tweag / webauthn

A library for parsing and validating webauthn/fido2 credentials
Apache License 2.0

Metadata service access #10

Closed infinisil closed 2 years ago

infinisil commented 3 years ago

The metadata service by the FIDO Alliance gives information on each authenticator, which the library should expose. Information: https://fidoalliance.org/metadata/

arianvp commented 2 years ago

An interface like https://www.npmjs.com/package/fido-mds3 would be super useful:

```haskell
-- | Given the MDS URI and the root certificate fingerprint, create the service
createService :: URI -> X509FingerPrint -> IO MetadataService

-- | FIDO2: look up an authenticator model by its AAGUID
findByAAGUID :: AAGUID -> ForceRefresh -> MetadataService -> IO (Maybe MetadataPayloadEntry)

-- | U2F: look up an authenticator by its attestation certificate key identifier
findByAttestationCertificateKeyIdentifier :: X509FingerPrint -> ForceRefresh -> MetadataService -> IO (Maybe MetadataPayloadEntry)
```

(Or an equivalent MTL stack)

infinisil commented 2 years ago

I've thought about this and discussed it with @ErinvanderVeen. He made a good argument that a security-critical server commonly shouldn't have access to the internet, or only in very restricted forms. Implementing this updating in Haskell would imply that it needs internet access.

As an alternative, I believe it might be a better idea to handle at least the updating of the metadata blob with a rather simple systemd service + timer, which essentially just runs curl http://mds.fidoallianc.org/ every month and signals the server process when it does. The server process then just needs to re-read the file when that happens.

Either way, an interface like this is probably needed in the end and we're planning to add support for it :)
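One way to realise the fetch-and-signal step sketched in the comment above, as an added example that is not part of the tweag/webauthn project: a small POSIX shell script that the timer's service unit would run. The destination path, the pidfile location and the use of SIGHUP as the "re-read your blob" signal are assumptions for illustration; the only fact relied on is that the MDS3 blob is published as a compact JWT (three base64url segments), which the script uses as a sanity check before swapping the file in. Signature verification against the FIDO root stays in the library, not in this script.

```shell
#!/bin/sh
# Added example, not code from tweag/webauthn. Run by a systemd timer's
# service unit: download the MDS blob, install it atomically, signal the server.
# Assumed: destination path, pidfile path and SIGHUP as the reload signal.
set -eu

# Shape check only: a compact JWT is three non-empty base64url segments joined
# by dots. This keeps an HTML error page or a truncated download from ever
# replacing a good blob; cryptographic verification is the library's job.
looks_like_jwt() {
    # $1: path to the candidate blob
    [ -s "$1" ] || return 1
    tr -d '\n\r' < "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Install the candidate at $2 only if it passes the shape check. The copy goes
# to a temp file in the destination directory and is renamed into place, so the
# server process never observes a half-written blob.
install_blob() {
    # $1: candidate path, $2: destination path
    candidate=$1
    dest=$2
    looks_like_jwt "$candidate" || return 1
    tmp=$(mktemp "$(dirname "$dest")/.mds-blob.XXXXXX")
    cp "$candidate" "$tmp"
    chmod 0644 "$tmp"          # server only needs read access
    mv -f "$tmp" "$dest"       # rename is atomic on the same filesystem
}

# Tell the server a new blob is in place. Reads the PID from a pidfile; if the
# pidfile is absent (server not running yet) there is nothing to do.
notify_server() {
    # $1: pidfile path
    [ -r "$1" ] || return 0
    pid=$(cat "$1")
    kill -HUP "$pid"
}

# Entry point for the service unit: fetch, install, notify.
refresh_mds() {
    # $1: MDS URL, $2: destination blob path, $3: server pidfile
    download=$(mktemp)
    curl --fail --silent --show-error --location --output "$download" "$1"
    install_blob "$download" "$2"
    rm -f "$download"
    notify_server "$3"
}

# Only perform the fetch when invoked with all three arguments, so the
# functions above can also be sourced and exercised without network access.
if [ "$#" -eq 3 ]; then
    refresh_mds "$1" "$2" "$3"
fi
```

The matching service unit would point ExecStart at this script with the URL, blob path and pidfile as arguments, and the timer unit would use a monthly OnCalendar schedule; the server side only has to re-read the blob file on SIGHUP, which keeps the Haskell process free of any outbound network dependency.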

infinisil commented 2 years ago

Metadata access now works well using #66: https://github.com/tweag/webauthn/blob/44e89a1519b7d9a809209a3e4907daf782091650/src/Crypto/WebAuthn/Metadata/Service/Processing.hs#L147-L155

In #74 this will be used to do attestation statement certificate chain validation. #74 also adds a MetadataFetch.hs module to the server example code which shows how the metadata can be fetched.

Note that the library is currently fully pure, but in the future there's the possibility of adding impure code for e.g. doing this metadata fetching, but also handling the temporary storage of pending operations (see https://github.com/tweag/webauthn/blob/master/server/src/PendingOps.hs) and random generation.