{"id":24352303,"url":"https://github.com/gsora/fidati","last_synced_at":"2025-04-10T00:27:25.625Z","repository":{"id":54979070,"uuid":"308387935","full_name":"gsora/fidati","owner":"gsora","description":"DIY FIDO2 U2F token","archived":false,"fork":false,"pushed_at":"2023-08-06T17:07:04.000Z","size":7144,"stargazers_count":40,"open_issues_count":1,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-24T02:11:42.356Z","etag":null,"topics":["arm","fido2","go","golang","golang-application","golang-library","tamago","u2f","u2f-key"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gsora.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-29T16:32:57.000Z","updated_at":"2025-03-09T21:26:43.000Z","dependencies_parsed_at":"2024-06-18T23:59:57.073Z","dependency_job_id":"e9c2465d-06ab-40b7-a6af-698260299828","html_url":"https://github.com/gsora/fidati","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsora%2Ffidati","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsora%2Ffidati/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsora%2Ffidati/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsora%2Ffidati/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gsora","download_url":"https://codeload.github
.com/gsora/fidati/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248133173,"owners_count":21053183,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arm","fido2","go","golang","golang-application","golang-library","tamago","u2f","u2f-key"],"created_at":"2025-01-18T15:48:05.689Z","updated_at":"2025-04-10T00:27:25.592Z","avatar_url":"https://github.com/gsora.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# `fidati`: DIY FIDO2 U2F token\n\n`fidati` is a FIDO2 U2F token implementation for the F-Secure USB Armory Mk.II, written in Go by leveraging the [Tamago](https://github.com/usbarmory/tamago) compiler.\n\nThis repository holds a developer-friendly Tamago firmware, for a more user-friendly one check out [`GoKey`](https://github.com/usbarmory/gokey).\n\n## Project status: **PoC**\n\nThis project is still very much a Proof-of-Concept and should be handled as such: **there are exactly zero guarantees about the safety/security of fidati**.\n\nCode is still work-in-progress, expect bugs/bad practices and so on.\n\nWhat works:\n - HID interface\n - key generation\n - site registration\n - site authentication\n\n`fidati` uses the microSD card as its support for persistency. 
\n\nCurrently no filesystem is supported, so `fidati` will use up the entire microSD space if needed.\n\nThis means that `fidati` can only be run from the Armory eMMC; a future revision will fix this.\n\nTo prepare a microSD for `fidati`, zero out its first 512 bytes. Check the device node first: the command below overwrites the first sector (including any partition table) of whatever `/dev/mmcblk0` is on your host, so make sure it is the microSD and not another disk:\n\n```bash\ndd if=/dev/zero of=/dev/mmcblk0 bs=512 count=1\n```\n\nNo relying party private key is stored: the microSD only holds a monotonic counter.\n\nFor more details about how `fidati` deterministic key derivation works, see [here](https://www.yubico.com/blog/yubicos-u2f-key-wrapping/).\n\n## Building and running\n\nYou can run `fidati` with or without a bootloader.\n\nBy default the project `Makefile` produces a binary with logging disabled.\n\nTo enable logging, append `TARGET=\"'usbarmory debug fidati_logs'\"` to the `make` parameters.\n\n`fidati` as a library disables logging by default.\n\nTo enable it, build your program with the `fidati_logs` build tag.\n\n### Booting via U-Boot\n\n```\n$ make\n```\n\nThis command will produce a self-standing ELF executable, `fidati`, which can be booted via U-Boot in the usual way:\n\n```\next4load mmc 0:1 0x80800000 /fidati\nbootelf 0x80800000\n```\n\n### Booting without a bootloader\n\n```\n$ make imx\n```\n\nThis command will produce an i.MX native image, `fidati.imx`, which can be flashed to either the internal Armory eMMC or a microSD.\n\nRefer to [these instructions](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)#flashing-imx-native-images) for the flashing procedure.\n\n## Usage as a library\n\n`fidati` can be used as a library, by importing the `github.com/gsora/fidati` package and invoking the `ConfigureUSB()` function.\n\nSee `firmware/main.go` and `firmware/usb.go` for an example.\n\n## Technical details\n\n`fidati` implements the bare minimum functionality to act as a FIDO2 U2F token, as detailed by the [FIDO Alliance](https://fidoalliance.org/specifications/download/).\n\nA default attestation certificate and private key are contained in this repository, in the `/certs` directory. Since both are public, attestations made with them give a relying party no assurance about the device; use them for testing only.\n\nA CLI tool, `gen-cert`, is available for those who want to generate their own certificate and private key.\n\nFor each relying party, given its `appID` and a device-specific master key, `fidati` deterministically derives an ECDSA private key, which is then used in the registration and authentication phases.\n\nThe derivation algorithm is defined as follows:\n\n```\nnonce := (32 secure random bytes)\nrelyingPartyPrivateKey := HMAC-SHA256(MasterKey, appID, nonce)\nkeyHandle := HMAC-SHA256(MasterKey, appID, relyingPartyPrivateKey) + nonce\n```\n\nTo derive the private key back given a `keyHandle` and `appID`, extract the `nonce` from the last 32 bytes of `keyHandle` and execute the algorithm again. The first 32 bytes of `keyHandle` are a MAC over `appID` and the derived key, so the recomputed value must be compared in constant time with the presented one: a mismatch means the handle was not issued by this device for this `appID`, and authentication must fail.\n\n## Debugging\n\nTo test U2F token registration and login, the following tools can be used:\n - https://mdp.github.io/u2fdemo/\n - https://demo.yubico.com/webauthn-technical/registration\n - https://github.com/Yubico/java-webauthn-server/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgsora%2Ffidati","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgsora%2Ffidati","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgsora%2Ffidati/lists"}
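The key-wrapping scheme described in the README's "Technical details" section, carried through both directions (registration builds the handle, authentication validates it and recovers the key), as an added example that is not part of the `fidati` repository. It assumes that the README's `HMAC-SHA256(MasterKey, a, b)` notation means HMAC keyed with `MasterKey` over the concatenation `a || b`, and that the 32-byte HMAC output is reduced modulo the P-256 group order to form the ECDSA private scalar (U2F uses P-256); the master key, `appID` and challenge below are constructed sample values. The U2F message framing, attestation and the microSD counter are outside the scope of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

const nonceLen = 32

// hmacSHA256 implements the README's HMAC-SHA256(key, a, b) notation, read here
// (an assumption, not stated by the project) as HMAC keyed with key over a || b.
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// derive computes the relying party private scalar and the key handle
// (MAC || nonce) for one appID and nonce, following the README's pseudocode.
func derive(masterKey, appID, nonce []byte) (scalar, keyHandle []byte) {
	scalar = hmacSHA256(masterKey, appID, nonce)
	mac := hmacSHA256(masterKey, appID, scalar)
	keyHandle = append(mac, nonce...)
	return scalar, keyHandle
}

// scalarToKey turns the 32-byte HMAC output into a P-256 private key (the U2F
// curve), reducing modulo the group order and rejecting the zero scalar.
func scalarToKey(scalar []byte) (*ecdsa.PrivateKey, error) {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(scalar)
	d.Mod(d, curve.Params().N)
	if d.Sign() == 0 {
		return nil, errors.New("derived scalar is zero")
	}
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve}, D: d}
	priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return priv, nil
}

// Register is the registration step: draw a fresh nonce, derive the per-site
// key, and hand the relying party the key handle (plus the public key).
func Register(masterKey, appID []byte) (keyHandle []byte, priv *ecdsa.PrivateKey, err error) {
	nonce := make([]byte, nonceLen)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	scalar, handle := derive(masterKey, appID, nonce)
	priv, err = scalarToKey(scalar)
	if err != nil {
		return nil, nil, err
	}
	return handle, priv, nil
}

// Recover is the authentication step: re-derive the key from the handle the
// relying party presents, refusing handles whose MAC does not verify (wrong
// device, wrong appID, or tampered bytes) before any signature is produced.
func Recover(masterKey, appID, keyHandle []byte) (*ecdsa.PrivateKey, error) {
	if len(keyHandle) != sha256.Size+nonceLen {
		return nil, errors.New("key handle has wrong length")
	}
	nonce := keyHandle[sha256.Size:]
	scalar, expected := derive(masterKey, appID, nonce)
	if !hmac.Equal(expected, keyHandle) { // constant-time MAC check
		return nil, errors.New("key handle MAC mismatch: not issued by this device for this appID")
	}
	return scalarToKey(scalar)
}

func main() {
	// Constructed sample inputs; a real token keeps masterKey inside the device.
	masterKey := []byte("constructed-32-byte-master-key!!")
	appID := []byte("https://example.com")

	handle, regKey, err := Register(masterKey, appID)
	if err != nil {
		panic(err)
	}
	authKey, err := Recover(masterKey, appID, handle)
	if err != nil {
		panic(err)
	}
	challenge := sha256.Sum256([]byte("constructed challenge"))
	sig, err := ecdsa.SignASN1(rand.Reader, authKey, challenge[:])
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies with registered public key:",
		ecdsa.VerifyASN1(&regKey.PublicKey, challenge[:], sig))

	_, err = Recover(masterKey, []byte("https://other.example"), handle)
	fmt.Println("handle replayed to a different appID:", err)
}
```

The MAC half of the handle is what lets a stateless token refuse a handle minted by another device, or one minted for a different `appID` (the classic U2F phishing check), without storing anything per site; `hmac.Equal` keeps that comparison constant-time.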