version 1.20, 2019/12/30 09:21:16 |
version 1.21, 2019/12/30 09:23:28 |
|
|
/* Enroll a U2F key (private key generation) */ |
/* Enroll a U2F key (private key generation) */ |
int (*sk_enroll)(int alg, const uint8_t *challenge, |
int (*sk_enroll)(int alg, const uint8_t *challenge, |
size_t challenge_len, const char *application, uint8_t flags, |
size_t challenge_len, const char *application, uint8_t flags, |
struct sk_enroll_response **enroll_response); |
const char *pin, struct sk_enroll_response **enroll_response); |
|
|
/* Sign a challenge */ |
/* Sign a challenge */ |
int (*sk_sign)(int alg, const uint8_t *message, size_t message_len, |
int (*sk_sign)(int alg, const uint8_t *message, size_t message_len, |
const char *application, |
const char *application, |
const uint8_t *key_handle, size_t key_handle_len, |
const uint8_t *key_handle, size_t key_handle_len, |
uint8_t flags, struct sk_sign_response **sign_response); |
uint8_t flags, const char *pin, |
|
struct sk_sign_response **sign_response); |
|
|
/* Enumerate resident keys */ |
/* Enumerate resident keys */ |
int (*sk_load_resident_keys)(const char *pin, |
int (*sk_load_resident_keys)(const char *pin, |
|
|
/* Built-in version */ |
/* Built-in version */ |
int ssh_sk_enroll(int alg, const uint8_t *challenge, |
int ssh_sk_enroll(int alg, const uint8_t *challenge, |
size_t challenge_len, const char *application, uint8_t flags, |
size_t challenge_len, const char *application, uint8_t flags, |
struct sk_enroll_response **enroll_response); |
const char *pin, struct sk_enroll_response **enroll_response); |
int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len, |
int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len, |
const char *application, |
const char *application, |
const uint8_t *key_handle, size_t key_handle_len, |
const uint8_t *key_handle, size_t key_handle_len, |
uint8_t flags, struct sk_sign_response **sign_response); |
uint8_t flags, const char *pin, struct sk_sign_response **sign_response); |
int ssh_sk_load_resident_keys(const char *pin, |
int ssh_sk_load_resident_keys(const char *pin, |
struct sk_resident_key ***rks, size_t *nrks); |
struct sk_resident_key ***rks, size_t *nrks); |
|
|
|
|
|
|
int |
int |
sshsk_enroll(int type, const char *provider_path, const char *application, |
sshsk_enroll(int type, const char *provider_path, const char *application, |
uint8_t flags, struct sshbuf *challenge_buf, struct sshkey **keyp, |
uint8_t flags, const char *pin, struct sshbuf *challenge_buf, |
struct sshbuf *attest) |
struct sshkey **keyp, struct sshbuf *attest) |
{ |
{ |
struct sshsk_provider *skp = NULL; |
struct sshsk_provider *skp = NULL; |
struct sshkey *key = NULL; |
struct sshkey *key = NULL; |
|
|
int alg; |
int alg; |
|
|
debug("%s: provider \"%s\", application \"%s\", flags 0x%02x, " |
debug("%s: provider \"%s\", application \"%s\", flags 0x%02x, " |
"challenge len %zu", __func__, provider_path, application, |
"challenge len %zu%s", __func__, provider_path, application, |
flags, challenge_buf == NULL ? 0 : sshbuf_len(challenge_buf)); |
flags, challenge_buf == NULL ? 0 : sshbuf_len(challenge_buf), |
|
(pin != NULL && *pin != '\0') ? " with-pin" : ""); |
|
|
*keyp = NULL; |
*keyp = NULL; |
if (attest) |
if (attest) |
|
|
/* XXX validate flags? */ |
/* XXX validate flags? */ |
/* enroll key */ |
/* enroll key */ |
if ((r = skp->sk_enroll(alg, challenge, challenge_len, application, |
if ((r = skp->sk_enroll(alg, challenge, challenge_len, application, |
flags, &resp)) != 0) { |
flags, pin, &resp)) != 0) { |
error("Security key provider %s returned failure %d", |
error("Security key provider %s returned failure %d", |
provider_path, r); |
provider_path, r); |
r = SSH_ERR_INVALID_FORMAT; /* XXX error codes in API? */ |
r = SSH_ERR_INVALID_FORMAT; /* XXX error codes in API? */ |
|
|
int |
int |
sshsk_sign(const char *provider_path, struct sshkey *key, |
sshsk_sign(const char *provider_path, struct sshkey *key, |
u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, |
u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, |
u_int compat) |
u_int compat, const char *pin) |
{ |
{ |
struct sshsk_provider *skp = NULL; |
struct sshsk_provider *skp = NULL; |
int r = SSH_ERR_INTERNAL_ERROR; |
int r = SSH_ERR_INTERNAL_ERROR; |
|
|
struct sshbuf *inner_sig = NULL, *sig = NULL; |
struct sshbuf *inner_sig = NULL, *sig = NULL; |
uint8_t message[32]; |
uint8_t message[32]; |
|
|
debug("%s: provider \"%s\", key %s, flags 0x%02x", __func__, |
debug("%s: provider \"%s\", key %s, flags 0x%02x%s", __func__, |
provider_path, sshkey_type(key), key->sk_flags); |
provider_path, sshkey_type(key), key->sk_flags, |
|
(pin != NULL && *pin != '\0') ? " with-pin" : ""); |
|
|
if (sigp != NULL) |
if (sigp != NULL) |
*sigp = NULL; |
*sigp = NULL; |
|
|
if ((r = skp->sk_sign(alg, message, sizeof(message), |
if ((r = skp->sk_sign(alg, message, sizeof(message), |
key->sk_application, |
key->sk_application, |
sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle), |
sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle), |
key->sk_flags, &resp)) != 0) { |
key->sk_flags, pin, &resp)) != 0) { |
debug("%s: sk_sign failed with code %d", __func__, r); |
debug("%s: sk_sign failed with code %d", __func__, r); |
goto out; |
goto out; |
} |
} |