xref: /freebsd/crypto/openssh/sk-usbhid.c (revision 924226fba12cc9a228c73b956e1b7fa24c60b055)
1 /* $OpenBSD: sk-usbhid.c,v 1.38 2022/02/07 01:25:12 djm Exp $ */
2 /*
3  * Copyright (c) 2019 Markus Friedl
4  * Copyright (c) 2020 Pedro Martelletto
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include "includes.h"
20 
21 #ifdef ENABLE_SK_INTERNAL
22 
23 #include <stdint.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <stdio.h>
27 #include <stddef.h>
28 #include <stdarg.h>
29 #include <time.h>
30 #ifdef HAVE_SHA2_H
31 #include <sha2.h>
32 #endif
33 
34 /*
35  * Almost every use of OpenSSL in this file is for ECDSA-NISTP256.
36  * This is strictly a larger hammer than necessary, but it reduces changes
37  * with upstream.
38  */
39 #ifndef OPENSSL_HAS_ECC
40 # undef WITH_OPENSSL
41 #endif
42 
43 #ifdef WITH_OPENSSL
44 #include <openssl/opensslv.h>
45 #include <openssl/crypto.h>
46 #include <openssl/bn.h>
47 #include <openssl/ec.h>
48 #include <openssl/ecdsa.h>
49 #include <openssl/evp.h>
50 #endif /* WITH_OPENSSL */
51 
52 #include <fido.h>
53 #include <fido/credman.h>
54 
55 /* backwards compat for libfido2 */
56 #ifndef HAVE_FIDO_CRED_PROT
57 #define fido_cred_prot(x) (0)
58 #endif
59 #ifndef HAVE_FIDO_CRED_SET_PROT
60 #define fido_cred_set_prot(x, y) (FIDO_ERR_UNSUPPORTED_OPTION)
61 #endif
62 #ifndef HAVE_FIDO_DEV_SUPPORTS_CRED_PROT
63 #define fido_dev_supports_cred_prot(x) (0)
64 #endif
65 #ifndef HAVE_FIDO_DEV_GET_TOUCH_BEGIN
66 #define fido_dev_get_touch_begin(x) (FIDO_ERR_UNSUPPORTED_OPTION)
67 #endif
68 #ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
69 #define fido_dev_get_touch_status(x, y, z) (FIDO_ERR_UNSUPPORTED_OPTION)
70 #endif
71 #ifndef FIDO_CRED_PROT_UV_REQUIRED
72 #define FIDO_CRED_PROT_UV_REQUIRED 0
73 #endif
74 #ifndef FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID
75 #define FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID 0
76 #endif
77 
78 #ifndef SK_STANDALONE
79 # include "log.h"
80 # include "xmalloc.h"
81 # include "misc.h"
82 /*
83  * If building as part of OpenSSH, then rename exported functions.
84  * This must be done before including sk-api.h.
85  */
86 # define sk_api_version		ssh_sk_api_version
87 # define sk_enroll		ssh_sk_enroll
88 # define sk_sign		ssh_sk_sign
89 # define sk_load_resident_keys	ssh_sk_load_resident_keys
90 #endif /* !SK_STANDALONE */
91 
92 #include "sk-api.h"
93 
94 /* #define SK_DEBUG 1 */
95 
96 #ifdef SK_DEBUG
97 #define SSH_FIDO_INIT_ARG	FIDO_DEBUG
98 #else
99 #define SSH_FIDO_INIT_ARG	0
100 #endif
101 
102 #define MAX_FIDO_DEVICES	8
103 #define FIDO_POLL_MS		50
104 #define SELECT_MS		15000
105 #define POLL_SLEEP_NS		200000000
106 
107 /* Compatibility with OpenSSH 1.0.x */
108 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
109 #define ECDSA_SIG_get0(sig, pr, ps) \
110 	do { \
111 		(*pr) = sig->r; \
112 		(*ps) = sig->s; \
113 	} while (0)
114 #endif
115 #ifndef FIDO_ERR_OPERATION_DENIED
116 #define FIDO_ERR_OPERATION_DENIED 0x27
117 #endif
118 
119 struct sk_usbhid {
120 	fido_dev_t *dev;
121 	char *path;
122 };
123 
124 /* Return the version of the middleware API */
125 uint32_t sk_api_version(void);
126 
127 /* Enroll a U2F key (private key generation) */
128 int sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
129     const char *application, uint8_t flags, const char *pin,
130     struct sk_option **options, struct sk_enroll_response **enroll_response);
131 
132 /* Sign a challenge */
133 int sk_sign(uint32_t alg, const uint8_t *data, size_t data_len,
134     const char *application, const uint8_t *key_handle, size_t key_handle_len,
135     uint8_t flags, const char *pin, struct sk_option **options,
136     struct sk_sign_response **sign_response);
137 
138 /* Load resident keys */
139 int sk_load_resident_keys(const char *pin, struct sk_option **options,
140     struct sk_resident_key ***rks, size_t *nrks);
141 
142 static void skdebug(const char *func, const char *fmt, ...)
143     __attribute__((__format__ (printf, 2, 3)));
144 
145 static void
146 skdebug(const char *func, const char *fmt, ...)
