version 1.2, 2019/11/01 12:10:43 |
version 1.3, 2019/11/12 19:32:30 |
|
|
For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1 |
For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1 |
format data in the pre-authentication attack surface. Therefore, the |
format data in the pre-authentication attack surface. Therefore, the |
signature format used on the wire in SSH2_USERAUTH_REQUEST packets will |
signature format used on the wire in SSH2_USERAUTH_REQUEST packets will |
be reformatted slightly: |
be reformatted slightly and the ecdsa_signature_blob value has the encoding: |
|
|
mpint r |
mpint r |
mpint s |
mpint s |
|
|
/* Flags */ |
/* Flags */ |
#define SSH_SK_USER_PRESENCE_REQD 0x01 |
#define SSH_SK_USER_PRESENCE_REQD 0x01 |
|
|
|
/* Algs */ |
|
#define SSH_SK_ECDSA 0x00 |
|
#define SSH_SK_ED25519 0x01 |
|
|
struct sk_enroll_response { |
struct sk_enroll_response { |
uint8_t *public_key; |
uint8_t *public_key; |
size_t public_key_len; |
size_t public_key_len; |
|
|
uint32_t sk_api_version(void); |
uint32_t sk_api_version(void); |
|
|
/* Enroll a U2F key (private key generation) */ |
/* Enroll a U2F key (private key generation) */ |
int sk_enroll(const uint8_t *challenge, size_t challenge_len, |
int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, |
const char *application, uint8_t flags, |
const char *application, uint8_t flags, |
struct sk_enroll_response **enroll_response); |
struct sk_enroll_response **enroll_response); |
|
|
/* Sign a challenge */ |
/* Sign a challenge */ |
int sk_sign(const uint8_t *message, size_t message_len, |
int sk_sign(int alg, const uint8_t *message, size_t message_len, |
const char *application, |
const char *application, |
const uint8_t *key_handle, size_t key_handle_len, |
const uint8_t *key_handle, size_t key_handle_len, |
uint8_t flags, struct sk_sign_response **sign_response); |
uint8_t flags, struct sk_sign_response **sign_response); |
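Review bot: The new leading `int alg` argument on `sk_enroll()` and `sk_sign()` changes the calling convention of both entry points, but nothing visible in this section changes what middleware reports through `sk_api_version()`. A provider built against the 1.2 prototypes would be called with shifted arguments, so the text next to the prototypes should state that the API version is bumped and that a mismatching provider is refused (if the version constant is bumped elsewhere in the file, a cross-reference here is enough). The section also does not say what a provider does with an `alg` value other than `SSH_SK_ECDSA` or `SSH_SK_ED25519`; I would add a sentence such as `Middleware must return an error for any alg value it does not implement and must not fall back to another algorithm.` The reworded paragraph now names only `ecdsa_signature_blob`, so the wire encoding for Ed25519 signatures is not described in the lines shown here.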