diff options
Diffstat (limited to 'PROTOCOL.u2f')
-rw-r--r-- | PROTOCOL.u2f | 130 |
1 files changed, 51 insertions, 79 deletions
diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 917e669cd..f8ca56b11 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f | |||
@@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens | |||
39 | primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2 | 39 | primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2 |
40 | standard specifies additional key types, including one based on Ed25519. | 40 | standard specifies additional key types, including one based on Ed25519. |
41 | 41 | ||
42 | Use of U2F security keys does not automatically imply multi-factor | ||
43 | authentication. From sshd's perspective, a security key constitutes a | ||
44 | single factor of authentication, even if protected by a PIN or biometric | ||
45 | authentication. To enable multi-factor authentication in ssh, please | ||
46 | refer to the AuthenticationMethods option in sshd_config(5). | ||
47 | |||
48 | |||
42 | SSH U2F Key formats | 49 | SSH U2F Key formats |
43 | ------------------- | 50 | ------------------- |
44 | 51 | ||
@@ -147,6 +154,16 @@ by trusted hardware before it will issue a certificate. To support this | |||
147 | case, OpenSSH optionally allows retaining the attestation information | 154 | case, OpenSSH optionally allows retaining the attestation information |
148 | at the time of key generation. It will take the following format: | 155 | at the time of key generation. It will take the following format: |
149 | 156 | ||
157 | string "ssh-sk-attest-v01" | ||
158 | string attestation certificate | ||
159 | string enrollment signature | ||
160 | string authenticator data (CBOR encoded) | ||
161 | uint32 reserved flags | ||
162 | string reserved string | ||
163 | |||
164 | A previous version of this format, emitted prior to OpenSSH 8.4 omitted | ||
165 | the authenticator data. | ||
166 | |||
150 | string "ssh-sk-attest-v00" | 167 | string "ssh-sk-attest-v00" |
151 | string attestation certificate | 168 | string attestation certificate |
152 | string enrollment signature | 169 | string enrollment signature |
@@ -202,6 +219,32 @@ For Ed25519 keys the signature is encoded as: | |||
202 | byte flags | 219 | byte flags |
203 | uint32 counter | 220 | uint32 counter |
204 | 221 | ||
222 | webauthn signatures | ||
223 | ------------------- | ||
224 | |||
225 | The W3C/FIDO webauthn[1] standard defines a mechanism for a web browser to | ||
226 | interact with FIDO authentication tokens. This standard builds upon the | ||
227 | FIDO standards, but requires different signature contents to raw FIDO | ||
228 | messages. OpenSSH supports ECDSA/p256 webauthn signatures through the | ||
229 | "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature algorithm. | ||
230 | |||
231 | The wire encoding for a webauthn-sk-ecdsa-sha2-nistp256@openssh.com | ||
232 | signature is similar to the sk-ecdsa-sha2-nistp256@openssh.com format: | ||
233 | |||
234 | string "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" | ||
235 | string ecdsa_signature | ||
236 | byte flags | ||
237 | uint32 counter | ||
238 | string origin | ||
239 | string clientData | ||
240 | string extensions | ||
241 | |||
242 | Where "origin" is the HTTP origin making the signature, "clientData" is | ||
243 | the JSON-like structure signed by the browser and "extensions" are any | ||
244 | extensions used in making the signature. | ||
245 | |||
246 | [1] https://www.w3.org/TR/webauthn-2/ | ||
247 | |||
205 | ssh-agent protocol extensions | 248 | ssh-agent protocol extensions |
206 | ----------------------------- | 249 | ----------------------------- |
207 | 250 | ||
@@ -234,87 +277,15 @@ regress testing. For this reason, OpenSSH shall support a dynamically- | |||
234 | loaded middleware libraries to communicate with security keys, but offer | 277 | loaded middleware libraries to communicate with security keys, but offer |
235 | support for the common case of USB HID security keys internally. | 278 | support for the common case of USB HID security keys internally. |
236 | 279 | ||
