soft-u2f

Three-part Javascript implementation of a software-based U2F device. Includes a convenient abstraction for the browser which provides a SubtleCrypto-based device or a shim if the browser doesn't support the latest crypto. Additionally, a Node.js-compatible version is attached, which uses Node's own crypto.

Building

To build, simply call npm start. All files will be output by default to the dist directory, but you can modify build settings by tinkering with the webpack configuration, webpack.config.js, and the typescript compiler configuration, tsconfig.json (not recommended).

Testing

Before you run tests for the browser implementation you must start up the local test server:

node ./test-server/server.js

For the Browser

In another terminal, call npm test and open the IP listed by Karma in the browser you wish to test.

For Node

To test the Node implementation, simply open another terminal and call mocha.

Usage

In the Browser

HTML

<head>
    <script src="https://cdn.rawgit.com/alinVD/soft-u2f/master/dist/softU2F.js"></script>
</head>

Javascript

// 1. Create virtual U2F device
var device = createSoftU2FDevice();

// 2. Get a registration challenge from the server
var regReq = getRegistrationRequestFromServer();

// 3. Register the device to the account you just got a challenge from
var regRes = device.register(regReq.appID, regReq.challenge, yourServerDomain, regReq.userID);
var keyID = regRes.keyID; // you can use this to export the keypair you just generated
sendRegistrationResponseToServer(regRes.response);

// 4. Now the user needs to save their U2F credential
var extKeyPair = device.export(keyID, aUint8ArrayPasswordWhichWillBeDisposedOf);
saveEncryptedKeyPairToJSONFile(extKeyPair);

// 4. Alternatively, or as an additional measure, have the user write down the raw private in case something happens to the key file
var extPrivate = device.exportRaw(keyID);
window.alert('Write this on a sticky: ' + extPrivate);