[openssh-commits] [openssh] 02/03: upstream: changes to support FIDO attestation

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Jan 29 18:53:02 AEDT 2020


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 24c0f752adf9021277a7b0a84931bb5fe48ea379
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Jan 28 08:01:34 2020 +0000

    upstream: changes to support FIDO attestation
    
    Allow writing to disk the attestation certificate that is generated by
    the FIDO token at key enrollment time. These certificates may be used
    by an out-of-band workflow to prove that a particular key is held in
    trustworthy hardware.
    
    Allow passing in a challenge that will be sent to the card during
    key enrollment. These are needed to build an attestation workflow
    that resists replay attacks.
    
    ok markus@
    
    OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
---
 PROTOCOL.u2f | 19 +++++++++++--------
 sk-usbhid.c  |  1 +
 ssh-keygen.1 | 16 ++++++++++++++--
 ssh-keygen.c | 36 +++++++++++++++++++++++++++++++++---
 ssh-sk.c     | 10 +++++-----
 5 files changed, 64 insertions(+), 18 deletions(-)

diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f
index 58f75ba2..748111d5 100644
--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -141,17 +141,20 @@ least manufacturer and batch number granularity. For this reason, we
 choose not to include this information in the public key or save it by
 default.
 
-Attestation information is very useful however in an organisational
-context, where it may be used by a CA as part of certificate
-issuance. In this case, exposure to the CA of hardware identity is
-desirable. To support this case, OpenSSH optionally allows retaining the
-attestation information at the time of key generation. It will take the
-following format:
+Attestation information is useful for out-of-band key and certificate
+registration worksflows, e.g. proving to a CA that a key is backed
+by trusted hardware before it will issue a certificate. To support this
+case, OpenSSH optionally allows retaining the attestation information
+at the time of key generation. It will take the following format:
 
-	string		"sk-attest-v00"
-	uint32		version		(1 for U2F, 2 for FIDO2 in future)
+	string		"ssh-sk-attest-v00"
 	string		attestation certificate
 	string		enrollment signature
+	uint32		reserved flags
+	string		reserved string
+
+OpenSSH treats the attestation certificate and enrollment signatures as
+opaque objects and does no interpretation of them itself.
 
