Conformance test server

Author: uzyn

.gitignore

@@ -5,3 +5,5 @@ zig-out/
 CLAUDE.md
 copilot-instructions.md
 codex.md
+**/.claude
+

conformance/Conformance-Test-API.md

@@ -0,0 +1,75 @@
+# FIDO2 Conformance Test Server
+
+This is a minimal implementation of a FIDO2 conformance test server that implements the required API for FIDO2 conformance testing. It uses the Passcay library for server-side WebAuthn operations.
+
+It implements [FIDO2: Conformance testing server API](https://github.com/fido-alliance/conformance-test-tools-resources/blob/main/docs/FIDO2/Server/Conformance-Test-API.md)
+
+## Overview
+
+This project implements a complete HTTP server using Karl Seguin's http.zig library to create a FIDO2 conformance test server. It demonstrates how to use the Passcay library for FIDO2 operations and provides a working HTTP API that conforms to the FIDO2 conformance testing requirements.
+
+The implementation supports both ES256 (ECDSA with P-256) and RS256 (RSA-PKCS1-v1_5 with SHA-256) signature algorithms for WebAuthn operations.
+
+## Features
+
+- Complete HTTP server implementation with all required FIDO2 endpoints
+- In-memory storage for user credentials and challenges
+- Support for both ES256 and RS256 verification
+- Built-in verification tests for both algorithms
+- Comprehensive error handling and JSON responses
+- Challenge generation and verification
+- Base64URL encoding utilities
+
+## HTTP API Endpoints
+
+The server implements the following endpoints required by the FIDO2 conformance test suite:
+
+### Registration (Attestation)
+
+- `POST /attestation/options` - Get options for WebAuthn credential creation
+- `POST /attestation/result` - Register a new credential with attestation
+
+### Authentication (Assertion)
+
+- `POST /assertion/options` - Get options for WebAuthn credential verification
+- `POST /assertion/result` - Verify an existing credential
+
+## Building and Running
+
+To build and run the server:
+
+```bash
+# Navigate to the conformance directory
+cd conformance
+
+# Build the server
+zig build
+
+# Run the server
+zig build run
+```
+
+The server will:
+1. Run verification tests for ES256 and RS256 to ensure the Passcay library is working correctly
+2. Start an HTTP server on port 8080 (configurable in main.zig)
+3. Accept requests on all the required FIDO2 endpoints
+
+## Test Data
+
+The implementation includes test data for both ES256 and RS256:
+
+## Usage with Conformance Tools
+
+The FIDO2 conformance test tool can be configured to use the following URLs:
+
+- Registration:
+  - Options URL: `http://localhost:8080/attestation/options`
+  - Result URL: `http://localhost:8080/attestation/result`
+
+- Authentication:
+  - Options URL: `http://localhost:8080/assertion/options`
+  - Result URL: `http://localhost:8080/assertion/result`
+
+## Security Considerations
+
+This implementation is intended for testing purposes only.

