OpenSK

Go to file

egor-duda 41780e9e33 Move protocol-specific user presence checking code from Env to CTAP library (#501 )

* Common duration type for ctap library independent of TockOS

* Implement Env-specific ctap-hid channels for I/O
Common I/O Status, Error and Result types

* Move common user presence checking code to ctap library

* Move CtapHidChannel and UserPresence traits, with their accompanying
types to separate API mods. Remove Default implementations of methods
in these traits, to keep all implementation details inside of concrete
Env types.

Rename methods in UserPresence trait, for better readability.

Remove duplicate code for finding appropriate HID channel for given
transport.

Rework check_user_presence() function so that there's no more need for
quick_check() method in UserPresence trait. To short-circuit user
presence check, Env implementation may use wait_with_timeout() method.

* Fix button press wait with zero timeout for TockEnv

* Fix formatting

* Remove type for duration, use embedded_time::duration::Milliseconds
directly, for better readability.

Treat any unconfirmed result of user presence check as an error, which
maps more naturally to CTAP spec status codes.

Remove unneeded underscores in trait definition.

Store usb endpoint directly, in TockEnv channels, to avoid unneeded
conversions.

* No need for separate error type for send_keepalive_up_needed()

* Document UserPresence trait and types.

Remove unused parameters in UserPresence trait's methods.

Add conversion function from UserPresence errors to Ctap2 status codes.

Do not check button status when tock user presence wait is called with
zero timeout.

* Make test environment always report success sending data

* Rename CtapHidChannel to HidConnection, rename *_hid_channel ->
*_hid_connection, for clarity. Use "Channel" to refer to the logical
connection from authenticator to one client, and use "Connection" to
refer to physical connection of authenticator to platform, on which
clients run.

Remove channel parameter from user presence API, it's not needed.

* Remove duplicate comments.

Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>

2022-06-23 16:34:27 +02:00

.github

Add ed25519 to local and github tests

2022-05-20 10:31:52 +02:00

boards/nordic

Create a 2nd USB interface for the Vendor HID (#472 )

2022-05-03 10:35:35 +02:00

bootloader

enforces Module imports granularity (#445 )

2022-03-14 20:44:48 +01:00

docs

roll back fuzzing install script, documentation instead (#439 )

2022-03-08 03:09:48 +01:00

examples

Allow read_slice to return a Vec

2022-06-03 11:16:43 +02:00

fuzz

Fix pylint configuration, script and matcher (#491 )

2022-06-07 20:39:22 +02:00

libraries

Accommodate Store requirements for max_word_writes and max_page_erases

2022-06-07 17:04:18 +03:00

maintainers

Also restore index for check

2022-06-22 11:26:02 +02:00

metadata

Fix indentation

2020-11-23 20:33:01 +01:00

patches

Connect Vendor HID interface between USB driver and CTAP app (#490 )

2022-06-20 07:31:31 +02:00

reproducible

Changed reproducible

2020-10-09 15:15:22 +00:00

rules.d

Initial commit

2020-01-30 11:47:29 +01:00

src

Move protocol-specific user presence checking code from Env to CTAP library (#501 )

2022-06-23 16:34:27 +02:00

third_party

Connect Vendor HID interface between USB driver and CTAP app (#490 )

2022-06-20 07:31:31 +02:00

tools

Fix libfido in configure (#499 )

2022-06-13 13:46:15 +02:00

.gitignore

Add some fuzz subdirs to gitignore

2022-03-22 18:20:42 +08:00

.gitmodules

Ignore dirty submodules

2020-11-30 08:46:02 -08:00

.markdownlint.json

Initial commit

2020-01-30 11:47:29 +01:00

.pylintrc

Fix pylint configuration, script and matcher (#491 )

2022-06-07 20:39:22 +02:00

build.rs

enforces Module imports granularity (#445 )

2022-03-14 20:44:48 +01:00

Cargo.toml

Use ed25519-compact crate instead of ed25519-dalek

2022-05-16 21:48:43 +03:00

deploy.py

Disable patches check on github

2022-06-21 19:58:43 +02:00

fuzzing_setup.sh

roll back fuzzing install script, documentation instead (#439 )

2022-03-08 03:09:48 +01:00

layout.ld

Bump Tock kernel version (#374 )

2021-09-10 08:32:34 +02:00

LICENSE

Initial commit

2020-01-30 11:47:29 +01:00

nrf52840_layout_a.ld

New boards with layouts for dual partition setups (#387 )

2021-10-06 18:33:40 +02:00

nrf52840_layout_b.ld

New boards with layouts for dual partition setups (#387 )

2021-10-06 18:33:40 +02:00

nrf52840_layout.ld

Merge branch 'master' into no_wfr

2020-04-30 16:18:41 +02:00

OpenSK.code-workspace

Use a vscode workspace instead of local settings.

2020-12-10 10:02:48 +01:00

README.md

fix broken link (#412 )

2021-11-19 13:10:16 +01:00

reset.sh

Install elf2tab in its own directory.

2020-09-29 12:56:21 +02:00

run_desktop_tests.sh

No need for specific feature, use std instead

2022-06-05 22:40:32 +03:00

rust-toolchain

Update rust-toolchain to be a symlink to third_party/libtock-rs/rust-toolchain.

2020-08-07 15:09:07 +02:00

rustfmt.toml

enforces Module imports granularity (#445 )

2022-03-14 20:44:48 +01:00

SECURITY.md

adds and links new security policy

2021-07-09 11:52:16 +02:00

setup-submodules.sh

Do not set the stack size outside prod (#415 )

2021-11-30 18:11:42 +01:00

setup.sh

Fix libfido in configure (#499 )

2022-06-13 13:46:15 +02:00

README.md

OpenSK

This repository contains a Rust implementation of a FIDO2 authenticator. We developed OpenSK as a Tock OS application.

We intend to bring a full open source experience to security keys, from application to operating system. You can even 3D print your own open source enclosure! You can see OpenSK in action in this video on YouTube!

You are viewing the branch for developers. New features are developed here before they are stabilized. If you instead want to use the FIDO certified firmware, please go back to the stable branch.

FIDO2

The develop branch implements the CTAP2.1 specification. This branch is not FIDO certified. The implementation is backwards compatible to CTAP2.0. Additionally, OpenSK supports U2F, and non-discoverable credentials created with either protocol are compatible with the other.

⚠️ Disclaimer

This project is proof-of-concept and a research platform. It is NOT meant for a daily usage. It comes with a few limitations:

This branch is under development, and therefore less rigorously tested than the stable branch.
The cryptography implementations are not resistent against side-channel attacks.

We're still in the process of integrating the ARM® CryptoCell-310 embedded in the Nordic nRF52840 chip to enable hardware-accelerated cryptography. Our placeholder implementations of required cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and AES256) in Rust are research-quality code. They haven't been reviewed and don't provide constant-time guarantees.

Hardware

You will need one the following supported boards:

Nordic nRF52840-DK development kit. This board is more convenient for development and debug scenarios as the JTAG probe is already on the board.
Nordic nRF52840 Dongle to have a more practical form factor.
Makerdiary nRF52840-MDK USB dongle.
Feitian OpenSK dongle.

Installation

To install OpenSK,

follow the general setup steps,
then continue with the instructions for your specific hardware:

To test whether the installation was successful, visit a demo website and try to register and login. Please check our Troubleshooting and Debugging section if you have problems with the installation process or during development. To find out what else you can do with your OpenSK, see Customization.

Contributing

See Contributing.md.

Reporting a Vulnerability

See SECURITY.md.