Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for EdDSA/Minisign signatures to sign-hash/sign-file, also add support for choosing credential algorithm to make-credential #137

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Add support for EdDSA/Minisign signatures to sign-hash/sign-file, also add support for choosing credential algorithm to make-credential #137

wants to merge 9 commits into from

Conversation

stevenwdv
Copy link
Contributor

@stevenwdv stevenwdv commented Oct 20, 2021
edited
Loading

This adds support for EdDSA pre-hashed signatures to sign-file (solokeys/solo1#397), possibly including a trusted comment according to Minisign.

New sign-file flags:

  --minisign                Use Minisign-compatible signatures (pre-hashed)
  --sig-file TEXT           Destination file for signature
                            (<filename>.(mini)sig if empty)
  --trusted-comment TEXT    Trusted comment included in global signature
                            (combine with --minisign) [default: <time and file
                            name, prehashed>]
  --untrusted-comment TEXT  Untrusted comment not included in global signature
                            (combine with --minisign and --sig-file)
                            [default: signature created on solokey]
  --key-id TEXT             Key ID to write to signature file (8 bytes as HEX)
                            (combine with --minisign and --sig-file) [default:
                            <hash of credential ID>]

If the --minisign flag is passed, the signature will using pre-hashing with Blake2b-512 instead of SHA-256 and the signature file will be a Minisign-compatible signature. The flag can only be used with EdDSA credentials.

To be able to choose the credential type, I added the following flag to make-credential:

  --alg TEXT                Algorithm(s) for key, separated by ',', in order
                            of preference  [default: EdDSA,ES256]

To view supported algorithms, use the new solo key list-algorithms command.

make-credential now also supports saving Minisign keys for EdDSA credentials, and it prints the public key:

  --no-pubkey               Do not display public key
  --minisign                Display public key in Minisign-compatible format
  --key-file TEXT           File to store public key (use with --minisign)
  --key-id TEXT             Key ID to write to key file (8 bytes as HEX) (use
                            with --key-file) [default: <hash of credential ID>]
  --untrusted-comment TEXT  Untrusted comment to write to public key file (use
                            with --key-file) [default: <key ID>]

Breaking change: the credential_id parameter is now assumed to be a HEX credential, to make it consistent with make-credential.

More info, mostly about an earlier version using a FIDO2 extension instead of a custom CTAP command, can be found in solokeys/solo1#575.

See solokeys/solo1#583 for the authenticator PR.

@stevenwdv
Add support for choosing algorithm and displaying public key to make_…
e0d3b5e 
…credential (v0.0.30 version)
@stevenwdv
Add support for Minisign to sign-file/sign-hash and make-credential (…
dacd228 
…largely from branch minisign(-v0.0.27)), via a custom CTAP command, see stevenwdv/solo:sign-hash. (v0.0.30 version)

Note that sign-hash now uses HEX credentials just like make-credential, and it will respect the credential algorithm
@stevenwdv
Added list-algorithms command to list algorithms supported by pytho…
70a1001 
…n-fido2. Display default value for `--alg` in help.
This was referenced Oct 20, 2021
Open
Open
@stevenwdv stevenwdv marked this pull request as draft October 21, 2021 14:14
@stevenwdv stevenwdv marked this pull request as ready for review November 2, 2021 11:32
@nickray nickray mentioned this pull request Jun 2, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@stevenwdv