/* $OpenBSD: sk-api.h,v 1.15 2022/07/20 03:29:14 djm Exp $ */
/*
 * Copyright (c) 2019 Google LLC
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
1719261079SEd Maste 
1819261079SEd Maste #ifndef _SK_API_H
1919261079SEd Maste #define _SK_API_H 1
2019261079SEd Maste 
2119261079SEd Maste #include <stddef.h>
2219261079SEd Maste #ifdef HAVE_STDINT_H
2319261079SEd Maste #include <stdint.h>
2419261079SEd Maste #endif
2519261079SEd Maste 
/*
 * Flags.  Each value is a distinct bit, so they can be OR'd together into
 * the uint8_t `flags' argument of sk_enroll() and sk_sign() below.  Bits
 * 0x02 and 0x08 are not assigned in this header.
 * NOTE(review): the names suggest USER_PRESENCE_REQD and
 * USER_VERIFICATION_REQD ask the middleware to insist on a user-presence
 * (touch) and a user-verification (PIN/biometric) check respectively, and
 * RESIDENT_KEY asks for a discoverable credential -- confirm against the
 * middleware implementation before relying on either.
 */
#define SSH_SK_USER_PRESENCE_REQD	0x01
#define SSH_SK_USER_VERIFICATION_REQD	0x04
/* NOTE(review): presumably tells the middleware to proceed where it would
 * otherwise refuse (cf. SSH_SK_ERR_CREDENTIAL_EXISTS) -- verify. */
#define SSH_SK_FORCE_OPERATION		0x10
#define SSH_SK_RESIDENT_KEY		0x20
3119261079SEd Maste 
/*
 * Algorithms.  Values for the uint32_t `alg' argument of sk_enroll() and
 * sk_sign() and for sk_resident_key.alg.  These are plain enumerators, not
 * bit flags.
 */
#define SSH_SK_ECDSA			0x00
#define SSH_SK_ED25519			0x01
3519261079SEd Maste 
/*
 * Error codes.  All are negative, which leaves zero free to mean success.
 * NOTE(review): presumably sk_enroll(), sk_sign() and
 * sk_load_resident_keys() return one of these on failure; the return
 * contract is not spelled out in this header.  Callers should treat any
 * non-zero value as failure rather than matching only the codes listed.
 */
#define SSH_SK_ERR_GENERAL		-1
#define SSH_SK_ERR_UNSUPPORTED		-2
/* NOTE(review): likely means the operation needs a PIN that was not
 * supplied -- confirm before using it to drive a PIN prompt. */
#define SSH_SK_ERR_PIN_REQUIRED		-3
#define SSH_SK_ERR_DEVICE_NOT_FOUND	-4
#define SSH_SK_ERR_CREDENTIAL_EXISTS	-5
4219261079SEd Maste 
/*
 * Result of sk_enroll().  Every pointer/len pair is a separate buffer
 * filled in by the middleware.
 * NOTE(review): this header does not say who frees these buffers, nor
 * which of them may legitimately be NULL/zero-length on success -- confirm
 * against the middleware contract before dereferencing any of them.
 */
struct sk_enroll_response {
	/* NOTE(review): presumably the authenticator's returned flag byte
	 * (user-presence/verification bits) -- verify. */
	uint8_t flags;
	/* Public key of the newly generated credential. */
	uint8_t *public_key;
	size_t public_key_len;
	/* Opaque credential identifier; passed back to sk_sign(). */
	uint8_t *key_handle;
	size_t key_handle_len;
	/* NOTE(review): presumably the attestation signature over authdata
	 * and the challenge -- confirm which fields it covers. */
	uint8_t *signature;
	size_t signature_len;
	/* Attestation certificate, if the device returned one. */
	uint8_t *attestation_cert;
	size_t attestation_cert_len;
	/* Authenticator data returned alongside the attestation. */
	uint8_t *authdata;
	size_t authdata_len;
};
5619261079SEd Maste 
/*
 * Result of sk_sign().  The signature is returned as two raw components
 * rather than a single encoded blob.
 * NOTE(review): presumably sig_r/sig_s are the ECDSA (r, s) integers for
 * SSH_SK_ECDSA; how an SSH_SK_ED25519 signature maps onto the pair is not
 * stated here.  `counter' is presumably the authenticator's signature
 * counter; a value that does not increase between signatures from the
 * same key is the usual indication of a cloned authenticator, so callers
 * that keep state should compare it with the last value seen.
 * Ownership of sig_r/sig_s is not stated here.
 */
struct sk_sign_response {
	uint8_t flags;
	uint32_t counter;
	uint8_t *sig_r;
	size_t sig_r_len;
	uint8_t *sig_s;
	size_t sig_s_len;
};
6519261079SEd Maste 
/*
 * One entry returned by sk_load_resident_keys().  `key' reuses
 * sk_enroll_response, so a resident key looks like a freshly enrolled one
 * to the caller; `application' is the application string the key was
 * enrolled under (see sk_enroll()).
