upstream: changes to support FIDO attestation

Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
author: djm@openbsd.org <djm@openbsd.org> 2020-01-28 08:01:34 +0000
committer: Damien Miller <djm@mindrot.org> 2020-01-29 18:52:55 +1100
commit: 24c0f752adf9021277a7b0a84931bb5fe48ea379 (patch)
tree: cd1b9474e73ad7647b4ad88775365e7430d3fe64 /sk-usbhid.c
parent: 156bef36f93a48212383235bb8e3d71eaf2b2777 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 2148e1d7..ad83054a 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -570,6 +570,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 	}
 	if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) {
 		len = fido_cred_x5c_len(cred);
+		debug3("%s: attestation cert len=%zu", __func__, len);
 		if ((response->attestation_cert = calloc(1, len)) == NULL) {
 			skdebug(__func__, "calloc attestation cert failed");
 			goto out;
author	djm@openbsd.org <djm@openbsd.org>	2020-01-28 08:01:34 +0000
committer	Damien Miller <djm@mindrot.org>	2020-01-29 18:52:55 +1100
commit	24c0f752adf9021277a7b0a84931bb5fe48ea379 (patch)
tree	cd1b9474e73ad7647b4ad88775365e7430d3fe64 /sk-usbhid.c
parent	156bef36f93a48212383235bb8e3d71eaf2b2777 (diff)