[openssh-commits] [openssh] branch master updated: upstream: Implement missing pieces of FIDO/webauthn signature support,
git+noreply at mindrot.org
git+noreply at mindrot.org
Fri Feb 6 09:06:51 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new 6463960c5 upstream: Implement missing pieces of FIDO/webauthn signature support,
6463960c5 is described below
commit 6463960c58cd0adcb26bfbddceb9d4efcfbd9dd0
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Thu Feb 5 22:05:49 2026 +0000
upstream: Implement missing pieces of FIDO/webauthn signature support,
mostly related to certificate handling and enable acceptance of this
signature format by default. bz3748 GHPR624 GHPR625
Feedback tb / James Zhang; ok tb
OpenBSD-Commit-ID: ce3327b508086b24a3f7a6507aa5c49d8e9505e6
---
myproposal.h | 5 ++++-
ssh-ecdsa-sk.c | 18 ++++++++++++++++--
ssh_config.5 | 10 ++++++++--
sshconnect2.c | 5 +++--
sshd_config.5 | 10 ++++++++--
sshkey.c | 15 ++++++++++++++-
6 files changed, 53 insertions(+), 10 deletions(-)
diff --git a/myproposal.h b/myproposal.h
index 8fe9276c2..d992d8b12 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.77 2024/12/02 14:06:42 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.78 2026/02/05 22:05:49 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -47,6 +47,7 @@
"ecdsa-sha2-nistp521-cert-v01 at openssh.com," \
"sk-ssh-ed25519-cert-v01 at openssh.com," \
"sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
+ "webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
"rsa-sha2-512-cert-v01 at openssh.com," \
"rsa-sha2-256-cert-v01 at openssh.com," \
"ssh-ed25519," \
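Review bot: The macro these entries extend is not visible in the hunk, so a reader cannot tell from here which default (host key, pubkey-accepted or CA signature list) now advertises the webauthn names, and nothing in the list says what kind of entry they are. The new `sshkey_ecdsa_sk_webauthn_cert_impl` in this same commit is marked `.sigonly = 1`, which suggests these names denote a signature format over an existing sk-ecdsa key rather than a new key type; that is worth stating next to the first insertion, e.g. `/* webauthn-* names are signature-format aliases for sk-ecdsa keys, not distinct key types */`. The enclosing macro definition starts and ends outside this hunk.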
@@ -55,6 +56,7 @@
"ecdsa-sha2-nistp521," \
"sk-ssh-ed25519 at openssh.com," \
"sk-ecdsa-sha2-nistp256 at openssh.com," \
+ "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com," \
"rsa-sha2-512," \
"rsa-sha2-256"
@@ -87,6 +89,7 @@
"ecdsa-sha2-nistp521," \
"sk-ssh-ed25519 at openssh.com," \
"sk-ecdsa-sha2-nistp256 at openssh.com," \
+ "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com," \
"rsa-sha2-512," \
"rsa-sha2-256"
diff --git a/ssh-ecdsa-sk.c b/ssh-ecdsa-sk.c
index 3588b11a4..9be9e6b48 100644
--- a/ssh-ecdsa-sk.c
+++ b/ssh-ecdsa-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ecdsa-sk.c,v 1.19 2024/08/15 00:51:51 djm Exp $ */
+/* $OpenBSD: ssh-ecdsa-sk.c,v 1.20 2026/02/05 22:05:49 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -273,7 +273,9 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
- if (strcmp(ktype, "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com") == 0)
+ if (strcmp(ktype, "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com") == 0 ||
+ strcmp(ktype, "webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com")
+ == 0)
is_webauthn = 1;
else if (strcmp(ktype, "sk-ecdsa-sha2-nistp256 at openssh.com") != 0) {
ret = SSH_ERR_INVALID_FORMAT;
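Review bot: The widened ktype check accepts the `-cert-v01` signature name regardless of whether `key` is itself a certificate, and the plain webauthn name for a certificate key, because nothing in the hunk ties the name found in the signature blob to `key->type`. If either name is meant to be valid for either key type, a comment saying so would stop a later reader from "fixing" it; if not, gate the cert name on `sshkey_is_cert(key)` so the blob's algorithm name has to agree with the key. Both accepted names set `is_webauthn`, so the verification path is the same either way and the difference is only which names are tolerated. `ssh_ecdsa_sk_verify` starts and ends outside this hunk.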
@@ -489,4 +491,16 @@ const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl = {
/* .funcs = */ &sshkey_ecdsa_sk_funcs,
};
+const struct sshkey_impl sshkey_ecdsa_sk_webauthn_cert_impl = {
+ /* .name = */ "webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com",
+ /* .shortname = */ "ECDSA-SK-CERT",
+ /* .sigalg = */ NULL,
+ /* .type = */ KEY_ECDSA_SK_CERT,
+ /* .nid = */ NID_X9_62_prime256v1,
+ /* .cert = */ 1,
+ /* .sigonly = */ 1,
+ /* .keybits = */ 256,
+ /* .funcs = */ &sshkey_ecdsa_sk_funcs,
+};
+
#endif /* OPENSSL_HAS_ECC */
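Review bot: `sshkey_ecdsa_sk_webauthn_cert_impl` carries no comment explaining why a second impl with `.type = KEY_ECDSA_SK_CERT` and `.sigonly = 1` exists next to the native sk-ecdsa cert impl, so someone scanning `keyimpls[]` will see two entries for one key type and wonder which wins. Suggest a header comment such as `/* Signature-only alias: lets the webauthn-format signature name be recognised for sk-ecdsa certificates; keys themselves are never stored under this name. */` — the "never stored" part is inferred from `.sigonly = 1` and should be confirmed against how sshkey.c treats that flag. `.shortname` reuses `"ECDSA-SK-CERT"`, which presumably matches the native cert impl and so will not distinguish the two wherever the short name is printed; fine if that is intentional, but worth a word.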
diff --git a/ssh_config.5 b/ssh_config.5
index f7066cbaa..6e9bde1ac 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.420 2025/10/04 21:41:35 naddy Exp $
-.Dd $Mdocdate: October 4 2025 $
+.\" $OpenBSD: ssh_config.5,v 1.421 2026/02/05 22:05:49 djm Exp $
+.Dd $Mdocdate: February 5 2026 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -1020,12 +1020,14 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
sk-ssh-ed25519-cert-v01 at openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
rsa-sha2-512-cert-v01 at openssh.com,
rsa-sha2-256-cert-v01 at openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519 at openssh.com,
sk-ecdsa-sha2-nistp256 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256 at openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
@@ -1066,11 +1068,13 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
sk-ssh-ed25519-cert-v01 at openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
rsa-sha2-512-cert-v01 at openssh.com,
rsa-sha2-256-cert-v01 at openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp256 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256 at openssh.com
sk-ssh-ed25519 at openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
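Review bot: The added line `webauthn-sk-ecdsa-sha2-nistp256 at openssh.com` in this list is missing the trailing comma that every other entry has, so the rendered default will show it run together with `sk-ssh-ed25519 at openssh.com,` and anyone pasting the list into a config will get a malformed algorithm specification. Change it to `webauthn-sk-ecdsa-sha2-nistp256 at openssh.com,`. The other lists touched by this commit, including those in sshd_config.5, carry the comma.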
@@ -1689,12 +1693,14 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
sk-ssh-ed25519-cert-v01 at openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
rsa-sha2-512-cert-v01 at openssh.com,
rsa-sha2-256-cert-v01 at openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519 at openssh.com,
sk-ecdsa-sha2-nistp256 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256 at openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
diff --git a/sshconnect2.c b/sshconnect2.c
index 53e1f197d..5e99d293f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.379 2026/01/21 23:58:20 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.380 2026/02/05 22:05:49 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1273,7 +1273,8 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
* PKCS#11 tokens may not support all signature algorithms,
* so check what we get back.
*/
- if ((r = sshkey_check_sigtype(*sigp, *lenp, alg)) != 0) {
+ if ((id->key->flags & SSHKEY_FLAG_EXT) != 0 &&
+ (r = sshkey_check_sigtype(*sigp, *lenp, alg)) != 0) {
debug_fr(r, "sshkey_check_sigtype");
goto out;
}
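Review bot: The comment above the check still names PKCS#11 tokens as the reason for `sshkey_check_sigtype`, but the new condition changes which keys are checked at all: only those with `SSHKEY_FLAG_EXT`, so every other signing path now forwards whatever signature type came back without a local sanity check. The reason for the exclusion — presumably that a signature for an sk-ecdsa key may legitimately return in webauthn format, whose name differs from `alg` — is not stated; suggest extending the comment to `/* Only check SSHKEY_FLAG_EXT (PKCS#11) keys: other signers may legitimately return a different type, e.g. webauthn-format signatures for sk-ecdsa keys. */`. A mismatch on the unchecked paths is presumably still rejected by the server, so this is about diagnostics rather than a security regression. `identity_sign` starts and ends outside this hunk.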
diff --git a/sshd_config.5 b/sshd_config.5
index 80cb2cecb..e0e23a77f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.393 2026/01/22 15:30:07 millert Exp $
-.Dd $Mdocdate: January 22 2026 $
+.\" $OpenBSD: sshd_config.5,v 1.394 2026/02/05 22:05:49 djm Exp $
+.Dd $Mdocdate: February 5 2026 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -788,12 +788,14 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
sk-ssh-ed25519-cert-v01 at openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
rsa-sha2-512-cert-v01 at openssh.com,
rsa-sha2-256-cert-v01 at openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519 at openssh.com,
sk-ecdsa-sha2-nistp256 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256 at openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
@@ -872,12 +874,14 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
sk-ssh-ed25519-cert-v01 at openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
rsa-sha2-512-cert-v01 at openssh.com,
rsa-sha2-256-cert-v01 at openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519 at openssh.com,
sk-ecdsa-sha2-nistp256 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256 at openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
@@ -1738,12 +1742,14 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
sk-ssh-ed25519-cert-v01 at openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
rsa-sha2-512-cert-v01 at openssh.com,
rsa-sha2-256-cert-v01 at openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519 at openssh.com,
sk-ecdsa-sha2-nistp256 at openssh.com,
+webauthn-sk-ecdsa-sha2-nistp256 at openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
diff --git a/sshkey.c b/sshkey.c
index 517065332..96c4c6c07 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.159 2025/12/22 01:49:03 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.160 2026/02/05 22:05:49 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -96,6 +96,7 @@ extern const struct sshkey_impl sshkey_ed25519_sk_cert_impl;
extern const struct sshkey_impl sshkey_ecdsa_sk_impl;
extern const struct sshkey_impl sshkey_ecdsa_sk_cert_impl;
extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl;
+extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_cert_impl;
# endif /* ENABLE_SK */
extern const struct sshkey_impl sshkey_ecdsa_nistp256_impl;
extern const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl;
@@ -135,6 +136,7 @@ const struct sshkey_impl * const keyimpls[] = {
&sshkey_ecdsa_sk_impl,
&sshkey_ecdsa_sk_cert_impl,
&sshkey_ecdsa_sk_webauthn_impl,
+ &sshkey_ecdsa_sk_webauthn_cert_impl,
# endif /* ENABLE_SK */
# endif /* OPENSSL_HAS_ECC */
&sshkey_rsa_impl,
@@ -300,6 +302,17 @@ sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs)
sigalgs, 0) == 1 ||
match_pattern_list("rsa-sha2-512-cert-v01 at openssh.com",
sigalgs, 0) == 1;
+ } else if (ktype == KEY_ECDSA_SK) {
+ return match_pattern_list("sk-ecdsa-sha2-nistp256 at openssh.com",
+ sigalgs, 0) == 1 || match_pattern_list(
+ "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com",
+ sigalgs, 0) == 1;
+ } else if (ktype == KEY_ECDSA_SK_CERT) {
+ return match_pattern_list(
+ "sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com",
+ sigalgs, 0) == 1 || match_pattern_list(
+ "webauthn-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com",
+ sigalgs, 0) == 1;
} else
return match_pattern_list(keyname, sigalgs, 0) == 1;
}
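Review bot: The two new branches treat a `KEY_ECDSA_SK` or `KEY_ECDSA_SK_CERT` key as usable when either the native or the webauthn name appears in `sigalgs`, and nothing says why a plain sk-ecdsa key should pass when only the webauthn name is permitted; a comment would help, e.g. `/* sk-ecdsa keys may sign in either the native or the webauthn format, so either name in sigalgs makes the key usable. */`. The RSA branch immediately above follows the same shape, so a small `static` helper taking a list of names would replace the four near-identical `match_pattern_list` calls, though that is style only. `sshkey_match_keyname_to_sigalgs` starts outside this hunk, where `ktype` is derived.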
--