1 files changed, 51 insertions, 79 deletions
diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f
index 917e669cd..f8ca56b11 100644
--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens
 primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
 standard specifies additional key types, including one based on Ed25519.
+Use of U2F security keys does not automatically imply multi-factor
+authentication. From sshd's perspective, a security key constitutes a
+single factor of authentication, even if protected by a PIN or biometric
+authentication.  To enable multi-factor authentication in ssh, please
+refer to the AuthenticationMethods option in sshd_config(5).
 SSH U2F Key formats
 -------------------
@@ -147,6 +154,16 @@ by trusted hardware before it will issue a certificate. To support this
 case, OpenSSH optionally allows retaining the attestation information
 at the time of key generation. It will take the following format:
+        string          "ssh-sk-attest-v01"
+        string          attestation certificate
+        string          enrollment signature
+        string          authenticator data (CBOR encoded)
+        uint32          reserved flags
+        string          reserved string
+A previous version of this format, emitted prior to OpenSSH 8.4 omitted
+the authenticator data.
        string          "ssh-sk-attest-v00"
        string          attestation certificate
        string          enrollment signature
@@ -202,6 +219,32 @@ For Ed25519 keys the signature is encoded as:
        byte            flags
        uint32          counter
+webauthn signatures
+-------------------
+The W3C/FIDO webauthn[1] standard defines a mechanism for a web browser to
+interact with FIDO authentication tokens. This standard builds upon the
+FIDO standards, but requires different signature contents to raw FIDO
+messages. OpenSSH supports ECDSA/p256 webauthn signatures through the
+"webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature algorithm.
+The wire encoding for a webauthn-sk-ecdsa-sha2-nistp256@openssh.com
+signature is similar to the sk-ecdsa-sha2-nistp256@openssh.com format:
+        string          "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
+        string          ecdsa_signature
+        byte            flags
+        uint32          counter
+        string          origin
+        string          clientData
+        string          extensions
+Where "origin" is the HTTP origin making the signature, "clientData" is
+the JSON-like structure signed by the browser and "extensions" are any
+extensions used in making the signature.
+[1] https://www.w3.org/TR/webauthn-2/
 ssh-agent protocol extensions
 -----------------------------
@@ -234,87 +277,15 @@ regress testing. For this reason, OpenSSH shall support a dynamically-
 loaded middleware libraries to communicate with security keys, but offer
 support for the common case of USB HID security keys internally.
-The middleware library need only expose a handful of functions:
+The middleware library need only expose a handful of functions and
+numbers listed in sk-api.h. Included in the defined numbers is a
-        #define SSH_SK_VERSION_MAJOR            0x00050000 /* API version */
+SSH_SK_VERSION_MAJOR that should be incremented for each incompatible
-        #define SSH_SK_VERSION_MAJOR_MASK       0xffff0000
-        /* Flags */
-        #define SSH_SK_USER_PRESENCE_REQD       0x01
-        #define SSH_SK_USER_VERIFICATION_REQD   0x04
-        #define SSH_SK_RESIDENT_KEY             0x20
-        /* Algs */
-        #define SSH_SK_ECDSA                   0x00
-        #define SSH_SK_ED25519                 0x01
-        /* Error codes */
-        #define SSH_SK_ERR_GENERAL              -1
-        #define SSH_SK_ERR_UNSUPPORTED          -2
-        #define SSH_SK_ERR_PIN_REQUIRED         -3
-        #define SSH_SK_ERR_DEVICE_NOT_FOUND     -4
-        struct sk_enroll_response {
-                uint8_t *public_key;
-                size_t public_key_len;
-                uint8_t *key_handle;
-                size_t key_handle_len;
-                uint8_t *signature;
-                size_t signature_len;
-                uint8_t *attestation_cert;
-                size_t attestation_cert_len;
-        };
-        struct sk_sign_response {
-                uint8_t flags;
-                uint32_t counter;
-                uint8_t *sig_r;
-                size_t sig_r_len;
-                uint8_t *sig_s;
-                size_t sig_s_len;
-        };
-        struct sk_resident_key {
-                uint32_t alg;
-                size_t slot;
-                char *application;
-                struct sk_enroll_response key;
-        };
-        struct sk_option {
-                char *name;
-                char *value;
-                uint8_t important;
-        };
-        /* Return the version of the middleware API */
-        uint32_t sk_api_version(void);
-        /* Enroll a U2F key (private key generation) */
-        int sk_enroll(uint32_t alg,
-            const uint8_t *challenge, size_t challenge_len,
-            const char *application, uint8_t flags, const char *pin,
-            struct sk_option **options,
-            struct sk_enroll_response **enroll_response);
-        /* Sign a challenge */
-        int sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
-            const char *application,
-            const uint8_t *key_handle, size_t key_handle_len,
-            uint8_t flags, const char *pin, struct sk_option **options,
-            struct sk_sign_response **sign_response);
-        /* Enumerate all resident keys */
-        int sk_load_resident_keys(const char *pin, struct sk_option **options,
-            struct sk_resident_key ***rks, size_t *nrks);
-The SSH_SK_VERSION_MAJOR should be incremented for each incompatible
 API change.
