cryptenroll,homectl: Introduce --fido2-credential-algorithm option

* Some authenticators(like Yubikey) support credential algorithm other than ES256 * Introduce a new option so users can make use of it
author: MkfsSion <mkfssion@mkfssion.com> 2022-04-17 15:42:49 +0800
committer: Lennart Poettering <lennart@poettering.net> 2022-04-22 20:22:40 +0200
commit: 70e723c000e46e2304e54f8063572d7fa0cdad46 (patch)
tree: 462cd67a414dc0bce495d01f405ddbe60c0731fa /src/home
parent: 6dc18ca5ddd996ffbf83b42cb45f23496fe38c9d (diff)
download: systemd-70e723c000e46e2304e54f8063572d7fa0cdad46.tar.gz
3 files changed, 19 insertions, 4 deletions
diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c
index d0457d8e29..61f0d081a3 100644
--- a/src/home/homectl-fido2.c
+++ b/src/home/homectl-fido2.c
@@ -118,7 +118,8 @@ static int add_fido2_salt(
 int identity_add_fido2_parameters(
                 JsonVariant **v,
                 const char *device,
-                Fido2EnrollFlags lock_with) {
+                Fido2EnrollFlags lock_with,
+                int cred_alg) {
 
 #if HAVE_LIBFIDO2
         JsonVariant *un, *realm, *rn;
@@ -165,6 +166,7 @@ int identity_add_fido2_parameters(
                         /* user_icon_name= */ NULL,
                         /* askpw_icon_name= */ "user-home",
                         lock_with,
+                        cred_alg,
                         &cid, &cid_size,
                         &salt, &salt_size,
                         &secret, &secret_size,
diff --git a/src/home/homectl-fido2.h b/src/home/homectl-fido2.h
index 5087069c3c..558c6747d9 100644
--- a/src/home/homectl-fido2.h
+++ b/src/home/homectl-fido2.h
@@ -4,4 +4,4 @@
 #include "json.h"
 #include "libfido2-util.h"
 
-int identity_add_fido2_parameters(JsonVariant **v, const char *device, Fido2EnrollFlags lock_with);
+int identity_add_fido2_parameters(JsonVariant **v, const char *device, Fido2EnrollFlags lock_with, int cred_alg);
diff --git a/src/home/homectl.c b/src/home/homectl.c
index f0d1dac6ab..56f6096769 100644
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@@ -61,6 +61,11 @@ static uint64_t arg_disk_size_relative = UINT64_MAX;
 static char **arg_pkcs11_token_uri = NULL;
 static char **arg_fido2_device = NULL;
 static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN | FIDO2ENROLL_UP;
+#if HAVE_LIBFIDO2
+static int arg_fido2_cred_alg = COSE_ES256;
+#else
+static int arg_fido2_cred_alg = 0;
+#endif
 static bool arg_recovery_key = false;
 static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF;
 static bool arg_and_resize = false;
@@ -1114,7 +1119,7 @@ static int acquire_new_home_record(UserRecord **ret) {
         }
 
         STRV_FOREACH(i, arg_fido2_device) {
-                r = identity_add_fido2_parameters(&v, *i, arg_fido2_lock_with);
+                r = identity_add_fido2_parameters(&v, *i, arg_fido2_lock_with, arg_fido2_cred_alg);
                 if (r < 0)
                         return r;
         }
@@ -1473,7 +1478,7 @@ static int acquire_updated_home_record(
         }
 
         STRV_FOREACH(i, arg_fido2_device) {
-                r = identity_add_fido2_parameters(&json, *i, arg_fido2_lock_with);
+                r = identity_add_fido2_parameters(&json, *i, arg_fido2_lock_with, arg_fido2_cred_alg);
                 if (r < 0)
                         return r;
         }
@@ -2387,6 +2392,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_LUKS_EXTRA_MOUNT_OPTIONS,
                 ARG_AUTO_RESIZE_MODE,
                 ARG_REBALANCE_WEIGHT,
+                ARG_FIDO2_CRED_ALG,
         };
 
         static const struct option options[] = {
@@ -2463,6 +2469,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "json",                        required_argument, NULL, ARG_JSON                        },
                 { "export-format",               required_argument, NULL, ARG_EXPORT_FORMAT               },
                 { "pkcs11-token-uri",            required_argument, NULL, ARG_PKCS11_TOKEN_URI            },
+                { "fido2-credential-algorithm",  required_argument, NULL, ARG_FIDO2_CRED_ALG              },
                 { "fido2-device",                required_argument, NULL, ARG_FIDO2_DEVICE                },
                 { "fido2-with-client-pin",       required_argument, NULL, ARG_FIDO2_WITH_PIN              },
                 { "fido2-with-user-presence",    required_argument, NULL, ARG_FIDO2_WITH_UP               },
@@ -3485,6 +3492,12 @@ static int parse_argv(int argc, char *argv[]) {
                         strv_uniq(arg_pkcs11_token_uri);
                         break;
 
+                case ARG_FIDO2_CRED_ALG:
+                        r = parse_fido2_algorithm(optarg, &arg_fido2_cred_alg);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse COSE algorithm: %s", optarg);
+                        break;
+
                 case ARG_FIDO2_DEVICE:
                         if (streq(optarg, "list"))
                                 return fido2_list_devices();
author	MkfsSion <mkfssion@mkfssion.com>	2022-04-17 15:42:49 +0800
committer	Lennart Poettering <lennart@poettering.net>	2022-04-22 20:22:40 +0200
commit	70e723c000e46e2304e54f8063572d7fa0cdad46 (patch)
tree	462cd67a414dc0bce495d01f405ddbe60c0731fa /src/home
parent	6dc18ca5ddd996ffbf83b42cb45f23496fe38c9d (diff)
download	systemd-70e723c000e46e2304e54f8063572d7fa0cdad46.tar.gz