From 24c0f752adf9021277a7b0a84931bb5fe48ea379 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" 
Date: Tue, 28 Jan 2020 08:01:34 +0000
Subject: upstream: changes to support FIDO attestation

Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.

Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.

ok markus@

OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
---
 ssh-sk.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'ssh-sk.c')

diff --git a/ssh-sk.c b/ssh-sk.c
index a8d4de83..3e88aaff 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.25 2020/01/25 23:13:09 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.26 2020/01/28 08:01:34 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -504,14 +504,14 @@ sshsk_enroll(int type, const char *provider_path, const char *device,
 
 	/* Optionally fill in the attestation information */
 	if (attest != NULL) {
-		if ((r = sshbuf_put_cstring(attest, "sk-attest-v00")) != 0 ||
-		    (r = sshbuf_put_u32(attest, 1)) != 0 || /* XXX U2F ver */
+		if ((r = sshbuf_put_cstring(attest,
+		    "ssh-sk-attest-v00")) != 0 ||
 		    (r = sshbuf_put_string(attest, resp->attestation_cert,
 		    resp->attestation_cert_len)) != 0 ||
 		    (r = sshbuf_put_string(attest, resp->signature,
 		    resp->signature_len)) != 0 ||
-		    (r = sshbuf_put_u32(attest, flags)) != 0 || /* XXX right? */
-		    (r = sshbuf_put_string(attest, NULL, 0)) != 0) {
+		    (r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
+		    (r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
 			error("%s: buffer error: %s", __func__, ssh_err(r));
 			goto out;
 		}
-- 
cgit v1.2.1
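Review bot: The "ssh-sk-attest-v00" blob written on the new side carries only the attestation certificate, the attestation signature and two reserved fields; as far as I recall the FIDO/WebAuthn registration flow, that signature is computed over the authenticator data together with the client-data hash, and neither the authenticator data nor the challenge that the commit message says is now sent to the token is serialized here, so a verifier reading this file alone cannot check the signature and must obtain both out of band. If that is the intended contract for v00, a comment above `if (attest != NULL)` should spell out the field layout (version string, attestation cert, signature, reserved uint32 of 0, reserved empty string) and state explicitly that the challenge and the credential/authenticator data are not included and must be supplied by the verifying workflow, so the blob is not mistaken for a self-contained proof; if it is not intended, the authenticator data belongs in the blob as a further `sshbuf_put_string` ahead of the reserved fields, under a new version string rather than by redefining v00 once it has shipped. As a point of style, the trailing `/* resvd */` on the last `sshbuf_put_string` line sits between `!= 0` and the closing `)`, unlike the `|| /* resvd flags */` placement on the line above; moving it to a trailing position after `{` or onto its own line keeps the condition readable. sshsk_enroll begins and ends outside this hunk, so the declaration of the now-unused `flags` argument passed on the removed line cannot be checked from here.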