conformance/README.md

@@ -0,0 +1,129 @@
+const std = @import("std");
+
+// Although this function looks imperative, note that its job is to
+// declaratively construct a build graph that will be executed by an external
+// runner.
+pub fn build(b: *std.Build) void {
+    // Standard target options allows the person running `zig build` to choose
+    // what target to build for. Here we do not override the defaults, which
+    // means any target is allowed, and the default is native. Other options
+    // for restricting supported target set are available.
+    const target = b.standardTargetOptions(.{});
+
+    // Standard optimization options allow the person running `zig build` to select
+    // between Debug, ReleaseSafe, ReleaseFast, and ReleaseSmall. Here we do not
+    // set a preferred release mode, allowing the user to decide how to optimize.
+    const optimize = b.standardOptimizeOption(.{});
+
+    // Get the dependencies
+    const passcay = b.dependency("passcay", .{
+        .target = target,
+        .optimize = optimize,
+    });
+    
+    const httpz = b.dependency("httpz", .{
+        .target = target,
+        .optimize = optimize,
+    });
+
+    // This creates a "module", which represents a collection of source files alongside
+    // some compilation options, such as optimization mode and linked system libraries.
+    // Every executable or library we compile will be based on one or more modules.
+    const lib_mod = b.createModule(.{
+        // `root_source_file` is the Zig "entry point" of the module. If a module
+        // only contains e.g. external object files, you can make this `null`.
+        // In this case the main source file is merely a path, however, in more
+        // complicated build scripts, this could be a generated file.
+        .root_source_file = b.path("src/root.zig"),
+        .target = target,
+        .optimize = optimize,
+    });
+
+    // We will also create a module for our other entry point, 'main.zig'.
+    const exe_mod = b.createModule(.{
+        // `root_source_file` is the Zig "entry point" of the module. If a module
+        // only contains e.g. external object files, you can make this `null`.
+        // In this case the main source file is merely a path, however, in more
+        // complicated build scripts, this could be a generated file.
+        .root_source_file = b.path("src/main.zig"),
+        .target = target,
+        .optimize = optimize,
+    });
+
+    // Add dependencies to our exe module
+    exe_mod.addImport("conformance_lib", lib_mod);
+    exe_mod.addImport("passcay", passcay.module("passcay"));
+    exe_mod.addImport("httpz", httpz.module("httpz"));
+
+    // Now, we will create a static library based on the module we created above.
+    // This creates a `std.Build.Step.Compile`, which is the build step responsible
+    // for actually invoking the compiler.
+    const lib = b.addLibrary(.{
+        .linkage = .static,
+        .name = "conformance",
+        .root_module = lib_mod,
+    });
+
+    // This declares intent for the library to be installed into the standard
+    // location when the user invokes the "install" step (the default step when
+    // running `zig build`).
+    b.installArtifact(lib);
+
+    // This creates another `std.Build.Step.Compile`, but this one builds an executable
+    // rather than a static library.
+    const exe = b.addExecutable(.{
+        .name = "conformance-server",
+        .root_module = exe_mod,
+    });
+
+    // No external libraries needed
+
+    // This declares intent for the executable to be installed into the
+    // standard location when the user invokes the "install" step (the default
+    // step when running `zig build`).
+    b.installArtifact(exe);
+
+    // This *creates* a Run step in the build graph, to be executed when another
+    // step is evaluated that depends on it. The next line below will establish
+    // such a dependency.
+    const run_cmd = b.addRunArtifact(exe);
+
+    // By making the run step depend on the install step, it will be run from the
+    // installation directory rather than directly from within the cache directory.
+    // This is not necessary, however, if the application depends on other installed
+    // files, this ensures they will be present and in the expected location.
+    run_cmd.step.dependOn(b.getInstallStep());
+
+    // This allows the user to pass arguments to the application in the build
+    // command itself, like this: `zig build run -- arg1 arg2 etc`
+    if (b.args) |args| {
+        run_cmd.addArgs(args);
+    }
+
+    // This creates a build step. It will be visible in the `zig build --help` menu,
+    // and can be selected like this: `zig build run`
+    // This will evaluate the `run` step rather than the default, which is "install".
+    const run_step = b.step("run", "Run the app");
+    run_step.dependOn(&run_cmd.step);
+
+    // Creates a step for unit testing. This only builds the test executable
+    // but does not run it.
+    const lib_unit_tests = b.addTest(.{
+        .root_module = lib_mod,
+    });
+
+    const run_lib_unit_tests = b.addRunArtifact(lib_unit_tests);
+
+    const exe_unit_tests = b.addTest(.{
+        .root_module = exe_mod,
+    });
+
+    const run_exe_unit_tests = b.addRunArtifact(exe_unit_tests);
+
+    // Similar to creating the run step earlier, this exposes a `test` step to
+    // the `zig build --help` menu, providing a way for the user to request
+    // running the unit tests.
+    const test_step = b.step("test", "Run unit tests");
+    test_step.dependOn(&run_lib_unit_tests.step);
+    test_step.dependOn(&run_exe_unit_tests.step);
+}

conformance/build.zig

@@ -0,0 +1,66 @@
+.{
+    // This is the default name used by packages depending on this one. For
+    // example, when a user runs `zig fetch --save <url>`, this field is used
+    // as the key in the `dependencies` table. Although the user can choose a
+    // different name, most users will stick with this provided value.
+    //
+    // It is redundant to include "zig" in this name because it is already
+    // within the Zig package namespace.
+    .name = .conformance,
+
+    // This is a [Semantic Version](https://semver.org/).
+    // In a future version of Zig it will be used for package deduplication.
+    .version = "0.0.0",
+
+    // Together with name, this represents a globally unique package
+    // identifier. This field is generated by the Zig toolchain when the
+    // package is first created, and then *never changes*. This allows
+    // unambiguous detection of one package being an updated version of
+    // another.
+    //
+    // When forking a Zig project, this id should be regenerated (delete the
+    // field and run `zig build`) if the upstream project is still maintained.
+    // Otherwise, the fork is *hostile*, attempting to take control over the
+    // original project's identity. Thus it is recommended to leave the comment
+    // on the following line intact, so that it shows up in code reviews that
+    // modify the field.
+    .fingerprint = 0xe81515e7170e9611, // Changing this has security and trust implications.
+
+    // Tracks the earliest Zig version that the package considers to be a
+    // supported use case.
+    .minimum_zig_version = "0.14.0",
+
+    // This field is optional.
+    // Each dependency must either provide a `url` and `hash`, or a `path`.
+    // `zig build --fetch` can be used to fetch all dependencies of a package, recursively.
+    // Once all dependencies are fetched, `zig build` no longer requires
+    // internet connectivity.
+    .dependencies = .{
+        // Using passcay from parent directory
+        .passcay = .{
+            .path = "..",
+        },
+        // HTTP server library
+        .httpz = .{
+            .url = "https://github.com/karlseguin/http.zig/archive/37d7cb9819b804ade5f4b974b82f8dd0622225ed.tar.gz",
+            .hash = "1220691d0180da6d113ea3c61239d37435c7a1d070ce3603ae6a6c853c3888cdf769",
+        },
+    },
+
+    // Specifies the set of files and directories that are included in this package.
+    // Only files and directories listed here are included in the `hash` that
+    // is computed for this package. Only files listed here will remain on disk
+    // when using the zig package manager. As a rule of thumb, one should list
+    // files required for compilation plus any license(s).
+    // Paths are relative to the build root. Use the empty string (`""`) to refer to
+    // the build root itself.
+    // A directory listed here means that all files within, recursively, are included.
+    .paths = .{
+        "build.zig",
+        "build.zig.zon",
+        "src",
+        // For example...
+        //"LICENSE",
+        //"README.md",
+    },
+}