147 {
148 #if !defined(SK_STANDALONE)
149 	char *msg;
150 	va_list ap;
151 
152 	va_start(ap, fmt);
153 	xvasprintf(&msg, fmt, ap);
154 	va_end(ap);
155 	debug("%s: %s", func, msg);
156 	free(msg);
157 #elif defined(SK_DEBUG)
158 	va_list ap;
159 
160 	va_start(ap, fmt);
161 	fprintf(stderr, "%s: ", func);
162 	vfprintf(stderr, fmt, ap);
163 	fputc('\n', stderr);
164 	va_end(ap);
165 #else
166 	(void)func; /* XXX */
167 	(void)fmt; /* XXX */
168 #endif
169 }
170 
171 uint32_t
172 sk_api_version(void)
173 {
174 	return SSH_SK_VERSION_MAJOR;
175 }
176 
177 static struct sk_usbhid *
178 sk_open(const char *path)
179 {
180 	struct sk_usbhid *sk;
181 	int r;
182 
183 	if (path == NULL) {
184 		skdebug(__func__, "path == NULL");
185 		return NULL;
186 	}
187 	if ((sk = calloc(1, sizeof(*sk))) == NULL) {
188 		skdebug(__func__, "calloc sk failed");
189 		return NULL;
190 	}
191 	if ((sk->path = strdup(path)) == NULL) {
192 		skdebug(__func__, "strdup path failed");
193 		free(sk);
194 		return NULL;
195 	}
196 	if ((sk->dev = fido_dev_new()) == NULL) {
197 		skdebug(__func__, "fido_dev_new failed");
198 		free(sk->path);
199 		free(sk);
200 		return NULL;
201 	}
202 	if ((r = fido_dev_open(sk->dev, sk->path)) != FIDO_OK) {
203 		skdebug(__func__, "fido_dev_open %s failed: %s", sk->path,
204 		    fido_strerr(r));
205 		fido_dev_free(&sk->dev);
206 		free(sk->path);
207 		free(sk);
208 		return NULL;
209 	}
210 	return sk;
211 }
212 
213 static void
214 sk_close(struct sk_usbhid *sk)
215 {
216 	if (sk == NULL)
217 		return;
218 	fido_dev_cancel(sk->dev); /* cancel any pending operation */
219 	fido_dev_close(sk->dev);
220 	fido_dev_free(&sk->dev);
221 	free(sk->path);
222 	free(sk);
223 }
224 
225 static struct sk_usbhid **
226 sk_openv(const fido_dev_info_t *devlist, size_t ndevs, size_t *nopen)
227 {
228 	const fido_dev_info_t *di;
229 	struct sk_usbhid **skv;
230 	size_t i;
231 
232 	*nopen = 0;
233 	if ((skv = calloc(ndevs, sizeof(*skv))) == NULL) {
234 		skdebug(__func__, "calloc skv failed");
235 		return NULL;
236 	}
237 	for (i = 0; i < ndevs; i++) {
238 		if ((di = fido_dev_info_ptr(devlist, i)) == NULL)
239 			skdebug(__func__, "fido_dev_info_ptr failed");
240 		else if ((skv[*nopen] = sk_open(fido_dev_info_path(di))) == NULL)
241 			skdebug(__func__, "sk_open failed");
242 		else
243 			(*nopen)++;
244 	}
245 	if (*nopen == 0) {
246 		for (i = 0; i < ndevs; i++)
247 			sk_close(skv[i]);
248 		free(skv);
249 		skv = NULL;
250 	}
251 
252 	return skv;
253 }
254 
255 static void
256 sk_closev(struct sk_usbhid **skv, size_t nsk)
257 {
258 	size_t i;
259 
260 	for (i = 0; i < nsk; i++)
261 		sk_close(skv[i]);
262 	free(skv);
263 }
264 
265 static int
266 sk_touch_begin(struct sk_usbhid **skv, size_t nsk)
267 {
268 	size_t i, ok = 0;
269 	int r;
270 
271 	for (i = 0; i < nsk; i++)
272 		if ((r = fido_dev_get_touch_begin(skv[i]->dev)) != FIDO_OK)
273 			skdebug(__func__, "fido_dev_get_touch_begin %s failed:"
274 			    " %s", skv[i]->path, fido_strerr(r));
275 		else
276 			ok++;
277 
278 	return ok ? 0 : -1;
279 }
280 
281 static int
282 sk_touch_poll(struct sk_usbhid **skv, size_t nsk, int *touch, size_t *idx)
283 {
284 	struct timespec ts_pause;
285 	size_t npoll, i;
286 	int r;
287 
288 	ts_pause.tv_sec = 0;
289 	ts_pause.tv_nsec = POLL_SLEEP_NS;
290 	nanosleep(&ts_pause, NULL);
291 	npoll = nsk;
292 	for (i = 0; i < nsk; i++) {
293 		if (skv[i] == NULL)
294 			continue; /* device discarded */
295 		skdebug(__func__, "polling %s", skv[i]->path);
296 		if ((r = fido_dev_get_touch_status(skv[i]->dev, touch,
297 		    FIDO_POLL_MS)) != FIDO_OK) {
298 			skdebug(__func__, "fido_dev_get_touch_status %s: %s",
299 			    skv[i]->path, fido_strerr(r));
300 			sk_close(skv[i]); /* discard device */
301 			skv[i] = NULL;
302 			if (--npoll == 0) {
303 				skdebug(__func__, "no device left to poll");
304 				return -1;
305 			}
306 		} else if (*touch) {
307 			*idx = i;
308 			return 0;
309 		}
310 	}
311 	*touch = 0;
312 	return 0;
313 }
314 
315 #if !defined(HAVE_FIDO_ASSERT_SET_CLIENTDATA) || \
316     !defined(HAVE_FIDO_CRED_SET_CLIENTDATA)
317 /* Calculate SHA256(m) */
318 static int
319 sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)
320 {
321 #ifdef WITH_OPENSSL
322 	u_int mdlen;
323 #else
324 	SHA2_CTX ctx;
325 #endif
326 
327 	if (dlen != 32)
328 		return -1;
329 #ifdef WITH_OPENSSL
330 	mdlen = dlen;
331 	if (!EVP_Digest(m, mlen, d, &mdlen, EVP_sha256(), NULL))
332 		return -1;
333 #else
334 	SHA256Init(&ctx);
335 	SHA256Update(&ctx, (const uint8_t *)m, mlen);
336 	SHA256Final(d, &ctx);
337 #endif
338 	return 0;
339 }
340 #endif /* !HAVE_FIDO_ASSERT_SET_CLIENTDATA || !HAVE_FIDO_CRED_SET_CLIENTDATA */
341 
342 #ifndef HAVE_FIDO_CRED_SET_CLIENTDATA
343 static int
344 fido_cred_set_clientdata(fido_cred_t *cred, const u_char *ptr, size_t len)
345 {
346 	uint8_t d[32];
347 	int r;
348 
349 	if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
350 		skdebug(__func__, "hash challenge failed");
351 		return FIDO_ERR_INTERNAL;
352 	}
353 	r = fido_cred_set_clientdata_hash(cred, d, sizeof(d));
354 	explicit_bzero(d, sizeof(d));
355 	if (r != FIDO_OK) {
356 		skdebug(__func__, "fido_cred_set_clientdata_hash failed: %s",
357 		    fido_strerr(r));
358 	}
359 	return r;
360 }
361 #endif /* HAVE_FIDO_CRED_SET_CLIENTDATA */
362 
363 #ifndef HAVE_FIDO_ASSERT_SET_CLIENTDATA
364 static int
365 fido_assert_set_clientdata(fido_assert_t *assert, const u_char *ptr, size_t len)
366 {
367 	uint8_t d[32];
368 	int r;
369 
370 	if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
371 		skdebug(__func__, "hash challenge failed");
372 		return FIDO_ERR_INTERNAL;
373 	}
374 	r = fido_assert_set_clientdata_hash(assert, d, sizeof(d));
375 	explicit_bzero(d, sizeof(d));
376 	if (r != FIDO_OK) {
377 		skdebug(__func__, "fido_assert_set_clientdata_hash failed: %s",
378 		    fido_strerr(r));
379 	}
380 	return r;
381 }
382 #endif /* HAVE_FIDO_ASSERT_SET_CLIENTDATA */
383 
384 /* Check if the specified key handle exists on a given sk. */
385 static int
386 sk_try(const struct sk_usbhid *sk, const char *application,
387     const uint8_t *key_handle, size_t key_handle_len)
