ProjectNotes.txt
https://deno.land/x/fido2
https://github.com/webauthn-open-source/fido2-lib
https://deno.land/x/fido2@3.5.3/dist/main.js
^All functions currently available in the library
https://fido-tools.github.io/fido2-library/Fido2Lib.html
^Documentation
https://webauthn-open-source.github.io/fido2-lib/Fido2Lib.html
^Documentation of some of the Fido2 params
https://www.w3.org/TR/webauthn
^WebAuthn spec
https://www.iana.org/assignments/cose/cose.xhtml
^COSE algorithm identifiers used by "cryptoParams"
cryptoParams: [-7, -257] =
  -7    ECDSA w/ SHA-256
  -257  RSASSA-PKCS1-v1_5 using SHA-256
  (both deprecated)
  -9    ECDSA using P-256 curve and SHA-256
  -19   EdDSA using Ed25519 curve
  -37   RSASSA-PSS w/ SHA-256
If left unspecified, Chrome uses the default values of ES256 (-7) and RS256 (-257).
https://chromium.googlesource.com/chromium/src/+/main/content/browser/webauth/pub_key_cred_params.md
Probably most authenticators support -7 and -257
https://guptadeepak.com/implementing-fido2-authentication-a-developers-step-by-step-guide/
^Similar implementation
https://deno.land/x/fido2@3.5.3/types/main.d.ts
^Clearer way to view the types
https://github.com/webauthn-open-source/fido2-lib/blob/master/examples/u2f-migrated-example.js
^Possible example usage, if it is not wrong or outdated
The FIDO2 "appid" extension, often used within libraries like fido2-lib, provides backward compatibility for WebAuthn with legacy FIDO U2F credentials
allowCredentials is used to append a credentialId to assertionOptions when the credentials are not "discoverable credentials"
How to handle "signcount" or "prevCounter":
  Let storedSignCount be the stored signature counter value associated with credential.id.
  If authData.signCount is nonzero or storedSignCount is nonzero, then run the following sub-step:
    If authData.signCount is
      greater than storedSignCount:
        Update storedSignCount to be the value of authData.signCount.
      less than or equal to storedSignCount:
        This is a signal that the authenticator may be cloned, i.e. at least two copies of the credential private key may exist and are being used in parallel. Relying Parties should incorporate this information into their risk scoring. Whether the Relying Party updates storedSignCount in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific.
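The counter rule above, written out as an added example (my own code, not from these notes or from fido2-lib) as a pure function the server can call with the stored value and the signCount from the assertion; the names checkSignCount, SignCountResult and the failOnClone option are assumptions, and the clone policy is the Relying-Party-specific choice the spec leaves open.

```typescript
// Added example: WebAuthn signature-counter check as a pure function.
// storedSignCount is what the server persisted for credential.id;
// authDataSignCount is the uint32 counter parsed from the assertion's authData.
export interface SignCountResult {
  storedSignCount: number; // value to write back for credential.id
  cloneSuspected: boolean; // counter did not advance: possible cloned authenticator
  accept: boolean;         // RP policy decision for this ceremony
}

const UINT32_MAX = 0xffffffff;

function assertUint32(name: string, v: number): void {
  if (!Number.isInteger(v) || v < 0 || v > UINT32_MAX) {
    throw new RangeError(`${name} must be a uint32, got ${v}`);
  }
}

// failOnClone (assumed option) decides whether a non-advancing counter fails
// the ceremony or is only flagged for risk scoring. Default: fail.
export function checkSignCount(
  storedSignCount: number,
  authDataSignCount: number,
  opts: { failOnClone?: boolean } = {},
): SignCountResult {
  assertUint32("storedSignCount", storedSignCount);
  assertUint32("authDataSignCount", authDataSignCount);
  const failOnClone = opts.failOnClone ?? true;

  // Both zero: the authenticator does not implement a counter, so there is
  // nothing to compare and the check is skipped (spec: "if either is nonzero").
  if (authDataSignCount === 0 && storedSignCount === 0) {
    return { storedSignCount: 0, cloneSuspected: false, accept: true };
  }
  // Counter advanced: persist the new value.
  if (authDataSignCount > storedSignCount) {
    return { storedSignCount: authDataSignCount, cloneSuspected: false, accept: true };
  }
  // Less than or equal: possible clone. The stored value is left unchanged so
  // the signal persists for later ceremonies; acceptance follows RP policy.
  return { storedSignCount, cloneSuspected: true, accept: !failOnClone };
}
```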
Running the server:
deno run --allow-net --allow-read --allow-write server.ts