On Tue, 8 Sep 2020, Ian Haken wrote:

> Thanks folks! This looks like it's exactly what I was looking for. As I'm
> pulling the thread on this, one word of warning on the
> fido_cred_authdata_ptr method. The following is mentioned in the libfido2 docs
> [1]: "The authenticator data returned by fido_cred_authdata_ptr() is a
> CBOR-encoded byte string, as obtained from the authenticator." This is a
> bit unfortunate since it's the CBOR-decoded data over which the attestation
> signature is computed (concatenated with the challenge hash). And of course
> you would also want to CBOR-decode the byte string before parsing the auth
> data structure. I just opened a question [2] on the libfido2 GH page to ask
> if there shouldn't be an API to return the CBOR-decoded data instead since
> really that's what you would want for any uses of the function.
>
> Basically, I think the openssh docs might also want to clarify that the
> "ssh-sk-attest-v01" structure similarly has "authenticator data" as a
> CBOR-encoded byte array (since customers would need to decode it to verify
> attestation), or else you may want to just CBOR-decode the output of
> fido_cred_authdata_ptr in sk-usbhid.c, at least until libfido2 (hopefully)
> follows up on my question and provides a convenience method for getting
> that decoded value directly.

Thanks, I have committed these changes and they'll be in OpenSSH 8.4.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
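The decoding step the thread discusses, as an added example that is not part of the mailing list exchange and not code from libfido2 or OpenSSH: the authenticator data comes back wrapped in a CBOR byte string (major type 2), so a verifier must strip that wrapper before parsing the WebAuthn authData layout (rpIdHash, flags, signCount, optional attested credential data) and before rebuilding the bytes the attestation signature covers (raw authData concatenated with the client data hash, the "challenge hash" in the mail). Everything in the sample is constructed: the RP ID "ssh:", the AAGUID, credential id, COSE key bytes and the challenge are placeholder values, and the helper names are this example's own.

```python
"""Unwrap the CBOR byte string around FIDO2 authenticator data and parse it.

Added example, not libfido2 or OpenSSH code. All sample values are constructed.
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows the counter
FLAG_ED = 0x80  # extension data follows the credential public key


def cbor_bytestring_wrap(payload: bytes) -> bytes:
    """Encode payload as a CBOR byte string (major type 2), as the authenticator returns it."""
    n = len(payload)
    if n < 24:
        return bytes([0x40 | n]) + payload
    if n < 0x100:
        return bytes([0x58, n]) + payload
    if n < 0x10000:
        return b"\x59" + struct.pack(">H", n) + payload
    return b"\x5a" + struct.pack(">I", n) + payload


def cbor_bytestring_unwrap(buf: bytes) -> bytes:
    """Strip the CBOR byte-string header and return the raw authData it carries."""
    if not buf or (buf[0] >> 5) != 2:
        raise ValueError("expected a CBOR byte string (major type 2)")
    info = buf[0] & 0x1F
    if info < 24:
        length, offset = info, 1
    elif info in (24, 25, 26):
        offset = {24: 2, 25: 3, 26: 5}[info]
        if len(buf) < offset:
            raise ValueError("truncated CBOR length field")
        length = int.from_bytes(buf[1:offset], "big")
    else:
        raise ValueError("unsupported CBOR length encoding")
    if len(buf) != offset + length:
        raise ValueError("CBOR byte string length does not match buffer size")
    return buf[offset:offset + length]


def parse_authdata(raw: bytes) -> dict:
    """Parse raw (already unwrapped) authData: rpIdHash | flags | signCount | [attestedCredentialData]."""
    if len(raw) < 37:
        raise ValueError("authData must be at least 37 bytes")
    flags = raw[32]
    out = {
        "rp_id_hash": raw[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", raw[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }
    pos = 37
    if flags & FLAG_AT:
        if len(raw) < pos + 18:
            raise ValueError("truncated attestedCredentialData")
        out["aaguid"] = raw[pos:pos + 16]
        cred_len = struct.unpack(">H", raw[pos + 16:pos + 18])[0]
        pos += 18
        if len(raw) < pos + cred_len:
            raise ValueError("truncated credentialId")
        out["credential_id"] = raw[pos:pos + cred_len]
        pos += cred_len
        # Remainder is the COSE_Key map (plus extensions when FLAG_ED is set); left undecoded here.
        out["credential_public_key_cbor"] = raw[pos:]
    return out


def attestation_signed_data(raw_authdata: bytes, client_data_hash: bytes) -> bytes:
    """The bytes an attestation signature is computed over: raw authData || clientDataHash."""
    return raw_authdata + client_data_hash


def build_sample_authdata() -> bytes:
    """Constructed authData: rpIdHash of 'ssh:', UP|AT, counter 7, fake AAGUID, 20-byte credId, EC2 COSE key."""
    cose_key = (b"\xa5"                              # map(5)
                b"\x01\x02"                          # 1 (kty): 2 (EC2)
                b"\x03\x26"                          # 3 (alg): -7 (ES256)
                b"\x20\x01"                          # -1 (crv): 1 (P-256)
                b"\x21\x58\x20" + b"\x11" * 32 +     # -2 (x): placeholder coordinate
                b"\x22\x58\x20" + b"\x22" * 32)      # -3 (y): placeholder coordinate
    return (hashlib.sha256(b"ssh:").digest()
            + bytes([FLAG_UP | FLAG_AT])
            + struct.pack(">I", 7)
            + b"\xaa" * 16                           # constructed AAGUID
            + struct.pack(">H", 20) + b"\xcc" * 20   # constructed credential id
            + cose_key)


def demo() -> dict:
    """Contrast signing input built from the unwrapped bytes with one built from the wrapped bytes."""
    raw = build_sample_authdata()
    wrapped = cbor_bytestring_wrap(raw)  # shape of what fido_cred_authdata_ptr() hands back
    client_data_hash = hashlib.sha256(b"constructed challenge").digest()
    unwrapped = cbor_bytestring_unwrap(wrapped)
    return {
        "raw": raw,
        "wrapped": wrapped,
        "parsed": parse_authdata(unwrapped),
        "signed_data": attestation_signed_data(unwrapped, client_data_hash),
        "wrong_signed_data": attestation_signed_data(wrapped, client_data_hash),
    }


if __name__ == "__main__":
    d = demo()
    print("wrapped header:", d["wrapped"][:2].hex(), "raw length:", len(d["raw"]))
    print("parsed:", {k: v for k, v in d["parsed"].items() if not isinstance(v, bytes)})
    print("signature inputs differ:", d["signed_data"] != d["wrong_signed_data"])
```

The two signing inputs differ by exactly the CBOR header bytes, which is why a verifier that feeds the undecoded buffer to its signature check rejects every valid attestation; the same unwrapped bytes are what the rpIdHash and flags checks need to run over.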