#
1.40 |
|
19-Jul-2023 |
djm |
Ensure FIDO/PKCS11 libraries contain expected symbols
This checks via nlist(3) that candidate provider libraries contain one of the symbols that we will require prior to dlopen(), which can cause a number of side effects, including execution of constructors.
Feedback deraadt; ok markus
|
Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE
|
#
1.39 |
|
20-Jul-2022 |
djm |
when enrolling a resident key on a security token, check if a credential with matching application and user ID strings already exists. if so, prompt the user for confirmation before overwriting the credential.
patch from Pedro Martelletto via GHPR329
NB. cranks SSH_SK_VERSION_MAJOR, so any third-party FIDO middleware implementations will need to adjust
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.38 |
|
14-Jan-2022 |
djm |
ssh-sk: free a resident key's user id
From Pedro Martelletto; ok dtucker & me
|
#
1.37 |
|
02-Nov-2021 |
djm |
Better handle FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys.
Query the token during key creation to determine whether it supports on-token UV and, if so, clear the SSH_SK_USER_VERIFICATION_REQD flag in the key so that ssh(1) doesn't automatically prompty for PIN later.
When making signatures with the key, query the token's capabilities again and check whether the token is able (right now) to perform user- verification without a PIN. If it is then the PIN prompt is bypassed and user verification delegated to the token. If not (e.g. the token is biometric capable, but no biometric are enrolled), then fall back to user verification via the usual PIN prompt.
Work by Pedro Martelletto; ok myself and markus@
NB. cranks SSH_SK_VERSION_MAJOR
|
#
1.36 |
|
28-Oct-2021 |
djm |
When downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default).
Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs.
feedback Pedro Martelletto; ok markus
NB. increments SSH_SK_VERSION_MAJOR
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.35 |
|
26-Feb-2021 |
djm |
a bit more debugging behind #ifdef DEBUG_SK
|
#
1.34 |
|
18-Feb-2021 |
djm |
unbreak SK_DEBUG builds
from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate
|
#
1.33 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.39 |
|
20-Jul-2022 |
djm |
when enrolling a resident key on a security token, check if a credential with matching application and user ID strings already exists. if so, prompt the user for confirmation before overwriting the credential.
patch from Pedro Martelletto via GHPR329
NB. cranks SSH_SK_VERSION_MAJOR, so any third-party FIDO middleware implementations will need to adjust
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.38 |
|
14-Jan-2022 |
djm |
ssh-sk: free a resident key's user id
From Pedro Martelletto; ok dtucker & me
|
#
1.37 |
|
02-Nov-2021 |
djm |
Better handle FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys.
Query the token during key creation to determine whether it supports on-token UV and, if so, clear the SSH_SK_USER_VERIFICATION_REQD flag in the key so that ssh(1) doesn't automatically prompty for PIN later.
When making signatures with the key, query the token's capabilities again and check whether the token is able (right now) to perform user- verification without a PIN. If it is then the PIN prompt is bypassed and user verification delegated to the token. If not (e.g. the token is biometric capable, but no biometric are enrolled), then fall back to user verification via the usual PIN prompt.
Work by Pedro Martelletto; ok myself and markus@
NB. cranks SSH_SK_VERSION_MAJOR
|
#
1.36 |
|
28-Oct-2021 |
djm |
When downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default).
Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs.
feedback Pedro Martelletto; ok markus
NB. increments SSH_SK_VERSION_MAJOR
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.35 |
|
26-Feb-2021 |
djm |
a bit more debugging behind #ifdef DEBUG_SK
|
#
1.34 |
|
18-Feb-2021 |
djm |
unbreak SK_DEBUG builds
from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate
|
#
1.33 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.38 |
|
14-Jan-2022 |
djm |
ssh-sk: free a resident key's user id
From Pedro Martelletto; ok dtucker & me
|
#
1.37 |
|
02-Nov-2021 |
djm |
Better handle FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys.
Query the token during key creation to determine whether it supports on-token UV and, if so, clear the SSH_SK_USER_VERIFICATION_REQD flag in the key so that ssh(1) doesn't automatically prompty for PIN later.
When making signatures with the key, query the token's capabilities again and check whether the token is able (right now) to perform user- verification without a PIN. If it is then the PIN prompt is bypassed and user verification delegated to the token. If not (e.g. the token is biometric capable, but no biometric are enrolled), then fall back to user verification via the usual PIN prompt.
Work by Pedro Martelletto; ok myself and markus@
NB. cranks SSH_SK_VERSION_MAJOR
|
#
1.36 |
|
28-Oct-2021 |
djm |
When downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default).
Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs.
feedback Pedro Martelletto; ok markus
NB. increments SSH_SK_VERSION_MAJOR
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.35 |
|
26-Feb-2021 |
djm |
a bit more debugging behind #ifdef DEBUG_SK
|
#
1.34 |
|
18-Feb-2021 |
djm |
unbreak SK_DEBUG builds
from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate
|
#
1.33 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.37 |
|
02-Nov-2021 |
djm |
Better handle FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys.
