diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-01-28 08:01:34 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-01-29 18:52:55 +1100 |
| commit | 24c0f752adf9021277a7b0a84931bb5fe48ea379 (patch) | |
| tree | cd1b9474e73ad7647b4ad88775365e7430d3fe64 /sk-usbhid.c | |
| parent | 156bef36f93a48212383235bb8e3d71eaf2b2777 (diff) | |
upstream: changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.
Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.
ok markus@
OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
Diffstat (limited to 'sk-usbhid.c')
| -rw-r--r-- | sk-usbhid.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c index 2148e1d79..ad83054ad 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c | |||
| @@ -570,6 +570,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len, | |||
| 570 | } | 570 | } |
| 571 | if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) { | 571 | if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) { |
| 572 | len = fido_cred_x5c_len(cred); | 572 | len = fido_cred_x5c_len(cred); |
| 573 | debug3("%s: attestation cert len=%zu", __func__, len); | ||
| 573 | if ((response->attestation_cert = calloc(1, len)) == NULL) { | 574 | if ((response->attestation_cert = calloc(1, len)) == NULL) { |
| 574 | skdebug(__func__, "calloc attestation cert failed"); | 575 | skdebug(__func__, "calloc attestation cert failed"); |
| 575 | goto out; | 576 | goto out; |