{"id":20913813,"url":"https://github.com/ellerh/softfido","last_synced_at":"2025-07-10T00:09:05.196Z","repository":{"id":145467869,"uuid":"233227379","full_name":"ellerh/softfido","owner":"ellerh","description":"A software FIDO2/U2F authenticator","archived":false,"fork":false,"pushed_at":"2023-12-18T16:58:36.000Z","size":161,"stargazers_count":43,"open_issues_count":2,"forks_count":8,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-05-13T09:40:11.104Z","etag":null,"topics":["fido2","pkcs11","rust","u2f","usbip"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ellerh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-11T12:21:10.000Z","updated_at":"2025-02-17T23:29:12.000Z","dependencies_parsed_at":"2024-11-18T15:52:26.431Z","dependency_job_id":null,"html_url":"https://github.com/ellerh/softfido","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ellerh/softfido","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerh%2Fsoftfido","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerh%2Fsoftfido/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerh%2Fsoftfido/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerh%2Fsoftfido/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ellerh","download_url":"https://codeload.github.com/ellerh/softfido/tar.
gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellerh%2Fsoftfido/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264505780,"owners_count":23618970,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fido2","pkcs11","rust","u2f","usbip"],"created_at":"2024-11-18T15:22:53.187Z","updated_at":"2025-07-10T00:09:05.163Z","avatar_url":"https://github.com/ellerh.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Softfido\n\nSoftfido is a software implementation of a\n[FIDO2/U2F](https://fidoalliance.org/fido2/) authenticator.  Most\nFIDO2 authenticators are based on hardware like USB sticks or TPM-like\nchips in smartphones.  Softfido instead implements a virtual USB\ndevice (via [USBIP](https://wiki.archlinux.org/index.php/USB/IP)) so\nthat web browsers can talk to it.\n\nThe cryptographic operations are delegated to\n[SoftHSM](https://www.opendnssec.org/softhsm/). 
In theory, other PKCS11\nmodules could be used, but I only tested with SoftHSM.\n\n# Build\n\n```\ncargo build\n```\n\nSome USBIP-related kernel headers must be installed during the build.\n\n# Use\n\n## Set up SoftHSM\n\nCreate a SoftHSM token with the following command:\n\n```\nsofthsm2-util --init-token --free --label softfido\n```\n\n## Start Softfido\n\n```softfido --token-label softfido```\n\nThis should print something like\n```\nsoftfido::crypto: Generating secret key...\nsoftfido::crypto: Generating token counter...\nSoftfido server running.\n```\n\nYou may need to specify the --pkcs11-module argument if libsofthsm2.so\nis not installed in /usr/lib/softhsm/libsofthsm2.so.\n\n## Kernel module\n\nInsert the vhci-hcd module with:\n```modprobe vhci-hcd```\n\nConnect the kernel module to the server:\n```usbip attach -r 127.0.0.1 -d 1-1```\n\nAfter that `lsusb -d 0:0 -v` should describe the virtual USB device.\n`ls -l /sys/class/hidraw/` should also list a link to a vhci_hcd\ndevice.\n\n## Device permissions\n\nTo allow non-root users to open the virtual hidraw device, its\npermissions must be set up accordingly.  This can be done manually with\n`chmod` or with a udev rule like so:\n\n```\nSUBSYSTEM==\"hidraw\", ATTRS{manufacturer}==\"Fakecompany\", \\\nATTRS{product}==\"Softproduct\", TAG+=\"uaccess\", GROUP=\"plugdev\", MODE=\"0660\"\n```\n\n## Testing\n\nThe `python/` directory contains some (interactive) tests. You can run\nthem with ```python3 softfido_tests.py```.  The tests require the\n[`fido2` Python module](https://pypi.org/project/fido2/).\n\n## Test in browser\n\nYou can test the authenticator on [Yubico's test\npage](https://demo.yubico.com/webauthn-technical/registration) or\n[webauthn.io](https://webauthn.io/).\n\nAt the time of writing, Firefox supports U2F but not FIDO2.  Chromium\nsupports both.  
In my experience, the only website that uses FIDO2\nwhen available is github.com; all others use U2F even if the device\nand the browser would support FIDO2.\n\n# Webauthn with a TPM\n\nSome time after I had started Softfido, I found [James Bottomley's\nWebauthn on TPM\nproject](https://blog.hansenpartnership.com/webauthn-in-linux-with-a-tpm-via-the-hid-gadget/).\nHe describes the technical issues pretty well.  He uses the [HID\nGadget](https://www.kernel.org/doc/html/latest/usb/gadget_hid.html)\nmachinery, which would probably have been a bit easier than USBIP.\nOTOH, with USBIP the authenticator can run on a different machine than\nthe kernel module, which is useful to sidestep kernel bugs.  During\ndevelopment I had a few kernel crashes/lockups. After debugging my\ncode, the only kernel-related issue that I'm aware of is that the\nkernel cannot properly hibernate as long as the virtual device is\nconnected.  Removing the kernel module with `rmmod vhci-hcd` before\nhibernating is advisable.\n\n# Caution\n\nSoftfido is just a hobby project of mine to learn a bit about Rust,\nUSB, FIDO2, and cryptography.  The code is potentially insecure.  Use\nit at your own risk.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fellerh%2Fsoftfido","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fellerh%2Fsoftfido","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fellerh%2Fsoftfido/lists"}