implementation of sk-ssh-ed25519@openssh.com #87
This provides an initial version of security key support in tinyssh.
The main change is a new file, sshcrypto_key_sk_ed25519.c, which adds the relevant functions for parsing and putting public keys and signatures, as well as the sk_ed25519_open function, which performs the signature check using the existing crypto_sign_ed25519_open for the cryptographic operation.
I had to update a few places where the code did not distinguish between server-side and client-side crypto algorithms, as the server cannot create a keypair or perform a signing operation, as it doesn't have a FIDO key available.
Limitations:
There are tests for the new file sshcrypto_key_sk_ed25519.c. In addition, I performed manual end-to-end tests to confirm that authentication with ed25519 and sk-ssh-ed25519@openssh.com is successful:
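As an added illustration (not code from this pull request or from tinyssh), the Python sketch below parses the sk-ssh-ed25519@openssh.com public key and signature blobs and rebuilds the byte string that must be handed to Ed25519 verification. The wire layout is assumed from OpenSSH's PROTOCOL.u2f document; all function names are hypothetical and the sample blobs are constructed dummy values.

```python
import hashlib
import struct

KEY_TYPE = b"sk-ssh-ed25519@openssh.com"
FLAG_USER_PRESENT = 0x01  # FIDO "user presence" bit in the flags byte

def read_string(buf, off):
    """Read one SSH string (uint32 length + bytes); reject truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("truncated string")
    return buf[off:off + n], off + n

def parse_public_key(blob):
    """Layout: string keytype, string pk (32 bytes), string application."""
    ktype, off = read_string(blob, 0)
    pk, off = read_string(blob, off)
    app, off = read_string(blob, off)
    if ktype != KEY_TYPE or len(pk) != 32 or off != len(blob):
        raise ValueError("bad public key blob")
    return pk, app

def parse_signature(blob):
    """Layout: string keytype, string sig (64 bytes), byte flags, uint32 counter."""
    ktype, off = read_string(blob, 0)
    sig, off = read_string(blob, off)
    if ktype != KEY_TYPE or len(sig) != 64 or len(blob) - off != 5:
        raise ValueError("bad signature blob")
    flags, counter = struct.unpack_from(">BI", blob, off)
    return sig, flags, counter

def signed_data(app, flags, counter, message):
    """Bytes the authenticator signed; these, not `message`, go to Ed25519 verify."""
    return (hashlib.sha256(app).digest() + struct.pack(">BI", flags, counter)
            + hashlib.sha256(message).digest())

def user_present(flags):
    """True if the authenticator asserted a touch for this signature."""
    return bool(flags & FLAG_USER_PRESENT)

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample blobs (dummy bytes, not real key material or signatures).
PUB = ssh_string(KEY_TYPE) + ssh_string(b"\x11" * 32) + ssh_string(b"ssh:")
SIG = ssh_string(KEY_TYPE) + ssh_string(b"\x22" * 64) + struct.pack(">BI", 0x01, 7)
```

A verifier would pass the parsed 64-byte signature, the output of `signed_data`, and the 32-byte public key to its Ed25519 routine, and would check the flags separately, since a cleared user-presence bit still yields a cryptographically valid signature.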