/* $OpenBSD: ssh-sk.h,v 1.11 2021/10/28 02:54:18 djm Exp $ */
/*
 * Copyright (c) 2019 Google LLC
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * ssh-sk.h: client-side interface to FIDO/U2F security-key ("sk") hosted
 * SSH keys. Operations are carried out through a provider middleware
 * library selected by provider_path, and the message constants below are
 * shared with the ssh-sk-helper process that brokers access to it.
 *
 * NOTE(review): this header uses uint8_t, size_t, u_char and u_int without
 * including <stdint.h>/<sys/types.h>; it relies on the includer having
 * pulled those in first (usual for this tree) — confirm at each new include
 * site.
 */

#ifndef _SSH_SK_H
#define _SSH_SK_H 1

/* Opaque project types; only pointers to them are used here. */
struct sshbuf;
struct sshkey;
struct sk_option;

/*
 * Version of the wire protocol expected from ssh-sk-helper.
 * NOTE(review): a helper reporting a different version should presumably
 * be rejected rather than negotiated with — verify in the client code.
 */
#define SSH_SK_HELPER_VERSION 5

/*
 * ssh-sk-helper message types (H = helper, C = client).
 * SSH_SK_HELPER_ERROR may only be sent from the helper to the client; the
 * remaining types name the request the client is making.
 */
#define SSH_SK_HELPER_ERROR 0 /* Only valid H->C */
#define SSH_SK_HELPER_SIGN 1
#define SSH_SK_HELPER_ENROLL 2
#define SSH_SK_HELPER_LOAD_RESIDENT 3

/*
 * One resident (discoverable) key read back from a security key, as
 * returned by sshsk_load_resident(). Arrays of these are released with
 * sshsk_free_resident_keys(); do not free the members individually.
 */
struct sshsk_resident_key {
	struct sshkey *key;	/* the loaded SSH key */
	uint8_t *user_id;	/* raw user id bytes stored with the key */
	size_t user_id_len;	/* length of user_id in bytes */
};

/*
 * Enroll (generate) a new security-key hosted private key of given type
 * via the specified provider middleware.
 *
 * type            key type to generate.
 * provider_path   path to the provider middleware library.
 * device          device selector passed through to the provider.
 * application     application (relying party) string bound into the key.
 * userid          user id to associate with the key.
 * flags           enrollment flags (note: uint8_t here, but u_int in
 *                 sshsk_load_resident()).
 * pin             PIN for the token; a secret — keep it out of logs and
 *                 clear the caller's copy once no longer needed.
 * challenge_buf   challenge to enroll against; if NULL then a random
 *                 256 bit challenge will be used.
 * keyp            receives the new key on success. Presumably owned by the
 *                 caller afterwards — confirm against the implementation.
 * attest          if not NULL, receives attestation information on success.
 *
 * Returns 0 on success or a ssherr.h error code on failure.
 */
int sshsk_enroll(int type, const char *provider_path, const char *device,
    const char *application, const char *userid, uint8_t flags,
    const char *pin, struct sshbuf *challenge_buf,
    struct sshkey **keyp, struct sshbuf *attest);

/*
 * Calculate an ECDSA_SK or ED25519_SK signature using the specified key
 * and provider middleware.
 *
 * provider_path   path to the provider middleware library.
 * key             the security-key hosted key to sign with.
 * sigp, lenp      receive the signature and its length on success; the
 *                 caller presumably releases *sigp — confirm against the
 *                 implementation.
 * data, datalen   the bytes to sign.
 * compat          compatibility flags (semantics defined by the caller's
 *                 ssh compat machinery, not here).
 * pin             PIN for the token, if one is required; same secrecy
 *                 handling as for sshsk_enroll().
 *
 * Returns 0 on success or a ssherr.h error code on failure.
 */
int sshsk_sign(const char *provider_path, struct sshkey *key,
    u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
    u_int compat, const char *pin);

/*
 * Enumerates and loads all SSH-compatible resident keys from a security
 * key.
 *
 * provider_path   path to the provider middleware library.
 * device          device selector passed through to the provider.
 * pin             PIN for the token (secret; see sshsk_enroll()).
 * flags           load flags.
 * srksp, nsrksp   receive an array of *nsrksp sshsk_resident_key pointers
 *                 on success; release it with sshsk_free_resident_keys().
 *
 * Returns 0 on success or a ssherr.h error code on failure.
 */
int sshsk_load_resident(const char *provider_path, const char *device,
    const char *pin, u_int flags, struct sshsk_resident_key ***srksp,
    size_t *nsrksp);

/*
 * Free an array of nsrks sshsk_resident_key entries (as returned from
 * sshsk_load_resident), including the array itself.
 */
void sshsk_free_resident_keys(struct sshsk_resident_key **srks, size_t nsrks);

#endif /* _SSH_SK_H */