-The options may be used to pass miscellaneous options to the middleware
+miscellaneous options may be passed to the middleware as a NULL-
-as a NULL-terminated array of pointers to struct sk_option. The middleware
+terminated array of pointers to struct sk_option. The middleware may
-may ignore unsupported or unknown options unless the "important" flag is
+ignore unsupported or unknown options unless the "required" flag is set,
-set, in which case it should return failure if an unsupported option is
+in which case it should return failure if an unsupported option is
 requested.
 At present the following options names are supported:
@@ -335,3 +306,4 @@ In OpenSSH, the middleware will be invoked by using a similar mechanism to
 ssh-pkcs11-helper to provide address-space containment of the
 middleware from ssh-agent.
+$OpenBSD: PROTOCOL.u2f,v 1.26 2020/09/09 03:08:01 djm Exp $

diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 917e669cd..f8ca56b11 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f
@@ -39,6 +39,13 @@ the key handle be supplied for each signature operation. U2F tokens
39	primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2	39	primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
40	standard specifies additional key types, including one based on Ed25519.	40	standard specifies additional key types, including one based on Ed25519.
41		41
		42	Use of U2F security keys does not automatically imply multi-factor
		43	authentication. From sshd's perspective, a security key constitutes a
		44	single factor of authentication, even if protected by a PIN or biometric
		45	authentication. To enable multi-factor authentication in ssh, please
		46	refer to the AuthenticationMethods option in sshd_config(5).
		47
		48
42	SSH U2F Key formats	49	SSH U2F Key formats
43	-------------------	50	-------------------
44		51
@@ -147,6 +154,16 @@ by trusted hardware before it will issue a certificate. To support this
147	case, OpenSSH optionally allows retaining the attestation information	154	case, OpenSSH optionally allows retaining the attestation information
148	at the time of key generation. It will take the following format:	155	at the time of key generation. It will take the following format:
149		156
		157	string "ssh-sk-attest-v01"
		158	string attestation certificate
		159	string enrollment signature
		160	string authenticator data (CBOR encoded)
		161	uint32 reserved flags
		162	string reserved string
		163
		164	A previous version of this format, emitted prior to OpenSSH 8.4 omitted
		165	the authenticator data.
		166
150	string "ssh-sk-attest-v00"	167	string "ssh-sk-attest-v00"
151	string attestation certificate	168	string attestation certificate
152	string enrollment signature	169	string enrollment signature
@@ -202,6 +219,32 @@ For Ed25519 keys the signature is encoded as:
202	byte flags	219	byte flags
203	uint32 counter	220	uint32 counter
204		221
		222	webauthn signatures
		223	-------------------
		224
		225	The W3C/FIDO webauthn[1] standard defines a mechanism for a web browser to
		226	interact with FIDO authentication tokens. This standard builds upon the
		227	FIDO standards, but requires different signature contents to raw FIDO
		228	messages. OpenSSH supports ECDSA/p256 webauthn signatures through the
		229	"webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature algorithm.
		230
		231	The wire encoding for a webauthn-sk-ecdsa-sha2-nistp256@openssh.com
		232	signature is similar to the sk-ecdsa-sha2-nistp256@openssh.com format:
		233
		234	string "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
		235	string ecdsa_signature
		236	byte flags
		237	uint32 counter
		238	string origin
		239	string clientData
		240	string extensions
		241
		242	Where "origin" is the HTTP origin making the signature, "clientData" is
		243	the JSON-like structure signed by the browser and "extensions" are any
		244	extensions used in making the signature.
