Add Nix flake for mciasctl and mciasgrpcctl

Vendor dependencies and expose control program binaries via nix build. Uses nixpkgs-unstable for Go 1.26 support. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 21:01:21 -07:00
parent 35e96444aa
commit 115f23a3ea
2485 changed files with 6802335 additions and 0 deletions
--- a/vendor/github.com/go-webauthn/webauthn/webauthn/authenticator.go
+++ b/vendor/github.com/go-webauthn/webauthn/webauthn/authenticator.go
@@ -0,0 +1,60 @@
+package webauthn
+
+import (
+	"github.com/go-webauthn/webauthn/protocol"
+)
+
+// Authenticator represents a specific authenticator in the context of a [Credential].
+type Authenticator struct {
+	// The AAGUID of the authenticator. An AAGUID is defined as an array containing the globally unique
+	// identifier of the authenticator model being sought.
+	AAGUID []byte `json:"AAGUID"`
+
+	// SignCount is a representation of the number of times the Authenticator or Credential have been used to login.
+	// Upon a new login operation, the Relying Party compares the stored signature counter value with the new SignCount
+	// value returned in the assertion’s authenticator data. If this new SignCount value is less than or equal to the
+	// stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.
+	SignCount uint32 `json:"signCount"`
+
+	// CloneWarning is a signal that the authenticator may be cloned, i.e. at least two copies of the
+	// credential private key may exist and are being used in parallel. Relying Parties should incorporate
+	// this information into their risk scoring. Whether the Relying Party updates the stored signature
+	// counter value in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific.
+	CloneWarning bool `json:"cloneWarning"`
+
+	// Attachment is the authenticatorAttachment value returned by the request.
+	Attachment protocol.AuthenticatorAttachment `json:"attachment"`
+}
+
+// SelectAuthenticator allow for easy marshaling of authenticator options that are provided to the user.
+func SelectAuthenticator(att string, rrk *bool, uv string) protocol.AuthenticatorSelection {
+	return protocol.AuthenticatorSelection{
+		AuthenticatorAttachment: protocol.AuthenticatorAttachment(att),
+		RequireResidentKey:      rrk,
+		UserVerification:        protocol.UserVerificationRequirement(uv),
+	}
+}
+
+// UpdateCounter updates the authenticator and either sets the clone warning value or the sign count.
+//
+// Step 17 of §7.2. about verifying attestation. If the signature counter value authData.signCount
+// is nonzero or the value stored in conjunction with credential’s id attribute is nonzero, then
+// run the following sub-step:
+//
+//	If the signature counter value authData.signCount is
+//
+//	→ Greater than the signature counter value stored in conjunction with credential’s id attribute.
+//	Update the stored signature counter value, associated with credential’s id attribute, to be the value of
+//	authData.signCount.
+//
+//	→ Less than or equal to the signature counter value stored in conjunction with credential’s id attribute.
+//	This is a signal that the authenticator may be cloned, see CloneWarning above for more information.
+func (a *Authenticator) UpdateCounter(authDataCount uint32) {
+	if authDataCount <= a.SignCount && (authDataCount != 0 || a.SignCount != 0) {
+		a.CloneWarning = true
+
+		return
+	}
+
+	a.SignCount = authDataCount
+}