CTAP (client-to-authenticator-protocol) device backed by python's keyring library
Project description
This library provides an implementation of a virtual CTAP2 (client-to-authenticator-protocol) device, which uses the keyring library as its backend.
One may use this implementation as a reference for CTAP2-compatible devices, or to use ones host machine as an authenticator, rather than using an external one.
A common use-case would be to use this library as an authenticator for a webauthn flow, storing keys and retrieving assertions on a machine’s configured keyring.
- Supported features are:
The make-credential, get-assertion, get-next-assertion and get-info CTAP2 flows
The management of keys using the following COSE algorithms: RS1, RS256, PS256, EC256, EdDSA
The use of any available keyring as a backend for the created key-pairs (e.g. WinCred, Keychain, …)
User presence & verification on OSX and Windows, via Touch-ID and Windows-Hello
Storing keys in a secure manner, with no PII (personal-identifying-information) attached to them
Installation
Run the following (on a darwin machine):
$ pip install ctap-keyring-device
Using This Library
Make Credential Flow
from fido2.webauthn import PublicKeyCredentialCreationOptions, PublicKeyCredentialType, PublicKeyCredentialParameters
from ctap_keyring_device.ctap_keyring_device import CtapKeyringDevice
from fido2.client import Fido2Client
from fido2 import cose
import base64
device = CtapKeyringDevice.list_devices()[0]
origin = 'https://rp.pasten.com'
client = Fido2Client(device, origin)
rp = {'id': 'pasten.com', 'name': origin[8:], 'icon': '...'}
user = {'id': 'danny@pasten.io', 'name': 'Danny Shemesh', 'icon': '...', 'displayName': 'Danny Pastanny'}
challenge = base64.b64encode(b'my-challenge')
timeout_ms = 30_000
pub_key_cred_params = [PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, cose.ES256.ALGORITHM)]
options = PublicKeyCredentialCreationOptions(rp, user, challenge, pub_key_cred_params, timeout=timeout_ms)
attestation, client_data = client.make_credential(options)Get Assertion Flow
from fido2.webauthn import PublicKeyCredentialRequestOptions, PublicKeyCredentialType, \
PublicKeyCredentialParameters, PublicKeyCredentialDescriptor, UserVerificationRequirement
from ctap_keyring_device.ctap_keyring_device import CtapKeyringDevice
from fido2.client import Fido2Client
from fido2 import cose
import base64
device = CtapKeyringDevice.list_devices()[0]
origin = 'https://rp.pasten.com'
client = Fido2Client(device, origin)
challenge = base64.b64encode(b'my-challenge')
rp = {'id': 'pasten.com', 'name': origin[8:], 'icon': '...'}
credential_id = b'.......'
allow_list = [
PublicKeyCredentialDescriptor(PublicKeyCredentialType.PUBLIC_KEY, credential_id)
]
timeout_ms = 30_000
pub_key_cred_params = [PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, cose.ES256.ALGORITHM)]
options = PublicKeyCredentialRequestOptions(challenge=challenge, rp_id=rp['id'],
allow_credentials=allow_list, timeout=timeout_ms,
user_verification=UserVerificationRequirement.PREFERRED)
assertions, client_data = client.get_assertion(options)See examples in ctap-keyring-device/tests.
CTAP Flow Diagrams
Make Credential Flow
Get Assertion Flow
Security Considerations
Using this library will help one utilize their machine’s keyring as a CTAP2-compliant FIDO authenticator.
Credentials are stores on the configured keyring, which defaults to a sensible implementation, per the platform the code is running on (e.g. keychain on OSX, WinCred on Windows, …)
The make-credentials flow will create a key-pair for signing, using the requested COSE algorithm.
Private keys are encrypted with a random UUID4 as the passphrase, using hazmat’s BestAvailableEncryption.
Credential IDs comprise of <UUID5-of-user-id>_<key-passphrase>, and are sent back to the requesting client; it is assumed that the credential ID is kept in a remote machine, and is always provided in the allow-list of a ctap get-assertion request.
The above allows us to generate and store our keys in a manner that renders key exposure as less risky, due to the key being encrypted; and not storing the user-id directly, making it harder to use the key, even if decrypted.
On top of the mentioned safeguards, one may request the UV (user-verification) option, in order to trigger a 2nd factor before returning an assertion; Touch-ID / Password prompt is used on OSX, and Windows-Hello on Windows.
Making Releases
A CI/CD pipeline is setup on github - once a PR is merged to master, a pre-release will be automatically deployed to github; When a release is tagged, it will be automatically deployed to pypi.
Running Tests
To run the tests locally, install and invoke tox.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for ctap-keyring-device-1.0.5.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 7c14099e0128f509adf7c23a3d7f6ac7d18a3bacd953d484d1a0474ac9776762 |
|
| MD5 | ab4d9fa4c2b8481a1c7211c6ff74dce5 |
|
| BLAKE2b-256 | aa39d829e3911bc98b0d3dfe2b25d141e49e6d3ed93dd03754cf3e40bcce7499 |
Hashes for ctap_keyring_device-1.0.5-py2.py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b48dc326500a422f87aeefa3e94d6c9498d3c7158971a959b3fd2547b8bb0d7d |
|
| MD5 | 5754ab23ebb57f563c53b048ccaab552 |
|
| BLAKE2b-256 | 5587549e37a72d61314086e38102584e17e6e5a8fdb84c95cc25d0e2b98f3ce9 |
