This provides an initial version of security key support in tinyssh.
The main change is a new file, sshcrypto_key_sk_ed25519.c, which adds the relevant functions for parsing and putting public keys and signatures, as well as the sk_ed25519_open function, which performs the signature check using the existing crypto_sign_ed25519_open for the cryptographic operation.
I had to update a few places where the code did not distinguish between server-side and client-side crypto algorithms, as the server cannot create a keypair or perform a signing operation, since it doesn't have a FIDO key available.
Limitations:
sk-ssh-ed25519@openssh.com supports an application identifier, which in practice is mostly "ssh:". This commit only allows this application identifier and will not accept public keys with a different one. This is because I didn't have a good idea yet as to where to store it.
The code doesn't allow extensions in the signature yet (which are not defined yet, so it doesn't really matter).
There are tests for the new file sshcrypto_key_sk_ed25519.c. In addition, I performed manual end-to-end tests to confirm that authentication with ed25519 and sk-ssh-ed25519@openssh.com is successful:
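The following is an added example, not code from this pull request or from tinyssh, showing the server-side part of what the description covers: parsing an sk-ssh-ed25519@openssh.com public key and signature blob, enforcing the two limitations listed above (only the "ssh:" application identifier is accepted, and trailing signature extensions are rejected), and rebuilding the data that the Ed25519 check runs over. The wire layout and the signed-data construction (SHA-256 of the application, flags byte, counter, SHA-256 of the message) are taken from OpenSSH's PROTOCOL.u2f; that they match tinyssh's internals is an assumption. The actual Ed25519 verification is passed in as a callable (`ed25519_verify`) so the example runs without a crypto library; in tinyssh that role is played by crypto_sign_ed25519_open. The user-presence flag check (bit 0x01) follows OpenSSH's default behaviour and is not mentioned in the PR.

```python
"""sk-ssh-ed25519@openssh.com parsing and signed-data reconstruction.

Added example (not tinyssh code). Layout per OpenSSH PROTOCOL.u2f (assumed):
  pubkey    = string "sk-ssh-ed25519@openssh.com" | string pk(32) | string application
  signature = string "sk-ssh-ed25519@openssh.com" | string sig(64) | byte flags | uint32 counter
  signed    = sha256(application) | flags | uint32 counter | sha256(message)
"""
import hashlib
import struct

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"
ALLOWED_APPLICATION = b"ssh:"     # the PR only accepts this application id
FLAG_USER_PRESENCE = 0x01         # OpenSSH requires this bit by default (assumed)


class ParseError(ValueError):
    """Raised for any malformed or unsupported key/signature blob."""


def get_string(buf, off):
    """Read one SSH 'string' (uint32 length prefix) at offset; return (bytes, new_off)."""
    if off + 4 > len(buf):
        raise ParseError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ParseError("truncated string body")
    return buf[off:off + n], off + n


def put_string(s):
    """Encode bytes as an SSH 'string'."""
    return struct.pack(">I", len(s)) + s


def encode_pubkey(pk, application=ALLOWED_APPLICATION):
    return put_string(SK_ED25519) + put_string(pk) + put_string(application)


def encode_signature(sig, flags, counter):
    return put_string(SK_ED25519) + put_string(sig) + bytes([flags]) + struct.pack(">I", counter)


def parse_pubkey(blob):
    """Return (pk, application); reject anything but the 'ssh:' application."""
    ktype, off = get_string(blob, 0)
    if ktype != SK_ED25519:
        raise ParseError("unexpected key type")
    pk, off = get_string(blob, off)
    if len(pk) != 32:
        raise ParseError("Ed25519 public key must be 32 bytes")
    application, off = get_string(blob, off)
    if off != len(blob):
        raise ParseError("trailing data after public key")
    if application != ALLOWED_APPLICATION:
        raise ParseError("unsupported application identifier")
    return pk, application


def parse_signature(blob):
    """Return (sig, flags, counter); reject trailing extension data."""
    stype, off = get_string(blob, 0)
    if stype != SK_ED25519:
        raise ParseError("unexpected signature type")
    sig, off = get_string(blob, off)
    if len(sig) != 64:
        raise ParseError("Ed25519 signature must be 64 bytes")
    if off + 5 > len(blob):
        raise ParseError("truncated flags/counter")
    flags = blob[off]
    (counter,) = struct.unpack(">I", blob[off + 1:off + 5])
    off += 5
    if off != len(blob):
        raise ParseError("signature extensions are not supported")
    return sig, flags, counter


def signed_data(application, flags, counter, message):
    """The 69-byte blob the authenticator actually signed."""
    return (hashlib.sha256(application).digest()
            + bytes([flags])
            + struct.pack(">I", counter)
            + hashlib.sha256(message).digest())


def sk_ed25519_verify(pubkey_blob, sig_blob, message, ed25519_verify,
                      require_user_presence=True):
    """Parse both blobs, rebuild the signed data and hand it to the raw verifier.

    ed25519_verify(pk, sig, data) -> bool stands in for crypto_sign_ed25519_open.
    """
    pk, application = parse_pubkey(pubkey_blob)
    sig, flags, counter = parse_signature(sig_blob)
    if require_user_presence and not (flags & FLAG_USER_PRESENCE):
        return False
    return ed25519_verify(pk, sig, signed_data(application, flags, counter, message))


# Constructed sample values (not real key material) for a stand-alone run.
SAMPLE_PK = bytes(range(32))
SAMPLE_SIG = bytes(range(64))
SAMPLE_MSG = b"constructed userauth request bytes"


def demo():
    """Round-trip the encoders/parsers with a recording stub verifier."""
    seen = {}

    def stub_verify(pk, sig, data):
        seen.update(pk=pk, sig=sig, data=data)
        return True

    ok = sk_ed25519_verify(encode_pubkey(SAMPLE_PK),
                           encode_signature(SAMPLE_SIG, FLAG_USER_PRESENCE, 7),
                           SAMPLE_MSG, stub_verify)
    return ok, seen


if __name__ == "__main__":
    print(demo())
```

The two `ParseError` branches marked "unsupported application identifier" and "signature extensions are not supported" are the places where a later version of the code would relax the limitations described above; everything else is the fixed part of the format.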