PeculiarVentures/fortify PeculiarVentures/fortify

  • This repository has been archived on 03/Sep/2024
  • Stars
    star
    114
  • Rank 308,031 (Top 7 %)
  • Language
    TypeScript
  • License
    Other
  • Created over 7 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
PeculiarVentures/fortify
github

PeculiarVentures

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the desktop application repository.

Fortify logo

Fortify Desktop

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. For Mac, Windows, and Linux.

License: AGPL v3 github release version github release downloads

Background

Fortify is a client application that you install that runs in the background as a tray application in Windows, OSX, and Linux that provides these missing capabilities to authorized applications.

It does this by binding to 127.0.0.1 and listening to a high-order well-known port for incoming requests. Browsers allow web applications to initiate sessions to this address, over that session a Fortify enabled application establishes a secure session and if approved by the user is allowed to access these missing capabilities.

Architecture

Fortify is a Node.js application based on Electron and it accesses all cryptographic implementations via node-webcrypto-p11. This library was designed to provide a WebCrypto compatible API to Node.js applications but it also extends the WebCrypto API to provide basic access to certificate stores.

It uses another Peculiar Ventures project called PVPKCS11 to access the OSX KeyStore, Mozilla NSS or Windows CryptoAPI via this PKCS#11 wrapper.

It also uses pcsclite to listen for a smart card or security token insertions and removals, when new insertions are detected it inspects the ATR of the card. If it is a known card the client attempts to load the PKCS#11 library associated with the card. If that succeeds events in the webcrypto-socket protocol are used to let the web application know about the availability of the new cryptographic and certificate provider.

Ironically, despite the complication of the PKCS#11 API, this approach enables the code to maintain a fairly easy to understand structure.

The application also includes a tray application that is used to help with debugging, access a test application and manage which domains can access the service.

How does it work?

At the core of Fortify is a library called 2key-ratchet. This implements a Double Ratchet protocol similar to what is used by Signal. In this protocol each peer has an identity key pair, we use the public keys from each participant to compute a short numeric value since in the protocol the peers prove control of the respective private keys we know that once the keys are authenticated we are talking to the same โ€œidentityโ€.

Since 2key-ratchet uses WebCrypto we leverage the fact that keys generated in a web application are bound to the same origin, we also (when possible) utilize non-exportable keys to mitigate the risks of these approved keys from being stolen.

This gives us an origin bound identity for the web application that the Fortify client uses as the principal in an Access Control List. This means if you visit a new site (a new origin), even if operated by the same organization, you will need to approve their access to use Fortify.

For good measure (and browser compatibility) this exchange is also performed over a TLS session. At installation time a local CA is created, this CA is used to create an SSL certificate for 127.0.0.1. The private key of the CA is then deleted once the SSL certificate is created and the Root CA of the certificate chain is installed as a locally trusted CA. This prevents the CA from being abused to issue certificates for other origins.

The protocol used by Fortify use a /.wellknown/ (not yet registered) location for capability discovery. The core protocol itself is Protobuf based.

We call this protocol webcrypto-socket. You can think of the protocol as a Remote Procedure Call or (RPC) to the local cryptographic and certificate implementations in your operating system.

How can I use it?

Since the client SDK that implements the webcrypto-socket protocol is a superset of WebCrypto, with slight modifications, if you have an web application that uses WebCrypto you can also use locally enrolled certificates and/or smart cards.

We have also created a number of web componentss that make using it easy, for example:

Installing

Binaries

Visit the the official website to find the installer you need.

Building from source

git clone [email protected]:PeculiarVentures/fortify.git
cd fortify
yarn
yarn build
yarn start

More Repositories

1

PKI.js

PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
TypeScript
1,300
star
2

ASN1.js

ASN1js is a pure JavaScript library implementing a full ASN.1 BER decoder and encoder.
TypeScript
267
star
3

webcrypto

A WebCrypto Polyfill for NodeJS
TypeScript
183
star
4

GammaCV

GammaCV is a WebGL accelerated Computer Vision library for browser
JavaScript
175
star
5

graphene

A simple layer for interacting with PKCS #11 / PKCS11 / CryptoKI for Node in TypeScript. (Keywords: Javascript, PKCS#11, Crypto, Smart Card, HSM)
TypeScript
162
star
6

webcrypto-liner

webcrypto-liner is a polyfill that let's down-level User Agents (like IE/Edge) use libraries that depend on WebCrypto. (Keywords: Javascript, WebCrypto, Shim, Polyfill)
TypeScript
149
star
7

js-zxing-pdf417

Javascript port of the PDF417 detector and decoder from http://github.com/zxing/zxing (Keywords: Barcode, PDF 417, Javascript)
JavaScript
142
star
8

