Re: webauthn signatures: SecurityKeyProvider, json parsing

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, 12 Jan 2022, Scott C Wang wrote:

> Awesome! Thank you, Damien.
> 
> > AFAIK clientData is
> > prepared from origin, extensions and H(message), so there's not need
> > to pass that explicitly.
>
> The trouble with not passing clientData is that the spec reserves
> the right to append new keys to it in the future. To validate
> the signature, the OpenSSH server has to be apprised of the
> entire clientData blob returned from the webauthn API. Ergo, the
> OpenSSH client does need to be passed the entire clientData blob
> explicitly, as opposed to reconstructing it, lest there be extra keys.
> (Chromium already randomly appends an extra "reminder" key to break
> implementations that attempt such a construction. [0])

Sure, but OpenSSH is the thing requesting the signature to begin with
and isn't going to requesting extra stuff. So AFAIK there's no need
to pass clientData from OpenSSH to the signer.

> > As far as communicating with the webauthn signer via the ssh-sk API,
> > nothing in OpenSSH uses the extensions field and the existing
> > application field could be used to pass origin.
>
> Are you referring to passing in, or passing back? Does "extensions"
> refer to the authenticatorData attestedCredentialData and extensions
> [0]? If so, then the SecurityKeyProvider will need to pass those
> back to OpenSSH so that the server can include them in the hash
> computation, even if it doesn't parse them.

AFAIK extensions are the extra things that go in clientData, no?

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux