tiziano88 / webauthn-rs

MIT License

[security]: please remove this crate from crates.io until crypto is implemented #3

Open Firstyear opened 5 years ago

Firstyear commented 5 years ago

Hi there,

I noticed this crate while I was trying to implement my own rust webauthn server for actix. I was following your code, and I have noticed that you don't seem to implement any of the cryptographic operations required for webauthn.

I could be missing something, but if this is the case, I think it's a security risk to publish this to crates.io until you have verification of the security robustness and correctness of this crate. Can I please ask you to yank the crate from crates.io until you have implemented the correct cryptographic handling of webauthn keys?

Thanks,

https://crates.io/crates/webauthn

tiziano88 commented 5 years ago

Thanks @Firstyear, you are right that I should have made it clear that this is not yet ready for use. I will do that now.

BTW I am starting to look again at it and implementing the remaining features, would you like to work together on the same one or are you thinking of taking a different approach in yours?

Firstyear commented 5 years ago

Thanks for that! That would be really helpful.

Well, initially I thought I was going to do it very differently, but the more I implement the more I see similarities and overlap in our code.

Here is my repo here: https://github.com/Firstyear/webauthn-rs

I think that it would not be too difficult to merge back together to collaborate on this, and it would be great to have help and review. I've been following the RFC/standards a lot, and using them as comments, and I was starting to implement testing for the crypto/decode operation correctness. I also have some improvements in the byte parsing/structs compared to your impl. I also found some of your JSON looks like it may not be the same as the RFC requires (mainly around challenges for authentication vs registration). There is also a difference in cred_id storage (you use string, but RFC should be vec). Generally just little changes all over, but nothing major.

So have a look at my code and if it seems okay, I'd be happy to rework it to work on this together :)
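
The `cred_id` storage difference mentioned in the comment above, as an added example that is not code from either repository: the WebAuthn specification defines a credential ID as a byte sequence, and this sketch shows two distinct IDs colliding once they are forced into a `String`. The function names, owner names and sample IDs are constructed for illustration, and lossy UTF-8 conversion is an assumed way a string field might be filled, not a description of what either crate does.

```rust
use std::collections::HashMap;

/// Hypothetical account label that a credential ID maps to.
type Owner = &'static str;

/// Text-keyed store (assumption): the raw ID is forced into a String,
/// so every byte that is not valid UTF-8 becomes U+FFFD.
fn register_as_string(store: &mut HashMap<String, Owner>, cred_id: &[u8], owner: Owner) -> Option<Owner> {
    store.insert(String::from_utf8_lossy(cred_id).into_owned(), owner)
}

/// Byte-keyed store: the ID is kept exactly as the authenticator sent it.
fn register_as_bytes(store: &mut HashMap<Vec<u8>, Owner>, cred_id: &[u8], owner: Owner) -> Option<Owner> {
    store.insert(cred_id.to_vec(), owner)
}

// Constructed sample IDs: they differ in one byte, and that byte is not valid UTF-8.
const ID_ALICE: [u8; 4] = [0x01, 0xFF, 0x02, 0x03];
const ID_BOB: [u8; 4] = [0x01, 0xFE, 0x02, 0x03];

/// Registers both IDs in both stores.
/// Returns (entries in text store, entries in byte store, owner overwritten in text store).
fn demo() -> (usize, usize, Option<Owner>) {
    let mut text_store = HashMap::new();
    let mut byte_store = HashMap::new();

    register_as_string(&mut text_store, &ID_ALICE, "alice");
    // Both IDs map to the same lossy string, so this insert replaces alice's entry.
    let overwritten = register_as_string(&mut text_store, &ID_BOB, "bob");

    register_as_bytes(&mut byte_store, &ID_ALICE, "alice");
    register_as_bytes(&mut byte_store, &ID_BOB, "bob");

    (text_store.len(), byte_store.len(), overwritten)
}

fn main() {
    let (text_entries, byte_entries, overwritten) = demo();
    println!("text-keyed entries: {text_entries}, overwritten owner: {overwritten:?}");
    println!("byte-keyed entries: {byte_entries}");
    // Strict conversion refuses the ID outright instead of silently altering it.
    println!("strict UTF-8 rejects ID: {}", String::from_utf8(ID_ALICE.to_vec()).is_err());
}
```
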

tiziano88 commented 5 years ago

Thanks, I'll take a look at yours and then we can decide how to proceed!

BTW I have started refactoring mine according to https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html in addition to the RFC, it seems to specify the format of the JSON objects in a more practical way.

Firstyear commented 5 years ago

Hey there, thought you may be interested to know that today I started to write the crypto verification parts for the registration process. The starting parts can be found here https://github.com/Firstyear/webauthn-rs/blob/master/src/crypto.rs and obviously have some links to the lib.rs.

Hope that helps!