Query the token during key creation to determine whether it supports on-token UV and, if so, clear the SSH_SK_USER_VERIFICATION_REQD flag in the key so that ssh(1) doesn't automatically prompty for PIN later.
When making signatures with the key, query the token's capabilities again and check whether the token is able (right now) to perform user- verification without a PIN. If it is then the PIN prompt is bypassed and user verification delegated to the token. If not (e.g. the token is biometric capable, but no biometric are enrolled), then fall back to user verification via the usual PIN prompt.
Work by Pedro Martelletto; ok myself and markus@
NB. cranks SSH_SK_VERSION_MAJOR
|
#
1.36 |
|
28-Oct-2021 |
djm |
When downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default).
Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs.
feedback Pedro Martelletto; ok markus
NB. increments SSH_SK_VERSION_MAJOR
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.35 |
|
26-Feb-2021 |
djm |
a bit more debugging behind #ifdef DEBUG_SK
|
#
1.34 |
|
18-Feb-2021 |
djm |
unbreak SK_DEBUG builds
from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate
|
#
1.33 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.36 |
|
28-Oct-2021 |
djm |
When downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default).
Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs.
feedback Pedro Martelletto; ok markus
NB. increments SSH_SK_VERSION_MAJOR
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.35 |
|
26-Feb-2021 |
djm |
a bit more debugging behind #ifdef DEBUG_SK
|
#
1.34 |
|
18-Feb-2021 |
djm |
unbreak SK_DEBUG builds
from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate
|
#
1.33 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.35 |
|
26-Feb-2021 |
djm |
a bit more debugging behind #ifdef DEBUG_SK
|
#
1.34 |
|
18-Feb-2021 |
djm |
unbreak SK_DEBUG builds
from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate
|
#
1.33 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.34 |
|
18-Feb-2021 |
djm |
unbreak SK_DEBUG builds
from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate
|
#
1.33 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.33 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.32 |
|
09-Sep-2020 |
djm |
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.31 |
|
27-Aug-2020 |
djm |
preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API.
from Pedro Martelletto; ok markus@ and myself
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.30 |
|
28-Apr-2020 |
djm |
when signing a challenge using a FIDO toke, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.29 |
|
06-Mar-2020 |
markus |
return correct error in sshsk_ed25519_sig; ok djm
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.28 |
|
28-Feb-2020 |
djm |
better error message when trying to use a FIDO key function and SecurityKeyProvider is empty
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.27 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.26 |
|
28-Jan-2020 |
djm |
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.25 |
|
25-Jan-2020 |
djm |
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.24 |
|
06-Jan-2020 |
djm |
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.23 |
|
30-Dec-2019 |
djm |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
feedback and ok markus@
|
#
1.22 |
|
30-Dec-2019 |
djm |
improve some error messages; ok markus@
|
#
1.21 |
|
30-Dec-2019 |
djm |
SK API and sk-helper error/PIN passing
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
feedback and ok markus@
|
#
1.20 |
|
30-Dec-2019 |
djm |
resident keys support in SK API
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
|
#
1.19 |
|
30-Dec-2019 |
djm |
Factor out parsing of struct sk_enroll_response
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.18 |
|
13-Dec-2019 |
djm |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.17 |
|
27-Nov-2019 |
djm |
remove stray semicolon after closing brace of function; from Michael Forney
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.16 |
|
19-Nov-2019 |
djm |
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.15 |
|
18-Nov-2019 |
naddy |
add the missing WITH_OPENSSL ifdefs after the ED25519-SK addition; ok djm@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.14 |
|
16-Nov-2019 |
djm |
tweak debug message
|
#
1.13 |
|
16-Nov-2019 |
djm |
a little debug() in the security key interface
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.12 |
|
14-Nov-2019 |
djm |
directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.11 |
|
13-Nov-2019 |
markus |
fix check for sig_s; noted by qsa at qualys.com
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|
#
1.10 |
|
12-Nov-2019 |
djm |
allow an empty attestation certificate returned by a security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware.
ok markus@
|
#
1.9 |
|
12-Nov-2019 |
markus |
remove extra layer for ed25519 signature; ok djm@
|
#
1.8 |
|
12-Nov-2019 |
markus |
check sig_r and sig_s for ssh-sk keys; ok djm
|
#
1.7 |
|
12-Nov-2019 |
markus |
update sk-api to version 2 for ed25519 support; ok djm
|
#
1.6 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_assemble(); ok djm
|
#
1.5 |
|
12-Nov-2019 |
markus |
implement sshsk_ed25519_inner_sig(); ok djm
|
#
1.4 |
|
12-Nov-2019 |
markus |
rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
|
#
1.3 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_inner_sig(); ok djm@
|
#
1.2 |
|
12-Nov-2019 |
markus |
factor out sshsk_ecdsa_assemble(); ok djm@
|
#
1.1 |
|
31-Oct-2019 |
djm |
U2F/FIDO middleware interface
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
|