTAINER = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

AUTHOR = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

REVIEWER = Jan Pochyla jan.pochyla@satoshilabs.com, Ondrej Vejpustek ondrej.vejpustek@satoshilabs.com


This app implements WebAuthn authenticator functionality in accordance with the following specifications:

Supported features and algorithms

This implementation supports client-side credential storage on the device and user verification by PIN entry, making the Trezor T a first-factor roaming authenticator usable for passwordless login.

User verification

The device is capable of verifying the user within itself by direct PIN entry via the touchscreen. Client PIN is not supported, because it is less secure than direct PIN verification. The authenticatorClientPIN command is therefore implemented only to the extent required by the hmac-secret extension. Namely, only the getKeyAgreement subcommand is supported.

Credential selection

Credential selection is supported directly on the device. The authenticatorGetNextAssertion command is therefore not implemented.

Public key credential algorithms

  • COSE algorithm ES256 (-7): ECDSA using the NIST P-256 curve with SHA-256.
  • COSE algorithm EdDSA (-8): Pure EdDSA using the Ed25519 curve.

Extensions

  • hmac-secret extension.

Attestation types

  • Basic attestation for login.microsoft.com.
  • Self attestation for all other sites.

AAGUID

The AAGUID is a 128-bit globally unique identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID for Trezor T is d6d0bdc3-62ee-c4db-de8d-7a656e4a4487.

Certificates for basic attestation