388 {
389 	fido_assert_t *assert = NULL;
390 	int r = FIDO_ERR_INTERNAL;
391 	uint8_t message[32];
392 
393 	memset(message, '\0', sizeof(message));
394 	if ((assert = fido_assert_new()) == NULL) {
395 		skdebug(__func__, "fido_assert_new failed");
396 		goto out;
397 	}
398 	/* generate an invalid signature on FIDO2 tokens */
399 	if ((r = fido_assert_set_clientdata(assert, message,
400 	    sizeof(message))) != FIDO_OK) {
401 		skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
402 		    fido_strerr(r));
403 		goto out;
404 	}
405 	if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
406 		skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
407 		goto out;
408 	}
409 	if ((r = fido_assert_allow_cred(assert, key_handle,
410 	    key_handle_len)) != FIDO_OK) {
411 		skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
412 		goto out;
413 	}
414 	if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) {
415 		skdebug(__func__, "fido_assert_up: %s", fido_strerr(r));
416 		goto out;
417 	}
418 	r = fido_dev_get_assert(sk->dev, assert, NULL);
419 	skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
420 	if (r == FIDO_ERR_USER_PRESENCE_REQUIRED) {
421 		/* U2F tokens may return this */
422 		r = FIDO_OK;
423 	}
424  out:
425 	fido_assert_free(&assert);
426 
427 	return r != FIDO_OK ? -1 : 0;
428 }
429 
430 static int
431 check_sk_options(fido_dev_t *dev, const char *opt, int *ret)
432 {
433 	fido_cbor_info_t *info;
434 	char * const *name;
435 	const bool *value;
436 	size_t len, i;
437 	int r;
438 
439 	*ret = -1;
440 
441 	if (!fido_dev_is_fido2(dev)) {
442 		skdebug(__func__, "device is not fido2");
443 		return 0;
444 	}
445 	if ((info = fido_cbor_info_new()) == NULL) {
446 		skdebug(__func__, "fido_cbor_info_new failed");
447 		return -1;
448 	}
449 	if ((r = fido_dev_get_cbor_info(dev, info)) != FIDO_OK) {
450 		skdebug(__func__, "fido_dev_get_cbor_info: %s", fido_strerr(r));
451 		fido_cbor_info_free(&info);
452 		return -1;
453 	}
454 	name = fido_cbor_info_options_name_ptr(info);
455 	value = fido_cbor_info_options_value_ptr(info);
456 	len = fido_cbor_info_options_len(info);
457 	for (i = 0; i < len; i++) {
458 		if (!strcmp(name[i], opt)) {
459 			*ret = value[i];
460 			break;
461 		}
462 	}
463 	fido_cbor_info_free(&info);
464 	if (*ret == -1)
465 		skdebug(__func__, "option %s is unknown", opt);
466 	else
467 		skdebug(__func__, "option %s is %s", opt, *ret ? "on" : "off");
468 
469 	return 0;
470 }
471 
472 static struct sk_usbhid *
473 sk_select_by_cred(const fido_dev_info_t *devlist, size_t ndevs,
474     const char *application, const uint8_t *key_handle, size_t key_handle_len)
475 {
476 	struct sk_usbhid **skv, *sk;
477 	size_t skvcnt, i;
478 	int internal_uv;
479 
480 	if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
481 		skdebug(__func__, "sk_openv failed");
482 		return NULL;
483 	}
484 	if (skvcnt == 1 && check_sk_options(skv[0]->dev, "uv",
485 	    &internal_uv) == 0 && internal_uv != -1) {
486 		sk = skv[0];
487 		skv[0] = NULL;
488 		goto out;
489 	}
490 	sk = NULL;
491 	for (i = 0; i < skvcnt; i++) {
492 		if (sk_try(skv[i], application, key_handle,
493 		    key_handle_len) == 0) {
494 			sk = skv[i];
495 			skv[i] = NULL;
496 			skdebug(__func__, "found key in %s", sk->path);
497 			break;
498 		}
499 	}
500  out:
501 	sk_closev(skv, skvcnt);
502 	return sk;
503 }
504 
505 static struct sk_usbhid *
506 sk_select_by_touch(const fido_dev_info_t *devlist, size_t ndevs)
507 {
508 	struct sk_usbhid **skv, *sk;
509 	struct timeval tv_start, tv_now, tv_delta;
510 	size_t skvcnt, idx;
511 	int touch, ms_remain;
512 
513 	if ((skv = sk_openv(devlist, ndevs, &skvcnt)) == NULL) {
514 		skdebug(__func__, "sk_openv failed");
515 		return NULL;
516 	}
517 	sk = NULL;
518 	if (skvcnt < 2) {
519 		if (skvcnt == 1) {
520 			/* single candidate */
521 			sk = skv[0];
522 			skv[0] = NULL;
523 		}
524 		goto out;
525 	}
526 #ifndef HAVE_FIDO_DEV_GET_TOUCH_STATUS
527 	skdebug(__func__, "libfido2 version does not support a feature needed for multiple tokens. Please upgrade to >=1.5.0");
528 	goto out;
529 #endif
530 
531 	if (sk_touch_begin(skv, skvcnt) == -1) {
532 		skdebug(__func__, "sk_touch_begin failed");
533 		goto out;
534 	}
535 	monotime_tv(&tv_start);
536 	do {
537 		if (sk_touch_poll(skv, skvcnt, &touch, &idx) == -1) {
538 			skdebug(__func__, "sk_touch_poll failed");
539 			goto out;
540 		}
541 		if (touch) {
542 			sk = skv[idx];
543 			skv[idx] = NULL;
544 			goto out;
545 		}
546 		monotime_tv(&tv_now);
547 		timersub(&tv_now, &tv_start, &tv_delta);
548 		ms_remain = SELECT_MS - tv_delta.tv_sec * 1000 -
549 		    tv_delta.tv_usec / 1000;
550 	} while (ms_remain >= FIDO_POLL_MS);
551 	skdebug(__func__, "timeout");
552 out:
553 	sk_closev(skv, skvcnt);
554 	return sk;
555 }
556 
557 static struct sk_usbhid *
558 sk_probe(const char *application, const uint8_t *key_handle,
559     size_t key_handle_len)
560 {
561 	struct sk_usbhid *sk;
562 	fido_dev_info_t *devlist;
563 	size_t ndevs;
564 	int r;
565 
566 	if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) {
567 		skdebug(__func__, "fido_dev_info_new failed");
568 		return NULL;
569 	}
570 	if ((r = fido_dev_info_manifest(devlist, MAX_FIDO_DEVICES,
571 	    &ndevs)) != FIDO_OK) {
572 		skdebug(__func__, "fido_dev_info_manifest failed: %s",
573 		    fido_strerr(r));
574 		fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
575 		return NULL;
576 	}
577 	skdebug(__func__, "%zu device(s) detected", ndevs);
578 	if (ndevs == 0) {
579 		sk = NULL;
580 	} else if (application != NULL && key_handle != NULL) {
581 		skdebug(__func__, "selecting sk by cred");
582 		sk = sk_select_by_cred(devlist, ndevs, application, key_handle,
583 		    key_handle_len);
584 	} else {
585 		skdebug(__func__, "selecting sk by touch");
586 		sk = sk_select_by_touch(devlist, ndevs);
587 	}
588 	fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
589 	return sk;
590 }
591 
592 #ifdef WITH_OPENSSL
593 /*
594  * The key returned via fido_cred_pubkey_ptr() is in affine coordinates,
595  * but the API expects a SEC1 octet string.
