upstream: changes to support FIDO attestation

Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.

Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.

ok markus@

OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
This commit is contained in:
djm@openbsd.org 2020-01-28 08:01:34 +00:00 committed by Damien Miller
parent 156bef36f9
commit 24c0f752ad
5 changed files with 64 additions and 18 deletions

View File

@ -141,17 +141,20 @@ least manufacturer and batch number granularity. For this reason, we
choose not to include this information in the public key or save it by choose not to include this information in the public key or save it by
default. default.
Attestation information is very useful however in an organisational Attestation information is useful for out-of-band key and certificate
context, where it may be used by a CA as part of certificate registration worksflows, e.g. proving to a CA that a key is backed
issuance. In this case, exposure to the CA of hardware identity is by trusted hardware before it will issue a certificate. To support this
desirable. To support this case, OpenSSH optionally allows retaining the case, OpenSSH optionally allows retaining the attestation information
attestation information at the time of key generation. It will take the at the time of key generation. It will take the following format:
following format:
string "sk-attest-v00" string "ssh-sk-attest-v00"
uint32 version (1 for U2F, 2 for FIDO2 in future)
string attestation certificate string attestation certificate
string enrollment signature string enrollment signature
uint32 reserved flags
string reserved string
OpenSSH treats the attestation certificate and enrollment signatures as
opaque objects and does no interpretation of them itself.
SSH U2F signatures SSH U2F signatures
------------------ ------------------

View File

@ -570,6 +570,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
} }
if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) { if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) {
len = fido_cred_x5c_len(cred); len = fido_cred_x5c_len(cred);
debug3("%s: attestation cert len=%zu", __func__, len);
if ((response->attestation_cert = calloc(1, len)) == NULL) { if ((response->attestation_cert = calloc(1, len)) == NULL) {
skdebug(__func__, "calloc attestation cert failed"); skdebug(__func__, "calloc attestation cert failed");
goto out; goto out;

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.196 2020/01/23 23:31:52 djm Exp $ .\" $OpenBSD: ssh-keygen.1,v 1.197 2020/01/28 08:01:34 djm Exp $
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: January 23 2020 $ .Dd $Mdocdate: January 28 2020 $
.Dt SSH-KEYGEN 1 .Dt SSH-KEYGEN 1
.Os .Os
.Sh NAME .Sh NAME
@ -483,6 +483,14 @@ Note that
.Xr sshd 8 .Xr sshd 8
will refuse such signatures by default, unless overridden via will refuse such signatures by default, unless overridden via
an authorized_keys option. an authorized_keys option.
.It Cm challenge=path
Specifies a path to a challenge string that will be passed to the
FIDO token during key generation.
The challenge string is optional, but may be used as part of an out-of-band
protocol for key enrollment.
If no
.Cm challenge
is specified, a random challenge is used.
.It Cm resident .It Cm resident
Indicate that the key should be stored on the FIDO authenticator itself. Indicate that the key should be stored on the FIDO authenticator itself.
Resident keys may be supported on FIDO2 tokens and typically require that Resident keys may be supported on FIDO2 tokens and typically require that
@ -494,6 +502,10 @@ A username to be associated with a resident key,
overriding the empty default username. overriding the empty default username.
Specifying a username may be useful when generating multiple resident keys Specifying a username may be useful when generating multiple resident keys
for the same application name. for the same application name.
.It Cm write-attestation=path
May be used at key generation time to record the attestation certificate
returned from FIDO tokens during key generation.
By default this information is discarded.
.El .El
.Pp .Pp
The The

