trezor-firmware/core/src/apps/webauthn
Andrew Kozlik 8ae0535e69
core/webauthn: Fix attestation statement format to use a list in the x5c field.
4 years ago
metadata core/webauthn: update metadata 5 years ago
res common/defs: add Facebook to recognized apps 5 years ago
README.md core/webauthn: Add AAGUID to README.md. 5 years ago
__init__.py core/usb: reorder endpoints 5 years ago
add_resident_credential.py core/webauthn: Clean up bytes/bytearray typing around uctypes. 4 years ago
common.py core/webauthn: Implement support for Ed25519 signatures in FIDO2. 4 years ago
confirm.py core: auto-generate list of FIDO known apps 5 years ago
credential.py core/webauthn: Remove indistinguishable credentials from the allow list. 4 years ago
fido2.py core/webauthn: Fix attestation statement format to use a list in the x5c field. 4 years ago
knownapps.py common/defs: add Facebook to recognized apps 5 years ago
knownapps.py.mako webauthn: Add use_self_attestation flag to FIDO apps. 5 years ago
list_resident_credentials.py core/webauthn: Add algorithm and curve to WebAuthnListResidentCredentials response. 4 years ago
remove_resident_credential.py core/webauthn: rename storage.webauthn to storage.resident_credentials 5 years ago
resident_credentials.py core/webauthn: rename storage.webauthn to storage.resident_credentials 5 years ago

README.md

WebAuthn

MAINTAINER = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

AUTHOR = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

REVIEWER = Jan Pochyla jan.pochyla@satoshilabs.com, Ondrej Vejpustek ondrej.vejpustek@satoshilabs.com


This app implements WebAuthn authenticator functionality in accordance with the following specifications:

Supported features and algorithms

This implementation supports client-side credential storage on the device and user verification by PIN entry, making the Trezor T a first-factor roaming authenticator usable for passwordless login.

User verification

The device is capable of verifying the user within itself by direct PIN entry via the touchscreen. Client PIN is not supported, because it is less secure than direct PIN verification. The authenticatorClientPIN command is therefore implemented only to the extent required by the hmac-secret extension. Namely, only the getKeyAgreement subcommand is supported.

Credential selection

Credential selection is supported directly on the device. The authenticatorGetNextAssertion command is therefore not implemented.

Public key credential algorithms

  • COSE algorithm ES256 (-7): ECDSA using the NIST P-256 curve with SHA-256.

Extensions

  • hmac-secret extension.

Attestation types

  • Self attestation.

AAGUID

The AAGUID is a 128-bit globally unique identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID for Trezor T is d6d0bdc3-62ee-c4db-de8d-7a656e4a4487.
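The two properties above that a relying party can actually observe, user verification (the UV flag in the authenticator data, which this device sets after on-device PIN entry) and the AAGUID identifying the authenticator model, both live in the authenticatorData structure returned at registration. The following is an added example, not code from the trezor-firmware repository: it parses that structure (rpIdHash, flags, signCount, then the attested credential data with the AAGUID and credential ID) and applies the checks a relying party would run before accepting a new credential. The relying party ID "example.com", the 16-byte credential ID and the truncated COSE key bytes are constructed sample values; the AAGUID is the one the README states.

```python
"""Relying-party-side checks on WebAuthn authenticator data.

Added example (not part of the trezor-firmware repository): parses the
authenticatorData returned during registration, then checks that the UV
(user verified) flag is set and that the AAGUID is one the relying party
accepts. All sample bytes are constructed inline.
"""
import hashlib
import struct
import uuid

# Flag bits defined by the WebAuthn authenticator data layout.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (e.g. PIN entered on the device)
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

# AAGUID of the Trezor T, as stated in the README.
TREZOR_T_AAGUID = uuid.UUID("d6d0bdc3-62ee-c4db-de8d-7a656e4a4487")


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticatorData into its fields.

    Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) |
    [attestedCredentialData: aaguid (16) | credIdLen (2) | credId | cosePublicKey]
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
        "cose_public_key": None,
    }
    offset = 37
    if flags & FLAG_AT:
        if len(auth_data) < offset + 18:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[offset:offset + 16])
        offset += 16
        (cred_id_len,) = struct.unpack(">H", auth_data[offset:offset + 2])
        offset += 2
        if len(auth_data) < offset + cred_id_len:
            raise ValueError("credential ID truncated")
        parsed["credential_id"] = auth_data[offset:offset + cred_id_len]
        offset += cred_id_len
        # The remainder is the CBOR-encoded COSE public key (left undecoded here).
        parsed["cose_public_key"] = auth_data[offset:]
    return parsed


def check_registration(auth_data: bytes, rp_id: str, allowed_aaguids: set) -> list:
    """Return the list of policy violations; an empty list means the registration is accepted."""
    p = parse_auth_data(auth_data)
    problems = []
    if p["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    if not p["flags"] & FLAG_UP:
        problems.append("user presence flag not set")
    if not p["flags"] & FLAG_UV:
        problems.append("user verification flag not set")
    if p["aaguid"] is None:
        problems.append("no attested credential data")
    elif p["aaguid"] not in allowed_aaguids:
        problems.append(f"AAGUID {p['aaguid']} is not an accepted authenticator model")
    return problems


def build_sample_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID) -> bytes:
    """Construct a sample authenticatorData blob (not captured from a real device)."""
    cred_id = bytes(range(16))               # constructed 16-byte credential ID
    cose_key_stub = b"\xa5\x01\x02\x03\x26"  # constructed, truncated CBOR: {1: 2 (EC2), 3: -7 (ES256), ...}
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", 0)
        + aaguid.bytes
        + struct.pack(">H", len(cred_id))
        + cred_id
        + cose_key_stub
    )


if __name__ == "__main__":
    good = build_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, TREZOR_T_AAGUID)
    print(check_registration(good, "example.com", {TREZOR_T_AAGUID}))
    no_uv = build_sample_auth_data("example.com", FLAG_UP | FLAG_AT, TREZOR_T_AAGUID)
    print(check_registration(no_uv, "example.com", {TREZOR_T_AAGUID}))
```

Because this authenticator uses self attestation, the AAGUID in the authenticator data is not backed by an attestation certificate chain, so an allow-list check like the one above tells the relying party which model the client claims rather than proving it; it is still the right place to enforce a user-verification policy, since the UV flag is covered by the assertion signature.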