-rw-r--r-- | ssh-sk.c | 58 | ||||
-rw-r--r-- | ssh-sk.h | 8 |
2 files changed, 58 insertions, 8 deletions
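--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.5 2019/11/12 19:31:18 markus Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.6 2019/11/12 19:31:45 markus Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -39,6 +39,7 @@
 
 #include "ssh-sk.h"
 #include "sk-api.h"
+#include "crypto_api.h"
 
 struct sshsk_provider {
 char *path;
@@ -198,8 +199,40 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp)
 return r;
 }
 
+static int
+sshsk_ed25519_assemble(struct sk_enroll_response *resp, struct sshkey **keyp)
+{
+struct sshkey *key = NULL;
+int r;
+
+*keyp = NULL;
+if (resp->public_key_len != ED25519_PK_SZ) {
+error("%s: invalid size: %zu", __func__, resp->public_key_len);
+r = SSH_ERR_INVALID_FORMAT;
+goto out;
+}
+if ((key = sshkey_new(KEY_ED25519_SK)) == NULL) {
+error("%s: sshkey_new failed", __func__);
+r = SSH_ERR_ALLOC_FAIL;
+goto out;
+}
+if ((key->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
+error("%s: malloc failed", __func__);
+r = SSH_ERR_ALLOC_FAIL;
+goto out;
+}
+memcpy(key->ed25519_pk, resp->public_key, ED25519_PK_SZ);
+/* success */
+*keyp = key;
+key = NULL; /* transferred */
+r = 0;
+out:
+sshkey_free(key);
+return r;
+}
+
 int
-sshsk_enroll(const char *provider_path, const char *application,
+sshsk_enroll(int type, const char *provider_path, const char *application,
 uint8_t flags, struct sshbuf *challenge_buf, struct sshkey **keyp,
 struct sshbuf *attest)
 {
@@ -214,6 +247,15 @@ sshsk_enroll(const char *provider_path, const char *application,
 *keyp = NULL;
 if (attest)
 sshbuf_reset(attest);
+switch (type) {
+case KEY_ECDSA_SK:
+case KEY_ED25519_SK:
+break;
+default:
+error("%s: unsupported key type", __func__);
+r = SSH_ERR_INVALID_ARGUMENT;
+goto out;
+}
 if (provider_path == NULL) {
 error("%s: missing provider", __func__);
 r = SSH_ERR_INVALID_ARGUMENT;
@@ -259,8 +301,16 @@ sshsk_enroll(const char *provider_path, const char *application,
 r = SSH_ERR_INVALID_FORMAT;
 goto out;
 }
-if ((r = sshsk_ecdsa_assemble(resp, &key)) != 0)
-goto out;
+switch (type) {
+case KEY_ECDSA_SK:
+if ((r = sshsk_ecdsa_assemble(resp, &key)) != 0)
+goto out;
+break;
+case KEY_ED25519_SK:
+if ((r = sshsk_ed25519_assemble(resp, &key)) != 0)
+goto out;
+break;
+}
 key->sk_flags = flags;
 if ((key->sk_key_handle = sshbuf_new()) == NULL ||
 (key->sk_reserved = sshbuf_new()) == NULL) {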
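Review bot: The second `switch (type)` in the last hunk has no `default:` arm, so any type value that gets past the validating switch earlier in sshsk_enroll without being added here leaves `key` NULL and the next line, `key->sk_flags = flags;`, dereferences it. The two switches are only kept in sync by convention; a defensive arm keeps the invariant local and also silences unhandled-case warnings if `type` ever becomes an enum: `default: r = SSH_ERR_INVALID_ARGUMENT; goto out;`. sshsk_enroll begins and ends outside this hunk. The new sshsk_ed25519_assemble in the earlier hunk mirrors sshsk_ecdsa_assemble's ownership handling (length checked before copying, `key` nulled after transfer and freed on every error path), which reads correctly.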
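--- a/ssh-sk.h
+++ b/ssh-sk.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.h,v 1.4 2019/11/12 19:31:18 markus Exp $ */
+/* $OpenBSD: ssh-sk.h,v 1.5 2019/11/12 19:31:45 markus Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -25,8 +25,8 @@ struct sshkey;
 #define SSH_SK_HELPER_VERSION 1
 
 /*
-* Enroll (generate) a new security-key hosted private key via the specified
-* provider middleware.
+* Enroll (generate) a new security-key hosted private key of given type
+* via the specified provider middleware.
 * If challenge_buf is NULL then a random 256 bit challenge will be used.
 *
 * Returns 0 on success or a ssherr.h error code on failure.
@@ -34,7 +34,7 @@ struct sshkey;
 * If successful and the attest_data buffer is not NULL then attestation
 * information is placed there.
 */
-int sshsk_enroll(const char *provider_path, const char *application,
+int sshsk_enroll(int type, const char *provider_path, const char *application,
 uint8_t flags, struct sshbuf *challenge_buf, struct sshkey **keyp,
 struct sshbuf *attest);
 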
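Review bot: The updated comment says the key is "of given type" but does not say which values `type` accepts or what happens otherwise, while the implementation in ssh-sk.c accepts only KEY_ECDSA_SK and KEY_ED25519_SK and fails everything else with SSH_ERR_INVALID_ARGUMENT. I would add a line to the header comment such as ` * type must be KEY_ECDSA_SK or KEY_ED25519_SK; other values fail with SSH_ERR_INVALID_ARGUMENT.` so callers do not need to read the .c file to learn the contract.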