1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-04 21:48:17 +00:00
trezor-firmware/core/src/apps/webauthn
matejcik e629a72c3a refactor(core): move app registrations to a single handler function
apps.webauthn.boot() does not need an if-condition because it's only
called from session.py when the usb interface is enabled

This means that they do not need to be stored in RAM at all. The obvious
drawback is that we need to hand-edit the if/elif sequence, but we don't
register new handlers all that often so 🤷
2021-05-06 13:14:21 +02:00
..
metadata core/webauthn: update metadata 2019-11-16 10:53:10 +00:00
res common/defs/fido: add namecheap 2021-03-15 17:22:12 +01:00
__init__.py refactor(core): move app registrations to a single handler function 2021-05-06 13:14:21 +02:00
add_resident_credential.py style(core): use more recent type annotation syntax 2021-04-01 11:12:30 +02:00
common.py core/webauthn: Implement support for Ed25519 signatures in FIDO2. 2020-03-12 15:45:26 +01:00
confirm.py style(core): use more recent type annotation syntax 2021-04-01 11:12:30 +02:00
credential.py style(core): use more recent type annotation syntax 2021-04-01 11:12:30 +02:00
fido2.py style(core): use more recent type annotation syntax 2021-04-01 11:12:30 +02:00
knownapps.py style(core): use more recent type annotation syntax 2021-04-01 11:12:30 +02:00
knownapps.py.mako style(core): use more recent type annotation syntax 2021-04-01 11:12:30 +02:00
list_resident_credentials.py refactor(core/ui): raise exception on dialog cancel by default 2021-03-30 22:34:01 +02:00
README.md core/webauth: Update readme with Ed25519 algorithm and certificates. 2020-04-09 21:05:28 +02:00
remove_resident_credential.py style(core): use more recent type annotation syntax 2021-04-01 11:12:30 +02:00
resident_credentials.py style(core): use more recent type annotation syntax 2021-04-01 11:12:30 +02:00

WebAuthn

MAINTAINER = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

AUTHOR = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

REVIEWER = Jan Pochyla jan.pochyla@satoshilabs.com, Ondrej Vejpustek ondrej.vejpustek@satoshilabs.com


This app implements WebAuthn authenticator functionality in accordance with the following specifications:

Supported features and algorithms

This implementation supports client-side credential storage on the device and user verification by PIN entry, making the Trezor T a first-factor roaming authenticator usable for passwordless login.

User verification

The device is capable of verifying the user within itself by direct PIN entry via the touchscreen. Client PIN is not supported, because it is less secure than direct PIN verification. The authenticatorClientPIN command is therefore implemented only to the extent required by the hmac-secret extension. Namely, only the getKeyAgreement subcommand is supported.

Credential selection

Credential selection is supported directly on the device. The authenticatorGetNextAssertion command is therefore not implemented.

Public key credential algorithms

  • COSE algorithm ES256 (-7): ECDSA using the NIST P-256 curve with SHA-256.
  • COSE algorithm EdDSA (-8): Pure EdDSA using the Ed25519 curve.

Extenstions

  • hmac-secret extension.

Attestation types

  • Basic attestation for login.microsoft.com.
  • Self attestation for all other sites.

AAGUID

The AAGUID is a 128-bit globally unique identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID for Trezor T is d6d0bdc3-62ee-c4db-de8d-7a656e4a4487.

Certificates for basic attestation