Bringing Modern Authentication APIs (FIDO2 WebAuthn, Passkeys) to Linux Desktop
There are a few mentions of "platform authenticators", but do we even have such a thing on Linux? There isn't even a standard X.509 certificate/key store, unless you count GPG which has little application support. Firefox and Chrome use separate UNENCRYPTED NSS stores, LibreOffice and some others just hijack the Firefox store, KDE apps use GPG through Kleopatra, some apps keep p12 files...
What we desperately need is a simple protocol with a set of basic functions like sign, encrypt and verify that every program uses (like Microsoft's CryptoAPI), then let the user pick a provider depending on their needs. You could have one provider that stores a dir of unencrypted key files if you really don't care, one that has the files encrypted and requests a password on each use, one that talks to a smartcard, maybe one that uses a connected smartphone with a secure element to do the crypto...
This project is the first that I've seen doing something like that, but it seems to only focus on FIDO/webauthn/whatever. Hopefully it can be eventually generalized to other cryptography uses too (HTTP client certs, S/MIME, PDF signing, encrypted disks/folders...).
Thanks franga2000! As you rightly mention, this project is focused on authentication, and specifically acting as a client device as per the WebAuthn spec [1]. The role of the client device is to marshal requests from apps (such as a web browser) to authenticator devices. These could be roaming authenticators like USB/NFC security keys, BLE devices, or a phone app. Optionally, the client device can provide access to a platform authenticator -- as one of the options.
I agree a platform key store would be great to have, and in fact would be a great choice as a backend for the platform authenticator.
This is not dissimilar from how Android apps can interact with the platform's KeyStore API [2], or the Fido2ApiClient [3] for FIDO authentication. When interacting with the FIDO APIs, apps cannot manage their own keys. However, they can interact with all authenticators, including the platform authenticator, backed by the KeyStore.
I do not believe that FIDO2/WebAuthn can be generalised to a crypto API (happy to chat further about this). Rather, we need two separate APIs - like KeyStore and Fido2ApiClient on Android, and Windows' CryptoAPI and WebAuthn.
> There are a few mentions of "platform authenticators", but do we even have such a thing on Linux?
FIDO2 platform authenticators require a Trusted Platform Module (as well as a user verification mechanism). Until we have a generic crypto API which can be restricted to using TPM as its backend, I believe we can use one of the interfaces from the TPM2 software stack (TSS) [4].
[1] https://www.w3.org/TR/webauthn/#client-device
[2] https://developer.android.com/training/articles/keystore
[3] https://developers.google.com/android/reference/com/google/a...
[4] https://github.com/tpm2-software
WebAuthN: https://en.wikipedia.org/wiki/WebAuthn
FIDO2: https://en.wikipedia.org/wiki/FIDO2_Project
Arch/WebAuthN: https://wiki.archlinux.org/title/WebAuthn
U2F/FIDO2: https://wiki.archlinux.org/title/Universal_2nd_Factor
TPM: https://wiki.archlinux.org/title/Trusted_Platform_Module#Oth...
Seahorse: https://en.wikipedia.org/wiki/Seahorse_(software)
GNOME Keyring: https://en.wikipedia.org/wiki/GNOME_Keyring
tpmfido: https://github.com/psanford/tpm-fido
"PEP 543 – A Unified TLS API for Python" (withdrawn*) https://peps.python.org/pep-0543/#interfaces
> Specifying which trust database should be used to validate certificates presented by a remote peer.
certifi-system-store https://github.com/tiran/certifi-system-store/blob/main/src/...
truststore/_openssl.py: https://github.com/sethmlarson/truststore/blob/main/src/trus...
"Help us test system trust stores in Python" (2022) https://sethmlarson.dev/blog/help-test-system-trust-stores-i...:
python -m pip install \
--use-feature=truststore Flask