 * NOTE(review): the meaning of slot and flags is not described here, and
 * user_id is presumably the user handle stored with the credential --
 * confirm before surfacing it to users or using it as a lookup key.
 */
struct sk_resident_key {
	/* NOTE(review): presumably one of the SSH_SK_* alg values -- verify. */
	uint32_t alg;
	size_t slot;
	char *application;
	struct sk_enroll_response key;
	uint8_t flags;
	uint8_t *user_id;
	size_t user_id_len;
};
7519261079SEd Maste 
/*
 * A name/value option handed to the middleware through the `options'
 * argument of the API calls below.
 * NOTE(review): `required' is presumably a boolean, non-zero meaning the
 * middleware must fail rather than silently ignore an option it does not
 * understand; the termination convention of the `options' array (likely a
 * NULL entry) is not given in this header -- confirm against the callers.
 */
struct sk_option {
	char *name;
	char *value;
	uint8_t required;
};
8119261079SEd Maste 
/*
 * Middleware API version.  The major version occupies the upper 16 bits
 * (cf. SSH_SK_VERSION_MAJOR_MASK); the lower 16 bits of
 * SSH_SK_VERSION_MAJOR are zero.  Presumably a caller accepts a middleware
 * only when (sk_api_version() & SSH_SK_VERSION_MAJOR_MASK) ==
 * SSH_SK_VERSION_MAJOR, so bumping this value deliberately rejects
 * middleware built against an older layout of the structs above.
 */
#define SSH_SK_VERSION_MAJOR		0x000a0000 /* current API version */
#define SSH_SK_VERSION_MAJOR_MASK	0xffff0000
8419261079SEd Maste 
/*
 * Return the version of the middleware API.  Callers are expected to mask
 * the result with SSH_SK_VERSION_MAJOR_MASK and compare it against
 * SSH_SK_VERSION_MAJOR before calling any other function in this header,
 * since the struct layouts are only guaranteed for a matching major version.
 */
uint32_t sk_api_version(void);
8719261079SEd Maste 
/*
 * Enroll a U2F key (private key generation).
 *   alg             one of the SSH_SK_* algorithm values
 *   challenge       caller-supplied challenge of challenge_len bytes
 *   application     application identifier string the key is bound to
 *   flags           OR of the SSH_SK_* flag bits
 *   pin             device PIN; NOTE(review): presumably NULL when none is
 *                   available -- confirm.  It is a secret, so the caller
 *                   should zeroise its own copy once the call returns.
 *   options         array of struct sk_option *; termination not stated here
 *   enroll_response out: set to a middleware-filled struct sk_enroll_response
 * Presumably returns 0 on success and one of the negative SSH_SK_ERR_*
 * codes on failure; this header does not spell out the return contract or
 * who frees *enroll_response.
 */
int sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
    const char *application, uint8_t flags, const char *pin,
    struct sk_option **options, struct sk_enroll_response **enroll_response);
9219261079SEd Maste 
/*
 * Sign a challenge.
 *   alg            one of the SSH_SK_* algorithm values
 *   data           the data_len bytes to sign
 *   application    application identifier the key was enrolled under
 *   key_handle     credential identifier of key_handle_len bytes, as
 *                  returned in sk_enroll_response.key_handle
 *   flags          OR of the SSH_SK_* flag bits
 *   pin            device PIN (see sk_enroll(); same secret-handling caveat)
 *   options        as for sk_enroll()
 *   sign_response  out: set to a middleware-filled struct sk_sign_response
 * Presumably returns 0 on success and one of the negative SSH_SK_ERR_*
 * codes on failure; ownership of *sign_response is not stated here.
 */
int sk_sign(uint32_t alg, const uint8_t *data, size_t data_len,
    const char *application, const uint8_t *key_handle, size_t key_handle_len,
    uint8_t flags, const char *pin, struct sk_option **options,
    struct sk_sign_response **sign_response);
9819261079SEd Maste 
/*
 * Enumerate all resident keys.
 *   pin      device PIN (see sk_enroll()); NOTE(review): likely mandatory
 *            for credential enumeration -- confirm
 *   options  as for sk_enroll()
 *   rks      out: array of *nrks pointers to struct sk_resident_key
 *   nrks     out: number of entries in *rks
 * Presumably follows the sk_enroll() convention of 0 on success and a
 * negative SSH_SK_ERR_* code on failure.  Ownership of *rks and of each
 * entry's buffers is not stated here.
 */
int sk_load_resident_keys(const char *pin, struct sk_option **options,
    struct sk_resident_key ***rks, size_t *nrks);
10219261079SEd Maste 
10319261079SEd Maste #endif /* _SK_API_H */