olastor / age-plugin-fido2-hmac Goto Github PK

Find a way to simulate a fido2 token somehow so that automatic e2e testing can be done.

• Improve messages
• Handle cases where controller implementations deviate from spec

Hi,
Thanks for this great plugin. I was happily using the previous version on my M2 Mac. I first tried to use the new version by downloading from the releases page but got a format error with both the Darwin assets. Next, I tried to build but got an error 'openssl/ec.h not found'. I have mediocre skills and will probably need to spend many hours on this. Can you pl. check?

• Lint/Test
• Release on new Tag

Is it possible to implement a caching mechanism for the PIN so it doesn't require you to enter it every time if you are decrypting files in bulk?

The current design requires the fido2 token to be present for every operation, which is a big inconvenience. This is because the symmetric key (the HMAC challenge response) is directly used as the encryption key.

One way to solve this would be to use the symmetric key as a seed to generate an asymmetric key pair, and use the public key as the recipient. I chose to keep it simple and not do it because this exceeded my knowledge and the amount of complexity I was comfortable dealing with. However, if there's a well defined and secure way of deriving keypairs from 32 random bytes, the spec could in the future be changed to use that instead (while still keeping backwards compatibility to the current format).

Hi again,
Attempting to decrypt files encrypted with multiple public keys throws the error:
age: error: fido2-hmac plugin: Decrypting multiple stanzas not supported

Both a regular age private key and the age-se-plugin (remko/age-se-plugin) decrypt multiple stanzas just fine.