237 | The middleware library need only expose a handful of functions: | 280 | The middleware library need only expose a handful of functions and |
238 | 281 | numbers listed in sk-api.h. Included in the defined numbers is a | |
239 | #define SSH_SK_VERSION_MAJOR 0x00050000 /* API version */ | 282 | SSH_SK_VERSION_MAJOR that should be incremented for each incompatible |
240 | #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000 | ||
241 | |||
242 | /* Flags */ | ||
243 | #define SSH_SK_USER_PRESENCE_REQD 0x01 | ||
244 | #define SSH_SK_USER_VERIFICATION_REQD 0x04 | ||
245 | #define SSH_SK_RESIDENT_KEY 0x20 | ||
246 | |||
247 | /* Algs */ | ||
248 | #define SSH_SK_ECDSA 0x00 | ||
249 | #define SSH_SK_ED25519 0x01 | ||
250 | |||
251 | /* Error codes */ | ||
252 | #define SSH_SK_ERR_GENERAL -1 | ||
253 | #define SSH_SK_ERR_UNSUPPORTED -2 | ||
254 | #define SSH_SK_ERR_PIN_REQUIRED -3 | ||
255 | #define SSH_SK_ERR_DEVICE_NOT_FOUND -4 | ||
256 | |||
257 | struct sk_enroll_response { | ||
258 | uint8_t *public_key; | ||
259 | size_t public_key_len; | ||
260 | uint8_t *key_handle; | ||
261 | size_t key_handle_len; | ||
262 | uint8_t *signature; | ||
263 | size_t signature_len; | ||
264 | uint8_t *attestation_cert; | ||
265 | size_t attestation_cert_len; | ||
266 | }; | ||
267 | |||
268 | struct sk_sign_response { | ||
269 | uint8_t flags; | ||
270 | uint32_t counter; | ||
271 | uint8_t *sig_r; | ||
272 | size_t sig_r_len; | ||
273 | uint8_t *sig_s; | ||
274 | size_t sig_s_len; | ||
275 | }; | ||
276 | |||
277 | struct sk_resident_key { | ||
278 | uint32_t alg; | ||
279 | size_t slot; | ||
280 | char *application; | ||
281 | struct sk_enroll_response key; | ||
282 | }; | ||
283 | |||
284 | struct sk_option { | ||
285 | char *name; | ||
286 | char *value; | ||
287 | uint8_t important; | ||
288 | }; | ||
289 | |||
290 | /* Return the version of the middleware API */ | ||
291 | uint32_t sk_api_version(void); | ||
292 | |||
293 | /* Enroll a U2F key (private key generation) */ | ||
294 | int sk_enroll(uint32_t alg, | ||
295 | const uint8_t *challenge, size_t challenge_len, | ||
296 | const char *application, uint8_t flags, const char *pin, | ||
297 | struct sk_option **options, | ||
298 | struct sk_enroll_response **enroll_response); | ||
299 | |||
300 | /* Sign a challenge */ | ||
301 | int sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, | ||
302 | const char *application, | ||
303 | const uint8_t *key_handle, size_t key_handle_len, | ||
304 | uint8_t flags, const char *pin, struct sk_option **options, | ||
305 | struct sk_sign_response **sign_response); | ||
306 | |||
307 | /* Enumerate all resident keys */ | ||
308 | int sk_load_resident_keys(const char *pin, struct sk_option **options, | ||
309 | struct sk_resident_key ***rks, size_t *nrks); | ||
310 | |||
311 | The SSH_SK_VERSION_MAJOR should be incremented for each incompatible | ||
312 | API change. | 283 | API change. |
313 | 284 | ||
314 | The options may be used to pass miscellaneous options to the middleware | 285 | miscellaneous options may be passed to the middleware as a NULL- |
315 | as a NULL-terminated array of pointers to struct sk_option. The middleware | 286 | terminated array of pointers to struct sk_option. The middleware may |
316 | may ignore unsupported or unknown options unless the "important" flag is | 287 | ignore unsupported or unknown options unless the "required" flag is set, |
317 | set, in which case it should return failure if an unsupported option is | 288 | in which case it should return failure if an unsupported option is |
318 | requested. | 289 | requested. |
319 | 290 | ||
320 | At present the following options names are supported: | 291 | At present the following options names are supported: |
@@ -335,3 +306,4 @@ In OpenSSH, the middleware will be invoked by using a similar mechanism to | |||
335 | ssh-pkcs11-helper to provide address-space containment of the | 306 | ssh-pkcs11-helper to provide address-space containment of the |
336 | middleware from ssh-agent. | 307 | middleware from ssh-agent. |
337 | 308 | ||
309 | $OpenBSD: PROTOCOL.u2f,v 1.26 2020/09/09 03:08:01 djm Exp $ | ||