Open Firstyear opened 5 years ago
Thanks @Firstyear , you are right that I should have made it clear that this is not yet ready for use, I will do that now.
BTW I am starting to look again at it and implement the remaining features. Would you like to work together on the same one, or are you thinking of taking a different approach in yours?
Thanks for that! That would be really helpful.
Well, initially I thought I was going to do it very differently, but the more I implement the more I see similarities and overlap in our code.
Here is my repo here: https://github.com/Firstyear/webauthn-rs
I think that it would not be too difficult to merge back together to collaborate on this, and it would be great to have help and review. I've been following the rfc/standards a lot, and using them as comments, and I was starting to implement testing for the crypto/decode operation correctness. I also have some improvements in the byte parsing/structs compared to your impl. I also found some of your json looks like it may not be the same as the rfc requires (mainly around challenges for authentication vs registration). There is also a difference in cred_id storage (you use string, but rfc should be vec
So have a look at my code and if it seems okay, I'd be happy to rework it to work on this together :)
Thanks, I'll take a look at yours and then we can decide how to proceed!
BTW I have started refactoring mine according to https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html in addition to the RFC, it seems to specify the format of the JSON objects in a more practical way.
Hey there, thought you may be interested to know that today I started to write the crypto verification parts for the registration process. The starting parts can be found here https://github.com/Firstyear/webauthn-rs/blob/master/src/crypto.rs and obviously have some links to the lib.rs.
Hope that helps!
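The server-side checks the two comments above touch on (the registration vs authentication challenge distinction, credential ids kept as bytes rather than strings, and the first verification steps of the registration ceremony) as an added Rust example. This is not code from webauthn-rs or from the `webauthn` crate under discussion; it follows the clientDataJSON checks in the WebAuthn spec (verify `type`, `challenge` and `origin` before trusting any attestation or assertion). The base64url decoder and the flat-JSON field extractor are hand-rolled simplifications so the snippet runs with no dependencies (a real server would use `base64` and `serde_json`), and the sample clientDataJSON and stored credential are constructed.

```rust
// Added example, not webauthn-rs code. Assumes the server stored the random challenge
// it issued and knows its own origin; the JSON/base64url helpers are simplified stand-ins.

#[derive(Debug, PartialEq)]
pub enum Ceremony { Registration, Authentication }

#[derive(Debug, PartialEq)]
pub enum ClientDataError { BadJson, WrongType, ChallengeMismatch, OriginMismatch, BadBase64 }

/// Decode unpadded base64url (RFC 4648 section 5) into bytes. Hand-rolled to avoid crates.
pub fn base64url_decode(s: &str) -> Result<Vec<u8>, ClientDataError> {
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            b'=' => break, // tolerate padding, ignore it
            _ => return Err(ClientDataError::BadBase64),
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1;
        }
    }
    Ok(out)
}

/// Pull a top-level string field out of flat JSON. Simplified for the example:
/// no escape handling (returns None if the value contains a backslash).
fn json_string_field(json: &str, key: &str) -> Option<String> {
    let pat = format!("\"{}\"", key);
    let start = json.find(&pat)? + pat.len();
    let rest = json[start..].trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    let val = &rest[..rest.find('"')?];
    if val.contains('\\') { return None; }
    Some(val.to_string())
}

/// Compare without leaking where the first differing byte is.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

pub struct ExpectedClientData<'a> {
    pub ceremony: Ceremony,
    pub challenge: &'a [u8], // the random challenge the server issued and stored for this ceremony
    pub origin: &'a str,
}

/// The clientDataJSON checks a relying party performs for both ceremonies:
/// the type must match the ceremony (webauthn.create for registration, webauthn.get
/// for authentication), the challenge must be the one the server issued, and the
/// origin must be the server's own. Only after this does signature verification make sense.
pub fn verify_client_data(client_data_json: &[u8], expected: &ExpectedClientData) -> Result<(), ClientDataError> {
    let json = std::str::from_utf8(client_data_json).map_err(|_| ClientDataError::BadJson)?;
    let want_type = match expected.ceremony {
        Ceremony::Registration => "webauthn.create",
        Ceremony::Authentication => "webauthn.get",
    };
    if json_string_field(json, "type").ok_or(ClientDataError::BadJson)? != want_type {
        return Err(ClientDataError::WrongType);
    }
    let challenge = base64url_decode(&json_string_field(json, "challenge").ok_or(ClientDataError::BadJson)?)?;
    if !constant_time_eq(&challenge, expected.challenge) {
        return Err(ClientDataError::ChallengeMismatch);
    }
    if json_string_field(json, "origin").ok_or(ClientDataError::BadJson)? != expected.origin {
        return Err(ClientDataError::OriginMismatch);
    }
    Ok(())
}

/// Credential ids are opaque byte strings in the spec, so store and compare them as Vec<u8>.
pub struct StoredCredential { pub id: Vec<u8>, pub public_key_cose: Vec<u8>, pub sign_count: u32 }

/// Look up a credential by the base64url rawId the client sent, comparing raw bytes.
pub fn find_credential<'a>(store: &'a [StoredCredential], raw_id_b64url: &str) -> Option<&'a StoredCredential> {
    let id = base64url_decode(raw_id_b64url).ok()?;
    store.iter().find(|c| c.id == id)
}

fn main() {
    let challenge = [1u8, 2, 3]; // constructed; real challenges are at least 16 random bytes
    // Constructed clientDataJSON for a registration ceremony ("AQID" is base64url of [1,2,3]).
    let cd = br#"{"type":"webauthn.create","challenge":"AQID","origin":"https://example.com"}"#;
    let reg = ExpectedClientData { ceremony: Ceremony::Registration, challenge: &challenge, origin: "https://example.com" };
    let auth = ExpectedClientData { ceremony: Ceremony::Authentication, challenge: &challenge, origin: "https://example.com" };
    println!("registration: {:?}", verify_client_data(cd, &reg));   // Ok(())
    println!("as assertion: {:?}", verify_client_data(cd, &auth));  // Err(WrongType)
    let store = vec![StoredCredential { id: vec![0xde, 0xad], public_key_cose: vec![], sign_count: 0 }];
    println!("found credential: {}", find_credential(&store, "3q0").is_some());
}
```

The same registration clientDataJSON is rejected when checked as an authentication ceremony, which is the kind of mix-up the comment about "challenges for authentication vs registration" warns about; a server that only compares the challenge string, or that skips these steps entirely, accepts responses it should not.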
Hi there,
I noticed this crate while I was trying to implement my own rust webauthn server for actix. I was following your code, and I have noticed that you don't seem to implement any of the cryptographic operations required for webauthn.
I could be missing something, but if this is the case, I think it's a security risk to publish this to crates.io until you have verification of the security robustness and correctness of this crate. Can I please ask you to yank the crate from crates.io until you have implemented the correct cryptographic handling of webauthn keys?
Thanks,
https://crates.io/crates/webauthn