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.394 2020/01/25 23:13:09 djm Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.395 2020/01/28 08:01:34 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -3114,6 +3114,8 @@ main(int argc, char **argv)
unsigned long long cert_serial = 0; unsigned long long cert_serial = 0;
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL; char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL;
char *sk_attestaion_path = NULL;
struct sshbuf *challenge = NULL, *attest = NULL;
size_t i, nopts = 0; size_t i, nopts = 0;
u_int32_t bits = 0; u_int32_t bits = 0;
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
@ -3557,6 +3559,16 @@ main(int argc, char **argv)
sk_device = xstrdup(opts[i] + 7); sk_device = xstrdup(opts[i] + 7);
} else if (strncasecmp(opts[i], "user=", 5) == 0) { } else if (strncasecmp(opts[i], "user=", 5) == 0) {
sk_user = xstrdup(opts[i] + 5); sk_user = xstrdup(opts[i] + 5);
} else if (strncasecmp(opts[i], "challenge=", 10) == 0) {
if ((r = sshbuf_load_file(opts[i] + 10,
&challenge)) != 0) {
fatal("Unable to load FIDO enrollment "
"challenge \"%s\": %s",
opts[i] + 10, ssh_err(r));
}
} else if (strncasecmp(opts[i],
"write-attestation=", 18) == 0) {
sk_attestaion_path = opts[i] + 18;
} else if (strncasecmp(opts[i], } else if (strncasecmp(opts[i],
"application=", 12) == 0) { "application=", 12) == 0) {
sk_application = xstrdup(opts[i] + 12); sk_application = xstrdup(opts[i] + 12);
@ -3570,12 +3582,14 @@ main(int argc, char **argv)
"to authorize key generation.\n"); "to authorize key generation.\n");
} }
passphrase = NULL; passphrase = NULL;
if ((attest = sshbuf_new()) == NULL)
fatal("sshbuf_new failed");
for (i = 0 ; i < 3; i++) { for (i = 0 ; i < 3; i++) {
fflush(stdout); fflush(stdout);
r = sshsk_enroll(type, sk_provider, sk_device, r = sshsk_enroll(type, sk_provider, sk_device,
sk_application == NULL ? "ssh:" : sk_application, sk_application == NULL ? "ssh:" : sk_application,
sk_user, sk_flags, passphrase, NULL, sk_user, sk_flags, passphrase, challenge,
&private, NULL); &private, attest);
if (r == 0) if (r == 0)
break; break;
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
@ -3668,6 +3682,22 @@ main(int argc, char **argv)
free(fp); free(fp);
} }
if (sk_attestaion_path != NULL) {
if (attest == NULL || sshbuf_len(attest) == 0) {
fatal("Enrollment did not return attestation "
"certificate");
}
if ((r = sshbuf_write_file(sk_attestaion_path, attest)) != 0) {
fatal("Unable to write attestation certificate "
"\"%s\": %s", sk_attestaion_path, ssh_err(r));
}
if (!quiet) {
printf("Your FIDO attestation certificate has been "
"saved in %s\n", sk_attestaion_path);
}
}
sshbuf_free(attest);
sshkey_free(public); sshkey_free(public);
exit(0); exit(0);
} }

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-sk.c,v 1.25 2020/01/25 23:13:09 djm Exp $ */ /* $OpenBSD: ssh-sk.c,v 1.26 2020/01/28 08:01:34 djm Exp $ */
/* /*
* Copyright (c) 2019 Google LLC * Copyright (c) 2019 Google LLC
* *
@ -504,14 +504,14 @@ sshsk_enroll(int type, const char *provider_path, const char *device,
/* Optionally fill in the attestation information */ /* Optionally fill in the attestation information */
if (attest != NULL) { if (attest != NULL) {
if ((r = sshbuf_put_cstring(attest, "sk-attest-v00")) != 0 || if ((r = sshbuf_put_cstring(attest,
(r = sshbuf_put_u32(attest, 1)) != 0 || /* XXX U2F ver */ "ssh-sk-attest-v00")) != 0 ||
(r = sshbuf_put_string(attest, (r = sshbuf_put_string(attest,
resp->attestation_cert, resp->attestation_cert_len)) != 0 || resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
(r = sshbuf_put_string(attest, (r = sshbuf_put_string(attest,
resp->signature, resp->signature_len)) != 0 || resp->signature, resp->signature_len)) != 0 ||
(r = sshbuf_put_u32(attest, flags)) != 0 || /* XXX right? */ (r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
(r = sshbuf_put_string(attest, NULL, 0)) != 0) { (r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
error("%s: buffer error: %s", __func__, ssh_err(r)); error("%s: buffer error: %s", __func__, ssh_err(r));
goto out; goto out;
} }