From bb52e70fa5330070ec9a23069c311d9e277bbd6f Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 22 Jun 2020 05:58:35 +0000 Subject: upstream: Add support for FIDO webauthn (verification only). webauthn is a standard for using FIDO keys in web browsers. webauthn signatures are a slightly different format to plain FIDO signatures - this support allows verification of these. Feedback and ok markus@ OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad --- PROTOCOL.u2f | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 69347e99..fd31ea4e 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f @@ -209,6 +209,32 @@ For Ed25519 keys the signature is encoded as: byte flags uint32 counter +webauthn signatures +------------------- + +The W3C/FIDO webauthn[1] standard defines a mechanism for a web browser to +interact with FIDO authentication tokens. This standard builds upon the +FIDO standards, but requires different signature contents to raw FIDO +messages. OpenSSH supports ECDSA/p256 webauthn signatures through the +"webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature algorithm. + +The wire encoding for a webauthn-sk-ecdsa-sha2-nistp256@openssh.com +signature is similar to the sk-ecdsa-sha2-nistp256@openssh.com format: + + string "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" + string ecdsa_signature + byte flags + uint32 counter + string origin + string clientData + string extensions + +Where "origin" is the HTTP origin making the signature, "clientData" is +the JSON-like structure signed by the browser and "extensions" are any +extensions used in making the signature. + +[1] https://www.w3.org/TR/webauthn-2/ + ssh-agent protocol extensions -----------------------------
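Review bot: the new "webauthn signatures" section lists the three extra fields (origin, clientData, extensions) but never says how a verifier is meant to use them, which is the one thing an implementer of this verification-only format needs: please state how the message that the ECDSA signature actually covers is reconstructed from origin, flags, counter, extensions and clientData, and which parts of clientData a verifier must check against the SSH data being signed rather than accept as opaque. Two wording points in the same paragraph: "HTTP origin" is imprecise since webauthn origins are web origins (scheme, host and port, normally https), so say "web origin" and note what the verifier derives from it; and "JSON-like structure" should be pinned down to the exact encoding expected in the string (the JSON clientData as serialized by the browser), since "JSON-like" leaves room for verifiers to accept variants the signer never produced. Likewise, "any extensions used in making the signature" should name the byte encoding carried in the extensions string so that independent implementations agree on what they hash.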