summaryrefslogtreecommitdiffstats
path: root/PROTOCOL.u2f (follow)
Commit message (Collapse)AuthorAgeFilesLines
* upstream: when writing an attestation blob for a FIDO key, record alldjm@openbsd.org2020-09-091-80/+18
| | | | | | | | | | the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature. spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@ OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
* upstream: Add RCS IDs to the few files that are missing them; fromdjm@openbsd.org2020-08-311-0/+1
| | | | | | Pedro Martelletto OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3
* upstream: Add support for FIDO webauthn (verification only).djm@openbsd.org2020-06-221-0/+26
| | | | | | | | webauthn is a standard for using FIDO keys in web browsers. webauthn signatures are a slightly different format to plain FIDO signatures - this support allows verification of these. Feedback and ok markus@ OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
* upstream: fix non-ASCII quote that snuck in; spotted by Gabrieldjm@openbsd.org2020-05-271-1/+1
| | | | | | Kihlman OpenBSD-Commit-ID: 04bcde311de2325d9e45730c744c8de079b49800
* upstream: clarify role of FIDO tokens in multi-factordjm@openbsd.org2020-05-271-0/+7
| | | | | | authentictation; mostly from Pedro Martelletto OpenBSD-Commit-ID: fbe05685a1f99c74b1baca7130c5a03c2df7c0ac
* upstream: when signing a challenge using a FIDO toke, perform thedjm@openbsd.org2020-05-011-1/+1
| | | | | | | | hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@ OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
* upstream: Fix some typos and an incorrect word in docs. Patch fromdtucker@openbsd.org2020-02-211-2/+2
| | | | | | itoama at live.jp via github PR#172. OpenBSD-Commit-ID: 166ee8f93a7201fef431b9001725ab8b269d5874
* upstream: changes to support FIDO attestationdjm@openbsd.org2020-01-291-9/+12
| | | | | | | | | | | | | | | Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
* upstream: improve the error message for u2f enrollment errors bydjm@openbsd.org2020-01-261-0/+1
| | | | | | | | | | | | | making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course. also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@ OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
* upstream: Extends the SK API to accept a set of key/value optionsdjm@openbsd.org2020-01-061-7/+40
| | | | | | | | | | | | | | | | | | | | for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
* upstream: document SK API changes in PROTOCOL.u2fdjm@openbsd.org2019-12-301-2/+20
| | | | | | ok markus@ OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
* upstream: basic support for generating FIDO2 resident keysdjm@openbsd.org2019-12-301-0/+2
| | | | | | | | | "ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@ OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
* upstream: SSH U2F keys can now be used as host keys. Fix a gardennaddy@openbsd.org2019-12-211-5/+1
| | | | | | path sentence. ok markus@ OpenBSD-Commit-ID: 67d7971ca1a020acd6c151426c54bd29d784bd6b
* upstream: add a note about the 'extensions' field in the signeddjm@openbsd.org2019-12-131-0/+4
| | | | | | object OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
* upstream: some more corrections for documentation problems spotteddjm@openbsd.org2019-12-111-2/+12
| | | | | | | | | by Ron Frederick document certifiate private key format correct flags type for sk-ssh-ed25519@openssh.com keys OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
* upstream: loading security keys into ssh-agent used the extensiondjm@openbsd.org2019-12-111-1/+1
| | | | | | | constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d
* upstream: chop some unnecessary and confusing verbiage from thedjm@openbsd.org2019-12-111-10/+3
| | | | | | security key protocol description; feedback from Ron Frederick OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
* upstream: tweak wordingdjm@openbsd.org2019-11-281-4/+4
| | | | OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
* upstream: adjust on-wire signature encoding for ecdsa-sk keys todjm@openbsd.org2019-11-191-5/+8
| | | | | | | | | better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne NB. if you are depending on security keys (already?) then make sure you update both your clients and servers. OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
* upstream: document ed25519-sk pubkey, private key and certificatedjm@openbsd.org2019-11-181-5/+40
| | | | | | formats OpenBSD-Commit-ID: 795a7c1c80315412e701bef90e31e376ea2f3c88
* upstream: correct order or ecdsa-sk private key fieldsdjm@openbsd.org2019-11-181-1/+1
| | | | OpenBSD-Commit-ID: 4d4a0c13226a79f0080ce6cbe74f73b03ed8092e
* upstream: correct description of fields in pub/private keys (wasdjm@openbsd.org2019-11-181-0/+3
| | | | | | missing curve name); spotted by Sebastian Kinne OpenBSD-Commit-ID: 2a11340dc7ed16200342d384fb45ecd4fcce26e7
* upstream: remove extra layer for ed25519 signature; ok djm@markus@openbsd.org2019-11-121-0/+8
| | | | OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
* upstream: update sk-api to version 2 for ed25519 support; ok djmmarkus@openbsd.org2019-11-121-3/+7
| | | | OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a
* upstream: fix miscellaneous text problems; ok djm@naddy@openbsd.org2019-11-021-8/+8
| | | | OpenBSD-Commit-ID: 0cbf411a14d8fa0b269b69cbb1b4fc0ca699fe9f
* upstream: Protocol documentation for U2F/FIDO keys in OpenSSHdjm@openbsd.org2019-10-311-0/+224
OpenBSD-Commit-ID: 8f3247317c2909870593aeb306dff848bc427915