author | djm@openbsd.org <djm@openbsd.org> | 2020-01-06 02:00:46 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-01-06 13:12:46 +1100 |
commit | c312ca077cd2a6c15545cd6b4d34ee2f69289174 (patch) | |
tree | b8dd974c55dd0de351dfcbfc4f33fddb935a1c12 /sk-api.h | |
parent | 2ab335712d084d9ccaf3f53afc3fa9535329da87 (diff) |
upstream: Extends the SK API to accept a set of key/value options
for all operations. These are intended to future-proof the API a little by
making it easier to specify additional fields without having to change
the API version for each.
At present, only two options are defined: one to explicitly specify
the device for an operation (rather than accepting the middleware's
autoselection) and another to specify the FIDO2 username that may
be used when generating a resident key. These new options may be
invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour
of uint32_t for the algorithm argument in the API, to make implementation
of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
Diffstat (limited to 'sk-api.h')
-rw-r--r-- | sk-api.h | 23 |
1 files changed, 15 insertions, 8 deletions
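--- a/sk-api.h
+++ b/sk-api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.6 2019/12/30 09:24:45 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.7 2020/01/06 02:00:46 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -58,30 +58,37 @@ struct sk_sign_response {
 };
 
 struct sk_resident_key {
-uint8_t alg;
+uint32_t alg;
 size_t slot;
 char *application;
 struct sk_enroll_response key;
 };
 
-#define SSH_SK_VERSION_MAJOR 0x00030000 /* current API version */
+struct sk_option {
+char *name;
+char *value;
+uint8_t required;
+};
+
+#define SSH_SK_VERSION_MAJOR 0x00040000 /* current API version */
 #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
 
 /* Return the version of the middleware API */
 uint32_t sk_api_version(void);
 
 /* Enroll a U2F key (private key generation) */
-int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
+int sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 const char *application, uint8_t flags, const char *pin,
-struct sk_enroll_response **enroll_response);
+struct sk_option **options, struct sk_enroll_response **enroll_response);
 
 /* Sign a challenge */
-int sk_sign(int alg, const uint8_t *message, size_t message_len,
+int sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
 const char *application, const uint8_t *key_handle, size_t key_handle_len,
-uint8_t flags, const char *pin, struct sk_sign_response **sign_response);
+uint8_t flags, const char *pin, struct sk_option **options,
+struct sk_sign_response **sign_response);
 
 /* Enumerate all resident keys */
-int sk_load_resident_keys(const char *pin,
+int sk_load_resident_keys(const char *pin, struct sk_option **options,
 struct sk_resident_key ***rks, size_t *nrks);
 
 #endif /* _SK_API_H */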
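Review bot: The new `struct sk_option` carries no comment on its contract, yet it is the interface a third-party middleware must honour: nothing in the header says how the `options` array handed to sk_enroll, sk_sign and sk_load_resident_keys is terminated (presumably by a NULL entry, since no count parameter was added), nor what `required` obliges the middleware to do. That second point is the security-relevant one: the commit message introduces an option that pins the operation to an explicit device, and a middleware that silently skips an unrecognised option would fall back to autoselection against the caller's stated intent, so the header should state that an unrecognised option with `required` set must fail the operation rather than be ignored. A comment above the struct along the lines of `/* Options passed as a NULL-terminated array; a middleware must fail the operation if it does not understand an option whose required flag is set. */` would pin this down for implementers. It would also help to declare the option names the commit message describes (device selection, resident-key username) as constants here so the helper and middleware cannot drift on spelling; they are not visible anywhere in this hunk.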