From ef65e7dbaa8fac3245aa2bfc9f7e09be7cba0d9d Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 30 Dec 2019 09:25:29 +0000 Subject: [PATCH] upstream: document SK API changes in PROTOCOL.u2f ok markus@ OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186 --- PROTOCOL.u2f | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 93601159c..5f44c3acc 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f @@ -233,6 +233,9 @@ support for the common case of USB HID security keys internally. The middleware library need only expose a handful of functions: + #define SSH_SK_VERSION_MAJOR 0x00030000 /* API version */ + #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000 + /* Flags */ #define SSH_SK_USER_PRESENCE_REQD 0x01 #define SSH_SK_USER_VERIFICATION_REQD 0x04 @@ -262,19 +265,34 @@ The middleware library need only expose a handful of functions: size_t sig_s_len; }; + struct sk_resident_key { + uint8_t alg; + size_t slot; + char *application; + struct sk_enroll_response key; + }; + /* Return the version of the middleware API */ uint32_t sk_api_version(void); /* Enroll a U2F key (private key generation) */ int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, - const char *application, uint8_t flags, + const char *application, uint8_t flags, const char *pin, struct sk_enroll_response **enroll_response); /* Sign a challenge */ int sk_sign(int alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, - uint8_t flags, struct sk_sign_response **sign_response); + uint8_t flags, const char *pin, + struct sk_sign_response **sign_response); + + /* Enumerate all resident keys */ + int sk_load_resident_keys(const char *pin, + struct sk_resident_key ***rks, size_t *nrks); + +The SSH_SK_VERSION_MAJOR should be incremented for each incompatible +API change. In OpenSSH, these will be invoked by using a similar mechanism to ssh-pkcs11-helper to provide address-space containment of the