596  */
597 static int
598 pack_public_key_ecdsa(const fido_cred_t *cred,
599     struct sk_enroll_response *response)
600 {
601 	const uint8_t *ptr;
602 	BIGNUM *x = NULL, *y = NULL;
603 	EC_POINT *q = NULL;
604 	EC_GROUP *g = NULL;
605 	int ret = -1;
606 
607 	response->public_key = NULL;
608 	response->public_key_len = 0;
609 
610 	if ((x = BN_new()) == NULL ||
611 	    (y = BN_new()) == NULL ||
612 	    (g = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL ||
613 	    (q = EC_POINT_new(g)) == NULL) {
614 		skdebug(__func__, "libcrypto setup failed");
615 		goto out;
616 	}
617 	if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
618 		skdebug(__func__, "fido_cred_pubkey_ptr failed");
619 		goto out;
620 	}
621 	if (fido_cred_pubkey_len(cred) != 64) {
622 		skdebug(__func__, "bad fido_cred_pubkey_len %zu",
623 		    fido_cred_pubkey_len(cred));
624 		goto out;
625 	}
626 
627 	if (BN_bin2bn(ptr, 32, x) == NULL ||
628 	    BN_bin2bn(ptr + 32, 32, y) == NULL) {
629 		skdebug(__func__, "BN_bin2bn failed");
630 		goto out;
631 	}
632 	if (EC_POINT_set_affine_coordinates_GFp(g, q, x, y, NULL) != 1) {
633 		skdebug(__func__, "EC_POINT_set_affine_coordinates_GFp failed");
634 		goto out;
635 	}
636 	response->public_key_len = EC_POINT_point2oct(g, q,
637 	    POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
638 	if (response->public_key_len == 0 || response->public_key_len > 2048) {
639 		skdebug(__func__, "bad pubkey length %zu",
640 		    response->public_key_len);
641 		goto out;
642 	}
643 	if ((response->public_key = malloc(response->public_key_len)) == NULL) {
644 		skdebug(__func__, "malloc pubkey failed");
645 		goto out;
646 	}
647 	if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
648 	    response->public_key, response->public_key_len, NULL) == 0) {
649 		skdebug(__func__, "EC_POINT_point2oct failed");
650 		goto out;
651 	}
652 	/* success */
653 	ret = 0;
654  out:
655 	if (ret != 0 && response->public_key != NULL) {
656 		memset(response->public_key, 0, response->public_key_len);
657 		free(response->public_key);
658 		response->public_key = NULL;
659 	}
660 	EC_POINT_free(q);
661 	EC_GROUP_free(g);
662 	BN_clear_free(x);
663 	BN_clear_free(y);
664 	return ret;
665 }
666 #endif /* WITH_OPENSSL */
667 
668 static int
669 pack_public_key_ed25519(const fido_cred_t *cred,
670     struct sk_enroll_response *response)
671 {
672 	const uint8_t *ptr;
673 	size_t len;
674 	int ret = -1;
675 
676 	response->public_key = NULL;
677 	response->public_key_len = 0;
678 
679 	if ((len = fido_cred_pubkey_len(cred)) != 32) {
680 		skdebug(__func__, "bad fido_cred_pubkey_len len %zu", len);
681 		goto out;
682 	}
683 	if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) {
684 		skdebug(__func__, "fido_cred_pubkey_ptr failed");
685 		goto out;
686 	}
687 	response->public_key_len = len;
688 	if ((response->public_key = malloc(response->public_key_len)) == NULL) {
689 		skdebug(__func__, "malloc pubkey failed");
690 		goto out;
691 	}
692 	memcpy(response->public_key, ptr, len);
693 	ret = 0;
694  out:
695 	if (ret != 0)
696 		free(response->public_key);
697 	return ret;
698 }
699 
700 static int
701 pack_public_key(uint32_t alg, const fido_cred_t *cred,
702     struct sk_enroll_response *response)
703 {
704 	switch(alg) {
705 #ifdef WITH_OPENSSL
706 	case SSH_SK_ECDSA:
707 		return pack_public_key_ecdsa(cred, response);
708 #endif /* WITH_OPENSSL */
709 	case SSH_SK_ED25519:
710 		return pack_public_key_ed25519(cred, response);
711 	default:
712 		return -1;
713 	}
714 }
715 
716 static int
717 fidoerr_to_skerr(int fidoerr)
718 {
719 	switch (fidoerr) {
720 	case FIDO_ERR_UNSUPPORTED_OPTION:
721 	case FIDO_ERR_UNSUPPORTED_ALGORITHM:
722 		return SSH_SK_ERR_UNSUPPORTED;
723 	case FIDO_ERR_PIN_REQUIRED:
724 	case FIDO_ERR_PIN_INVALID:
725 	case FIDO_ERR_OPERATION_DENIED:
726 		return SSH_SK_ERR_PIN_REQUIRED;
727 	default:
728 		return -1;
729 	}
730 }
731 
732 static int
733 check_enroll_options(struct sk_option **options, char **devicep,
734     uint8_t *user_id, size_t user_id_len)
735 {
736 	size_t i;
737 
738 	if (options == NULL)
739 		return 0;
740 	for (i = 0; options[i] != NULL; i++) {
741 		if (strcmp(options[i]->name, "device") == 0) {
742 			if ((*devicep = strdup(options[i]->value)) == NULL) {
743 				skdebug(__func__, "strdup device failed");
744 				return -1;
745 			}
746 			skdebug(__func__, "requested device %s", *devicep);
747 		} else if (strcmp(options[i]->name, "user") == 0) {
748 			if (strlcpy(user_id, options[i]->value, user_id_len) >=
749 			    user_id_len) {
750 				skdebug(__func__, "user too long");
751 				return -1;
752 			}
753 			skdebug(__func__, "requested user %s",
754 			    (char *)user_id);
755 		} else {
756 			skdebug(__func__, "requested unsupported option %s",
757 			    options[i]->name);
758 			if (options[i]->required) {
759 				skdebug(__func__, "unknown required option");
760 				return -1;
761 			}
762 		}
763 	}
764 	return 0;
765 }
766 
767 int
768 sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
769     const char *application, uint8_t flags, const char *pin,
770     struct sk_option **options, struct sk_enroll_response **enroll_response)
771 {
772 	fido_cred_t *cred = NULL;
773 	const uint8_t *ptr;
774 	uint8_t user_id[32];
775 	struct sk_usbhid *sk = NULL;
776 	struct sk_enroll_response *response = NULL;
777 	size_t len;
778 	int credprot;
779 	int internal_uv;
780 	int cose_alg;
781 	int ret = SSH_SK_ERR_GENERAL;
782 	int r;
783 	char *device = NULL;
784 
785 	fido_init(SSH_FIDO_INIT_ARG);
