Skip to content

Commit

Permalink
fix some docs
Browse files Browse the repository at this point in the history
  • Loading branch information
micolous committed Apr 18, 2023
1 parent 7b87e53 commit 1aed237
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 14 deletions.
29 changes: 18 additions & 11 deletions cable-tunnel-server/README.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
# webauthn-rs caBLE tunnel server

**Important:** it is only necessary for an *authenticator vendor* to run a caBLE
tunnel service for their devices. Initiators (such as browsers and client
applications) connect to a tunnel service of the *authenticator's* choosing.

**Warning:** this is still a work in progress, and not yet fully implemented.

However, you can run a single-task tunnel service with the `backend` alone:
[see `./backend/README.md` for instructions][0].

**Important:** it is only necessary for an *authenticator vendor* to run a caBLE
tunnel server for their devices. Initiators (such as browsers and client
applications) connect to a tunnel server of the authenticator's choosing.

[0]: ./backend/README.md

## Background
Expand All @@ -27,14 +27,14 @@ As far as the tunnel server is concerned, what happens is:

2. The authenticator connects to a tunnel server of its choosing, using HTTPS.

3. The authenticator makes a WebSocket request to `/cable/new/${TUNNEL_ID}`.
3. The authenticator makes a WebSocket request to `/cable/new/${TUNNEL_ID}`[^new].

4. The tunnel server responds with a WebSocket handshake, and includes a 3 byte
routing ID in the HTTP response headers to indicate which task is serving
the request.

5. The authenticator transmits the tunnel server ID and routing ID as as an
encrypted Bluetooth Low Energy advertisement to the initiator.
5. The authenticator transmits the tunnel server ID and routing ID to the
initiator using an encrypted Bluetooth Low Energy advertisement.

6. The initiator decrypts the advertisement, and connects to the tunnel server
using HTTPS.
Expand All @@ -44,8 +44,8 @@ As far as the tunnel server is concerned, what happens is:

8. The tunnel server responds with a WebSocket handshake.

9. The tunnel server relays WebSocket messages between the authenticator and
initiator.
9. The tunnel server relays binary WebSocket messages between the authenticator
and initiator.

The initiator starts a Noise channel with the authenticator for further
communication such that the tunnel server cannot read their communications, and
Expand All @@ -56,6 +56,13 @@ limits, the tunnel server implementations are very simple. The tunnel server
itself does not need to concern itself with the minutae of the Noise protocol -
it only needs to pass binary messages across the tunnel verbatim.

[^new]:
This [follows Google's caBLE URL convention][2]. The URL used to establish a
new channel [is not part of the FIDO 2.2 specification][3].

[2]: https://source.chromium.org/chromium/chromium/src/+/main:device/fido/cable/v2_handshake.cc?q=symbol%3A%5Cbdevice%3A%3Acablev2%3A%3Atunnelserver%3A%3AGetNewTunnelURL%5Cb%20case%3Ayes
[3]: https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#ref-for-client-platform①⓪

## Design

`webauthn-rs`' caBLE tunnel server consists of three parts:
Expand Down Expand Up @@ -85,8 +92,8 @@ task.
### Frontend

**Warning:** The `frontend` is not yet fully implemented, and does not yet do
everything described here. This would be necessary for a larger scale deployment
of a caBLE tunnel server.
everything described here. This would be necessary to operate a
high-availability caBLE tunnel service.

**Source:** [`./frontend/`][frontend]

Expand Down
6 changes: 3 additions & 3 deletions cable-tunnel-server/backend/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,13 +62,13 @@ To run the server with HTTPS and strict `Origin` header checks:
--origin cable.example.com
```

> **Important:** caBLE has an algorithm to deriving tunnel server domain names
> -- you cannot host the service on arbitrary domain names of your choosing.
> **Important:** caBLE has an algorithm to deriving tunnel server domain names
> you cannot host the service on an arbitrary domain name of your choosing.
>
> Run [`webauthn-authenticator-rs`' `cable_domain` example][cable_domain] to
> derive hostnames at the command line.
[cable_domain]: ../../webauthn-authenticator-rs/example/cable_domain.rs
[cable_domain]: ../../webauthn-authenticator-rs/examples/cable_domain.rs

## Logging

Expand Down

0 comments on commit 1aed237

Please sign in to comment.