« All posts

Implementing FIDO's passkey-export format: cxf-kit and 5 spec bugs found

cxf-kit is the first TypeScript implementation of FIDO's CXF passkey-export standard, exposing five spec bugs found during development.

The FIDO Alliance's Credential Exchange Format (CXF) — the first standard for moving passkeys, passwords, and TOTP secrets between credential managers — now has its first TypeScript implementation, cxf-kit. It includes data models, a parser, serializer, conformance validator, and CLI, built directly against the spec's CDDL grammar and interop-tested against Bitwarden's Rust implementation.

Implementing the spec line-by-line surfaced five distinct issues: the spec's own Appendix A example contradicts its CDDL grammar and violates its own ISO 3166-2 and WiFi-enum formatting rules; a CDDL typo turns a string enum into a map type; a grammar contradiction defines an array as simultaneously required-non-empty and defaulted-to-empty; and the spec never defines how file credential bytes should be packaged in an export, forcing every implementer to invent their own convention. All five are documented with evidence in the repo and will be reported upstream.

The implementation emphasizes security-conscious defaults: a lossless round-trip guarantee even for nonconforming inputs, hardened archive reading against decompression bombs and path traversal, and a CLI inspect command whose secret-leakage is actively tested for on every CI run. For engineers building or maintaining credential managers, this is a useful independent reference on CXF's real-world rough edges.