786 
787 	if (enroll_response == NULL) {
788 		skdebug(__func__, "enroll_response == NULL");
789 		goto out;
790 	}
791 	*enroll_response = NULL;
792 	memset(user_id, 0, sizeof(user_id));
793 	if (check_enroll_options(options, &device, user_id,
794 	    sizeof(user_id)) != 0)
795 		goto out; /* error already logged */
796 
797 	switch(alg) {
798 #ifdef WITH_OPENSSL
799 	case SSH_SK_ECDSA:
800 		cose_alg = COSE_ES256;
801 		break;
802 #endif /* WITH_OPENSSL */
803 	case SSH_SK_ED25519:
804 		cose_alg = COSE_EDDSA;
805 		break;
806 	default:
807 		skdebug(__func__, "unsupported key type %d", alg);
808 		goto out;
809 	}
810 	if (device != NULL)
811 		sk = sk_open(device);
812 	else
813 		sk = sk_probe(NULL, NULL, 0);
814 	if (sk == NULL) {
815 		ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
816 		skdebug(__func__, "failed to find sk");
817 		goto out;
818 	}
819 	skdebug(__func__, "using device %s", sk->path);
820 	if ((cred = fido_cred_new()) == NULL) {
821 		skdebug(__func__, "fido_cred_new failed");
822 		goto out;
823 	}
824 	if ((r = fido_cred_set_type(cred, cose_alg)) != FIDO_OK) {
825 		skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
826 		goto out;
827 	}
828 	if ((r = fido_cred_set_clientdata(cred,
829 	    challenge, challenge_len)) != FIDO_OK) {
830 		skdebug(__func__, "fido_cred_set_clientdata: %s",
831 		    fido_strerr(r));
832 		goto out;
833 	}
834 	if ((r = fido_cred_set_rk(cred, (flags & SSH_SK_RESIDENT_KEY) != 0 ?
835 	    FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
836 		skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
837 		goto out;
838 	}
839 	if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
840 	    "openssh", "openssh", NULL)) != FIDO_OK) {
841 		skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));
842 		goto out;
843 	}
844 	if ((r = fido_cred_set_rp(cred, application, NULL)) != FIDO_OK) {
845 		skdebug(__func__, "fido_cred_set_rp: %s", fido_strerr(r));
846 		goto out;
847 	}
848 	if ((flags & (SSH_SK_RESIDENT_KEY|SSH_SK_USER_VERIFICATION_REQD)) != 0) {
849 #if !defined(HAVE_FIDO_DEV_SUPPORTS_CRED_PROT) || \
850     !defined(HAVE_FIDO_CRED_SET_PROT)
851 		skdebug(__func__, "libfido2 version does not support a feature required for this operation. Please upgrade to >=1.5.0");
852 		ret = SSH_SK_ERR_UNSUPPORTED;
853 		goto out;
854 		credprot = 0; (void)credprot; /* avoid warning */
855 #endif
856 		if (!fido_dev_supports_cred_prot(sk->dev)) {
857 			skdebug(__func__, "%s does not support credprot, "
858 			    "refusing to create unprotected "
859 			    "resident/verify-required key", sk->path);
860 			ret = SSH_SK_ERR_UNSUPPORTED;
861 			goto out;
862 		}
863 		if ((flags & SSH_SK_USER_VERIFICATION_REQD))
864 			credprot = FIDO_CRED_PROT_UV_REQUIRED;
865 		else
866 			credprot = FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID;
867 
868 		if ((r = fido_cred_set_prot(cred, credprot)) != FIDO_OK) {
869 			skdebug(__func__, "fido_cred_set_prot: %s",
870 			    fido_strerr(r));
871 			ret = fidoerr_to_skerr(r);
872 			goto out;
873 		}
874 	}
875 	if ((r = fido_dev_make_cred(sk->dev, cred, pin)) != FIDO_OK) {
876 		skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r));
877 		ret = fidoerr_to_skerr(r);
878 		goto out;
879 	}
880 	if (fido_cred_x5c_ptr(cred) != NULL) {
881 		if ((r = fido_cred_verify(cred)) != FIDO_OK) {
882 			skdebug(__func__, "fido_cred_verify: %s",
883 			    fido_strerr(r));
884 			goto out;
885 		}
886 	} else {
887 		skdebug(__func__, "self-attested credential");
888 		if ((r = fido_cred_verify_self(cred)) != FIDO_OK) {
889 			skdebug(__func__, "fido_cred_verify_self: %s",
890 			    fido_strerr(r));
891 			goto out;
892 		}
893 	}
894 	if ((response = calloc(1, sizeof(*response))) == NULL) {
895 		skdebug(__func__, "calloc response failed");
896 		goto out;
897 	}
898 	response->flags = flags;
899 	if ((flags & SSH_SK_USER_VERIFICATION_REQD)) {
900 		if (check_sk_options(sk->dev, "uv", &internal_uv) == 0 &&
901 		    internal_uv != -1) {
902 			/* user verification handled by token */
903 			response->flags &= ~SSH_SK_USER_VERIFICATION_REQD;
904 		}
905 	}
906 	if (pack_public_key(alg, cred, response) != 0) {
907 		skdebug(__func__, "pack_public_key failed");
908 		goto out;
909 	}
910 	if ((ptr = fido_cred_id_ptr(cred)) != NULL) {
911 		len = fido_cred_id_len(cred);
912 		if ((response->key_handle = calloc(1, len)) == NULL) {
913 			skdebug(__func__, "calloc key handle failed");
914 			goto out;
915 		}
916 		memcpy(response->key_handle, ptr, len);
917 		response->key_handle_len = len;
918 	}
919 	if ((ptr = fido_cred_sig_ptr(cred)) != NULL) {
920 		len = fido_cred_sig_len(cred);
921 		if ((response->signature = calloc(1, len)) == NULL) {
922 			skdebug(__func__, "calloc signature failed");
923 			goto out;
924 		}
925 		memcpy(response->signature, ptr, len);
926 		response->signature_len = len;
927 	}
928 	if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) {
929 		len = fido_cred_x5c_len(cred);
930 		skdebug(__func__, "attestation cert len=%zu", len);
931 		if ((response->attestation_cert = calloc(1, len)) == NULL) {
932 			skdebug(__func__, "calloc attestation cert failed");
933 			goto out;
934 		}
935 		memcpy(response->attestation_cert, ptr, len);
936 		response->attestation_cert_len = len;
937 	}
938 	if ((ptr = fido_cred_authdata_ptr(cred)) != NULL) {
939 		len = fido_cred_authdata_len(cred);
940 		skdebug(__func__, "authdata len=%zu", len);
941 		if ((response->authdata = calloc(1, len)) == NULL) {
942 			skdebug(__func__, "calloc authdata failed");
