Incomplete attestation data for FIDO2 SKs?
Damien Miller
djm at mindrot.org
Wed Sep 9 13:14:21 AEST 2020
On Tue, 8 Sep 2020, Ian Haken wrote:
> Thanks folks! This looks like it's exactly what I was looking for. As I'm
> pulling the thread on this, one word of warning on the
> fido_cred_authdata_ptr method. The following is mentioned libfido2 docs
> [1]: "The authenticator data returned by fido_cred_authdata_ptr() is a
> CBOR-encoded byte string, as obtained from the authenticator." This is a
> bit unfortunate since it's the CBOR-decoded data over which the attestation
> signature is computed (concatenated with the challenge hash). And of course
> you would also want to CBOR-decode the byte string before parsing the auth
> data structure. I just opened a question [2] on the libfido2 GH page to ask
> if there shouldn't be an API to return the CBOR-decoded data instead since
> really that's what you would want for any uses of the function.
>
> Basically, I think the openssh docs might also want to clarify that the
> "ssh-sk-attest-v01" structure similarly has "authenticator data" as a
> CBOR-encoded byte array (since customers would need to decode it to verify
> attestation), or else you may want to just CBOR-decode the output of
> fido_cred_authdata_ptr in sk-usbhid.c, at least until libfido2 (hopefully)
> follows up on my question and provides a convenience method for getting
> that decoded value directly.
Thanks, I have committed these changes and they'll be in OpenSSH 8.4.
-d
More information about the openssh-unix-dev
mailing list