author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 09:25:29 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2019-12-30 21:01:52 +1100 |
commit | ef65e7dbaa8fac3245aa2bfc9f7e09be7cba0d9d (patch) | |
tree | 58ea05cd4cc84af5dc36654eb371eefb4bd95999 | |
parent | 43ce96427b76c4918e39af654e2fc9ee18d5d478 (diff) |
upstream: document SK API changes in PROTOCOL.u2f
ok markus@
OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
-rw-r--r-- | PROTOCOL.u2f | 22 |
1 files changed, 20 insertions, 2 deletions
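--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -233,6 +233,9 @@ support for the common case of USB HID security keys internally.
 
 The middleware library need only expose a handful of functions:
 
+#define SSH_SK_VERSION_MAJOR 0x00030000 /* API version */
+#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
+
 /* Flags */
 #define SSH_SK_USER_PRESENCE_REQD 0x01
 #define SSH_SK_USER_VERIFICATION_REQD 0x04
@@ -262,19 +265,34 @@ The middleware library need only expose a handful of functions:
 size_t sig_s_len;
 };
 
+struct sk_resident_key {
+uint8_t alg;
+size_t slot;
+char *application;
+struct sk_enroll_response key;
+};
+
 /* Return the version of the middleware API */
 uint32_t sk_api_version(void);
 
 /* Enroll a U2F key (private key generation) */
 int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
-const char *application, uint8_t flags,
+const char *application, uint8_t flags, const char *pin,
 struct sk_enroll_response **enroll_response);
 
 /* Sign a challenge */
 int sk_sign(int alg, const uint8_t *message, size_t message_len,
 const char *application,
 const uint8_t *key_handle, size_t key_handle_len,
-uint8_t flags, struct sk_sign_response **sign_response);
+uint8_t flags, const char *pin,
+struct sk_sign_response **sign_response);
+
+/* Enumerate all resident keys */
+int sk_load_resident_keys(const char *pin,
+struct sk_resident_key ***rks, size_t *nrks);
+
+The SSH_SK_VERSION_MAJOR should be incremented for each incompatible
+API change.
 
 In OpenSSH, these will be invoked by using a similar mechanism to
 ssh-pkcs11-helper to provide address-space containment of the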