Add EdDSA/Minisign signatures to #397 (sign-hash/sign-file CTAP command) #583
Conversation
This patch adds new CTAP2 vendor command with command value 0x50. The
command arguments are credentialId and user specified SHA256 hash. It
returns a DER encoded signature of the given hash, using the key
which corresponds to the specified credentialId.
Example request:
{1: <sha256_hash>,
2: {"id": <credential_id>, "type": "public-key"},
3: [pinAuth]}
Example response:
{1: <der_signature>}
Issue: solokeys#395
…ith support for arbitrary-length hashes up to 64B and a trusted comment in the EdDSA case. Also fixed existing bug: get_credential_id_size(SH.cred.type) should be get_credential_id_size(&SH.cred) Also now cose_alg is checked. I'm not sure yet if it is safe to use arbitrary-length hashes with verify_pin_auth_ex. Maybe a min length should be set?
| memcpy(data, data1, len1); | ||
| memcpy(data + len1, data2, len2); | ||
| memcpy(data, data1, len1); | ||
| if (len2) |
There was a problem hiding this comment.
no need to check, memcpy with zero length is fine
There was a problem hiding this comment.
Normally yes, but I call it with data2 == NULL, which would be UB even with len2 == 0. I could call it passing data1 twice, but I think this is cleaner.
There was a problem hiding this comment.
In this case the check should be if (data2 != NULL)
There was a problem hiding this comment.
That's also possible, but personally I think it looks weird because this would make the following a legal call:
crypto_ed25519_sign(some_data, some_len, NULL, 100, buf)Although to be fair, with the current conditional the following is legal:
crypto_ed25519_sign(some_data, some_len, (uint8_t*)123, 0, buf)We could have if (data2 || len2) (or maybe if (data && len2) if we want to be lenient), but in any case it will only matter with invalid parameters.
Or maybe I'm missing an advantage of if (data2)?
…nature algorithm is supported
This adds credential algorithm detection to #397 to also support EdDSA signatures. It also adds a trusted comment field to the request with key
3. If provided with an EdDSA credential, a global signature on the main signature + trusted comment is included in the response with key2. The command now accepts 64-byte (512-bit) hashes in addition to 32-byte hashes. See #575 for more about Minisign and an earlier version using a FIDO2 extension instead of a custom CTAP command.Potentially-breaking change from #397: EdDSA credentials used with sign-hash are not incorrectly treated as ES256 anymore. CTAP structures are backwards-compatible.
Update: now only accepts credentials with RP ID starting with
solo-sign-hash:.See solokeys/solo1-cli#137 for the client PR.