		245
		246	[1] https://www.w3.org/TR/webauthn-2/
		247
205	ssh-agent protocol extensions	248	ssh-agent protocol extensions
206	-----------------------------	249	-----------------------------
207		250
@@ -234,87 +277,15 @@ regress testing. For this reason, OpenSSH shall support a dynamically-
234	loaded middleware libraries to communicate with security keys, but offer	277	loaded middleware libraries to communicate with security keys, but offer
235	support for the common case of USB HID security keys internally.	278	support for the common case of USB HID security keys internally.
236		279
237	The middleware library need only expose a handful of functions:	280	The middleware library need only expose a handful of functions and
238		281	numbers listed in sk-api.h. Included in the defined numbers is a
239	#define SSH_SK_VERSION_MAJOR 0x00050000 /* API version */	282	SSH_SK_VERSION_MAJOR that should be incremented for each incompatible
240	#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
241
242	/* Flags */
243	#define SSH_SK_USER_PRESENCE_REQD 0x01
244	#define SSH_SK_USER_VERIFICATION_REQD 0x04
245	#define SSH_SK_RESIDENT_KEY 0x20
246
247	/* Algs */
248	#define SSH_SK_ECDSA 0x00
249	#define SSH_SK_ED25519 0x01
250
251	/* Error codes */
252	#define SSH_SK_ERR_GENERAL -1
253	#define SSH_SK_ERR_UNSUPPORTED -2
254	#define SSH_SK_ERR_PIN_REQUIRED -3
255	#define SSH_SK_ERR_DEVICE_NOT_FOUND -4
256
257	struct sk_enroll_response {
258	uint8_t *public_key;
259	size_t public_key_len;
260	uint8_t *key_handle;
261	size_t key_handle_len;
262	uint8_t *signature;
263	size_t signature_len;
264	uint8_t *attestation_cert;
265	size_t attestation_cert_len;
266	};
267
268	struct sk_sign_response {
269	uint8_t flags;
270	uint32_t counter;
271	uint8_t *sig_r;
272	size_t sig_r_len;
273	uint8_t *sig_s;
274	size_t sig_s_len;
275	};
276
277	struct sk_resident_key {
278	uint32_t alg;
279	size_t slot;
280	char *application;
281	struct sk_enroll_response key;
282	};
283
284	struct sk_option {
285	char *name;
286	char *value;
287	uint8_t important;
288	};
289
290	/* Return the version of the middleware API */
291	uint32_t sk_api_version(void);
292
293	/* Enroll a U2F key (private key generation) */
294	int sk_enroll(uint32_t alg,
295	const uint8_t *challenge, size_t challenge_len,
296	const char application, uint8_t flags, const char pin,
297	struct sk_option **options,
298	struct sk_enroll_response **enroll_response);
299
300	/* Sign a challenge */
301	int sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
302	const char *application,
303	const uint8_t *key_handle, size_t key_handle_len,
304	uint8_t flags, const char pin, struct sk_option *options,
305	struct sk_sign_response **sign_response);
306
307	/* Enumerate all resident keys */
308	int sk_load_resident_keys(const char pin, struct sk_option *options,
309	struct sk_resident_key **rks, size_t nrks);
310
311	The SSH_SK_VERSION_MAJOR should be incremented for each incompatible
312	API change.	283	API change.
313		284
314	The options may be used to pass miscellaneous options to the middleware	285	miscellaneous options may be passed to the middleware as a NULL-
315	as a NULL-terminated array of pointers to struct sk_option. The middleware	286	terminated array of pointers to struct sk_option. The middleware may
316	may ignore unsupported or unknown options unless the "important" flag is	287	ignore unsupported or unknown options unless the "required" flag is set,
317	set, in which case it should return failure if an unsupported option is	288	in which case it should return failure if an unsupported option is
318	requested.	289	requested.
319		290
320	At present the following options names are supported:	291	At present the following options names are supported:
@@ -335,3 +306,4 @@ In OpenSSH, the middleware will be invoked by using a similar mechanism to
335	ssh-pkcs11-helper to provide address-space containment of the	306	ssh-pkcs11-helper to provide address-space containment of the
336	middleware from ssh-agent.	307	middleware from ssh-agent.
337		308
		309	$OpenBSD: PROTOCOL.u2f,v 1.26 2020/09/09 03:08:01 djm Exp $