Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement signing using FIDO sign extension and ARKG #14

Draft
wants to merge 37 commits into
base: funke
Choose a base branch
from
Draft

Implement signing using FIDO sign extension and ARKG #14

wants to merge 37 commits into from

Conversation

emlun
Copy link

@emlun emlun commented Nov 14, 2024

This implements using our proposed WebAuthn sign extension to create credential keypairs and using them to sign credential issuances and presentations. This also implements using ARKG to generate public keys; this currently has no benefit since we still need to sign using the credential private key during the issuance flow, but we anticipate an updated OpenID4VCI profile where this signature will not be needed, enabling a much smoother user experience where public keys can be generated fully automatically even without the security key present.

If either the browser or the authenticator doesn't support the sign extension, the wallet falls back to using PRF based keys like before. Also, at the moment the ARKG implementation only works if there is exactly 1 ARKG-compatible key in the wallet. We'll need to decide what to do if there's more than one.

As of now, this imports the jose module as a submodule so that we can make the SignJWT.sign() function support a customizable signFunction parameter. I've pushed this branch of the jose repository into the wallet-frontend repo, so that we don't need any new repos just for this. So all you should need to do to get this initialized is:

$ git submodule update --init lib/jose/

In order to try/test this you'll also need a browser that supports the WebAuthn sign extension. I have a custom branch of Firefox that does that, I'll look into how I can best share that with y'all.

I haven't yet been able to test this in the Funke context, so it's possible that some things might break...

emlun added 30 commits November 14, 2024 16:13
@emlun
Delete unnecessary state needPrfRetry
03068c7
@emlun
Use switch statement for some keystore error handling
abcf12f
@emlun
Extract type alias LoginWebauthnError
e8e9507
@emlun
Handle "canceled" error in signupWebauthn and loginWebauthn
91a4691
@emlun
Break keystore test cases across multiple lines
cef5eea 
Emacs struggles with very long lines, making it very cumbersome to work with the
file.
@emlun
Add polyfill for PRF extension input/output types
ebe13c4
@emlun
Move creation of PRF extension inputs inside stateless keystore module
89e72f4
@emlun
Add utility functions for working with sign extension
8a56e15
@emlun
Extract function parseCoseKeyEc2Public
cd3fe8a
@emlun
Prepare for using sign extension
926a78b
@emlun
Implement hash_to_field
f599ee3
@emlun
Import ec.ts from Yubico demo-website project
034690e
@emlun
Include curve parameters in hash_to_curve suite
445bb32
@emlun
Greatly expand tests of ec module
96416f4
@emlun
Extract common functions to util module
e460a7f
@emlun
Extract asyncAssertThrows to new testutil module
a6cd41c
@emlun
Add function util.toHex
46aeb81
@emlun
Implement ARKG-P256ADD-ECDH
a986844
@emlun
Fix HMAC in arkgHmacKem
ff01d1c 
See: Yubico/arkg-rfc#21
@emlun
Extract function arkg.getEcInstance
cf3a297
@emlun
Add links to defining sections in ARKG spec
c1169c9
@emlun
Change info parameter in ARKG tests
6f82888
@emlun
Fix HKDF arguments
a3175a8
@emlun
Import jose package as submodule
e6c404e
@emlun
Move lib/jose/ submodule remote to wwwallet/wallet-frontend
3967447
@emlun
Move cbor-web from devDependencies to dependencies
68f8c60
@emlun
Implement signing using sign extension and ARKG
3f6fd74
@emlun
Add UI feedback to WebAuthn signing ceremonies
dfa7bcb
@emlun
Merge branch 'master' into sign-extension-arkg
eea69fb
@emlun
Merge remote-tracking branch 'origin/wwwallet-sync' into sign-extensi…
b0165f9 
…on-arkg
@emlun emlun force-pushed the sign-extension-arkg branch from fc90187 to b0165f9 Compare November 25, 2024 16:49
@emlun emlun requested a review from kkmanos November 25, 2024 16:49
@emlun emlun force-pushed the sign-extension-arkg branch from 5a54ea4 to b0fdf2c Compare November 25, 2024 17:15
@emlun emlun mentioned this pull request Nov 25, 2024
Merged
emlun added 3 commits November 26, 2024 10:58
@emlun
Check out submodules in GitHub Actions build
3bbdb16
@emlun
Set unwrapKey usage on main key when created
677c997 
This fixes possible issues with rotating the key immediately after creating it,
where otherwise it wouldn't be possible to re-wrap private keys without first
taking a detour through session storage to get `importMainKey` to add the
"unwrapKey" usage.
@emlun
Show progress counter in sign-ext credential issuance signing dialog
c3f160f
@emlun emlun force-pushed the sign-extension-arkg branch from 4a61cb5 to c3f160f Compare November 26, 2024 11:31
@emlun emlun marked this pull request as draft November 26, 2024 11:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kkmanos kkmanos Awaiting requested review from kkmanos

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@emlun