 SSH U2F signatures
 ------------------
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 2148e1d7..ad83054a 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -570,6 +570,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 	}
 	if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) {
 		len = fido_cred_x5c_len(cred);
+		debug3("%s: attestation cert len=%zu", __func__, len);
 		if ((response->attestation_cert = calloc(1, len)) == NULL) {
 			skdebug(__func__, "calloc attestation cert failed");
 			goto out;
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index b4a87392..c6a97618 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.196 2020/01/23 23:31:52 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.197 2020/01/28 08:01:34 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo at cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 23 2020 $
+.Dd $Mdocdate: January 28 2020 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -483,6 +483,14 @@ Note that
 .Xr sshd 8
 will refuse such signatures by default, unless overridden via
 an authorized_keys option.
+.It Cm challenge=path
+Specifies a path to a challenge string that will be passed to the
+FIDO token during key generation.
+The challenge string is optional, but may be used as part of an out-of-band
+protocol for key enrollment.
+If no
+.Cm challenge
+is specified, a random challenge is used.
 .It Cm resident
 Indicate that the key should be stored on the FIDO authenticator itself.
 Resident keys may be supported on FIDO2 tokens and typically require that
@@ -494,6 +502,10 @@ A username to be associated with a resident key,
 overriding the empty default username.
 Specifying a username may be useful when generating multiple resident keys
 for the same application name.
+.It Cm write-attestation=path
+May be used at key generation time to record the attestation certificate
+returned from FIDO tokens during key generation.
+By default this information is discarded.
 .El
 .Pp
 The
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 8df55f2c..4ee43ab9 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.394 2020/01/25 23:13:09 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.395 2020/01/28 08:01:34 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -3114,6 +3114,8 @@ main(int argc, char **argv)
 	unsigned long long cert_serial = 0;
 	char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
 	char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL;
+	char *sk_attestaion_path = NULL;
+	struct sshbuf *challenge = NULL, *attest = NULL;
 	size_t i, nopts = 0;
 	u_int32_t bits = 0;
 	uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
@@ -3557,6 +3559,16 @@ main(int argc, char **argv)
 				sk_device = xstrdup(opts[i] + 7);
 			} else if (strncasecmp(opts[i], "user=", 5) == 0) {
 				sk_user = xstrdup(opts[i] + 5);
+			} else if (strncasecmp(opts[i], "challenge=", 10) == 0) {
+				if ((r = sshbuf_load_file(opts[i] + 10,
+				    &challenge)) != 0) {
+					fatal("Unable to load FIDO enrollment "
+					    "challenge \"%s\": %s",
+					    opts[i] + 10, ssh_err(r));
+				}
+			} else if (strncasecmp(opts[i],
+			    "write-attestation=", 18) == 0) {
+				sk_attestaion_path = opts[i] + 18;
 			} else if (strncasecmp(opts[i],
 			    "application=", 12) == 0) {
 				sk_application = xstrdup(opts[i] + 12);
@@ -3570,12 +3582,14 @@ main(int argc, char **argv)
 			    "to authorize key generation.\n");
 		}
 		passphrase = NULL;
+		if ((attest = sshbuf_new()) == NULL)
+			fatal("sshbuf_new failed");
 		for (i = 0 ; i < 3; i++) {
 			fflush(stdout);
 			r = sshsk_enroll(type, sk_provider, sk_device,
 			    sk_application == NULL ? "ssh:" : sk_application,
-			    sk_user, sk_flags, passphrase, NULL,
-			    &private, NULL);
+			    sk_user, sk_flags, passphrase, challenge,
+			    &private, attest);
 			if (r == 0)
 				break;
 			if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
@@ -3668,6 +3682,22 @@ main(int argc, char **argv)
 		free(fp);
 	}
 
+	if (sk_attestaion_path != NULL) {
+		if (attest == NULL || sshbuf_len(attest) == 0) {
+			fatal("Enrollment did not return attestation "
+			    "certificate");
+		}
+		if ((r = sshbuf_write_file(sk_attestaion_path, attest)) != 0) {
+			fatal("Unable to write attestation certificate "
+			    "\"%s\": %s", sk_attestaion_path, ssh_err(r));
+		}
+		if (!quiet) {
+			printf("Your FIDO attestation certificate has been "
+			    "saved in %s\n", sk_attestaion_path);
+		}
+	}
+	sshbuf_free(attest);
 	sshkey_free(public);
+
 	exit(0);
 }
diff --git a/ssh-sk.c b/ssh-sk.c
index a8d4de83..3e88aaff 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.25 2020/01/25 23:13:09 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.26 2020/01/28 08:01:34 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -504,14 +504,14 @@ sshsk_enroll(int type, const char *provider_path, const char *device,
 
 	/* Optionally fill in the attestation information */
 	if (attest != NULL) {
-		if ((r = sshbuf_put_cstring(attest, "sk-attest-v00")) != 0 ||
-		    (r = sshbuf_put_u32(attest, 1)) != 0 || /* XXX U2F ver */
+		if ((r = sshbuf_put_cstring(attest,
+		    "ssh-sk-attest-v00")) != 0 ||
 		    (r = sshbuf_put_string(attest,
 		    resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
 		    (r = sshbuf_put_string(attest,
 		    resp->signature, resp->signature_len)) != 0 ||
-		    (r = sshbuf_put_u32(attest, flags)) != 0 || /* XXX right? */
-		    (r = sshbuf_put_string(attest, NULL, 0)) != 0) {
+		    (r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
+		    (r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
 			error("%s: buffer error: %s", __func__, ssh_err(r));
 			goto out;
 		}

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list