path: root/PROTOCOL.u2f
2020-05-01  djm@openbsd.org
upstream: when signing a challenge using a FIDO token, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@
OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d

2020-02-21  dtucker@openbsd.org
upstream: Fix some typos and an incorrect word in docs. Patch from itoama at live.jp via github PR#172.
OpenBSD-Commit-ID: 166ee8f93a7201fef431b9001725ab8b269d5874

2020-01-29  djm@openbsd.org
upstream: changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@
OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6

2020-01-26  djm@openbsd.org
upstream: improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and converting some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course. also remove independent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@
OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb

2020-01-06  djm@openbsd.org
upstream: Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@
OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc

2019-12-30  djm@openbsd.org
upstream: document SK API changes in PROTOCOL.u2f
ok markus@
OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186

2019-12-30  djm@openbsd.org
upstream: basic support for generating FIDO2 resident keys
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@
OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431

2019-12-21  naddy@openbsd.org
upstream: SSH U2F keys can now be used as host keys. Fix a garden path sentence. ok markus@
OpenBSD-Commit-ID: 67d7971ca1a020acd6c151426c54bd29d784bd6b

2019-12-14  djm@openbsd.org
upstream: add a note about the 'extensions' field in the signed object
OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b

2019-12-11  djm@openbsd.org
upstream: some more corrections for documentation problems spotted by Ron Frederick
document certificate private key format
correct flags type for sk-ssh-ed25519@openssh.com keys
OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74

2019-12-11  djm@openbsd.org
upstream: loading security keys into ssh-agent used the extension constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick
OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d

2019-12-11  djm@openbsd.org
upstream: chop some unnecessary and confusing verbiage from the security key protocol description; feedback from Ron Frederick
OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42

2019-11-28  djm@openbsd.org
upstream: tweak wording
OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e

2019-11-20  djm@openbsd.org
upstream: adjust on-wire signature encoding for ecdsa-sk keys to better match ed25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679

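The uniform signature encoding that the entry above gives ecdsa-sk and ed25519-sk keys is what a relying application actually has to parse. What follows is an added example, not OpenSSH code, that splits such a signature blob into its fields, reconstructs the data the token signed, and applies the per-key checks that sshd itself keeps no state for. It assumes the layout from the current PROTOCOL.u2f text rather than anything this log page reproduces: string signature type, string signature (two mpints r and s for ECDSA), byte flags, uint32 counter, and a signed object of SHA256(application), flags, counter, extensions, SHA256(message). The flag constant names, the sample bytes and the counter policy are the example's own assumptions.

```python
"""Parse and policy-check OpenSSH FIDO ("-sk") signature blobs.

Added example, not OpenSSH code.  Wire layout assumed from PROTOCOL.u2f:
  string sig-type | string signature | byte flags | uint32 counter
"""
import hashlib
import struct

# Bits of the FIDO authenticator-data flags byte that OpenSSH carries in the
# signature.  The names are this example's; the bit values are FIDO's.
FLAG_USER_PRESENCE = 0x01
FLAG_USER_VERIFICATION = 0x04

SK_SIG_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
}


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset; returns (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def encode_sk_signature(sigtype: str, signature: bytes, flags: int, counter: int) -> bytes:
    """Build a -sk signature blob in the assumed layout (used here to make fixtures)."""
    return (_ssh_string(sigtype.encode()) + _ssh_string(signature)
            + bytes([flags & 0xFF]) + struct.pack(">I", counter))


def parse_sk_signature(blob: bytes) -> dict:
    """Split a -sk signature blob into its fields, rejecting malformed input."""
    sigtype, off = _read_string(blob, 0)
    signature, off = _read_string(blob, off)
    if len(blob) - off != 5:  # exactly one flags byte plus a uint32 counter must remain
        raise ValueError("bad trailer: expected flags byte and uint32 counter")
    flags = blob[off]
    (counter,) = struct.unpack(">I", blob[off + 1:off + 5])
    name = sigtype.decode("ascii", "replace")
    if name not in SK_SIG_TYPES:
        raise ValueError("not a -sk signature type: %r" % name)
    fields = {"type": name, "signature": signature, "flags": flags, "counter": counter}
    if name == "sk-ecdsa-sha2-nistp256@openssh.com":
        # The inner ECDSA signature is two mpints, r then s, with nothing after.
        r, p = _read_string(signature, 0)
        s, p = _read_string(signature, p)
        if p != len(signature):
            raise ValueError("trailing bytes after ECDSA s")
        fields["r"] = int.from_bytes(r, "big")
        fields["s"] = int.from_bytes(s, "big")
    return fields


def sk_signed_data(application: bytes, flags: int, counter: int,
                   message: bytes, extensions: bytes = b"") -> bytes:
    """Bytes the token actually signed; flags and counter are bound in here.

    'extensions' is empty for OpenSSH today.  This is the input to the plain
    Ed25519 / ECDSA-P256 verification of fields["signature"].
    """
    return (hashlib.sha256(application).digest() + bytes([flags & 0xFF])
            + struct.pack(">I", counter) + extensions
            + hashlib.sha256(message).digest())


def check_sk_policy(fields: dict, last_counter: int, require_uv: bool = False):
    """Per-key policy a relying application applies after the crypto check.

    Returns (ok, reason).  sshd rejects a missing user-presence flag by default
    but does not store counters, so monotonicity is the application's job.
    Policy here (an assumption of this example): a token that has always
    reported 0 has no counter and is accepted; any other non-increase is
    treated as a cloned or replayed assertion.
    """
    flags, counter = fields["flags"], fields["counter"]
    if not flags & FLAG_USER_PRESENCE:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_USER_VERIFICATION:
        return False, "user verification required but not asserted"
    if counter == 0 and last_counter == 0:
        return True, "ok (token reports no counter)"
    if counter <= last_counter:
        return False, "counter %d not above stored %d: possible clone/replay" % (counter, last_counter)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a fake 64-byte Ed25519 signature, UP set, counter 7.
    blob = encode_sk_signature("sk-ssh-ed25519@openssh.com", b"\x11" * 64, 0x01, 7)
    f = parse_sk_signature(blob)
    print(f["type"], hex(f["flags"]), f["counter"], check_sk_policy(f, 6))
```

Only `parse_sk_signature` and `check_sk_policy` are needed by a verifier; `sk_signed_data` is what you hand to the underlying Ed25519 or ECDSA verify call together with the key's public key and application string. Note that because flags and counter sit inside the signed object, a peer cannot strip the user-presence bit or rewind the counter without invalidating the signature, which is why the policy checks are meaningful only after the cryptographic verification has passed.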
2019-11-18  djm@openbsd.org
upstream: document ed25519-sk pubkey, private key and certificate formats
OpenBSD-Commit-ID: 795a7c1c80315412e701bef90e31e376ea2f3c88

2019-11-18  djm@openbsd.org
upstream: correct order of ecdsa-sk private key fields
OpenBSD-Commit-ID: 4d4a0c13226a79f0080ce6cbe74f73b03ed8092e

2019-11-18  djm@openbsd.org
upstream: correct description of fields in pub/private keys (was missing curve name); spotted by Sebastian Kinne
OpenBSD-Commit-ID: 2a11340dc7ed16200342d384fb45ecd4fcce26e7

2019-11-13  markus@openbsd.org
upstream: remove extra layer for ed25519 signature; ok djm@
OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47

2019-11-13  markus@openbsd.org
upstream: update sk-api to version 2 for ed25519 support; ok djm
OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a

2019-11-02  naddy@openbsd.org
upstream: fix miscellaneous text problems; ok djm@
OpenBSD-Commit-ID: 0cbf411a14d8fa0b269b69cbb1b4fc0ca699fe9f

2019-11-01  djm@openbsd.org
upstream: Protocol documentation for U2F/FIDO keys in OpenSSH
OpenBSD-Commit-ID: 8f3247317c2909870593aeb306dff848bc427915