943 			goto out;
944 		}
945 		memcpy(response->authdata, ptr, len);
946 		response->authdata_len = len;
947 	}
948 	*enroll_response = response;
949 	response = NULL;
950 	ret = 0;
951  out:
952 	free(device);
953 	if (response != NULL) {
954 		free(response->public_key);
955 		free(response->key_handle);
956 		free(response->signature);
957 		free(response->attestation_cert);
958 		free(response->authdata);
959 		free(response);
960 	}
961 	sk_close(sk);
962 	fido_cred_free(&cred);
963 	return ret;
964 }
965 
966 #ifdef WITH_OPENSSL
967 static int
968 pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response)
969 {
970 	ECDSA_SIG *sig = NULL;
971 	const BIGNUM *sig_r, *sig_s;
972 	const unsigned char *cp;
973 	size_t sig_len;
974 	int ret = -1;
975 
976 	cp = fido_assert_sig_ptr(assert, 0);
977 	sig_len = fido_assert_sig_len(assert, 0);
978 	if ((sig = d2i_ECDSA_SIG(NULL, &cp, sig_len)) == NULL) {
979 		skdebug(__func__, "d2i_ECDSA_SIG failed");
980 		goto out;
981 	}
982 	ECDSA_SIG_get0(sig, &sig_r, &sig_s);
983 	response->sig_r_len = BN_num_bytes(sig_r);
984 	response->sig_s_len = BN_num_bytes(sig_s);
985 	if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
986 	    (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
987 		skdebug(__func__, "calloc signature failed");
988 		goto out;
989 	}
990 	BN_bn2bin(sig_r, response->sig_r);
991 	BN_bn2bin(sig_s, response->sig_s);
992 	ret = 0;
993  out:
994 	ECDSA_SIG_free(sig);
995 	if (ret != 0) {
996 		free(response->sig_r);
997 		free(response->sig_s);
998 		response->sig_r = NULL;
999 		response->sig_s = NULL;
1000 	}
1001 	return ret;
1002 }
1003 #endif /* WITH_OPENSSL */
1004 
1005 static int
1006 pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response)
1007 {
1008 	const unsigned char *ptr;
1009 	size_t len;
1010 	int ret = -1;
1011 
1012 	ptr = fido_assert_sig_ptr(assert, 0);
1013 	len = fido_assert_sig_len(assert, 0);
1014 	if (len != 64) {
1015 		skdebug(__func__, "bad length %zu", len);
1016 		goto out;
1017 	}
1018 	response->sig_r_len = len;
1019 	if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
1020 		skdebug(__func__, "calloc signature failed");
1021 		goto out;
1022 	}
1023 	memcpy(response->sig_r, ptr, len);
1024 	ret = 0;
1025  out:
1026 	if (ret != 0) {
1027 		free(response->sig_r);
1028 		response->sig_r = NULL;
1029 	}
1030 	return ret;
1031 }
1032 
1033 static int
1034 pack_sig(uint32_t  alg, fido_assert_t *assert,
1035     struct sk_sign_response *response)
1036 {
1037 	switch(alg) {
1038 #ifdef WITH_OPENSSL
1039 	case SSH_SK_ECDSA:
1040 		return pack_sig_ecdsa(assert, response);
1041 #endif /* WITH_OPENSSL */
1042 	case SSH_SK_ED25519:
1043 		return pack_sig_ed25519(assert, response);
1044 	default:
1045 		return -1;
1046 	}
1047 }
1048 
1049 /* Checks sk_options for sk_sign() and sk_load_resident_keys() */
1050 static int
1051 check_sign_load_resident_options(struct sk_option **options, char **devicep)
1052 {
1053 	size_t i;
1054 
1055 	if (options == NULL)
1056 		return 0;
1057 	for (i = 0; options[i] != NULL; i++) {
1058 		if (strcmp(options[i]->name, "device") == 0) {
1059 			if ((*devicep = strdup(options[i]->value)) == NULL) {
1060 				skdebug(__func__, "strdup device failed");
1061 				return -1;
1062 			}
1063 			skdebug(__func__, "requested device %s", *devicep);
1064 		} else {
1065 			skdebug(__func__, "requested unsupported option %s",
1066 			    options[i]->name);
1067 			if (options[i]->required) {
1068 				skdebug(__func__, "unknown required option");
1069 				return -1;
1070 			}
1071 		}
1072 	}
1073 	return 0;
1074 }
1075 
1076 int
1077 sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
1078     const char *application,
1079     const uint8_t *key_handle, size_t key_handle_len,
1080     uint8_t flags, const char *pin, struct sk_option **options,
1081     struct sk_sign_response **sign_response)
1082 {
1083 	fido_assert_t *assert = NULL;
1084 	char *device = NULL;
1085 	struct sk_usbhid *sk = NULL;
1086 	struct sk_sign_response *response = NULL;
1087 	int ret = SSH_SK_ERR_GENERAL, internal_uv;
1088 	int r;
1089 
1090 	fido_init(SSH_FIDO_INIT_ARG);
1091 
1092 	if (sign_response == NULL) {
1093 		skdebug(__func__, "sign_response == NULL");
1094 		goto out;
1095 	}
1096 	*sign_response = NULL;
1097 	if (check_sign_load_resident_options(options, &device) != 0)
1098 		goto out; /* error already logged */
1099 	if (device != NULL)
1100 		sk = sk_open(device);
1101 	else if (pin != NULL || (flags & SSH_SK_USER_VERIFICATION_REQD))
1102 		sk = sk_probe(NULL, NULL, 0);
1103 	else
1104 		sk = sk_probe(application, key_handle, key_handle_len);
1105 	if (sk == NULL) {
1106 		ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
1107 		skdebug(__func__, "failed to find sk");
1108 		goto out;
1109 	}
1110 	if ((assert = fido_assert_new()) == NULL) {
1111 		skdebug(__func__, "fido_assert_new failed");
1112 		goto out;
1113 	}
1114 	if ((r = fido_assert_set_clientdata(assert,
1115 	    data, datalen)) != FIDO_OK)  {
1116 		skdebug(__func__, "fido_assert_set_clientdata: %s",
1117 		    fido_strerr(r));
1118 		goto out;
1119 	}
1120 	if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) {
1121 		skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r));
1122 		goto out;
1123 	}
1124 	if ((r = fido_assert_allow_cred(assert, key_handle,
1125 	    key_handle_len)) != FIDO_OK) {
1126 		skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r));
1127 		goto out;
1128 	}
1129 	if ((r = fido_assert_set_up(assert,
1130 	    (flags & SSH_SK_USER_PRESENCE_REQD) ?