xadesjs

A pure Typescript/Javascript implementation of XAdES based on XMLDSIGjs. (Keywords: WebCrypto, XMLDSIG, XADES, eIDAS, Trust List, X.509, CRL, OCSP)
TypeScript
140
star
9

node-webcrypto-ossl

A WebCrypto Polyfill for Node in TypeScript built on OpenSSL.
C++
128
star
10

2key-ratchet

2key-ratchet is an implementation of a Double Ratchet protocol and X3DH in TypeScript utilizing WebCrypto.
TypeScript
109
star
11

pkcs11js

A Node.js implementation of the PKCS#11 2.40 interface
C++
107
star
12

x509

@peculiar/x509 is an easy to use TypeScript/Javascript library based on @peculiar/asn1-schema that makes generating X.509 Certificates and Certificate Requests as well as validating certificate chains easy
TypeScript
81
star
13

pv-certificates-viewer

Web components for viewing lists of certificates and certificates
TypeScript
61
star
14

xmldsigjs

XMLDSIGjs provides an implementation of XMLDSIG in Typescript/Javascript based on WebCrypto
TypeScript
45
star
15

node-webcrypto-p11

A WebCrypto Polyfill for Node in typescript built on PKCS#11.
TypeScript
43
star
16

asn1-schema

asn1-schema is a collection of TypeScript schemas that make working with common ASN.1 objects easy
TypeScript
33
star
17

tl-create

tl-create is a cross-platform command line tool to create a X.509 trust list from various trust stores. (Keywords: CABFORUM, eIDAS, WebPKI)
HTML
33
star
18

pvpkcs11

pvpkcs11 consists of a input validation library and a set of PKCS#11 implementations that wrap operating system and browser cryptographic implementations.
C++
32
star
19

csrhelp

csrhelp.peculiarventures.com - A site that helps users generate SSL certificate requests (Keywords: WebCrypto, PKIjs, PKCS#10, CSR)
JavaScript
27
star
20

webcrypto-core

A input validation layer for WebCrypto polyfills.
TypeScript
27
star
21

tsprotobuf

tsprotobuf is a helper library that contains functions that make working with ProtoBuf easier in Typescript.
TypeScript
21
star
22

xml-core

xml-core is a set of classes that make it easier to work with XML within the browser and node.
TypeScript
19
star
23

CAdES.js

CAdESjs is an implementation of CAdES (CMS Advanced Electronic Signatures)in pure Javascript.
JavaScript
18
star
24

webcrypto-local

webcrypto-local is a cross platform service that provides access to PKCS#11 implementations over a protocol we call webcrypto-socket.
TypeScript
18
star
25

fortify-tools

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the "Tool" application used in the Fortify desktop application.
JavaScript
15
star
26

ByteStream.js

ByteStream.js is a set of classes manipulating bytes and bits with optimized for speed perfomance
TypeScript
13
star
27

acme-ts

Provides client and server implementations of ACME (RFC 8555) in TypeScript. It enables you to build solutions that provide complete and robust certificate lifecycle management.
TypeScript
12
star
28

fortify-examples

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is a set of examples of how to use Fortify in your own applications.
JavaScript
8
star
29

pvutils

pvutils is a set of common utility functions used in various Peculiar Ventures Javascript based projects.
TypeScript
7
star
30

acme-cs

Provides client and server implementations of ACME (RFC 8555) in C-Sharp. It enables you to build solutions that provide complete and robust certificate lifecycle management.
C#
6
star
31

graphene-cli

The graphene-cli is a cross-platform command line tool for working with PKCS#11 devices
TypeScript
5
star
32

webcrypto-docs

5
star
33

pv-webcrypto-tests

A basic test suite for WebCrypto.
JavaScript
5
star
34

PVCertViewer

Example certificate viewer based on PKIjs
JavaScript
5
star
35

webcrypto.dev-examples

Peculiar Ventures' webcrypto.dev is a collection of cryptography and X.509 certificate libraries, making it easier for developers to integrate these technologies into their projects.
TypeScript
4
star
36

json-schema

This package uses ES2015 decorators to simplify JSON schema creation and use
TypeScript
3
star
37

pvtsutils

pvtsutils is a set of common utility functions used in various Peculiar Ventures TypeScript based projects.
TypeScript
3
star
38

validatewallet.com

validatewallet.com website
HTML
2
star
39

Font.js

FontJS (Font.js) is a packages for TrueType font parsing and manipulation
TypeScript
2
star
40

peculiar-react-components

JavaScript
2
star
41

validatewallet

HTML
1
star
42

ExamplePDFs

1
star
43

pkcs11test

Simple CLI application for PKCS#11 testing based on WebCrypto library
TypeScript
1
star
44

peculiar-ui

TypeScript
1
star