Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hacking On The Mozilla Authenticator-RS Backend For SSHCerts #45

Merged
merged 23 commits into from
Jun 6, 2024
Merged

Hacking On The Mozilla Authenticator-RS Backend For SSHCerts #45

merged 23 commits into from
Jun 6, 2024

Conversation

obelisk
Copy link
Owner

@obelisk obelisk commented Dec 1, 2023

This gives a lot more flexibility for key selection and tying it to development of Firefox is probably good for long term updates and support of new CTAP2 features.

Currently this relies on a patch of authenticator-rs, which is available through a patch of sshcerts so definitely not ready for primetime.

This is also dependent on the multithreading fix by @timweri

obelisk and others added 3 commits December 7, 2023 00:50
@obelisk
Fix rebase
7f7bf49
@timweri
Address misc security issues (#47)
fd388b9 
* Limit the size of attestation certs

* Use authority returned from x509 approval response

* x509 authorization checks authority for local-db mode

* Fix test configs
@timweri
Limit pubkey size in challenge request (#48)
630f638
@obelisk obelisk marked this pull request as ready for review February 29, 2024 08:24
timweri and others added 11 commits May 6, 2024 19:46
@timweri @obelisk
Add feature to fetch a list of signers and their pubkeys (#49)
d1be858 
* Add feature to fetch a list of signers and their pubkeys

* Refactor

* Update CLI output

* Add authorized signers cache

* Add compression to authorized signers

* Switch to zstd

* Refactor

* Update local testdb

* Add LRU rate limiter

* Remove output line

* FFI

* Remove line

* Move to SSHCerts 13.1

* Add new FFIs for data signing and verification

* Fix agent

* Rename authorized signers to allowed signers

* Restrict sshcerts features in rustica to remove openssl

* A missing s makes everyone sad

* Yubikey lite you idiot

* Rename

* Fix return code

---------

Co-authored-by: Mitchell Grenier <mitchell@confurious.io>
@timweri
Add get_cert function to Rustica agent (#51)
ac7199d 
* Add get_cert function to Agent handler

* Add get_cert

* Fix get_cert FFI

* Reuse runtime
@obelisk
Update to sshcert 0.13.2
78d7058
@obelisk
Add new allowed_signer config blocks to examples
47aa0e7
@obelisk
Bump protoc
1409a39
@obelisk
Add new allowed_signer config blocks to test_config examples
27cf857
@obelisk
Bump ID to 1001
5404ae2
@obelisk
Update keys in the test configs
b448354
@obelisk
Update client private key
015aac6
@obelisk
Reissue client keys and update alt config with new private key. Also …
86cd11d 
…update issuance CN to match what is expected in server code
@obelisk
Fix the final stage of the integration test
e9882a0
@obelisk obelisk merged commit e2c2538 into develop Jun 6, 2024
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@obelisk @timweri