1131 	    FIDO_OPT_TRUE : FIDO_OPT_FALSE)) != FIDO_OK) {
1132 		skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
1133 		goto out;
1134 	}
1135 	if (pin == NULL && (flags & SSH_SK_USER_VERIFICATION_REQD)) {
1136 		if (check_sk_options(sk->dev, "uv", &internal_uv) < 0 ||
1137 		    internal_uv != 1) {
1138 			skdebug(__func__, "check_sk_options uv");
1139 			ret = SSH_SK_ERR_PIN_REQUIRED;
1140 			goto out;
1141 		}
1142 		if ((r = fido_assert_set_uv(assert,
1143 		    FIDO_OPT_TRUE)) != FIDO_OK) {
1144 			skdebug(__func__, "fido_assert_set_uv: %s",
1145 			    fido_strerr(r));
1146 			ret = fidoerr_to_skerr(r);
1147 			goto out;
1148 		}
1149 	}
1150 	if ((r = fido_dev_get_assert(sk->dev, assert, pin)) != FIDO_OK) {
1151 		skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r));
1152 		ret = fidoerr_to_skerr(r);
1153 		goto out;
1154 	}
1155 	if ((response = calloc(1, sizeof(*response))) == NULL) {
1156 		skdebug(__func__, "calloc response failed");
1157 		goto out;
1158 	}
1159 	response->flags = fido_assert_flags(assert, 0);
1160 	response->counter = fido_assert_sigcount(assert, 0);
1161 	if (pack_sig(alg, assert, response) != 0) {
1162 		skdebug(__func__, "pack_sig failed");
1163 		goto out;
1164 	}
1165 	*sign_response = response;
1166 	response = NULL;
1167 	ret = 0;
1168  out:
1169 	free(device);
1170 	if (response != NULL) {
1171 		free(response->sig_r);
1172 		free(response->sig_s);
1173 		free(response);
1174 	}
1175 	sk_close(sk);
1176 	fido_assert_free(&assert);
1177 	return ret;
1178 }
1179 
1180 static int
1181 read_rks(struct sk_usbhid *sk, const char *pin,
1182     struct sk_resident_key ***rksp, size_t *nrksp)
1183 {
1184 	int ret = SSH_SK_ERR_GENERAL, r = -1, internal_uv;
1185 	fido_credman_metadata_t *metadata = NULL;
1186 	fido_credman_rp_t *rp = NULL;
1187 	fido_credman_rk_t *rk = NULL;
1188 	size_t i, j, nrp, nrk, user_id_len;
1189 	const fido_cred_t *cred;
1190 	const char *rp_id, *rp_name, *user_name;
1191 	struct sk_resident_key *srk = NULL, **tmp;
1192 	const u_char *user_id;
1193 
1194 	if (pin == NULL) {
1195 		skdebug(__func__, "no PIN specified");
1196 		ret = SSH_SK_ERR_PIN_REQUIRED;
1197 		goto out;
1198 	}
1199 	if ((metadata = fido_credman_metadata_new()) == NULL) {
1200 		skdebug(__func__, "alloc failed");
1201 		goto out;
1202 	}
1203 	if (check_sk_options(sk->dev, "uv", &internal_uv) != 0) {
1204 		skdebug(__func__, "check_sk_options failed");
1205 		goto out;
1206 	}
1207 
1208 	if ((r = fido_credman_get_dev_metadata(sk->dev, metadata, pin)) != 0) {
1209 		if (r == FIDO_ERR_INVALID_COMMAND) {
1210 			skdebug(__func__, "device %s does not support "
1211 			    "resident keys", sk->path);
1212 			ret = 0;
1213 			goto out;
1214 		}
1215 		skdebug(__func__, "get metadata for %s failed: %s",
1216 		    sk->path, fido_strerr(r));
1217 		ret = fidoerr_to_skerr(r);
1218 		goto out;
1219 	}
1220 	skdebug(__func__, "existing %llu, remaining %llu",
1221 	    (unsigned long long)fido_credman_rk_existing(metadata),
1222 	    (unsigned long long)fido_credman_rk_remaining(metadata));
1223 	if ((rp = fido_credman_rp_new()) == NULL) {
1224 		skdebug(__func__, "alloc rp failed");
1225 		goto out;
1226 	}
1227 	if ((r = fido_credman_get_dev_rp(sk->dev, rp, pin)) != 0) {
1228 		skdebug(__func__, "get RPs for %s failed: %s",
1229 		    sk->path, fido_strerr(r));
1230 		goto out;
1231 	}
1232 	nrp = fido_credman_rp_count(rp);
1233 	skdebug(__func__, "Device %s has resident keys for %zu RPs",
1234 	    sk->path, nrp);
1235 
1236 	/* Iterate over RP IDs that have resident keys */
1237 	for (i = 0; i < nrp; i++) {
1238 		rp_id = fido_credman_rp_id(rp, i);
1239 		rp_name = fido_credman_rp_name(rp, i);
1240 		skdebug(__func__, "rp %zu: name=\"%s\" id=\"%s\" hashlen=%zu",
1241 		    i, rp_name == NULL ? "(none)" : rp_name,
1242 		    rp_id == NULL ? "(none)" : rp_id,
1243 		    fido_credman_rp_id_hash_len(rp, i));
1244 
1245 		/* Skip non-SSH RP IDs */
1246 		if (rp_id == NULL ||
1247 		    strncasecmp(fido_credman_rp_id(rp, i), "ssh:", 4) != 0)
1248 			continue;
1249 
1250 		fido_credman_rk_free(&rk);
1251 		if ((rk = fido_credman_rk_new()) == NULL) {
1252 			skdebug(__func__, "alloc rk failed");
1253 			goto out;
1254 		}
1255 		if ((r = fido_credman_get_dev_rk(sk->dev,
1256 		    fido_credman_rp_id(rp, i), rk, pin)) != 0) {
1257 			skdebug(__func__, "get RKs for %s slot %zu failed: %s",
1258 			    sk->path, i, fido_strerr(r));
1259 			goto out;
1260 		}
1261 		nrk = fido_credman_rk_count(rk);
1262 		skdebug(__func__, "RP \"%s\" has %zu resident keys",
