Webauthn Rust Core

Webauthn is a modern approach to hardware based authentication, consisting of a user with an authenticator device, a browser or client that interacts with the device, and a server that is able to generate challenges and verify the authenticator's validity.

⚠️ WARNING ⚠️

This library implements and exposes the raw elements to create a Webauthn Relying Party. Many of these components have many sharp edges and the ability to confuse users, accidentally allow security bypasses, and more. If possible you SHOULD use Webauthn-RS instead of this crate!

However, if you want to do something truly custom or specific, and you understand the risks, then this library is for you.

Why OpenSSL?

A question I expect is why OpenSSL rather than some other pure-Rust cryptographic providers. There are two major justfications.

The first is that if this library will be used in corporate or major deployments, then cryptographic audits may have to be performed. It is much easier to point toward OpenSSL which has already undergone much more review and auditing than using a series of Rust crates which (while still great!) have not seen the same level of scrutiny.

The second is that OpenSSL is the only library I have found that allows us to reconstruct an EC public key from its X/Y points or an RSA public key from its n/e for use with signature verification. Without this, we are not able to parse authenticator credentials to perform authentication.

Resources

• Specification: https://www.w3.org/TR/webauthn-3
• JSON details: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html
• Write up on interactions: https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285