Provided by: libcrypt-u2f-server-perl_0.43-1build1_amd64 bug

NAME

       Crypt::U2F::Server::Simple - Register and Authenticate U2F compatible security devices

SYNOPSIS

         use Crypt::U2F::Server:Simple;

         my $crypter = Crypt::U2F::Server::Simple->new(
             appId  => 'Perl',
             origin => 'http://search.cpan.org'
         );

         # Generate a registration request
         my $registerRequest = $crypter->registrationChallenge();

         # Give $registerRequest to client, receive $registrationData from client
         # NB: if Crypt::U2F::Server::Simple has been recreated (web process for example), challenge
         #     value must be restored (value only, not JSON blob):
         #$crypter->setChallenge($challenge)
         my ($keyHandle, $userKey) = $crypter->registrationVerify($registrationData)

         # Generate an authentication request (using the previously generated key handle and user key)
         my $authrequest = $crypter->authenticationChallenge();

         # Send $authrequest to client, receive $authSignature
         # NB: if Crypt::U2F::Server::Simple has been recreated (web process for example), challenge
         #     value must be restored (value only, not JSON blob):
         #$crypter->setChallenge($challenge)
         my $authok = $crypter->authenticationVerify($authSignature);

DESCRIPTION

       This module implements the server side of U2F authentication through Yubico's C library.

       Both registration and authentication are two step processes that each must be run in the
       same instance of this perl module. To clarify You can run registration from another
       instance than authentication, or even in another program on another server. But, as far as
       it is currently implemented, you must run both registration steps in the same instance of
       this module, the same goes for authentication. Needs more testing, really.

       A successful registration of a key yields to two scalars, a key handle and a public key.
       It is your responsibility to keep them safe somewhere and reload them into this module
       whenever you want to do authentication.

INSTALLATION

       This module requires the Yubico u2f-server shared library installed, please see the
       official project page at <https://developers.yubico.com/libu2f-server/> on how to do that.

NO MULTITHREADING

       The way this is currently implemented, i doubt very much that multithreadingm will work.
       Multi-Forking should be OK as long as you only call new() after forking, though. Also
       using more than one instance of this module in your program. This isn't really tested at
       the moment, though...

ALPHA WARNING

       As already stated above, at this time Crypt::U2F::Server and Crypt::U2F::Server::Simple
       have seen only very limited testing and the modules are still subject to change.

       That isn't to say that you shouldn't use this at all. Rather, if you are interested, you
       should test this a lot and report any bugs you find!

FUNCTION DESCRIPTION

   lastError()
       Probably the most important function of all, therefore mention first. If something goes
       wrong (but not HorriblyWrong[tm]), you'll get the last error description of whatever
       happened.

       If something fails during new(), call it with the full name:

           my $oooops = Crypt::U2F::Server::Simple::lastError();

       If you already got an instance, you can use that as well:

           my $oooops = $auth->lastError();

       Errors are global over all instances of this module.

       If things go HorriblyWrong[tm], your program might crash. Or get remote-buffer-overflow-
       exploited or something. In these case, lastError() might not work reliably. You know, just
       the usual crypto stuff...

   new()
       This comes in two forms, depending if you do authentication in the same instance as the
       registration steps.

       The simple form (only registration or registration+authentication) only requires the
       arguments appId and origin:

           my $auth = Crypt::U2F::Server::Simple->new(
               appId  => 'Perl',
               origin => 'http://search.cpan.org'
           );

       If you only do authentication, you have to supply the keyHandle and publicKey data as
       well:

           my $auth = Crypt::U2F::Server::Simple->new(
               appId     => 'Perl',
               origin    => 'http://search.cpan.org',
               keyHandle => $keyHandleData
               publicKey => $publicKeyData
           );

       For security, i would recommend creating a new instance for each and every authentication
       request.

       If something goes wrong during initialization, $auth will be undef.

       To enable Yubico library debug, set debug to 1:

           my $auth = Crypt::U2F::Server::Simple->new(
               appId  => 'Perl',
               origin => 'http://search.cpan.org',
               debug  => 1
           );

   registrationChallenge()
           my $challenge = $auth->registrationChallenge();

       Gives you a unique registration challenge on every call. This is a JSON string and should
       be send to the client (called a "host" for whatever reason) as is.

       If something goes wrong, $challenge will be undef.

       $challenge is a JSON blob that contains a hash. Here are the main keys

       version: the protocol version
       appId: the appId given in new()
       challenge: the challenge value

   registrationVerify()
           my ($keyHandle, $publicKey) = $auth->registrationVerify($reply);

       If the client (the "host") accepts the challenge, it will send you another JSON blob
       ($reply).

       If everything goes well and registration succeeds, you will get the key handle and public
       key of, well client key. If it fails, you will get undef.

       $keyHandle and $publicKey will get set internally for direct following authentication in
       the same instance, you need to store it in some persistent way yourself for future
       authentication.

       As an added bonus, $publicKey will be a binary blob, so you may have to convert it to
       something like Base64 for easier handling. See MIME::Base64 on how to do that. Make sure
       you un-encode before loading it into this module!

   authenticationChallenge()
       This function generates an authentication challenge. To do that, it needs keyHandle and
       publicKey, since this is key dependent.

           my $challenge = $auth->authenticationChallenge();

       Otherwise, this works the same as the registration challenge. You get a JSON blob, send
       that to the client and get an answer.

       The JSON blob structure is described in registrationChallenge() doc.

   authenticationVerify()
       After you get the authentication answer, you need to verify it:

           my $isValid = $auth->authenticationVerify($reply);

       $isValid is true if authentication succeedsr. If something went wrong (library error, fake
       user), $isValid is false, in which case you can look into lastError() to see what went
       wrong.

   setChallenge()
       If Crypt::U2F::Server::Simple has been recreated since registrationChallenge() or
       authenticationChallenge() usage, challenge value must be restored:

           $auth->setChallenge($challenge)

       Note that $challenge must be the string value of challenge, not the JSON blob.  See
       registrationChallenge() doc to get challenge description.

SEE ALSO

       See Crypt::U2F::Server for the low level library if you want better headaches.

       There are two examples in the tarball for registration and authentication.

BUGS

       Yes, there should be some in there. First of all, this is crypto stuff, so it's broken by
       default (it only depends on the time it takes to happen).

       Also, at the moment, this module has seen only very limited testing.

AUTHOR

       Rene Schickbauer, <rene.schickbauer@magnapowertrain.com>
       Xavier Guimard, <x.guimard@free.fr>

COPYRIGHT AND LICENSE

       Adapted as a Perl library by Rene 'cavac' Schickbauer

       This roughly based on u2f-server.c from Yubico's C library, see
       <https://developers.yubico.com/libu2f-server/>

       In order for this to work, you need to install that library.

       This adaption is (C) 2014-2018 Rene 'cavac' Schickbauer and 2018 Xavier Guimard, but as it
       is based on Yubico's code, the licence below applies!

       We, the community, would hereby thank Yubico for open sourcing their code!

           /*
           * Copyright (c) 2014 Yubico AB
           * All rights reserved.
           *
           * Redistribution and use in source and binary forms, with or without
           * modification, are permitted provided that the following conditions are
           * met:
           *
           * * Redistributions of source code must retain the above copyright
           * notice, this list of conditions and the following disclaimer.
           *
           * * Redistributions in binary form must reproduce the above
           * copyright notice, this list of conditions and the following
           * disclaimer in the documentation and/or other materials provided
           * with the distribution.
           *
           * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
           * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
           * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
           * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
           * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
           * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
           * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
           * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
           * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
           * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
           * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
           */