1263 		    fido_credman_rp_id(rp, i), nrk);
1264 
1265 		/* Iterate over resident keys for this RP ID */
1266 		for (j = 0; j < nrk; j++) {
1267 			if ((cred = fido_credman_rk(rk, j)) == NULL) {
1268 				skdebug(__func__, "no RK in slot %zu", j);
1269 				continue;
1270 			}
1271 			if ((user_name = fido_cred_user_name(cred)) == NULL)
1272 				user_name = "";
1273 			user_id = fido_cred_user_id_ptr(cred);
1274 			user_id_len = fido_cred_user_id_len(cred);
1275 			skdebug(__func__, "Device %s RP \"%s\" user \"%s\" "
1276 			    "uidlen %zu slot %zu: type %d flags 0x%02x "
1277 			    "prot 0x%02x", sk->path, rp_id, user_name,
1278 			    user_id_len, j, fido_cred_type(cred),
1279 			    fido_cred_flags(cred), fido_cred_prot(cred));
1280 
1281 			/* build response entry */
1282 			if ((srk = calloc(1, sizeof(*srk))) == NULL ||
1283 			    (srk->key.key_handle = calloc(1,
1284 			    fido_cred_id_len(cred))) == NULL ||
1285 			    (srk->application = strdup(rp_id)) == NULL ||
1286 			    (user_id_len > 0 &&
1287 			     (srk->user_id = calloc(1, user_id_len)) == NULL)) {
1288 				skdebug(__func__, "alloc sk_resident_key");
1289 				goto out;
1290 			}
1291 
1292 			srk->key.key_handle_len = fido_cred_id_len(cred);
1293 			memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
1294 			    srk->key.key_handle_len);
1295 			srk->user_id_len = user_id_len;
1296 			if (srk->user_id_len != 0)
1297 				memcpy(srk->user_id, user_id, srk->user_id_len);
1298 
1299 			switch (fido_cred_type(cred)) {
1300 			case COSE_ES256:
1301 				srk->alg = SSH_SK_ECDSA;
1302 				break;
1303 			case COSE_EDDSA:
1304 				srk->alg = SSH_SK_ED25519;
1305 				break;
1306 			default:
1307 				skdebug(__func__, "unsupported key type %d",
1308 				    fido_cred_type(cred));
1309 				goto out; /* XXX free rk and continue */
1310 			}
1311 
1312 			if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED
1313 			    && internal_uv == -1)
1314 				srk->flags |=  SSH_SK_USER_VERIFICATION_REQD;
1315 
1316 			if ((r = pack_public_key(srk->alg, cred,
1317 			    &srk->key)) != 0) {
1318 				skdebug(__func__, "pack public key failed");
1319 				goto out;
1320 			}
1321 			/* append */
1322 			if ((tmp = recallocarray(*rksp, *nrksp, (*nrksp) + 1,
1323 			    sizeof(**rksp))) == NULL) {
1324 				skdebug(__func__, "alloc rksp");
1325 				goto out;
1326 			}
1327 			*rksp = tmp;
1328 			(*rksp)[(*nrksp)++] = srk;
1329 			srk = NULL;
1330 		}
1331 	}
1332 	/* Success */
1333 	ret = 0;
1334  out:
1335 	if (srk != NULL) {
1336 		free(srk->application);
1337 		freezero(srk->key.public_key, srk->key.public_key_len);
1338 		freezero(srk->key.key_handle, srk->key.key_handle_len);
1339 		freezero(srk->user_id, srk->user_id_len);
1340 		freezero(srk, sizeof(*srk));
1341 	}
1342 	fido_credman_rp_free(&rp);
1343 	fido_credman_rk_free(&rk);
1344 	fido_credman_metadata_free(&metadata);
1345 	return ret;
1346 }
1347 
1348 int
1349 sk_load_resident_keys(const char *pin, struct sk_option **options,
1350     struct sk_resident_key ***rksp, size_t *nrksp)
1351 {
1352 	int ret = SSH_SK_ERR_GENERAL, r = -1;
1353 	size_t i, nrks = 0;
1354 	struct sk_resident_key **rks = NULL;
1355 	struct sk_usbhid *sk = NULL;
1356 	char *device = NULL;
1357 
1358 	*rksp = NULL;
1359 	*nrksp = 0;
1360 
1361 	fido_init(SSH_FIDO_INIT_ARG);
1362 
1363 	if (check_sign_load_resident_options(options, &device) != 0)
1364 		goto out; /* error already logged */
1365 	if (device != NULL)
1366 		sk = sk_open(device);
1367 	else
1368 		sk = sk_probe(NULL, NULL, 0);
1369 	if (sk == NULL) {
1370 		ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
1371 		skdebug(__func__, "failed to find sk");
1372 		goto out;
1373 	}
1374 	skdebug(__func__, "trying %s", sk->path);
1375 	if ((r = read_rks(sk, pin, &rks, &nrks)) != 0) {
1376 		skdebug(__func__, "read_rks failed for %s", sk->path);
1377 		ret = r;
1378 		goto out;
1379 	}
1380 	/* success, unless we have no keys but a specific error */
1381 	if (nrks > 0 || ret == SSH_SK_ERR_GENERAL)
1382 		ret = 0;
1383 	*rksp = rks;
1384 	*nrksp = nrks;
1385 	rks = NULL;
1386 	nrks = 0;
1387  out:
1388 	sk_close(sk);
1389 	for (i = 0; i < nrks; i++) {
1390 		free(rks[i]->application);
1391 		freezero(rks[i]->key.public_key, rks[i]->key.public_key_len);
1392 		freezero(rks[i]->key.key_handle, rks[i]->key.key_handle_len);
1393 		freezero(rks[i]->user_id, rks[i]->user_id_len);
1394 		freezero(rks[i], sizeof(*rks[i]));
1395 	}
1396 	free(rks);
1397 	return ret;
1398 }
1399 
1400 #endif /* ENABLE_SK_INTERNAL */
1401