FIDO ALIRO

Here’s a minimal JavaScript snippet you can drop into a test page (or try live at webauthn.io) to register a credential – exactly what your company’s web apps would call:

```javascript
// Minimal WebAuthn registration call (runs in the browser).
// The challenge is what stops replay: in production the server generates it and
// must compare it against clientDataJSON on the way back. For a throwaway test
// page, a locally generated random value stands in for the server's.
const challenge = crypto.getRandomValues(new Uint8Array(32)); // random server challenge
// user.id is an opaque, stable per-user handle (not the email); random here for the test page.
const userId = crypto.getRandomValues(new Uint8Array(16));

navigator.credentials.create({
  publicKey: {
    challenge,
    rp: { name: "MyCorp", id: "mycorp.com" },
    user: { id: userId, name: "user@example.com", displayName: "Jane Doe" },
    pubKeyCredParams: [{ alg: -7, type: "public-key" }], // ES256
    authenticatorSelection: { userVerification: "preferred" },
    attestation: "direct"
  }
}).then(cred => {
  console.log("Public key registered:", cred.id); // base64url credential ID
  // send cred.response.attestationObject + cred.response.clientDataJSON to your backend
}).catch(err => console.error(err));
```

On the backend you would verify the attestation certificate chain and store the public key – classic PKI flow you already know.
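As an added example (not code from the original post), here are the registration checks a backend performs before it trusts the new key: the clientDataJSON type, challenge and origin, then the authData header (rpIdHash, flags, counter, credential ID). It assumes the origin `https://mycorp.com` for the page's `rp.id`, and that decoding the CBOR attestationObject into `auth_data` and verifying the attestation certificate chain are handled by a library around this function; the sample registration is constructed, not real authenticator output.

```python
import base64, hashlib, json

RP_ID = "mycorp.com"            # must equal rp.id passed to navigator.credentials.create
ORIGIN = "https://mycorp.com"   # assumed origin of the page that made the call

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_registration(client_data_json, auth_data, expected_challenge):
    """Validate clientDataJSON and the authData header; return the parsed credential.
    CBOR decoding of attestationObject and attestation chain checks happen outside."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.create":
        raise ValueError("type is not webauthn.create")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge does not match the one this server issued")
    if cd.get("origin") != ORIGIN:
        raise ValueError("origin mismatch: " + str(cd.get("origin")))
    if len(auth_data) < 55:                        # rpIdHash+flags+counter+aaguid+credIdLen
        raise ValueError("authData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash is not SHA-256 of our RP ID")
    if not flags & 0x01:                           # UP: user presence
        raise ValueError("user presence flag not set")
    if not flags & 0x40:                           # AT: attested credential data present
        raise ValueError("no attested credential data")
    cred_len = int.from_bytes(auth_data[53:55], "big")
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")
    return {"sign_count": int.from_bytes(auth_data[33:37], "big"),
            "user_verified": bool(flags & 0x04), "aaguid": auth_data[37:53].hex(),
            "credential_id": cred_id, "cose_public_key": auth_data[55 + cred_len:]}

def registration_error(*args):
    try:                                           # rejection reason, or None if accepted
        verify_registration(*args)
    except ValueError as e:
        return str(e)

def sample_registration(challenge, origin=ORIGIN, rp_id=RP_ID):
    # Constructed sample of what the browser returns; the COSE key is a placeholder byte.
    client_data = json.dumps({"type": "webauthn.create", "origin": origin,
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}).encode()
    cred_id = bytes(range(16))
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([0x41])   # UP | AT
                 + (0).to_bytes(4, "big") + bytes(16)                       # signCount, AAGUID
                 + len(cred_id).to_bytes(2, "big") + cred_id + b"\xa5")
    return client_data, auth_data
```

The counter returned here is stored with the key so later assertions can be checked for a strictly increasing value, which is how a cloned authenticator shows up.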

For Aliro, the practical view is lower-level because it’s an NFC/BLE protocol (APDUs), but the research repo at github.com/kormax/aliro shows the exact commands you would see when implementing a reader or wallet integration. The most certificate-focused one is LOAD CERTIFICATE:

```text
CLA=80 INS=D1 P1=00 P2=00 Data = <compressed ASN.1 certificate>
```

The certificate itself is a compressed TLV structure you decompress to standard X.509 DER fields: profile marker, serial, issuer, validity dates, subject, public key (EC point), and signature. You validate it against your stored reader-group root key exactly the way you validate any enterprise cert today. After that comes AUTH1 for mutual signing, then EXCHANGE over the secure channel. Compare this to FIDO2: both use ECDSA signatures and certificate chains, but Aliro adds the offline “mailbox” and precise UWB ranging for physical security.

You can play with FIDO2 today on your own laptop in under two minutes. For Aliro, watch for the first production smart-lock firmware updates from Nordic/Qorvo or Kastle Systems – their reference designs are already shipping with the protocol. Next time we can zoom into provisioning flows or revocation lists and connect them to the exact certificate fields.
