With this small application it is possible to use any FIDO2 authenticator, which supports the HMAC-Secret extension, to generate as many symmetric cryptographic keys as you want.
The output depends on the used credential (created once) and an input string.
The secret will be derived from the input by the authenticator
(so the same input + credential will always result in the same key).
# clone and ce into the repo
python -m venv venv
source ./venv/bin/activate
pip install -r requirements.txtPreparation to use the script from any location:
KEYGEN_DIR="<path to repo>"
source $KEYGEN_DIR/venv/bin/activateFirstly, a credential has to be created:
CREDENTIAL=$(python "$KEYGEN_DIR/fidokeygenerator.py" --init "[email protected]")
echo $CREDENTIALNow you can derive keys from any input:
echo 'some input to digest' | python3 "$KEYGEN_DIR/fidokeygenerator.py" "$CREDENTIAL"
To see all options run
python3 fidokeygenerator.py --help
In this mode the application will create a Unix-socket and listens for connections,
which provide the input to digest.
By using --cache the generated secrets will be cached so you don't have to interact with your authenticator after the initial request
(except when a unencountered input is sent).
python3 "$KEYGEN_DIR/fidokeygenerator.py" --server "<path for the .sock file>" --cache "$CREDENTIAL"Some examples are shown in my Blog: Extra factor for Monero Wallet, Key for Bormatic.
Most of the code was taken from python-fido2 hmac_secret example.
MIT