author | djm@openbsd.org <djm@openbsd.org> | 2020-06-22 05:58:35 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-06-22 16:27:27 +1000 |
commit | bb52e70fa5330070ec9a23069c311d9e277bbd6f (patch) | |
tree | bafbbd5e2a0928f44853b3179333b123b7e0d9ff /PROTOCOL.u2f | |
parent | 64bc121097f377142f1387ffb2df7592c49935af (diff) |
upstream: Add support for FIDO webauthn (verification only).
webauthn is a standard for using FIDO keys in web browsers. webauthn
signatures are a slightly different format to plain FIDO signatures - this
support allows verification of these. Feedback and ok markus@
OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
Diffstat (limited to 'PROTOCOL.u2f')
-rw-r--r-- | PROTOCOL.u2f | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 69347e999..fd31ea4ef 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f | |||
@@ -209,6 +209,32 @@ For Ed25519 keys the signature is encoded as: | |||
209 | byte flags | 209 | byte flags |
210 | uint32 counter | 210 | uint32 counter |
211 | 211 | ||
212 | webauthn signatures | ||
213 | ------------------- | ||
214 | |||
215 | The W3C/FIDO webauthn[1] standard defines a mechanism for a web browser to | ||
216 | interact with FIDO authentication tokens. This standard builds upon the | ||
217 | FIDO standards, but requires different signature contents to raw FIDO | ||
218 | messages. OpenSSH supports ECDSA/p256 webauthn signatures through the | ||
219 | "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature algorithm. | ||
220 | |||
221 | The wire encoding for a webauthn-sk-ecdsa-sha2-nistp256@openssh.com | ||
222 | signature is similar to the sk-ecdsa-sha2-nistp256@openssh.com format: | ||
223 | |||
224 | string "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" | ||
225 | string ecdsa_signature | ||
226 | byte flags | ||
227 | uint32 counter | ||
228 | string origin | ||
229 | string clientData | ||
230 | string extensions | ||
231 | |||
232 | Where "origin" is the HTTP origin making the signature, "clientData" is | ||
233 | the JSON-like structure signed by the browser and "extensions" are any | ||
234 | extensions used in making the signature. | ||
235 | |||
236 | [1] https://www.w3.org/TR/webauthn-2/ | ||
237 | |||
212 | ssh-agent protocol extensions | 238 | ssh-agent protocol extensions |
213 | ----------------------------- | 239 | ----------------------------- |
214 | 240 | ||
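Review bot: the new section (lines 215-234 of the new file) says webauthn "requires different signature contents to raw FIDO messages" but never states what `ecdsa_signature` actually covers, nor how a verifier is expected to reconstruct that input from the `origin`, `clientData` and `extensions` fields that follow it in the wire format. As written, the "similar to the sk-ecdsa-sha2-nistp256@openssh.com format" sentence invites a reader to assume the signed data is the same as for plain sk-ecdsa, which the preceding sentence says it is not. Suggest adding a short paragraph, in the same style as the earlier signature sections, that spells out the signed-data construction (in webauthn [1] the signature is over the authenticator data followed by the SHA-256 of the client data JSON) and the checks a verifier must make before accepting the signature: that `clientData` carries the challenge derived from the SSH message being verified, that its embedded origin agrees with the `origin` field, and that `flags`/`counter` are handled as for the existing format. Two smaller points: "JSON-like structure" (line 233) undersells it, since the spec defines `clientDataJSON` as JSON, so "the JSON client data structure signed by the browser" would be more precise; and since `extensions` is opaque here, state whether a verifier must reject unknown extensions or may ignore them.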